Installing PasswordSync Into a Single-Tree Network
Prerequisites
The computer hosting the PasswordSync Agent must have one of the following Novell Clients installed.
4.83 SP1 or later for Windows NT/2000
4.82 or later for Windows XP
Computers used to generate any eDirectory password changes must have one of the following Novell Clients installed.
4.81 or later for Windows NT/2000
3.31 or later for Windows 95/98
4.82 or later for Windows XP
If you are synchronizing with a domain outside of the tree where the agent is installed, then the computer hosting the agent must be configured to use WINS or DNS.
HINT: To see whether you need to use WINS or DNS, you can use Windows Explorer to navigate through network neighborhood. If you can't see all domain controllers, then you need to use WINS or DNS.
All domain controllers hosting filters and computers hosting agents must use the same Windows Service Packs; otherwise, passwords are encrypted and decrypted in different ways and password synchronization will fail.
Installing an Agent and Filter
Authenticate to the eDirectory Tree.
At the Windows computer that will host the agent, insert the DirXML CD into the CD drive.
The CD may take a moment to load.
At the Welcome screen, click Next.
Read the license agreement; if you agree to the terms, click I Accept.
At the Components page, mark PasswordSync Agent, then click Next. A summary screen is displayed.
Click Finish, then at notice of completion, click Close.
If Microsoft DLL files required for PasswordSync are out of date, the installation program will copy them to the system directory and you will be prompted to reboot.
In Control Panel, click Password Synchronization.
Specify the tree name, then click OK.
In the PasswordSync Setup dialog box, select the domain that will participate in password synchronization and its associated DirXML driver.
NT Domains: If you type the name of an NT 4 domain rather than browse to it, you must enter the name in uppercase. This requirement is for NT 4 domain names only; Active Directory domain names are not required to be uppercase.
Click OK, then specify the name for the new PasswordSync object and the context where it should be placed.
The default object name is the name of the server where you are installing PasswordSync, followed by -pwdsync.
The default context is that of the container holding the DirXML Driver Set object.
Click OK, then select the container for which PasswordSync will be assigned as a trustee.
The PasswordSync Agent needs the rights to manage passwords in eDirectory and to read the DirXML drivers that control the domains being synchronized.
Select a container high enough in the tree to span all objects that the agent needs to access, including user objects, the domain object, the DirXML driver object, and the server object for the server hosting the DirXML engine.
If you want to make narrower rights assignments, make the following trustee assignments:
For users participating in password synchronization:
Trustee
Attribute
Rights
nadPwdSync object
Password Expiration Interval
compare, read
nadPwdSync object
Password Management
compare, read, write
nadPwdSync object
Password Expiration Time
write
[Public]
[Entry Rights]
browse
[Public]
nadLoginName
compare, read
For nadDomain objects:
Trustee
Attribute
Rights
nadPwdSync object
Server
compare, read
[Public]
[Entry Rights]
browse
[Public]
nadPasswordSync
compare, read
For server objects holding the PwdSync index (by default, this is the server where DirXML is installed):
Trustee
Attribute
Rights
nadPwdSync object
Index Definition
compare, read
nadPwdSync object
[Entry Rights]
browse
When prompted, click Yes to install a PasswordSync Filter. Select domain controllers from those listed, then click Add.
Remote domain controllers will be automatically rebooted when installation is complete. You must manually reboot the local domain controller after installation is complete.
IMPORTANT: Because any domain controller can process a password change request, a filter must be installed on each Active Directory Domain Controller and each NT Primary Domain Controller. You should also install a filter on each NT Backup Domain Controller that could be promoted to a Primary Domain Controller.
If you have several domain controllers, we recommend that you install filters on a few controllers at a time. This will minimize the impact of rebooting many domain controllers at once and will expedite your initial installation. To install filters to domain controllers after initial installation, see Installing Additional Filters .
Click Close, then click Close.
PasswordSync installation is complete for the domain and driver you selected. To synchronize passwords for existing user accounts in this domain, see Synchronizing Passwords for Existing Accounts .
If you have additional DirXML NT Domain or Active Directory drivers, or if you need to provide additional PasswordSync coverage, complete the additional installation processes described in the following table:
Condition
Additional Installation
A single agent can service many domains; however, additional agents provide redundancy and address network topology issues.
For example, to synchronize a domain that is on one end of a WAN link, you can install a PasswordSync Agent on that side of the WAN for more efficient network traffic.
Installing a PasswordSync Filter on a domain controller creates an association between a PasswordSync Agent and the domain controller. If the domain controller is already associated with an agent, installing a filter just updates the filter's list of available PasswordSync Agents.
If this is the first time the domain controller has participated in password synchronization, it has no association with any agent. In this case, the installation will require rebooting the domain controller. You might want to perform this procedure after hours, or select only one domain controller at a time.
NOTE: Remote domain controllers will be rebooted automatically; a local domain controller must be rebooted manually.
At the computer where the Password Synchronization service is installed, click Start > Settings > Control Panel.
Click Password Synchronization.
Select a domain, then click Filters.
Select a domain controller, then click Add.
Click Close. The domain now has a PasswordSync Filter.
Verify that the filter is running by checking the event log on the domain controller.
To access the event log, choose Start > Settings > Control Panel > Administrative Tools > Event Viewer. For Windows 2000, the log is called PwdSync. For NT, messages are logged in the Application log with a source reference of PwdSync.
Installing PasswordSync Into a Multi-Tree Network
Understanding the Process
In the following sections, the two eDirectory trees are labeled Tree 1 and Tree 2. As shown in Figure 23, Tree 2 is configured to synchronize account information using the Active Directory and NT drivers.
