Microsoft Recommends That You Run a Full Import After You Restore a Connected Directory (823783)



The information in this article applies to:

  • Microsoft Identity Integration Server 2003 Enterprise Edition
  • Microsoft Identity Integration Feature Pack for Microsoft Windows Server Active Directory

SUMMARY

As a best practice, Microsoft recommends that you run a full import, by using a Full Import (Stage only) run profile, against a connected directory after it has been restored from backup. This practice helps prevent the loss of transactions and keeps your Microsoft Identity Integration Server (MIIS) and Identity Integration Feature Pack (IIFP) directories in synchronization with all the other connected directories.

Microsoft considers this a best practice because many connected directories, such as the Microsoft Active Directory directory service, use a watermark to track transactions. MIIS and IIFP management agents depend on the accuracy of this watermark. However, a restore (of Active Directory, for example) may change the state of the connected directory, and the watermark may then no longer be accurate. Therefore, it is a best practice to run a full import, as opposed to a delta import. A full import discovers the whole directory, but a delta import discovers only changes against the connected directory. When you run a full import, you make sure that a new watermark is established (if the old one is no longer accurate) and that all data has converged. After the full run is performed and data consistency has been verified, scheduled delta runs can be resumed.
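An added example, not from the original article and not MIIS code: a toy Python model of a delta import missing changes after a restore, and of a staged full import reporting the pending changes and resetting the watermark. It assumes the watermark is a simple per-directory sequence number, which is a simplification and not how any particular connected directory implements it; all class and function names are hypothetical.

```python
# Toy model, constructed for illustration; not MIIS code or its API.
import copy

class Directory:  # stamps each write with a rising sequence number (assumed watermark)
    def __init__(self):
        self.objects = {}   # name -> (attributes, usn of last write)
        self.usn = 0

    def write(self, name, attrs):
        self.usn += 1
        self.objects[name] = (attrs, self.usn)

class ManagementAgent:  # keeps a staged copy (connector space) and the last watermark
    def __init__(self):
        self.connector_space = {}
        self.watermark = 0

    def delta_import(self, d):
        # Only objects written after the stored watermark are discovered.
        changed = {n: a for n, (a, usn) in d.objects.items() if usn > self.watermark}
        self.connector_space.update(changed)
        self.watermark = max(self.watermark, d.usn)
        return sorted(changed)

    def full_import_stage_only(self, d):
        # Discover the whole directory, report pending changes, reset the watermark.
        fresh = {n: a for n, (a, _) in d.objects.items()}
        staged = self.connector_space
        pending = {
            "add": sorted(fresh.keys() - staged.keys()),
            "delete": sorted(staged.keys() - fresh.keys()),
            "update": sorted(n for n in fresh.keys() & staged.keys() if fresh[n] != staged[n]),
        }
        self.connector_space, self.watermark = fresh, d.usn
        return pending

def restore_scenario():
    d, ma = Directory(), ManagementAgent()
    d.write("alice", {"title": "Engineer"})
    d.write("bob", {"title": "Analyst"})
    backup = copy.deepcopy(d)                 # backup taken at usn 2
    d.write("alice", {"title": "Manager"})    # usn 3
    d.write("carol", {"title": "Intern"})     # usn 4
    ma.delta_import(d)                        # agent watermark is now 4
    d = copy.deepcopy(backup)                 # restore: directory is back at usn 2
    d.write("dave", {"title": "Auditor"})     # post-restore write reuses usn 3
    missed = ma.delta_import(d)               # 3 > 4 is false: nothing is discovered
    stale = dict(ma.connector_space)          # still reflects the pre-restore state
    pending = ma.full_import_stage_only(d)    # whole directory compared, watermark reset
    return missed, stale, pending, ma.watermark
```

In this model the delta import after the restore returns nothing, while the staged full import surfaces one add, one delete and one update for review before any synchronization step runs.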

Microsoft also recommends, if it is relevant to the connected directory architecture and configuration, that you make sure that replication between directories has occurred if older data is being restored to the server that the MIIS management agent will ultimately connect to. This is not required, because data will eventually converge. However, you may experience unexpected issues on the metaverse and on other connected directories if you do not make sure that replication between directories has occurred in this scenario.

For example, consider a scenario where both of the following conditions are true, and therefore objects are missing in the restored version of the directory:
  • The backup is an older version of the directory.
  • Replication from a new version is unsuccessful (fails).
Depending on the metaverse object-deletion rules and the Management Agent (MA) deprovisioning options that are configured, metaverse objects and other provisioned connected directory objects may be deleted. After replication is restored, the missing objects will be cycled through the system; however, after the missing objects are found, they may have different security identifiers (SIDs) than they did before. (Again, this depends on the specifics of the connected directory's implementation.)

Each connected directory has different delta tracking mechanisms and replication models. Work with the specific connected directory vendor to make sure that appropriate disaster recovery steps are implemented successfully before any reconnection with MIIS or IIFP.

MORE INFORMATION

Running a Full Import (Stage Only) run profile permits MIIS to run a full import without processing the changes. Therefore, the MIIS administrator can use the MA statistics and the preview functionality to examine the pending changes to the metaverse before fully processing the data through the metaverse. Note the following information from the MIIS and the IIFP operation guides:

Full Import (Stage only): Imports all objects and attributes from the connected data source to the connector space, and then stops the run. Any pending changes must be processed by another run profile step, such as Delta Synchronization or Full Synchronization.

Note: You can also find additional information about the different types of run profiles in these guides.

After the newly imported data has been validated, a Delta Synchronization can be run, assuming that no rules have changed. If rules have changed, you will be warned that you should run a Full Synchronization. However, a Delta Synchronization is better (when applicable), because Full Synchronization is an intensive procedure that takes longer to run and requires additional CPU cycles. These additional resources are necessary because a Full Synchronization evaluates every object regardless of a pending change. (Attribute values in the metaverse are still updated only when values are different.) For more information about how to create and execute run profiles, search on "run profile" in the operations guide product Help files.

Modification Type: Minor
Last Reviewed: 7/24/2003
Keywords:kbinfo KB823783 kbAudITPRO