I get the list of groups from SQL Table and synchronize them to FIM. That seems to be working OK. But how do I synchronize the members of the group to FIM since member is a reference attribute? The members are also in a SQL Table. Thank you in advance

You can find the gist of this (e.g.: how you need to setup your SQL tables) in Synchronizing Active Directory Objects to SQL Server and Synchronizing SQL Server Objects to Active Directory. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Thank you Markus, One issue I encountered is that on the export Synchronization service is trying to create the person object again although they already exist in the portal. Export fails with the error: <AttributeType>AccountName</AttributeType><AttributeValue></AttributeValue><FailureMessage> The specified attribute value must be unique for this Resource Type.</FailureMessage> <AttributeFailureCode>ValueViolatesUniqueness</AttributeFailureCode></AttributeRepresentationFailure></RepresentationFailures> What sould I be looking for to fix that?

Thank you Markus, I followed the guidelines in the document and created two SQL tables with objects and another one with references. The object table has 3 objects: 1 User U1 2 User U2 3 Group G1 References table is like this: 3 member 1 3 member 2 On the management agent the anchor is ObjectID, multi-value attribute column is ReferenceID. In the metaverse I didn’t create new Object types for users and groups, I just use the built in ones. In the Inbound synchronization rule: scope is group, relationship criteria is AccountName to SamAccountName. Users with account name U1 and U2 are already synchronized in the FIM Data Store. They were created by a different MA. One issue I encountered is that on the export to FIM Synchronization service is trying to create the person object again although they already exist. Export fails with the error: <AttributeType>AccountName</AttributeType><AttributeValue></AttributeValue><FailureMessage> The specified attribute value must be unique for this Resource Type.</FailureMessage> <AttributeFailureCode>ValueViolatesUniqueness</AttributeFailureCode></AttributeRepresentationFailure></RepresentationFailures> What sould I be looking for to fix that?

If the objects do already exist, you need to check your relationship criteria. The objects from your new SQL MA should join to the existing object in the metaverse. You could use, for example, accountName as relationship criterion. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

If the objects do already exist, you need to check your relationship criteria. The objects from your new SQL MA should join to the existing object in the metaverse. You could use, for example, accountName as relationship criterion. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Hello Markus, I am using accountName in the relationship criteria. It seems that I am doing something wrong though. The SQL Server MA has a Username attribute which flows to the accountName attribute in MV. Username = SamAccountName in the Active Directory. Username is also an Anchor in SQL MA. The relationship criteria on the ISR is accountName = Username. Originally the User accounts got created by a different SQL MA. The anchor on this SQL MA is a UserID (which is a numeric ID, not username). The Relationship in SQL MA is EmployeeID = UserID. Both Username and UserID uniquely identify users. I tried making both Synchronization rules to have same relationship attribute instead of using EmployeeID I used Username on both MAs. With this change I still get the same error message. Do I need to specify any join rule? Thank you so much for your help.

Hello Markus, I am using accountName in the relationship criteria. It seems that I am doing something wrong though. The SQL Server MA has a Username attribute which flows to the accountName attribute in MV. Username = SamAccountName in the Active Directory. Username is also an Anchor in SQL MA. The relationship criteria on the ISR is accountName = Username. Originally the User accounts got created by a different SQL MA. The anchor on this SQL MA is a UserID (which is a numeric ID, not username). The Relationship in SQL MA is EmployeeID = UserID. Both Username and UserID uniquely identify users. I tried making both Synchronization rules to have same relationship attribute instead of using EmployeeID I used Username on both MAs. With this change I still get the same error message. Do I need to specify any join rule? Thank you so much for your help.

This looks so far good to me. The relationship criteria is your join rule. You need to examine the object(s) that is causing the error to be raised. The question is whether the error comes from a dupe (as you know AccountName must be unique) or from a join that fails for some reason. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Interesting thing, if I first export group with a placeholder for user that doesn't exist in FIM yet and after that export the user object. The user object gets created without any errors and the group gets the user reference in the member attribute. Is that normal? I thought that I have to create the user object first and then populate the member attribute.

I had to create users and groups from the same SQL table that contains both Person and Group objects, instead of using two separate tables and two MAs, like I did originally.

Hello Markus, So to make it work I had to create Users and Groups from the same SQL table tblObjects where attributes for both resource types are mixed together. Is there a way to divide the different Object types to different tables? What if I have SamAccountName in Anchor for groups and Users have EmployeeID in Anchor? Thank you in advance for your help, Svetlana

The objects must have the same anchor - something like samAccountName is a bad anchor since this attribute is likely to be changed. To avoid trouble, you should not use it as anchor. While you can work with views, you are better of using something like SSIS to create the data you need for FIM. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Thank you Markus, I guess I can use ObjectID for groups anchor then. I see FIM has ObjectID attribute for groups. Alghough Active Directory doesn’t have it. Microsoft’s example “How Do I Provision Groups to AD DS” uses SamAccountName as Relationship criteria…Does it mean I need to use ObjectID for Anchor and SamAccountName in Relationship for provisioning synchronization rule? I use actual tables for data sources. When you suggest using SSIS do you mean it is better to transform source data for FIM into a delimited file instead of table? Is it faster? Is it easier to manage creation of Groups, Users and Group Memberships? Could you clarify for me please? Thank you again, Svetlana

Thank you Markus, I guess I can use ObjectID for groups anchor then. I see FIM has ObjectID attribute for groups. Alghough Active Directory doesn’t have it. Microsoft’s example “How Do I Provision Groups to AD DS” uses SamAccountName as Relationship criteria…Does it mean I need to use ObjectID for Anchor and SamAccountName in Relationship for provisioning synchronization rule? I use actual tables for data sources. When you suggest using SSIS do you mean it is better to have source data for FIM in a delimited file instead of table? Is it faster? Is it easier to manage creation of Groups, Users and Group Memberships? Could you clarify for me please? Thank you again, Svetlana