Configure FIM 2010 R2 between domains

So for your footwear.com connector (assuming FIM is in the same domain):

- In the credentials page, enter footwear.com and the username and password for the footwear.com FIMMA user account

- In the configure directory partitions page, click on containers and select your FIM-managed OU

- In join and projection rules, create a person -> person join rule based on sAMAccountName = accountName. Afterwards, click on project and select person from the dropdown list (this is what pulls the users into FIM)

- Skip through to attribute flows, add new import flows for person along the lines of:

  sAMAccountName -> accountName

  givenName -> givenName

  sn -> sn

  displayName -> displayName

- Click next and finish the creation of the AD MA

- After this you need to create run profiles to execute the import/synchronisation of users into the metaverse

You will follow a similar process for your nautica.com domain; however, instead of import flows you'd use export flows. Additionally, you would need to ensure that you do not create a projection rule within that AD MA.




September 16th, 2014 5:39am
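The run profiles mentioned in the last step are normally created and started by hand in Synchronization Service Manager. The following console program, added here as an example and not part of the original reply, starts them in the order the two-MA design needs, using the Synchronization Service WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent). The MA display names and run profile names are assumptions and must match what was created in the wizard.

```csharp
// Added example: drive the footwear.com -> metaverse -> nautica.com run profile
// sequence from code. Requires a reference to System.Management and must run as a
// member of the FIMSyncOperators (or FIMSyncAdmins) group on the Sync Service host.
using System;
using System.Management;

class RunProfiles
{
    // WMI namespace exposed by the FIM Synchronization Service.
    const string WmiNamespace = @"\\.\root\MicrosoftIdentityIntegrationServer";

    // Assumed MA display names as entered in "Create Management Agent".
    const string FootwearMa = "Footwear AD MA";
    const string NauticaMa = "Nautica AD MA";

    // Runs one run profile on one MA and returns the status string the Sync
    // Service reports ("success", "completed-export-errors", "stopped-server", ...).
    static string Execute(string maName, string runProfile)
    {
        var scope = new ManagementScope(WmiNamespace);
        scope.Connect();

        // maName is a compile-time constant here; never build this query from
        // untrusted input, WQL has no parameterisation.
        var query = new ObjectQuery(
            "SELECT * FROM MIIS_ManagementAgent WHERE Name = '" + maName + "'");

        using (var searcher = new ManagementObjectSearcher(scope, query))
        {
            foreach (ManagementObject ma in searcher.Get())
            {
                object result = ma.InvokeMethod("Execute", new object[] { runProfile });
                return result == null ? "unknown" : result.ToString();
            }
        }
        throw new InvalidOperationException("Management agent not found: " + maName);
    }

    static void Main()
    {
        // Assumed run profile names; each one has to exist on the named MA.
        string[][] steps =
        {
            new[] { FootwearMa, "Full Import" },          // stage footwear.com users
            new[] { NauticaMa,  "Full Import" },          // stage existing nautica.com users
            new[] { NauticaMa,  "Full Synchronization" }, // join pre-existing nautica accounts to persons
            new[] { FootwearMa, "Full Synchronization" }, // project persons, provision missing nautica users
            new[] { NauticaMa,  "Export" },               // create/update accounts in nautica.com
            new[] { NauticaMa,  "Delta Import" },         // confirm the exports
        };

        foreach (string[] step in steps)
        {
            string status = Execute(step[0], step[1]);
            Console.WriteLine("{0} / {1}: {2}", step[0], step[1], status);

            // Do not carry on to export after a failed sync; fix the run first.
            if (status != "success")
            {
                Console.Error.WriteLine("Run profile did not succeed, stopping.");
                return;
            }
        }
    }
}
```

For the very first load, the nautica.com Full Synchronization has to join existing accounts before footwear.com persons are provisioned, otherwise users who already exist in both domains get a second, provisioned nautica.com connector and the later join fails; the order above handles that only if provisioning is disabled in Synchronization Service Manager until the join step has completed once. The export step also needs the nautica.com FIMMA account to have the create/delete rights on the target OU described later in the thread.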

Hi folks,

In my other post: http://social.technet.microsoft.com/Forums/en-US/4428df6a-467f-44e1-8431-f16a2b1b9f5c/configuration-fim-2010-r2-between-domains?forum=ilm2


I had asked whether it was possible to perform the following actions with Microsoft Forefront Identity Manager 2010 R2.


- If you change the password in domain A, it should synchronize to domain B;
- If you change the password in domain B, it should not synchronize to domain A;
- Create a user in domain A, it should be replicated to domain B;
- Create a user in domain B, it should not be replicated to domain A;

Dominik Trojnar informed me that it was possible by performing the following actions:


With FIM Synchronization Service and PCNS only (no need for FIMService). In FIM Synchronization you prepare two management agents (one for each domain) and enable password synchronization on them.


Moreover, in the agent that is connected to domain A, you create a "Projection Rule" inside the MA properties. In both agents you should create join rules that would match pre-existing accounts of the two users.

In the domain you have to install PCNS on every DC and configure it to point to the FIM server.

Did some testing without much success.

I need help from you on which way or which steps to complete the following configuration:

- Create a user in domain A, it should be replicated to domain B;


Recalling that the structure of the environment is as follows:

Domain A (footwear.com);
Domain B (Nautica.com);


The customer environment has no trust relationship between the domains.

Thanks a lot!

September 20th, 2014 4:35pm

You'll need to elaborate more on what you've actually been able to complete.

Have you installed the Synchronization Service and created your AD management agents?

Basically you need to do the following:

- Create service accounts in both domain a and b

- Create a connector for domain A, add inbound attribute flows and a projection rule for user

- Create a connector for domain B, add outbound attribute flows

- Create provisioning code (MvExtension) to provision the user (http://msdn.microsoft.com/en-us/library/windows/desktop/ms696035(v=vs.100).aspx)

Also, you will only need a trust if your FIM server is in a different domain to the PCNS source. For example, if you put your synchronization service in domain A, you will not need a trust; however, you will need to open additional firewall ports between your FIM server and domain B.

http://technet.microsoft.com/en-us/library/cc720599(v=ws.10).aspx

September 20th, 2014 8:31pm
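The MvExtension step above is the part the wizard cannot do for you. The class below is an added example (not code from the reply or from Microsoft's documentation) of the IMVSynchronization extension that creates a nautica.com user for every person projected from footwear.com, and nothing in the other direction. The MA names, the target OU, and the metaverse attribute names (accountName, displayName, as in the flows described earlier in the thread) are assumptions.

```csharp
// Added example: one-directional provisioning footwear.com -> nautica.com.
// Build as a class library referencing Microsoft.MetadirectoryServices.dll and
// select it under Metaverse Designer -> Configure Rules Extension.
using System;
using System.Security.Cryptography;
using Microsoft.MetadirectoryServices;

namespace Mms_Metaverse
{
    public class MVExtensionObject : IMVSynchronization
    {
        // Assumed MA display names as configured in Synchronization Service Manager.
        const string FootwearMa = "Footwear AD MA";
        const string NauticaMa = "Nautica AD MA";

        // Assumed target OU; it must be the OU the nautica.com FIMMA account
        // was delegated create/delete rights on.
        const string NauticaTargetOu = "OU=FIMUsers,DC=nautica,DC=com";

        public void Initialize() { }
        public void Terminate() { }

        public void Provision(MVEntry mventry)
        {
            // Only persons with an account name (i.e. projected from footwear.com).
            if (mventry.ObjectType != "person" || !mventry["accountName"].IsPresent)
                return;

            ConnectedMA nautica = mventry.ConnectedMAs[NauticaMa];

            // Joined to an existing nautica.com user, or already provisioned: done.
            if (nautica.Connectors.Count > 0)
                return;

            string accountName = mventry["accountName"].Value;
            string cn = mventry["displayName"].IsPresent
                ? mventry["displayName"].Value
                : accountName;

            CSEntry csentry = nautica.Connectors.StartNewConnector("user");

            // EscapeDNComponent handles commas, plus signs etc. in the display name.
            csentry.DN = nautica.EscapeDNComponent("CN=" + cn).Concat(NauticaTargetOu);
            csentry["sAMAccountName"].Value = accountName;

            // 0x200 = NORMAL_ACCOUNT (enabled). AD only accepts an enabled account if a
            // password is set, and unicodePwd is only writable when the nautica.com MA
            // exports over LDAPS, so this export fails on a plain LDAP (389) connection.
            csentry["userAccountControl"].IntegerValue = 0x200;
            csentry["unicodePwd"].Value = RandomInitialPassword();

            csentry.CommitNewConnector();
        }

        // There is deliberately no branch that provisions into FootwearMa: users
        // created in nautica.com get joined at most, never copied back to domain A.

        public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
        {
            // Drop the metaverse object when the footwear.com account goes away; what
            // then happens to the nautica.com user is decided by that MA's
            // deprovisioning setting (stage a delete / make explicit disconnector).
            return csentry.MA.Name == FootwearMa;
        }

        // 24 random bytes as base64 gives a 32-character string with upper case,
        // lower case and digits; nobody needs to know it, PCNS overwrites it with
        // the user's real password on the next change in footwear.com.
        static string RandomInitialPassword()
        {
            byte[] buffer = new byte[24];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(buffer);
            }
            return Convert.ToBase64String(buffer) + "!1a";
        }
    }
}
```

The join rules in both MAs (sAMAccountName to accountName) are what keep this from creating duplicates for users who already exist in nautica.com: when the nautica.com connector is already joined, Connectors.Count is non-zero and the method returns before StartNewConnector. Because the nautica.com MA has export flows but no projection rule, accounts that exist only in domain B never become metaverse persons and so never reach this code.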

Hi Cameron Zivkovic,

Sorry for the incomplete question.

let's go...

The Scenario.

- 1 Active Directory called Footwear.com

- 1 Active Directory called Nautica.com

- 1 SQL Server 2008 R2 SP1

- 1 FIM Synchronization Service

Accounts FIMMA and FIMSync created in domain Footwear.com

Accounts FIMMA and FIMSync Created in domain Nautica.com

I started installing FIM Synchronization Service successfully.

I created a new OU dedicated to be managed by FIM, FIMusers; after right-clicking on the OU and running the Delegate Control wizard, I gave FIMMA:

Create, delete, and manage user accounts, and Create, delete and manage groups.

Then in footwear.com, under Security, I assigned the FIMMA account the Replicating Directory Changes permission.

I did the same process for the domain Nautica.com.

I initiated the creation of the AD MA. When configuring Create Management Agent for Active Directory, I got lost.

Can you help me?

Thanks a lot!

September 20th, 2014 10:33pm
