Wednesday, September 20, 2017

Announcing Lithnet AutoSync for Microsoft Identity Manager

One of the things that I've always believed was missing from MIM and its predecessors was the ability to automatically 'run' the sync engine. The supported way of 'automating' the sync engine is to develop scripts that call the MIIS WMI methods. However, those scripts usually just cycle through the management agents and run profiles in a predetermined order, at a predetermined interval.

Over the years, I've often thought that there must be a better way than this! When we consider the various operations that can be performed on each management agent, the clues to how to do this start to become clear.

Delta import: Performed when a change occurs in a connected system
Delta synchronization: Performed when an import operation stages changes in a connector space
Export: Performed when a synchronization stages outbound changes in a connector space
Confirming import: Performed when an export leaves unconfirmed imports in the connector space

In all cases except the delta import, the operations occur within the connector spaces of the sync engine itself. This means that the sync engine already has the information needed to know when a sync, export or confirming import is required: it's all right there in the run history. All we really have to do is somehow trigger the initial delta import when we know that changes have been made in the connected system.

Today, I'm releasing my solution to this problem - Lithnet AutoSync.

AutoSync is designed to run the sync engine for you. All you need to do is tell it when to run the import operations. You can do this on a schedule (e.g. every 15 minutes), or in response to an event if your connected system supports change detection. Built-in triggers are provided for Active Directory, LDS, and the MIM service, and you can write your own triggers using PowerShell. I've put a community PowerShell trigger gallery page up where you'll eventually be able to find and share trigger scripts for various systems.

Once the import has been triggered, AutoSync takes care of the rest. If the import results in staged changes in the connector space, a delta sync is performed. If the delta sync stages outbound changes on other management agents, then export operations are performed. After those exports, confirming imports are performed, and the cycle continues.

AutoSync is fast. By ensuring run profiles are executed only when needed, AutoSync keeps the sync engine from doing work it doesn't need to do. When combined with event-based triggers, the sync engine can respond to changes in connected systems in as close to real-time as possible. AutoSync allows for the fastest propagation of changes possible, while respecting the sync engine rules for overlapping run profiles.

AutoSync follows the Microsoft guidelines when it comes to running multiple management agents simultaneously. While import and export operations are allowed to overlap, synchronizations must be run exclusively.
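As an added illustration (not AutoSync's own code, and not the MIIS WMI API), the following constructed Python model shows the decision cycle described in the operations table and the two paragraphs above: only the delta import is triggered from outside, every later run is inferred from connector-space state, and synchronizations are serialized while exports and confirming imports of different MAs are batched. The `ConnectorSpace` counters and the `flows` map are assumptions standing in for the real run history and sync rules.

```python
"""Constructed model of how a run-profile cycle can be derived from connector-space state."""
from dataclasses import dataclass

DELTA_IMPORT, DELTA_SYNC, EXPORT, CONFIRMING_IMPORT = (
    "Delta Import", "Delta Synchronization", "Export", "Confirming Import")


@dataclass
class ConnectorSpace:
    """Assumed per-MA counters; the real engine exposes this via run history."""
    name: str
    staged_inbound: int = 0    # changes an import staged, not yet synchronized
    pending_exports: int = 0   # outbound changes a sync staged, not yet exported
    unconfirmed: int = 0       # exported changes not yet confirmed by an import


def needed_operations(cs):
    """Every operation except the initial delta import follows from CS state."""
    ops = []
    if cs.staged_inbound:
        ops.append(DELTA_SYNC)
    if cs.pending_exports:
        ops.append(EXPORT)
    if cs.unconfirmed:
        ops.append(CONFIRMING_IMPORT)
    return ops


def run_cycle(spaces, source, changes, flows):
    """Trigger a delta import on `source`, then chain follow-on runs until quiescent.
    `flows` maps an MA to the MAs whose CS receives one export per inbound change.
    Returns the ordered run log."""
    log = [(source, DELTA_IMPORT)]
    spaces[source].staged_inbound += changes
    progress = True
    while progress:
        progress = False
        for cs in spaces.values():          # syncs run one at a time, never overlapping
            if cs.staged_inbound:
                for target in flows.get(cs.name, []):
                    spaces[target].pending_exports += cs.staged_inbound
                cs.staged_inbound = 0
                log.append((cs.name, DELTA_SYNC))
                progress = True
        for cs in spaces.values():          # exports may overlap, so batch them
            if cs.pending_exports:
                cs.unconfirmed, cs.pending_exports = cs.pending_exports, 0
                log.append((cs.name, EXPORT))
                progress = True
        for cs in spaces.values():          # confirming imports clear unconfirmed exports
            if cs.unconfirmed:
                cs.unconfirmed = 0
                log.append((cs.name, CONFIRMING_IMPORT))
                progress = True
    return log
```

With no staged changes the cycle stops after the import, which is the whole point: nothing runs unless the run history says it has to.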

AutoSync has been in development for over 18 months, and I'm very happy to be sharing this with you today. A special thanks to Piyush Khandelwal is in order, as this project wouldn't have been possible without his many, many hours of diligent testing, bug-finding and feedback. A big thank you to those who have also helped test over the life of the project including Darren Robinson, Søren Granfeldt, and the whole team back at the office who have put up with untold numbers of pre-release builds.

Head over to GitHub to read the getting started guide, and happy auto-syncing!


Jamie Booth said...

Sweet. We will try this out in our DEV environment. I always thought it was crazy that FIM/MIM didn't offer something like this.

Unknown said...

Hi, looking forward to using this, thank you! Trying to install on a server with 2012 R2 and .NET 4.5 (mentioned as a prerequisite), but the installer says it needs .NET 4.6.1. Does it really though?

Unknown said...

Hi, I'm having issues installing this. I'm supplying the following to the installer: a) a service account that is already in the FIMSyncAdmins group (although the group in named differently on my domain), and b) a domain group name which is the FIMSyncAdmins group name. I get the error:

1: Unable to add '\' to the group ". Please add this user manually to the group and press OK to continue, or press Cancel to exit. Value was invalid. Parameter name: sddForm

Any ideas where I am going wrong? I am specifying the account and group names in the format domain\name

Ryan Newington said...

Yeah. It does need 4.6.1. I've updated the prerequisite page. Sorry about that.

Ryan Newington said...

The installer is having trouble locating the group and user you specified. If you have already added the service account manually, you can use the SKIPGROUPCHECK flag found in you'll also need to use the build currently in issue 102 to use this flag. If you are wanting to diagnose the root cause, I'm happy to do that, but can you raise a new issue on the GitHub site? It's a little easier to work together there. Cheers, Ryan