I have 3 AD drivers, each connected to a separate AD domain. All three domains are in the same AD forest. Provisioning users only. By design, a user in the ID Vault should have an account in only one of the three domains at any time. This is implemented via entitlements.
I am testing the Microsoft Active Directory Migration Tool (ADMT) to migrate users in bulk from one domain to another domain within the forest (intra-forest migration).
I expected the following to work.
1. Migrate the user using ADMT.
2. IDM receives an add event from the new domain and ignores it, because we are using a user account entitlement for each AD domain.
3. IDM receives a delete event from the old domain and transforms that into a remove association event.
4. Grant the entitlement to the new domain, revoke the entitlement to the old domain. This results in associating the user object with the new domain.
My problem is that step 3 never happens. Everything else works fine. I end up with an orphaned association for the old domain.
This is an intra-forest migration with ADMT, and it does not seem to generate a delete event that the IDM driver can see. The object is no longer available in the old domain; I can't find it via Active Directory Users and Computers or an LDAP search.
Does anyone have any experience with ADMT and what it actually does with the object? The ADMT documentation says it "moves" the object. Is it possible to actually move an object between domains within an AD forest, rather than implementing the move as a copy/delete like I expected?
Any suggestions on workarounds? Maybe the add association event in the new domain could trigger the generation of remove association events from the other two domains?
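An added check, not part of the original post and not code from ADMT or the IDM AD driver, that answers the move-versus-copy/delete question for a concrete account: objectGUID is assigned once when an object is created and cannot be set by a client, so if the GUID recorded in the source domain before the migration is live in the target domain afterwards, the object was moved; a copy/delete implementation would have produced a new GUID. It also queries the source domain with -IncludeDeletedObjects, which shows tombstones that ADUC and a plain LDAP search do not. The DC names old.example.com / new.example.com and the account jdoe are placeholders I chose, not values from the post; the ActiveDirectory (RSAT) module is assumed.

```powershell
# Added example, not code from the original post or from ADMT/IDM.
# Placeholders (not from the post): DCs old.example.com / new.example.com, account 'jdoe'.
Import-Module ActiveDirectory

function Get-UserGuidInDomain {
    # Live lookup of one account in one domain; returns $null when it is not there.
    param([string]$SamAccountName, [string]$Server)
    $u = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" -Server $Server
    if ($u) { return [Guid]$u.ObjectGUID } else { return $null }
}

function Test-IntraForestMove {
    # Compare a GUID recorded before the migration with what both domains hold now.
    param([Guid]$RecordedGuid, [string]$OldDomainServer, [string]$NewDomainServer)
    $filter = "objectGUID -eq '$RecordedGuid'"

    # Is there a live object under the recorded GUID in the target domain?
    $inNew = Get-ADObject -Filter $filter -Server $NewDomainServer -ErrorAction SilentlyContinue

    # Is anything, live or tombstoned, left under that GUID in the source domain?
    $inOld = Get-ADObject -Filter $filter -Server $OldDomainServer `
                -IncludeDeletedObjects -Properties isDeleted -ErrorAction SilentlyContinue

    if ($inNew) {
        $verdict = 'Same objectGUID is live in the new domain: the object was moved, not re-created'
    } else {
        $verdict = 'Recorded GUID is not live in the new domain: any object there is a different object'
    }

    [pscustomobject]@{
        RecordedGuid        = $RecordedGuid
        LiveInNewDomain     = [bool]$inNew
        NewDomainDN         = if ($inNew) { $inNew.DistinguishedName } else { $null }
        OldDomainLiveObject = [bool]($inOld -and -not $inOld.isDeleted)
        OldDomainTombstone  = [bool]($inOld -and $inOld.isDeleted)
        Verdict             = $verdict
    }
}

# Usage with the placeholder names:
# Before running ADMT:
#   $guid = Get-UserGuidInDomain -SamAccountName 'jdoe' -Server 'old.example.com'
# After the migration:
#   Test-IntraForestMove -RecordedGuid $guid -OldDomainServer 'old.example.com' `
#       -NewDomainServer 'new.example.com' | Format-List
```

Run the first call before the migration and keep the GUID; the second call then reports the facts separately (GUID live in the new domain, live object or tombstone in the old domain) rather than guessing at ADMT internals, so the result can be compared directly against the association value the IDM driver holds for the old domain.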