 Domain Password Sync
I've got two separate Windows 2003 domains running AD. They are connected by a Frame Relay connection so both networks can see and communicate and each domain is a separate site. I need to keep separate logins and security for each domain but I want the passwords to be the same for both. We're implementing Microsoft strong password rules and my users need to have one password for both domain resources instead of having to track and change two strong passwords separately. Bottom line is I need a password change on domain1 to automatically update and change the password on domain2. Thanks in advance for any suggestions and help!

ASKED: November 7, 2006  1:26 PM
UPDATED: November 8, 2006  10:11 AM

Answer Wiki:
This is always a sticky topic and I'm not exactly an expert on the subject yet either. Basically if you need separate security using different forests or domains but the users need single sign on, you should create trusts between one domain/forest and the other. This will allow users from one or both domains to access each other's resources (one way or two way). Ideally, if it's all under one company/entity, administrators should not be quick to create new domains or forests unless absolutely necessary. A best practice is simply to use OUs and Deny rights as required.

Another method that I've not yet tried is the Active Directory Migration Tool. It supposedly can migrate passwords using the following: http://technet2.microsoft.com/WindowsServer/f/?en/library/804a418a-e8d4-473d-8517-264c87293fd21033.mspx

There's a host of third party tools as well that can keep passwords in sync. Most are used for migrations, but I would imagine they'd work fine in an ongoing situation; it's not ideal, though. Trusts seem like a much better idea, IMO.
Last Wiki Answer Submitted: November 8, 2006 10:02 am by PDMeat
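Creating and checking a trust between the two domains, as the Answer Wiki recommends, looks like this on Windows Server 2003 with the netdom and nltest command-line tools. This is an added example and not code from the thread or from Microsoft's documentation; the domain names and administrator accounts are placeholders, and the switches follow netdom's documented syntax. With a trust in place each user keeps one account and one password in their home domain, so the strong-password rules only have to be met once and nothing has to be synchronized.

```batch
@echo off
REM Added example (not from the thread): establish a one-way external trust so
REM that accounts from DOMAIN2 can be granted access to resources in DOMAIN1,
REM then verify it. All domain and account names here are placeholders.

set TRUSTING=domain1.example.local
set TRUSTED=domain2.example.local

REM Create the trust. /passwordD:* and /passwordO:* prompt for the credentials
REM of an administrator in the trusted and trusting domain respectively, so no
REM password is written into this script.
REM /quarantine:yes keeps SID filtering on (the default for external trusts),
REM so SID history carried by accounts from the other domain is not honoured.
REM /SelectiveAUTH:yes (assumed to be accepted together with /add; it can also
REM be set afterwards in Active Directory Domains and Trusts) means a user from
REM the trusted domain reaches a server in DOMAIN1 only if explicitly granted
REM "Allowed to Authenticate" on that server.
netdom trust %TRUSTING% /d:%TRUSTED% /add ^
    /userD:%TRUSTED%\Administrator /passwordD:* ^
    /userO:%TRUSTING%\Administrator /passwordO:* ^
    /quarantine:yes /SelectiveAUTH:yes
if errorlevel 1 (
    echo Trust creation failed; see the netdom output above.
    exit /b 1
)

REM Confirm both sides of the trust agree on the trust secret.
netdom trust %TRUSTING% /d:%TRUSTED% /verify ^
    /userD:%TRUSTED%\Administrator /passwordD:* ^
    /userO:%TRUSTING%\Administrator /passwordO:*
if errorlevel 1 (
    echo Trust verification failed.
    exit /b 1
)

REM Independent check: list every trust the local domain controller knows
REM about, with its direction and type.
nltest /domain_trusts /all_trusts
```

Two points worth knowing before choosing the trust type: an external trust like the one above works regardless of the other domain's functional level, whereas a forest trust requires both forests to be at the Windows Server 2003 forest functional level; and once the trust exists, access for the other domain's users is still controlled entirely by the groups and permissions you grant on your own resources, so "separate security" is preserved.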


Discuss This Question:

Hello John,

Microsoft’s Identity Integration Server (MIIS) will do this for you. Since you are only synching between AD, I believe (95% sure) that the free version will work for you. Let me know through a private reply if you would like some help with this kind of project, but it’s not a major undertaking.

BTW, it’s a little strange that you want to keep accounts in both domains for security reasons, but you want to sync the accounts and passwords? You could probably achieve what you want by establishing a trust and then implementing whatever security policy you want to have in place using some of the many, many options to manage authentication and access between trusted domains.

Hope this helps,
Dave


Hey, thanks for the replies! I have been thinking about trying out the trusts – but not sure how that will work out given I’m on 2003 native mode but the other side of the Frame Relay (different company) is in mixed mode…

It’s a long story about the Frame Relay and the two companies that used to be one company and the two networks. But hopefully we’ll be ditching it soon which will be a nice and easy resolution to my question. hehe

I’ll take a look at the options suggested. Thanks again!
