Setting up FIM to sync with an external domain
I have been tasked to set up synchronization of an OU in a domain completely external to our company, to another OU in our domain. This will involve only user accounts, probably distribution groups at a later stage as well. I already have a FIM2010 server running the database, portal and service, as well as synchronization service. My questions are as follows:

Do I need the portal installed in this scenario? The syncing will happen programmatically only; I understand the portal is only for self-service. Don't need this. I'm also not interested in workflow whatsoever, just syncing between two OUs.

What should be installed on the external company servers and where? How does the external company connect to the FIM? What needs to be published on the ISA, if at all? Where should the management agents etc. be installed?

I've looked at the How Do I guides, but the How Do I Synchronize Users from Active Directory Domain Services to FIM guide seems to work only internally. I am completely new to FIM so I need your assistance please. Thanking you in advance.
April 29th, 2010 11:38am

OK, so I've now completed the "Introduction to Inbound Synchronization", which is basically importing into FIM from a CSV file. Not very exciting... I've noticed that my first question would then be irrelevant, as it is required for the Sync Rules. So, in essence, what needs to happen is External Domain --> FIM --> Internal Domain? Is this even possible? Another question: how do you automate the Run profiles? Everything looks manual from what I've seen.
April 29th, 2010 1:49pm
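The post above asks how run profiles can be automated rather than started by hand. As an added example that is not from any post in this thread, the following PowerShell script drives FIM 2010 Synchronization Service run profiles through the service's WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent), which is what Task Scheduler jobs on a sync server typically call. The management agent names, run profile names and the External AD -> FIM -> Internal AD ordering are assumptions for illustration; adjust them to your environment.

```powershell
# Added example, not from any post in this thread: runs FIM 2010 Synchronization
# Service run profiles from a script so the External AD -> FIM -> Internal AD cycle
# can be scheduled instead of started in Synchronization Service Manager.
#
# Assumptions (adjust to your environment):
#   - runs on the FIM synchronization server, as a member of the local
#     FIMSyncOperators group (enough to run profiles, not to change MA configuration)
#   - two management agents exist, named 'External AD MA' and 'Internal AD MA'
#   - each MA has run profiles named 'Delta Import', 'Delta Synchronization', 'Export'

$ns = 'root\MicrosoftIdentityIntegrationServer'

function Invoke-FimRunProfile {
    param(
        [Parameter(Mandatory = $true)][string]$MAName,
        [Parameter(Mandatory = $true)][string]$RunProfile
    )
    # MIIS_ManagementAgent has one instance per MA; Execute() runs a named profile
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MAName'"
    if ($null -eq $ma) { throw "Management agent '$MAName' not found" }

    $started = Get-Date
    $result  = $ma.Execute($RunProfile)
    $status  = $result.ReturnValue   # e.g. 'success', 'completed-export-errors'
    $elapsed = ((Get-Date) - $started).TotalSeconds
    Write-Host ("{0,-16} {1,-22} {2} ({3:N0}s)" -f $MAName, $RunProfile, $status, $elapsed)

    # Stop the cycle on anything but a clean run: exporting after a failed import
    # would push stale or partial data into the target OU.
    if ($status -ne 'success') {
        throw "Run profile '$RunProfile' on '$MAName' ended with status '$status'"
    }
}

function Test-FimServerIdle {
    # Refuse to start while another run is in progress; the service rejects
    # overlapping runs anyway, but failing early gives a clearer log line.
    $busy = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent |
        Where-Object { $_.RunStatus().ReturnValue -eq 'in-progress' }
    return ($null -eq $busy)
}

# One synchronization cycle. Order matters: pull changes from the source, let the
# metaverse apply the inbound/outbound rules, push to the target, then re-import
# the target so FIM confirms what it exported.
$cycle = @(
    @{ MA = 'External AD MA'; Profile = 'Delta Import' },
    @{ MA = 'External AD MA'; Profile = 'Delta Synchronization' },
    @{ MA = 'Internal AD MA'; Profile = 'Export' },
    @{ MA = 'Internal AD MA'; Profile = 'Delta Import' }
)

if (-not (Test-FimServerIdle)) { throw 'A run is already in progress; try again later' }
foreach ($step in $cycle) {
    Invoke-FimRunProfile -MAName $step.MA -RunProfile $step.Profile
}
```

Run it from a scheduled task under a dedicated service account that is only a member of FIMSyncOperators, so the job can execute profiles but cannot alter MA configuration; the non-zero exit on a failed step makes the task history show exactly which profile broke the cycle.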

It is possible to use the synchronization service without the portal component. However, this involves coding: developing rules extensions. As soon as you want to use declarative synchronization rules ("no coding"), you need the portal. Your description is not really clear. What does "setup synchronization of an OU in a domain completely external to our company, to another OU in our domain" mean? I also don't understand what "How Do I Synchronize Users from Active Directory Domain Services to FIM guide seems to work only internally" means. Could you please clarify? It sounds like you need an inbound synchronization rule as outlined in How Do I Synchronize Users from Active Directory Domain Services to FIM and an outbound synchronization rule as outlined in How Do I Provision Users to Active Directory Domain Services. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 29th, 2010 5:23pm

Thanks for the reply Markus. Let me explain differently. My company has an AD domain that hosts AD domain accounts for another company via hosted Exchange. Now, this other company has their own AD as well, with their own user accounts. They would have an OU with all their users situated within it, which is how they authenticate locally and access resources. Their OU of their own users and my OU of their users should be very similar as far as display name, first name, etc. goes. These need to be kept in sync so that if they change something on their AD, it updates my AD, especially passwords. In "picture terms":

(1) External AD -> router -> ((internet)) -> router -> (2) Internal AD

AD1 and AD2 need to be kept in sync, at least the OUs I choose. To answer your second question, internally meaning internal to my network, i.e. LAN. Thanks, Ryno
April 29th, 2010 8:21pm

You need a network connection to a domain controller if you want to connect to an Active Directory by using the AD management agent. If network connectivity to a target does not exist, you can exchange data between an Active Directory and FIM by using a file or LDIF management agent. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 29th, 2010 9:49pm

I assume you mean RPC network connectivity? I thought this could be done via a web service of sorts from an agent loaded on the external machine. So I guess my question then is, can this be done in the way I explained without a physical network connection? How about federation?
April 30th, 2010 8:12am

Yes, you can sync through Web services, but in this case you need the following:

1. Write a Web service that provides access to the partner domain and install it on the partner network.
2. Write your own Extensible MA to communicate with such a Web service.

We have a similar requirement and are working to develop a solution based on the above points. Issam Andoni
April 30th, 2010 5:52pm

Issam, an ECMA that talks to the web service is a very good idea. It would be great if you could share your progress with the community. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
May 3rd, 2010 2:41am

Thank you for the feedback Issam. I would appreciate it if you could share with me as much as possible. Is there any documentation or articles you can direct me to, or are you "pioneering" this? Thanks, Ryno
May 3rd, 2010 8:51am

We did not start working on such a solution, but we are planning to. As soon as we have something ready that we can share, I will post it and share it with you and maybe publish it as public domain. Issam Andoni http://www.zevainc.com
May 4th, 2010 3:13am

I developed a solution called DevNaBox to synchronize production with the development environment. We implemented the solution for a few customers. Now I am thinking of adjusting the solution as a cloud application. For that I need to make the synchronization work through the internet. I will keep you posted. Issam Andoni http://www.zevainc.com
May 4th, 2010 3:16am
