AD forest to forest sync

What is the best tool to synchronize (nightly) Active Directory attributes, including custom attributes that we created, from one forest to several other forests? For example, we maintain an email directory, but the email address needs to be synced
to other domains in other forests. Credential mapping is needed since the target account names, sAMAccountNames, etc. may differ from the source. PowerShell, csvde, etc. are too basic; we need a commercial solution.
I've done some research here; I understand consolidating to one forest would be best, however, politics and cost make that unfeasible. I just need to get some attributes over to these other domains.

FIM would work here as long as you can identify attributes which can be used to resolve that userA from Forest1 belongs to the same person as user45 from Forest2 and the root_abcd account from Forest3. These attributes may of course differ (for example you can
use extensionAttribute14 for Forest1-Forest2, sAMAccountName between Forest2 and Forest3 and let's say mail between Forest1 and Forest3 (I assume that there would be some users in 2 of those forests, for example)).
Or you can think about the logic of joining them (some part of the DN in Forest1 would be the same as EmployeeID in Forest2).
But yes, it looks like a task for FIMSynchronizationService and you don't even need FIMService/Portal licenses :)
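The join logic the answer describes (different join attributes per forest pair, and the account names differing everywhere) is the part people usually get wrong, so here is an added, stand-alone illustration of it. This is not FIM code and not from the original thread: it is a small Python model of a metaverse join over constructed sample exports from three forests (the object data, the join rules and the example.test addresses are all made up for the example). It applies the pairwise join rules from the answer, refuses any join where a value matches more than one object on either side (the same behaviour a sync engine should have, since an ambiguous join silently merges two people), and then computes which mail values would flow from Forest1 to the mapped accounts in the other forests.

```python
"""Model of a cross-forest attribute join and flow (constructed example, not FIM)."""
from collections import defaultdict

# Constructed sample directory exports: one list of objects per forest.
# sAMAccountName is the per-forest anchor; other attributes are the join candidates.
FORESTS = {
    "Forest1": [  # authoritative for mail
        {"sAMAccountName": "userA", "mail": "usera@forest1.test", "extensionAttribute14": "E1001"},
        {"sAMAccountName": "userB", "mail": "userb@forest1.test", "extensionAttribute14": "E1002"},
        {"sAMAccountName": "userC", "mail": "userc@forest1.test", "extensionAttribute14": "E1003"},
    ],
    "Forest2": [
        {"sAMAccountName": "user45", "mail": "", "extensionAttribute14": "E1001"},
        {"sAMAccountName": "user46", "mail": "userb@forest1.test", "extensionAttribute14": "E1002"},
        {"sAMAccountName": "user47", "mail": "", "extensionAttribute14": "E1003"},  # duplicate key ...
        {"sAMAccountName": "user48", "mail": "", "extensionAttribute14": "E1003"},  # ... makes this ambiguous
    ],
    "Forest3": [
        {"sAMAccountName": "root_abcd", "mail": "usera@forest1.test"},
        {"sAMAccountName": "user46", "mail": ""},
        {"sAMAccountName": "svc_backup", "mail": ""},  # joins nothing; must not receive any flow
    ],
}

# Pairwise join rules exactly as the answer sketches them: (forest, attr, forest, attr).
JOIN_RULES = [
    ("Forest1", "extensionAttribute14", "Forest2", "extensionAttribute14"),
    ("Forest2", "sAMAccountName", "Forest3", "sAMAccountName"),
    ("Forest1", "mail", "Forest3", "mail"),
]


class UnionFind:
    """Minimal disjoint-set; each connected component is one metaverse person."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def index_by(objects, attr):
    """Map a normalised attribute value to every object carrying it (empty values never join)."""
    idx = defaultdict(list)
    for obj in objects:
        value = (obj.get(attr) or "").strip().lower()
        if value:
            idx[value].append(obj)
    return idx


def join(forests, rules):
    """Return (groups, ambiguous): connected (forest, sAMAccountName) keys and refused joins."""
    uf = UnionFind()
    ambiguous = []
    for forest, objects in forests.items():
        for obj in objects:
            uf.find((forest, obj["sAMAccountName"]))  # register every object, joined or not
    for fx, ax, fy, ay in rules:
        ix, iy = index_by(forests[fx], ax), index_by(forests[fy], ay)
        for value in ix.keys() & iy.keys():
            # A join must be 1:1; anything else is reported, never guessed.
            if len(ix[value]) != 1 or len(iy[value]) != 1:
                ambiguous.append((fx, ax, fy, ay, value))
                continue
            uf.union((fx, ix[value][0]["sAMAccountName"]), (fy, iy[value][0]["sAMAccountName"]))
    groups = defaultdict(list)
    for key in list(uf.parent):
        groups[uf.find(key)].append(key)
    return [sorted(g) for g in groups.values()], ambiguous


def flow_attribute(forests, groups, source_forest, attr):
    """Export plan: (target_forest, target_sAMAccountName, attr, value) for every stale target."""
    by_key = {(f, o["sAMAccountName"]): o for f, objs in forests.items() for o in objs}
    plan = []
    for group in groups:
        sources = [k for k in group if k[0] == source_forest]
        if len(sources) != 1:  # no authoritative object (or two of them): export nothing
            continue
        value = by_key[sources[0]].get(attr, "")
        if not value:
            continue
        for key in group:
            if key != sources[0] and by_key[key].get(attr, "") != value:
                plan.append((key[0], key[1], attr, value))
    return sorted(plan)


if __name__ == "__main__":
    groups, ambiguous = join(FORESTS, JOIN_RULES)
    for g in groups:
        print("person:", g)
    for a in ambiguous:
        print("refused ambiguous join:", a)
    for step in flow_attribute(FORESTS, groups, "Forest1", "mail"):
        print("export:", step)
```

Running it shows userA/user45/root_abcd collapsing into one person through two different join attributes, user46 in Forest3 picking up userB's mail only via the Forest2 hop, the E1003 join being refused because two Forest2 objects carry that value, and svc_backup receiving nothing. Whatever product you end up with, insist on the same two properties: joins that are one-to-one and a single authoritative source per attribute, otherwise a nightly run can quietly rewrite the wrong account.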

Similar Messages

  • Remove one of three forests from AzureAD Sync

    Hello all!  We are using AzureAD sync and successfully synchronizing three forests.  We now are facing a divestiture and want to remove one of the forests.  We have applied filters and removed all of the users from the forest to be removed,
    but we now want to clean up the AADSync tool.
    Question:  can we just remove the MA from the forest we no longer want, or is there a more appropriate way to remove a forest?  We need to make sure whatever we do does not have an impact on the sync rules from the other forests...
    THANKS!

    Yes, you can "just" remove the MA using the synchronization service manager.
    That's the supported way to do this.
    Cheers,
    Markus
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

  • Windows Server 2012 R2 - New Forest - Lowest forest fuctional level 2008

    Hi,
    I just setup a new win2k12 r2 forest. I notice the lowest forest functional level that I can select is only Windows Server 2008. How come 2003 is not on there when it is supported in the document below?
    The following table shows the features that are available at each forest functional level.
    http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
    Thanks

    Windows Server 2003 is in extended support and even the extended support will end next year, so setting up Windows Server 2003 DCs in a brand new forest as of this date doesn't make sense (or at least it's not what Microsoft wants you to do).
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • New DP in other trusted forest - update forest or not ?

    Hello,
    I would like to publish a new distribution point in another trusted forest, and I would like to know if I really need to prepare that new forest,
    or if I just need to discover it from SCCM?
    regards,
    Jérémy

    Take a look at this great post:
    http://blogs.technet.com/b/neilp/archive/2012/08/24/cross-forest-support-in-configmgr-2012-part-3-deploying-site-server-site-systems-in-an-untrusted-forest.aspx
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Sync of passwords between members of a forest trust

    I need to sync passwords between 2 separate forests. What I am hoping to do is have any changes made in Forest A (primary) be transferred to Forest B.
    This is for a separation project separating two colleges into separate entities, but we need to share access capabilities between the two colleges on an ongoing basis.
    Forest A is the parent school running Server 2008 R2 ADs.
    Forest B is my side running Server 2012 R2 ADs.

    Hi,
    You need to install PCNS(Password Change Notification Services) on all of your Domain Controllers in the two forests to achieve this. 
    For more detailed information, please refer to the threads below:
    Password sync forest to forest
    http://social.technet.microsoft.com/Forums/en-US/9bcbea29-424f-470f-b0c1-26149aea36e4/password-sync-forest-to-forest?forum=identitylifecyclemanager
    Password sync between 2 forests
    http://social.technet.microsoft.com/Forums/en-US/94e4b333-0864-400b-8956-9b420aed0a43/password-sync-between-2-forests?forum=identitylifecyclemanager
    Regards,
    Mandy

  • SUP configuration multi forest

    Seeking some advice for the below scenario. Not able to push software updates to client machines in both forests.
    Two forests A and B with trust.
    One SCCM 2012 primary server with SUP and WSUS, SQL on a separate box, in Forest A.
    Firewall ports are opened. Software / package deployment works fine for the client machines in both forests.
    WSUS sync is successful.
    From client machines I am able to ping and telnet to the SCCM/SUP/WSUS (all-in-one) server, and also able to browse the WSUS site created in IIS.
    Not able to push software updates to client machines in both forests.
    Do we need multiple SUP roles in this case?  Is there any workaround?
    Appreciate your help on this.
    Thanks
    Gurudatt

    In general no, there is no reason that you will need a SUP to support an alternate forest.
    Have you reviewed wuahandler.log on a client in this alternate forest?
    Is software distribution successful to clients in this alternate forest?
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • FIM add-ins & password reset across Forests?

    Hi,
    Forest A (resource forest) has FIM Sync, Service & Portal.
    Forest B is where the user account and domain computer exists.
    Forest A & B are joined by a 2-way trust.
    If we deploy the FIM add-ins and extensions on a workstation in Forest B, will the user be able to reset their password?
    thanks,
    dw

    Yes, in your case users are able to use SSPR functionality. Users must be synced by FIM. You have a trust, so they are able to log on to the Portal. Last but not least, DNS must allow name resolution and correct SPN settings for the service account must be configured.
    Henry

  • Are admins in different forests automatically admins in the other forest after a trust is created?

    Hello Community
        In Windows Server when you have a ForestA containing an admin and a ForestB containing
    an admin, if a trust relationship between ForestA and ForestB is created, will the admins have
    administrative privileges in each other's forest by default after the trust relationship is created, or does the
    admin in one forest have to explicitly give the admin in the other forest admin privileges?
        Thank you
        Shabeaut

    Hi,
    Administrators won’t become administrators of another forest after forest trust is created. Actually, forest trust only provides a secure channel to allow authentication flow across forests, while it doesn’t assign any privileges/permissions
    to administrators/users from the other forest.
    In addition, Domain Admins group is a Global group, which means that it only contains members from the local domain, therefore, we can’t add users from another forest into Domain Admins group of the local forest.
    More information for you:
    How Domain and Forest Trusts Work
    http://technet.microsoft.com/en-us/library/cc773178(v=WS.10).aspx
    Understanding Groups
    http://technet.microsoft.com/en-us/library/dd861330.aspx
    What's the different between builtin local/administrators and Domain Admins in AD 2003?
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/7866aacc-d6b8-412e-ab1e-69d152d1c7c4/whats-the-different-between-builtin-localadministrators-and-domain-admins-in-ad-2003?forum=winserverDS
    Best Regards,
    Amy

  • How do I share Exchange Global Address List (GAL) across different forests without using federated services

    We have two domains in separate forests, One forest has Exchange 2013 server, how do we get a constantly up to date Global Address list of users
    from the "Other" forest?
    Thanks.
    Babu

    Hi,
    We can configure Global Address List (GAL) Synchronization with Forefront Identity Manager (FIM) 2010:
    https://technet.microsoft.com/en-us/video/configuring-global-address-list-gal-synchronization-with-forefront-identity-manager-fim-2010.aspx
    For more and detailed information about GALSync, please refer to:
    http://social.technet.microsoft.com/wiki/contents/articles/1726.global-address-list-synchronization-galsync-resources.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • Forest Level Trust to limited number of DC's

    I need to establish a 1-way forest level trust between 2 forests across firewalls. The source forest has a single domain with 13 domain controllers. Is it possible to limit the trust communication to only 2 domain controllers in the source
    domain or do I need to open up the required ports from the target domain controllers to all the DC's in the source forest?

    Hi,
    Based on my understanding of forest trust, if you create a one-way, forest trust between forest A (the trusted forest) and forest B (the trusting forest), members of forest A can access resources located in forest B, but members of forest B cannot access resources
    located in forest A using the same trust. There is no limitation for the number of DCs.
    In addition,for the ports used by trusts, you can refer to the link below:
    How Domain and Forest Trusts Work
    Best regards,
    Susie

  • Untrusted forest with duplicate AD site names

    Can anyone speculate on the behavior when enabling Forest discovery of an untrusted forest that has AD sites with the same names as what are in the installed forest (The forest where Config Mgr lives)?
    My concern is that the currently discovered boundaries (AD Site boundaries) already exist with the Site names so there may be some kind of conflict when Config Mgr tries to create AD Site boundaries based on the untrusted forest's duplicate named AD sites.

    There will be a conflict, but not with Forest discovery per se. I don't think it will really care. The conflict will come when clients actually use the boundaries for content lookup.
    Do the like-named sites represent the same locations in the enterprise? If so, then this should be a non-issue. If not, then you'll have to switch to another boundary type or get the AD folks to rename their sites -- it would be kind of dumb to name two
    different locations the same thing though so I suspect the former is the case.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Untrusted Forest Discovery failed

    I'm having an issue with a remote untrusted forest.  Forest Discovery fails, but I can publish site server information to this forest.
    ERROR: [ForestDiscoveryAgent]: Failed to connect to forest domain.com. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.
    Entering function ReportForestConnectionFailureStatusMessage()
    Calling ReportStatus, keys= SMS_AD_FOREST_DISCOVERY_MANAGER, -2147474744, 2
    I have configured conditional forwarders between forests and name resolution works. There shouldn't be any firewall issues either and I tested SRV records via nslookup with this method
    Type nslookup, and then press ENTER.
    Type set type=all, and then press ENTER.
    Type _ldap._tcp.dc._msdcs.<var>Domain_Name</var>, where <var>Domain_Name</var> is the name of your domain, and then press ENTER.
    Nslookup lists correct domain controllers from remote forest.
    Any ideas what could be causing this? I think it's AD related problem.

    LDAP://DCNAME.domain.com/OU=Computers,DC=domain,DC=com 
    I tested this last week and this works. Now I can discover computer objects from the untrusted forest. There must be something wrong with the AD/DNS infrastructure because
    normally you don't need to specify the domain controller directly; it should find it with an SRV lookup.

  • CUC 8.5 UM integration with multiple AD Forest

    Hi Guys,
    I need to do a unity connection 8.5 UM integration with exchange 2003 and 2010 in two different AD Forest. AD 2003/exchange 2003 is in one Forest (Account Forest) with 2003 mailboxes on a corporate network AND AD 2008/exchange 2010 is in second Forest (Resource Forest) with 2010 mailboxes in the CLOUD. There is also a trust relationship between 2 AD Forest. As per unity connection 8.x SRND, we must create separate unified messaging services account (AD account) for each Forest.
    Given the above scenario, I think we need 2 AD accounts, one on AD 2003 (for exchange 2003 mailboxes) and second one on AD 2008 (for exchange 2010 mailboxes). However, in this configuration if mailboxes are moved from 2003 to 2010 we will have to manually disassociate the unity connection subscriber mailbox with unified messaging service account (AD 2003 account) and re-associate it with unified messaging service account (AD 2008 account), is that correct? or is there a way to automate this if the mailboxes are moved to 2010 unity connection automatically detects the change?
    Any pointers in the right direction would be much appreciated.
    Thanks

    Can any one comment on this please? Perhaps TAC engineers might be able to provide some insight?
    Thanks

  • Domain / Forest functional levels

    I've done some research but really need someone to tell me I've got this right in my head...
    I've got 2 domains in the forest, the forest functional level is 2003. Here's the setup:
    domain1.local
    root domain
    2 DCs running W2K8R2
    DFL - 2003
    domain2.local
    1 DC running W2012R2
    1 DC running W2K3 (soon to be retired)
    DFL - 2003
    Can I upgrade the DFL of domain1 to 2008R2?
    Can I upgrade the FFL to 2008R2 while maintaining trust?
    Do the domain and forest functional levels have to match?
    Thanks in advance for any answers!

    > Can I upgrade the DFL of domain1 to 2008R2?
    Yes.
    > Can I upgrade the FFL to 2008R2 while maintaining trust?
    Yes.
    > Do the domain and forest functional levels have to match?
    No.
    Martin

  • Supported AD topology - Two forests with one domain in each

    Hi all,
    I've been tasked with deploying Lync in our environment and I've hit a wall in regards to Lync's AD topology support, my environment is as follows:
    Two forests and each one has a single domain in it. There is a two-way trust relationship between the forests.
    All of our user accounts and computer accounts are in Domain A (in Forest A)
    All of our server accounts and mailboxes (linked with user account in Domain A) are in Domain B (in Forest B)
    If I was to deploy Lync Server in Domain B (Forest B), can my users in Domain A (Forest A) access Lync with all functionality? Are there any special considerations I need to take into account?
    Many thanks,
    Craig

    Hi,
    It is supported by Microsoft for your Lync topology.
    For your Lync topology, it is called Multiple Forests, Central Forest. The resource forest hosts only enterprise application servers and does not contain any primary user accounts. The primary user accounts from other forests are represented as disabled
    user accounts. The ObjectSID of the primary user account (from the account forest) is mapped to the corresponding disabled user account's msRTCSIP-OriginatorSID attribute. These disabled user accounts are enabled for Lync Server 2010 and mail-enabled for Microsoft Exchange
    Server if it is deployed.
    You can refer to the link below to deploy Resource Forest Topology for Lync Server 2010:
    http://technet.microsoft.com/en-us/library/gg670909(v=ocs.14).aspx
    Best Regards,
    Eason Huang
    TechNet Community Support
