User syncing from one DC to another

Dear friends,

Let me tell you the details. I have a domain A and a domain B, and I created a trust between the domains. I joined machines to domain A and can log in as a domain B user. We have an Exchange server in domain B, and the domain A users have mailboxes in it (domain B has an additional suffix).

My question: Can we add a replica of users (in an OU) in domain B to domain A? This is required for some applications in the domain A environment. I know trust creation is the solution, but the requirement is the presence of objects in domain A.

E.g.: the user1 object must be available in domain A and domain B with the same password. I know the question itself is confusing.

Please advise.

Regards,

April 28th, 2015 2:06am


My question: Can we add a replica of users (in an OU) in domain B to domain A? This is required for some applications in the domain A environment. I know trust creation is the solution, but the requirement is the presence of objects in domain A.

You need to implement FIM in your environment and create Management Agents for each domain; then you will be able to synchronize users in both domains. Other than that, I do not believe you can do anything to sync the password.

April 28th, 2015 2:34am

Hi Exchangetvm,

Syncing passwords and having replica users would mean a management overhead. On top of that, troubleshooting issues would become complex and tedious.

You might now also need two-way password sync, etc.; even one-way password sync will pose a security risk, or cause account lockouts if the sync is not good enough.

You should look for other options rather than doing it this way.

  • You might look at the possibility of using an AD LDS instance of the AD of domain A. It's just as Mahdi said: this is like using FIM, but in an alternate way.
  • If you have Forefront Identity Manager (FIM), you can use it to synchronize the users from AD into AD LDS and then manually populate the AD LDS-specific attributes through LDP, ADSIEdit, or a custom or third-party application. If you don't have FIM, however, you can use ADAMSync to synchronize data from your Active Directory to AD LDS. It is important to remember that ADAMSync DOES NOT synchronize user passwords! If you want the AD LDS user account to use the same password as the AD user, then userproxy transformation is what you need.
  • In the References section, I've included links that explain the purpose and configuration of userproxy. The short version is that you can use this section of code to create userproxy objects rather than AD LDS user class objects. Userproxy objects are a special class of user that links back to an Active Directory domain account to allow the AD LDS user to utilize the password of their corresponding user account in AD. It is NOT a way to log on to AD from an external network. It is a way to allow an application that utilizes AD LDS as its LDAP directory to authenticate a user via the same password they have in AD. Communication between AD and AD LDS is required for this to work, and the application that is requesting the authentication does not receive a Kerberos ticket for the user.
  • Exchange Online DirSync uses a similar concept (your requirement, not AD LDS), but ADFS is preferred over it.

Is there a place I can go to see all the feature differences between FIM, Dirsync and AAD Sync?


Yes, see the full matrix here.

References:

Microsoft Azure Active Directory Sync tool

New Office 365 directory synchronization tool shipped called Azure Active Directory Synchronization Services

Active Directory - The UnicodePwd Mystery of AD LDS

Understanding Proxy Authentication in AD LDS - userproxy transformation

Synchronize with Active Directory Domain Services

Checklist: Synchronize Data from AD DS to AD LDS

April 28th, 2015 7:12am
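As an added illustration of the userproxy approach described in the reply above (this is example code, not from the thread, the poster, or Microsoft's documentation), the script below reads the users of one OU in domain B and creates matching userProxy objects in an AD LDS instance hosted in domain A. No password is copied: a userProxy object carries only the AD account's objectSid, and AD LDS redirects each bind for that object to a domain controller that holds the real password. All names (the OU, server and port values) are placeholder assumptions; the script also assumes the RSAT ActiveDirectory module on the admin workstation and that MS-UserProxy.ldf has been imported into the AD LDS instance.

```powershell
# Added example, not part of the original thread. Creates AD LDS userProxy objects
# for every enabled user in one domain B OU, so an application bound to AD LDS in
# domain A can authenticate those users with their domain B password without any
# password being replicated. All names below are assumed placeholders.
Import-Module ActiveDirectory

$SourceOU     = 'OU=AppUsers,DC=domainb,DC=example'   # assumed: OU of domain B users
$SourceServer = 'dc1.domainb.example'                  # assumed: a domain B DC
$AdLdsServer  = 'adlds1.domaina.example:50000'         # assumed: AD LDS host:port in domain A
$TargetOU     = 'OU=Proxies,DC=app,DC=local'           # assumed: OU in the AD LDS partition

# Bind to the target container in AD LDS with the caller's current credentials.
$target = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$AdLdsServer/$TargetOU")

# objectSid is the only link between the proxy and the real AD account, so it is
# the one attribute that must be correct; disabled accounts are left out on purpose.
$users = Get-ADUser -Server $SourceServer -SearchBase $SourceOU `
                    -Filter 'Enabled -eq $true' -Properties objectSid, userPrincipalName

foreach ($u in $users) {
    # Skip accounts that already have a proxy, so the script can be re-run safely.
    $filter   = "(&(objectClass=userProxy)(cn=$($u.SamAccountName)))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($target, $filter)
    if ($searcher.FindOne()) { continue }

    # objectSid must be set in the same commit that creates the userProxy object;
    # AD LDS rejects adding it to an existing object.
    $sidBytes = New-Object byte[] $u.SID.BinaryLength
    $u.SID.GetBinaryForm($sidBytes, 0)

    $proxy = $target.Children.Add("CN=$($u.SamAccountName)", 'userProxy')
    $proxy.Properties['objectSid'].Value = $sidBytes
    $proxy.Properties['userPrincipalName'].Value = $u.UserPrincipalName
    $proxy.CommitChanges()

    Write-Output "Created userProxy for $($u.SamAccountName) -> $($u.SID.Value)"
}
```

Two points worth checking after running something like this: the AD LDS server must be able to reach a domain B DC over the trust for proxy binds to succeed (the reply's "communication between AD and AD LDS is required"), and by default AD LDS only accepts proxy binds over an SSL/TLS connection, so the application should be pointed at the LDAPS port rather than plain LDAP. Because nothing but the SID is stored, the proxy objects give the application no way to reach domain B resources directly, which is the security property the reply is describing.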

Hi,

Any update about the issue?

Regards.

May 4th, 2015 1:10am

Is there any method in 2008 AD to accomplish this?
May 4th, 2015 2:03am
