DirXML Password Synchronization for Windows 1.0 Troubleshooting Guide

(Last modified: 21Oct2005)

This document (10083320) is provided subject to the disclaimer at the end of this document.

goal

DirXML Password Synchronization for Windows 1.0 Troubleshooting Guide

fact

Novell eDirectory 8.7 for All Platforms

Novell eDirectory 8.6 for All Platforms

Novell DirXML

Novell Account Management 2.1 for Windows 2000

symptom

Password Sync is not working

Password changes don't propagate from eDirectory to Active Directory/NT

Password changes don't propagate from Active Directory/NT to eDirectory

nadLoginName attribute not being added to associated user objects

fix

The following is a methodology for troubleshooting Password Sync issues:

1.   Does the Password Sync Service show as "Started" on the Domain Controller?  Start | Settings | Control Panel | Administrative Tools | Services
 
2.   Do the Filters show as running on ALL Domain Controllers?  Start | Settings | Control Panel | Password Synchronization Icon. Does it show ALL Domain Controllers? If some are showing as "Installed", attempting to re-add the Filter will change it to a "Running" state, which is the state it should be in. If there are some DCs NOT listed at all but that belong to your domain, verify the Computer Browser service is running on them.
 
3.   What Novell client version is installed on the Domain Controller or the machine with Password Sync Service installed on it and the workstations changing passwords?  Verify Novell Client 4.83 SP1 (or greater) is installed

4.   Does the Password Sync object have the correct rights as described in the documentation? See Step 2: Install the PasswordSync Service in the Password Sync Documentation.
 
5.   Is the nadLoginName attribute added to the publisher filter for AD, and to both the publisher and subscriber filters for NT?  See Step 4: Configure the DirXML Driver in the Password Sync Documentation.

6.   Can the clients and the domain controllers ping the DC running the Password Sync Service by short name, i.e. "ping dc1" (do not use the DNS name like dc1.novell.com)?
From a workstation, open a command prompt and type "ping DC1" and verify there is a response. WINS MUST be configured for Password Sync to function properly.
 
7.   Do passwords sync when changing the password from 1.) a Novell Client Workstation 2.) Active Directory Users and Computers 3.) ConsoleOne?

8.  Where is the password being changed?  Any password changes from the eDirectory side have to go through the Novell client for the Password Sync Agent to pick up the change.  See Sample Password Scenarios in the online documentation for Password Synchronization 1.0.
 
9.   Is there any information in the Password log in the Event Viewer?
  
10.  For an associated user, use DSBROWSE to verify the user has the nadLoginName attribute (this will NOT show on the "Other" tab in ConsoleOne). If the user does not have the nadLoginName attribute, verify from ConsoleOne that the DirXML Driver has Admin as a Security Equal To under the Membership tab. If so, verify the DirXML Driver has effective Supervisor rights on the user object; if not, there is either an IRF filtering those rights out, the assignment on the Memberships tab is faulty (remove that user assignment and try someone else), or the user assigned does not have Supervisor rights to the associated user.

11.  If the user does not have the nadLoginName attribute, verify that the Password Synchronization option is set to Yes under the Driver Parameters section on the properties of the Driver object.  If the parameters section is blank, create a new dummy driver, cut and paste the information from its Edit Driver Parameters XML, and add it to the existing driver.

12. Verify that the domain object beneath the driver object has a DirXML association (by default in a pending state, but manual is fine). For the AD driver, the Associated Object ID will be the Domain GUID. For the NT driver, this will be the name of the domain in upper case.

13.  Verify that the domain object beneath the driver object has a link to the password sync object in the eDirectory tree.  It will be listed under the passwordsync tab on the Domain object.

14.  Verify you are on the latest patch for Password Sync 1.0.  Go to http://support.novell.com | click on Patches and Fixes | Select Novell Directory Services | Select DirXML Password Synchronization for Windows 1.0 | The most recent patches will be listed here.

15. If the following error occurs when viewing the Password Synchronization service: "Error 2147746132: Class not registered."
Refer to NOVL76686 - Passwords will not synchronize from NDS to Active Directory and vice versa.

16. If you see this warning in the event viewer when changing a password for a user in AD: "The user USERNAME in directory ADDOMAINNAME could not be mapped to a user in directory EDIRTREENAME. The error code is in the data.", check the Password Synchronization for Windows 1.0 Documentation. There is some very good information on potential causes for this warning. The section of the documentation is Installing Password Sync -> Setting Up the Password Sync Service -> Step 5: Validating Password Synchronization.  USERNAME, ADDOMAINNAME, and EDIRTREENAME would obviously be replaced by whatever your names for these respective resources are.

17.  If you are running the 4.9x client or the 3.34 client with NMAS enabled, the passwords will not synchronize.  The solution that explains this issue is "Password synchronization from NDS to AD fails with 4.9 or 3.34 client".

18a. If the event viewer on the Windows machine running the Password Sync Agent is not registering a password change attempt from NDS, make sure that a) it is NOT a Windows 2003 machine. This is not supported with Password Synchronization for Windows 1.0. b) the pwdnotfy.dll is in the WINNT\System32\ directory, c) the filters are all listed by the agent as "Running" and not just "Installed". Update: A 2003 server should now be supported with the latest patches.

18b. If you still don't see anything in the event viewer, the problem can be difficult to diagnose. BUT, assuming all prior steps above have checked out, it is almost certain to be a Microsoft problem at this point. Troubleshooting would involve: 1) Making sure the Novell Client is requesting the nadLoginName attribute for the user object whose password is being changed, 2) That the client is getting the information back to know which Windows machine is running the Password Sync Agent, 3) That it is able to communicate with the Windows machine running the Password Sync Agent, 4) That the Password Sync Agent machine is able to communicate and write the password. Also verify that the PDC, DC, and workstations are at the same encryption level; encryption levels are updated with Windows service packs. Steps 1, 2, and 3 can be verified with a packet trace. Step 4 is done with Password Synchronization debug code, especially if the Password Sync Agent is running on a DC. At this point, verify the AD domain replication and communication (including LDAP) between DCs, and that the Password Sync Agent machine can contact the PDC emulator via its short name (remember WINS). If the problem still occurs, call Novell Technical Support, who can put on debug code and read the output.
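The following script is an added example, not part of this TID or of Novell's product: run from a PowerShell prompt on the machine hosting the Password Sync Service, it automates checks 1, 6, 9, 16 and 18a above. The service display name and the Event Viewer log name are assumptions taken from the wording of this TID, and the short host name is a constructed sample; set all three to what your Services list and Event Viewer actually show.

```powershell
# Added example (not from the Novell TID): automate checks 1, 6, 9, 16 and 18a.
# ASSUMPTIONS: $ServiceName and $LogName are placeholders based on the TID's wording;
# $AgentHost is a constructed sample short (NetBIOS) name.
param(
    [string]$ServiceName = 'Password Synchronization',  # placeholder display name
    [string]$LogName     = 'Password',                  # placeholder event log name
    [string]$AgentHost   = 'DC1'                        # SHORT name, not dc1.example.com
)

function Test-PwdSyncService {
    # Check 1: the service must be Running ("Started" in the Services applet).
    $svc = Get-Service | Where-Object { $_.DisplayName -like "*$ServiceName*" } | Select-Object -First 1
    if (-not $svc) { return "FAIL check 1: no service whose display name contains '$ServiceName'" }
    if ($svc.Status -ne 'Running') { return "FAIL check 1: '$($svc.DisplayName)' is $($svc.Status)" }
    "OK   check 1: '$($svc.DisplayName)' is Running"
}

function Test-PwdSyncFilterDll {
    # Check 18a(b): pwdnotfy.dll must be present in %SystemRoot%\System32.
    $dll = Join-Path $env:SystemRoot 'System32\pwdnotfy.dll'
    if (Test-Path $dll) { "OK   check 18a: $dll present" } else { "FAIL check 18a: $dll missing" }
}

function Test-PwdSyncShortName {
    # Check 6: the SHORT name must resolve and answer; a DNS name proves nothing about WINS.
    if ($AgentHost -like '*.*') { return "FAIL check 6: '$AgentHost' is a DNS name; use the short name" }
    if (Test-Connection -ComputerName $AgentHost -Count 1 -Quiet) { "OK   check 6: ping $AgentHost answered" }
    else { "FAIL check 6: ping $AgentHost failed; check WINS and the Computer Browser service" }
}

function Test-PwdSyncEventLog {
    # Checks 9 and 16: look for the "could not be mapped to a user" warning in the Password log.
    $log = Get-EventLog -List | Where-Object { $_.Log -eq $LogName }
    if (-not $log) { return "FAIL check 9: no event log named '$LogName'" }
    $hits = Get-EventLog -LogName $LogName -EntryType Warning -Newest 200 -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'could not be mapped to a user' }
    if ($hits) { "WARN check 16: $(@($hits).Count) user-mapping warning(s); see Step 5: Validating Password Synchronization" }
    else { "OK   check 9/16: no user-mapping warnings in the last 200 entries of '$LogName'" }
}

Test-PwdSyncService
Test-PwdSyncFilterDll
Test-PwdSyncShortName
Test-PwdSyncEventLog
```

Run it on every Domain Controller as well as the agent host, since check 2 requires the filter to be "Running" on all of them.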


document

Document Title: DirXML Password Synchronization for Windows 1.0 Troubleshooting Guide
Document ID: 10083320
Solution ID: NOVL89482
Creation Date: 19May2003
Modified Date: 21Oct2005
Novell Product Class: NetWare
Novell eDirectory

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.