Current Password sync between domains

John Ballance
A question on Microsoft Identity Manager 2016

Can MIM be used to sync current passwords between domains?

This was not possible in FIM and, as far as I can see, it's not possible with MIM, but I cannot find a clear answer to this. Can anyone help?

Distinguished Expert 2018
Commented:
Not possible. I can't think of a single place where this would even be desirable. Any scenario where a need similar to this is discussed, a domain trust has consistently been the better solution.

FIM/MIM is about identity management across heterogeneous environments and improving an interop experience. Active Directory, even with multiple domains, is by definition homogeneous and there is no "interop" layer, as everything can be done natively.
John Ballance, Professional Services

Author

Commented:
Thanks for the answer Cliff. The requirement here is to migrate users between domains keeping the current password. We use Quest MM for this currently, but we now have a migration where Quest would be overkill and MIM licensing is already provisioned.
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
I have done this with ADMT and the PES service for the initial password and FIM for password sync. I don't know why you say it is not possible.

This is a very common requirement as a consultant, doing domain migrations on budget.

You can even do password export/import using DSInternals in a pinch.

Please don't close your questions so quickly.

Distinguished Expert 2018

Commented:
Syncing is not the same as migration. Their use cases and implied feature requirements are different enough that you can't use those terms interchangeably.
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Syncing not the same as migration
Migrate with ADMT and PES, sync password changes with FIM

I can extract the hash and import it into another domain with DSInternals.

Strange that you cannot think of a situation where this is desirable
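The hash export/import that Shaun mentions above (and in his earlier comment), written out as an added example. This is not code from the thread or from any participant; it is a PowerShell script against the DSInternals module, using that module's documented cmdlets Get-ADReplAccount and Set-SamAccountPasswordHash (verify parameter names against your installed version). The domain names, domain controller hostnames and user account are placeholders (assumptions). It also carries the checks a practitioner would want around such an operation: a byte-for-byte read-back comparison, and the caveats that the source credential needs directory replication rights (the same rights a DCSync attack abuses) and that importing an NT hash alone gives the target account no Kerberos AES keys.

```powershell
# Added example, not from the thread. Copies one user's NT hash from a source
# domain to a target domain with DSInternals, then reads it back to confirm.
# Hostnames, domain names and the user below are placeholders (assumptions).
#
# Caveats a practitioner should weigh before running this:
#  - Get-ADReplAccount reads secrets over the directory replication protocol,
#    the same path "DCSync" tooling uses. The source credential therefore needs
#    "Replicating Directory Changes" and "... All" on the source domain and is
#    effectively Tier-0; run this only from a hardened admin host and audit it.
#  - Set-SamAccountPasswordHash writes the hash over SAMR. Because no cleartext
#    is involved, the target domain cannot derive Kerberos AES keys, so the
#    account authenticates with RC4 only until the user next changes password.
#    If RC4 is disabled in the target domain, this migrated account will not
#    get Kerberos tickets.
#  - The target user must already exist (for example, created by ADMT), and the
#    target domain's password policy is not evaluated for a hash write.

Import-Module DSInternals

$sourceDc  = 'dc1.source.example'   # assumption
$sourceDom = 'SOURCE'               # NetBIOS name, assumption
$targetDc  = 'dc1.target.example'   # assumption
$targetDom = 'TARGET'               # NetBIOS name, assumption
$user      = 'jdoe'                 # assumption

$srcCred = Get-Credential -Message "Source account with replication rights"
$dstCred = Get-Credential -Message "Target account allowed to reset $user and read replication data"

# 1. Pull the account, including secret attributes, from the source domain.
$src = Get-ADReplAccount -SamAccountName $user -Domain $sourceDom -Server $sourceDc -Credential $srcCred
if (-not $src.NTHash) {
    throw "No NT hash returned for $user; check replication rights and that the account has a password set."
}

# 2. Write the NT hash into the target account. The LM hash is deliberately
#    not carried across; nothing in a current domain should depend on it.
Set-SamAccountPasswordHash -SamAccountName $user -Domain $targetDom -NTHash $src.NTHash -Server $targetDc -Credential $dstCred

# 3. Read the target account back and compare the hashes byte for byte before
#    telling anyone the password has been carried over.
$dst = Get-ADReplAccount -SamAccountName $user -Domain $targetDom -Server $targetDc -Credential $dstCred
$srcHex = [System.BitConverter]::ToString($src.NTHash)
$dstHex = [System.BitConverter]::ToString($dst.NTHash)
if ($srcHex -ne $dstHex) {
    throw "NT hash mismatch for $user after import; do not proceed with cutover."
}
Write-Host "NT hash for $user is now identical in $sourceDom and $targetDom."

# 4. Drop the hash objects from the session; an NT hash is password-equivalent
#    and should not outlive the operation in memory or in a transcript.
$src = $null; $dst = $null; $srcHex = $null; $dstHex = $null
[GC]::Collect()
```

This is a one-off migration step, which is the distinction Cliff draws: it moves a credential once, it does not keep two domains in sync, and every run duplicates a password-equivalent secret into a second security boundary. Restrict the accounts used to the duration of the migration, and do not leave PowerShell transcription or history enabled on the host while it runs.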
Distinguished Expert 2018

Commented:
You seem to be fixated on this, so I'll address this briefly.

1) Your comments and even the article you just linked to keep referencing migration scenarios.  The OP never mentioned migration.  Long term coexistence scenarios are better handled with trusts, and while you can forcibly push hashes around, there are significant security implications with this.  I stand by my assertion that it is not a good long-term solution.

2) The OP didn't ask about other tools, third party tools, etc.  They asked if MIM can do this.  My answer was, and is, no.  If you can show me native MIM functionality that does full (two-way) sync between domains, I'll stand corrected.  Otherwise, I stand by my answer.

Beyond that, it gets into arguing semantics and opinion and I choose to disengage.  You don't need to convince me.  I don't need to convince you.  We can agree to disagree, and you can sleep at night without fixating on this further.
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
1) Your comments and even the article you just linked to keep referencing migration scenarios.  The OP never mentioned migration.  Long term coexistence scenarios are better handled with trusts, and while you can forcibly push hashes around, there are significant security implications with this.  I stand by my assertion that it is not a good long-term solution.

No, here is what you said
Not possible. I can't think of a single place where this would even be desirable. Any scenario where a need similar to this is discussed, a domain trust has consistently been the better solution.

2) The OP didn't ask about other tools, third party tools, etc.  They asked if MIM can do this.  My answer was, and is, no.  If you can show me native MIM functionality that does full (two-way) sync between domains, I'll stand corrected.  Otherwise, I stand by my answer.
FIM was quoted because OP said it cannot be done but it can. MIM can do it with an extension rule on the inbound and outbound flow rule

The OP didn't ask about other tools, third party tools, etc
I did, and I will continue to recommend other solutions.

We can agree to disagree, and you can sleep at night without fixating on this further.
A typical Cliff response. I am having a technical discussion with you
Distinguished Expert 2018

Commented:
If by a "typical" response, you mean I choose to focus on the OP and not my own need to validate my responses then I stand proud knowing that is my typical behavior.  What I'm sure was meant as an insult, I'll take as a compliment.  I wish the OP luck.
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
No, I meant your passive-aggressive nature.

My answer was, and is, no.  If you can show me native MIM functionality that does full (two-way) sync between domains, I'll stand corrected.
I have confirmed with our Identity expert that it is possible natively in MIM
