DirXML Password Synchronization for Windows 1.0 Troubleshooting Guide
(Last modified: 21Oct2005)
This document (10083320) is provided subject to the disclaimer at the end of this document.
goal
DirXML Password Synchronization for Windows 1.0 Troubleshooting Guide
fact
Novell eDirectory 8.7 for All Platforms
Novell eDirectory 8.6 for All Platforms
Novell DirXML
Novell Account Management 2.1 for Windows 2000
symptom
Password Sync is not working
Password changes don't propagate from eDirectory to Active Directory/NT
Password changes don't propagate from Active Directory/NT to eDirectory
nadLoginName attribute not being added to associated user objects
fix
The following is a methodology for troubleshooting Password Sync issues:
2. Do the Filters show running on ALL Domain Controllers? Start | Settings | Control Panel | Password Synchronization Icon. Does it show ALL Domain Controllers? If some are showing as "Installed", attempting to re-add the Filter will change it to a "Running" state, which is what it should be. If there are some DCs NOT listed at all but belong to your domain, verify the Computer Browser service is running on them.
3. What Novell client version is installed on the Domain Controller or the machine with Password Sync Service installed on it and the workstations changing passwords? Verify Novell Client 4.83 SP1 (or greater) is installed.
5. Is the nadLoginName attribute added to the publisher filter for AD and both publisher and subscriber for NT? See "Step 4: Configure the DirXML Driver" in the Password Sync Documentation.
7. Do passwords sync when changing the password from 1) Novell Client Workstation, 2) Active Directory Users and Computers, 3) ConsoleOne?
9. Is there any information in the Password log in the Event Viewer?
10. For an associated user, use DSBROWSE to verify the user has the nadLoginName attribute (this will NOT show on the "Other" tab in ConsoleOne). If the user does not have the nadLoginName attribute, verify from ConsoleOne that the DirXML Driver has Admin as a Security Equal To under the Membership tab. If so, verify the DirXML Driver has effective Supervisor rights on the user object. If it does not, either there is an IRF filtering those rights out, the assignment on the Memberships tab is faulty (remove that user assignment and try someone else), or the user assigned does not have Supervisor rights to the associated user.
11. If the user does not have the nadLoginName attribute, verify that the Password Synchronization option is set to yes under the Driver Parameters section on the properties of the Driver object. If the parameters section is blank, create a new dummy driver and cut and paste the information from the edit Driver parameters XML and add it to the existing driver.
12. Verify that the domain object beneath the driver object has a DirXML association (by default in a pending state, but manual is fine). For the AD driver, the Associated Object ID will be the Domain GUID. For the NT driver, this will be the name of the domain in upper case.
16. If you see this warning in the event viewer when changing a password for a user in AD: "The user USERNAME in directory ADDOMAINNAME could not be mapped to a user in directory EDIRTREENAME. The error code is in the data.", check the Password Synchronization for Windows 1.0 Documentation. There is some very good information on potential causes for this warning. The section of the documentation is Installing Password Sync -> Setting Up the Password Sync Service -> Step 5: Validating Password Synchronization. USERNAME, ADDOMAINNAME, and EDIRTREENAME would be replaced by your own names for these respective resources.
17. If you are running the 4.9x client or the 3.34 client with NMAS enabled, the passwords will not synchronize. The solution that explains this issue is "Password synchronization from NDS to AD fails with 4.9 or 3.34 client".
18a. If the event viewer on the Windows machine running the Password Sync Agent is not registering a password change attempt from NDS, make sure that a) it is NOT a Windows 2003 machine (this is not supported with Password Synchronization for Windows 1.0), b) the pwdnotfy.dll is in the WINNT\System32\ directory, c) the filters are all listed by the agent as "Running" and not just "Installed".
Update: A 2003 server should now be supported with the latest patches.
18b. If you still don't see anything in the event viewer, the problem can be difficult to diagnose. But, assuming all prior steps above have checked out, it is almost certain to be a Microsoft problem at this point. Troubleshooting would involve: 1) Making sure the Novell Client is requesting the nadLoginName attribute for the user object whose password is being changed, 2) That the client is getting the information back to know where the Windows machine running the Password Sync agent is, 3) That it is able to communicate with the Windows machine running the Password Sync agent, 4) That the Password Sync agent machine is able to communicate and write the password. That the PDC, DC, and workstations are at the same encryption level. Encryption levels are updated with Windows service packs.
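Added example (not part of the Novell document or any Novell tool): the step 10 check applied to many users at once, by scanning an LDIF export for users that are associated with the driver but carry no nadLoginName value. It assumes the export exposes the attributes under the names DirXML-Associations and nadLoginName; the driver DN and all sample entries are constructed.

```python
import base64

# Constructed sample export; DNs, driver name and values are made up.
SAMPLE_LDIF = """\
dn: cn=jsmith,ou=users,o=acme
objectClass: inetOrgPerson
DirXML-Associations: cn=AD-Driver,cn=DriverSet,o=acme#1#3f2a9c
nadLoginName: jsmith

dn: cn=bjones,ou=users,o=acme
objectClass: inetOrgPerson
DirXML-Associations: cn=AD-Driver,cn=DriverSet,o=acme#1#77b0e1

dn: cn=printer1,ou=devices,o=acme
objectClass: device
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}); unfolds lines, decodes base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of a folded line
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
            continue
        name, _, rest = line.partition(":")
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
                 if rest.startswith(":") else rest.strip())
        entry.setdefault(name.strip().lower(), []).append(value)

def missing_nad_login_name(text, driver_dn):
    """Return DNs associated with driver_dn that have no nadLoginName value."""
    missing = []
    for dn, attrs in parse_ldif(text):
        # Association values are assumed to read "driverDN#state#value".
        drivers = [v.split("#", 1)[0].lower()
                   for v in attrs.get("dirxml-associations", [])]
        if driver_dn.lower() in drivers and not any(attrs.get("nadloginname", [])):
            missing.append(dn)
    return missing
```

Calling missing_nad_login_name(SAMPLE_LDIF, "cn=AD-Driver,cn=DriverSet,o=acme") returns the users to examine further under steps 10 and 11.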
document
Document Title: DirXML Password Synchronization for Windows 1.0 Troubleshooting Guide
Document ID: 10083320
Solution ID: NOVL89482
Creation Date: 19May2003
Modified Date: 21Oct2005
Novell Product Class: NetWare Novell eDirectory
disclaimer
The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.