If antivirus (AV) exclusions are not properly configured, or the AV solution is not removed, on the source/target domain controllers (DCs) and the DSP-DirSync Pro server, password synchronization may fail. One of the key conditions for successful legacy password synchronization is the correct configuration of AV exclusions.
AV Exclusion Behavior and BTPass Folder Issue:
During troubleshooting, we observed inconsistent behavior from the antivirus (AV) solution regarding the C:\Windows\BTPass folder and MPAD password executables on domain controllers (DCs). On the target DC used by MPAD, the BTPass folder was found to be empty, and the executables were flagged as quarantined — despite no new logs or events being recorded by the AV solution.
Interestingly, on another DC where the BTPass folder was not empty and the AV solution did not report any quarantined files, the functionality still failed. This discrepancy raised concerns, and upon further investigation, the Security team confirmed that no antivirus exclusions were configured for the target domain.
This case highlights that AV solutions may not reliably reflect their actions in logs or quarantine status, and their reporting should not be solely relied upon when diagnosing issues related to file exclusions or quarantines.
Recommendation: Always verify exclusion policies directly with your security team and consider manual validation of folder contents and executable status when troubleshooting related issues. Consider adding AV exclusions centrally.
1) Ensure the paths below are excluded from AV scanning and action.
On Domain Controllers: (ensure AV exclusions are set on source and target DCs)
C:\Windows\BTPass\
On Directory Sync Pro Server:
C:\Program Files\Binary Tree\DirSync\BTPass\
C:\Program Files\Binary Tree\DirSync\BtPaExec.exe (available in version 20.10.x or higher)
If one or more of the three files listed below are missing from the BTPass directories, exclude the relevant files/directories from antivirus (AV) scanning. Apply these exclusions on both the source and target domain controllers (DCs) as well as on the DSP-DirSync Pro server.
Run a repair installation on the DSP (DirSync Pro) server.
Delete the BTPass folder on both the source and target DCs, then re-run a sync. The folders will be pushed and recreated during the next synchronization.
BTPassUtil.exe
BTPassSvc.exe
BTPassAsm.dll
2) Add exclusions to the Attack Surface Reduction (ASR) rules in Windows Defender on the domain controllers and the DirSync Pro server.
For more details, we recommend reviewing the KB article:
“DirSync Password Sync isn’t working when Windows Defender is installed, error: 'VirtualAllocEx failed: 5'”
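The manual validation recommended above can be scripted. The following is an added example, not code from the vendor or the KB article; it assumes Microsoft Defender is the AV in use (for `Get-MpPreference`), and `Test-Covered` is a hypothetical helper name.

```powershell
# Added example: read-only check. Run elevated on each DC and on the DirSync Pro server.
# Assumption: Microsoft Defender is the AV in use. The file check itself is AV-agnostic.
$expectedFiles = 'BTPassUtil.exe', 'BTPassSvc.exe', 'BTPassAsm.dll'
$paths = @(
    'C:\Windows\BTPass\'                                   # domain controllers
    'C:\Program Files\Binary Tree\DirSync\BTPass\'         # DirSync Pro server
    'C:\Program Files\Binary Tree\DirSync\BtPaExec.exe'    # DirSync Pro server, 20.10.x or higher
)

# Hypothetical helper: true when $Path equals an exclusion or lies beneath an excluded folder.
# Wildcard and environment-variable exclusions are not expanded here.
function Test-Covered {
    param([string]$Path, [string[]]$Exclusions)
    $p = $Path.TrimEnd('\')
    foreach ($e in $Exclusions) {
        if ([string]::IsNullOrWhiteSpace($e)) { continue }
        $x = $e.TrimEnd('\')
        if ($p -ieq $x -or $p.StartsWith("$x\", [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$pref = Get-MpPreference -ErrorAction SilentlyContinue
if (-not $pref) { Write-Warning 'Defender preferences unavailable; confirm exclusions with the security team.' }

$report = foreach ($path in $paths) {
    $isFolder = $path.EndsWith('\')
    $missing = @()
    if ($isFolder) {
        # An empty or partially populated BTPass folder matches the quarantine symptom described above.
        $missing = @($expectedFiles | Where-Object { -not (Test-Path -LiteralPath (Join-Path $path $_)) })
    }
    [pscustomobject]@{
        Path         = $path
        Exists       = Test-Path -LiteralPath $path
        MissingFiles = $missing -join ', '
        AvExcluded   = if ($pref) { Test-Covered $path $pref.ExclusionPath } else { 'unknown' }
        AsrExcluded  = if ($pref) { Test-Covered $path $pref.AttackSurfaceReductionOnlyExclusions } else { 'unknown' }
    }
}
$report | Format-Table -AutoSize
```

Paths that do not apply to the host's role (for example the DirSync paths on a DC) will show `Exists` as False and can be ignored for that host.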