Active Directory to Active Directory sync

There are a few different options when synchronizing passwords from one Active Directory to another.

  • Active Directory sync provider: this is the preferred provider to use when synchronizing passwords from one Active Directory to another. It can be used if the ADs have a trust relationship configured and Kerberos authentication is configured and working.
  • Windows LDAP sync provider: for Active Directories that don't have a trust relationship, or where Kerberos isn't configured and working properly. This provider uses basic authentication (a simple LDAP bind), which sends the account password inside the bind request, so it must only be used over LDAPS (TCP port 636).
  • Kerberos sync provider: this provider can be used between ADs that have a trust relationship configured and working Kerberos authentication, but the Active Directory sync provider is recommended in that case.
  • LDAP sync provider: this provider is for generic LDAP servers and has more configuration options. To synchronize passwords between two Active Directory systems, use the Active Directory sync provider or the Windows LDAP sync provider instead.

You can find all the prerequisites and parameters for the various sync providers on the sync provider configuration page.

Testing


Enabling LDAP over SSL with Self-Signed certificate

To let the test client talk to the remote Active Directory Domain Services over a secure LDAP connection (LDAPS, TCP port 636) while testing this provider, a self-signed certificate on the domain controller is enough. For production use, the DC should have a certificate issued by a CA that the sync server trusts.

  1. Log in to the remote DC.
  2. Open PowerShell as administrator and run the following code. Replace the value of $name with the DC's FQDN; the test client should connect using exactly this name, because clients validate the certificate's DNS name against the host they connect to.

        # Create a self-signed certificate for the DC's FQDN in the machine store
        $name = "remote.domain"
        $cert = New-SelfSignedCertificate -DnsName $name -CertStoreLocation Cert:\LocalMachine\My

        # AD DS reads its LDAPS certificate from the NTDS service certificate store
        $path = "HKLM:\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates"
        if(!(Test-Path $path)) { New-Item -Force $path }

        # Copy the certificate's registry entry from the machine store into the NTDS store
        Copy-Item -Path "HKLM:\Software\Microsoft\SystemCertificates\My\Certificates\$($cert.Thumbprint)" -Destination $path

AD DS picks up the new certificate immediately; there is no need to reboot the domain controller. Because the certificate is self-signed, the test client will not trust it by default: export the certificate's public part to a .cer file and import it into the test client's Trusted Root Certification Authorities store (Cert:\LocalMachine\Root), otherwise the LDAPS handshake fails certificate validation.

Testing the LDAP connection

To test the LDAP connection, use a tool like LDP (ldp.exe, part of the AD DS tools). Ensure that a secure connection is established and that the accounts are accessible.

  1. Click Start, click Run, type ldp and click OK.
  2. In LDP, open the Connection menu and click Connect. Enter the DC's FQDN (the name the certificate was issued for) as the server, set the port to 636 and tick SSL.
  3. You should see a message at the top of the window saying: "Established connection to xxx.xxx.xxx". If the connection fails with a certificate error, the client does not trust the certificate presented by the DC.
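The following PowerShell is an added example; it is not part of the Specops documentation or of the Specops Password Sync product. Run it on the test client. It covers both the certificate trust step from the previous section and the connection check that LDP performs above: it opens a TLS handshake to port 636 and reports the certificate the DC presents together with any policy errors, optionally imports the DC's exported certificate into the client's Trusted Root store, and then performs a basic (simple) bind over LDAPS, the authentication the Windows LDAP sync provider uses, and reads RootDSE to prove the session works. The FQDN remote.domain, the .cer path and the DOMAIN\user bind account are assumed values and must be replaced.

```powershell
# Added example, not part of the Specops documentation or product.
# Assumptions (not from the page): the FQDN below matches the -DnsName used on
# the DC, the bind account is given as DOMAIN\user, and the .cer file is the
# DC certificate exported there with:  Export-Certificate -Cert $cert -FilePath <path>

# 1. Raw TLS handshake on 636: show the certificate the DC presents and whether
#    this client trusts it and the name matches.
function Test-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $state = @{ Errors = $null }   # hashtable so the validation callback can write into it
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Record the policy errors but still return $true, so an untrusted
        # (self-signed) certificate can be inspected instead of failing early.
        $callback = { param($sender, $cert, $chain, $errors) $state.Errors = $errors; $true }.GetNewClosure()
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server       = $Server
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            PolicyErrors = $state.Errors   # 'None' = trusted chain and matching host name
        }
    } finally { $tcp.Close() }
}

# 2. Lab only: make this client trust the DC's self-signed certificate.
function Import-LdapsTrust {
    param([string]$CerPath)
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root
}

# 3. Basic (simple) bind over LDAPS, as the Windows LDAP sync provider does,
#    then read RootDSE to prove the authenticated session is usable.
function Test-LdapsBind {
    param([string]$Server, [int]$Port = 636, [pscredential]$Credential)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port, $true, $false)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte (port 636), never plain 389
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()   # throws LdapException on bad credentials or a failed TLS handshake
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            "", "(objectClass=*)", [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@("defaultNamingContext"))
        $resp = $conn.SendRequest($req)
        $resp.Entries[0].Attributes["defaultNamingContext"][0]   # returns the domain's naming context
    } finally { $conn.Dispose() }
}

# Usage (assumed values, replace them):
$DcFqdn = "remote.domain"
Test-LdapsCertificate -Server $DcFqdn | Format-List
# If PolicyErrors shows RemoteCertificateChainErrors, trust the exported certificate first:
# Import-LdapsTrust -CerPath "C:\Temp\remote.domain.cer"
$cred = Get-Credential -Message "Bind account as DOMAIN\user"
Test-LdapsBind -Server $DcFqdn -Credential $cred
```

Run the certificate check first: a RemoteCertificateNameMismatch means the FQDN you connect to differs from the -DnsName on the DC, and RemoteCertificateChainErrors means the self-signed certificate has not been imported into the client's Trusted Root store. Only once PolicyErrors reads None is the bind test meaningful, because the same validation is applied by the Windows LDAP client that the sync provider uses.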

SPS Test Client

You can find the Test Client in the SPS Admin Tool installation directory, by default C:\Program Files\Specopssoft\Specops Password Sync\Admin Tools\PasswordSync.ProviderTestApp.exe

  1. Select Active Directory Ldap from the list of Sync Providers
  2. Configure the Sync Provider