QMM Migration Merge of user accounts does not appear to be working

Hi All,

I've got a strange issue which I can't seem to work out why it's happening.

Setup is single domain pair from Domain A to Domain B.

Domain B already has pre-created accounts based on the accounts in Domain A. This is done using FIM. So, effectively, Domain B has a clone of Domain A accounts, but not all attributes.

I have a Dir Sync set up, focused on one OU (and subtree) in Domain A, which will only sync objects if that object has ExtensionAttribute3 set. The sync is set up to skip certain attributes because they are already synced using FIM. sAMAccountName is one of the attributes being skipped.

The domain pair was initially set up to Object Match on SID History and Email.

Adding a value to the ExtensionAttribute3 in Domain A, in the source OU, syncs the account attributes from Domain A to Domain B.

That all works fine. If I make a change to an account in Domain A covered by the sync setup, it gets replicated across.

However, under the Domain A source OU, I have accounts that don't have a primary SMTP address and thus when I set ExtensionAttribute3, they don't get synced to Domain B. This, I expect, is because I have only got Object Matching on SIDHistory and Email.

With this in mind, I turned on AccountName object matching, since the same sAMAccountName exists in both domains. Having turned this on and run an initial sync, I still do not get these accounts synced across. The service attributes are not set.

If I try and do a migration session on one of these accounts, I get the Conflict of attribute for sAMAccountName. If I skip sAMAccountName in the migration session, it creates a new account in target domain with a $ random number sAMAccountName. In the DSA log it still complains about a conflict. Well, there will be, as both domains have the same sAMAccountNames.

I don't understand why, since I have enabled AccountName matching, the sync isn't working, and also why, when I do a migration session (with merge account, don't create new), it insists on creating new.

What have I missed?

Many thanks for taking the time to read this, if you got this far.

  • You can skip SamAccountName and Match using SamAccountName. If you want to match accounts with different SamAccountNames, you have to use a migration session and an import file.

  • Thanks Jeff, but I've already done that. It doesn't appear to be matching on sAMAccountName. I don't want to change sAMAccountNames so I don't need to use a migration session and import file.

  • One letter off, You CAN'T skip the SamAccountName AND match using the SamAccountName rule. 

    So the domain pair has to have the Account Name matching rule enabled. Using a tab-delimited import file for a migration session (see sample below), use a migration session to merge the objects, and you can skip the samAccountName attribute in the directory sync settings.

    Sample import file

    samaccountname<TAB>samaccountname<CRLF>
    Betty.Smith<TAB>BSmith<CRLF>

    If you skip the samaccountname attribute, the tool can NEVER match using that rule, so it creates a new object. Since the samaccountname is skipped, when it creates the object the samaccountname, a required attribute, is written as $QMMxxxxxxxx.

  • OK...

    I'm not changing the sAMAccountName though. So, how would the import file look then?

    I just tried a normal migration session with the account, with AccountName enabled on the pair and sAMAccountName unticked on the session, and it still didn't match and created a new account with a $ sAMAccountName.

  • The import file would contain:

    samaccountname<tab>samaccountname

    <desired source object sam><tab><desired matching target object sam>

    You must NOT skip samaccountname in the migration session.

    You must have the Account Name matching rule enabled on your domain pair.

  • Also, select the "Merge and leave" option in your migration session.

  • If you are not changing the samaccountname, why skip it in the first place?

    1. Make sure the Account Name matching rule is enabled in the domain pair. 

    2. Run a migration session and do NOT skip the samaccount name. 

    The objects will match and merge. If it does not, you are doing something else you have not disclosed.

  • Thanks Jeff, that seems to have fixed it. Well, corrected my understanding.

    The reason why I skipped sAMAccountName was because FIM was doing that job. Anyway, I did as you say..

    1. Make sure the Account Name matching rule is enabled in the domain pair. 

    2. Run a migration session and do NOT skip the samaccount name.

    3. Used an import file <TestUser1><TAB><TestUser1>

    4. Set ExtensionAttribute3 and it's in the Dir Sync.

    Merge was already set on the session job.

    Thanks for your input. Much appreciated
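
The import file layout described in the replies above (header row, one source/target pair per line, tab-separated, CRLF line ends), as an added example that is not part of the original thread or the migration tool's own code. The function names, the duplicate check and the character/length checks are assumptions added for illustration; the thread specifies only the layout.

```python
# Added example: build and sanity-check the tab-delimited import file.
ILLEGAL = set('"/\\[]:;|=,+*?<>')   # characters AD rejects in sAMAccountName
MAX_LEN = 20                        # SAM limit for user logon names
HEADER = "samaccountname\tsamaccountname"  # header row as shown in the thread


def check_name(name):
    """Return a list of problems found in one sAMAccountName value."""
    problems = []
    if not name or name != name.strip():
        problems.append("empty or padded with whitespace")
    if any(c in "\t\r\n" for c in name):
        problems.append("contains a tab or line break (breaks the file format)")
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted(ILLEGAL & set(name))
    if bad:
        problems.append("illegal characters: " + " ".join(bad))
    return problems


def build_import_file(pairs):
    """pairs: (source_sam, target_sam) tuples. Returns (text, errors)."""
    errors, rows = [], []
    seen = {"source": {}, "target": {}}
    for n, pair in enumerate(pairs, 1):
        for side, value in zip(("source", "target"), pair):
            errors += [f"row {n} {side} {value!r}: {p}" for p in check_name(value)]
            key = value.lower()  # AD compares sAMAccountName case-insensitively
            if key in seen[side]:  # assumed check: one row per account on each side
                errors.append(f"row {n} {side} {value!r}: duplicate of row {seen[side][key]}")
            seen[side].setdefault(key, n)
        rows.append("\t".join(pair))
    if errors:
        return None, errors
    return "\r\n".join([HEADER] + rows) + "\r\n", []  # explicit CRLF line ends


def write_import_file(path, text):
    # newline="" stops Python translating the CRLFs already in the text.
    with open(path, "w", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Constructed sample pairs, using the names quoted in the thread.
    text, errors = build_import_file([("Betty.Smith", "BSmith"), ("TestUser1", "TestUser1")])
    print(errors or repr(text))
```

Rows that map an account to itself, as in the last reply, pass unchanged; a non-empty error list means no file text is produced.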