Step-by-Step Guide to Deploying Password Synchronization
Updated: August 22, 2005
Applies To: Windows Server 2003 R2
Password Synchronization helps integrate Windows and UNIX networks by simplifying the process of maintaining secure passwords in both environments. Users are freed of the difficulty of maintaining separate passwords for their Windows and UNIX accounts or having to remember to change the password wherever it is used.
With Password Synchronization, whenever a user's password is changed on a Windows-based computer or domain, the password can also be automatically changed on every UNIX host for which the user has an account. Password Synchronization can also be configured to change the user's Windows password when the user's UNIX password is changed.
Password Synchronization Components
Password Synchronization is a combination of three software components:
The Password Synchronization service running on one or more Windows-based computers
The Password Synchronization daemon running on one or more UNIX computers
The Password Synchronization pluggable authentication module (PAM) installed on one or more UNIX computers.
Password Synchronization Deployment Scenarios
You can deploy Password Synchronization in the following scenarios:
You can use Password Synchronization to synchronize passwords between one or more Windows-based computers and one or more stand-alone UNIX hosts.
You can use Password Synchronization to synchronize passwords within an NIS domain that has a UNIX-based NIS master server. For more information about synchronizing passwords within NIS domains, see Synchronizing passwords within an NIS domain.
You can use Password Synchronization to synchronize passwords within an NIS domain that has a Windows-based master server.
Requirements for Installing Password Synchronization
This Step-by-Step guide is intended to help you install and configure Password Synchronization on computers running Windows Server 2003 R2.
Password Synchronization can be installed only on Active Directory domain controllers.
You must be logged on to the computer as a member of both the Schema Administrators and Enterprise Administrators groups to install Password Synchronization. The Password Synchronization installation process verifies that users have both Schema Administrator and Enterprise Administrator access permissions before installation can progress.
You must install Password Synchronization on a partition that is formatted with the NTFS file system. If you are installing Password Synchronization as an upgrade to a previous version that was installed on a partition formatted with the FAT file system, you must convert the FAT partition to NTFS before you can perform the upgrade. File system operations on FAT partitions are not supported.
Password Synchronization requires 3 MB of free hard disk space. It is recommended that the computer have at least 16 MB of RAM in addition to the recommended minimum configuration for the operating system.
Password Synchronization cannot be run from a network server. All files must be installed on the local computer.
Before you install and configure Password Synchronization, it is strongly recommended that you read Best practices for Password Synchronization in the Password Synchronization Help.
Important Security Considerations for Password Synchronization
It is strongly recommended that you perform the Windows Server 2003 Service Pack 1 (SP1) compatibility check when selecting Enable Windows to NIS (AD) Password Sync on the Configuration tab in the Password Synchronization Properties dialog box. To protect the security of user account passwords in your enterprise, it is strongly recommended that you allow Password Synchronization to identify all domain controllers in the forest that are not running Windows Server 2003 SP1 or later releases.
Password Synchronization prompts you to allow the compatibility check when you select the Enable Windows to NIS (AD) Password Sync option. With Windows Server 2003 SP1 or a later release installed on all the domain controllers in a forest, the risk of exposing user password hashes to unauthorized viewers is greatly reduced. If any domain controller in the forest is running a release earlier than Windows Server 2003 SP1, any authenticated user on the domain can view the password hash of any UNIX user whose account has been migrated to Active Directory.
If an unauthorized user cracks the password hash of a UNIX-based user account stored in Active Directory, the Windows password for that account is no longer secure either.
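The compatibility check described above reports every domain controller in the forest that is below the Windows Server 2003 SP1 baseline. The following script is an added example of the same kind of check done by hand, not the product's own code: it reads the operatingSystem and operatingSystemServicePack attributes that Active Directory keeps on each domain controller's computer object and flags the ones that do not meet the baseline. The record list is constructed sample data standing in for an LDAP export; the year-based comparison is a simplifying assumption that treats any later Windows Server release as meeting the baseline.

```python
"""Flag domain controllers below the Windows Server 2003 SP1 baseline.

Added example, not part of Password Synchronization or its built-in
compatibility check. Each record mirrors the operatingSystem and
operatingSystemServicePack attributes of a domain controller's computer
object in Active Directory; the records below are constructed sample data.
"""
import re

# Constructed sample: what an export of the DCs' computer objects might look like.
SAMPLE_DCS = [
    {"name": "DC01", "operatingSystem": "Windows Server 2003",
     "operatingSystemServicePack": "Service Pack 1"},
    {"name": "DC02", "operatingSystem": "Windows Server 2003",
     "operatingSystemServicePack": ""},
    {"name": "DC03", "operatingSystem": "Windows 2000 Server",
     "operatingSystemServicePack": "Service Pack 4"},
    {"name": "DC04", "operatingSystem": "Windows Server 2003 R2",
     "operatingSystemServicePack": "Service Pack 2"},
    {"name": "DC05", "operatingSystem": "Windows Server 2008",
     "operatingSystemServicePack": ""},
]

# Minimum acceptable level as (OS release year, service pack number).
BASELINE = (2003, 1)


def os_level(record):
    """Return (release_year, service_pack) parsed from the AD attributes.

    Returns None when the operatingSystem string has no recognisable
    release year; the caller must treat that as "not verified".
    """
    os_name = record.get("operatingSystem") or ""
    year_match = re.search(r"Windows(?: Server)? (\d{4})", os_name)
    if not year_match:
        return None
    sp_text = record.get("operatingSystemServicePack") or ""
    sp_match = re.search(r"Service Pack (\d+)", sp_text)
    service_pack = int(sp_match.group(1)) if sp_match else 0
    return (int(year_match.group(1)), service_pack)


def below_baseline(records, baseline=BASELINE):
    """Return the names of DCs whose level is unknown or older than baseline.

    Unknown levels are reported on purpose: a DC whose OS string cannot be
    parsed has not been shown to be safe, so it must be investigated.
    """
    flagged = []
    for rec in records:
        level = os_level(rec)
        if level is None or level < baseline:
            flagged.append(rec["name"])
    return flagged


if __name__ == "__main__":
    for name in below_baseline(SAMPLE_DCS):
        print(f"{name}: below Windows Server 2003 SP1, fix before enabling sync")
```

In practice the records would come from a query of the domain controllers' computer objects; the two attribute names are the standard ones, only the sample values are invented. Any name the script prints means the forest is not yet at the level the page requires, and Enable Windows to NIS (AD) Password Sync should stay off until that domain controller is upgraded.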