AD forest to forest sync

  • Question

  • What is the best tool to synchronize (nightly) Active Directory attributes, to include custom attributes that we created, from one forest to several other forests? For example, we maintain an email directory, but the email address needs to be synched to other domains in other forests. Credential mapping is needed since the target account names, sAMAccountNames, etc. may differ from the source. PowerShell, csvde etc. are too basic; we need a commercial solution.

    I've done some research here and I understand consolidating to one forest would be best; however, politics and cost make that unfeasible. I just need to get some attributes over to these other domains.

    Friday, March 28, 2014 6:12 PM

All replies

  • Hello!

    Sounds like a job for FIM. Do you have a reason FIM won't work?

    /Robert


    Saturday, March 29, 2014 8:50 AM
  • FIM would work here as long as you can identify attributes which can be used to resolve that userA from Forest1 belongs to the same person as user45 from Forest2 and the root_abcd account from Forest3. These attributes may of course differ (for example, you can use extensionAttribute14 for Forest1-Forest2, sAMAccountName between Forest2 and Forest3 and, let's say, mail between Forest1 and Forest3 (I assume that there would be some users in 2 of those forests, for example)).

    Or you can think about the logic of joining them (some part of the DN in Forest1 would be the same as EmployeeID in Forest2).

    But yes, it looks like a task for FIMSynchronizationService and you don't even need FIMService/Portal licenses :)


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Saturday, March 29, 2014 4:38 PM
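
The join logic described in the replies above, as an added example that is not part of the original thread and is not FIM configuration or code: a Python model of a one-way flow of `mail` from Forest1 to Forest2, joined on extensionAttribute14. The directory records, DNs and the `join_key` and `plan_sync` functions are constructed for illustration; a source object that joins to zero or several target objects is reported instead of written, so an attribute never lands on the wrong person's account.

```python
# Constructed sample exports; every DN and value here is made up for illustration.
FOREST1 = [
    {"dn": "CN=userA,DC=forest1,DC=example", "extensionAttribute14": "E1001", "mail": "a.smith@example.org"},
    {"dn": "CN=userB,DC=forest1,DC=example", "extensionAttribute14": "E1002", "mail": "b.jones@example.org"},
    {"dn": "CN=userC,DC=forest1,DC=example", "extensionAttribute14": "E1003", "mail": "c.doe@example.org"},
]
FOREST2 = [
    {"dn": "CN=user45,DC=forest2,DC=example", "extensionAttribute14": "e1001 ", "mail": ""},
    {"dn": "CN=user46,DC=forest2,DC=example", "extensionAttribute14": "E1003", "mail": ""},
    {"dn": "CN=user47,DC=forest2,DC=example", "extensionAttribute14": "E1003", "mail": ""},
]


def join_key(obj, join_attr):
    """Normalise the join value so case and stray whitespace do not break a match."""
    return (obj.get(join_attr) or "").strip().lower()


def plan_sync(source, target, join_attr, flow_attrs):
    """Plan a one-way attribute flow; returns (updates, unjoined, ambiguous).

    Nothing is written. Only source objects that join to exactly one target
    object produce an update; everything else is reported for review.
    """
    index = {}
    for obj in target:
        key = join_key(obj, join_attr)
        if key:  # objects with an empty join attribute can never be matched
            index.setdefault(key, []).append(obj)

    updates, unjoined, ambiguous = [], [], []
    for src in source:
        matches = index.get(join_key(src, join_attr), [])
        if not matches:
            unjoined.append(src["dn"])
        elif len(matches) > 1:
            ambiguous.append((src["dn"], [m["dn"] for m in matches]))
        else:
            tgt = matches[0]
            changes = {a: src[a] for a in flow_attrs if src.get(a) and tgt.get(a) != src[a]}
            if changes:
                updates.append((tgt["dn"], changes))
    return updates, unjoined, ambiguous


if __name__ == "__main__":
    updates, unjoined, ambiguous = plan_sync(FOREST1, FOREST2, "extensionAttribute14", ["mail"])
    print("updates:", updates)
    print("unjoined:", unjoined)
    print("ambiguous:", ambiguous)
```

Reviewing the `unjoined` and `ambiguous` lists before the first nightly run shows whether the chosen join attribute is actually unique in the target forest.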