SUMMARY
As a best practice, Microsoft recommends that you run a full import, by using a Full Import (Stage only) run profile, against a connected directory after it has been restored from backup. This practice helps prevent the loss of transactions and keeps your Microsoft Identity Integration Server (MIIS) and Identity Integration Feature Pack (IIFP) directories in synchronization with all the other connected directories.
Microsoft considers this a best practice because many connected directories, such as the Microsoft Active Directory directory service, use a watermark to track transactions. MIIS and IIFP management agents depend on the accuracy of this watermark. However, if Active Directory is restored, for example, this may change the state of the connected directory, and the watermark may no longer be accurate. Therefore, it is a best practice to run a full import, as opposed to a delta import. A full import will discover the whole directory, but a delta import will only discover changes against the connected directory. When you run a full import, you make sure that a new watermark is established (if the old one is no longer accurate) and that all data has converged. After the full run is performed and data consistency has been verified, scheduled delta runs can be resumed.
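
The following is an added illustration, not Microsoft code: a simplified Python model of why a stored watermark stops being accurate after a restore, and how a full import re-establishes it. The `Directory` and `ManagementAgent` classes, the sequence-number scheme, and the sample objects are all constructed assumptions; real connected directories track deltas in their own ways.

```python
import copy

class Directory:
    """Constructed model: every write is stamped with an increasing sequence number."""
    def __init__(self):
        self.seq = 0
        self.objects = {}                      # name -> (value, seq of last change)

    def write(self, name, value):
        self.seq += 1
        self.objects[name] = (value, self.seq)
    def backup(self):
        return copy.deepcopy((self.seq, self.objects))
    def restore(self, snapshot):
        self.seq, self.objects = copy.deepcopy(snapshot)

class ManagementAgent:
    """Constructed model of an agent that stores a watermark between runs."""
    def __init__(self):
        self.watermark = 0
        self.connector_space = {}

    def delta_import(self, directory):
        # Only objects changed after the stored watermark are discovered.
        changed = {n: v for n, (v, s) in directory.objects.items() if s > self.watermark}
        self.connector_space.update(changed)
        self.watermark = max(self.watermark, directory.seq)
        return sorted(changed)

    def full_import(self, directory):
        # The whole directory is discovered and a new watermark is established.
        self.connector_space = {n: v for n, (v, _) in directory.objects.items()}
        self.watermark = directory.seq
        return sorted(self.connector_space)

def restore_scenario():
    d, ma = Directory(), ManagementAgent()
    d.write("alice", "Sales")
    d.write("bob", "IT")
    snapshot = d.backup()                      # backup taken at seq 2
    d.write("carol", "HR")
    d.write("alice", "Finance")
    ma.delta_import(d)                         # agent watermark is now 4
    d.restore(snapshot)                        # directory is back at seq 2
    d.write("dave", "Legal")                   # stamped 3, below the stale watermark
    missed = ma.delta_import(d)                # discovers nothing
    stale_view = dict(ma.connector_space)
    ma.full_import(d)
    return missed, stale_view, ma.connector_space, ma.watermark
```

In this model the delta import after the restore returns no changes, so the agent keeps an object that no longer exists and an attribute value that was rolled back, and never sees the new object until the full import runs.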
Microsoft also recommends, if it is relevant to the connected directory architecture and configuration, that you make sure that replication between directories has occurred if older data is being restored to the server that the MIIS management agent will ultimately connect to. This is not required, because data will eventually converge. However, you may experience unexpected issues on the metaverse and on other connected directories if you do not make sure that replication between directories has occurred in this scenario.
For example, consider a scenario where both of the following conditions are true, and therefore objects are missing in the restored version of the directory:
- The backup is an older version of the directory.
- Replication from a new version is unsuccessful (fails).
Depending on the metaverse object-deletion rules and the Management Agent (MA) deprovisioning options that are configured, metaverse objects and other provisioned connected directory objects may be deleted. After replication is restored, the missing objects will be cycled through the system; however, after the missing objects are found, they may have different security identifiers (SIDs) than they did before. (Again, this depends on the specifics of the connected directory's implementation.)
Each connected directory has different delta tracking mechanisms and replication models. Work with the specific connected directory vendor to make sure that appropriate disaster recovery steps are implemented successfully before any reconnection with MIIS or IIFP.