All entries for March 2014

March 28, 2014

How to get FIM to synchronize to an untrusted domain

It is straightforward to sync objects to and from an untrusted domain with FIM.

When I tried it, it didn’t work at first and I found a bunch of misinformation about whether it’s even possible to have a FIM system in one domain/forest sync objects to an untrusted domain. Some blogs insist there needs to be a forest trust in place, and in one Microsoft example they assume that a trust has been set up. Not so; no trust is needed.

The key is to ensure that both the domain hosting FIM and untrusted domains can resolve each other’s names in DNS - here's how I did it.

Before you configure the AD MA:

1. On the untrusted domain, set up a DNS forwarder to point to the domain that hosts FIM

new conditional forwarder

2. In the domain that hosts FIM, in DNS, set-up a Conditional Forwarder pointing to the untrusted domain. A conditional forwarder tells your domain ‘if you get DNS requests for untrusteddomain, send them to this ip address to be resolved’


TIP: if you want the conditional forwarder to be replicated throughout your AD (seriously, you do) tick the 'Store this...' box. Also, don't worry about the Big Rex X - it goes away once DNS has resolved the netbios name of your untrusted domain.

3. Test your DNS config by pinging the untrusted domain (ping -4) from the domain that's hosting FIM. Now check that the untrusted domain server can ping the domain that's hosting FIM (ping -4). When you can, you’re good to go.

4. Create a new AD MA in the FIM Synchronization manager

5. Configure the connection parameters like this;


6. Click OK, and you should be presented with a list of partitions in the untrusted domain.

March 2014

Mo Tu We Th Fr Sa Su
Feb |  Today  | Apr
               1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

Search this blog



Blog archive

Not signed in
Sign in

Powered by BlogBuilder