Validating Password Synchronization

After PasswordSync is set up, check to make sure that a password change in your eDirectory tree is synchronized to Active Directory and vice versa.

  1. Create an Active Directory or NT user.

  2. Verify that you can log in to eDirectory as that user.

  3. Change the user's eDirectory password.

    For successful synchronization, eDirectory password changes must be made on a computer running the correct version of the Novell Client. For more information about required client versions, see Prerequisites. For more information about the role of the client in password synchronization, see Sample Password Scenarios.

  4. Verify that you can log in to Active Directory or NT as the new user.

You can view PasswordSync transactions in the PwdSync event log. The agent and filters log messages there.

To access the event log, choose Start > Settings > Control Panel > Administrative Tools > Event Viewer. For Windows 2000, the log is called PwdSync. For NT, messages are logged in the Application log with a source reference of PwdSync.

The following list gives common log messages and their explanations:

Message: The password synchronization service has started.
Message: The password synchronization service has stopped.
Message: Loaded password provider %1 for directory %2.
Message: Unloaded password provider %1 for directory %2.

Explanation: Informational messages that occur when the agent is started or stopped.

Message: The password for user %2 in directory %1 has been successfully changed by %3.

Explanation: Informational message indicating that a password was successfully synchronized.

Message: The password filter has been fully initialized. Domain Name = %2, Computer Name = %1, Host Name = %3.

Explanation: Informational message indicating that the filter is fully operational for a given domain and domain controller.

Message: The Cryptographic Service Provider has defaulted to %1. Encryption will be downgraded to the standards of this provider. Execution of the password synchronization server will not be affected. If higher encryption standards are required, please contact your network administrator.

Explanation: Warning message reported at startup indicating that the cryptography being used by the agent isn't as strong as it could be.

Message: The user %1 in directory %2 could not be mapped to a user in directory %3. The error code is in the data.
Message: The password for user %1 in directory %2 was not synchronized because the password change timed out.

Explanation: Warning message indicating that the agent could not map an NT or Active Directory user to the corresponding eDirectory user. This message occurs only for password changes originating in Active Directory or NT.

This is most likely to occur when the nadLoginName attribute isn't populated or the agent doesn't have proper rights to read the information necessary to perform the mapping.

The mapping for nadLoginName is found by searching against an index of the nadLoginName attribute held on an eDirectory server. The reference to the eDirectory server is held in the nadDomain object that represents the Active Directory or NT domain.

The agent may have been unable to find the eDirectory server holding the index. Ensure that

  • The nadDomain object references the eDirectory server.
  • The eDirectory server holds an index of the nadLoginName attribute.
  • The PwdSync object has Browse, Compare, and Read rights to the nadDomain object and the server's indexDefinition attribute.

The agent might have searched the index but been unable to find a nadLoginName attribute that matched the search criteria. Ensure that

  • The eDirectory user object has a corresponding nadLoginName.
  • The eDirectory user object exists in a replica on the server referenced by the nadDomain object.

Message: The password synchronization service failed to load. The error code is in the data.

Explanation: Error message indicating that the agent was not able to start.

The Novell Client might not have been able to find an eDirectory server holding a replica of the partition containing the PwdSync object.

Add the following information to the registry on the computer that is hosting the agent:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWDSYNC\Parameters

Value name: eDir Server IP Address

Value type: REG_SZ

Value data: xxx.xxx.xxx.xx IP Address Here

WARNING: If you use Registry Editor incorrectly, you might cause serious problems that might require you to reinstall your operating system.

Message: A password change request was made by directory %1. No password provider exists for this directory.

Explanation: Error message indicating that there is no provider available to service a password change request for a given directory and user.

The PasswordSync Agent uses providers to hold platform-specific information required for synchronization. Providers are represented by nadPwdProvider objects subordinate to the PwdSync object. Typically, two nadPwdProvider objects should exist under the PwdSync object, one for the eDirectory tree and one for the Active Directory or NT domain.

If the eDirectory provider is missing, PasswordSync must be re-installed. If the Active Directory or NT provider is missing, it can be added through the Password Synchronization applet in the Control Panel on the computer where the agent is installed.

If both providers are present, ensure that the PwdSync object has Browse, Compare, Read, Write, and Add Self rights to the nadPwdProvider objects.

Message: The password for user %1 in directory %2 could not be decrypted. The error code is in the data.

Explanation: Error message indicating that password data could not be decrypted.

This most likely indicates an encryption level mismatch. Ensure that Service Pack levels match across domains participating in password synchronization.
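The following triage script is an added example, not part of the Novell documentation: it turns the message templates above into patterns, pulls out the %1/%2/%3 insertion strings, and buckets event text by severity together with the check this page suggests. It assumes the PwdSync events have been exported as plain message text; the user, directory and provider names in the sample lines are constructed.

```python
import re

# PwdSync event-message templates from this page; %1, %2, %3 are the Windows event insertion strings.
# Each entry: (severity, template, check suggested by the documentation, or None for informational).
PWDSYNC_MESSAGES = [
    ("info", "The password synchronization service has started.", None),
    ("info", "The password synchronization service has stopped.", None),
    ("info", "Loaded password provider %1 for directory %2.", None),
    ("info", "Unloaded password provider %1 for directory %2.", None),
    ("info", "The password for user %2 in directory %1 has been successfully changed by %3.", None),
    ("info", "The password filter has been fully initialized. Domain Name = %2, Computer Name = %1, Host Name = %3.", None),
    ("warning", "The Cryptographic Service Provider has defaulted to %1. Encryption will be downgraded to the standards of this provider. Execution of the password synchronization server will not be affected. If higher encryption standards are required, please contact your network administrator.", "Agent is using weaker cryptography than the host could provide"),
    ("warning", "The user %1 in directory %2 could not be mapped to a user in directory %3. The error code is in the data.", "Check nadLoginName on the user, the nadDomain server reference and index, and PwdSync rights"),
    ("warning", "The password for user %1 in directory %2 was not synchronized because the password change timed out.", "Check nadLoginName on the user, the nadDomain server reference and index, and PwdSync rights"),
    ("error", "The password synchronization service failed to load. The error code is in the data.", "Agent did not start; check that the Novell Client can reach a replica holding the PwdSync object (eDir Server IP Address registry value)"),
    ("error", "A password change request was made by directory %1. No password provider exists for this directory.", "Check the nadPwdProvider objects under PwdSync and the PwdSync object's rights to them"),
    ("error", "The password for user %1 in directory %2 could not be decrypted. The error code is in the data.", "Likely encryption level mismatch; compare Service Pack levels across the domains"),
]

def template_to_regex(template):
    # re.split with a capturing group alternates literal text and the insertion-string number.
    parts = re.split(r"%(\d)", template)
    body = "".join(re.escape(p) if i % 2 == 0 else f"(?P<p{p}>.+?)" for i, p in enumerate(parts))
    return re.compile("^" + body + "$")

def classify(message):
    # Returns (severity, insertion strings, suggested check) or None if not a known PwdSync message.
    for severity, template, action in PWDSYNC_MESSAGES:
        m = template_to_regex(template).match(message)
        if m:
            return severity, m.groupdict(), action
    return None

SAMPLE_EVENTS = [  # constructed sample event text, not a real export
    "The password synchronization service has started.",
    "The password for user jsmith in directory TREE1 has been successfully changed by PwdSync.",
    "The user jsmith in directory CORPDOM could not be mapped to a user in directory TREE1. The error code is in the data.",
    "The password for user jsmith in directory TREE1 could not be decrypted. The error code is in the data.",
    "Some unrelated Application log line.",
]

def triage(events):
    # Bucket events by severity so warnings and errors can be reviewed with their suggested checks.
    result = {"info": [], "warning": [], "error": [], "unknown": []}
    for line in events:
        hit = classify(line)
        if hit is None:
            result["unknown"].append(line)
        else:
            result[hit[0]].append((hit[1], hit[2]))
    return result
```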