Identity Synchronization for Windows has limited support for WAN deployments: it can synchronize with Directory Server or Active Directory domain controllers that are available only over the WAN. However, the Identity Synchronization for Windows Core and all the connectors must be installed on the same LAN.
The setup in this scenario was achieved by installing the following:
Identity Synchronization for Windows Core.
Directory Server Connector.
Active Directory Connector on the same machine where Identity Synchronization for Windows Core and Directory Server Connector are installed.
Windows NT Connector on a machine in the same LAN.
In this case study, the Active Directory Connector communicates across the WAN with the Active Directory domain controller on the west coast. A domain controller is available on the east coast, but because it is not the PDC FSMO role owner, synchronization would be significantly delayed if it were selected.
When the Directory Server domain controller and Active Directory domain controller are separated by a WAN, you have the option of installing Identity Synchronization for Windows in one of the following locations:
On the same LAN as Directory Server
On the same LAN as Active Directory
Somewhere in between
In general, the best performance is achieved when Identity Synchronization for Windows is installed on the same LAN as Directory Server.
Identity Synchronization for Windows has been tested in a variety of WAN environments, but it requires, at minimum, a link with T1 (1.44 Mb/sec) speeds and a round-trip latency of no more than 300 milliseconds.