GAL Sync and group member sync cross forest. Not working together

I am finalizing a cross forest migration. The end client needs an extended period of time with both domains up and running. I have been working with an advisory engineer and we are having a hard time.

We started by setting up GAL sync and that works as expected. Then we tried to set up group provisioning, and I have that working. I can create groups and add members, and as long as those users are in FIM and the target forest, the membership information is preserved. During the process we removed the GAL sync agents for ease of troubleshooting. Now when I run the GAL sync agents and search the connector space, it shows connector false on both sides. I am not sure how to correct that. The other objects were created by the DS agents and FIM. If I sync a new object it will create a contact cross forest.

What I want it to do is run the GAL sync without group contacts and synchronize the GAL on both sides. (Groups have been created on both sides of the domain and ADMT has moved the group membership with the user.) After the GAL is synchronized I need FIM to synchronize the group membership, adding the contacts for the missing users that have moved. I am not sure how to get that logic into the system.

I am not sure I am going about this the right way. It may be easier to use the FIM and AD DS agents to provision users cross forest as contacts, so that the group membership would be preserved. If that is the case, I am not sure how to pull that off.

Does anyone have recommendations?

Thank You


  • Edited by Intelibyte Thursday, December 08, 2011 2:30 AM
December 7th, 2011 11:53pm

At this point I am looking to retool the FIM service and not use GAL sync at all. Right now the FIM service and AD DS service agents are provisioning users cross forest. I plan on changing that to provision users to contacts cross forest. This will place the contacts in their respective OUs and preserve group membership throughout the flow.

I am using the GAL sync as a guide for attribute flow.

Can anyone tell me if that is sound and will work? I want to be sure I am understanding this correctly.

Thanks

December 9th, 2011 2:00am

So far I have adjusted my outbound synchronization rule for users, changing the scope from person, person to person, contact.

I set the DN to initial flow. Now contacts flow in place of users. Somewhere my membership data is lost between FIM and the outbound AD agent.

When I check the connector space, I see members on my groups in FIM and in the connector space. When I run a preview the membership data is available out of FIM. The AD DS space shows the rule is applied but the attribute is blank.

I changed the join rule for users, joining on accountname-samaccountName. I removed the user join rule and added a contact join rule mapping accountname to displayname.

There is something about the membership attribute or the join rule I am not understanding.

http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/9a1ba52c-4e36-48fa-b9d0-266a9c0d8adb

This is the only reference I have been able to find online describing what I want to do.  If that helps.

Any Ideas?

Thank You

  • Edited by Intelibyte Saturday, December 10, 2011 1:55 AM
December 10th, 2011 12:10am

I got a call back from the advisory engineer and we did some troubleshooting.

We changed the precedence of the sync rules to user sync first, group second. Then we mapped the member attribute in the attribute flow for the outgoing AD agent.

And it works. Users are read from source, groups are read from source and provisioned cross forest. Users are provisioned cross forest as contacts and the membership is maintained throughout the flow.

I am testing it now, I'll post again when it's done.

December 13th, 2011 11:50pm

I got the two way sync to work without errors.

I need to import the Exchange attributes into the flow, and I need to do something about the dn attribute.

Right now I am using the displayname string way to get the dn populated. I would like to have a way to do this that can accommodate the OU structure.

Does anyone have a way to recurse OUs or translate a dn, remove the domain name so I can concat it with the new domain?

The OU's are identical on source and destination.

Thanks

December 17th, 2011 3:04am

The Exchange attributes seem to work properly. I ended up exporting the dn value to cn in FIM, then exporting cn to dn in the target MA flowing out to the target domain: ReplaceString(cn,targetdomain,sourcedomain)>dn

It works great. Any user or group in any OU defined in the selection on the MA synchronizes cross forest. Groups flow straight across, users flow to contacts and membership is maintained. No errors at all.

I am catching up on documentation. I intend to produce a how-to doc on this as soon as I can.

Thanks

December 19th, 2011 11:04pm
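The DN translation the poster asked about (remove the source domain, keep the OU path, attach the target domain) and then solved with a ReplaceString flow, written out as an added Python example; this is not the poster's FIM configuration, and the forest names and DNs are constructed samples. Unlike a plain substring replace it splits the DN into RDNs so an escaped comma in a CN survives, swaps only the trailing DC= components, and refuses a DN that is not under the source forest, which is the check you want before member DNs are rewritten for a group.

```python
import re

# Constructed sample forests: identical OU trees, different DC= suffixes.
SOURCE_DOMAIN = "source.local"
TARGET_DOMAIN = "target.local"


def split_rdns(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped,
    so 'CN=Doe\\, John' stays one component."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def domain_to_dc(domain):
    """'source.local' -> ['DC=source', 'DC=local']"""
    return ["DC=" + label for label in domain.split(".")]


def translate_dn(dn, source_domain=SOURCE_DOMAIN, target_domain=TARGET_DOMAIN):
    """Rewrite the DC= suffix of a source-forest DN to the target forest,
    keeping every CN=/OU= component unchanged.  Raises ValueError if the
    DN does not live under source_domain, so a foreign DN is never
    silently rewritten into the target domain."""
    parts = split_rdns(dn)
    src_dc = domain_to_dc(source_domain)
    if len(parts) <= len(src_dc):
        raise ValueError(f"DN has no leaf component: {dn}")
    suffix = parts[-len(src_dc):]
    if [p.lower() for p in suffix] != [p.lower() for p in src_dc]:
        raise ValueError(f"DN is not under {source_domain}: {dn}")
    return ",".join(parts[:-len(src_dc)] + domain_to_dc(target_domain))


def translate_members(member_dns, source_domain=SOURCE_DOMAIN,
                      target_domain=TARGET_DOMAIN):
    """Translate a group's member DNs for the target forest; members that
    are not under the source forest are reported instead of being dropped
    or mangled, so a missing membership can be investigated."""
    translated, skipped = [], []
    for dn in member_dns:
        try:
            translated.append(translate_dn(dn, source_domain, target_domain))
        except ValueError:
            skipped.append(dn)
    return translated, skipped
```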

Did you ever write out this documentation?  We're looking into this process and would love to see how somebody else pulled this off.  Are you using the Microsoft Federation Gateway as part of your solution?
February 3rd, 2012 12:17am

Hi,

No on the MS Federation Gateway.

The documentation is not quite ready yet. I will work on that and post it ASAP.
February 3rd, 2012 12:23am

Hi Intelibyte,

Could you please provide me the steps to make "group flow across forest, and maintain the membership"?

I am in the process of restructuring from Exchange 2003 (AD 2003) to Exchange 2010 (AD 2008). I was able to make users flow as contacts, but no luck with groups as groups across the forest. Currently I have copied around 1000 DL groups across the forest and am adding the contacts present in the forest as members manually.

Thank you.

February 25th, 2012 1:06pm

I will put something together on how this works. Overview and a diagram.

I have been slammed with tickets in the last few weeks and I am a little behind. Sorry for the delay.

I'll put that together and post it shortly.

February 29th, 2012 11:50pm

March 7th, 2012 4:04am


This is an overview of basically how it works.

The group sync is pretty much out of the box. The real key here is that the user is imported to FIM and that 'Person' is then provisioned outbound as a contact.

Membership synchronizes with the group, and FIM maintains group membership cross forest as the source user and the target contact are the same 'Person'.

Precedence is important. The OU structure is the same on both forests and needs to be initialized. The group sync is ahead of the users, then the users sync, and then the group membership syncs.

The attribute flow is a long list. It includes all of the Exchange information for the contact, and it provisions the contact as mail enabled on both sides. There is no VB; it's all done in sync rules.

Next I'll post the attribute flow and precedence diagram. I'll get that together this week (I hope). I intend to put this up in a lab and get screen shots of the whole configuration. I will do that as soon as I can.

Let me know if you have questions.

March 7th, 2012 4:16am

To address your question (sorry about that):

I added the member attribute to flow with the group. Select the member attribute.

Take a look at these screen shots. This is how it's set up.

March 15th, 2012 3:33am

Dear Intelibyte,

Thanks for sharing your findings. Great work. It helped me a lot and I am able to do the group sync now. It would be more helpful for others if you could share this on some blog site, as there is little information regarding FIM group sync online.

Regards,

Abilash

March 26th, 2012 2:41am

Abilash,

That is a great idea. I'll set up a blog spot and post my progress there. I'll get back with the link.

Thanks,

Dave

March 28th, 2012 9:21pm

Topic is still hot. We are waiting for your blog ))

May 25th, 2012 2:54pm

I'm packaging up my notes this week. I'll have that together soon.
May 29th, 2012 11:13pm

Hi guys, would like to know if there is a step by step procedure on how to do this group sync in FIM. Thanks a lot.
June 15th, 2014 11:12pm
