
  • PCNS is used to capture the password changes, so you don't need to install PCNS in a target forest to set passwords.

    Regarding the trusts, look at the Automated Password Synchronization Solution Guide for MIIS 2003:

    In an optimal configuration, PCNS and MIIS 2003 are in the same forest because they authenticate to each other using Kerberos authentication.

    PCNS and MIIS 2003 can be in different forests if two conditions are met:

    • A Kerberos realm forest trust must be established between the forests hosting PCNS and MIIS 2003. This requires that both forests and domains are running in Windows 2003 functional mode. For more information on forest trusts see Trust types at http://go.microsoft.com/fwlink/?LinkId=106059.
    • DNS is configured such that Kerberos can function properly between forests.

    You can synchronize passwords one way between forests without trust if MIIS 2003 and PCNS are in the same forest. For example, if you want to install both PCNS and MIIS 2003 in Forest A, and you want to configure them to synchronize passwords to Forest B, the credentials in the MIIS 2003 management agent for Forest B will provide the necessary authentication without the trust requirement.

    Each domain controller whose password changes are to be managed by PCNS must have:

    • PCNS installed.
    • The capability to contact the MIIS 2003 server via Remote Procedure Call (RPC).

    /../ (end quote) 


    Peter Geelen - Sr. Consultant IDA (http://www.fim2010.be)

    [If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post.
    By marking a post as Answered or Helpful, you help others find the answer faster.]

    Wednesday, October 6, 2010 9:32 PM