So we have got a domain (e.g. contoso.local) which is replicated over 4 DCs. All DCs are in the same subnet. All users reside in the same OU in this one domain. All workstations are in their own OU as well.
Now we have a small (5 people) office, which is not connected via a WAN. There is a FRITZ!Box for the internet connection in this office and all users work locally on their computers.
The plan is to put a physical server in this office as a project. This server should be a new DC with its own domain (something like smalloffice.contoso.local). The new DC is going to be connected to our network via VPN.
The users for this office are going to be created via an identity management software as objects in our big, local domain contoso.local. So I would like to migrate them once into the new domain. I read that you can use either ADMT or MIM for that. The following problem would be that every time one of the five users changes their password, only the user object in contoso.local will be modified.
How can I get this object synchronized with the new DC/domain smalloffice.contoso.local (like overwriting the old password in the new domain using the new password from the old main domain)?
Would it be enough to put the new domain as a separate domain into our existing forest and just let them replicate using the built-in AD DS feature?
Or should one use MIM to migrate the users and then let them synchronize every time the password gets changed?