How to get FIM to synchronize to an untrusted domain
It is straightforward to sync objects to and from an untrusted domain with FIM.
When I tried it, it didn't work at first, and I found a lot of misinformation about whether it's even possible for a FIM system in one domain/forest to sync objects to an untrusted domain. Some blogs insist there needs to be a forest trust in place, and one Microsoft example assumes that a trust has been set up. Not so; no trust is needed.
The key is to ensure that both the domain hosting FIM and untrusted domains can resolve each other’s names in DNS - here's how I did it.
Before you configure the AD MA:
1. On the untrusted domain, set up a DNS forwarder to point to the domain that hosts FIM
2. In the domain that hosts FIM, in DNS, set up a Conditional Forwarder pointing to the untrusted domain. A conditional forwarder tells your domain 'if you get DNS requests for untrusteddomain, send them to this IP address to be resolved'.
TIP: if you want the conditional forwarder replicated throughout your AD (seriously, you do), tick the 'Store this...' box. Also, don't worry about the big red X; it goes away once DNS has resolved the NetBIOS name of your untrusted domain.
3. Test your DNS config by pinging the untrusted domain (ping untrusteddomain.myorg.co.uk -4) from the domain that's hosting FIM. Now check that the untrusted domain server can ping the domain that's hosting FIM (ping domain.myorg.co.uk -4). When both directions work, you're good to go.
4. Create a new AD MA in the FIM Synchronization manager
5. Configure the connection parameters like this:
6. Click OK, and you should be presented with a list of partitions in the untrusted domain.
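If you would rather script steps 2 and 3 than click through the DNS console, here is an added PowerShell example (my own, not from the original post) to run on a DNS server in the domain that hosts FIM. The domain names, the forwarder address and the LDAP check are assumptions; step 1 is still done on the untrusted side by hand.

```powershell
# Added example, not part of the original post. Run on a DNS server in the
# domain hosting FIM. All names and addresses below are placeholders.
#Requires -Modules DnsServer

$UntrustedZone = 'untrusteddomain.myorg.co.uk'   # assumed: the untrusted domain
$UntrustedDns  = @('192.0.2.10')                  # assumed: a DNS server in that domain
$FimDomain     = 'domain.myorg.co.uk'             # assumed: the domain hosting FIM

# Step 2: create the conditional forwarder. -ReplicationScope 'Forest' is the
# scripted equivalent of ticking the 'Store this...' box, so every DNS server
# in the forest learns the forwarder rather than just this one.
if (-not (Get-DnsServerZone -Name $UntrustedZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $UntrustedZone `
        -MasterServers $UntrustedDns -ReplicationScope 'Forest'
}

# Step 3 (this side): resolve the untrusted domain over IPv4 only, which is
# what 'ping -4' checks. The apex A records are the untrusted domain's DCs.
$resolved = Resolve-DnsName -Name $UntrustedZone -Type A -ErrorAction Stop
"Resolved $UntrustedZone -> $($resolved.IPAddress -join ', ')"

# The AD MA talks LDAP (TCP 389) to a DC in the untrusted domain. Name
# resolution alone is not enough if a firewall sits between the domains, so
# confirm the port is reachable before building the MA.
$dc   = $resolved[0].IPAddress
$ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
if (-not $ldap.TcpTestSucceeded) {
    throw "LDAP to $dc failed; check firewall rules between $FimDomain and $UntrustedZone"
}
"LDAP to $dc OK; now create the AD MA in the FIM Synchronization manager"
```

The reverse check (the untrusted domain resolving domain.myorg.co.uk) must still be run from a server in the untrusted domain, as in step 3.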