Synchronizing user passwords

Applies To: Windows Server 2003 R2

Server for NIS provides limited support for keeping passwords synchronized between a user's Windows and UNIX accounts. Whenever a user's Windows password is changed, Password Synchronization (which you can install with Server for NIS for this purpose) captures the new password, encrypts it, and then stores the password in the passwd map in Active Directory. The new password is then propagated to UNIX-based Network Information Service (NIS) secondary servers and clients when Server for NIS performs its periodic map update.

If Server for NIS is installed in a Windows domain with multiple domain controllers, it is recommended that you install Password Synchronization on all domain controllers in the domain. Any domain controller can potentially respond to a request to change a user's password, so Password Synchronization should be running on that domain controller to ensure that the NIS passwd map is updated. If you install Password Synchronization on a domain controller solely to support Server for NIS in this fashion, you do not need to configure UNIX hosts to work with Password Synchronization running on the domain controller. Alternatively, you can configure Password Synchronization on a domain controller and selected UNIX hosts to provide two-way password synchronization. Users of those UNIX hosts can then also change their NIS domain password with the passwd command (instead of yppasswd).

When synchronizing passwords, Server for NIS can use either crypt or Message Digest 5 (MD5). Server for NIS can support different encryption methods for multiple domains, but all UNIX computers in a particular domain must use the same encryption method. To specify the encryption method, see "Set the encryption method for a domain."
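
A consistency check for the rule above that one domain uses one method, as an added example (not Microsoft's code): it parses passwd-map text, such as the output of `ypcat passwd`, and reports which hash format each entry carries. It assumes the MD5 method produces the `$1$` crypt format; the function names and the sample entries are constructed for illustration.

```python
import re
from collections import Counter

# Traditional crypt(3): 2 salt chars + 11 hash chars from the alphabet ./0-9A-Za-z
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Assumed MD5 format: $1$ + salt (up to 8 chars) + $ + 22 hash chars
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

# Constructed sample map; the hash fields are placeholders, not real hashes.
SAMPLE = """\
alice:ab0123456789A:1001:100:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:1002:100:Bob:/home/bob:/bin/sh
carol:*:1003:100:Carol:/home/carol:/bin/sh
broken:line
"""

def classify(field):
    """Return the hash scheme of one passwd-map password field."""
    if field in ("", "x") or field.startswith(("!", "*")):
        return "none"  # empty, shadowed, or locked entry: nothing to compare
    if MD5_CRYPT.match(field):
        return "md5"
    if DES_CRYPT.match(field):
        return "crypt"
    return "unknown"

def audit_passwd_map(text):
    """Parse name:passwd:uid:gid:gecos:home:shell lines and compare schemes."""
    schemes, malformed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            malformed.append(lineno)  # report instead of guessing at fields
            continue
        schemes[parts[0]] = classify(parts[1])
    counts = Counter(s for s in schemes.values() if s != "none")
    # Consistent only if every real hash uses the same recognized format.
    consistent = len(counts) <= 1 and "unknown" not in counts
    return {"schemes": schemes, "counts": dict(counts),
            "consistent": consistent, "malformed": malformed}

if __name__ == "__main__":
    report = audit_passwd_map(SAMPLE)
    print(report["counts"], "consistent:", report["consistent"])
```

A mixed result usually means an entry was written before the domain's method was changed or by a host configured differently; those accounts are the ones to reset after settling on one method.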