Creation of sync rule with AD only
Hi, I am new to this product of Microsoft and learning through Microsoft TechNet. According to the learning and my requirement, I tried to create a scenario where all data should be synced with AD and ILM only. So for this I created an MA for AD and one for ILM. My question here is, as mentioned under Publishing Active Directory Users From Two Authoritative Data Sources, if I do not use the HR MA for data from a file, can I create my required scenario? If yes, then while creating the AD MA I do not find any attribute for 'FirstName' and 'LastName' so that I can select them in 'Inbound Attribute Flow'. Please help and guide me to understand ILM. Thanks in advance. Mohit Goyal
June 18th, 2009 9:30am
Hi Mohit, of course you can avoid creating an HR text file management agent; the resulting scenario will be even simpler. In Active Directory the first and last name attributes are named 'givenName' and 'sn' respectively. You might use something like AdsiEdit or ldp (which comes with the Remote Server Administration Tools - here's the link for Vista 32 bits) to explore the structure of your existing Active Directory and find out the attribute names you need. Cheers, Paolo
June 18th, 2009 10:31am
Okay, thank you. I made changes to the attribute flow accordingly. I added two users in the ILM Portal, and while checking their dynamic membership I can see those users, and in the user's provisioning I see sync status pending, which I suppose is normal until I run the MA agents. When I run the ILM MA under the full sync profile I get the error "sync-rule-flow-provisioning-failed" and I am stuck. Please help.... Mohit Goyal
June 18th, 2009 10:39am
Hi Mohit, check if the error details in the agent run report give you more details; it's difficult to say what's the cause without more information; maybe you are trying to flow a null value? Cheers, Paolo
June 18th, 2009 12:36pm
If I check the Trace Stack window it gives me the error details "Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector." Is this something related to the outbound sync rule where I create an attribute flow under destination DN= ? If it is, please let me know what I missed. Also, I have created both inbound and outbound rules in one sync rule; I hope it should work. One more thing: when TechNet said we have to take attributes from HR data, we set an anchor as Employee ID, but in my scenario I do not find any option to set an anchor. Does this anchor thing matter? Mohit Goyal
June 18th, 2009 1:06pm
You need to create an outbound flow for the DN attribute and select this flow as initial flow. Cheers, Markus
Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
June 18th, 2009 2:18pm
Hi Markus, I did that and I got success, but the users which got added to AD under the OU mentioned by me are disabled accounts, and if I try to log in through those user accounts into the ILM Portal I end up with no success. Also, I could not find any of the entries I made in the Portal for these users. Did I miss anything apart from the TechNet instructions? I also wanted to know: whenever a new user is created, should a sequence of MAs be run manually? Please help. Thanks in advance......
Mohit Goyal
June 18th, 2009 3:10pm
Hi Mohit, to have enabled accounts you must flow the constant value 512 to userAccountControl in your outbound rule - I think it's mentioned in the "Publishing Active Directory Users From Two Authoritative Data Sources" document, check it. The Management Agents can be run with scripts - click the "Script" button from the "Configure run profiles" dialog to have ILM generate a script for you - then you can run the scripts periodically. Cheers, Paolo
June 18th, 2009 3:34pm
Hi Paolo, I understand it, and I followed each and every step mentioned in this document and passed the value 512 in userAccountControl in the outbound rule, but the account got disabled. I also noticed that in AD none of the information was entered in the user profile, i.e. first name, last name, manager's name etc.; none was present. Also, the user login name was something alphanumeric which is hard to remember. It should come according to the info I entered in the Portal. I don't know what I missed. Mohit Goyal
June 18th, 2009 4:08pm
You have missed updating the flow precedence. The steps are in the document. Cheers, Markus
Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
June 18th, 2009 4:47pm
Part of the reason that the information might not show up is because the precedence was not set correctly. As for the accounts being disabled, this is possible if no password is provisioned.
June 27th, 2009 12:53am
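Added example (not part of the thread and not ILM's own code): a PowerShell check that decodes userAccountControl for provisioned accounts, to tell 512 (enabled) from 514 (disabled) and to see whether a password has been set, the two points raised in the replies above. The account records are constructed samples and Get-UacFinding is a hypothetical helper name.

```powershell
# Documented userAccountControl bit flags (subset relevant to provisioning).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}

# Hypothetical helper: decode one account's flags and classify the result.
function Get-UacFinding {
    param([string]$Name, [int]$UserAccountControl, [long]$PwdLastSet)

    # Names of every known flag whose bit is set in the value.
    $set = @($UacFlags.Keys | Where-Object { $UserAccountControl -band $UacFlags[$_] })

    if ($set -contains 'ACCOUNTDISABLE') {
        # pwdLastSet = 0: no password set yet, or a change is forced at next logon.
        $finding = if ($PwdLastSet -eq 0) { 'disabled, no password set' } else { 'disabled' }
    } elseif ($set -contains 'PASSWD_NOTREQD') {
        # Enabled account that AD allows to have an empty password: review it.
        $finding = 'enabled, password not required'
    } else {
        $finding = 'enabled'
    }

    [pscustomobject]@{
        Name    = $Name
        Value   = $UserAccountControl
        Flags   = $set -join '|'
        Finding = $finding
    }
}

# Constructed sample records. On a live domain the same two properties come from:
#   Get-ADUser -Filter * -SearchBase '<your OU DN>' -Properties userAccountControl,pwdLastSet
$accounts = @(
    @{ Name = 'user1'; UserAccountControl = 514; PwdLastSet = 0 }
    @{ Name = 'user2'; UserAccountControl = 512; PwdLastSet = 128900000000000000 }
    @{ Name = 'user3'; UserAccountControl = 544; PwdLastSet = 0 }
)

$results = foreach ($a in $accounts) { Get-UacFinding @a }
$results | Format-Table -AutoSize
```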
I've hit this same error; it happened because I botched the 'AD Outbound Sync' rule in the portal. Once I'd configured the export flows, they spanned across two pages, so I went to page 1, marked a few as 'initial flow', then went to page 2 and marked the rest as 'initial flow'. Clicking 'Finish and Submit' only remembered the 'initial flow' setting from one of the pages, and the 'employeeID' attribute did not get remembered. In the end I can repro the error, and prove that correcting the flow rule (as Markus pointed out early in the thread) is a good solution.
Craig Martin Oxford Computer Group http://identitytrench.com
August 25th, 2009 7:00am