Sync passwords between Active Directory domains

There are many reasons why you might want to sync a password between two Active Directory (AD) domains. We commonly see requests from customers who are migrating their users from one domain to another, whether because of an acquisition or divestiture, a domain upgrade, or a need to sync into a separate AD domain that hosts a service (for example, email).

There are a few solutions on the market that handle this type of process, but they tend to run as a batch process, i.e. the sync happens every X hours. This can create confusion for users who change their password in the source domain but then can’t log in with the new password on the target (resource) domain.

This is where Specops Password Sync is different. Our solution will sync passwords on-demand as they are changed – whether it was changed by a user, or reset by an admin/service desk.

Another very useful feature is that the target domain does not need to “trust” the source domain, and no software needs to be installed in the target domain. All we need is a set of credentials from the target domain with delegated password reset rights over the accounts that are to be synced.

How Specops Password Sync works

First, we need a way to detect password changes. This role is performed by a service called the Change Notifier, which should be installed on every writable domain controller (DC) in the source domain. When a change is detected, the Notifier service checks whether the user is covered by a Specops Password Sync Policy before passing the change to the Sync Server (or servers, if you want resilience). The Sync Server has something called a Sync Point configured.

The Sync Point contains all the details about the target domain using an AD Provider.

  • Admin Credentials
  • Unlock account if locked
  • Domain names/DC name/IP Address
  • Name Mapping – If the usernames differ between the two domains, this contains the rules for transforming each affected user’s source username into the target username. You can match on an alternate AD attribute if required, e.g. mail or UPN
  • Retry/wait settings – just in case the other domain isn’t available at that immediate moment in time, the system can be programmed to retry at certain intervals
  • Email Notification Settings – Success, Warning (retrying), Failure (retried but gave up eventually) to let the user (and admin) know what’s going on
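The Name Mapping step above, as an added illustration that is not Specops Password Sync’s own code or configuration format: ordered rules rewrite a source attribute into a lookup value for a target attribute, and a lookup that hits more than one target account is reported as ambiguous rather than synced to a guessed account. The rule format, attribute names and sample accounts are all constructed here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRule:
    source_attr: str   # attribute read from the source-domain user
    pattern: str       # regex the whole source value must match
    replacement: str   # expansion of that match giving the lookup value
    target_attr: str   # attribute searched in the target domain


# Constructed rules: try the same sAMAccountName first, then map the
# source UPN onto the target mail attribute with a changed domain suffix.
RULES = [
    MappingRule("sAMAccountName", r"(.*)", r"\1", "sAMAccountName"),
    MappingRule("userPrincipalName", r"([^@]+)@old\.example",
                r"\1@corp.example", "mail"),
]

# Constructed target-domain index: attribute -> value -> target accounts.
# In a real deployment this would be an LDAP search, not a dict.
TARGET_INDEX = {
    "sAMAccountName": {"jdoe": ["jdoe"]},
    "mail": {
        "ann.smith@corp.example": ["a.smith"],
        "pat.lee@corp.example": ["plee", "plee-admin"],  # duplicate mail
    },
}


def resolve_target(user, rules=RULES, index=TARGET_INDEX):
    """Return (target_account, status) for a source user record.

    status is "mapped", "ambiguous" (more than one target account matched,
    so nothing should be written) or "unmapped" (no rule produced a match).
    """
    for rule in rules:
        value = user.get(rule.source_attr)
        match = re.fullmatch(rule.pattern, value) if value else None
        if match is None:
            continue
        lookup = match.expand(rule.replacement)
        candidates = index.get(rule.target_attr, {}).get(lookup, [])
        if len(candidates) == 1:
            return candidates[0], "mapped"
        if len(candidates) > 1:
            return None, "ambiguous"
    return None, "unmapped"
```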

The AD Provider itself uses RPC to connect to the target domain, which can be quite “noisy” from an IP port perspective. To reduce the number of firewall ports you need to open, you can achieve the same result using the LDAPS (Secure LDAP) Provider.

This requires only a single port, TCP 636, but needs a little more configuration on the provider itself. You are also limited to a single target DC rather than any DC in the target domain.

For questions about Specops Password Sync, contact us today!

(Last updated on August 9, 2023)

Written by

Darren James

Darren James is a Senior Product Manager at Specops Software, an Outpost24 company. Darren is a seasoned cybersecurity professional with more than 20 years of experience in the IT industry. He has worked as a consultant across various organizations and sectors, including central and local governments, retail and energy. His areas of specialization include identity and access management, Active Directory, and Azure AD. Darren has been with Specops Software for more than 12 years and brings his expertise to the support and development of world-class password security and authentication solutions. 
