We have a setup where passwords sync from the Target to the Source tenant; this allows users to access the legacy environment with the same password even after the AD migration. Since last week, users have been reporting that passwords changed in the target tenant are no longer syncing with the source tenant.
I changed my password in the target tenant and indeed it didn't sync back to the source. Sync log set to High for the last 24 hours; profile settings exported.
Found multiple errors in the log:
[BTPassAsm] - Unable to retrieve user information for 600268 : Error = 2221
There can be a few causes:
1. Antivirus not excluding the product folders and files on the source and target DCs
2. Sync schedule is too frequent, not allowing the sync to complete.
3. Object attribute set to not sync
4. Multiple users moved out of original OU to a new OU
Resolution 1
Confirm whether antivirus (AV) software is running on both the source and target DCs and whether it is preventing the password syncs from completing. On the source/target DCs you can remove the BTPass directories and run another password sync, which will automatically recreate those directories. However, if the AV exclusions are not properly configured, or the AV is not removed from the source/target DCs in scope with DSP, the same behavior will be noted.
Confirm the paths below are excluded from AV scanning and actions.
AV Exclusion List for PSEXEC and BTPass (Binary Tree Password Module):
C:\Windows\BTPass\x64\BTPassSvc.exe
C:\Windows\BTPass\x86\BTPassSvc.exe
C:\Program Files\Binary Tree\DirSync\BTPass\x64\BTPassSvc.exe
C:\Program Files\Binary Tree\DirSync\BTPass\x86\BTPassSvc.exe
C:\Program Files\Binary Tree\DirSync\BtPaExec.exe (available in version 20.10.x or higher)
Follow the steps below:
If one or more of the 3 files listed below are missing from the BTPass directories, exclude the files/directories in the AV and replicate the exclusion to the target/source DCs, including the DSP server.
Run a repair install of Dirsync on the DSP (Dirsync Pro) server.
Finally, delete the BTPass folder on the source and target DCs and re-run a sync.
The folders will be pushed and recreated during the next sync.
The 3 files:
BTPassUtil.exe
BTPassSvc.exe
BTPassAsm.dll
Test the password sync manually against a single account.
Resolution 2
Confirm the sync schedule has plenty of time to finish before another sync is scheduled to run.
Resolution 3
Confirm that the users whose passwords weren't set are configured correctly for reverse sync so they are in scope of the LDAP Query. Check that they don't have the following on their object: extensionattribute8=donotsync
Resolution 4
Confirm user objects were not moved to another OU in the Source or Target.
If this is the case, correct this by updating the migration profile or moving the users back to the correct OU.
Perform a profile reset.
AD Pro should find the users and syncing should be successful.
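The checks from Resolutions 1 and 3 can be scripted on each DC. The PowerShell below is an added example, not part of the vendor's tooling. It assumes the ActiveDirectory module is available, that Microsoft Defender is the AV in use (other products need their own exclusion query), that the three BTPass files live in the C:\Windows\BTPass directories from the exclusion list, and it uses a placeholder OU.

```powershell
# Added example: pre-flight checks for causes 1 and 3 on this page.
# Assumptions: run on a DC with the ActiveDirectory module; Microsoft Defender
# is the AV; the three BTPass files sit in the BTPass directories listed above.
param(
    [string]$SearchBase = 'OU=Migrated Users,DC=example,DC=com'  # placeholder OU
)

$files = 'BTPassUtil.exe', 'BTPassSvc.exe', 'BTPassAsm.dll'
$dirs  = 'C:\Windows\BTPass\x64', 'C:\Windows\BTPass\x86'

# Cause 1a: are the BTPass files present, or were they removed/quarantined?
foreach ($dir in $dirs) {
    foreach ($file in $files) {
        $path = Join-Path $dir $file
        [pscustomobject]@{ Check = 'FilePresent'; Item = $path
                           Result = (Test-Path -LiteralPath $path) }
    }
}

# Cause 1b: is each documented BTPassSvc.exe path covered by a Defender exclusion?
# Wildcard or environment-variable exclusions are not expanded by this check.
$pref = Get-MpPreference
$exclusions = @($pref.ExclusionPath) + @($pref.ExclusionProcess) | Where-Object { $_ }
foreach ($p in ($dirs | ForEach-Object { Join-Path $_ 'BTPassSvc.exe' })) {
    $covered = $false
    foreach ($e in $exclusions) {
        # Covered if the exact file, or one of its parent folders, is excluded
        $folder = $e.TrimEnd('\') + '\'
        if ($p -ieq $e -or
            $p.StartsWith($folder, [StringComparison]::OrdinalIgnoreCase)) {
            $covered = $true
        }
    }
    [pscustomobject]@{ Check = 'AVExcluded'; Item = $p; Result = $covered }
}

# Cause 3: users carrying extensionAttribute8=donotsync are out of sync scope.
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter '(extensionAttribute8=donotsync)' -SearchBase $SearchBase |
    ForEach-Object {
        [pscustomobject]@{ Check = 'DoNotSync'; Item = $_.DistinguishedName
                           Result = $true }
    }
```

Run it on the source and target DCs and compare the output: a `FilePresent` or `AVExcluded` row with `Result` False points at cause 1, and any `DoNotSync` row lists a user excluded by cause 3.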