Maybe OT? ....configuring FIM 2010 R2....

  • Last Post 22 June 2015
ahobbs posted this 19 June 2015

Hey all
We want to use FIM to provision user accounts between domains located in separate AD forests.
I've managed to install FIM Sync Service > create a new AD MA > import & sync user accounts from source AD to the MV but I'm struggling to get the user accounts to export to the new target domain.
Can we do this with just the FIM Synchronisation Service or do we need to install the web portal as well? I've been reading articles which suggest I need the web portal.
Any advice appreciated...

ThomasVuylsteke posted this 22 June 2015

Whether or not you need the FIM Portal (and FIM Service) is up to you… The FIM Portal brings you declarative provisioning, which means you can easily provision users to targets like AD without writing code. The downside is that it requires user licenses (CAL). The alternative is to write some code yourself and just get everything done in the Synchronization service.


The code to provision to AD is pretty simple. Here’s a sample:

Kind regards,

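The sample code referred to above did not survive in the archive. As an added illustration (not the poster's sample, and not code from the FIM product), the following is a minimal metaverse rules extension of the kind the reply describes: the Synchronization Service calls `Provision` for each metaverse object, and the extension creates a connector in the target AD management agent when none exists yet. The MA name `TargetAD MA`, the attribute names `accountName` and `displayName`, and the container `OU=Users,DC=target,DC=local` are assumed values for this example; substitute your own.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example of a FIM Synchronization Service metaverse rules extension
// (not the original post's sample). Compiled into a DLL and registered
// under Tools > Options > "Enable metaverse rules extension".
// Assumed (hypothetical) values: target MA name, attribute names and target OU.
public class MVExtensionObject : IMVSynchronization
{
    private const string TargetMaName = "TargetAD MA";               // assumed MA name
    private const string TargetContainer = "OU=Users,DC=target,DC=local"; // assumed OU

    public void Initialize() { }
    public void Terminate() { }

    // Called by the sync engine for every metaverse object during provisioning.
    public void Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "person")
            return;

        // Do not provision half-formed objects: both naming attributes are required.
        if (!mventry["accountName"].IsPresent || !mventry["displayName"].IsPresent)
            return;

        ConnectedMA targetMA = mventry.ConnectedMAs[TargetMaName];

        // Already joined to an object in the target forest: nothing to create.
        if (targetMA.Connectors.Count > 0)
            return;

        CSEntry csentry = targetMA.Connectors.StartNewConnector("user");

        // Escape the RDN so a display name containing ',' or '=' cannot
        // change the DN structure, then anchor it under the target container.
        csentry.DN = targetMA.EscapeDNComponent("CN=" + mventry["displayName"].Value)
                             .Concat(TargetContainer);

        csentry["sAMAccountName"].Value = mventry["accountName"].Value;
        csentry["displayName"].Value = mventry["displayName"].Value;

        // 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE: the account is created disabled.
        // It has no password yet; enabling is left to a separate step once a
        // password has been set (for example via PCNS, as the thread discusses).
        csentry["userAccountControl"].IntegerValue = 514;

        csentry.CommitNewConnector();
    }

    // Keep the metaverse object even if the source connector disappears;
    // deprovisioning policy is a deliberate decision, not a default.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```

Creating the account disabled and letting the password flow separately is the conservative choice: an enabled account with no password would either be rejected by the target domain's password policy or, worse, end up usable before its credentials are under control. Attribute flow for everything beyond the naming attributes is better left to the management agent's export attribute flow rules than hard-coded here.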
KenHooveroxfordcomputergroupcom posted this 22 June 2015

Correct, you don’t need the FIM portal to create users but you do have to plug some code in. The portal does make it codeless but also brings in CAL costs.


Also, FIM can’t sync passwords between ADs on its own; you need to configure PCNS, and then PWs will be updated in the target when users change them in the source.

Ken Hoover

ahobbs posted this 22 June 2015

Hi Ken,
A previous list member mentioned the requirement to create some code to provision users so we may opt for that in the short term. My colleague is hoping to get funding for this.
What I found interesting was your comment on PCNS... we wanted to configure FIM with PCNS to handle the sync of passwords between the two forests, but I'm led to believe it requires a two-way forest trust for it to be supported in production, which is something we can't create due to political reasons. Have you heard this?
I thought AAD Sync could sync identities and passwords between on-prem and Azure without PCNS, so why would FIM be any different?
Kind Regards,