
Best practice to link AD LDS user with AD user

We have an application that uses AD LDS (ADAM) which contains an extended user class (custom attributes, specific to our application). One of our clients wants our users linked to their domain users (AD). When they create a user in their system, a user on our side has to be created. When they delete a user on their system, the corresponding user should be deleted on our side. The same with basic properties (name, email, ...). The application-specific attributes will be modified by our tool.

What is the best or most reliable way to keep those users in sync? The client does not allow us to modify their schema.

I was thinking myself to create a webservice to add/delete/modify a user on our side which can be called from within their system. But maybe there are better solutions. Thanks.


Personally, I will use ADAMSync for that. You can find a kind of 'how do I' in Synchronize ADAM (or LDS) with Active Directory Domain Services.

ADAMSync.exe and ADSchemaAnalyzer.exe are part of the binaries installed with ADAM.

In case you are effectively using ADAM, be careful to install ADAM SP1.


You can use the free Identity Integration Feature Pack from MS to sync selected attributes between AD and AD-LDS. You can download it here http://www.microsoft.com/download/en/details.aspx?id=11149

I'm not sure if it supports Server 2008. It may be included in Server 2008 as a role now.