To synchronize passwords in an environment with multiple eDirectory trees,
Then, you migrate object information required by PasswordSync from Tree 2 to Tree 1. This step is explained in Migrating PasswordSync Data .
Figure 24 eDirectory Driver Configuration for PasswordSync
Finally, you install a PasswordSync Agent into Tree 1 to communicate password changes between this tree and participating domains. This step is explained in Installing a PasswordSync Agent for Tree 1 .
Without this PasswordSync setup, password changes made in Tree 1 would be synchronized to Tree 2, but would not be synchronized with Active Directory or NT.
Figure 25 PasswordSync Agent for Tree 1
HINT: To keep these trees straight in the procedures that follow, you might want to label Figure 25 with the actual tree names for the trees you are synchronizing, then reference this graphic as you complete the setup process.
To allow Tree 1 to participate fully in password synchronization, complete the following procedures:
The nadDomain objects from Tree 2 must be migrated to Tree 1. Additionally, you should force an update of the Tree 2 user objects that are participating in password synchronization.
To migrate PasswordSync data from the Tree 2 to Tree 1:
Launch iManager by going to http://serveripaddress/nps/iManager.html.
IMPORTANT: This URL is case sensitive.
Authenticate to Tree 2, then click DirXML Management > Overview.
Locate the DirXML eDirectory driver.
In the Driver Overview page for the eDirectory driver, click Migrate from eDirectory, then click Add.
Select the nadDomain object representing the domain already participating in password synchronization, then click OK.
This object will be inside the driver object that is participating in password synchronization.
Click Add.
Select the container holding all the users whose account data is already being synchronized by the AD or NT driver, then click OK.
You need to install a PasswordSync Agent to direct password communication between Tree 1 and Active Directory or NT Domains.
Prerequisites
The PasswordSync Agent should be installed on a computer running Windows 2000 or Windows NT4 SP6. This computer cannot already host an agent.
This computer does not need to be host eDirectory, but must have at least Novell Client 4.83 SP1 or later and connectivity to both the Active Directory or NT domains and the corporate tree between which passwords will be synchronized.
If you are synchronizing with a domain outside of the tree where the agent is installed, then the computer hosting the agent must be configured to use WINS or DNS.
Installation
Log in to Tree 1 as Administrator or equivalent.
Log in to the domain as Administrator or equivalent.
At the Windows computer where the agent will be installed, insert the DirXML CD into the CD drive. The CD may take a moment to load.
At the Welcome screen, click Next.
Read the license agreement; if you agree to the terms, click I Accept.
At the Components page, mark PasswordSync Agent, then click Next. A summary screen is displayed.
Click Finish, then at notice of completion, click Close.
In Control Panel, click Password Synchronization.
Specify the tree name for Tree 1, then click Ok.
In the PasswordSync Setup dialog box, select a domain and its associated DirXML driver; in this case, the DirXML driver for eDirectory.
If the domain is in another tree or forest, the computer on which the PasswordSync Agent is being installed must be configured with the address of a WINS server in the target tree or forest.
NT Domains: If you type the name of an NT 4 domain rather than browse to it, you must enter the name in uppercase. This requirement is for NT 4 domain names only; Active Directory domain names are not required to be uppercase.
Click OK, then specify the name for the new PasswordSync object and the context where it should be placed.
The default object name is the name of the server where you are installing PasswordSync, followed by -pwdsync.
The default context is that of the container holding the DirXML Driver Set object.
Select the container for which PasswordSync will be assigned as a trustee.
The PasswordSync Agent needs the rights to manage passwords in eDirectory and to read the DirXML drivers that control the domains being synchronized.
IMPORTANT: Select a container high enough in the tree to span all objects that the agent needs to access, including user objects, the domain object, the DirXML driver object, and the server object for the server hosting the DirXML engine.
If you want to make narrower rights assignments, make the following trustee assignments:
For users participating in password synchronization:
Trustee
Attribute
Rights
nadPwdSync object
Password Expiration Interval
compare, read
nadPwdSync object
Password Management
compare, read, write
nadPwdSync object
Password Expiration Time
write
[Public]
[Entry Rights]
browse
[Public]
nadLoginName
compare, read
For nadDomain objects:
Trustee
Attribute
Rights
nadPwdSync object
Server
compare, read
[Public]
[Entry Rights]
browse
[Public]
nadPasswordSync
compare, read
For server objects holding the PwdSync index (by default, this is the server where DirXML is installed):
Trustee
Attribute
Rights
nadPwdSync object
Index Definition
compare, read
nadPwdSync object
[Entry Rights]
browse
When prompted, click Yes to install a PasswordSync Filter. Select domain controllers from those listed, then click Add.
IMPORTANT: Even if Password Filters have been installed on the domain controllers when the PasswordSync Agent was installed in Tree 2, these Password Filters must be updated by the PasswordSync Agent servicing Tree 1 because configuration information is written to eDirectory during this process.
Because any domain controller can process a password change request, a filter must be installed on each Active Directory Domain Controller and each NT Primary Domain Controller. You should also install a filter on each NT Backup Domain Controller that could be promoted to a Primary Domain Controller.
If you have several domain controllers, we recommend that you install filters on a few controllers at a time. This will minimize the impact of rebooting many domain controllers at once and will expedite your initial installation. To install filters to domain controllers after initial installation, see Install a Password Filter .
Remote domain controllers will be rebooted automatically when installation is complete. You must reboot the local domain controller manually after installation is complete.
representing the domain already participating in password synchronization, then click OK.