updating the anchor value for SQL MA from FIM provisioning code

I'm provisioning a record from AD into a SQL table using FIM 2010 R2 Synchronization Engine.

The provisioning works fine. I'm taking the AD user object and FIM runs the provisioning code to create a record in SQL table. Here is my table design. Basically I'm taking the AD user and FIM is writing a record in SQL for that user. This part is working fine.

CREATE TABLE [dbo].[tbl_FGPP_Members](
	[MemberObjectGUID] [varbinary](50) NULL,
	[MemberDN] [nvarchar](255) NOT NULL,
	[MemberObjectType] [nvarchar](10) NOT NULL,
	[Member_ADDomain] [nvarchar](16) NULL,
	[Member_sAMAccountName] [nvarchar](64) NULL
) ON [PRIMARY]

So on FIM SQL management agent I'm using 'MemberDN' as the anchor attribute. I could have used MemberObjectGuid but for troubleshooting memberDN is better as it contains a string value (distinguished name of the user from AD).

When an AD account is renamed or moved within an AD domain, it's distinguishedName will change. Since MemberDN is the anchor which is taking the distinguishedName value from AD in the provisioning code, I cannot just create a flow rule to update it. I was told, I could write some code to update it from the MVExtension provisioning code. So here is how I'm trying to do it:

using Microsoft.MetadirectoryServices;

        void IMVSynchronization.Provision(MVEntry mventry)
        {
            ConnectedMA sqlFGPPUser;

            switch (mventry.ObjectType)
            {
                case "FGPPUser100":
                    sqlFGPPUser = mventry.ConnectedMAs["DGROUPS - USERS SQL MA"];
                    mvObjectType = "FGPP100SQLUser"; // class-level field used elsewhere in the extension

                    if (sqlFGPPUser.Connectors.Count == 0)
                    {
                        // No SQL connector yet: create the SQL row for this user
                        createFGPPUsersInSQL(mventry, sqlFGPPUser);
                    }
                    else if (sqlFGPPUser.Connectors.Count == 1)
                    {
                        // Existing SQL connector: try to rename it to the new AD DN
                        updateFGPPUsersInSQL(mventry, sqlFGPPUser);
                    }
                    break;
            }
        }



        void updateFGPPUsersInSQL(MVEntry mventry, ConnectedMA sqlFGPPUser)
        {
            CSEntry csentry;
            ReferenceValue dn;

            // The single existing SQL connector for this MV object
            csentry = sqlFGPPUser.Connectors.ByIndex[0];
            dn = sqlFGPPUser.EscapeDNComponent(mventry["ADdistinguishedName"].Value);

            // Only rename when the AD DN differs from the connector's current DN (case-insensitive)
            if (mventry["ADdistinguishedName"].Value.ToLower() != csentry.DN.ToString().ToLower())
            {
                try
                {
                    // Attempt to set the new DN; this is the line that fails (see error below)
                    csentry.DN = dn;
                }
                catch (Exception Ex)
                {
                    throw new Exception("Exception Message: Exception encountered while renaming the MemberDN " + Ex.Message.ToString());
                }
            }
        }

However, when I rename the AD user and import and then run sync run profile, I get the following error:

System.Exception: Exception Message: Exception encountered while renaming the MemberDN attribute MemberDN is read-only
   at Mms_Metaverse.MVExtensionObject.updateFGPPUsersInSQL(MVEntry& mventry, ConnectedMA& sqlFGPPUser) in D:\FIM C# Code\FGPP100\FGPP100\MVExtension\MVExtension.cs:line 526
   at Mms_Metaverse.MVExtensionObject.Microsoft.MetadirectoryServices.IMVSynchronization.Provision(MVEntry mventry) in D:\FIM C# Code\FGPP100\FGPP100\MVExtension\MVExtension.cs:line 566

What am I doing wrong? :(


  • Edited by gtrivedi1980 Thursday, June 18, 2015 5:32 PM correction
June 18th, 2015 5:29pm

There is a way. A much easier way. All you need to do is deprovision the old object. The new one will be created automatically. So on the Metaverse you set a deletion rule to say when the AD MA is disconnected, delete the MV object. Then on the SQL MA you select delete connector under deprovisioning
June 19th, 2015 9:44am

But why do you go this route anyway? Why don't you flow sAMAccountName or another attribute that does not change to the SQL table and make it the anchor? It would save you a lot o
June 19th, 2015 9:45am


I am sorry, I don't have anything available at this time (At a client site), but this is not code. Simple configurations in FIM MV.  If you want to change the anchor, that means you need to change the schema of your SQL table, and then change the MA configuration.  Otherwise, this weekend I can send you something more clear.
June 19th, 2015 1:09pm

Hi Nosh,

I can change the anchor to something like ObjectGUID. I know that never changes, even if a user moves or gets renamed in Active Directory. But setting the anchor as ObjectGUID is bad for people who would be using FIM to troubleshoot sync issues. They will see a bunch of GUIDs and it's not very intuitive. However, I'm not ruling out this option at all. But what I would like to do is the below. Please let me know if this can be done.

I have two MAs.

1. ADMA - used to import AD users and project/join to mv:person.

2. SQLMA - used to export mv:Person to sql table. (anchor MemberDN which holds the distinguishedName of the corresponding user object from AD)

Let's say I have an account in AD (cn=oldname, ou=old ou, dc=domain). I import it in FIM and export to SQLMA, and a record gets written in SQL.

Now what I would like to do is rename the account in AD to : cn=newname, ou=new ou, dc=domain

Now when I import, I want FIM to do the following within the same sync run.

1. detect that distinguishedname has changed and delete or disconnect the mv:person object associated with the ADMA cs. also delete the sqlma cs object (I have set the object deletion rules on mv:person {delete mv:person object when the associated cs object is deleted from ADMA} and sqlma deprovision tab {stage a delete on the next export run}).

2. I want to provision a new sqlma cs and flow the new distinguishedname to this sqlma cs.

3. On the next export, SQLMA should create the new record and delete the old record from SQL table.

Is it possible to do this?

June 19th, 2015 1:32pm

Short answer, yes. This is what I mentioned in my earlier post. YES it is possible, and in your case probably the only way.

All you have to do is find the way to remove old account. New one is created automatically - you need to do nothing extra since the provisioning code will take care of this.

I would still stay away from DN, though. If anything I would use sAMAccountName (not sure it is something that changes for you, but still better).

June 19th, 2015 1:50pm
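The delete/add sequence the asker lays out (steps 1 to 3) and the reply confirms can be driven from the MV extension itself rather than from deletion rules. The following is an added example, not code from this thread: it keeps the MA name, the MV attribute ADdistinguishedName and the CS object type FGPP100SQLUser from the posted code, and assumes the SQL MA's deprovisioning option is set to "stage a delete on the next export run" and that the other SQL columns are populated by the MA's export attribute flow rules, as in the asker's working create path.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example (not the poster's code): delete/add approach for a changed anchor.
// Assumes: MA name, MV attribute and CS object type from the thread; SQL MA deprovisioning
// set to "stage a delete on the next export run"; other columns flow via export flow rules.
public class MVExtensionObject : IMVSynchronization
{
    const string SqlMaName = "DGROUPS - USERS SQL MA";
    const string SqlObjectType = "FGPP100SQLUser";

    public void Initialize() { }
    public void Terminate() { }
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { return false; }

    public void Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "FGPPUser100" || !mventry["ADdistinguishedName"].IsPresent)
            return;

        ConnectedMA sqlMa = mventry.ConnectedMAs[SqlMaName];
        string adDn = mventry["ADdistinguishedName"].Value;

        if (sqlMa.Connectors.Count == 1)
        {
            CSEntry existing = sqlMa.Connectors.ByIndex[0];

            // DN unchanged: nothing to do (comparison is case-insensitive, as in the posted code)
            if (string.Equals(existing.DN.ToString(), adDn, StringComparison.OrdinalIgnoreCase))
                return;

            // The anchor (MemberDN) is read-only on an existing connector, so the DN cannot be
            // rewritten in place. Deprovision the stale connector instead; with "stage a delete
            // on the next export run" the old SQL row is removed on the next export.
            existing.Deprovision();
        }

        // No SQL connector exists (first provisioning) or the stale one was just deprovisioned:
        // start a new connector whose DN, i.e. the anchor, is the current AD DN. On the next
        // export the SQL MA inserts the new row, completing the delete/add sequence.
        CSEntry csentry = sqlMa.Connectors.StartNewConnector(SqlObjectType);
        csentry.DN = sqlMa.EscapeDNComponent(adDn);
        csentry.CommitNewConnector();
    }
}
```

Because the old and new connectors have different DNs, both can coexist in the connector space until the export run applies the staged delete and the add.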

I would definitely be using the ObjectGUID as the SQL anchor, and not worry about the downside of the GUID being less pleasing on the eye than a DN. The only alternative is the delete/add scenario you talk about, but it's not worth the effort really. In a troubleshooting scenario it's most likely you will start with either a Metaverse or SQL search; the CS search is also possible, for the minor inconvenience of looking up the GUID in either the MV or AD.
June 19th, 2015 2:07pm


You can certainly do an advanced join on DN, but I highly advise against it, as this may result in a bad join.
June 19th, 2015 5:23pm
