Active Directory password sync

    Question

  • We have two independent domains and would like to sync users' passwords across them without setting up trusts. Is there a way to do this? Thanks.

    Tuesday, February 28, 2017 1:04 PM

Answers

  • Hi,

    Easiest way would be to build out a trust. Trust relationships allow users in the trusted domain to access resources in the trusting domain. A user who is logged on to the trusted domain can be authenticated to connect to a resource server in the trusting domain. Also, a user can use an account in the trusted domain to log on to the trusted domain from a computer in the trusting domain.

    I have never heard of a free password sync product which can accomplish this so I would recommend trust between domains. 

    • Proposed as answer by AlvwanModerator Tuesday, February 28, 2017 1:43 PM
    • Marked as answer by Dave_17 Wednesday, March 1, 2017 12:48 PM
    Tuesday, February 28, 2017 1:16 PM
  • We have two independent domains and would like to sync users' passwords across them without setting up trusts. Is there a way to do this? Thanks.

    You can't AFAIK.

    Even with having appropriate trust, you will still need some tools like FIM and PCNS on all clients in order to capture password changes and flow them to your destination domain.


    Mahdi Tehrani | www.mahditehrani.ir
    Please click on Propose As Answer or to mark this post as and helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    • Proposed as answer by AlvwanModerator Tuesday, February 28, 2017 1:43 PM
    • Marked as answer by Dave_17 Wednesday, March 1, 2017 12:48 PM
    Tuesday, February 28, 2017 1:31 PM
    Moderator
  • Hi,

    According to my research, we could use Identity Lifecycle Manager (ILM) to sync passwords between domains, but if these two domains are located in different forests, a forest trust must be established. This is required for Kerberos mutual authentication for the ILM server to accept the request from a remote forest host. For more information, please refer to this link:

    Synchronizing Passwords from an Authoritative Active Directory Forest to a Receiving Active Directory Forest

    https://technet.microsoft.com/en-us/library/cc720594(v=ws.10).aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 28, 2017 1:43 PM
    Moderator
