Domain to Standalone server password synchronization
Hello,
A 3rd party vendor would like to install an application in our DMZ. When this application is installed on a member server the user logs on using their Active Directory credentials. If this application is installed on a standalone server it will still work, however each user needs to have their own local user account.
We have over 700 users that require access to this application. It is not feasible to create 700 local user accounts on the standalone server in our DMZ. Making the server a domain member in the DMZ is not an option.
I believe I could create a simple script to export and import the user account names, however I don't know of any way to also copy over the password information out of Active Directory. Is it possible to export passwords from AD and import them to local users on a standalone machine?
July 28th, 2010 8:19pm
Hi,
I am afraid that Microsoft does not have a tool to meet the requirement -- export password from AD and import them to local users on a standalone machine.
If the application can work with AD LDS, you may check if AD LDS can meet your requirements. For your reference, I've included an article about how to use ADAM as a user authentication store for SharePoint 2007.
http://blogs.msdn.com/b/scaravajal/archive/2007/10/23/sharepoint-2007-and-adam.aspx
In addition, you can check if Identity Lifecycle Manager can meet the requirement.
Microsoft Identity Lifecycle Manager 2007 Frequently Asked Questions
http://www.microsoft.com/windowsserver/ilm2007/faq.mspx
Here is a forum for ILM discussion:
http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/threads
Hope the information is helpful.
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 29th, 2010 9:11am
Hi Joson,
As I mentioned previously the server behaves very differently based on whether or not it is a domain member. It appears that there are two solutions that I can pursue. I can install the server in the DMZ as a standalone server and then write a script to create several hundred user accounts. This is really not an ideal situation.
It appears that if I want to avoid this I have no choice but to make this server a domain member server. This is not acceptable to our security team because several ports (389, 53, probably others) would need to be opened from this computer to our internal network.
My question is this:
I can temporarily place this server on our internal network and add it to our domain. I can then move it into the external network. After this server is back in the DMZ can I use any of these options for authentication?
AD LDS
AD Read-only DC
AD FS
I don't think AD LDS will work because I believe AD LDS will still require port 389 to be open. If that's the case I might as well open all the required ports and use normal AD DS.
Placing a Read-only DC in the DMZ probably won't sit well with security and also, the server will need access to a writeable DC or the computer account will eventually be locked out (right?)
I believe I'm going to have the same problem with AD FS because if I need to open port 389 then why not just connect to AD directly?
August 10th, 2010 8:00pm
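The "script to create several hundred user accounts" approach mentioned in the original question and again in the follow-up post, written out as an added PowerShell example; it is not code from the thread or from Microsoft. It deliberately does not try to move passwords out of AD (which the reply above confirms has no supported tool, and which would be a bad idea in any case): each local account gets a unique random initial password that the user must change at first logon, so only the account names cross from the internal network to the DMZ. The CSV path, its `SamAccountName` column and the `AppUsers` local group are assumptions; adjust them to the application's needs. It uses the ADSI WinNT provider so it runs on the PowerShell versions shipped with Windows Server 2008 as well as current ones.

```powershell
# Added example: bulk-create local accounts on a standalone DMZ server from an
# exported list of AD account names. No AD password material is used; each
# account receives a random initial password and is flagged "must change at
# next logon". Run in an elevated PowerShell session on the standalone server.
param(
    [string]$CsvPath      = 'C:\dmz\users.csv',   # assumed path of the exported name list
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$GroupName    = 'AppUsers'            # assumed local group the application checks
)

Add-Type -AssemblyName System.Web                  # for Membership.GeneratePassword

$computer = [ADSI]"WinNT://$ComputerName"
$group    = [ADSI]"WinNT://$ComputerName/$GroupName,group"

# The CSV is assumed to have a header column "SamAccountName", e.g. produced on
# the internal network with an AD query and carried over as a file.
Import-Csv -Path $CsvPath | ForEach-Object {
    $name = $_.SamAccountName.Trim()
    if (-not $name) { return }

    # Idempotent: re-running the script leaves existing accounts untouched.
    if ([ADSI]::Exists("WinNT://$ComputerName/$name,user")) {
        Write-Verbose "Skipping existing local account $name"
        return
    }

    # 20-character random initial password with at least 4 non-alphanumerics.
    $initial = [System.Web.Security.Membership]::GeneratePassword(20, 4)

    $user = $computer.Create('user', $name)
    $user.SetPassword($initial)
    $user.Put('Description', 'Application account (created from AD name export)')
    $user.SetInfo()

    # Force a password change at first logon so the generated value is single-use.
    $user.PasswordExpired = 1
    $user.SetInfo()

    $group.Add($user.Path)

    # Emit name/initial password pairs once for out-of-band delivery to the user.
    [PSCustomObject]@{ User = $name; InitialPassword = $initial }
}
```

Usage: `.\New-DmzLocalUsers.ps1 -Verbose | Export-Csv C:\dmz\initial-passwords.csv -NoTypeInformation`, then deliver the initial passwords through a channel separate from the file and delete the file afterwards. Because nothing but account names leaves the internal network, the DMZ server needs no ports open to the domain for this to work, which is the constraint the security team raised; the trade-off is that password lifecycle (resets, disablement) must then be managed separately on the standalone server.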