Current Password sync between domains

A question on Microsoft Identity Manager 2016

Can MIM be used to sync current passwords between domains?

This was not possible in FIM and, as far as I can see, it's not possible with MIM, but I cannot find a clear answer to this. Can anyone help?
John Ballance (Professional Services) asked:
Cliff Galiher commented:
Not possible. I can't think of a single place where this would even be desirable. Any scenario where a need similar to this is discussed, a domain trust has consistently been the better solution.

FIM/MIM is about identity management across heterogeneous environments and improving an interop experience. Active Directory, even with multiple domains, is by definition homogeneous and there is no "interop" layer, as everything can be done natively.
0

John Ballance (Professional Services, Author) commented:
Thanks for the answer, Cliff. The requirement here is to migrate users between domains keeping their current password. We use Quest MM for this currently, but we now have a migration where Quest would be overkill and MIM licencing is already provisioned.
0
Shaun Vermaak (Technical Specialist/Developer) commented:
I have done this with ADMT and the PES service for the initial password and FIM for password sync. I don't know why you say it is not possible.

This is a very common requirement as a consultant, doing domain migrations on budget.

You can even do password export/import using DSInternals in a pinch.

Please don't close your questions so quickly.
0
Cliff Galiher commented:
Syncing is not the same as migration. Their use cases and implied feature requirements are different enough that you can't use those terms interchangeably.
0
Shaun Vermaak (Technical Specialist/Developer) commented:
Syncing not the same as migration
Migrate with ADMT and PES, sync password changes with FIM

I can extract the hash and import it into another domain with DSInternals.

Strange that you cannot think of a situation where this is desirable
0
Shaun Vermaak (Technical Specialist/Developer) commented:
0
Cliff Galiher commented:
You seem to be fixated on this, so I'll address this briefly.

1) Your comments and even the article you just linked to keep referencing migration scenarios.  The OP never mentioned migration.  Long term coexistence scenarios are better handled with trusts, and while you can forcibly push hashes around, there are significant security implications with this.  I stand by my assertion that it is not a good long-term solution.

2) The OP didn't ask about other tools, third party tools, etc.  They asked if MIM can do this.  My answer was, and is, no.  If you can show me native MIM functionality that does full (two-way) sync between domains, I'll stand corrected.  Otherwise, I stand by my answer.

Beyond that, it gets into arguing semantics and opinion and I choose to disengage.  You don't need to convince me.  I don't need to convince you.  We can agree to disagree, and you can sleep at night without fixating on this further.
0
Shaun Vermaak (Technical Specialist/Developer) commented:
1) Your comments and even the article you just linked to keep referencing migration scenarios.  The OP never mentioned migration.  Long term coexistence scenarios are better handled with trusts, and while you can forcibly push hashes around, there are significant security implications with this.  I stand by my assertion that it is not a good long-term solution.

No, here is what you said
Not possible. I can't think of a single place where this would even be desirable. Any scenario where a need similar to this is discussed, a domain trust has consistently been the better solution.

2) The OP didn't ask about other tools, third party tools, etc.  They asked if MIM can do this.  My answer was, and is, no.  If you can show me native MIM functionality that does full (two-way) sync between domains, I'll stand corrected.  Otherwise, I stand by my answer.
FIM was quoted because the OP said it cannot be done, but it can. MIM can do it with an extension rule on the inbound and outbound flow rule.

The OP didn't ask about other tools, third party tools, etc
I did, and I will continue to recommend other solutions.

We can agree to disagree, and you can sleep at night without fixating on this further.
A typical Cliff response. I am having a technical discussion with you.
0
Cliff Galiher commented:
If by a "typical" response, you mean I choose to focus on the OP and not my own need to validate my responses then I stand proud knowing that is my typical behavior.  What I'm sure was meant as an insult, I'll take as a compliment.  I wish the OP luck.
0
Shaun Vermaak (Technical Specialist/Developer) commented:
No, I meant your passive-aggressive nature.

My answer was, and is, no.  If you can show me native MIM functionality that does full (two-way) sync between domains, I'll stand corrected.
I have confirmed with our Identity expert that it is possible natively in MIM.
0