Solved

Sync AD Passwords across Domains

Posted on 2014-03-14
4
1,199 Views
Last Modified: 2014-03-14
Hi,

We have two separate AD forests, each containing a single domain.

The "primary" forest and it's domain is our Company, the "secondary" forest and it's domain is of another company that we bough. They are now part of our Wide Area Network and need to access their own systems as well as some of our systems (one common intranet for the "group" etc.)

We have not setup a Domain Trust between us (for a few reasons) and as an alternative we have created their users (same usernames) on our Domain and would now like to find out if there's a way to sync their AD User passwords to the matching user on our side on our domain.

Example:

Their Domain is COMPANY2
Our Domain is COMPANY1

They had a User "COMPANY2\JoeSoap" with password "MySecretPassword"
We created a COMPANY1\JoeSoap with password "Password1"

The user can now use one login (JoeSoap) but he's got two passwords and because it being normal users they get confused when to use which password.

I now need to know how can I sync the password "MySecretPassword" back to COMPANY1\JoeSoap so that he also has this password (without asking each and every user for their password ofcourse...) Is there for instance any kind of LDAP tool or similar that can take a password from one user and sync to a matching username even thought it's on another domain and will have a differnet SID ?

Thanks a lot,
Reinhard
0
Comment
Question by:ReinhardRensburg
  • 2
  • 2
4 Comments
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39928608
There is no good way to accomplish what you want. Although given the situation you laid out, a trust is exactly what you want. A domain trust isn't an open gate. You can still control and manage resources by security groups or other means. All a domain trust does is allow authentication of a claim to occur.
0
 

Author Comment

by:ReinhardRensburg
ID: 39928651
Dear Cliff,

Thanks a lot for your reply,

We had a chat to our service provider that supports our infrastructure and their exact words were:

It would be best to move everything into your domain as a long term measure. Creating a trust would be suitable and easy, but is very short term and can be quite an overhead from an operational and administration point of view.

In your opinion would you agree with this as being a short-term solution? I am unsure as to what "overhead" they are referring to, but as you stated a trust is merely allowing authentication of a claim to occur, and this seems to me is exactly what we need.

Thanks a lot,
Reinhard
0
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 39928661
There is a small amount of overhead as you are now managing two separate AD infrastructures, group policies, and other pieces. How much overhead depends on the environment, and whether it is a short term solution or could be long-term is also very subjective. There are instances where a plan to merge makes sense. And there are times when a newly bought company will keep some autonomy and keeping separation is desirable. So I do not *necessarily* agree, but it isn't entirely inaccurate either.

Regardless, for the short term for sure, a trust makes far more sense than maintaining duplicate accounts.
0
 

Author Closing Comment

by:ReinhardRensburg
ID: 39928667
Hi Cliff,

Thanks that makes sense, I think I now understand what they meant with "overhead", they mean that we would have to still separately manage their domain's Group Policies etc. which is fine as they have another Company looking after it in any way, and in time we can merge the domains.

Thanks, I think I've got my answer, there is not really any danger in doing a domain trust, as long as one is happy with managing Group Policies, integrated DNS etc. separately for that period of time (which will work for us).

Regards,
Reinhard
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question