Is cross synchronization possible using IIFP between 2 forest root domains?


  • Wednesday, 20 October 2010 13:49

    I'm looking for a possible solution to support cross synchronization of AD objects & attributes (including passwords) between two forest root domains. So modifications done in domain A should be pushed to domain B and vice versa.

    After some research my conclusion is that this is not possible:

    - Password synchronization (using PCNS) results in cyclical loops

    - Implementing (an identically configured) IIFP in both forest root domains results in two sources and two targets

    Can someone please verify if this conclusion makes any sense?

    Many thanks.

    /Martijn

All replies

  • Wednesday, 20 October 2010 14:25

    Martijn,

    You are correct:

    - you should only synchronize passwords in one direction. Otherwise you will indeed experience loops (that will stop after the number you allow in your configuration)

    However:

    - you need only 1 IIFP server. This server will have one GalSync type MA for each of the domains you are connecting to. Each of these MAs indeed then has a source and target.

    Paul.


    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
  • Wednesday, 20 October 2010 16:25

    Just FYI, officially IIFP (free version of MIIS 2003 SP2) is end of life.
    Not supported any more, strictly speaking.

    But the community force is with you!

    Kind regards,
    Peter


    Peter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be)

    [If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post.
    By marking a post as Answered or Helpful, you help others find the answer faster.]
  • Thursday, 21 October 2010 10:51

    Thanks for your quick replies!

    It's good to know the product is officially end of life...

    The two forest root domains can be considered as 'identical' private clouds. No messaging system is used.

    @Paul: Are you suggesting that it IS possible to enable cross synchronization of AD objects & attributes by configuring Active Directory MAs for both domains on a single IIFP server? If so, could you please give me a hint on how to configure the MAs (specifically the join & projection rules and the attribute flows)?

    If each MA has a source and target, what process handles the prioritization between these MAs?

    Even if it is possible it all sounds rather tricky.

    Many thanks for your time!

    Regards,

    Martijn

  • Thursday, 21 October 2010 11:30
     Answered

    Martijn,

    Yes, for attribute flows, you can configure an MA to sync in both directions, by adding import and export attribute flows.
    It should not be tricky, if you properly plan and design for it.

    But guiding you attribute by attribute will take some time and also depends on your wishes and requirements (which objects, which attributes, amount of attributes, complex rules or not...).

    Make sure you understand the basic ILM processes and configurations.
    Take a look at the current ILM resources article, there are quite some interesting resources to get you up to speed (even virtual labs, ...)

    Did you already check the "Getting started" and the ILM walkthrough scenarios?
    They provide a step-by-step guidance on the basics for configuring MAs (and an AD MA too...).

    For the join, you need to use/find an attribute per object type that uniquely identifies an object in your datasource(s)...
    There are quite some considerations you need to think of when handling AD (for example, the sAMAccountName is unique per domain, but not per forest...).
    Which object types do you want to synchronize? (Users, contacts, groups, OUs, ...)

    The prioritization is handled on the attribute level by the attribute flow precedence in the metaverse.
    By default you define a priority list, but you can use manual precedence to implement whatever logic you want to handle prioritization.

    Hope this helps to get you started!

    Kind regards,
    Peter


    Peter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be)

    • Marked as answer by MartijnP, Thursday, 21 October 2010 11:45
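As an added illustration of the point Peter makes about prioritization (not code from the thread, and not MIIS/ILM code): a constructed Python model of two AD MAs feeding one metaverse on a single IIFP server, where ranked attribute flow precedence decides, per attribute, which MA's value wins. The MA names, the join on mail and the sample user are assumptions; manual precedence rules extensions are not modelled.

```python
from typing import Dict, List, Tuple

# Constructed model of ranked attribute-flow precedence for two AD MAs sharing one
# metaverse on a single IIFP server (illustration, not MIIS/ILM code; manual-precedence
# rules extensions are not modelled).
CS = Dict[str, Dict[str, str]]          # connector space: join key -> attribute values

class Metaverse:
    def __init__(self, precedence: Dict[str, List[str]]) -> None:
        self.precedence = precedence    # attribute -> MA names, highest precedence first
        self.objects: CS = {}           # metaverse objects, joined on the key
        self.contributor: Dict[Tuple[str, str], str] = {}   # (key, attr) -> contributing MA

    def may_contribute(self, key: str, attr: str, ma: str) -> bool:
        current = self.contributor.get((key, attr))
        rank = self.precedence[attr]
        return current is None or rank.index(ma) <= rank.index(current)

def import_flow(mv: Metaverse, ma: str, cs: CS) -> None:
    """Import attribute flow: connector-space values into the metaverse, subject to precedence."""
    for key, obj in cs.items():
        mv_obj = mv.objects.setdefault(key, {})
        for attr, value in obj.items():
            if attr in mv.precedence and mv.may_contribute(key, attr, ma):
                mv_obj[attr] = value
                mv.contributor[(key, attr)] = ma

def export_flow(mv: Metaverse, cs: CS) -> None:
    """Export attribute flow: metaverse values pushed down to a connector space."""
    for key, mv_obj in mv.objects.items():
        cs.setdefault(key, {}).update(mv_obj)

def sync_cycle(mv: Metaverse, a: CS, b: CS) -> None:
    import_flow(mv, "DomainA", a)       # one server: import both MAs, then export to both
    import_flow(mv, "DomainB", b)
    export_flow(mv, a)
    export_flow(mv, b)

def demo() -> Tuple[CS, CS]:
    # Constructed sample: one user in each forest, joined on mail (assumed unique in both).
    mv = Metaverse({"telephoneNumber": ["DomainA", "DomainB"],   # DomainA authoritative
                    "title": ["DomainB", "DomainA"]})            # DomainB authoritative
    a: CS = {"user@example.com": {"telephoneNumber": "100", "title": "Eng"}}
    b: CS = {"user@example.com": {"telephoneNumber": "200", "title": "Mgr"}}
    sync_cycle(mv, a, b)                                 # both sides now hold 100 / Mgr
    b["user@example.com"]["telephoneNumber"] = "300"    # non-authoritative edit: reverted
    a["user@example.com"]["telephoneNumber"] = "101"    # authoritative edit: flows A -> B
    b["user@example.com"]["title"] = "Dir"              # authoritative edit: flows B -> A
    sync_cycle(mv, a, b)
    return a, b
```

The second cycle shows the behaviour Paul and Peter describe: each MA is both source and target, but an edit made on the non-authoritative side is overwritten at export rather than ping-ponging between the domains.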
  • Thursday, 21 October 2010 11:45

    Thanks again for your quick response and your tips! I'll dive into the deep and hope to come up with a proper solution.

    Regards,

    Martijn

  • Friday, 25 May 2012 13:43

    Hi,

    Can someone send me the doc for IIFP password sync?

    My environment:

    Two Windows 2008 Active Directory forests with a one-way trust; can IIFP support password sync?

    Regards,