FIM 2010 AD user account sync between 2 separate forests, with password RRS feed

  • Question

  • Hi,

    I have a scenario, where I need to one-way sync basic user account information between 2 totally different forests:

    Org A --> Org B

    All Org A users must be in Org B (I only need sam, firstname, lastname, upn and PASSWORD). When done, every single user in Org A will have an account in Org B with the same username and password.

    ADFS is used between the two organizations.

    Can FIM 2010 do a password sync from Org A to B?
    I believe FIM does the sync based on user OU, with the option to filter on user attributes - is there a way to sync based on AD group?

    I want to change as little as possible in Org A (Org B is not an issue). Am I right in thinking all I would need in Org A is a management agent and then in Org B would be the FIM server with just the FIM synchronization service?

    Thanks


    IT Support/Everything

    Monday, July 23, 2012 8:03 AM

Answers

  • Carol, just to confirm fim 2010 cannot export users with their passwords from Org A to B?

    Is there much that needs to be installed in Org A to achieve the sync?

    Thx


    IT Support/Everything

    You're correct. FIM has no in-box capability to extract passwords from Active Directory. ADMT is the tool you should look at.

    As far as sync, you need to install the Password Change Notification Service (PCNS) on every DC in Org A.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Marked as answer by Aetius2012 Friday, August 24, 2012 8:54 AM
    Monday, July 23, 2012 5:30 PM
    Moderator
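The answer above hinges on PCNS being present on every domain controller in Org A: a password change processed by a DC without the PCNS filter is never forwarded to FIM, and nothing in FIM reports that gap. The script below is an added example written for this page, not code from the thread or from the FIM/PCNS product. It inventories all DCs across the Org A forest, checks whether the PCNS service (service name assumed to be PCNSSVC) is installed and running on each, and runs `pcnscfg.exe LIST` on the DCs that have it so the configured FIM target can be compared across DCs. The forest name `orga.example` is a placeholder; the script assumes the ActiveDirectory module, remoting to the DCs, and Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7).

```powershell
# Added example (not from the original thread): verify PCNS coverage on every DC
# in the Org A forest before relying on FIM password sync.
Import-Module ActiveDirectory

$orgAForest = 'orga.example'   # assumption: Org A forest root DNS name
$pcnsService = 'PCNSSVC'       # assumption: service name of the Password Change Notification Service

# Enumerate every DC in every domain of the forest. A DC missed here is a DC
# whose password changes will silently never reach FIM.
$dcs = (Get-ADForest -Identity $orgAForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$report = foreach ($dc in $dcs) {
    $svc = Get-Service -ComputerName $dc.HostName -Name $pcnsService -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC            = $dc.HostName
        Domain        = $dc.Domain
        PcnsInstalled = [bool]$svc
        Status        = if ($svc) { [string]$svc.Status }    else { 'Missing' }
        StartType     = if ($svc) { [string]$svc.StartType } else { '' }
    }
}

$report | Sort-Object PcnsInstalled, DC | Format-Table -AutoSize

# Any DC that is missing PCNS, or has it stopped / not set to start automatically,
# is a hole in the sync. Treat this as a blocking finding, not a warning to ignore.
$gaps = $report | Where-Object {
    -not $_.PcnsInstalled -or $_.Status -ne 'Running' -or $_.StartType -ne 'Automatic'
}
if ($gaps) {
    Write-Warning ("PCNS not fully deployed on {0} of {1} DCs:`n{2}" -f
        $gaps.Count, $report.Count, ($gaps | Format-Table -AutoSize | Out-String))
}

# On the DCs that do have PCNS, list the configured targets so the FIM server
# name, SPN and inclusion/exclusion groups can be compared for consistency.
$withPcns = $report | Where-Object PcnsInstalled | Select-Object -ExpandProperty DC
if ($withPcns) {
    Invoke-Command -ComputerName $withPcns -ScriptBlock {
        & "$env:windir\system32\pcnscfg.exe" LIST
    } | Out-String | Write-Output
}
```

Run this from a workstation with an account that can query the forest and reach each DC over remoting; rerun it whenever a DC is promoted in Org A, since a freshly promoted DC has no PCNS until someone installs it.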

All replies

  • FIM password sync only syncs passwords at the point of password change. If you want to do a one-time migration of existing accounts with their passwords see the AD Migration Tool.

    http://www.wapshere.com/missmiis

    Monday, July 23, 2012 10:47 AM
  • Carol, just to confirm fim 2010 cannot export users with their passwords from Org A to B?

    Is there much that needs to be installed in Org A to achieve the sync?

    Thx


    IT Support/Everything

    Monday, July 23, 2012 3:29 PM