FIM PCNS Two Way Password sync between two distinct forests

    Question

  • Hello Everyone,

    I was wondering if anyone had any idea of a way to synchronize passwords with PCNS for two AD forests both ways (from forest 1 to forest 2 and from forest 2 to forest 1).

    Thanks!



    Hitch Bardawil

    Friday, September 19, 2014 11:30 AM

Answers

  • Hi Hitch,

    There is a setting on the AD management agent that limits the number of resets that will be performed against a given target, i.e. "Specify maximum number of password changes for a 24 hour period". You could try setting that down to 1 on both of your AD MAs so that it interrupts the looping behaviour.

    You'd obviously have to test this out, and consider that if the user changes their password a second time in the same day, it won't get synchronized. Setting the Minimum Password Age password policy to 2 days could alleviate this risk.

    Have fun testing!

    Marc


    Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc.
    http://www.avaleris.com

    • Marked as answer by HitchB52 Friday, September 19, 2014 1:01 PM
    Friday, September 19, 2014 12:33 PM
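To make the looping behaviour and the effect of the per-24-hour cap concrete, here is an added Python simulation; it is not code from the thread or from FIM/PCNS. It assumes that every password set performed by an AD MA is seen by PCNS on the target DC as a fresh change (which is what produces the loop), that the cap is counted per user per 24 hours, and that a new day clears the counters; user names and passwords are constructed.

```python
from collections import defaultdict

class Forest:
    """One AD forest: its password store, its AD MA reset cap, and its peer forest."""
    def __init__(self, name, max_resets_per_day):
        self.name = name
        self.max_resets_per_day = max_resets_per_day   # AD MA cap; None = unlimited
        self.passwords = {}
        self.resets_today = defaultdict(int)           # per-user resets FIM pushed in today
        self.dropped = []                              # resets the cap refused
        self.peer = None

    def new_day(self):
        self.resets_today.clear()

def pcns_notify(forest, user, password, hops=0, max_hops=20):
    """PCNS on a DC in `forest` saw a change; FIM pushes it to the peer's AD MA.
    Returns the number of cross-forest sets that actually happened."""
    if hops >= max_hops:
        raise RuntimeError(f"{user} bounced {hops} times: sync loop")
    peer = forest.peer
    cap = peer.max_resets_per_day
    if cap is not None and peer.resets_today[user] >= cap:
        peer.dropped.append((user, password))          # cap interrupts the chain
        return hops
    peer.resets_today[user] += 1
    peer.passwords[user] = password                    # AD MA set-password on the peer
    # ...which PCNS on the peer DC reports back to FIM (assumed model behaviour)
    return pcns_notify(peer, user, password, hops + 1, max_hops)

def user_changes_password(forest, user, password):
    forest.passwords[user] = password
    return pcns_notify(forest, user, password)

def build_pair(cap):
    f1, f2 = Forest("forest1", cap), Forest("forest2", cap)
    f1.peer, f2.peer = f2, f1
    return f1, f2

def demo():
    f1, f2 = build_pair(None)                          # no cap: change bounces forever
    try:
        user_changes_password(f1, "alice", "Spring2014!")
        looped = False
    except RuntimeError:
        looped = True
    g1, g2 = build_pair(1)                             # cap of 1 per 24 h on both MAs
    hops = user_changes_password(g1, "alice", "Spring2014!")
    in_sync = g1.passwords["alice"] == g2.passwords["alice"]
    user_changes_password(g1, "alice", "Summer2014!")  # second change, same day: refused
    second_synced = g2.passwords["alice"] == "Summer2014!"
    for g in (g1, g2):
        g.new_day()                                    # minimum password age keeps users to one change/day
    user_changes_password(g1, "alice", "Autumn2014!")
    return looped, hops, in_sync, second_synced, g2.passwords["alice"] == "Autumn2014!"
```

The cap stops the bounce after one set in each direction, but the second same-day change in forest1 is left out of sync with forest2, which is the risk Marc's reply points at.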

All replies

  • Hi,

    Using PCNS both ways will create a loop, so it's not a good idea.

    Regards,


    Sylvain

    Friday, September 19, 2014 12:16 PM
  • Yeah, I know that; I'm just wondering if there is some trick or alternative to make that work :)

    (isolating a DC without PCNS as the destination of the sync, for example)

    Cheers


    Hitch Bardawil

    Friday, September 19, 2014 12:20 PM
  • Awesome, thanks! :)

    Hitch Bardawil

    Friday, September 19, 2014 1:00 PM
  • Did you end up doing it? We might have a similar need. I'm thinking about using groups to determine which account is able to trigger a synchronization on password change.
    • Edited by ltgrenier Thursday, April 18, 2019 5:17 PM
    Thursday, April 18, 2019 5:16 PM