I’m trying to figure out if MIIS is a workable solution for us. We are trying
to enable our users to log on to two forests/domains, but use one password.
Our situation is that there are two forests/domains: a large
UniversityDomain and a smaller LawSchoolDomain. I’m an administrator in the
LawSchoolDomain. UniversityDomain will not let LawSchoolDomain create any
trust relationships with it. All users in LawSchoolDomain also have user
accounts in UniversityDomain with the same user names. UniversityDomain will
allow LawSchoolDomain administrators to create new user accounts, group
policy objects, and join workstations and servers. But UniversityDomain will
not allow LawSchoolDomain to do any upper-level domain administration or
perform any maintenance on the domain controllers. Considering
LawSchoolDomain’s limited abilities in UniversityDomain, is there a way
LawSchoolDomain could use MIIS to make UniversityDomain an authoritative
source for user passwords? In other words, when a user logs on to a
LawSchoolDomain computer, can the password used be the password in
UniversityDomain? Any passwords would need to be reset in the authoritative
UniversityDomain, but that would be okay.
From my reading, I see that PCNS gets installed on the authoritative domain
controller, and “pushes” changed passwords down to MIIS for sync to
subordinate DCs. However, we would not be able to install or configure PCNS
on the authoritative DC. What I was thinking was perhaps there was a way our
LawSchoolDomain DC could use MIIS to perform a challenge/response to user
accounts in the UniversityDomain, or maybe use another method to make the
UniversityDomain authoritative for passwords.
Thanks!
Mark
Just to understand you correctly: one forest with 2 domains or two forests with one
domain each?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
-mark
Sorry for the late response. It is possible; see also here:
http://technet.microsoft.com/en-us/library/cc720589(WS.10).aspx
Additionally, see this posting, answer from "Will Qian - MSFT":
http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/669e0c81-b208-4828-abeb-57cd0ed67437
Best regards
Meinolf Weber
cheers,
-Mark