MIM 2016 SP2: Manager Attribute Synchronization to AD

celsoglima 371 Reputation points
2021-02-18T22:30:49.84+00:00

I am working on synchronizing the manager attribute to AD, and I am a bit confused why it is not working. The attribute is synchronizing correctly from the data source into the metaverse and the MIM portal. All that is working as expected. I have been reading a lot of the posts in the now archived TechNet forum, and I have been under the impression that once the relationship between the objects is established in the metaverse, the synchronization to AD is handled automatically by the synchronization engine if the attribute mapping exists.

I am using a portal synchronization rule for the AD MA. The attribute is selected in the AD MA and mapped in the synchronization rule.

Did I misunderstand the part that this should work pretty much out of the box once the attribute mapping in the synchronization rule was set? I have tested my setup a few times now with combinations of data import/export, but the synchronization to AD is not happening. Does the anchor attribute in the data source have to be an anchor attribute in AD as well? I am assuming everything in AD is handled with the SSID, right?


Accepted answer
  1. celsoglima 371 Reputation points
    2021-02-25T23:22:43.407+00:00

    Hey Leo,

    Just to let you know I have resolved the issue I was having with the manager attribute not synchronizing to AD as expected. It turned out to be an issue with my data set. I am using a transition MPR to create users in AD. A while back I made a few changes to this test environment as part of something I was testing that affected a good number of user objects in a way I had not realized. I had EREs removed from user objects that were not added back. Once I took care of that and restored the data set to the state it was supposed to be, the manager attribute started flowing as expected. The presence of the test user objects (employee/manager) in the AD MA connector space threw me off. I was focusing on them being there and did not see they were not complete, which would be an indication something was not set up correctly!

    Thank you so much for taking the time to look at my post and try to help me. I do appreciate that!

    Celso

    1 person found this answer helpful.
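
A check for the condition described in the accepted answer, as an added example that is not part of the original thread: it lists MIM Portal users that have no Expected Rule Entry (ERE) attached. It assumes the FIMAutomation snap-in is available, that it runs on the MIM Service server, and that the service listens on the default `http://localhost:5725` endpoint; adjust the URI for your environment.

```powershell
# Added example: list MIM Portal users that have no Expected Rule Entry (ERE).
# Assumptions: FIMAutomation snap-in installed, default MIM Service endpoint.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$uri = 'http://localhost:5725/ResourceManagementService'   # assumed default endpoint

# FIM XPath dialect: Person resources whose ExpectedRulesList
# does not reference any ExpectedRuleEntry resource.
$xpath = '/Person[not(ExpectedRulesList = /ExpectedRuleEntry)]'

# Helper (name is illustrative): read one single-valued attribute from an exported resource.
function Get-AttributeValue($exportObject, [string]$name) {
    $attr = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if ($attr) { $attr.Value }
}

# @() keeps the result an array even when zero or one resource is returned.
$missing = @(Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $xpath)

$missing | ForEach-Object {
    [pscustomobject]@{
        ObjectID    = $_.ResourceManagementObject.ObjectIdentifier
        AccountName = Get-AttributeValue $_ 'AccountName'
        DisplayName = Get-AttributeValue $_ 'DisplayName'
    }
} | Sort-Object AccountName | Format-Table -AutoSize

Write-Host "$($missing.Count) user(s) without an ERE"
```

Accounts that were never meant to be provisioned by a synchronization rule (for example the built-in portal administrator) will also appear in the output, so compare the list against the users the transition MPR should cover.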

4 additional answers

  1. Leo Erlandsson 1,656 Reputation points
    2021-02-23T07:18:50.04+00:00

    Hi,

    This should indeed work, and we flow manager to AD for most customers.

    I see you've ensured that manager correctly flows into the MetaVerse. What does your portal sync rule look like? manager => manager ?

    Could it be precedence? Have you tried manually syncing an object (previewing) and checking what it looks like there?

    You will need to have the manager in the AD Connector Space, and also the manager in the MetaVerse (and joined correctly).

    This should be an out-of-the-box thing really, yes.

    Br,
    Leo


  2. celsoglima 371 Reputation points
    2021-02-23T22:07:17.807+00:00

    Hey Leo,

    The mapping in the sync rule is manager => manager, and there is only one import flow from the data source. Do I need to have an import flow from the portal to the metaverse as well?

    The manager as a user object does exist in the connector space of the AD MA, and I tried the preview sync a couple of times which includes the manager attribute, but it shows no value assigned to it on the AD MA.

    I don't know if this matters, but I am importing the employee id from the data source as the anchor ID, but the same employee ID is not being used in the AD MA. I am using a different value that derives from the employee ID which maps to samAccountName.

    Celso


  3. Leo Erlandsson 1,656 Reputation points
    2021-02-24T07:35:26.233+00:00

    Hi,

    An import flow from the data source to the MetaVerse should suffice.
    That you only have one import flow rules out Precedence problems (otherwise it could be that AD is more precedent than the data source).

    That you're using different anchors for AD and the data source should not matter, as long as the MetaVerse just shows the right information about manager.

    Could you please post some screenshots of the person in the MetaVerse, and also your preview sync against the AD Connector?

    Br,
    Leo


  4. celsoglima 371 Reputation points
    2021-02-24T17:13:24.707+00:00

    Hey Leo,

    I am going to have to get back with you on the screenshots at another time. I just noticed an issue with this test box I am using. I am not sure how I missed this, but there is a good number of attributes not flowing to AD despite them being included in the synchronization rule. I must have some data or configuration corruption. Let me fix that first as it might be the reason why the manager attribute is not flowing as expected. I will get back with you as soon as I can.

    Celso

