Workflows had assigned a handful of Synchronization Rules to the user as Expected Rule Entries (EREs), but those rules had already been applied to the user when it was first created and provisioned.
These duplicate EREs, when flowed from the FIM Service to the FIM Synchronization Service, were what was throwing the errors.
The Synchronization Service was smart enough to know that the provisioning event was not required, because an existing ERE had already been assigned.
When the Sync Service flows the status of the duplicate ERE back to the FIM Service, the duplicate is deleted and world order is restored with this ‘magic’.
I didn’t find much in the forums or public domain about this scenario, so I hope this helps somebody in the future.
I’m now working on getting the full synchronization cycle actioned!
Everything was going well right up to the point where I went to export changes to the two AD Forests that were separated by firewalls.
I received the ‘kerberos-no-logon-server’ error, shown below, in the run profile output.
I have a complex customer environment where Microsoft Identity Manager is managing identities across three Active Directory Forests. The Forests all serve different purposes and are contained in different network zones. Accordingly, there are firewalls between the zone where the MIM Sync Server is located and two of the other AD Forests, as shown in the graphic below.

But I did stumble on a mention of Kerberos being used when provisioning users to Active Directory and setting the initial password. I had provided the networking engineers with my firewall port requirements. Those are (no PCNS required for this implementation):

My old school immediate thought was to Telnet to each of the ports to see if the firewall was allowing me through. But with a couple of forests to test against, and UDP ports as well, it wasn’t going to be that easy.
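One way to replace the Telnet-per-port approach with a single pass over every forest and every TCP and UDP port, run from the MIM Sync server itself. This is an added example, not code from the original post: the forest and domain controller names are placeholders, and the port list is an assumed, typical set of AD management agent requirements that should be replaced with the engineer's own list (Telnet cannot test UDP at all; here a probe datagram is sent and the reply, ICMP port-unreachable, or silence is reported).

```powershell
# Added example: multi-forest firewall port check for a MIM Sync server.
# Not from the original post. Host names and the port list are assumptions
# and should be replaced with the real requirements handed to the network team.

# Constructed sample targets: one domain controller per remote forest (placeholders).
$Targets = @(
    @{ Forest = 'forest-a.example'; Host = 'dc01.forest-a.example' },
    @{ Forest = 'forest-b.example'; Host = 'dc01.forest-b.example' }
)

# Assumed port list (typical AD MA needs; replace with your own requirements).
$Ports = @(
    @{ Port = 88;   Protocol = 'TCP'; Purpose = 'Kerberos' },
    @{ Port = 88;   Protocol = 'UDP'; Purpose = 'Kerberos' },
    @{ Port = 389;  Protocol = 'TCP'; Purpose = 'LDAP' },
    @{ Port = 389;  Protocol = 'UDP'; Purpose = 'LDAP (DC locator ping)' },
    @{ Port = 636;  Protocol = 'TCP'; Purpose = 'LDAPS' },
    @{ Port = 3268; Protocol = 'TCP'; Purpose = 'Global Catalog' },
    @{ Port = 53;   Protocol = 'TCP'; Purpose = 'DNS' },
    @{ Port = 53;   Protocol = 'UDP'; Purpose = 'DNS' }
)

function Test-TcpPort {
    # Returns 'Open', 'Timeout' (typically dropped by a firewall) or 'Refused/Blocked'.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Timeout' }
        $client.EndConnect($async)
        return 'Open'
    } catch {
        return 'Refused/Blocked'
    } finally {
        $client.Close()
    }
}

function Test-UdpPort {
    # UDP has no handshake, so this sends a small probe and classifies the outcome:
    # a reply proves the path; an ICMP port-unreachable proves the path but no
    # listener; silence means either a firewall drop or a service that ignores junk.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.UdpClient
    $client.Client.ReceiveTimeout = $TimeoutMs
    try {
        $client.Connect($ComputerName, $Port)
        $probe = [byte[]](0x00, 0x00, 0x00, 0x00)   # deliberately minimal datagram
        [void]$client.Send($probe, $probe.Length)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        [void]$client.Receive([ref]$remote)
        return 'Reply'
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap method-invocation wrapper
        if ($ex.SocketErrorCode -eq 'ConnectionReset') { return 'Port unreachable (ICMP)' }
        if ($ex.SocketErrorCode -eq 'TimedOut')        { return 'No reply (filtered or silent)' }
        return "Error: $($ex.Message)"
    } finally {
        $client.Close()
    }
}

# Walk every forest and every port, collecting one row per check.
$Results = foreach ($t in $Targets) {
    foreach ($p in $Ports) {
        if ($p.Protocol -eq 'TCP') {
            $state = Test-TcpPort -ComputerName $t.Host -Port $p.Port
        } else {
            $state = Test-UdpPort -ComputerName $t.Host -Port $p.Port
        }
        [pscustomobject]@{
            Forest   = $t.Forest
            Host     = $t.Host
            Protocol = $p.Protocol
            Port     = $p.Port
            Purpose  = $p.Purpose
            Result   = $state
        }
    }
}

$Results | Format-Table -AutoSize
# Rows that are not 'Open' or 'Reply' are the ones to raise with the firewall team,
# after first ruling out name resolution of the target host from the Sync server.
```

A 'Timeout' on TCP is the classic signature of a firewall silently dropping the SYN, whereas 'Refused/Blocked' usually means the packet reached a host that has no listener (or a firewall that rejects rather than drops). For UDP, treat 'No reply' as inconclusive rather than blocked: Kerberos and DNS will normally answer even a malformed request with an error packet, but a silent result still needs confirming against the firewall logs.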