Active Directory to ADLDS sync - Password Sync

Question

  • Hi All,

    I have a SharePoint AD that needs to be migrated to a new ADLDS instance. Essentially we are migrating off of SharePoint and building a new custom app to facilitate what SharePoint was performing.

    With that being said, we know we can dump the list of users and the schemas of said users of the current AD environment (SharePoint 2003, Windows Server 2000) and import to the new ADLDS, but that is only part of what we need.

    Unfortunately, we have 6k users within the current SharePoint and we would like to migrate all attributes of said users / groups etc & passwords to the new ADLDS instance.

    In the research thus far, we have found no tool to perform the password sync component we are seeking.

    It is believed that ADLDS does not support domain trusts from a Domain to ADLDS (something about kerberos keys (I think)) and ADLDS has no ability to communicate via a TRUST between itself and an AD.

    Can anyone advise if this can be done via 3rd party utilities or MS specific utilities?

    • Edited by cvanoosbree Thursday, December 6, 2012 3:45 AM
    Thursday, December 6, 2012 3:42 AM

Answers

  • You can't import passwords into the AD LDS instance in any way. But you can sync passwords using ILM or FIM 2010. To sync passwords using a 3rd party tool, Quest has one.

    http://blogs.technet.com/b/idaguys/archive/2009/06/19/overiview-of-authentication-in-ad-lds.aspx

    http://www.quest.com/quest-one-quick-connect-express-for-active-directory/

    You need to install & configure the AD LDS instance on a domain-joined member machine. The domain part of the forest can have a domain/forest trust relationship. AD LDS instances alone can't have a trust relationship with each other.

    AD LDS is not a replacement for AD, but it provides the capability for apps or services that need to perform DS-based queries. AD LDS also comes in handy when you need to modify the schema for different apps.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Cicely Feng Friday, December 7, 2012 2:57 AM
    • Marked as answer by cvanoosbree Friday, December 7, 2012 3:02 AM
    Thursday, December 6, 2012 8:15 AM
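The answer above makes two practical points: the user objects and their attributes can be exported from the source AD and imported into AD LDS, but the passwords cannot travel with them. The script below is an added example (not from the thread, not Quest's or Microsoft's code) that does exactly the exportable half: it reads users from the source domain over plain LDAP with System.DirectoryServices (which also works against a Windows 2000 domain, unlike the ActiveDirectory module) and writes an LDIF file that ldifde can import into an AD LDS instance. It never asks for unicodePwd or dBCSPwd, since a directory search never returns them, and it creates every account disabled so nothing is usable until a password has been set through FIM/ILM sync or a reset process. Server names, DNs, file paths and the attribute list are assumptions; the AD LDS instance is assumed to have MS-User.LDF imported (which is what gives it the user class, userPrincipalName and msDS-UserAccountDisabled).

```powershell
# Added example, not code from the original thread. Assumed names throughout.
$SourceBase = 'LDAP://dc01.sharepoint.example.local/OU=Users,DC=sharepoint,DC=example,DC=local'  # assumed source AD
$TargetBase = 'OU=Users,DC=apps,DC=example,DC=local'   # assumed AD LDS application partition
$OutFile    = '.\adlds-users.ldf'

# Attributes AD LDS can accept on a "user" object (MS-User.LDF imported).
# sAMAccountName does not exist in AD LDS, so the logon name is carried in userPrincipalName/cn.
$CopyAttrs = 'givenName','sn','displayName','mail','description','telephoneNumber','userPrincipalName'

# Attributes deliberately never requested: system-owned, instance-specific, or write-only.
# unicodePwd/dBCSPwd are write-only in AD; a search returns nothing for them, which is
# why no LDAP export tool can carry passwords across.
$NeverCopy = 'objectSid','objectGUID','unicodePwd','dBCSPwd','pwdLastSet','sAMAccountName','lastLogon','memberOf'

function ConvertTo-LdifValue([string]$v) {
    # RFC 2849: base64-encode values that are non-ASCII or start with space, colon or '<'.
    if ($v -match '[^\x20-\x7E]' -or $v -match '^[ :<]') {
        return ':: ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($v))
    }
    return ': ' + $v
}

function ConvertTo-DnComponent([string]$cn) {
    # Minimal RFC 4514 escaping of characters that are special inside a DN.
    return $cn -replace '([,+"\\<>;=#])', '\$1'
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SourceBase)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 1000    # paged results: 6k users exceed the default 1000-entry LDAP limit
foreach ($a in $CopyAttrs + 'cn') { [void]$searcher.PropertiesToLoad.Add($a) }

$ldif  = New-Object System.Text.StringBuilder
$count = 0
foreach ($r in $searcher.FindAll()) {
    $cn = [string]$r.Properties['cn'][0]
    [void]$ldif.AppendLine("dn: CN=$(ConvertTo-DnComponent $cn),$TargetBase")
    [void]$ldif.AppendLine('changetype: add')
    [void]$ldif.AppendLine('objectClass: user')
    [void]$ldif.AppendLine('cn' + (ConvertTo-LdifValue $cn))
    foreach ($a in $CopyAttrs) {
        if ($NeverCopy -contains $a) { continue }          # defensive: keep the two lists consistent
        if ($r.Properties.Contains($a)) {
            foreach ($v in $r.Properties[$a]) {
                [void]$ldif.AppendLine($a + (ConvertTo-LdifValue ([string]$v)))
            }
        }
    }
    # AD LDS equivalent of the ACCOUNTDISABLE bit: the account stays unusable until a
    # password has been set over LDAPS (AD LDS refuses password writes over plain LDAP by default).
    [void]$ldif.AppendLine('msDS-UserAccountDisabled: TRUE')
    [void]$ldif.AppendLine()
    $count++
}

[IO.File]::WriteAllText($OutFile, $ldif.ToString())
Write-Host "Wrote $count user entries to $OutFile (no password attributes included)."

# Import into the AD LDS instance (assumed host and port), continuing past per-entry errors:
#   ldifde -i -k -f .\adlds-users.ldf -s adlds01.example.local -t 389
```

After the import the accounts exist in AD LDS with their attributes but no credentials, which is the state the answer describes; the password has to arrive separately, either pushed by an ILM/FIM password sync agent as users change it in the source domain, or through a one-time reset flow once the application cuts over. Group membership is left out on purpose: memberOf is a back-link, so groups should be exported and imported as their own objects with a member attribute rewritten to the new DNs.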

All replies

  • Thanks for your response Awinish. I had figured as much, and Quest was mentioned before by some of my colleagues as it was brought up in the past.

    At least for now, I know, based on further research that passwords cannot be stored / dumped and or imported from one place to another.

    From the Quest (or 3rd party solution) it seems that the ADLDS instance would need to be trusted with the other domain for it to work. I would have to take this to my Security team to advise if this is an acceptable approach, and/or devise some sort of migration exercise for this to happen in order to determine whether it's plausible or not.

    Thanks for your response

    Friday, December 7, 2012 3:02 AM