All 1 entries tagged Domain
March 28, 2014
It is straightforward to sync objects to and from an untrusted domain with FIM.
When I tried it, it didn’t work at first and I found a bunch of misinformation about whether it’s even possible to have a FIM system in one domain/forest sync objects to an untrusted domain. Some blogs insist there needs to be a forest trust in place, and in one Microsoft example they assume that a trust has been set up. Not so; no trust is needed.
The key is to ensure that both the domain hosting FIM and untrusted domains can resolve each other’s names in DNS - here's how I did it.
Before you configure the AD MA:
1. On the untrusted domain, set up a DNS forwarder to point to the domain that hosts FIM
2. In the domain that hosts FIM, in DNS, set-up a Conditional Forwarder pointing to the untrusted domain. A conditional forwarder tells your domain ‘if you get DNS requests for untrusteddomain, send them to this ip address to be resolved’
TIP: if you want the conditional forwarder to be replicated throughout your AD (seriously, you do) tick the 'Store this...' box. Also, don't worry about the Big Rex X - it goes away once DNS has resolved the netbios name of your untrusted domain.
3. Test your DNS config by pinging the untrusted domain (ping untrusteddomain.myorg.co.uk -4) from the domain that's hosting FIM. Now check that the untrusted domain server can ping the domain that's hosting FIM (ping domain.myorg.co.uk -4). When you can, you’re good to go.
4. Create a new AD MA in the FIM Synchronization manager
5. Configure the connection parameters like this;
6. Click OK, and you should be presented with a list of partitions in the untrusted domain.