To automatically synchronize passwords from an Active Directory domain to another data system, complete these steps:
- Install Capture Agent on each domain controller in the Active Directory domain you want to be the source for password synchronization operations.
Capture Agent tracks changes to the user passwords in the source Active Directory domain and provides this information to Synchronization Service, which in turn synchronizes passwords in the target connected systems you specify.
For more information on how to install Capture Agent, see Managing Capture Agent.
- Connect the Synchronization Service to the Active Directory domain where you installed Capture Agent in step 1.
Alternatively, you can configure a connection to Active Roles that manages the source Active Directory domain.
- Connect the Synchronization Service to the data system where you want to synchronize user object passwords with those in the source Active Directory domain.
- For some target data systems (such as SQL Server) you must specify the data you want to participate in the password synchronization by configuring an SQL query.
- If the target data system is an LDAP directory service accessed via the generic LDAP connector, you must specify the target object type for which you want to synchronize passwords and the attribute where you want to store object passwords.
- Ensure that user objects in the source Active Directory domain are properly mapped to their counterparts in the target connected system.
For more information about mapping objects, see Mapping objects.
Synchronization Service automatically maps objects between the source Active Directory domain and the target connected system if you configure sync workflows to manage the creation and deprovision operations between the source AD domain (or Active Roles that manages that domain) and the target connected system.
For more information on sync workflows, see Synchronizing identity data.
- Create a password synchronization rule for the target connected system.
For more information, see Creating a password sync rule.
After you complete the above steps, the Synchronization Service starts to automatically track user password changes in the source AD domain and synchronize passwords in the target connected system.
If necessary, you can fine-tune the password synchronization settings by completing these optional tasks:
- Modify the default Capture Agent settings.
- For more information, see Configuring Capture Agent.
- Modify the default Synchronization Service settings related to password synchronization.
- For more information, see Configuring Synchronization Service.
- Specify a custom certificate for encrypting the password sync traffic between the Capture Agent and the Synchronization Service. By default, a built-in certificate is used for this purpose.
- For more information, see Specifying a custom certificate for encrypting password sync traffic.
- Configure the Synchronization Service to automatically run your PowerShell script after the password synchronization completes.
For more information, see Using PowerShell scripts with password synchronization.