Syncing users two-way with AD to FIM & Attribute Flow Rules
Hi Everyone, I'm making my way through this FIM stuff. I somehow made it around my last issue and to be honest I have no idea what caused it. Right now I'm trying to build what will be our production syncing logic. Right now I have two MAs: the FIM Service MA and AD DS. I'm trying to set it up so I can provision users in FIM into a particular OU and also have FIM sync my existing user accounts over to the FIM Portal (for password reset). I'm running into an issue where, if I configure both import and export attribute flows on the FIM Service MA, objects are then exported to the Service database without any AD attributes. If I remove the import flow mappings, AD data is then published to the FIM Service data without a problem. There must be a simple reason for what is going on. Any ideas?
July 15th, 2010 11:59pm

Did you configure import and export flows on the AD sync rules in the FIM portal? Do you see the attributes present in the FIM Sync MV? Did you check the attribute flow precedence in the FIM Sync MV?
HTH, Peter
Peter Geelen - Sr. Consultant IDA (http://www.fim2010.be) [If a post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]
July 16th, 2010 12:04pm

This is by design. As Peter has indicated, you need to take a look at your attribute flow precedence configuration. You can either configure your environment to use manual flow precedence - which is not a good idea if you need one source to be authoritative - or you are initializing your environment in phases. In case of a phased approach, you would first bring all AD objects into FIM and configure an outbound synchronization rule to AD when you are done bringing existing AD objects into FIM. More details about attribute flow precedence are here.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
July 16th, 2010 1:29pm

Thanks guys for responding. I was at work late last night trying to figure this out.
1. I have configured an inbound and outbound sync rule in the FIM portal.
2. I have checked the attribute flow precedence on the sync service. It seems to have the same effect regardless of whether I specify the FIM Sync MA or the AD MA first.
3. I'm not at my computer right now, but I will say I do remember that the attributes ARE in the MV; they just will not sync to the FIM MV connector space.
That's just the outbound sync from the portal, but I also am having a problem with the inbound sync from AD DS to the MV. For some reason, if I try to sync the "displayName" attribute the sync will fail, giving me a "sync provisioning" error. If I remove the displayName attribute from the import flow rules on the MA and in the sync rule, the user will sync over. One time I even got an exception-dll error. Can I remove import mappings on the FIM MA and just use the declarative sync rule? Am I doing something wrong? I was going off of the "Two Authoritative Sources Guide". I'm so close I can taste it; there has to be something minor I'm overlooking. I'll take a look at that attribute flow precedence doc. Is there a way I can post my MA and sync rule config so you guys can take a look?
July 16th, 2010 3:27pm

To post MA and sync rule config: see the FIM Script box and FIM Community Knowledge Box.
HTH, Peter
Peter Geelen - Sr. Consultant IDA (http://www.fim2010.be) [If a post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]
July 16th, 2010 3:32pm

Okay, here are my Sync Rules and MA configuration. I totally figured out my "Display Name" problem. I smacked myself in the face when I thought about it. I had been using a comma in my Display Name, i.e. Russell, Brandon. And because I'm using it in my DN string as a variable, it's causing an error, because you can't have a DN with a comma in the middle of it like that. "DOH" I'll just have to switch the variable, no biggie. I'm still having the problem where I can't sync any user attributes when I have import sync rules on my MA. Perhaps it's precedence, but when I make the AD MA 1st precedence it doesn't change anything. I just have to be missing something. Does this config seem okay for a start?

Synchronization Rule Configuration
  Name: FENIX User Inbound Sync Rule
  Connector: {4CD914AA-4C22-4920-BFBD-955BF724EB08}
  Pending: No
  Description: (none)
  Created Time: 14/07/2010
  Precedence: 1
  Flow Type: Inbound and Outbound

  Scope
    Metaverse Object Type: person
    Data Source: {7F6896F4-E481-43B9-B03C-6C55AE7CBFB2}
    Data Source Object Type: user

  Relationship
    Create object in FIM: true
    Create object in Connected System: true
    Relationship termination: false
    Relationship Criteria (ILM Attribute = Data Source Attribute): accountName = sAMAccountName

  Inbound Attribute Flows (Destination <- Source)
    displayName <- displayName
    firstName   <- givenName
    domain      <- CustomExpression(IIF(Eq(Left(ConvertSidToString(objectSid),40),"S-1-5-21-4133570775-275769922-3532604739"),"FENIXVM","Unknown"))
    objectSid   <- objectSid
    accountName <- sAMAccountName
    lastName    <- sn

  Initial Outbound Attribute Flows (Allow Nulls | Destination <- Source)
    false | userAccountControl <- Constant: 512
    false | dn                 <- +("CN=",displayName,",OU=FIMObjects,DC=FENIX,DC=Local")
    false | unicodePwd         <- Constant: p@ssw0rd

  Persistent Outbound Attribute Flows (Allow Nulls | Destination <- Source)
    false | sAMAccountName <- accountName
    false | company        <- company
    false | displayName    <- displayName
    false | employeeID     <- employeeID
    false | givenName      <- firstName
    false | sn             <- lastName
    false | manager        <- manager

MA CONFIG: FIM MA Attribute Flow Configuration
(columns: Flow Direction | Data Source Attribute | Metaverse Attribute | Type | Flow Nulls)

Metaverse object type: detectedRuleEntry
  Inbound  | dn                    | csObjectID            | Direct            |
  Outbound | SynchronizationRuleID | synchronizationRuleID | Direct            | no
  Outbound | DisplayName           | displayName           | Direct            | no
  Outbound | Connector             | connector             | Direct            | no
  Outbound | ResourceParent        | resourceParent        | Direct            | no
  Outbound | dn                    |                       | sync-rule-mapping | no
  Outbound | MVObjectID            | object-id             | Direct            | no

Metaverse object type: expectedRuleEntry
  Inbound  | CreatedTime               | createdTime               | Direct |
  Inbound  | ExpectedRuleEntryAction   | expectedRuleEntryAction   | Direct |
  Inbound  | SynchronizationRuleData   | synchronizationRuleData   | Direct |
  Inbound  | SynchronizationRuleID     | synchronizationRuleID     | Direct |
  Inbound  | DisplayName               | displayName               | Direct |
  Outbound | StatusError               | statusError               | Direct | no
  Outbound | SynchronizationRuleStatus | status                    | Direct | no

Metaverse object type: group
  Inbound  | dn                | csObjectID        | Direct            |
  Inbound  | AccountName       | accountName       | Direct            |
  Inbound  | DisplayName       | displayName       | Direct            |
  Inbound  | Member            | member            | Direct            |
  Inbound  | ExpectedRulesList | expectedRulesList | Direct            |
  Inbound  | Scope             | scope             | Direct            |
  Inbound  | Type              | type              | Direct            |
  Inbound  | DisplayedOwner    | displayedOwner    | Direct            |
  Outbound | dn                |                   | sync-rule-mapping | no
  Outbound | MVObjectID        | object-id         | Direct            | no
  Outbound | AccountName       | accountName       | Direct            | no
  Outbound | DisplayName       | displayName       | Direct            | no
  Outbound | Member            | member            | Direct            | no
  Outbound | Scope             | scope             | Direct            | no
  Outbound | Type              | type              | Direct            | no
  Outbound | DisplayedOwner    | displayedOwner    | Direct            | no

Metaverse object type: person
  Inbound  | sAMAccountName AccountName | accountName       | sync-rule-mapping |
  Inbound  | displayName DisplayName    | displayName       | sync-rule-mapping |
  Inbound  | objectSid Domain           | domain            | sync-rule-mapping |
  Inbound  | givenName FirstName        | firstName         | sync-rule-mapping |
  Inbound  | sn LastName                | lastName          | sync-rule-mapping |
  Inbound  | objectSid                  | objectSid         | sync-rule-mapping |
  Inbound  | dn                         | csObjectID        | Direct            |
  Inbound  | ExpectedRulesList          | expectedRulesList | Direct            |
  Inbound  | Company                    | company           | Direct            |
  Inbound  | Manager                    | manager           | Direct            |
  Outbound | dn                         |                   | sync-rule-mapping | no
  Outbound | MVObjectID                 | object-id         | Direct            | no
  Outbound | AccountName                | accountName       | Direct            | no
  Outbound | Company                    | company           | Direct            | no
  Outbound | DisplayName                | displayName       | Direct            | no
  Outbound | Domain                     | domain            | Direct            | no
  Outbound | EmployeeID                 | employeeID        | Direct            | no
  Outbound | EmployeeType               | employeeType      | Direct            | no
  Outbound | FirstName                  | firstName         | Direct            | no
  Outbound | LastName                   | lastName          | Direct            | no
  Outbound | Manager                    | manager           | Direct            | no
  Outbound | ObjectSID                  | objectSid         | Direct            | no

Metaverse object type: synchronizationRule
  Inbound | ConnectedObjectType             | connectedObjectType             | Direct |
  Inbound | ConnectedSystem                 | connectedSystem                 | Direct |
  Inbound | ConnectedSystemScope            | connectedSystemScope            | Direct |
  Inbound | CreateConnectedSystemObject     | createConnectedSystemObject     | Direct |
  Inbound | CreateILMObject                 | createILMObject                 | Direct |
  Inbound | Dependency                      | dependency                      | Direct |
  Inbound | DisconnectConnectedSystemObject | disconnectConnectedSystemObject | Direct |
  Inbound | DisplayName                     | displayName                     | Direct |
  Inbound | ExistenceTest                   | existenceTest                   | Direct |
  Inbound | FlowType                        | flowType                        | Direct |
  Inbound | ILMObjectType                   | ilmObjectType                   | Direct |
  Inbound | InitialFlow                     | initialFlow                     | Direct |
  Inbound | PersistentFlow                  | persistentFlow                  | Direct |
  Inbound | Precedence                      | precedence                      | Direct |
  Inbound | RelationshipCriteria            | relationshipCriteria            | Direct |
  Inbound | SynchronizationRuleParameters   | synchronizationRuleParameters   | Direct |

Thanks for the assistance guys!
July 17th, 2010 1:13am
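Instead of switching the variable, the comma in displayName can be escaped so it stays inside the CN RDN (FIM sync rules expose EscapeDNComponent for this); the Python below, added here and not the poster's configuration or FIM's own code, shows the RFC 4514 escaping and a splitter that checks the DN still has exactly four RDNs. The parent DN is taken from the sync rule posted above; the function names are mine.

```python
from typing import List

# Characters RFC 4514 (section 2.4) requires to be backslash-escaped in an RDN value.
_SPECIALS = set(',+"\\<>;')

def escape_rdn_value(value: str) -> str:
    """Escape a string so it can be embedded verbatim as an RDN attribute value."""
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")            # NUL must be hex-escaped
        elif ch == "#" and i == 0:
            out.append("\\#")             # a leading '#' would start a hex string
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")             # leading/trailing space is significant
        else:
            out.append(ch)
    return "".join(out)

def build_user_dn(display_name: str,
                  parent_dn: str = "OU=FIMObjects,DC=FENIX,DC=Local") -> str:
    """Same shape as the sync rule's dn flow +("CN=",displayName,",OU=..."),
    but with displayName escaped so an embedded comma stays inside the RDN."""
    return "CN=" + escape_rdn_value(display_name) + "," + parent_dn

def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas only. A user DN built under
    OU=FIMObjects,DC=FENIX,DC=Local must yield exactly four parts; an
    unescaped "Russell, Brandon" yields five, which is the error seen above."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep escape pairs intact
            cur.append(dn[i:i + 2]); i += 2
        elif dn[i] == ",":
            rdns.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(dn[i]); i += 1
    rdns.append("".join(cur))
    return rdns

if __name__ == "__main__":
    print(build_user_dn("Russell, Brandon"))
    print(split_rdns(build_user_dn("Russell, Brandon")))
```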

I'm just stuck. Anyone see anything funny with the config?
July 19th, 2010 5:37pm

Just wanted to write and update with what has happened. I took a look at the attribute precedence. I'm positive I put the AD MA with the highest precedence. That didn't seem to work, even though the document provided explained the exact problem I was having. However, after turning on the "Use equal precedence" option the problem stopped. Oddly, in this case this is exactly what I want. I want the last MA to write to the MV to change the value and allow it to pass to all connected MAs. I'd imagine if I had an HR system or something that was more authoritative I'd use that as the highest precedence and then anything lower than that would simply drop off other attributes that it was not authoritative for. So essentially the lesson learned here (I think) is that an MA that has higher precedence of an attribute will not accept a value from an MA that has a lower precedence value into its connector space (although that value will be stored in the MV).
July 19th, 2010 11:52pm
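To make the lesson above concrete, here is an added Python model (not FIM's code) of how ranked versus equal attribute flow precedence chooses the metaverse value when both the AD DS MA and the FIM Service MA contribute displayName. The MA names, the sample values and the import order are constructed for the scenario in this thread.

```python
from typing import Dict, List, Optional, Tuple

# (MA name, value) pairs in the order the MAs were synchronized; None means
# the MA does not (or no longer) contribute a value for the attribute.
Contribution = Tuple[str, Optional[str]]

def resolve_mv_value(contributions: List[Contribution], precedence: List[str],
                     equal_precedence: bool = False) -> Optional[str]:
    """Pick the metaverse value for one attribute.

    Ranked precedence: the value of the highest-ranked MA in `precedence` that
    currently contributes one. A lower-ranked MA never overwrites it, however
    late it imports; its value only surfaces if every higher MA drops out.
    Equal precedence: the most recent MA still contributing a value wins.
    """
    current: Dict[str, Optional[str]] = {}
    for ma, value in contributions:
        current[ma] = value            # a later import replaces that MA's contribution
    if equal_precedence:
        for ma, _ in reversed(contributions):
            if current.get(ma) is not None:
                return current[ma]
        return None
    for ma in precedence:
        if current.get(ma) is not None:
            return current[ma]
    return None

# Constructed scenario: AD DS MA ranked above the FIM Service MA, and the
# FIM Portal edits displayName after the AD value was already imported.
PRECEDENCE = ["AD DS MA", "FIM Service MA"]
PORTAL_EDIT_AFTER_AD = [("AD DS MA", "Russell, Brandon"),
                        ("FIM Service MA", "Brandon Russell")]

def demo() -> Tuple[Optional[str], Optional[str]]:
    """Ranked keeps the AD value; equal precedence lets the last writer through."""
    ranked = resolve_mv_value(PORTAL_EDIT_AFTER_AD, PRECEDENCE)
    equal = resolve_mv_value(PORTAL_EDIT_AFTER_AD, PRECEDENCE, equal_precedence=True)
    return ranked, equal

if __name__ == "__main__":
    print(demo())   # ('Russell, Brandon', 'Brandon Russell')
```

With ranked precedence the portal edit is simply never reflected in the MV, which is why it cannot flow on to other connectors; equal precedence is what makes "last MA to write wins" behaviour possible.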
