Domain to Standalone server password synchronization
Hello. A third-party vendor would like to install an application in our DMZ. When this application is installed on a member server, the user logs on using their Active Directory credentials. If this application is installed on a standalone server it will still work; however, each user needs to have their own local user account. We have over 700 users that require access to this application. It is not feasible to create 700 local user accounts on the standalone server in our DMZ. Making the server a domain member in the DMZ is not an option. I believe I could create a simple script to export and import the user account names; however, I don't know of any way to also copy over the password information out of Active Directory. Is it possible to export passwords from AD and import them to local users on a standalone machine?
July 28th, 2010 8:19pm

Hi, I am afraid that Microsoft does not have a tool to meet the requirement -- export passwords from AD and import them to local users on a standalone machine.

If the application can work with AD LDS, you may check whether AD LDS can meet your requirements. For your reference, I've included an article about how to use ADAM as a user authentication store for SharePoint 2007:
http://blogs.msdn.com/b/scaravajal/archive/2007/10/23/sharepoint-2007-and-adam.aspx

In addition, you can check whether Identity Lifecycle Manager can meet the requirement.
Microsoft Identity Lifecycle Manager 2007 Frequently Asked Questions
http://www.microsoft.com/windowsserver/ilm2007/faq.mspx
Here is a forum for ILM discussion:
http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/threads

Hope the information is helpful.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 29th, 2010 9:11am

Hi Joson, as I mentioned previously, the server behaves very differently based on whether or not it is a domain member. It appears that there are two solutions that I can pursue. I can install the server in the DMZ as a standalone server and then write a script to create several hundred user accounts. This is really not an ideal situation. It appears that if I want to avoid this I have no choice but to make this server a domain member server. This is not acceptable to our security team because several ports (389, 53, probably others) would need to be opened from this computer to our internal network.

My question is this: I can temporarily place this server on our internal network and add it to our domain. I can then move it into the external network. After this server is back in the DMZ, can I use any of these options for authentication?

AD LDS
AD Read-only DC
AD FS

I don't think AD LDS will work because I believe AD LDS will still require port 389 to be open. If that's the case, I might as well open all the required ports and use normal AD DS. Placing a Read-only DC in the DMZ probably won't sit well with security, and also the server will need access to a writeable DC or the computer account will eventually be locked out (right?). I believe I'm going to have the same problem with AD FS, because if I need to open port 389 then why not just connect to AD directly?
August 10th, 2010 8:00pm
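The "write a script to create several hundred user accounts" option discussed above, as an added example that is not part of the original thread. Because AD stores only password hashes and, as the reply notes, offers no tool to move them to local accounts, the script does the next best thing: it reads a CSV of sAMAccountNames exported on a domain member, creates each missing local account with a random initial password, forces a password change at first logon, and adds the account to a local group. Assumptions (all hypothetical): the CSV has a `SamAccountName` column, a local group named `AppUsers` already exists on the standalone server and is what the application checks, and the script runs elevated on that server. It uses the ADSI WinNT provider so it works on Windows Server 2008-era PowerShell as well as current versions.

```powershell
# Added example, not from the thread. Creates local accounts on a standalone
# server from an AD export. The AD passwords cannot be copied, so each account
# gets a random initial password and must change it at first logon.
#
# Export step, run on a domain member with the ActiveDirectory module
# ($ou is a hypothetical OU):
#   Get-ADUser -Filter * -SearchBase $ou | Select-Object SamAccountName |
#       Export-Csv -NoTypeInformation users.csv

param(
    [string]$CsvPath    = '.\users.csv',              # hypothetical export file
    [string]$LocalGroup = 'AppUsers',                 # hypothetical local group
    [string]$OutPath    = '.\initial-passwords.csv'   # sensitive; delete after delivery
)

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous characters (0/O, 1/l/I) left out so the password survives being read aloud.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound, avoids modulo bias
    $chars = New-Object System.Collections.Generic.List[char]
    $buf   = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$group    = [ADSI]"WinNT://$env:COMPUTERNAME/$LocalGroup,group"

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $name = $row.SamAccountName
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    # Idempotent: re-running the script after a fresh export only adds newcomers.
    if ([ADSI]::Exists("WinNT://$env:COMPUTERNAME/$name,user")) {
        Write-Verbose "Skipping existing account $name"
        continue
    }

    $password = New-RandomPassword
    $user = $computer.Create('User', $name)
    $user.SetPassword($password)
    $user.SetInfo()

    $user.Put('Description', "Imported from AD export $(Get-Date -Format yyyy-MM-dd)")
    $user.Put('PasswordExpired', 1)     # user must set a new password at first logon
    $user.SetInfo()

    $group.Add($user.Path)              # grant the application's access group

    [pscustomobject]@{ SamAccountName = $name; InitialPassword = $password }
}

# Initial passwords have to reach users out of band; protect and then destroy this file.
$results | Export-Csv -NoTypeInformation -Path $OutPath
Write-Host "Created $(@($results).Count) local accounts; initial passwords written to $OutPath"
```

The trade-off this makes explicit is that the DMZ host ends up with its own credential store, so the usual AD controls (lockout policy, password history, disabling a leaver in one place) do not apply automatically: a local password policy has to be set on the server, and the export/import should be re-run on a schedule, with a matching pass that disables local accounts no longer present in the export.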

