Synchronization from FIM 2010 to AD I am new to FIM and setting up a FIM 2010 lab as per FIM evaluation guide and when i try to run FIMMA to sync with AD i get the following 2 errors. sync-rule-flow-provisioning-failed Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The partition filter criteria for management agent "Demo local ADMA" do not include an object with DN "CN=Contractors Applications,OU=FIMobjects,DC=Demo,DC=com" and object classes group. Micrsync-rule-flow-provisioning-failedosoft.MetadirectoryServices.ProvisioningBySyncRuleException: The partition filter criteria for management agent "Demo local ADMA" do not include an object with DN "CN=FTE Applications,OU=FIMobjects,DC=Demo,DC=com" and object classes group. Any help to resolve this issue is highly appreciated. Tks

Have you selected the "group" object type in your AD MA as an object of interest?http://setspn.blogspot.com

Also, is OU=FIMobjects,DC=Demo,DC=com selected as one of the Containers in the AD MA?http://www.wapshere.com/missmiis

Hi. Yes "group" is selected under object types in ADMA. "FIMObjects" is slelcted under containers in ADMA. Tks in advance.

What is happening here is that the FIM Sync engine can't find the CS (connector space) OBJECT "OU=FIMobjects,DC=Demo,DC=com" in the connector space - the node in the tree below which it is trying to provision a new group object "CN=FTE Applications". There are a number of possible reasons for this, and 2 have been eliminated. Try the following: Check that you've run a full import on the AD MA ... or a delta import if you have changed the OU structure since you last ran a full import - if you're sure that this exists, do an RDN search on the AD MA CS for "OU=FIMobjects" and make sure it appears in the search results. If you don't see it straight away, try "CN=FIMObjects" in case you've not declared it as an OU. Refresh the AD MA schema ... unlikely cause but worth eliminating Check that you've specified the correct spelling of the "partition filter name" in your sync rule ... you have an outbound rule which has the "create in external directory" checkbox set ON and there are objects which are not matching so FIM is trying to PROVISION a new AD object ... look for the export flow rule for "dn" and make sure that is correct HTHBob Bradley, www.unifysolutions.net (FIMBob?)

Please see Troubleshooting Common FIM Provisioning Errors for more details on this. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

OK got it, it was a silly mistake by me and a typo in the evaluation guide as well. But now i have another question. My sync rules work without errors and the 2 security groups are created in AD but the group memberships is not updated in AD and correct me if i am wrong, but as per my understanding this has to be updated as well. In FIM portal under SG’s the two groups are there and i can successfully view the criteria based membership for both the groups. So is it possible to populate the AD group membership using FIM? if so provide any guidance on it. Tks.

See the How Do I Guides for more details on this. How do I Provision Groups to Active Directory Domain Services explains how to process group membership. Cheers, Markus Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Hi Lakshantha, I got the same error on Full synchronization for FIMMA. What was the typo in evaluation guide and what' the resolution? Thanks in Advance Tek-Nerd

Hi Tek-Nerd, In FIM evaluation guide on page 60 under "To set the groupType" it says, b. On the Source tab, select Number from the attributes list, and then type -2147483646 in the associated textbox. And under "Select Initial Flow Only for the following flows" it says, b. 2147483650=>groupType Notice that its talking about the same object but the last two digits of group type is different from one another so i configured mine to the later one and it worked. Tks.