updating the anchor value for SQL MA from FIM provisioning code

I'm provisioning a record from AD into a SQL table using FIM 2010 R2 Synchronization Engine.

The provisioning works fine. I'm taking the AD user object and FIM runs the provisioning code to create a record in a SQL table. Here is my table design. Basically I'm taking the AD user and FIM is writing a record in SQL for that user. This part is working fine.

CREATE TABLE [dbo].[tbl_FGPP_Members](
	[MemberObjectGUID] [varbinary](50) NULL,
	[MemberDN] [nvarchar](255) NOT NULL,
	[MemberObjectType] [nvarchar](10) NOT NULL,
	[Member_ADDomain] [nvarchar](16) NULL,
	[Member_sAMAccountName] [nvarchar](64) NULL
) ON [PRIMARY]

So on the FIM SQL management agent I'm using 'MemberDN' as the anchor attribute. I could have used MemberObjectGuid, but for troubleshooting memberDN is better as it contains a string value (the distinguished name of the user from AD).

When an AD account is renamed or moved within an AD domain, its distinguishedName will change. Since MemberDN is the anchor, which takes the distinguishedName value from AD in the provisioning code, I cannot just create a flow rule to update it. I was told I could write some code to update it from the MVExtension provisioning code. So here is how I'm trying to do it:

        void IMVSynchronization.Provision(MVEntry mventry)
        {
            ConnectedMA sqlFGPPUser;
            string mvObjectType = null;

            switch (mventry.ObjectType)
            {
                case "FGPPUser100":
                    sqlFGPPUser = mventry.ConnectedMAs["DGROUPS - USERS SQL MA"];
                    mvObjectType = "FGPP100SQLUser";

                    // No connector in the SQL MA yet: create the row.
                    if (sqlFGPPUser.Connectors.Count == 0)
                    {
                        createFGPPUsersInSQL(mventry, sqlFGPPUser);
                    }
                    // Exactly one connector: try to update its DN.
                    else if (sqlFGPPUser.Connectors.Count == 1)
                    {
                        updateFGPPUsersInSQL(mventry, sqlFGPPUser);
                    }
                    break;
            }
        }



        void updateFGPPUsersInSQL(MVEntry mventry, ConnectedMA sqlFGPPUser)
        {
            CSEntry csentry;
            ReferenceValue dn;

            csentry = sqlFGPPUser.Connectors.ByIndex[0];
            dn = sqlFGPPUser.EscapeDNComponent(mventry["ADdistinguishedName"].Value);

            // Only attempt the rename when the DN coming from AD differs from the CS object's DN.
            if (mventry["ADdistinguishedName"].Value.ToLower() != csentry.DN.ToString().ToLower())
            {
                try
                {
                    csentry.DN = dn;
                }
                catch (Exception Ex)
                {
                    throw new Exception("Exception Message: Exception encountered while renaming the MemberDN " + Ex.Message);
                }
            }
        }

However, when I rename the AD user, import, and then run the sync run profile, I get the following error:

System.Exception: Exception Message: Exception encountered while renaming the MemberDN attribute MemberDN is read-only
   at Mms_Metaverse.MVExtensionObject.updateFGPPUsersInSQL(MVEntry& mventry, ConnectedMA& sqlFGPPUser) in D:\FIM C# Code\FGPP100\FGPP100\MVExtension\MVExtension.cs:line 526
   at Mms_Metaverse.MVExtensionObject.Microsoft.MetadirectoryServices.IMVSynchronization.Provision(MVEntry mventry) in D:\FIM C# Code\FGPP100\FGPP100\MVExtension\MVExtension.cs:line 566

What am I doing wrong? :(


June 18th, 2015 1:31pm

As far as I know you cannot write to an anchor attribute. It is read-only.
June 18th, 2015 3:12pm

Thanks Nosh,

Is there some way I can create a new connector and delete the old one from SQL MA Connector space?

I've tried the following: when I detect that the distinguishedName on the metaverse object is different from what's on the SQL MA CS object, I call csentry.Deprovision() and try creating a brand new connector.

        void createFGPPUsersInSQL(MVEntry mventry, ConnectedMA sqlFGPPUser, string mvObjectType)
        {
            CSEntry csentry;
            csentry = sqlFGPPUser.Connectors.StartNewConnector(mvObjectType);

            // MemberDN is the SQL MA anchor, so it must be set before the connector is committed.
            csentry["MemberDN"].Value = mventry["ADdistinguishedName"].Value;

            try
            {
                csentry.CommitNewConnector();
            }
            catch (System.Exception Ex)
            {
                throw new UnexpectedDataException(Ex.Message);
            }
        }


        void updateFGPPUsersInSQL(MVEntry mventry, ConnectedMA sqlFGPPUser)
        {
            CSEntry csentry;
            ReferenceValue dn;

            csentry = sqlFGPPUser.Connectors.ByIndex[0];
            dn = sqlFGPPUser.EscapeDNComponent(mventry["ADdistinguishedName"].Value);

            // Check to see if the distinguishedName flowing from AD has changed...
            if (mventry["ADdistinguishedName"].Value.ToLower() != csentry.DN.ToString().ToLower())
            {
                // Disconnect the old object.
                csentry.Deprovision();

                // Now try creating a brand new connector.
                if (mventry.ObjectType == "FGPPUser100")
                {
                    ConnectedMA NewSQLFGPPUser;
                    NewSQLFGPPUser = mventry.ConnectedMAs["DGROUPS - USERS SQL MA"];

                    if (NewSQLFGPPUser.Connectors.Count == 0)
                    {
                        createFGPPUsersInSQL(mventry, NewSQLFGPPUser, "FGPP100SQLUser");
                    }
                }
            }
        }


        void IMVSynchronization.Provision(MVEntry mventry)
        {
            ConnectedMA sqlFGPPUser;
            string mvObjectType = null;

            switch (mventry.ObjectType)
            {
                case "FGPPUser100":
                    sqlFGPPUser = mventry.ConnectedMAs["DGROUPS - USERS SQL MA"];
                    mvObjectType = "FGPP100SQLUser";

                    if (sqlFGPPUser.Connectors.Count == 0)
                    {
                        createFGPPUsersInSQL(mventry, sqlFGPPUser, mvObjectType);
                    }
                    else if (sqlFGPPUser.Connectors.Count == 1)
                    {
                        updateFGPPUsersInSQL(mventry, sqlFGPPUser);
                    }
                    break;
            }
        }

However, I get an error like this on the sync run.

Microsoft.MetadirectoryServices.UnexpectedDataException: An object with DN "CN=FGPP-EYIAM-USER-01\,OU=FIM user rename OU\,OU=Dynamic Groups\,OU=FIM 2010 R2\,DC=eyiam\,DC=net" already exists in management agent "DGROUPS - USERS SQL MA".
   at Mms_Metaverse.MVExtensionObject.createFGPPUsersInSQL(MVEntry mventry, ConnectedMA sqlFGPPUser, String mvObjectType) in D:\FIM C# Code\FGPP100\FGPP100\MVExtension\MVExtension.cs:line 498
   at Mms_Metaverse.MVExtensionObject.updateFGPPUsersInSQL(MVEntry mventry, ConnectedMA sqlFGPPUser) in D:\FIM C# Code\FGPP100\FGPP100\MVExtension\MVExtension.cs:line 523
   at Mms_Metaverse.MVExtensionObject.Microsoft.MetadirectoryServices.IMVSynchronization.Provision(MVEntry mventry) in D:\FIM C# Code\FGPP100\FGPP100\MVExtension\MVExtension.cs:line 568

If I look at the connector space of SQL, I do see an object but it has the

Notice the DN is different from what's in the error message. [this part: OU=FIM user rename OU]

After the move in AD, the object's correct distinguishedName is:

CN=FGPP-EYIAM-USER-01,OU=FIM user rename OU,OU=Dynamic Groups,OU=FIM 2010 R2,DC=eyiam,DC=net

Any help will be greatly appreciated.

Thanks.

GT

June 18th, 2015 6:30pm

There is a way. A much easier way. All you need to do is deprovision the old object. A new one will be created automatically. So on the Metaverse you set the deletion rule to say: when the AD MA is disconnected, delete the MV object. Then on the SQL MA you select "delete connector" under deprovisioning options.
June 18th, 2015 7:29pm

But why do you go this route anyway? Why don't you flow sAMAccountName or another attribute that does not change to the SQL table and make it the anchor? It would save you a lot of trouble.
June 18th, 2015 7:32pm
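To show what the "pick an anchor that never changes" advice looks like in the provisioning code, here is an added example (written for this page, not code posted by GT or Nosh). It keys the SQL row on the MemberObjectGUID column that is already in the table, writes that anchor exactly once when the connector is created, and treats MemberDN as an ordinary column, so an AD rename or move becomes a plain attribute update on export instead of an anchor change. Assumptions not stated in the thread: the SQL MA's anchor has been switched from MemberDN to MemberObjectGUID, the MV object type FGPPUser100 has a binary attribute named objectGUID imported from AD, and MemberObjectType is simply the literal "user". The MA name, CS object type and ADdistinguishedName are taken from the posts above.

```csharp
// Added example, not code from this thread. Provisioning to the SQL MA with an
// immutable anchor (MemberObjectGUID) instead of the DN.
// Assumed, not from the page: MV attribute "objectGUID" (binary), SQL MA anchor
// reconfigured to MemberObjectGUID, MemberObjectType column holds the literal "user".
using System;
using Microsoft.MetadirectoryServices;

namespace Mms_Metaverse
{
    // Same default class name the FIM rules extension template generates.
    public class MVExtensionObject : IMVSynchronization
    {
        const string SqlMaName = "DGROUPS - USERS SQL MA";   // from the thread
        const string SqlObjectType = "FGPP100SQLUser";        // from the thread
        const string MvObjectType = "FGPPUser100";            // from the thread
        const string MvDnAttr = "ADdistinguishedName";        // from the thread
        const string MvGuidAttr = "objectGUID";               // assumed MV attribute

        public void Initialize() { }
        public void Terminate() { }
        public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { return false; }

        public void Provision(MVEntry mventry)
        {
            if (mventry.ObjectType != MvObjectType)
                return;

            // No GUID or DN yet: wait for a later sync pass instead of creating a
            // row with an empty anchor or violating the NOT NULL MemberDN column.
            if (!mventry[MvGuidAttr].IsPresent || !mventry[MvDnAttr].IsPresent)
                return;

            ConnectedMA sqlMa = mventry.ConnectedMAs[SqlMaName];
            switch (sqlMa.Connectors.Count)
            {
                case 0:
                    CreateSqlRow(mventry, sqlMa);
                    break;
                case 1:
                    UpdateSqlRow(mventry, sqlMa.Connectors.ByIndex[0]);
                    break;
                default:
                    throw new UnexpectedDataException("Expected at most one connector in " + SqlMaName);
            }
        }

        static void CreateSqlRow(MVEntry mventry, ConnectedMA sqlMa)
        {
            CSEntry csentry = sqlMa.Connectors.StartNewConnector(SqlObjectType);

            // The anchor is written once, on the new connector, and never again;
            // it is read-only on an existing connector.
            csentry["MemberObjectGUID"].BinaryValue = mventry[MvGuidAttr].BinaryValue;
            CopyNonAnchorAttributes(mventry, csentry);

            csentry.CommitNewConnector();
        }

        static void UpdateSqlRow(MVEntry mventry, CSEntry csentry)
        {
            // Refuse to update a row whose anchor no longer matches this MV object;
            // writing under someone else's key would silently cross user data.
            if (!BytesEqual(csentry["MemberObjectGUID"].BinaryValue, mventry[MvGuidAttr].BinaryValue))
                throw new UnexpectedDataException(
                    "SQL anchor does not match MV objectGUID; deprovision and re-provision this object.");

            CopyNonAnchorAttributes(mventry, csentry);
        }

        // With the DN demoted to an ordinary column, a rename or move in AD is just
        // an attribute change that the next export writes to the row.
        static void CopyNonAnchorAttributes(MVEntry mventry, CSEntry csentry)
        {
            SetIfChanged(csentry["MemberDN"], mventry[MvDnAttr].Value);
            SetIfChanged(csentry["MemberObjectType"], "user");   // assumed column value
            // Member_ADDomain and Member_sAMAccountName follow the same pattern.
        }

        static void SetIfChanged(Attrib target, string value)
        {
            if (!target.IsPresent || target.Value != value)
                target.Value = value;
        }

        static bool BytesEqual(byte[] a, byte[] b)
        {
            if (a == null || b == null || a.Length != b.Length)
                return false;
            for (int i = 0; i < a.Length; i++)
                if (a[i] != b[i])
                    return false;
            return true;
        }
    }
}
```

The GUID is 16 bytes, so it fits the existing varbinary(50) column as-is. Changing the anchor on an MA that already has a populated connector space is not free: the SQL MA needs a full import and sync afterwards, and a join rule on MemberObjectGUID so the existing rows reconnect to their MV objects rather than being provisioned a second time.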
