Sync GPO across trusted or non-trusted forests/domains

  • Question

  • Is it possible or has anyone tried to sync GPOs across 2 or more trusted or non-trusted forests/domains?

    I have a customer who has standalone ADs in multiple locations and they are using them to manage users, distribution/security groups, computers, user roles and policies (GPO), etc. However, they want to centralize this and build a consolidated centralized Active Directory where they want to maintain all the objects. They want to push out the policy changes from the central AD to the local ADs (you can think of corporate policies to be pushed out to different branches).

    So I was thinking of building a (central) AD and then using FIM to sync users, groups, computers, user roles, GPOs, etc. between the central AD and the standalone ADs. Any thoughts or insights would be highly appreciated.

    Thanks!

    Sunday, February 3, 2013 8:36 AM

All replies

  • If your customer wants to build a centralized/consolidated AD ... isn't this the perfect time to try and get rid of the local stand-alone domains (or set them up as child domains). If something like that won't happen, what's the point of building the central AD ... it would become yet another stand-alone domain.

    Anyway, if they absolutely have to stay separate and you'd like to sync GPOs using FIM, then you should look into building a custom MA - I never played with any API to interact with GPOs, but there must be something out there.

    Before trying to do this with FIM I would also do a little investigation into whether there aren't any tools that could do this for you, or maybe some export/import script that could be a lot easier than trying to do it with FIM.

    Piotr

    Sunday, February 3, 2013 11:51 AM
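    As an illustration of the "export/import script" route Piotr mentions, here is an added example (not code from the original thread or from any of the posters) that copies a set of prefixed "corporate" GPOs from a central domain into a branch domain using the GroupPolicy module's Backup-GPO and Import-GPO cmdlets. The domain names, the backup folder, the GPO name prefix and the migration table path are placeholders; the migration table itself is assumed to have been created beforehand with the GPMC Migration Table Editor so that source-domain SIDs and UNC paths are rewritten for the target domain.

```powershell
# Added example: one-way GPO sync (central -> branch) with Backup-GPO / Import-GPO.
# All names below are placeholders, not values from the thread.
Import-Module GroupPolicy

$SourceDomain   = 'corp.example.com'                     # central AD (placeholder)
$TargetDomain   = 'branch1.example.com'                  # standalone AD (placeholder)
$BackupRoot     = 'C:\GPOSync\Backups'                   # where backups are written
$MigrationTable = 'C:\GPOSync\corp-to-branch1.migtable'  # made with the GPMC Migration Table Editor
$Prefix         = 'CORP-'                                # only GPOs with this prefix are synced

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Export: back up every GPO in the source domain whose name carries the corporate prefix.
$sourceGpos = Get-GPO -All -Domain $SourceDomain |
    Where-Object { $_.DisplayName -like "$Prefix*" }

foreach ($gpo in $sourceGpos) {
    Backup-GPO -Guid $gpo.Id -Domain $SourceDomain -Path $BackupRoot `
               -Comment "sync $(Get-Date -Format s)" | Out-Null
}

# 2. Import: create (or overwrite) each GPO in the target domain.
#    -MigrationTable rewrites domain-specific security principals and UNC paths.
#    Without it, SIDs from the source domain land verbatim in the target GPO and,
#    in a non-trusted forest, simply fail to resolve (unresolvable SIDs in
#    security filtering or user-rights assignments are a common outcome).
#    Import-GPO has no -Credential parameter, so against a non-trusted forest this
#    step has to run under an account from the target forest (e.g. via runas or
#    from a management host joined to that forest).
foreach ($gpo in $sourceGpos) {
    Import-GPO -BackupGpoName $gpo.DisplayName -Path $BackupRoot `
               -TargetName $gpo.DisplayName -Domain $TargetDomain `
               -MigrationTable $MigrationTable -CreateIfNeeded | Out-Null
}

# 3. Verify: confirm each GPO now exists in the target domain and report its version
#    numbers so a later run can tell whether the import actually changed anything.
$report = foreach ($gpo in $sourceGpos) {
    $target = Get-GPO -Name $gpo.DisplayName -Domain $TargetDomain -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name            = $gpo.DisplayName
        ImportedOk      = [bool]$target
        TargetUserVer   = if ($target) { $target.User.DSVersion }     else { $null }
        TargetCompVer   = if ($target) { $target.Computer.DSVersion } else { $null }
    }
}
$report | Format-Table -AutoSize
```

    Two things the cmdlets deliberately do not do: Import-GPO copies settings only, so links to OUs (New-GPLink) and any WMI filters have to be handled separately in the target domain, and the migration table must be maintained whenever a synced GPO starts referencing a new group, user or file share, otherwise the next import carries an unmapped source-domain value into the branch.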
  • On Sun, 3 Feb 2013 11:51:56 +0000, Piotr Paczocha wrote:

    Before trying to do this with FIM I would also do a little investigation into whether there aren't any tools that could do this for you, or maybe some export/import script that could be a lot easier than trying to do it with FIM.

    I'm with Piotr here, rather than trying to do this with FIM, I'd have a look at Microsoft's Advanced Group Policy Manager, assuming of course that the customer in question is an SA customer.

    http://technet.microsoft.com/en-us/library/ee532079.aspx


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    Command:  Statement presented by a human and accepted by a computer in such a manner as to make the human feel as if he is in control.

    Monday, February 4, 2013 7:20 AM