Import and Sync AD Users and Passwords Between Two Separate AD Forests (MIM 2016 SP1) RRS feed

  • Question

  • Hi everyone,

    I know similar questions were already published, but I still can't find the answer on how to do it...

    So, here is what I need and what I did so far -

    I need to synchronize users from an OU of CompanyA AD to an OU of CompanyB OU. The two companies are NOT CONNECTED to each other in any way (Trust, VPN, etc.). CompanyA has a service that it sells to clients which uses AD for authentication. Usually, CompanyA creates users for clients in its AD, but this time CompanyB wants to use that service with their own AD. Because of that, CompanyA needs to see/synchronize the users and passwords in a specific OU on CompanyB AD to their own AD.

    From what I read, it's possible to do with MIM. Please correct me if I'm wrong.

    Now, I already deployed MIM 2016 (On server 2016, SQL 2016, SharePoint 2016) in CompanyA network, using the guide here but I'm not sure what is the next step. As I said, the two companies are not connected in any way.

    So my questions are -

    - How do I connect CompanyB to CompanyA MIM / Network? Do I need to deploy MIM on CompanyB network? Or do I only install an agent on CompanyB network that connects to CompanyA MIM?

    - Can the connection/synchronization be done via the internet / HTTPS? (as the companies are not connected to each other, but connected to the internet).

    Apologies if it's a dumb question, maybe I'm just missing something, but I really don't know how to continue...

    I hope MIM can do this and that someone can help me figure this out.


    Tuesday, March 7, 2017 4:23 PM


  • Hello,

    since the MIM AD conenctor call Active Directory by the standard ports for AD you need at least some kind of VPN connection between the MIM server and both AD. It also makes things easier if you have name resolution in addition.

    You don't need trusts between the forests but these bare network connection.

    MIM Server then need to be installed in either one of the Domain I would preferr the one which is the PW source forest. Then connect these AD by a AD connector first.

    Setup a 2nd AD connector for the dest forest and enable password synchronization from A to B.

    You will need to install PCNS (Password Change Notification Service) on all DCs whithin A.


    Peter Stapf - ExpertCircle GmbH - My blog:

    • Marked as answer by Avisa Monday, March 13, 2017 4:37 PM
    Tuesday, March 7, 2017 6:24 PM