ActiveDirectory

How to Sync Passwords between Child and Parent Domain with FIM 2010 R2

For those of you in a multi domain environment due to the structure of your company or from migrations from legacy directory services into AD, there often is the need to synchronize various directory objects with other directory objects, especially if you have a resource domain and an account domain.  Recently in working with an Active Directory infrastructure that was setup with disabled user accounts in the parent root domain (was originally setup as a resource forest for Exchange, however external domains had been brought in as child domains), and then had child domains with accounts in them, the need arose to synchronize only passwords from the child domain up to the forest root parent domain.

My first thought here was Forefront Identity Manager 2010.  The latest version of FIM 2010 is in R2 trim and is really a very powerful product for synchronizing directories.  It is not too difficult to set it up between child and parent domain, however, there are a lot of moving parts and pieces that are a bit tedious to setup.  The steps we need to complete are:

  • Upgrade the forest schema
  • Setup the SPN
  • Install the PCNS service on all the child domain controllers
  • Setup the management agents in FIM 2010 R2
  • Setup the run profiles for the management agents
  • Run the “run” profiles to get the correct joins
  • Set the logging levels on the PCNS

Upgrading the schema

The first thing we need to do is upgrade the forest schema to understand the FIM and PCNS extensions.  You need to do this of course in the forest root on the schema master.  To do this you need to copy the PCNS MSI installation file to the DC and run a special switch against the MSI found below.  Also, make sure you are a member of the Schema Admins group to make the schema changes.

msiexec /i PCNS.msi SCHEMAONLY=TRUE

pcns01
pcns02
pcns03
pcns04

 

Setting up the SPN

Setting up the SPN for PCNS service to use is easy enough to setup as well.  Use the following syntax to setup the SPN to use:

setspn -A PCNSCLNT/fim2010.testl.local TESTDOMAINfimservice

Keep in mind the account you use for the SPN needs to be the same account that you use on your FIM 2010 R2 box to run the synchronization service.

setspn

Just a side note, if you make an error in setting up the SPN, the syntax below allows you to delete the SPN you created:

setspn -D PCNSCLNT/fim2010.test.local TESTadministrator

Setup PCNS on all domain controllers

PCNS will need to be setup on all domain controllers that you want to capture password change requests.  For instance in the scenario mentioned in synchronizing child domain accounts to parent domain, the PCNS service needs installed on the child domain controllers.

pcns_dc01
pcns_dc02
pcns_dc03
pcns_dc04
pcns_dc05
pcns_dc06

 

A reboot will be in order after installing the PCNS on your DCs so be sure to plan ahead for that.

Setup the Management agents in FIM

This is probably the most frustrating part from a documentation standpoint.  There are a lot of documents out there that tell you how to setup the PCNS service and SPN account, etc as well as a few of the options you need turned on in the management agent config, however, a very important part to getting the PCNS sync to work between child and parent domain are the join and projection rules and attribute flow.

Create the first source Active Directory Domain Services management agent and select the directory partition that you want to synchronize from.  Be sure to enable Password Synchronization as we will come back to this one after creating the second target management agent.

ma_source01

Under the Select Object Types, be sure to select user.


ma_source02

Under the select attributes menu, select cn, displayName, givenName, ObjectSID, SAMAccountName, and sn.


ma_source03

Select user and then click new Projection Rule and select the person option Declared.  Then select the New Join Rule and set SAMAccountName direct to accountName


ma_source04

Setup the Attribute Flow as pictured below.


ma_source05

Notice that in the source management agent, we don’t have the Enable password management enabled as this is the source.


ma_source06

Be sure after you have configured the target agent (steps to follow) that you go back under the Configure Directory Partitions and select Password Synchronization and Targets.  Select your target management agent with a checkbox and hit Ok.


ma_source07

 

Target Agent configuration

The below is very similar to the source management agent.  Take note of the differences such as not enabling the Enable this partition as a password synchronization source.

ma_target01
ma_target02
ma_target03
ma_target04
ma_target05
ma_target06

 

Setup Run Profiles

Setup Run Profiles on both agents that look like this:

run_profiles

After setting up the management agents for both source and target (child and parent) domain, Run the Full Import Stage Only followed by the Full Synchronization which gets the source objects in the metabase.

After you run the target management agent, you should see joins listed:

joins

These indicate the users in the source and target that match your criteria.

Set Logging levels on both the FIM 2010 R2 server and DCs:

The default logging is not good enough on the FIM Synchronization service or the PCNS service.  Set the logging as follows on both:

Create a REG DWORD value called FeaturePwdSyncLogLevel under the following location and set it to 3
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesFIMSynchronizationServicesLogging 

  • 0 = Minimal Logging 

  • 1 = Normal logging (default) 

  • 2 = High logging 

  • 3 = Verbose logging 

For PCNS, there are four logging levels that are controlled by adding the EventLogLevel (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINESystemCurrentControlSetServicesPCNSSVCParametersLogging

  • 0 = Minimal Logging 

  • 1 = Normal logging (default) 

  • 2 = High logging 

  • 3 = Verbose logging 

Test a password reset:

After you have done the following you should be at a point to test the PCNS service and see a successful synchronization of a user account password in a source domain (child) with the parent domain.

 

 

Subscribe to VirtualizationHowto via Email 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.