password synchronization between two Forests

  • Question

  • Hello

    I have some questions about password synchronization between two forests that have no communication connection between them.
    1. Can password synchronization work between two forests with no communication between them?
    2. Do I need the PCNS service installed on all my DCs?
    3. Can I specify that only some users have their passwords synchronized?
    4. Can ILM synchronize HASH files, or just import them per domain?
    5. Are there any security risks in the process of synchronizing passwords?
    6. Can installing the service on the DCs degrade DC performance during user password changes?
    7. I'd be glad if someone could refer me to articles with information about this.

    Thanks

    Monday, January 4, 2010 8:18 PM

Answers

  • Hello

    I have some questions about password synchronization between two forests that have no communication connection between them.
    1. Can password synchronization work between two forests with no communication between them? No. The source forest must be able to communicate with the ILM sync server over NetBIOS ports. The ILM sync server needs to be able to communicate over NetBIOS ports to the destination forest. ILM needs to be in a forest that trusts the source forest.
    2. Do I need the PCNS service installed on all my DCs? Yes, the PCNS service must be installed on all DCs in the source domain(s) in the source forest that will be participating in the password sync.
    3. Can I specify that only some users have their passwords synchronized? Yes, you specify an inclusion group; only put in the users you want. You can also specify an exclusion group.
    4. Can ILM synchronize HASH files, or just import them per domain? Please reword this question. ILM does encrypt the password, but it is only there in a transitory fashion.
    5. Are there any security risks in the process of synchronizing passwords? There is a slight risk because now passwords in the other forest match, so the surface area for attack has increased.
    6. Can installing the service on the DCs degrade DC performance during user password changes? There is a small hit in processing and network traffic, but AFAIK its impact is negligible.
    7. I'd be glad if someone could refer me to articles with information about this.

    Thanks -- You're welcome


    inline above
    Here is more info
    http://technet.microsoft.com/en-us/library/cc720654(WS.10).aspx

    David Lundell www.ilmBestPractices.com
    Monday, January 4, 2010 9:55 PM
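    The following PowerShell pre-flight script is an added example, not code from the thread or from Microsoft's PCNS/ILM tooling. It checks the three prerequisites from the answer above before sync is enabled: PCNS present and running on every DC in the source domain, each DC able to reach the ILM sync server over the NetBIOS session port, and the effective user scope derived from the inclusion and exclusion groups. Assumptions not stated on the page: the PCNS Windows service name is `PCNSSVC`; `ilm01.corp.example`, `PCNS-Include` and `PCNS-Exclude` are placeholders; the script runs with the RSAT ActiveDirectory module and WinRM access to the DCs; a user present in both groups is treated as excluded. Only TCP 139 and 445 are probed, since `Test-NetConnection` cannot test the UDP NetBIOS ports 137/138.

```powershell
# Added example (not from the thread or from Microsoft): pre-flight checks for
# PCNS password sync from a source domain to an ILM sync server.
# Assumptions: service name 'PCNSSVC' (assumed), placeholder host/group names,
# RSAT ActiveDirectory module present, WinRM allowed to the DCs.
Import-Module ActiveDirectory

$IlmServer      = 'ilm01.corp.example'   # placeholder: ILM sync server in the destination forest
$InclusionGroup = 'PCNS-Include'         # placeholder: inclusion group configured on the PCNS target
$ExclusionGroup = 'PCNS-Exclude'         # placeholder: exclusion group configured on the PCNS target
$PcnsService    = 'PCNSSVC'              # assumed service name of the Password Change Notification Service
# NetBIOS session (139) and SMB (445) are TCP and can be probed; the UDP
# name/datagram ports 137/138 are not checked by Test-NetConnection.
$TcpPorts       = 139, 445

function Test-PcnsPrerequisites {
    # One row per DC in the current (source) domain: PCNS service state and
    # whether the DC itself (not this admin box) can reach the ILM server.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc.HostName `
                               -Filter "Name='$PcnsService'" -ErrorAction SilentlyContinue
        $reach = Invoke-Command -ComputerName $dc.HostName -ArgumentList $IlmServer, $TcpPorts -ScriptBlock {
            param($server, $ports)
            foreach ($p in $ports) {
                "$p=" + (Test-NetConnection -ComputerName $server -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
            }
        } -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC        = $dc.HostName
            Installed = [bool]$svc
            State     = if ($svc) { $svc.State } else { 'missing' }
            StartMode = if ($svc) { $svc.StartMode } else { '' }
            ReachIlm  = if ($reach) { $reach -join ' ' } else { 'winrm-failed' }
        }
    }
}

function Get-PcnsSyncScope {
    # Effective set of users whose password changes will be forwarded:
    # inclusion members minus exclusion members (exclusion wins for a user in
    # both groups; assumption about the PCNS filter semantics).
    $included = Get-ADGroupMember -Identity $InclusionGroup -Recursive | Where-Object objectClass -eq 'user'
    $excluded = Get-ADGroupMember -Identity $ExclusionGroup -Recursive | Where-Object objectClass -eq 'user'
    $excludedSids = @($excluded | ForEach-Object { $_.SID.Value })
    $included | Where-Object { $excludedSids -notcontains $_.SID.Value } |
        Select-Object SamAccountName, DistinguishedName
}

# 1. Every DC must run PCNS and must reach the ILM server; anything else is a gap,
#    because a password change handled by a DC without PCNS is silently not forwarded.
$report = Test-PcnsPrerequisites
$report | Format-Table -AutoSize
$gaps = $report | Where-Object { -not $_.Installed -or $_.State -ne 'Running' -or $_.ReachIlm -match 'False|winrm-failed' }
if ($gaps) { Write-Warning ("PCNS prerequisites not met on: " + ($gaps.DC -join ', ')) }

# 2. Trust direction between the forests (the answer above says ILM must sit in
#    a forest that is trusted by / trusts the source forest).
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive | Format-Table -AutoSize

# 3. Users actually in scope; review this list before enabling sync, since every
#    listed account will end up with the same password in both forests.
Get-PcnsSyncScope | Format-Table -AutoSize
```

    Run it on a domain-joined machine in the source domain as an account that can read group membership and open a remote session to each DC; a row showing `missing` or `139=False` is a DC whose password changes would not be forwarded.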
  • In case of password synchronization, password changes are captured and forwarded to the destination.
    You can't import values from files to accomplish this.

    Cheers,
    Markus 

    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Thursday, February 18, 2010 11:42 AM

All replies

  • Hello David

    Regarding the first question, I read that if I use ILM I do not have to set up a trust between the two forests.

    Thanks


    Tuesday, January 5, 2010 4:35 AM
    At a minimum, ILM must be in the source forest, or the source forest must trust the forest in which ILM is installed. Most people implement a two-way trust between the two forests, but one of my colleagues has gotten PCNS working with just a one-way trust between the forests.
    David Lundell www.ilmBestPractices.com
    Tuesday, January 5, 2010 2:48 PM
  • Hello David

    I ask this question because we do not want to open the RPC port between the two domains, which is what a forest trust requires. From what you're saying, it is enough for the ILM server to be in the source forest, so I do not need a trust, right?

    Back to my last question: if I have HASH files, can I import them using ILM into the destination forest without using password synchronization?

    thanks
    Tuesday, January 5, 2010 6:04 PM