Hello, I'm provisioining from my FIM portal to Active Directory. We've created a number of accounts in th FIM Portal and after issuing Full Import and Full Sync these accounts are pending exports in th AD management agent. The issue is that some of these accounts already exist in AD (someone manually created them). I was able to identify the OU and add that in the AD MA container selection section. We setup a join to occur on the AD MA (AccountName = SAMAccount name). When I ran the export some of the accounts joined and the rest were provisioned. The pending exports still show in AD MA and whenever I run an Export on my AD ma i get hundred of "cd-existing-object" error. How do I go about resolving this? When I check the MV object it shows me objects bound the mV object (FIM MA, AD MA (object that was synchronized), AD MA (user object that was discovered in the OU). There are no disconnectors. Thanks Neil

When I need to "forward join" objects I run a full synchronization, but with "provisioning" disabled. You can disable provisioning from within your Synchronization Service manager, below the tools -> options section. Kind regards, Thomahttp://setspn.blogspot.com

Thanks for you reponse thomas. I dont udnerstand what you mean. I have a join on my AD MA that joins SAMAccountName to AccountName in the MV.

If you are provisioning from the FIM Portal to AD, you have to provisioing objects that don't exist in AD yet. If they do you'll have to temporarily disable provisioning in the Synchronizatin Manager (tools options ...). It's a checkbox. Then instead of an error "cd-existing-object", objects will join. In your scenario the "provisioning" takes precedence over the joining. It tries to create another object in the MV and the AD CS and that conflicts. By temporarily disabling provisioning, the object gets projected in the MV and after running a sync on the AD MA it can be joined togehter. It's pretty hard for me to explain this in detail... Hope the above helps some. Regards, Thomashttp://setspn.blogspot.com

I did that. I disabled "synchronization" under tools-options. I then ran an export, delta import on my AD ma. I also ran an export, delta import and full sync on my FIM MA. I enabled synchronization and now the two objects are back in the AD MA. export fails with cd-existing-objects. As far as "deprovisioning" is concerned, i have "make them disconnectors" enabled. Any otehr ideas?

You have to run a sync on your AD MA. The object (which is now disconnected) in the AD CS has to be "considered" for joining to the MV object. This has sync has to run with provisioining disabled.http://setspn.blogspot.com

Yes I have run a full sync on my AD MA. After disabling "synchronization" I run a full import/ful sync on my FIM MA and I can see that under the AD MA 2 "provisioning disconnects" are issued. I then run a full sync on AD MA and now the objects the gone. As soon as I enable synchronization and run eiterh delta sync / full sync the objects are back in AD MA cs.

So do two joins occur? If not then something is either wrong with the join rule or more likely those two objects. You can use the Joiner tool to work around this if you can't get them to join automatically.My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com