We are investigating the possibility of FIM supporting multiple independent customer ADs, i.e., one FIM instance but several AD MAs targeting many forests.
In our dev environment we have 3 separate virtual domains and I can get them talking to each other by editing the hosts file.
When I try to set the password or userAccountControl via FIM I get the Kerberos error. OK, I guess we are forced into putting a complete DNS setup in place for development.
HOWEVER, if I start a PowerShell shell on the FIM server (fim002dfim.fim002d.local) and use ADSI calls I can set the password OK!!! e.g.
# Hunt for the user by employeeID in the customer forest and set the password.
# $employeeid and $newPass were not declared in the original snippet; they are
# taken as script parameters here.
param(
    [Parameter(Mandatory=$true)][string]$employeeid,
    [Parameter(Mandatory=$true)][string]$newPass
)

# Bind to the customer DC with explicit credentials (note: plain-text password as posted;
# in practice prompt for it with Get-Credential rather than hard-coding it).
$MYobjDomain = New-Object System.DirectoryServices.DirectoryEntry "LDAP://cust1dc.cust1.local", "cust1\Administrator", "P@ssW0rd"

$MYobjSearcher = New-Object System.DirectoryServices.DirectorySearcher
$MYobjSearcher.SearchRoot = $MYobjDomain
$MYobjSearcher.PageSize = 1000
$MYobjSearcher.Filter = "(&(objectClass=user)(employeeID=$employeeid))"
$MYobjSearcher.SearchScope = "Subtree"

# FindOne() returns a single SearchResult or $null
$MYuser = $MYobjSearcher.FindOne()
if ($MYuser -eq $null) {
    "No user found on Cust1 with employeeID = $employeeid"
    exit
}

# Re-bind to the user object by its ADsPath (inherits the searcher's credentials)
$MYuserDN = $MYuser.Path
$MYuserObj = [ADSI]$MYuserDN

# IADsUser::SetPassword, then force "must change password at next logon"
$x = $MYuserObj.psbase.Invoke("SetPassword", $newPass)
$x = $MYuserObj.Put("pwdLastSet", 0)
$x = $MYuserObj.SetInfo()

"Password reset"
I am curious why FIM access via the AD Management Agent is so different from ADSI.
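One way to see why the two behave differently, as an added diagnostic that is not part of the original post: the hosts-file workaround lets a plain LDAP bind with explicit credentials succeed (Negotiate falls back to NTLM when no Kerberos ticket can be obtained), but it cannot supply the DNS SRV records a Kerberos client uses to locate a KDC and build the DC's SPN. The script below checks, for each target forest, whether those SRV records resolve and whether an LDAP bind works with Kerberos only versus Negotiate. The forest and DC names are taken from the post (cust1.local / cust1dc.cust1.local); the credential prompt and the `Test-LdapBind` helper are assumptions of this example, and `Resolve-DnsName` requires PowerShell 3 or later on Windows 8 / Server 2012 or later.

```powershell
# Added diagnostic, not code from the original post: per target forest, verify the DNS
# locator records Kerberos needs and compare a Kerberos-only LDAP bind with a Negotiate bind.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Target forests: first entry from the post; further entries are placeholders to fill in.
$targets = @(
    @{ Forest = 'cust1.local'; Dc = 'cust1dc.cust1.local' }
    # @{ Forest = 'cust2.local'; Dc = 'cust2dc.cust2.local' }
)

# Prompt once instead of hard-coding a password in the script.
$cred = Get-Credential -Message 'Account used to bind to the customer forests (e.g. cust1\Administrator)'

function Test-LdapBind {
    param(
        [string]$Server,
        [System.DirectoryServices.Protocols.AuthType]$AuthType,
        [System.Management.Automation.PSCredential]$Credential
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = $AuthType
    $conn.SessionOptions.Signing = $true   # require integrity protection on the session
    $conn.SessionOptions.Sealing = $true   # require encryption on the session
    try {
        $conn.Bind($Credential.GetNetworkCredential())
        return 'OK'
    } catch {
        return "FAILED: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

foreach ($t in $targets) {
    Write-Host "=== $($t.Forest) ==="

    # 1. Locator records: a hosts file can map a name to an address but cannot answer
    #    SRV queries, so Kerberos DC/KDC location fails without real DNS.
    foreach ($srv in @("_ldap._tcp.dc._msdcs.$($t.Forest)", "_kerberos._tcp.$($t.Forest)")) {
        try {
            $rec = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop
            $hosts = ($rec | ForEach-Object { $_.NameTarget }) -join ', '
            Write-Host ("SRV {0,-40} -> {1}" -f $srv, $hosts)
        } catch {
            Write-Host ("SRV {0,-40} -> NOT FOUND (Kerberos cannot locate a KDC)" -f $srv)
        }
    }

    # 2. Kerberos only (what a Kerberos-requiring client needs), then Negotiate
    #    (Kerberos with NTLM fallback, which is what makes the ADSI path "just work").
    foreach ($auth in 'Kerberos', 'Negotiate') {
        $result = Test-LdapBind -Server $t.Dc -AuthType $auth -Credential $cred
        Write-Host ("Bind {0,-9} to {1,-25} -> {2}" -f $auth, $t.Dc, $result)
    }
}
```

If the SRV lookups report NOT FOUND and the Kerberos bind fails while the Negotiate bind succeeds, the environment is running on NTLM fallback, and any component that insists on Kerberos will fail until the development forests have proper DNS (conditional forwarders or stub zones for each customer forest rather than hosts-file entries).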