chader rached asked:

Active Directory : Automatic synchronization between two forests

Hello,

I have two domains in different forests:
Domain A and Domain B

A bidirectional trust relationship has been configured between the two forests to allow Domain A users to connect to Domain B.

I want to automate the synchronization of users, groups and passwords.

Example:
When I create a user on Domain A the creation on Domain B will be done automatically as well as the synchronization of the password.

I tried with ADMT; it works, however it is not automatic.

Do you have a way to make the synchronization automatic with ADMT, or another free software that does it?
Thank you

Cliff Galiher

There is no good supported way to do this, but normally you wouldn't want to. It defeats the purpose of having two forests and deploying the trust in the first place.  Even in a migration scenario, you'd migrate the resources first so you can do a one-time sync with ADMT.

chader rached (ASKER)

Unfortunately my client requires the option

Well, you should probably explain to your client that this isn’t how bi-directional trusts work.

You have two domains that are linked in a forest. If you create a user in domain A they don’t need to be created in domain B because they are already authorized there.

Creating accounts for both domains literally defeats the purpose of having a trust. In that case you should just merge the domains.

What are you trying to accomplish? What is your end goal in this implementation? You may be falling into the age-old trap of spending so much time asking if you can do it instead of asking if you should.

The customer has already been informed of this; the purpose of the maneuver is to separate the two forests in 1 year without recreating the users ... etc.
If a simpler solution than FIM or ADMT exists, it would be nice.

Why would you want two separate forests with identical users? For a split? Then you’d have to clean up both domains.

There’s not an easy way to do this because there’s no use case for it.

Thank you for your interest in my question, but please stay on the subject: apart from FIM, is there another software that allows me to synchronize users from one forest to another, with or without a trust relationship?
The goal is to have:
Domain A => user TOTO@A.com automatically synchronize to Domain B => user TOTO@B.com, same thing for passwords.
Thank you

You can use my process to do password synchronization.
https://www.experts-exchange.com/articles/32998/Two-way-Password-Synchronization-from-one-Active-Directory-Domain-to-another-using-DSInternals.html

The user synchronization will also be a simple PowerShell script.
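
One way to do the Domain A to Domain B user creation discussed in this thread, added here as an example and not taken from any participant's post or from the linked article. Server names, OUs and the delegated credential are assumptions; accounts are created disabled and passwords are not touched.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Every default below is a placeholder (assumption), not a value from the thread.
    [string]$SourceServer = 'dc1.a.example',
    [string]$TargetServer = 'dc1.b.example',
    [string]$SourceOU     = 'OU=Staff,DC=a,DC=example',
    [string]$TargetOU     = 'OU=SyncedFromA,DC=b,DC=example',
    [string]$TargetSuffix = 'B.com',
    # Account delegated "create user objects" on $TargetOU only, not a Domain Admin.
    [Parameter(Mandatory)][pscredential]$TargetCredential
)

$target = @{ Server = $TargetServer; Credential = $TargetCredential }

# Read enabled users from Domain A with the caller's own identity.
# adminCount = 1 marks accounts protected by AdminSDHolder (privileged groups).
$sourceUsers = Get-ADUser -Server $SourceServer -SearchBase $SourceOU `
    -Filter 'Enabled -eq $true' -Properties DisplayName, adminCount

foreach ($u in $sourceUsers) {
    # Keep privileged accounts out of the copy so that a compromise of one
    # forest does not hand over matching admin identities in the other.
    if ($u.adminCount -eq 1) {
        Write-Verbose "Skipping protected account $($u.SamAccountName)"
        continue
    }

    # -Identity avoids building a filter string from directory data.
    try {
        $null = Get-ADUser @target -Identity $u.SamAccountName -ErrorAction Stop
        continue    # already present in Domain B
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { }

    $new = @{
        Name              = $u.Name
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = '{0}@{1}' -f $u.SamAccountName, $TargetSuffix
        Path              = $TargetOU
        Enabled           = $false    # stays disabled until a password is set
        Description       = "Provisioned from $SourceServer"
    }
    # Copy optional name attributes only when the source actually has a value.
    foreach ($p in 'GivenName', 'Surname', 'DisplayName') {
        if ($u.$p) { $new[$p] = $u.$p }
    }

    New-ADUser @target @new    # honours -WhatIf passed to this script
}
```

Running it with `-WhatIf -Verbose` first lists the accounts that would be created and the ones skipped, without writing to Domain B.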