
Is MIIS a Good Solution For Us? 2 Forests-1 password


LA Law

May 8, 2009, 11:28:06 AM
Hi,

I’m trying to figure out if MIIS is a workable solution for us. We are trying
to enable our users to log on to two forests/domains, but use one password.
Our situation is that there are two forests/domains: a large
UniversityDomain and a smaller LawSchoolDomain. I’m an administrator in the
LawSchoolDomain. UniversityDomain will not let LawSchoolDomain create any
trust relationships with it. All users in LawSchoolDomain also have user
accounts in UniversityDomain with the same user names. UniversityDomain will
allow LawSchoolDomain administrators to create new user accounts, group
policy objects, and join workstations and servers. But UniversityDomain will
not allow LawSchoolDomain to do any upper-level domain administration or
perform any maintenance on the domain controllers. Considering
LawSchoolDomain’s limited abilities in UniversityDomain, is there a way
LawSchoolDomain could use MIIS to make UniversityDomain an authoritative
source for user passwords? In other words, when a user logs on to a
LawSchoolDomain’s computer, can the password used be the password in
UniversityDomain? Any passwords would need to be reset in the authoritative
UniversityDomain, but that would be okay.

From my reading, I see that PCNS gets installed on the authoritative domain
controller, and “pushes” changed passwords down to MIIS for sync to
subordinate DCs. However, we would not be able to install or configure PCNS
on the authoritative DC. What I was thinking was perhaps there was a way our
LawSchoolDomain DC could use MIIS to perform a challenge/response to user
accounts in the UniversityDomain, or maybe use another method to make the
UniversityDomain authoritative for passwords.

Thanks!
Mark


Meinolf Weber [MVP-DS]

May 9, 2009, 10:00:02 AM
Hello LA,

Just to get this correct: one forest with 2 domains, or two forests with one
domain each?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

LA Law

May 9, 2009, 8:31:01 PM

Hi Meinolf,
Thanks for responding. The second scenario...two forests with one domain
each. We are different divisions, grew up separately from each other, and
they will not allow us to create any trusts with them. We just want our
users to have one password when logging into each domain.
Thanks again,
Mark

LA Law

May 13, 2009, 11:39:10 AM
Hi:
Does anyone know if this is possible?

-mark

Meinolf Weber [MVP-DS]

May 13, 2009, 2:22:07 PM
Hello LA,

Sorry for the late response. It is possible; see also here:
http://technet.microsoft.com/en-us/library/cc720589(WS.10).aspx

Additionally, see this posting, answer from "Will Qian - MSFT":
http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/669e0c81-b208-4828-abeb-57cd0ed67437

Best regards

Meinolf Weber

LA Law

May 21, 2009, 9:25:07 AM
Thanks Meinolf.
It looks like we will be pursuing this further. The other team is
coordinating with us, and I have a lot of testing ahead of me.

cheers,
-Mark
