Q. I want to use Identity Lifecycle Manager (ILM) to synchronize passwords between two forests. What trusts do I need?
October 3, 2009
A. The trust relationships required depend on the configuration. To synchronize passwords between different forests, there are two critical components.
Password Change Notification Service (PCNS)—This is responsible for pushing password changes from Active Directory to an identity store/synchronization engine such as ILM. PCNS is installed on the domain controllers in the domain where password changes need to be captured. An Active Directory (AD) schema change is required for PCNS to function.
The synchronization engine—This receives the new passwords and writes them to the matching objects in the other connected directories. In this case, that is ILM.
PCNS and ILM must be in the same forest or have a two-way Kerberos forest trust between them, but no trust is needed between the ILM instance and the target forest where you're updating passwords. All you need in ILM is a connector to the target forest and a join rule that matches the user in the source forest with the user in the target forest in the metaverse (so the password is mapped to the right user). For example, both accounts may have the same sAMAccountName. This scenario allows you to have one forest, Forest A, where users change their passwords, and have ILM installed with PCNS in Forest A. ILM can then project the updated passwords onto matching users in Forest B without the need for a trust.
Unfortunately, the above scenario is not the predominant one. It's more common to have multiple source forests where users change their passwords, and you want those passwords to be updated into a central AD forest, which is where you'd like to have ILM installed. For this to work, you do need forest trusts between the target forest and all the source forests so PCNS can communicate with ILM in the target forest. You must use a forest trust to enable the Kerberos mutual authentication to allow ILM to accept the request from a host in a remote forest.
If you want to have two (or more) forests replicating passwords with each other in both directions (so users can change their password in either forest), custom configuration and possibly coding is required. Without that, each forest would notify the other of a password change, the receiving forest would apply the change and in turn notify the first forest of a password change, and an infinite loop would occur. In most implementations, you need one of the forests to be authoritative for password changes.
Microsoft offers a step-by-step guide for the configuration of password synchronization at its site.
The short answer to the question is that you require a forest trust between the forests running PCNS and the forest that runs ILM.
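As an added check (not part of the original FAQ), the following PowerShell verifies the trust requirement described above from the ILM forest's side: every forest whose domain controllers run PCNS must have a two-way, forest-transitive trust with the forest running ILM, while the target forest that merely receives passwords needs none. It assumes the ActiveDirectory RSAT module; the forest names are placeholders.

```powershell
# Added example, not from the original FAQ: confirm that the forest hosting ILM has a
# two-way forest (Kerberos) trust with each forest running PCNS. Forest names are placeholders.
Import-Module ActiveDirectory

function Test-PcnsTrusts {
    param(
        [Parameter(Mandatory)] [string]   $IlmForest,    # forest where ILM is installed
        [Parameter(Mandatory)] [string[]] $PcnsForests   # forests whose DCs run PCNS
    )

    # Query a DC in the ILM forest for its trust objects (one per trusting/trusted forest).
    $trusts = Get-ADTrust -Filter * -Server $IlmForest

    foreach ($source in $PcnsForests) {
        $t = $trusts | Where-Object { $_.Name -eq $source }
        $result = [ordered]@{ PcnsForest = $source; IlmForest = $IlmForest }

        if (-not $t) {
            # No trust at all: PCNS in this forest cannot authenticate to ILM.
            $result.Status = 'MISSING: no trust object found'
        }
        elseif (-not $t.ForestTransitive) {
            # An external (non-forest) trust does not give the Kerberos mutual authentication ILM needs.
            $result.Status = 'WRONG TYPE: external trust; a forest trust is required'
        }
        elseif ($t.Direction -ne 'BiDirectional') {
            $result.Status = "ONE-WAY ($($t.Direction)): a two-way forest trust is required"
        }
        else {
            $result.Status = 'OK: two-way forest trust'
        }
        [pscustomobject]$result
    }
}

# ILM lives in the central forest; users change passwords in two source forests running PCNS.
# The forest that only receives synchronized passwords is deliberately not listed: it needs no trust.
Test-PcnsTrusts -IlmForest 'central.example' -PcnsForests 'forest-a.example', 'forest-b.example' |
    Format-Table -AutoSize
```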
Editor's Note: For more on relationships between forests, see the FAQ Q. I have users in another forest who I want to have Exchange mailboxes in my Exchange organization. What are my options?