
Sync Windows Accounts and passwords between Windows domains without TRUST relationships


I need to sync accounts from one directory to another directory such that users can access a service using their same password in both domains.  

Trusts are NOT an option; this is a service-provider type relationship (think Office365 or Azure, but not those services exactly).

AD-LDS is NOT the right solution, I went down that road very far...this will work perfectly with TRUSTS.

I was thinking that Forefront Identity Manager / FIM 2010 / MIIS Server 2003 would do it, but docs and white papers are sparse on exact implementation scenarios...is this what I need to use?  Is there something else?  I understand that the password will not sync EXACTLY, and that after being implemented passwords will need to be changed on the SOURCE domain to force the sync to the target domain.

Any advice is appreciated, thanks!

Are you looking to do something like AD FS with DirSync?
There needs to be some sort of communication between the domains for something like this to happen. From my knowledge, I do not think this can be done with the criteria you are specifying.


Yes, if it's not a cloud-based service such as O365, Azure, etc., for which you could use AD FS / DirSync, then you need to establish a TRUST. There are a lot of options to keep things secure. You can do a ONE-WAY Trust and in addition limit who has access.


I was thinking about something like this:

Pass-Trough authentication on several LDAP directories - with OpenLDAP ldap backend (http://ltb-project.org/wiki/documentation/general/sasl_delegation).  I want to synchronize multiple Active Directories to a single LDAP database, whether that is AD LDS or OpenLDAP.  I have an application that is able to use any LDAP directory for authentication (Openfire) and I need to have a single LDAP instance that has all users in it.  

With AD-LDS, I can do this only if the domains are trusted, since the AD-LDS syncs the SID of the user object and forwards the authentication call to the Domain Controller responsible for the SID in question (USER authenticates to LDAP directory with username and password, SID is looked up when user is identified, and password and SID are passed to the responsible DC).  I need to be able to do this WITHOUT the trust.

It seems that this is described as being possible by either using a 2nd separate LDAP directory as a META directory for transformation (like the METAVERSE directory in Forefront Identity manager).  I could do this with OpenLDAP and SASL v2 binds with a SASL Daemon, but it looks like I'm going to have to have a Linux server in the middle running 2 separate LDAP instances to do this.  I'm not afraid of doing this with Linux if it works, but I'd REALLY like to keep this on a Windows platform.  I'm not sure I can do this....

Has anyone done this using OPENLDAP / SASL / on Windows?


Circling back to this question:

What about if we took this from another direction:

Is there a way to SYNC accounts from (1) AD to another AD, and keep passwords in SYNC when they change?  We are talking about (2) different things here:

1. Sync a source OU to a target OU in a target Active Directory.
2. Sync PASSWORDS from source AD/ source OU to target AD / target OU whenever passwords change.

What do we all think?


While not the solution that we were looking for, this seems to be the most accurate solution available.  Thanks!