Scenario: Users are added to a SQL table first and are provisioned correctly to FIM Portal & AD. Some users are initially added to AD directly and subsequently imported & synced from SQL MA - with the intention that during FIM MA sync process they will join with metaverse. To facilitate the join there is accountName=SAMAccountname Relationship Criteria for sync rule declaration in the FIM Portal. The issue seems to be that this criteria does not Join resulting in hundreds of AD accounts remaining in normal disconnector mode. The FIM MA Sync generates error: "Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: An object with DN "CN=xxxx,OU=xxxx,DC=xxxx" already exists in management agent "AD MA"." 

The recommended method to turn off Synchronization Rule Provisioning and run sync cycles (for all & specifically AD MA) at http://social.technet.microsoft.com/Forums/en-US/36db6716-87c8-499a-b20d-35a96ecf56d8/join-rule-not-working also does not work.

The process that has worked  for the disconnectors to connect up is to enable the Join property for AD MA in the Sync Console accountName=SAMAccountname. This is sub-optimal as this workaround makes the Join common to multiple provisioned ADs. It would be preferable to have the FIM Portal Sync Rule relationship handle the relationships for individual domains.

• Edited by B Sunny Tuesday, September 24, 2013 6:23 PM