Sync Windows Accounts and passwords between Windows domains without TRUST relationships


I need to sync accounts from one directory to another directory such that users can access a service using their same password in both domains.  

Trusts are NOT an option, this is a service-provider type relationship (think Office365 or Azure, but not those service exactly).

AD-LDS is NOT the right solution; I went down that road very far... this will work perfectly with TRUSTS.

I was thinking that Forefront Identity Manager / FIM 2010 / MIIS Server 2003 would do it, but docs and white papers are sparse on the exact implementation. Is this what I need to use? Is there something else? I understand that the password will not sync EXACTLY, and that after being implemented passwords will need to be changed on the SOURCE domain to force the sync to the target domain.

Any advice is appreciated, thanks!

Are you looking to do something like AD FS with DirSync?

Will Szymkowski (Senior Solution Architect) commented:
There needs to be some sort of communication between the domains for something like this to happen. From my knowledge, I do not think this can be done with the criteria you are specifying.


Yes, if it's not a cloud-based service such as O365, Azure, etc., for which you could use AD FS / DirSync,
then you need to establish a TRUST. There are a lot of options to keep things secure. You can do a ONE-WAY Trust and in addition limit who has access.

jkeegan123 (Author) commented:
I was thinking about something like this:

Pass-Through authentication on several LDAP directories - with OpenLDAP ldap backend

I want to synchronize multiple Active Directories to a single LDAP database, whether that is AD LDS or OpenLDAP. I have an application that is able to use any LDAP directory for authentication (Openfire) and I need to have a single LDAP instance that has all users in it.

With AD-LDS, I can do this only if the domains are trusted, since the AD-LDS syncs the SID of the user object and forwards the authentication call to the Domain Controller responsible for the SID in question (the USER authenticates to the LDAP directory with username and password, the SID is looked up when the user is identified, and the password and SID are passed to the responsible DC). I need to be able to do this WITHOUT the trust.

It seems that this is described as being possible by using a 2nd separate LDAP directory as a META directory for transformation (like the METAVERSE directory in Forefront Identity Manager). I could do this with OpenLDAP and SASL v2 binds with a SASL daemon, but it looks like I'm going to have to have a Linux server in the middle running 2 separate LDAP instances to do this. I'm not afraid of doing this with Linux if it works, but I'd REALLY like to keep this on a Windows platform. I'm not sure I can do this....

Has anyone done this using OPENLDAP / SASL / on Windows?
jkeegan123 (Author) commented:
Circling back to this question:

What about if we took this from another direction:

Is there a way to SYNC accounts from (1) AD to another AD, and keep passwords in SYNC when they change?  We are talking about (2) different things here:

1. Sync a source OU to a target OU in a target Active Directory.
2. Sync PASSWORDS from source AD/ source OU to target AD / target OU whenever passwords change.

What do we all think?
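As an added example, not code from the thread or from any of the products it names: a PowerShell sketch of item 1 only, a one-way sync of user objects from a source OU to a target OU in a domain with no trust, done by binding to each side with its own explicit credentials. Item 2 is deliberately not covered: no password leaves the source domain through this script, so a new target account gets a random throw-away password and stays unusable until a password-sync mechanism (such as the FIM route discussed above) sets the real one. Server names, OU paths, the UPN suffix and the use of extensionAttribute1 as the join anchor are assumptions.

```powershell
# Added example: one-way account sync between untrusted domains (no password sync).
# All host names, OU paths and the anchor attribute below are placeholders.
Import-Module ActiveDirectory

$SourceDC = 'dc01.source.example'                    # placeholder
$SourceOU = 'OU=Customers,DC=source,DC=example'      # placeholder
$TargetDC = 'dc01.target.example'                    # placeholder
$TargetOU = 'OU=Synced,DC=target,DC=example'         # placeholder
$TargetUpnSuffix = 'target.example'                  # placeholder

# Least privilege: read-only in the source, write rights scoped to the target OU only.
$SrcCred = Get-Credential -Message 'Read-only account in the SOURCE domain'
$TgtCred = Get-Credential -Message 'Account delegated rights on the TARGET OU only'

$sourceUsers = Get-ADUser -Server $SourceDC -Credential $SrcCred `
    -SearchBase $SourceOU -Filter * -Properties givenName, sn, displayName, mail

foreach ($u in $sourceUsers) {
    # Join on the immutable source objectGUID (assumed stored in extensionAttribute1),
    # never on the name, so renames in the source do not create duplicates.
    $anchor = $u.ObjectGUID.ToString()
    $existing = Get-ADUser -Server $TargetDC -Credential $TgtCred -SearchBase $TargetOU `
        -LDAPFilter "(extensionAttribute1=$anchor)" -Properties extensionAttribute1

    $props = @{}
    if ($u.GivenName)   { $props.GivenName    = $u.GivenName }
    if ($u.Surname)     { $props.Surname      = $u.Surname }
    if ($u.DisplayName) { $props.DisplayName  = $u.DisplayName }
    if ($u.mail)        { $props.EmailAddress = $u.mail }

    if ($existing) {
        # Mirror attributes and enabled state; the password is never touched here.
        Set-ADUser -Server $TargetDC -Credential $TgtCred -Identity $existing -Enabled $u.Enabled @props
    } else {
        # Random one-time password that nobody knows; the account is created disabled
        # and only becomes usable once the real password arrives via the sync product.
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $tmpPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        New-ADUser -Server $TargetDC -Credential $TgtCred -Path $TargetOU `
            -Name $u.SamAccountName -SamAccountName $u.SamAccountName `
            -UserPrincipalName "$($u.SamAccountName)@$TargetUpnSuffix" `
            -AccountPassword $tmpPwd -Enabled $false `
            -OtherAttributes @{ extensionAttribute1 = $anchor } @props
    }
}

# Orphan handling: disable (never delete) target accounts whose source object is gone.
$liveAnchors = $sourceUsers | ForEach-Object { $_.ObjectGUID.ToString() }
Get-ADUser -Server $TargetDC -Credential $TgtCred -SearchBase $TargetOU `
    -LDAPFilter '(extensionAttribute1=*)' -Properties extensionAttribute1 |
    Where-Object { $liveAnchors -notcontains $_.extensionAttribute1 } |
    Disable-ADAccount -Server $TargetDC -Credential $TgtCred
```

Run it from a host that can reach an LDAP/RPC port on a DC in each domain; because both sides are bound with explicit credentials, no trust and no SID forwarding are involved.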
jkeegan123 (Author) commented:
While not the solution that we were looking for, this seems to be the most accurate solution available.  Thanks!