We want to use FIM to provision user accounts between domains located in separate AD forests.
I've managed to install FIM Sync Service > create a new AD MA > import & sync user accounts from source AD to the MV but I'm struggling to get the user accounts to export to the new target domain.
Can we do this with just the FIM Synchronisation Service or do we need to install the web portal as well? I've been reading articles which suggest I need the web portal.
Any advice appreciated...
Maybe OT? ....configuring FIM 2010 R2....
- 72 Views
- Last Post 22 June 2015
A previous list member mentioned the requirement to create some code to provision users so we may opt for that in the short term. My colleague is hoping to get funding for this.
What I found interesting was your comment on PCNS....we wanted to configure FIM with PCNS to handle the sync of passwords between the two forests but I'm led to believe it requires a two way forest trust for it to be supported in production which is something we can't create due to political reasons. Have you heard this?
I thought AAD Sync could sync identities and passwords between on-prem and azure without PCNS so why would FIM be any different?
Correct, you don’t need the FIM portal to create users but you do have to plug some code in. The portal does make it codeless but also brings in
Also, FIM can’t sync passwords between AD’s on its own, you need to configure PCNS and then PWs will be updated in the target when users change
them in the source.
Whether or not you need the FIM Portal (and FIM Service) is up to you… The FIM Portal brings you declarative provisioning. Which means you can easily provision
users to targets like AD without writing code. The downside is that it requires user licenses (CAL). The alternative is to write some code yourself and just get everything done in the Synchronization service.
The code to provision to AD is pretty simple. Here’s a sample: