Password Sync between 2 AD Forest using FIM 2010 R2

I have been working on a cross-forest migration from a Windows 2003 Active Directory (AD) forest to a Windows 2012 AD forest recently, and I managed to migrate all users and groups together with their passwords by following the ADMT Series link, using ADMT 3.2 with Password Export Server (PES).

Lessons learned from this project:
1. There were some issues downloading Password Export Server 3.2 for x86 from the Microsoft site.
2. The forest and domain functional level must be at least Windows 2003.
3. The Windows 2003 AD domain controllers need to be rebooted after installing Password Export Server (PES).
4. Multiple user and group accounts can be migrated using the ADMT 3.2 Management Console; no script is required.

Since my client decided to keep both the Windows 2003 AD and the Windows 2012 AD forests for another few months, so that they can slowly migrate their existing application servers to the new Windows 2012 AD domain, they asked whether it is possible to implement a password replication solution that replicates users' passwords from Windows 2003 to Windows 2012. This is where Microsoft Forefront Identity Manager (FIM) 2010 R2 comes into the picture.

The following steps were taken for FIM 2010 R2 to perform password replication from Windows 2003 AD to Windows 2012 AD, following the link Password Sync using FIM 2010 between Parent & Child Domain.

A. Preparation of Windows 2003 AD Domain Controllers (Source Domain)

  1. Download and install the Windows 2003 Support Tools from the Support CD
  2. Download and copy the Password Change Notification Service (PCNS) installer from the FIM 2010 R2 installation media
  3. Extend the schema using:
     msiexec /i PCNS.msi SCHEMAONLY=TRUE
  4. Install PCNS on all Windows 2003 AD domain controllers (to capture the password changes) – a server reboot is required
  5. FIM-01: Register the SPN using the following command – aventis-sql01.aventis.local is the SQL 2014 Server + FIM 2010 R2 host and aventis\fim1 is the service account for FIM
setspn -a PCNSCLNT/aventis-sql01.aventis.local aventis\fim1
  Registering ServicePrincipalNames for CN=FIM1,OU=Service Account,DC=AVENTIS,DC=L
  Updated object

Test that the SPN has been registered on aventis\fim1 (the service account):

setspn -L aventis\fim1
  Registered ServicePrincipalNames for CN=FIM1,OU=Service Account,DC=AVENTIS,DC=LO

Associate pcnscfg with the SPN registered previously. The warning below is expected here: pcnscfg checks for the SPN in the domain it runs in (ctcgsb.local), whereas PCNSCLNT/aventis-sql01.aventis.local was registered on aventis\fim1 in the target forest.

C:\Program Files\Microsoft Password Change Notification>pcnscfg.exe ADDTARGET /N:PasswordSync /A:aventis-sql01.aventis.local /S:PCNSCLNT/aventis-sql01.aventis.local /fi:"Domain Users" /f:3
Warning: The Service Principal Name you specified could not be found on any
accounts in this domain. This target configuration will not be able to deliver
passwords if the Service Principal Name is not configured properly.

  Target Name...........: PasswordSync
  Target GUID...........: 24F3F206-1F4F-4842-ACF4-89B119843318
  Server FQDN or Address: aventis-sql01.aventis.local
  Service Principal Name: PCNSCLNT/aventis-sql01.aventis.local
  Authentication Service: Kerberos
  Inclusion Group Name..: CTCGSB\Domain Users
  Exclusion Group Name..:
  Keep Alive Interval...: 0 seconds
  User Name Format......: 3
  Queue Warning Level...: 0
  Queue Warning Interval: 30 minutes
  Disabled..............: False

B. Preparation of Windows 2012 AD Domain Controllers (Target Domain)

  1. Installation of 1 x SQL 2014 Server
  2. Installation of the SQL 2012 Native Client for database connectivity
  3. Install FIM 2010 R2 on the SQL 2014 Server (all in one server in my lab)

Configuration of Management Agent for Target Domain (Aventis.local)

Click on Containers and select only the identified users located in the particular OU for password synchronization (not required if the entire domain needs to be synchronized).

Check User (object type)

Select sAMAccountName (attribute)

Configure the Join and Project Rules as above:

 sAMAccountName –> uid 

Enable Password Management

Configuration of Management Agent for Source Domain (ctcgsb.local)

Click on Containers and select only the identified users located in the particular OU for password synchronization (not required if the entire domain needs to be synchronized), enable the partition as a password synchronization source, and click on Target to select Aventis.local (Target Domain). Follow the same settings as in the rest of the screenshots under Configuration of Management Agent for Target Domain (Aventis.local).

Do NOT enable Password Management on the last page.

Click on Tools –> Options and enable Synchronization Rule Provisioning and Enable Password Synchronization.

Run Full Import and Full Sync for both Management Agents manually.

Change Password on Windows 2003 AD Domain (Source Domain)

  1. Manually reset the password of the ctcgsb4 user account in ADUC; a message then appears in Event Viewer showing that the password has been replicated.

Use PowerShell to check that the password of ctcgsb4 in Aventis.local (Target Domain) has changed successfully; ctcgsb4 can then log in to Windows 7 using the new password set in Windows 2003 AD (Source Domain).
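The PowerShell check mentioned above, written out as an added example (it is not a script from the original post). It assumes the RSAT ActiveDirectory module is available and that the two domain controller names are hypothetical placeholders to be replaced with your own source and target DCs.

```powershell
# Added example: compare pwdLastSet of one user in the source and target forests
# to confirm that PCNS/FIM delivered the password change. Assumptions:
#   - the ActiveDirectory module (RSAT) is installed where this runs
#   - the DC names below are placeholders, not hosts from the original post
Import-Module ActiveDirectory

function Compare-PasswordSyncState {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,           # e.g. ctcgsb4
        [string]   $SourceDC = 'ctcgsb-dc01.ctcgsb.local',          # hypothetical
        [string]   $TargetDC = 'aventis-dc01.aventis.local',        # hypothetical
        [timespan] $SkewTolerance = [timespan]::FromMinutes(5)       # clock skew allowance
    )

    # PasswordLastSet is the DateTime view of the pwdLastSet attribute.
    $src = Get-ADUser -Identity $SamAccountName -Server $SourceDC -Properties PasswordLastSet
    $dst = Get-ADUser -Identity $SamAccountName -Server $TargetDC -Properties PasswordLastSet

    # pwdLastSet = 0 (user must change password at next logon) shows up as $null.
    if ($null -eq $src.PasswordLastSet) {
        throw "Source account $SamAccountName has no pwdLastSet value; nothing to compare."
    }

    # FIM sets the password on the target after the source change, so once the
    # sync succeeded the target timestamp should be at or after the source one
    # (minus a tolerance for clock differences between the two forests).
    $synced = ($null -ne $dst.PasswordLastSet) -and
              ($dst.PasswordLastSet -ge ($src.PasswordLastSet - $SkewTolerance))

    [pscustomobject]@{
        User             = $SamAccountName
        SourcePwdLastSet = $src.PasswordLastSet
        TargetPwdLastSet = $dst.PasswordLastSet
        LagMinutes       = if ($synced) {
                               [math]::Round(($dst.PasswordLastSet - $src.PasswordLastSet).TotalMinutes, 1)
                           } else { $null }
        Synced           = $synced
    }
}

# Usage: check the account that was reset in ADUC on the source domain.
Compare-PasswordSyncState -SamAccountName 'ctcgsb4' | Format-List
```

A Synced value of False right after the reset means the change has not arrived yet or PCNS could not deliver it; recheck after a short wait before looking at the PCNS and FIM logs.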

I will implement this soon in my client's production environment, and will post more detailed step-by-step documentation soon.
