Password Propagation Service is a component of Directory Sync that allows password synchronization in environments without RC4 Encryption. Unlike the Legacy Password Monitor Service, which requires RC4 Encryption, Password Propagation Service simply copies the password from the source to the target.
When a password changes in the source, the password filter installed on every domain controller in the source environment will capture the password and use the Password Propagation Service to set the password in the target using LDAPS security.
Security
For Password Change Service
-
Windows Server 2019 or 2022
-
An Administrator Account to install and configure the Password Change Service. It must have access rights to all domains and objects in scope for all users require the password propagation service.
-
An Account has with Full Write access to the target user objects in-scope for the password changes.
-
Windows Internet Information Server (IIS) must be preconfigured with certificate provisioned.
-
TLS 1.2 or higher
-
.NET Framework 4.7.2
-
Third-party anti-virus or threat prevention programs may block the execution of password tasks. These programs may need to be uninstalled from both the Domain Controller and otherwise carefully whitelist all files related to Password Filter to allow proper operation.
C:\ProgramData\Quest\DS Password Change Service
For Password Filter
-
Windows Server 2019 or 2022
-
An Administrator Account to install and configure the Password Change Service
-
Must be installed on all domain controllers in the source environment
-
Third-party anti-virus or threat prevention programs may block the execution of password tasks. These programs may need to be uninstalled from both the Domain Controller and otherwise carefully whitelisted to allow proper operation.
C:\Program Files\Quest\DS Password Change Relay Service
-
TLS 1.2 or higher
-
.NET Framework 4.7.2
Network Ports
Below are the general requirements for On Demand Migration Directory Sync:
-
Connecting to the Directory Sync web interface uses TCP port 443 (HTTPS).
-
Agent connections are initiated by the agent and require port 443 access to Directory Sync SaaS application.
-
Agent connections to the DCs use ports 88, 135, 137-139, 389 (UDP), 445, 1027, 3268 and 49152-65535.
-
Copying SIDHistory is an operation initiated by the agent and performed by the domain controllers.
-
Source/Target Domain Controller FQDNs must be resolvable by each other.
-
Open TCP ports 88, 135, 137-139, 389 (UDP), 445, 1027, 3268 and 49152-65535.
Below are the general requirements for Password Propagation Service:
Installing and configuring the Password Propagation Service requires the following actions:
-
Enabling the Password Propagation Service option on the Environment Passwords Setting page and downloading the Password Propagation Service Download.
-
Installing the Password Change Service in the source environment.
-
Configuring the Password Propagation Server for the target environment where the passwords will be changed.
Note: The Password Propagation Service must be preconfigured with Windows Internet Information Server (IIS) with certificate provisioned.
-
Manually installing Password Filter on every Domain Controller in the source Active Directory forest.
