We have a setup where passwords sync from the target to the source tenant; this allows users to access the legacy environment with the same password even after the AD migration. Since last week, users are reporting that passwords changed in the target tenant are no longer syncing to the source tenant.
I changed my password in the target tenant and indeed it didn’t sync back to the source. Sync log level set to High for the last 24 hours; profile settings exported.
Found multiple errors in the log:
[BTPassAsm] - Unable to retrieve user information for 600268 : Error = 2221
There can be a few causes:
1. Antivirus not excluding the product folders and files on the source and target DCs
2. Sync schedule is too frequent, not allowing a sync to complete
3. Object attribute set to not sync
4. Multiple users moved out of their original OU to a new OU
Resolution 1
Verify whether antivirus (AV) software is running on both the source and target DCs and whether it is preventing password syncs from completing. On the source and target DCs you can remove the BTPass directories and run another password sync, which automatically recreates those directories. However, if the AV solution is not properly excluded from (or removed from) the in-scope source and target DCs and the DSP (DirSync Pro) server, the same behavior will recur.
1) Ensure the paths below are excluded from AV scanning/action.
On Domain Controllers: (ensure AV exclusions are set on source and target DCs)
C:\Windows\BTPass\
On Directory Sync Pro Server:
C:\Program Files\Binary Tree\DirSync\BTPass\
C:\Program Files\Binary Tree\DirSync\BtPaExec.exe (available in version 20.10.x or higher)
If one or more of the three files listed below are missing from the BTPass directories, exclude the relevant files/directories from antivirus (AV) scanning. Replicate these exclusions on both the source and target domain controllers (DCs) and on the DSP (DirSync Pro) server.
BTPassUtil.exe
BTPassSvc.exe
BTPassAsm.dll
Then:
Run a repair installation on the DSP (DirSync Pro) server.
Delete the BTPass folder on both the source and target DCs, then re-run a sync. The folders are pushed and recreated during the next synchronization.
Test the password sync manually against a single account.
2) Add exclusions to the Attack Surface Reduction (ASR) rules in Windows Defender on the domain controllers and the DirSync Pro server.
For more details, we recommend reviewing the KB article:
“DirSync Password Sync isn’t working when Windows Defender is installed, error: 'VirtualAllocEx failed: 5'”
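The following PowerShell is an added example, not part of this KB article and not Quest/Binary Tree code. It audits the three BTPass files on each DC, then adds Microsoft Defender path, process and ASR-only exclusions for the paths listed above using the built-in Add-MpPreference and Get-MpPreference cmdlets. The host names are constructed placeholders; substitute your own DCs and DirSync Pro server, and run it from an account with remoting rights to them.

```powershell
# Added example (not from the KB): audit BTPass files on the DCs and the DirSync Pro
# server, then add Defender path/process and ASR-only exclusions for them.
# Host names below are constructed placeholders.
$domainControllers = @('SRC-DC01', 'TGT-DC01')   # constructed; substitute yours
$dirSyncServer     = 'DSP-SERVER01'              # constructed; substitute yours

$dcPath   = 'C:\Windows\BTPass'
$dspPath  = 'C:\Program Files\Binary Tree\DirSync\BTPass'
$dspExec  = 'C:\Program Files\Binary Tree\DirSync\BtPaExec.exe'
$required = @('BTPassUtil.exe', 'BTPassSvc.exe', 'BTPassAsm.dll')

# 1. Report which of the three required files are missing on each DC.
#    A missing file is the symptom the KB attributes to AV quarantine.
$missing = Invoke-Command -ComputerName $domainControllers -ScriptBlock {
    param($folder, $files)
    foreach ($f in $files) {
        $full = Join-Path $folder $f
        if (-not (Test-Path -LiteralPath $full)) {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Missing = $full }
        }
    }
} -ArgumentList $dcPath, $required
$missing | Format-Table -AutoSize

# 2. Add Microsoft Defender exclusions. Path exclusions cover real-time scanning,
#    process exclusions cover files the BTPass service touches, and
#    AttackSurfaceReductionOnlyExclusions covers the ASR rules named in the KB.
#    Keep the list to the product's own paths; do not exclude all of C:\Windows.
Invoke-Command -ComputerName $domainControllers -ScriptBlock {
    param($folder)
    Add-MpPreference -ExclusionPath $folder
    Add-MpPreference -ExclusionProcess (Join-Path $folder 'BTPassSvc.exe')
    Add-MpPreference -ExclusionProcess (Join-Path $folder 'BTPassUtil.exe')
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $folder
} -ArgumentList $dcPath

Invoke-Command -ComputerName $dirSyncServer -ScriptBlock {
    param($folder, $exe)
    Add-MpPreference -ExclusionPath $folder
    Add-MpPreference -ExclusionProcess $exe
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $folder, $exe
} -ArgumentList $dspPath, $dspExec

# 3. Confirm the exclusions landed before re-running the sync.
Invoke-Command -ComputerName ($domainControllers + $dirSyncServer) -ScriptBlock {
    $p = Get-MpPreference
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Paths     = ($p.ExclusionPath -join '; ')
        Processes = ($p.ExclusionProcess -join '; ')
        ASR       = ($p.AttackSurfaceReductionOnlyExclusions -join '; ')
    }
} | Format-Table -AutoSize
```

Step 1 is worth running first on its own: if the files are present on every DC and the sync still fails, Resolution 1 is probably not the cause and the exclusions in step 2 are unnecessary. If your DCs run a third-party AV product instead of Defender, step 2 must be replicated in that product's console; the paths to exclude are the same.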
Resolution 2
Confirm the sync schedule has plenty of time to finish before another sync is scheduled to run.
Resolution 3
Confirm that the users whose passwords weren't set are configured correctly for reverse sync, so that they are in scope of the LDAP query. Check that their objects do not carry the following attribute value: extensionattribute8=donotsync
Resolution 4
Confirm user objects were not moved to another OU in the source or target.
If they were, correct this by updating the migration profile or moving the users back to the correct OU.
Perform a profile reset.
AD Pro should then find the users and the sync should succeed.
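The following PowerShell is an added example covering Resolutions 3 and 4 together; it is not part of this KB article and not Quest/Binary Tree code. It pulls the user IDs out of the "[BTPassAsm] - Unable to retrieve user information ... : Error = 2221" lines (2221 is the Windows NERR_UserNotFound code, consistent with the object not being resolvable where the sync looks for it) and, for each ID, reports whether the object carries extensionAttribute8=donotsync and whether it still sits in the OU the reverse-sync profile's LDAP query is scoped to. It assumes the ID in the log is the user's sAMAccountName, requires the ActiveDirectory module, and uses constructed sample log lines, a placeholder OU and a placeholder DC name.

```powershell
# Added example (not from the KB): find the users that failed with error 2221 in the
# sync log and check the two conditions from Resolutions 3 and 4 on their AD objects.
Import-Module ActiveDirectory

# Constructed sample of the sync log; replace with Get-Content of the real export.
$logLines = @'
[BTPassAsm] - Unable to retrieve user information for 600268 : Error = 2221
[BTPassAsm] - Password set for 600301
[BTPassAsm] - Unable to retrieve user information for 600412 : Error = 2221
'@ -split "`r?`n"

# Assumed: the ID in the log is the user's sAMAccountName, and this is the OU the
# reverse-sync profile's LDAP query covers (both values are placeholders).
$expectedOu   = 'OU=Migrated Users,DC=source,DC=example'
$sourceServer = 'SRC-DC01'

# Extract <id> and <code> from the failing lines only.
$pattern = '^\[BTPassAsm\] - Unable to retrieve user information for (?<id>\S+) : Error = (?<code>\d+)'
$failed = foreach ($line in $logLines) {
    if ($line -match $pattern) {
        [pscustomobject]@{ Id = $Matches.id; ErrorCode = [int]$Matches.code }
    }
}

$report = foreach ($entry in $failed) {
    $user = Get-ADUser -Server $sourceServer -LDAPFilter "(sAMAccountName=$($entry.Id))" `
                       -Properties extensionAttribute8 -ErrorAction SilentlyContinue
    if (-not $user) {
        # Not found anywhere on this DC: a deleted/renamed object, not an OU or attribute issue.
        [pscustomobject]@{ Id = $entry.Id; Found = $false; InExpectedOu = $null
                           DoNotSync = $null; DistinguishedName = $null }
        continue
    }
    # Parent container = DN with the leading "CN=...," removed (escaped commas handled).
    $parentOu = $user.DistinguishedName -replace '^CN=(?:\\.|[^,\\])+,', ''
    [pscustomobject]@{
        Id                = $entry.Id
        Found             = $true
        InExpectedOu      = ($parentOu -ieq $expectedOu)          # Resolution 4
        DoNotSync         = ($user.extensionAttribute8 -ieq 'donotsync')  # Resolution 3
        DistinguishedName = $user.DistinguishedName
    }
}
$report | Format-Table -AutoSize
```

A row with DoNotSync = True points at Resolution 3; a row with Found = True and InExpectedOu = False points at Resolution 4, and the DistinguishedName column shows where the object actually is. Run the same query against the target DC if the profile's LDAP query is scoped there rather than on the source.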