Objects are not provisioning between two Active Directory Forests

Dear All,

I have created a FIM 2010 environment for synchronization between two different AD forests and I have done all the configuration which is necessary for it, but still users are not provisioning in the external AD.

If anyone has got a step-by-step document, then please share it with me and please help me check all the steps to do this.

Please see the steps mentioned below, all of which I have done, and if I skipped anything please let me know.

1- FIM Active Directory Service Agent.

2- FIM MA agent.

3- Synchronization Rules.

4- Management Policy Rules

5- Workflows

- FIM ADMA Full Import and Full Sync is working fine

- FIMMA Full Import is working fine

- FIMMA Export is not sending the data to the external AD metaverse.

Regards,

Shakeel Shahid

August 3rd, 2015 9:56am

Assuming all the configurations are correct, and ASSUMING is the big word here, I do see major steps missing, for instance EXPORT TO AD.

If I understand this correctly, you have AD1 as source and AD2 as target.

You need these steps initially:

1. Full Import on AD1 MA

2. Full Sync on AD1 MA

3. Export to FIM MA

4. Full Import on FIM MA

5. Full Sync on FIM MA 

6. Export to AD2 MA

7. Full Import on AD2 MA

8. Delta Sync on AD2 MA

August 3rd, 2015 10:25am

Hi Vladimir,

Thanks for your reply, but "Enable Sync Rule provisioning" is checked. It will be easy for me if you can guide me about attribute precedence.

Regards,

Shakeel Shahid

August 10th, 2015 7:17am

Nosh,

I am really thankful to you for your reply. I just wanted to make clear that the run profiles are running in the same way, but still users are not being provisioned. It will be feasible for me if you can share any document with me, or if you can give me remote support then please let me know.

Regards,

Shakeel Shahid

August 10th, 2015 8:11am

Are you sure you have done the rest: configure MAs, synchronization, provisioning, etc.? Are you aware of what needs to be done? It seems that the plumbing is not there, therefore you cannot expect water to flow just because you open the faucet.

This is exactly the same. You need to define synchronization and provisioning, if that is what you need, and then the steps mentioned are simply opening the faucet. Please read some guides on how that works. Too much to explain in this thread.

August 10th, 2015 10:59am

Shakeel,

I would recommend reviewing the TechNet article here:

https://technet.microsoft.com/en-us/library/jj150433(v=ws.10).aspx

However, I prefer to use Outbound Scoping Filters to apply Sync Rules, and not use MPRs/WF/EREs, which is explained and has examples here:

https://technet.microsoft.com/en-us/library/jj150432(v=ws.10).aspx

Jef

August 10th, 2015 11:51am

Nosh,

I just wanted to make clear that all the things are working fine, but when I am running Export to FIMMA it is not sending Metaverse information to Target ADMA. Also, I can see all the users in FIM but it is not provisioning users to target AD.

Regards,

Shakeel Shahid

August 11th, 2015 2:03am

You might have unchecked the box "Enable Sync Rule provisioning", you might have wrong attribute precedence; basically there are quite a few options you could have configured wrong.

I suggest you do a TLG from the very beginning to the end. It will become clear after you have done the lab.

August 11th, 2015 2:52am

Hello,

Can you show the Synchronization Rule?

I want to see if the Outbound configurations are correct.

Regards,

Gilberto



August 14th, 2015 9:33am

Hi Gilberto,

Yes, I can show you my complete configuration, but please tell me whether I should email you all the snapshots or you want to take remote control of my machine.

Regards,

Shakeel Shahid

August 17th, 2015 1:27am

Hi Shakeel,

Send the snapshots to my email.

gb_oli@hotmail.com or gilberto.limadeoliveira@gmail.com.

We have different time zones.

Regards,

Gilberto

August 17th, 2015 8:35am

Gilberto,

It will be difficult to understand the issue in snapshots, but it will be good if you can check my environment on Webex or TeamViewer. Also, I don't have any issue with time zone. I will be available any time which will be feasible for you. I will be highly thankful to you if you can give me this favor.

Regards,

Shakeel Shahid

August 30th, 2015 3:15am

Shakeel,

You can contact me between 4pm and 0:00am (gmt -3).

Regards,

Gilberto

September 1st, 2015 1:16pm

Hello Shakeel,

You had created an Outbound Synchronization Rule, but you haven't set any criteria to bind the user with an SR.

What I did to fix it:

  1. I created an attribute with name SRTargetAD in FimServices Portal, bound the attribute to user resource type and added an attribute to administrator Filter Permissions;
  2. Created the same attribute on Metaverse to ObjectClass Person;
  3. Refreshed the FIMMA schema on Synchronization Service, selected the new attribute and created a flow to Import and Export this attribute;
  4. On the Portal, I changed the Apply Rule from TargetAD Outbound SR to "To all Metaverse resources...";
  5. In the scope of TargetAD SR, added the Outbound System scoping Filter with criteria SrTargetAD=true;
  6. Then, I edited the Inbound Attribute Flow of SourceAD SR to set this attribute equal to true for all imported users from this MA.
  7. On the Synchronization Service I did:
    1. FIMMA: Full Import + Full Sync (To import Edited SRs)
    2. SourceAD: Full Import + Full Sync (To import users and set SrTargetAD= true)
    3. FIMMA: Export (To create and export attribute flow to FIMMA)
    4. TargetAD: Export (To provision and export attributes to TargetAD)

After all these steps, the user got provisioned in the TargetAD.

Please let me know if you have any further questions.

Regards,

Gilberto



September 4th, 2015 2:48pm
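
Added example, not part of the original thread: the run-profile order from the post above, scripted through the Synchronization Service's WMI provider, with a check on pending export adds for TargetAD before anything is exported. The MA names follow the thread; the run profile names ("Full Import", "Full Sync", "Export") are assumptions and must match the profiles defined on each MA.

```powershell
# Added example. Run on the FIM Synchronization Service host with sync admin rights.
# Run profile names are assumptions; use the names configured on your MAs.
$ns = 'root\MicrosoftIdentityIntegrationServer'

function Get-MA([string]$Name) {
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$Name'"
    if (-not $ma) { throw "Management agent '$Name' not found" }
    return $ma
}

function Invoke-RunProfile([string]$MAName, [string]$RunProfile) {
    # Execute() blocks until the run finishes and returns a status string.
    $status = (Get-MA $MAName).Execute($RunProfile).ReturnValue
    Write-Host ("{0,-10} {1,-12} -> {2}" -f $MAName, $RunProfile, $status)
    if ($status -like 'stopped-*') {
        throw "$MAName / $RunProfile aborted with '$status'"
    }
    if ($status -ne 'success') {
        Write-Warning "$MAName / $RunProfile finished with '$status'; check the run history"
    }
}

# 1. Bring the edited sync rules into the metaverse.
Invoke-RunProfile 'FIMMA'    'Full Import'
Invoke-RunProfile 'FIMMA'    'Full Sync'

# 2. Import source users; the inbound flow sets SRTargetAD = true.
Invoke-RunProfile 'SourceAD' 'Full Import'
Invoke-RunProfile 'SourceAD' 'Full Sync'

# 3. Provisioning happens during sync, not during export. If the outbound
#    rule applied, TargetAD now holds pending export adds.
$pendingAdds = [int](Get-MA 'TargetAD').NumExportAdd().ReturnValue
Write-Host "TargetAD pending export adds: $pendingAdds"
if ($pendingAdds -eq 0) {
    Write-Warning ('No pending adds for TargetAD. If users are still missing there, ' +
                   'review the outbound rule scope and the SRTargetAD flow before exporting.')
}

# 4. Export: FIMMA first, then the target forest.
Invoke-RunProfile 'FIMMA'    'Export'
Invoke-RunProfile 'TargetAD' 'Export'
```

A zero count at step 3 after a clean sync points at the rule's scope or attribute flow rather than at the export run profile.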


Hi,

Actually, my user provisioning is working fine now, but sometimes during user creation FIM is giving an error, and the error is mentioned below.

Error:-

The description for Event ID 0 from source FIMSynchronizationService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:



There is an error in Exch2010Extension AfterExportEntryToCd() function when exporting an object with DN CN=Fahad Arif,OU=Migrated Users,DC=federalnet,DC=intra.

Type: Microsoft.MetadirectoryServices.ExtensionException

Message:
**** ERROR ****

Property RoleAssignmentPolicy can't be set on this object because it requires the object to have version 0.10 (14.0.100.0) or later. The object's current version is 0.0 (6.5.6500.0).

**** END ERROR ****


Stack Trace:    at Exch2010Extension.Exch2010ExtensionClass.AfterExportEntryToCd(Byte[] origAnchor, String origDN, String origDeltaEntryXml, Byte[] newAnchor, String newDN, String failedDeltaEntryXml, String errorMessage)

the message resource is present but the message is not found in the string/message table

September 10th, 2015 4:50am

Shakeel,

I don't have experience with exchange provisioning.

Look at this thread: https://social.technet.microsoft.com/Forums/en-US/ca1e8511-11e8-46d0-8843-dd4becd9e589/provisioning-mailenabled-user-to-exchange-server-2010?forum=ilm2

The problem can be an attribute flow.

Regards,

Gilberto

September 10th, 2015 6:55pm

This topic is archived. No further replies will be accepted.
