Domain Password Sync

Microsoft Windows
SQL Server
I've got two separate Windows 2003 domains running AD. They are connected by a Frame Relay connection so both networks can see and communicate, and each domain is a separate site. I need to keep separate logins and security for each domain, but I want the passwords to be the same for both. We're implementing Microsoft strong password rules and my users need to have one password for both domain resources instead of having to track and change two strong passwords separately. Bottom line is I need a password change on domain1 to automatically update and change the password on domain2. Thanks in advance for any suggestions and help!

Answer Wiki


This is always a sticky topic and I’m not exactly an expert on the subject yet either.

Basically, if you need separate security using different forests or domains but the users need single sign-on, you should create trusts between one domain/forest and the other. This will allow users from one or both domains to access each other's resources (one-way or two-way).

Ideally, if it’s all under one company/entity, administrators should not be quick to create new domains or forests unless absolutely necessary. A best practice is simply to use OUs and Deny rights as required.

Another method that I've not yet tried is the Active Directory Migration Tool. It supposedly can migrate passwords using the following:

There's a host of third-party tools as well that can keep passwords in sync. Most are used for migrations, but I would imagine they'd work fine in an ongoing situation; it's not ideal, though. Trusts seem like a much better idea, IMO.
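Whichever route is taken (a trust, MIIS, or a third-party sync tool), an administrator will want a way to verify the result: that the trust exists with the intended direction and SID filtering, and that accounts on the two sides are actually staying in step. The script below is an added example written for this page; it is not from the thread, the Answer Wiki, or any of the tools mentioned. It assumes the RSAT ActiveDirectory PowerShell module, a reader account in both domains, that the sync tool keeps the same sAMAccountName on both sides, and the placeholder domain names domain1.example and domain2.example.

```powershell
# Added example (not part of the original thread). Audits the trust between two
# domains and reports enabled accounts whose password-change time in domain2 lags
# the change in domain1, i.e. accounts that a password sync has not updated.
# Domain names below are placeholders; replace them with your own.
Import-Module ActiveDirectory

$DomainA = 'domain1.example'   # placeholder: domain where users change their password
$DomainB = 'domain2.example'   # placeholder: domain that should receive the new password
$SyncWindowMinutes = 15        # how long a sync tool is allowed to take before we call it stale

# 1. Trust inventory. Direction shows which way authentication flows; SIDFilteringQuarantined
#    and SelectiveAuthentication are the two settings a defender should confirm are set
#    deliberately rather than left at whatever the wizard chose.
Write-Host "Trusts defined on $DomainA :"
Get-ADTrust -Filter * -Server $DomainA |
    Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringQuarantined, SelectiveAuthentication |
    Format-Table -AutoSize

# 2. Password-drift report. Index domain2 accounts by sAMAccountName, then walk domain1.
$usersB = @{}
Get-ADUser -Filter 'Enabled -eq $true' -Server $DomainB -Properties PasswordLastSet |
    ForEach-Object { $usersB[$_.SamAccountName] = $_ }

$usersA = Get-ADUser -Filter 'Enabled -eq $true' -Server $DomainA -Properties PasswordLastSet

$drift = foreach ($u in $usersA) {
    $other = $usersB[$u.SamAccountName]
    if (-not $other) {
        # Account exists in domain1 only; a sync tool has nothing to update here.
        [pscustomobject]@{ User = $u.SamAccountName; Status = 'MissingInDomain2';
                           Domain1Set = $u.PasswordLastSet; Domain2Set = $null }
    }
    elseif ($u.PasswordLastSet -and $other.PasswordLastSet -and
            $other.PasswordLastSet -lt $u.PasswordLastSet.AddMinutes(-$SyncWindowMinutes)) {
        # domain2's password is older than domain1's by more than the sync window.
        [pscustomobject]@{ User = $u.SamAccountName; Status = 'Stale';
                           Domain1Set = $u.PasswordLastSet; Domain2Set = $other.PasswordLastSet }
    }
    elseif (-not $u.PasswordLastSet -or -not $other.PasswordLastSet) {
        # PasswordLastSet is null when "user must change password at next logon" is set;
        # report it rather than silently comparing against nothing.
        [pscustomobject]@{ User = $u.SamAccountName; Status = 'MustChangeAtLogon';
                           Domain1Set = $u.PasswordLastSet; Domain2Set = $other.PasswordLastSet }
    }
}

if ($drift) {
    $drift | Sort-Object Status, User | Format-Table -AutoSize
} else {
    Write-Host "All enabled accounts in $DomainA have a matching, up-to-date entry in $DomainB."
}
```

The comparison is deliberately one-directional (domain1 is treated as the source of truth, as in the question); run it again with the two domain variables swapped if users may change their password on either side. A non-empty Stale list after the sync window has passed is the signal that the sync tool, trust, or network path needs investigating.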

Discuss This Question: 2 Replies

  • WinSecDave
    Hello John, Microsoft's Identity Integration Server (MIIS) will do this for you. Since you are only syncing between AD, I believe (95% sure) that the free version will work for you. Let me know through a private reply if you would like some help with this kind of project, but it's not a major undertaking. BTW, it's a little strange that you want to keep accounts in both domains for security reasons, but you want to sync the accounts and passwords? You could probably achieve what you want by establishing a trust and then implementing whatever security policy you want to have in place using some of the many, many options to manage authentication and access between trusted domains. Hope this helps, Dave
  • JohnHMSO
    Hey, thanks for the replies! I have been thinking about trying out the trusts, but not sure how that will work out given I'm on 2003 native mode but the other side of the Frame Relay (different company) is in mixed mode... It's a long story about the Frame Relay and the two companies that used to be one company and the two networks. But hopefully we'll be ditching it soon, which will be a nice and easy resolution to my question. hehe I'll take a look at the options suggested. Thanks again!