Channel: Microsoft Identity Manager forum

Managing groups of multiple forests and other directories


Hi folks -

We have an environment with 2 AD forests, and 'other' LDAP-type directories that support applications.  We also have an AD LDS instance that is considered the authoritative source for all identities in the environment.  Managing users and groups within the environment is cumbersome currently, so we're looking to FIM to help sync identity information between directories, provide a self service capability so that users could update their information in one location, and help manage group memberships for each of the component directories.

So far with a single FIM service and sync engine, we have found that we are unable to manage group memberships across these forests and directories for reasons that might seem obvious to those with extensive experience in trying to do so.  What it seems we may need to do is stand up a FIM service for each forest and LDAP directory, and I'm just doing a check to see if there are other options out there (possibly outside the FIM world) toward managing groups within multiple directories.

Thanks!



