Follow these steps to create test objects in the source environment to validate the Password Sync workflow.
Setup 2 Users in the source local environment and ensure it is part of the OU filter setup for the Local Environment.
DisplayName: Lab1PWD1
DisplayName: Lab1PWD2
Description: Matched User
Setup a User in the target local environment it is part of the OU filter setup for the Local Environment.
DisplayName: Lab1PWD2
Setup a workstation in the target Active Directory environment for Password validation test.
Follow the below steps to perform Real Time Password Sync workflow and validation.
Select the workflow configured and click on RUN.
Allow the workflow execution to complete.
Validate Lab1PWD1 from source local Active Directory will be created in target.
Validate Lab1PWD2 from source local Active Directory will match to the existing Lab1PWD2 user in target. Source user’s description value will be added to the target user.
Select the workflow configured and click on Run again. This is needed to read the newly created object into system, this will allow Directory Sync can update Password for the user object.
Make Password changes to both Lab1PWD1 and Lab1PWD2 users.
Wait for about 1-2 minutes, navigate to the Environment page and select the source environment. Click on PASSWORD LOGS button and export the logs with default setting.
Once the log is downloaded, open the log file and confirm Directory Sync has read the Password changes from source environment. Below are the sample loggings:
5109,171,League-Lab1 Local,"Read: Detected password change for object CN=Lab1PWD1,OU=CDSUsers,OU=CDSObjects,DC=Lab1,DC=leagueteam,DC=local",,5/23/2020 1:53:52 AM
CN=Lab1PWD2,OU=CDSUsers,OU=CDSObjects,DC=Lab1,DC=leagueteam,DC=local",,5/23/2020 1:53:55 AM
Select the target environment and click on PASSWORD LOGS button and export the log with default setting.
One the log is downloaded, open the log file and confirm Directory Sync has written the Password changes to target environment. Below are the sample loggings:
5111,175,League-Lab2 Local,"Write: Using global catalog server from configured DCs list: Lab2-DC.Lab2.LeagueTeam.local, Domain=lab2.leagueteam.local",,5/23/2020 1:53:59 AM
5112,175,League-Lab2 Local,Write: Connecting to Domain Controller using port: 389,,5/23/2020 1:53:59 AM
5113,175,League-Lab2 Local,Write: Applying changeset e6180232-2ac7-4f7f-b7df-16217c78e3c5,,5/23/2020 1:53:59 AM
5114,175,League-Lab2 Local,Write: Finished applying changeset e6180232-2ac7-4f7f-b7df-16217c78e3c5,,5/23/2020 1:54:01 AM
5113,175,League-Lab2 Local,Write: Applying changeset f6180232-2ac7-4f7f-b7df-16217cd3421,,5/23/2020 1:53:59 AM
5114,175,League-Lab2 Local,Write: Finished applying changeset f6180232-2ac7-4f7f-b7df-16217cd3421,,5/23/2020 1:54:01 AM
Use the target workstation and log into the machine with target Lab1PWD1 user using the most recent password from the source environment. Verify the target user can be logged in and target environment.
Use the target workstation and log into the machine with target Lab1PWD2 user using the most recent password from the source environment. Verify the target user can be logged in and target environment.
This list contains the common errors that may occur during Password Synchronization and troubleshooting steps we can use to address these errors.
Question: Do I need to run my workflow to have my password changes synced?
Answer: Although Password Syncs does not require user to run the workflow if the source and target users are correctly matched by Directory Sync, it is necessary to run the workflow at least once to allow existing target users to be matched with the source users based on the matching rules you have defined. For users created by Directory Sync, running the workflow again will be required to have the new target user matched to the source user. Once users are correctly matched, Directory Sync will monitor the password changes and synced to the target without the need of running the workflow.
Question: Why does Directory Sync generate password read log in the target Active Directory when I have Password Sync enabled from Source to Target?
Answer: Directory Sync needs to read the target user password hash into system so it can compare with the source user password hash to determine if it was changed and synced.
Question: I see BTPass folder being created under ADMIN$, however I do not see BTPassSvc.exe executable in the folder, why?
Answer: The password utility executable may have been flagged as a Malware by the anti-virus software as it was trying to inject the service onto LSASS process. To remediate this behavior, BTPass utility folder and all of its content must be added to the Anti-Virus whitelist policy.
Question: I am getting ‘Error connecting to remote share (WNetAddConnection2 error code: 5)’ from my DirSync Agent when Password Sync is enabled, how can I resolve this error?
Answer: This error typically happens when Directory Sync agent service account do not have the proper access to ADMIN$ share on the domain controller. As part of the Password Sync process, ‘BTPass Utility’ must be copied to the domain controller’s ADMIN$ share folder using the service account credential, please ensure the service account is a member of the administrator group to access the share.
Question: Can I setup a workflow that only perform password sync for existing users and not sync any other attributes?
Answer: Yes, you may setup a workflow template and only includes ‘unicodePwd’ attribute in the template. Alternately, you can setup a workflow that only perform Read and Match operation, once a matching record is created for the source and target user, Directory Sync will sync across passwords when changes are detected for the source users.
© ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center