AD to AD Object Sync (inc password + continuous)


Internal Windows 2008 R2 (FFL/DFL) AD
Internal Windows 2012 R2 (FFL/DFL) AD
No trust (could potentially exist)

External OpenLDAP

I have a requirement to provide a continuous object (user+group) sync from multiple LDAP sources (mostly AD but a single instance of OpenLDAP).

There are currently no trusts between these directories so I was hoping to get some guidance on the following options:

1: Deploy a FIM setup
2: Create a trust and use ADMT as an object migration/merge tool (create PES for passwords)
3: Use DirSync (Non Azure)
4: 3rd party tool like 'Binarytree'

I was hoping to see if there were any options I may have missed and/or any preferred methods for basic user/group object sync between AD (on-prem).

bryan oakley-wiggins (Senior Cloud Engineer) asked:

Will Szymkowski (Senior Solution Architect) commented:
Out of all of the possible options you have I would recommend using Microsoft FIM. Below is a checklist / HowTo for setting Microsoft FIM up. This is not an easy task by any means, but it will be the most effective for what you are trying to accomplish.

Microsoft FIM

bryan oakley-wiggins (Senior Cloud Engineer, Author) commented:
Hi Will

Thanks for your comment. I am leaning towards FIM - I have used the DirSync previously (and FIM) - Just wondered about OpenLDAP?

Any thoughts?

Will Szymkowski (Senior Solution Architect) commented:
I have not had a chance to use OpenLDAP, so I am not sure if it can work for exactly what you are doing. However, Microsoft FIM should be able to do what you are asking.

bryan oakley-wiggins (Senior Cloud Engineer, Author) commented:
Agreed with my thinking of FIM being most appropriate (for AD anyhow), so happy to assign points. Most likely looking at a connector for OpenLDAP.
