AD and ILM provisioning
I would like to test out the use of ILM with AD. I currently have the setup ready to go but have not run it. I will not be using a text delimited file as the accounts are already found in AD. Now the guide ILM "2" (Release Candidate) Publishing Active Directory Users From Two Authoritative Data Sources makes use of the additional file to provision users to both ILM and AD. My setup consists of creating an inbound rule and an outbound rule for AD. When I tried creating an inbound/outbound rule for my AD MA, the outbound information would get wiped out after saving. So I had to create separate rules. Is this the correct way to go?
Also, say I have different OUs and depending on the user's employeeType I would like to have them go into the different OUs, e.g. student to the student OU and faculty to the Active_employee group. Where would I do this? With a rule or a policy? This is an area where I am confused: how to manage my users. Any assistance would be welcomed.
June 29th, 2009 11:24pm
Re. #1
Yes, in the current public build, ILM "2" RC, you have to create separate inbound and outbound synchronisation rules due to a bug. This won't be the case in the next build.

Re. #2
One approach is to create one outbound synchronisation rule for everything except the DN. Then create two other outbound synchronisation rules, one per DN, and configure the DN-rules to depend on the main OSR. In the action w/f where you've configured a synchronisation rule activity, add both of the DN-OSRs to the w/f and use the "Based on attribute value" option, instead of just Add, and change the "Attribute to bind" to Employee Type for each, and enter Student in the student rule and Faculty in the faculty rule.

Apologies for any vague or incorrect terminology. I'm not in front of the portal at the moment but think this is how I did it in one of my labs.

Note. If you're using Student and Faculty for employeeType you'll need to change the default regular expression defined in the binding of that attribute to the person (user) class, i.e. change ^(Contractor|Full Time Employee|Intern)?$ to ^(Student|Faculty)?$
June 30th, 2009 3:07pm
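A pre-flight check for the regex change mentioned in the note above, added here as an example and not code from the thread or from ILM: it runs candidate employeeType values against the default binding pattern and the proposed Student/Faculty pattern, so you can see which values the portal's attribute validation would reject before you edit the binding. The candidate values are constructed for the example.

```python
import re

# Default validation regex bound to employeeType on the person class (quoted in the thread).
DEFAULT_EMPLOYEE_TYPE_PATTERN = r"^(Contractor|Full Time Employee|Intern)?$"
# Replacement pattern suggested in the thread for a Student/Faculty deployment.
STUDENT_FACULTY_PATTERN = r"^(Student|Faculty)?$"

# Constructed sample values: what an inbound flow might carry for employeeType.
SAMPLE_EMPLOYEE_TYPES = ["Student", "Faculty", "Intern", "student", ""]


def validate_employee_types(values, pattern):
    """Map each candidate value to True if it satisfies the binding regex.

    fullmatch() is used so the whole value must match, mirroring the ^...$ anchors.
    The match is case-sensitive, exactly as the anchored pattern is.
    """
    compiled = re.compile(pattern)
    return {value: compiled.fullmatch(value) is not None for value in values}


def rejected_values(values, pattern):
    """Sorted list of values the binding would refuse (these surface as request failures)."""
    results = validate_employee_types(values, pattern)
    return sorted(value for value, ok in results.items() if not ok)


if __name__ == "__main__":
    for name, pattern in (("default", DEFAULT_EMPLOYEE_TYPE_PATTERN),
                          ("student/faculty", STUDENT_FACULTY_PATTERN)):
        print(f"{name}: rejects {rejected_values(SAMPLE_EMPLOYEE_TYPES, pattern)}")
```

Note that the trailing `?` in both patterns makes an empty employeeType valid, and that `student` in lower case is rejected by the new pattern just as `Faculty` is rejected by the default one.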
So let me see if I understand. I create a second and third OSR: in the General Info tab I gave it a name and then for dependency made it depend on the main OSR. The only attribute that will flow will be the DN though. In my action w/f I did include all three OSRs. Would I have to modify my MPR as far as target resources go? This is the one area that still gets me confused. What exactly do the "Target Resource Definition Before Request" and "Target Resource Definition After Request" do? Is there a very good explanation as to what these are for and how to use them?
June 30th, 2009 5:20pm
You might want to take a look at ILM "2" (Release Candidate) Management Policy Rules.

Cheers,
Markus

Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
June 30th, 2009 7:01pm
OK, after doing everything that was stated in earlier posts I get the error: "sync-rule-flow-provisioning-failed" "Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector." I do have the DN value set up in my sync rules and then my workflow calls out all three sync rules, with the second two, as stated, referencing the first and set to go by value. Even when I tried it without this complexity thrown in, a simple setup with only one sync rule and the DN included, I would get this same error. Any ideas as to why I would get the error?
Thanks,
July 15th, 2009 12:47am
Have you checked "initial flow only" for the DN attribute flow?
July 15th, 2009 11:47am
Yes, I have gone through all the guides to verify that all the information is correct. I can't find a reason. I even went back to make sure I had indeed made it an initial flow.
July 15th, 2009 4:33pm
Let me try and give you a clearer picture of what I have done. In following the guide ILM "2" (Release Candidate) Publishing Active Directory Users From Two Authoritative Data Sources I have created an MA for both AD and ILM. I have sync rules as follows:
1st: AD outbound sync rule (initial flow set for userAccountControl, unicodePwd, and sAMAccountName (being used as relationship criteria, therefore I read it had to be set as well))
2nd: AD outbound SR FTE - only DN for users going to the Full Time Employee group, dependent on the first rule (initial flow set)
3rd: AD outbound SR Intern - only DN for users going to the Intern group, dependent on the first rule (initial flow set)
4th: AD inbound sync rule
1 workflow that contains all three action activities:
1st: normal AD outbound sync rule
2nd: AD outbound SR FTE (based on attribute value bound to employeeType and the add value set to Full Time Employee, no remove value)
3rd: AD outbound SR Intern (based on attribute value bound to employeeType and the add value set to Intern, no remove value)
1 management policy: granted rights; requestor: all people; operation: create and modify; target resources: before (all people), after (all people), all attributes; policy workflow: the workflow above.
Run the profiles as stated: ILM = Full Import, Full Sync, Export, Delta Import; AD = FI, FS; precedence set. Since there is no HR I just go ahead and run the Export for ILM again, then DI and FS. At this point of course the error shows up for the test accounts for Britta and Jossef.
Any idea as to where I go wrong?
July 15th, 2009 6:51pm
Yes, in your whole configuration :o)
What you need is one SR for the FTEs, one for the Interns, one MPR that attaches the FTE SR and one for the Intern SR.
FIM does not somehow merge all linked SRs and try to calculate the best solution; SRs are applied SR by SR.
This is why you get the error. The first SR, which is probably also configured to create an object in the target, doesn't have a DN and fails.

Cheers,
Markus

Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
July 15th, 2009 7:10pm
Do you think it is possible to just delete the SRs and recreate them, and this won't corrupt the system? I know in the past it would sometimes happen.
July 15th, 2009 7:21pm
This is why you should take backups (snapshots) of certain configurations.
Yes, RC0 sometimes does not react "nicely" to these types of changes.

Cheers,
Markus

Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
July 16th, 2009 5:33am