ActiveDirectory

How to Sync Passwords between Child and Parent Domain with FIM 2010 R2

How to Sync Passwords between Child and Parent Domain with FIM 2010 R2
Brandon LeeJune 26, 2015Last Updated: January 11, 2021
4 minutes read
ma_source06
ma_source06

For those of you in a multi domain environment due to the structure of your company or from migrations from legacy directory services into AD, there often is the need to synchronize various directory objects with other directory objects, especially if you have a resource domain and an account domain. ย Recently in working with an Active Directory infrastructure that was setup with disabled user accounts in the parent root domain (was originally setup as a resource forest for Exchange, however external domains had been brought in as child domains), and then had child domains with accounts in them, the need arose to synchronize only passwords from the child domain up to the forest root parent domain.

My first thought here was Forefront Identity Manager 2010. ย The latest version of FIM 2010 is in R2 trim and is really a very powerful product for synchronizing directories. ย It is not too difficult to set it up between child and parent domain, however, there are a lot of moving parts and pieces that are a bit tedious to setup. ย The steps we need to complete are:

  • Upgrade the forest schema
  • Setup the SPN
  • Install the PCNS service on all the child domain controllers
  • Setup the management agents in FIM 2010 R2
  • Setup the run profiles for the management agents
  • Run the “run” profiles to get the correct joins
  • Set the logging levels on the PCNS

Upgrading the schema

The first thing we need to do is upgrade the forest schema to understand the FIM and PCNS extensions. ย You need to do this of course in the forest root on the schema master. ย To do this you need to copy the PCNS MSI installation file to the DC and run a special switch against the MSI found below. ย Also, make sure you are a member of the Schema Admins group to make the schema changes.

msiexec /i PCNS.msi SCHEMAONLY=TRUE

pcns01
 pcns02
 pcns03
 pcns04

 

Setting up the SPN

Setting up the SPN for PCNS service to use is easy enough to setup as well. ย Use the following syntax to setup the SPN to use:

setspn -A PCNSCLNT/fim2010.testl.local TESTDOMAINfimservice

Keep in mind the account you use for the SPN needs to be the same account that you use on your FIM 2010 R2 box to run the synchronization service.

setspn

Just a side note, if you make an error in setting up the SPN, the syntax below allows you to delete the SPN you created:

setspn -D PCNSCLNT/fim2010.test.local TESTadministrator

Setup PCNS on all domain controllers

PCNS will need to be setup on all domain controllers that you want to capture password change requests. ย For instance in the scenario mentioned in synchronizing child domain accounts to parent domain, the PCNS service needs installed on the child domain controllers.

pcns_dc01
 pcns_dc02
 pcns_dc03
 pcns_dc04
 pcns_dc05
 pcns_dc06

 

A reboot will be in order after installing the PCNS on your DCs so be sure to plan ahead for that.

Setup the Management agents in FIM

This is probably the most frustrating part from a documentation standpoint. ย There are a lot of documents out there that tell you how to setup the PCNS service and SPN account, etc as well as a few of the options you need turned on in the management agent config, however, a very important part to getting the PCNS sync to work between child and parent domain are the join and projection rules and attribute flow.

Create the first sourceย Active Directory Domain Services management agent and select the directory partition that you want to synchronize from. ย Be sure to enableย Password Synchronization as we will come back to this one after creating the second target management agent.

ma_source01

Under the Select Object Types, be sure to selectย user.


 ma_source02

Under the select attributes menu, selectย cn, displayName, givenName, ObjectSID, SAMAccountName,ย andย sn.


 ma_source03

Selectย user and then clickย new Projection Rule and select theย person option Declared. ย Then select theย New Join Rule and set SAMAccountName direct toย accountName


 ma_source04

Setup the Attribute Flow as pictured below.


 ma_source05

Notice that in theย source management agent, we don’t have theย Enable password managementย enabled as this is the source.


 ma_source06

Be sure after you have configured the target agent (steps to follow) that you go back under theย Configure Directory Partitionsย and selectย Password Synchronization andย Targets. ย Select your target management agent with a checkbox and hit Ok.


 ma_source07

 

Target Agent configuration

The below is very similar to the source management agent. ย Take note of the differences such as not enabling theย Enable this partition as a password synchronization source.

ma_target01
 ma_target02
 ma_target03
 ma_target04
 ma_target05
 ma_target06

 

Setup Run Profiles

Setup Run Profiles onย both agents that look like this:

run_profiles

After setting up the management agents for both source and target (child and parent) domain, Run theย Full Import Stage Only followed by theย Full Synchronization which gets the source objects in the metabase.

After you run the target management agent, you should see joins listed:

joins

These indicate the users in the source and target that match your criteria.

Set Logging levels on both the FIM 2010 R2 server and DCs:

The default logging is not good enough on the FIM Synchronization service or the PCNS service. ย Set the logging as follows on both:

Create a REG DWORD value calledย FeaturePwdSyncLogLevelย under the following location and set it to 3
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesFIMSynchronizationServicesLoggingย 

  • 0 = Minimal Loggingย 

  • 1 = Normal logging (default)ย 

  • 2 = High loggingย 

  • 3 = Verbose loggingย 

For PCNS, there are four logging levels that are controlled by adding theย EventLogLevelย (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINESystemCurrentControlSetServicesPCNSSVCParametersLogging

  • 0 = Minimal Loggingย 

  • 1 = Normal logging (default)ย 

  • 2 = High loggingย 

  • 3 = Verbose loggingย 

Test a password reset:

After you have done the following you should be at a point to test the PCNS service and see a successful synchronization of a user account password in a source domain (child) with the parent domain.

 

 

Brandon LeeJune 26, 2015Last Updated: January 11, 2021
4 minutes read

Subscribe to VirtualizationHowto via Email ๐Ÿ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Photo of Brandon Lee

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

adrepl1

Active Directory Replication Time Intervals

June 12, 2013
After enforcement the EventIDs are now errors instead of warnings

Domain Controller PacRequestorEnforcement Registry Key – Enable Audit and Enforcement

February 7, 2022
RSATfeat

How to Install Remote Server Administration Tools Windows 7

June 4, 2012
AD Replication Status Tool Open Source Alternative

AD Replication Status Tool New Open Source Alternative

June 28, 2023

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© Copyright 2024, All Rights Reserved  | VirtualizationHowto.com