Could it cause directory sync issues if I place a new AD driver on the
production tree to sync the production tree structure to a new AD forest
instead of the ID Vault? This would include password synchronization as

I currently have an IDM deployment using a flat ID Vault that is the
Identity Authority. The ID vault receives user change information via a
text driver (the data is a PeopleSoft export). The entire tree
structure is flat in the ID vault. User IDs are then sorted into a
production tree placed into appropriate containers in both eDir and AD
based on the users department. Group memberships are still managed
manually at this client site, and are not synchronized to the ID Vault.
All user creations occur in the ID Vault, but it does sync users
created in the production tree as well as the production forest.

The AD forest build was intended just for systems that required AD for
one reason or another; the network has been a long-time eDirectory network.
The company wants to start using AD for users now, and I now need to sync
the production tree with a new AD forest. The new forest is to mirror
the current tree, and sync groups and group memberships as well.
Getting the groups to sync with the ID vault so I could then sync them
with a new AD forest with the existing drivers is just beyond me, and we
are seeking the assistance of IDM consultants to help do this. The
drivers have a lot of XML coding, that a lot of folks that have worked
on these drivers in the past have gotten lost on. I am hoping we can go
another path if the IDM consultants we find are unable to make heads or
tails of these drivers either.

I would like to install an AD driver in mirror mode on the production
tree's IDM engine server and sync it with the new AD forest we need to
build. In this fashion, the driver setup is fairly basic in what it is
doing, simply mirror the production eDirectory tree. I just don't know
IDM well enough to know if this will cause other issues for me. I will
still need to have the ID Vault operational for some time so the legacy
method for inputting users can still be used. So user adds/removes will
first come into the ID Vault, sync to production eDir and Legacy AD.
Then production eDir will sync out to new production AD. I would hope
this would be fine to do, but after past projects that have seen entire
group memberships wiped out, user IDs accidentally deleted, and all
sorts of other damage IDM can do if you don't know it very well, I
thought I would ask.

Thank you
