Copying a password hash from one Active Directory domain to another using Modern Password Sync produces a working password in the target only if the Microsoft RC4 encryption type is enabled and in use in both environments. When RC4 is disabled or not used for the passwords stored in Active Directory, AES is used instead. AES key material is salted, so AES-encrypted passwords copied to another environment do not work for Kerberos authentication.
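To show why an AES password key copied by Modern Password Sync cannot work in the target domain, here is an added PowerShell illustration of the RFC 3962 AES string-to-key derivation; it is not Quest's code and it assumes the user-principal salt is the upper-case realm followed by the sAMAccountName, using constructed sample values.

```powershell
function Get-KerberosAesKey {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Realm,
        [Parameter(Mandatory)][string]$SamAccountName,
        [ValidateSet(128, 256)][int]$Bits = 256
    )
    # RFC 3962 string-to-key. Salt for an AD user principal is the upper-case realm
    # followed by the account name (assumed here; computer accounts use a different form).
    $saltBytes = [System.Text.Encoding]::UTF8.GetBytes($Realm.ToUpperInvariant() + $SamAccountName)
    $pwBytes   = [System.Text.Encoding]::UTF8.GetBytes($Password)
    # PBKDF2-HMAC-SHA1 with the default 4096 iterations
    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pwBytes, $saltBytes, 4096)
    $tkey = $kdf.GetBytes($Bits / 8)
    # DK(tkey, "kerberos"): AES-encrypt the 128-bit n-fold of "kerberos" (RFC 3961 constant).
    # A single block under CTS with a zero IV is identical to one ECB block.
    $nfold = [byte[]](0x6b,0x65,0x72,0x62,0x65,0x72,0x6f,0x73,0x7b,0x9b,0x5b,0x2b,0x93,0x13,0x2b,0x93)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $aes.Key     = $tkey
    $k1 = $aes.CreateEncryptor().TransformFinalBlock($nfold, 0, 16)
    if ($Bits -eq 128) {
        $keyBytes = $k1
    } else {
        # AES-256: K2 = E(tkey, K1); final key is K1 || K2 (32 bytes)
        $k2 = $aes.CreateEncryptor().TransformFinalBlock($k1, 0, 16)
        $keyBytes = $k1 + $k2
    }
    return (($keyBytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

# Constructed sample values, not real credentials or real domains.
$pw  = 'Example-Passw0rd!'
$src = Get-KerberosAesKey -Password $pw -Realm 'source.example' -SamAccountName 'jdoe'
$tgt = Get-KerberosAesKey -Password $pw -Realm 'target.example' -SamAccountName 'jdoe'
"Source AES-256 key: $src"
"Target AES-256 key: $tgt"
"Keys match: $($src -eq $tgt)"   # False: same password, different realm in the salt, different key
```

The RC4 key, by contrast, is the unsalted NT hash of the password, which is why it is the same in any domain and why copying it across domains worked.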
Beginning in April 2026, Microsoft will issue Windows updates that disable the RC4 encryption type. Active Directory password hashes synchronized by Quest AD migration and directory sync products will stop working in the Target environment once RC4 is disabled. To ensure that passwords continue to work, it is recommended to switch to the Password Propagation Service (PPS) technology. PPS intercepts password changes in an environment before Active Directory encrypts the password and sets the same password in the other environment over TLS-encrypted communications. This password-setting service can be used in environments where RC4 is not available.
Please note that any passwords synced with Modern Password Sync before this upgrade takes place will stop working once RC4 encryption is disabled and will need to be changed.
This KB describes the steps required to move from the Modern Password Monitor Service to the Password Propagation Service.
1. Disable Modern Password Sync
Navigate to Environments in On Demand Directory Sync, select the Domain Controllers tab, deselect Modern Password Copy in the list of Domain Controllers, and then select SAVE.

Navigate to Environments in On Demand Directory Sync, select the PASSWORDS tab, deselect Password Monitor Service, and then select SAVE.

Do this in every environment configured for the Password Monitor Service.
2. Uninstall Quest Directory Sync Password Filter
On every Domain Controller that was configured for Modern Password Sync, uninstall the Quest Directory Sync Password Filter software from the DC.

3. Enable Password Propagation Service
• In On Demand Migration - Active Directory, select the source environment on the Environment page and click Settings.
• On the Settings page, click the Passwords tab.
• Under Password Monitor, select the Password Propagation Service option.
• Next to Password Propagation Service Download, select a version from the drop-down list and click Download.
• Click New to generate an Authentication Token.
• Click Save.

4. Install and configure the Password Change Service
The Password Change Service must be installed in the Source environment and can be installed on the existing Directory Sync Agent server. Please ensure that the following prerequisites are met before attempting the installation.
• Windows Server 2019 or 2022
• 4 vCore, 16GB RAM
• An administrator account to install and configure the Password Change Service. It must have access rights to all domains and objects in scope for all users that require the Password Propagation Service.
• An account with Full Write access to the in-scope target user objects for the password changes.
• Windows Internet Information Server (IIS) must be preconfigured with a certificate provisioned.
• TLS 1.2 or higher
• .NET Framework 4.7.2
• Third-party anti-virus or threat prevention programs may block the execution of password tasks. These programs may need to be uninstalled from the Domain Controller; otherwise, all files related to the Password Filter must be carefully whitelisted to allow proper operation.
It is recommended to preconfigure the SSL certificate to be used by the Password Propagation Service configurator. This can be a self-signed certificate generated with the following PowerShell cmdlet, where DnsName and FriendlyName are the FQDN of the server:
New-SelfSignedCertificate -FriendlyName xxxxxxxxx -DnsName xxxxxxxx -KeyUsage DigitalSignature -NotAfter (Get-Date).AddYears(20)
After creation, place a copy of this certificate in the Certificates folder under Trusted Root Certification Authorities.
Please note that if you choose to use the self-signed certificate, you will need to export it and import it into the Certificates folder under Trusted Root Certification Authorities on each source DC.

Install the Password Change Service. When the installer presents the screen for selecting the SSL certificate to associate with the PwChange Web Site, select Existing Certificate and choose the certificate created above. Continue configuring the Password Propagation Server as described in the user guide.

5. Install the Password Filter
The Password Filter is installed on every Domain Controller in the Source. The filter detects password changes in the Source and sends the password information to the Change Service, which sets the password in the Target. Note: this installation requires a reboot of the DC.
1. In On Demand Migration – Active Directory, select the source environment on the Environment page and click Settings.
2. On the Settings page, click the Passwords tab.
3. Under the Password section, download the Password Filter Plugin.

6. Configure and Test LDAPS
LDAPS is used to securely sync the password to the Target Domain Controller. It must be preconfigured so that the Password Service can connect securely and update any changed passwords. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from a Microsoft certification authority (CA), or by using a self-signed certificate created on the Domain Controller and then trusted by the server running the Password Propagation Service. Below is the process for using a self-signed certificate if no CA is available.
Navigate to the Target Domain Controller that is being used by ODM for Password Propagation and run the following PowerShell cmdlet, where DnsName and FriendlyName are the FQDN of that Domain Controller:
New-SelfSignedCertificate -FriendlyName xxxxxxxxx -DnsName xxxxxxxx -KeyUsage DigitalSignature -NotAfter (Get-Date).AddYears(20)
Copy the certificate generated by that command to the Certificates folder under Trusted Root Certification Authorities. Export that certificate and import it into the Certificates folder under Trusted Root Certification Authorities on the Password Propagation Server in the Source.
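The create, trust, export and import steps for the self-signed certificate are the same in section 4 (the PPS server's IIS certificate, trusted by each source DC) and in section 6 (the target DC's LDAPS certificate, trusted by the PPS server). The following added PowerShell script, which is not Quest's code, performs both sides with a verification step; it assumes the certificate must live in the machine store (it adds -CertStoreLocation, which the KB's command leaves at the cmdlet default) and uses a constructed host name.

```powershell
# Run on the machine that will present the certificate:
# the PPS server (section 4) or the target DC (section 6).
function New-TrustedSelfSignedCert {
    param([Parameter(Mandatory)][string]$Fqdn, [string]$ExportDir = $env:TEMP)
    # Same parameters as the KB command. -CertStoreLocation is added (assumption): IIS and the
    # LDAP server read from the machine store, while the cmdlet defaults to the current user's store.
    $cert = New-SelfSignedCertificate -FriendlyName $Fqdn -DnsName $Fqdn -KeyUsage DigitalSignature `
        -NotAfter (Get-Date).AddYears(20) -CertStoreLocation Cert:\LocalMachine\My
    # Export the public certificate only (no private key) and add it to this machine's Trusted Root store
    $cerPath = Join-Path $ExportDir "$Fqdn.cer"
    Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
    Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    return [pscustomobject]@{ Thumbprint = $cert.Thumbprint; CerFile = $cerPath; NotAfter = $cert.NotAfter }
}

# Run on every machine that must trust that certificate:
# each source DC (section 4) or the PPS server (section 6).
function Import-TrustedRootCert {
    param([Parameter(Mandatory)][string]$CerPath)
    $imported = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root
    # Verify the certificate actually landed in Trusted Root before relying on it
    $found = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
    if (-not $found) { throw "Certificate $($imported.Thumbprint) not found in LocalMachine\Root" }
    return $found.Thumbprint
}

# Example usage with a constructed name (replace with the real FQDN of the server or DC)
$result = New-TrustedSelfSignedCert -Fqdn 'pps01.source.example'
$result
# Copy $result.CerFile to the trusting machine(s), then run there:
#   Import-TrustedRootCert -CerPath 'C:\Temp\pps01.source.example.cer'
```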
Testing LDAPS
On the server running the Password Propagation Service in the Source:
1. Click on Start, Run and type in LDP.exe
2. On the Connection menu, click Connect
3. Type the name of the domain controller to which you want to connect (the Target DC configured above).
4. Type 636 as the port number.
5. Click OK.
RootDSE information should appear in the right pane, indicating a successful connection.
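The same check can be scripted from the PPS server so it can be repeated after certificate changes. This added PowerShell function (not part of the KB or Quest's tooling) first performs a TLS 1.2 handshake to port 636, which validates the target DC's certificate against this machine's Trusted Root store exactly as the Password Service will, and then reads RootDSE over LDAPS as LDP.exe does; the host name is a constructed placeholder.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    param([Parameter(Mandatory)][string]$TargetDc, [int]$Port = 636)

    # Step 1: raw TLS handshake. AuthenticateAsClient validates the server certificate chain and
    # host name against this machine's stores, so an untrusted self-signed cert fails right here.
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetDc, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        # TLS 1.2 is the minimum the KB lists; it is the only version Windows Server 2019 offers for LDAPS
        $ssl.AuthenticateAsClient($TargetDc, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Check = 'TLS'; Protocol = $ssl.SslProtocol; Subject = $cert.Subject
            Issuer = $cert.Issuer; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint
        }
    } finally { $ssl.Dispose(); $tcp.Close() }

    # Step 2: what LDP.exe shows as RootDSE, an anonymous base search on the empty DN over LDAPS
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($TargetDc, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    try {
        $conn.Bind()
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            '', '(objectClass=*)', 'Base', @('defaultNamingContext', 'dnsHostName'))
        $resp = $conn.SendRequest($req)
        $e = $resp.Entries[0]
        [pscustomobject]@{
            Check = 'RootDSE'
            DefaultNamingContext = $e.Attributes['defaultNamingContext'][0]
            DnsHostName = $e.Attributes['dnsHostName'][0]
        }
    } finally { $conn.Dispose() }
}

# Constructed example host name; use the FQDN that the DC certificate was issued for
Test-LdapsEndpoint -TargetDc 'dc01.target.example' | Format-List
```

A handshake failure in step 1 points at trust or name mismatch on the PPS server (the certificate is not in Trusted Root, or DnsName does not match the FQDN used), while a failure only in step 2 points at the LDAP service on the DC.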

7. Test that Password Sync Succeeds
1. Change the password of a matched user in the Source.
2. Navigate to C:\ProgramData\Quest\DS Password Change Relay Service on the source DC where the password was changed. An audit log shows the discovered change.

3. On the Source DC, in Event Viewer under Windows Logs, Application, an entry is logged showing that the password change is being relayed to the Password Propagation Server.

4. On the Source Password Propagation Server, in Event Viewer under Windows Logs, Application, an entry is logged showing the successful update.
