Important: This little quirk only occurs with the “SharePoint Profile Synchronization” (aka: FIM Sync) option in SharePoint 2010 and 2013. It does not occur with the “Active Directory Import” (aka: AD Import) option available in SharePoint 2013 and 2016. If possible, I recommend switching to AD Import. You can read through switch considerations in my other post here.
Consider the following scenario:
You have an Active Directory forest that consists of 4 domains:
When setting up a User Profile Synchronization connection, you decide to create four separate connections: one for each domain.
After you run profile synchronization, you find that the Organization Browser / Org chart is not right. Some users are missing their managers.
When manager / direct report relationships are cross-domain, the manager reference cannot be made by FIM Sync.
For example: we’ll say that EMEA\User1, APAC\User2, and NA\User3 all report to NA\Manager1. In this case, the manager values for EMEA\User1 and APAC\User2 are blank, while NA\User3 and any direct reports in the NA domain have their manager property populated correctly as NA\Manager1.
This behavior is by design. When you split the forest into multiple Sync connections, you are also splitting it into multiple Management Agents in Forefront Identity Manager (FIM). Manager / Direct Report connections cannot be established across separate management agents.
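To see which profiles are affected before touching any connections, the following added example (not part of the original post) flags every user whose manager lives in a different domain. It assumes one Sync connection per domain, as in the scenario above; the forest name `corp.example`, the `OU=Staff` container and both function names are made up for illustration.

```powershell
# Added example: list manager references that cross a domain boundary.
# Input objects mimic Get-ADUser output (DistinguishedName, Manager).

function Get-DomainFromDN {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    # Collect the unescaped DC= components and join them into a DNS-style name,
    # e.g. "CN=User1,OU=Staff,DC=emea,DC=corp,DC=example" -> "emea.corp.example"
    $parts = [regex]::Matches($DistinguishedName, '(?i)(?:^|(?<!\\),)DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value }
    ($parts -join '.').ToLowerInvariant()
}

function Find-CrossDomainManager {
    param([Parameter(Mandatory=$true)][object[]]$User)
    foreach ($u in $User) {
        if ([string]::IsNullOrEmpty($u.Manager)) { continue }  # no manager set in AD
        $userDomain    = Get-DomainFromDN $u.DistinguishedName
        $managerDomain = Get-DomainFromDN $u.Manager
        if ($userDomain -ne $managerDomain) {
            # With one connection per domain, this reference spans two management agents
            [pscustomobject]@{
                UserDomain    = $userDomain
                ManagerDomain = $managerDomain
                User          = $u.DistinguishedName
                Manager       = $u.Manager
            }
        }
    }
}

# Constructed sample data matching the example above (not real directory entries)
$mgr = 'CN=Manager1,OU=Staff,DC=na,DC=corp,DC=example'
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=User1,OU=Staff,DC=emea,DC=corp,DC=example'; Manager = $mgr }
    [pscustomobject]@{ DistinguishedName = 'CN=User2,OU=Staff,DC=apac,DC=corp,DC=example'; Manager = $mgr }
    [pscustomobject]@{ DistinguishedName = 'CN=User3,OU=Staff,DC=na,DC=corp,DC=example';   Manager = $mgr }
    [pscustomobject]@{ DistinguishedName = $mgr; Manager = $null }
)

# Reports User1 (emea) and User2 (apac); User3 shares the manager's domain
Find-CrossDomainManager -User $sample | Format-Table UserDomain, ManagerDomain, User -AutoSize

# Real input, assuming the ActiveDirectory module is available (run once per domain):
#   Get-ADUser -LDAPFilter '(manager=*)' -Properties Manager -Server <domain-fqdn>
```

Running the same check against the profile store after the merge and the two Full Syncs gives a quick way to confirm that the previously blank manager values are now populated.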
Merge the separate Sync connections into a single Sync connection for the Forest.
Following the example above, we would want to remove the four separate Sync connections and create just one connection for the entire forest. Or optionally, choose one connection to keep and merge the other three into it. This way, all profiles are imported with the same management agent and the manager / direct report relationships can be created successfully.
In this case, a “merge” consists of simply documenting the domains and OUs / containers selected in (for example) Sync Connection A, adding them to Sync Connection B, and then deleting Sync Connection A.
WARNING: to avoid data loss, you must do the following when deleting and re-creating Sync connections:
- Disable the “My Site Cleanup Job” timer job. — This should remain disabled until you’ve run a few Syncs with the new connection and are good with the results.
- Document the current OUs selected, connection filters, and property mappings so that they can be replicated in the new connection.
This is one of the rare situations where it will take more than one Full Sync to fix everything up. After the new connection has been created, you will need to run two Full Syncs. The first one will mark all profiles for deletion because they are linked to a management agent that no longer exists. This is not a problem as long as the My Site Cleanup Job is disabled. You did disable the My Site Cleanup Job, right?
Then the second Full Sync will run through and link all the newly-imported users with their existing user profiles. You shouldn’t lose anything, including profile data that users entered themselves like “about me”, “skills”, “interests”, etc.