On Demand Migration Current - Active Directory Password Propagation Service User Guide

Password change logs in CSV format are available in the source directory at ProgramData > Quest > DS Password Change Service > PsChangeAuditxxxxxxxx.csv.

How do I configure an SRV record for the Password Change Service FQDN?

Please review the MS link on how to create an SRV record in General. Also, we provided the below step by step instructions for your reference.

1. Log on to the DNS server and open the DNS Manager
2. Open DNS and choose the zone to create the SRV record for (Current domain, forward lookup zone).
3. From the Context menu, select Other New Records..., navigate to Service Location (SRV), and choose Create Record.
4. Fill in the form (shown in the following figure), specifying “_qdspwchange“ to the Service: input box.
   • Enter an FQDN of the host computer (for example, Server1.contoso.com) to the Host offering the Password Change Service.
   • Select _http (_https) in the Protocol: field.
   • Select 443 in the Port number: input box.

How do I configure LDAPS?

Microsoft provides an article on how to enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) with a third-party certification authority: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-over-ssl-3rd-certification-authority.

How do I preconfigure the SSL Certificate?

Microsoft provides instructions on how to install an IIS server certificate: https://learn.microsoft.com/en-us/dotnet/framework/wcf/samples/iis-server-certificate-installation-instructions.

How do I find a certificate’s thumbprint?

Microsoft provides a how-to article on how to retrieve the thumbprint of a certificate: https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-retrieve-the-thumbprint-of-a-certificate.

Do Passwords pass through On Demand Migration servers?

Password Propagation Service syncs directly from the source Active Directory to the target Active Directory without transmitting passwords to On Demand Migration. User mapping data captured by the On Demand Migration Directory Sync Service is used solely to map the source and target user objects and Active Directory to facilitate the synchronization of passwords.

Can I enable Legacy/Modern Password Copy while using Password Propagation Service?

Password Propagation Service provides password synchronization functions for environments that have RC4 encryption disabled. Legacy and Modern Password can copy passwords, but it can only copy NTLM or RC4 Password Hash. For this reason, if the environment has RC4 disabled, we cannot enable both Password Copy and Password Propagation Service at the same time. Password copy can be enabled to copy the NTLM/RC4 passwords, but once RC4 is disabled in the environment, Password Propagation Service should be used instead.

How can I trigger passwords to be synced to the target user when using Password Propagation Service?

Unlike Password Copy (Legacy and Modern) which will copy the Password Hash to the target user object, Password Propagation will set the password to the target object when the password is changed in the source. Therefore, passwords can only be synced/set in the target if the source user password was changed by either the end user or the administrator.

Do I need to add all domain controllers from my target Active Directory in the Password Change Service Environment setting on my local server?

No, you do not need to add all domain controllers in your target Active Directory. Only one domain controller per domain is needed.