Replicated contacts get replicated again!
Hi
I am doing a GAL sync between multiple sites. I have site 1 syncing its mail-enabled users to site 2 in the form of contacts... successfully.
Now I want to sync from site 2 to site 3. On my agent I have only selected 2 OUs. Site2OU & Site3OU. However when I sync from site 2 to site 3, contacts created from site 1 also get synced over!!!!!!! I just don't understand.
I tried moving site 1 contacts to different locations to no avail.
What am I missing here?
May 11th, 2011 11:13am
If you're using classic code provisioning, sometimes you can end up with multiple connectors if you don't actually have a check to see if there is a connector already present.
Simple code snippet to help you out (vb.net):
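    ' Look up the connected MA by name (replace with your management agent's name)
    Dim Connected_AD_MA As ConnectedMA = mventry.ConnectedMAs("Your_MA_Name")
    ' Provision only when this metaverse object has no connector in that MA yet
    If Connected_AD_MA.Connectors.Count = 0 Then
        ' < do all your provisioning here >
    End If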
Clean out the datasource where the duplicate connectors exist and validate that things are working correctly using the preview function. Take an object in the source connector space and run a preview in full synchronization mode and see what happens. That should help you isolate where the duplicate entry is coming from.
Thanks
B
May 11th, 2011 12:54pm
When I go to "Metaverse object properties" / "Connectors" in FIM under properties of the contact.....
I see 4 different connectors. 3 provisioning rules and one join rule.
2 of these provisioning rules and the join rule are from 3 management agents that I created for other sites.
Do I have to disconnect these? If so, how?
I am lost as I see duplicates on other sites. All these started happening after I introduced the 3rd and 4th agent for the new site (3rd site and 4th one coming).
Thanks
May 11th, 2011 1:58pm
It depends on which situation you start from, BUT if you start from a situation where each forest only has mail objects of its own, it's quite easy. Just make sure each forest has a dedicated OU where FIM can create contacts from the other forests. This is an OU completely managed by FIM. In the GAL MA it's referenced as the TARGET I think.
The other OUs in that forest should only contain objects which that forest is authoritative for. These are referenced as the SOURCE OUs I think.
http://setspn.blogspot.com
May 11th, 2011 2:46pm
That's how I have it but it is still replicating contacts that were synced to it.
Site 1:
Fimobjects OU (site1OU, site2OU, site3OU, site4OU)
Only site1OU and site2OU are chosen under "configure directory partitions" / Containers
Target: Site2OU (Has users that need to be synced to other site)
Source: Site1OU (Where contacts get created)
Site 2:
Fimobjects OU (site1OU, site2OU, site3OU, site4OU)
Only site1OU and site2OU are chosen under "configure directory partitions" / Containers
Target: Site1OU (Has users that need to be synced to other site)
Source: Site2OU (Where contacts get created)
May 11th, 2011 2:56pm
Ok, I read your question again, and I'll try to explain. What you are seeing is by design.
This is what your ADs could look like:
AD1:
- OU: Site1 users with mailbox
- OU: GALSYNC
=> GALSYNC will contain contacts of AD2, AD3
AD2:
- OU: Site2 users with mailbox
- OU: GALSYNC
=> GALSYNC will contain contacts of AD1, AD3
AD3:
- OU: Site3 users with mailbox
- OU: GALSYNC
=> GALSYNC will contain contacts of AD1, AD2
The goal of GALsync is to provide each forest with a complete list of all e-mail addresses in use across all forests. So FIM will take the mailboxes of each forest and store those in its metaverse as a person object.
There's always one forest contributing such a person object, whilst ALL other forests will receive a contact for that mailbox in their GALSYNC OU.
I'm not saying you couldn't tune/alter this behavior, but that's how it works out of the box. And I'm leaving mail-enabled users, distribution lists and regular contacts out of the picture for simplicity.
http://setspn.blogspot.com
May 11th, 2011 4:37pm
Understood, but when the 3rd site is introduced to this picture, things go wrong...
The 3rd site replicates "its own users + site 1 contacts + site 2 contacts" and I just don't get it because all I want to get back is 3rd site user contacts :-(
I checked my agent. I have only chosen the required OUs (not other site OUs).
Here is the message I get when I run "full sync" or "delta sync".
Microsoft.MetadirectoryServices.UnexpectedDataException: An authoritative Microsoft.MetadirectoryServices.Impl.CSEntryImpl-object in Site1_agent with DN CS Site1_agent user CN=Site1 Test3 user,OU=NYC,OU=FIMObjects,DC=admin,DC=site1,DC=com attempts to join when it should be projected. There is another authoritative object representing the same entity in the metaverse: CS Site2_agent user CN=Site2 Test3 user,OU=NYC,OU=FIMObjects,DC=admin,DC=site1,DC=com . This object will not be propagated to any other forests until this conflict is resolved by removing or modifying one of the objects so that they no longer collide. Also Microsoft Identity Integration Server will try to maintain these objects if it has the permissions and may rewrite the attributes unless appropriate action is taken.
May 11th, 2011 4:54pm
This message means there is another object that is an authoritative object (mailbox). It tells you the DN of this object. In this case it is in MA Site1_agent. If you get this when you ran an MA other than Site1_agent, then this means this MA also contains an object that is a mailbox/authoritative object that has similar mail attribute values. GALSYNC is not designed to have a mailbox in multiple places; it assumes you have one mailbox and want contacts in other target environments. If you have users who have mailboxes in multiple environments, then the easiest way to fix this is to move them out of scope; they probably don't need to go through this process anyway if they exist already as mailboxes in more than one AD/Exchange org.
Glenn Zuckerman, Microsoft Product Support
May 13th, 2011 12:11am
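
Added example, not part of the original thread: a PowerShell check for the condition described in the last reply, where mailboxes in more than one forest carry the same mail attribute value. The sample objects, the `Kind` field and the function name `Find-AuthoritativeCollision` are constructed for illustration, and it assumes each forest's mail-enabled objects have been exported with their `proxyAddresses` values.

```powershell
# Constructed sample data: mail-enabled objects exported from each forest.
# Kind = 'mailbox' marks an authoritative object; 'contact' is what GALSync provisions.
$objects = @(
    [pscustomobject]@{ Forest='site1'; Kind='mailbox'; DN='CN=Site1 Test3 user,OU=Site1OU,DC=site1,DC=example'; ProxyAddresses=@('SMTP:test3@example.com') }
    [pscustomobject]@{ Forest='site2'; Kind='mailbox'; DN='CN=Site2 Test3 user,OU=Site2OU,DC=site2,DC=example'; ProxyAddresses=@('SMTP:Test3@example.com','smtp:t3@site2.example') }
    [pscustomobject]@{ Forest='site1'; Kind='mailbox'; DN='CN=Site1 Test1 user,OU=Site1OU,DC=site1,DC=example'; ProxyAddresses=@('SMTP:test1@example.com') }
    [pscustomobject]@{ Forest='site2'; Kind='contact'; DN='CN=Site1 Test1 user,OU=Site1OU,DC=site2,DC=example'; ProxyAddresses=@('SMTP:test1@example.com') }
)

function Find-AuthoritativeCollision {
    param([Parameter(Mandatory)][object[]]$InputObjects)

    # One row per (mailbox, SMTP address); strip the prefix and normalise case.
    $rows = foreach ($o in $InputObjects) {
        if ($o.Kind -ne 'mailbox') { continue }   # contacts in other forests are expected
        foreach ($p in $o.ProxyAddresses) {
            if ($p -match '^smtp:(.+)$') {        # -match is case-insensitive
                [pscustomobject]@{
                    Address = $Matches[1].ToLowerInvariant()
                    Forest  = $o.Forest
                    DN      = $o.DN
                }
            }
        }
    }

    # An address held by mailboxes in more than one forest is a collision.
    $rows | Group-Object Address | Where-Object {
        @($_.Group.Forest | Sort-Object -Unique).Count -gt 1
    } | ForEach-Object {
        [pscustomobject]@{ Address = $_.Name; Owners = $_.Group | Select-Object Forest, DN }
    }
}

# Report each colliding address with the objects that claim it.
Find-AuthoritativeCollision -InputObjects $objects | ForEach-Object {
    '{0} is authoritative in more than one forest:' -f $_.Address
    $_.Owners | ForEach-Object { '  [{0}] {1}' -f $_.Forest, $_.DN }
}
```

With the constructed data only `test3@example.com` is reported; `test1@example.com` is a mailbox in one forest and a contact in the other, which is the normal GALSync layout.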