Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Introducing Windows NT Into the Configuration

While the term Windows refers to Windows platforms using Active Directory for authentication, the system being discussed in this appendix can use Windows NT in place of (or along with) newer variations of Windows.

Be aware, however, that Windows NT lacks the ability to use on-demand synchronization normally provided by Identity Synchronization for Windows.

The Identity Synchronization for Windows on-demand synchronization process must be able to bind to Windows over LDAP using a set of candidate credentials, an ability that the Windows NT authentication system lacks. When Identity Synchronization for Windows is configured with Windows NT, it expects password changes to be captured at their source, at the time the change is made. This capture requirement has ramifications when you initially start a system that uses Identity Synchronization for Windows. Specifically, Identity Synchronization for Windows needs to see a password change for an entry before that entry is actually synchronized.

Synchronization in a Windows NT environment involves modifying the passwords of all entries in the LDAP store using an LDAP-based utility. As these modifications pass through the LDAP store, Identity Synchronization for Windows forwards the captured passwords to the Windows NT system, so neither system is left with stale passwords. However, because you created the passwords by deterministic means, these passwords might be easy to guess.

You can limit potential security breaches if you use Windows NT password policy to force all users to change their password at their next login. As each user changes their password, the Identity Synchronization for Windows password DLL installed on the Primary Domain Controller forwards the password change to the LDAP store.
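As an added example (not code from the guide or the product), the following Python prepares the initial password population step described above with unpredictable rather than deterministic values: it draws each password from a CSPRNG and emits the LDIF change records that a standard LDAP utility such as ldapmodify would apply to the LDAP store. The DNs are constructed sample data and the character-class rule is an assumption standing in for whatever complexity policy the Windows NT domain enforces.

```python
import base64
import secrets
import string

# Constructed sample entries standing in for users in the LDAP store
# (assumption: these DNs are not from the guide).
SAMPLE_DNS = [
    "uid=jsmith,ou=People,dc=example,dc=com",
    "uid=mjones,ou=People,dc=example,dc=com",
]

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"


def random_password(length: int = 16) -> str:
    """Initial password built from a CSPRNG, so the value forwarded to the
    Windows NT system cannot be derived from the user name or any pattern."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Assumed complexity rule: require lower, upper and digit characters.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def ldif_modify(dn: str, password: str) -> str:
    """One LDIF change record replacing userPassword. The value is base64
    encoded ('::' syntax) because it may contain characters unsafe in LDIF."""
    encoded = base64.b64encode(password.encode("utf-8")).decode("ascii")
    return (f"dn: {dn}\nchangetype: modify\nreplace: userPassword\n"
            f"userPassword:: {encoded}\n-\n")


def build_reset_ldif(dns):
    """Return (ldif_text, {dn: password}). The mapping is what an administrator
    hands to users out of band before the forced change at next login; it
    should never be written to disk in the clear."""
    assigned = {dn: random_password() for dn in dns}
    ldif = "\n".join(ldif_modify(dn, pw) for dn, pw in assigned.items())
    return ldif, assigned


if __name__ == "__main__":
    text, _ = build_reset_ldif(SAMPLE_DNS)
    print(text)
```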