Bi-Directional Password Synchronization
Does the newest release of Forefront Identity Manager 2010 support bi-directional password changes? (E.g. both domains are authoritative sources for password changes to each other.) I noticed that the PCNS contains a "tracking Id" for each password change event. Isn't it possible to build logic within FIM and the PCNS to track the same password change originating from another authoritative source before being redelivered to FIM from the target PCNS?
May 21st, 2010 8:21pm

The short answer is no. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
May 21st, 2010 8:27pm

What is the scenario you are trying to solve? As Markus says, you cannot have a bi-directional sync, but you can have two different ADs being the source so you can usually achieve the scenario without bi-directional sync. /Andreas
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/copyright.htm
May 25th, 2010 7:29am

In our environment we have two different forests:
1. Forest A contains multiple domains (of trust) with all of our employees and Exchange. All of the computers \ servers are configured to authenticate to this forest.
2. Forest B contains our User Authentication Repository, where all users from Forest A reside plus application specific accounts (it is used for Single Sign-On as the centralized source for authentication). All web \ Win32 applications are designed to authenticate against this forest & domain.
We were wondering if it's possible that if a user changed their password (via a web portal or application) that's pointing to Forest B, if we can make that authoritative and update the corresponding user in Forest A. We would also want the reverse, where if a user logs into their workstation and resets the password, it would update their corresponding account in Forest B as well. While one solution is to not allow any password changes in Forest B, we were wondering if there is another technical solution to avoid password change looping? Thanks for your support.
May 25th, 2010 9:15pm

What is the scenario you are trying to solve? As Markus says, you cannot have a bi-directional sync, but you can have two different ADs being the source so you can usually achieve the scenario without bi-directional sync. /Andreas
I'm trying to solve something similar where there are two AD domains that are both connected to FIM. There's a requirement so that the user can reset their password in either domain and it will update the password in the other domain. You say you can have both ADs as sources for PCNS; wouldn't this cause an endless loop where one updates the other which then fires off to update the other and so on?
February 7th, 2011 6:51pm


What is the scenario you are trying to solve? As Markus says, you cannot have a bi-directional sync, but you can have two different ADs being the source so you can usually achieve the scenario without bi-directional sync. /Andreas
I'm trying to solve something similar where there are two AD domains that are both connected to FIM. There's a requirement so that the user can reset their password in either domain and it will update the password in the other domain. You say you can have both ADs as sources for PCNS; wouldn't this cause an endless loop where one updates the other which then fires off to update the other and so on?
Yes. If they're both going to be sources they have to be different sets of users in either end.
My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
February 7th, 2011 8:41pm


If you put in a policy rule to AD that said passwords can only be reset 1 or 2 times every 24 hours would this stop the loop? Or would PCNS just keep trying and AD keep rejecting the update until the 24 hours is up and then continue the process after that? Or maybe another solution that someone suggested was to re-write PCNS. I admit I'm a little ignorant here. Would this be a large undertaking to re-write PCNS? And even if I had the means to have it re-written, would it even be possible to accommodate what I'm trying to do? That is, sync both ways across two domains for the same user. Do MS release the source for .dlls like this? I've had a bit of a search around but haven't found too much. Are there any resources you'd recommend to investigate this sort of thing?
February 7th, 2011 11:20pm
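The loop the thread keeps circling back to (a change in one forest is pushed to the other, whose notifier fires and pushes it straight back) is easy to see in a small model. The following is an added example written for this thread, not FIM or PCNS code: the Directory, Hub and Notification classes, the keyed fingerprint, and the sample users and passwords are all hypothetical. It models the part that matters for the loop: the hub cannot read a target directory's current password, so the only way for it to recognise the notification caused by its own write is to remember a fingerprint of what it last pushed and drop the echo.

```python
"""Toy model of the password-change loop discussed in this thread.

Two directories stand in for Forest A and Forest B. Like PCNS, each one fires a
notification (carrying a tracking id) whenever a password is set. A hub receives
notifications and pushes the password to the other directory. The hub cannot
read the target's current password, so the only thing that can break the echo
is the hub remembering what it last wrote to each directory.

Added example for this thread, not FIM or PCNS code. Directory, Hub,
Notification and the fingerprint scheme are hypothetical.
"""
import hashlib
import hmac
import itertools
import os

# Stand-in for the PCNS tracking id: one counter per process.
_tracking_ids = itertools.count(1)


class Notification:
    """Password-change event, modelled loosely on what PCNS delivers."""

    def __init__(self, source, user, secret):
        self.source = source
        self.user = user
        self.secret = secret
        self.tracking_id = next(_tracking_ids)


class Directory:
    """Minimal directory: stores passwords and notifies the hub on every set."""

    def __init__(self, name):
        self.name = name
        self.passwords = {}
        self.notify = None  # callback installed by the hub

    def set_password(self, user, secret):
        self.passwords[user] = secret
        if self.notify is not None:
            self.notify(Notification(self.name, user, secret))


class Hub:
    """Sync hub. With suppress_echo it drops a notification that only reports
    back a write it made itself; without it, the two directories ping-pong."""

    def __init__(self, directories, suppress_echo=True, max_events=50):
        self.dirs = {d.name: d for d in directories}
        self.suppress_echo = suppress_echo
        self.max_events = max_events
        self.events = 0
        self.suppressed = []        # tracking ids dropped as echoes
        self.last_pushed = {}       # (directory name, user) -> fingerprint
        self._key = os.urandom(32)  # hub-private key for the fingerprints
        for d in directories:
            d.notify = self.on_notification

    def fingerprint(self, secret):
        # Keyed digest: lets the hub recognise its own write without keeping
        # the cleartext or a plain, reusable hash of the password.
        return hmac.new(self._key, secret.encode(), hashlib.sha256).hexdigest()

    def on_notification(self, note):
        self.events += 1
        if self.events > self.max_events:
            raise RuntimeError("notification storm: sync is not converging")
        fp = self.fingerprint(note.secret)
        if self.suppress_echo and self.last_pushed.get((note.source, note.user)) == fp:
            self.suppressed.append(note.tracking_id)  # echo of our own write
            return
        for name, target in self.dirs.items():
            if name == note.source:
                continue
            self.last_pushed[(name, note.user)] = fp
            target.set_password(note.user, note.secret)  # fires the target's notifier


def run_scenario(suppress_echo):
    """User resets the password in Forest A, later changes it via Forest B.
    Returns (events seen by hub, echoes suppressed, password in A, password in B)."""
    a, b = Directory("ForestA"), Directory("ForestB")
    hub = Hub([a, b], suppress_echo=suppress_echo)
    a.set_password("jdoe", "Winter-2010!")  # constructed sample: workstation reset
    b.set_password("jdoe", "Spring-2011!")  # constructed sample: web portal change
    return hub.events, len(hub.suppressed), a.passwords["jdoe"], b.passwords["jdoe"]


def loops_without_suppression():
    """True if the naive hub never converges (it hits max_events)."""
    try:
        run_scenario(suppress_echo=False)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("with echo suppression:", run_scenario(True))
    print("naive hub loops:", loops_without_suppression())
```

With suppression on, the two user-initiated changes produce exactly four notifications: each genuine change, plus one echo from the target that the hub drops, and both forests end up with the later password. With suppression off, the same two changes never converge and the model trips its event cap. In this model the loop lives in the hub, not in the directories, so a directory-side limit on how often a password may be reset would only change how quickly the echoes arrive. As Markus and Brian note above, FIM 2010 and PCNS do not expose a hook for this kind of echo check; the model only shows what such a check would have to remember.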

