Connection to several Domains to sync only user accounts

Hello,
I had to synchronise user accounts from two different Windows Server 2016 ADs to one new AD. So I had installed the new AD a.doamin.tld and integrated a UCS Server with Active Directory Connection.
But I don’t have any idea how I could connect the foreign domains old-a.doamin.tld or old-b.doamin.tld. Could somebody give me a hint?
And is it possible to sync only the user accounts without the password? I would like to set new passwords for the accounts in a.doamin.tld.
Thank you for your ideas
Mic

Hi and welcome to the forum,

unfortunately there is no easy way to sync your users. UCS can sync from an AD domain or take over the domain, but only from a single one.

I guess you will need to re-create the users of your second domain as users in the new one.

/CV

Thank you very much!
Best Regards,
Mic

Univention’s ActiveDirectory Connector actually supports connecting to multiple ADs at once. If I’m not mistaken, each instance can be configured to run in either read-only mode (accounts are only read from the AD and written to the UCS server) or in bidirectional mode (accounts are read from both the AD and the UCS server and written to both).

So maybe (and that’s a big maybe as I’ve never tried such a complex setup) you could configure three AD connections:

  1. Two read-only connections to the 2016 ADs you want to integrate and
  2. A bidirectional one to the new AD.

The big drawback is that accounts need to be unique, meaning you cannot have jdoe in AD1 and AD2 — they’ll simply overwrite each other. There are no provisions for making them unique during the sync process (e.g. by automatically renaming them to jdoe1 and jdoe2). This not only affects normal user accounts but also administrator accounts. Be prepared for your admin passwords to change suddenly.

I do have experience with running two AD bidirectional instances for keeping user accounts of two separate ADs in sync. That worked well, more or less.

In any case I cannot stress enough that if you choose to go down this road, implement it in a test environment first. The sync process is powerful, and it’s really easy to mess up (e.g. configure a connection you wanted to have read-only to be bidirectional and end up with a lot of unwanted new accounts in your source AD…). Been there, done that, got the gray hair to prove it.

There are two pieces of documentation for the AD connector you should read no matter what:

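The overwrite problem described in the reply above (same account name in both source ADs, built-in accounts included) can be caught before any connector instance is configured. The following is an added example, not code from the thread or from Univention: it reads one CSV export per source domain (the column name `sAMAccountName` and the domain names are assumptions, and the export contents are constructed) and lists every name that exists in more than one domain, treating names case-insensitively as AD does.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports, one per source domain (for instance produced
# with Get-ADUser piped to Export-Csv). Only the sAMAccountName column is used.
EXPORT_OLD_A = """sAMAccountName,displayName
Administrator,Administrator
jdoe,John Doe
asmith,Anna Smith
krbtgt,krbtgt
"""
EXPORT_OLD_B = """sAMAccountName,displayName
Administrator,Administrator
JDoe,Jane Doe
bjones,Bob Jones
krbtgt,krbtgt
"""

# Accounts every AD domain has; these collide by construction and are the
# ones whose passwords the reply warns will change unexpectedly.
BUILTIN = {"administrator", "guest", "krbtgt"}


def load_names(export_text):
    """Return the set of sAMAccountNames in a CSV export, lower-cased because
    AD compares them case-insensitively (jdoe and JDoe are the same account)."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["sAMAccountName"].strip().lower()
            for row in reader if row.get("sAMAccountName")}


def find_collisions(exports):
    """exports: {domain_name: csv_text}. Returns {name: [domains]} for every
    name present in more than one source domain."""
    seen = defaultdict(list)
    for domain, text in exports.items():
        for name in load_names(text):
            seen[name].append(domain)
    return {name: sorted(domains) for name, domains in seen.items() if len(domains) > 1}


def report(collisions):
    """One line per colliding name, flagging built-in accounts separately."""
    return ["{:8} {}: {}".format("BUILTIN" if n in BUILTIN else "user", n, ", ".join(d))
            for n, d in sorted(collisions.items())]


if __name__ == "__main__":
    sources = {"old-a.doamin.tld": EXPORT_OLD_A, "old-b.doamin.tld": EXPORT_OLD_B}
    print("\n".join(report(find_collisions(sources))))
```

Any name listed under "user" needs to be renamed in one source before the sync, since the connector will not do it for you.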