Novell Doc: Identity Manager 3.5.1 Driver for NT Domain - Setting Up Password Synchronization Filters

9.5 Setting Up Password Synchronization Filters

The driver needs to be configured to run on only one Windows machine. However, after you install the driver, each of the other domain controllers needs a password filter (pwfilter.dll file) installed and the registry configured to capture passwords so that passwords can be sent to Identity Manager.

The password filter is automatically started when the domain controller is started. The filter captures password changes made by users through Windows clients, encrypts them, and sends them to the driver to update the Identity Manager data store.

NOTE:For information about configuring Password Synchronization, see Implementing Password Synchronization in the Novell Identity Manager 3.5.1 Administration Guide.

To simplify your setup and administration of password filters, an Identity Manager PassSync utility is added to the Control Panel when the driver is installed. This utility gives you two choices for setting up the password filters, depending on whether you want to allow remote access to the registry on your domain controllers:

If you don’t allow remote access to the registry: Set up the password filters on each domain controller separately. To do this, you go to each domain controller, install the driver files so you have the Identity Manager PassSync utility, and use the utility on each machine to install the password filter and update the registry.

See Section 9.5.1, Separately Configuring Password Filters on Each Domain Controller.
If you allow remote access to the registry: From the single machine where you plan to run the driver, configure the password filter for all the domain controllers, using the Identity Manager PassSync utility.

This method lets you configure all the domain controllers from one place.

If you configure all the domain controllers from one machine, the Identity Manager PassSync utility provides the following features to help you during setup:
- Lets you specify which domain you want to participate in password synchronization.
- Automatically discovers all the domain controllers for the domain.
- Lets you remotely install the pwfilter.dll on each domain controller.
- Automatically updates the registry on the machine where the driver is running and on each domain controller.
- Lets you view the status of the filter on each domain controller.
- Lets you remotely reboot a domain controller. This is necessary when you first add a domain for password synchronization, because the filter that captures password changes is a .dll file that starts when the domain controller is started.
See Section 9.5.2, Configuring Password Filters for All Domain Controllers from One Machine.

9.5.1 Separately Configuring Password Filters on Each Domain Controller

This procedure explains how to install and configure the password filter on each domain controller, one at a time.

Use this method if you don’t want to allow remote access to the registry.

In this procedure, you install the driver so that you have the Identity Manager PassSync utility, then you use the utility to install the pwfilter.dll file, specify the port to use, and specify which host machine is running the Identity Manager Driver for NT.

Setting up the filter requires rebooting the domain controller, so you might want to perform this procedure after hours, or reboot only one domain controller at a time. If there is more than one domain controller in the domain, keep in mind that each domain controller where you want Password Synchronization to function must have the filter installed and must be rebooted.

Confirm that the following ports are available on both the domain controller and the machine where the Identity Manager Driver for NT is configured to run:
- 135: The RPC endpoint mapper
- 137: NetBIOS name service
- 138: NetBIOS datagram service
- 139: NetBIOS session service
On the domain controller, use the Identity Manager Installation to install only the Identity Manager Driver for NT.

Installing the driver installs the Identity Manager PassSync utility.
Click Start > Settings > Control Panel.
Double-click Identity Manager PassSync.

The first time you open the utility, it asks whether this is the machine where the Identity Manager driver is installed.
Click No.

After you complete the configuration, you are not shown this prompt again unless you remove the password filter using the Remove button in the Password Filter Properties dialog box.

After you click No, the Password Filter Properties dialog box appears, with a status message indicating that the password filter is not yet set up on this domain controller.
Click the Setup button to install the password filter, pwfilter.dll.
For the Port setting, specify whether to use a dynamic port or a static port.

Use the static port option only if you have decided to configure your remote procedure call (RPC) for the domain controller differently than the default.
Specify the location of the Identity Manager driver, click the Add button, then specify the Host Name of the machine that is running the Identity Manager driver in the Password Sync Filter - Add Host dialog box. Click OK.

This step is necessary so that the password filter knows where to send the password changes. The password filter captures password changes, and must send them to the Identity Manager driver to update the Identity Manager data store.
In the Password Filter Properties dialog box, click OK.
Reboot the domain controller to complete the installation of the password filter.

You can choose to reboot at a time that makes sense for your environment. Just keep in mind that password synchronization won’t be fully functional until every domain controller has the password filter installed and has been rebooted.

After the installation is complete and the domain controller is rebooted, the password filter is loaded automatically whenever the domain controller starts up.
Check the status for the password filter again by clicking Start > Settings > Control Panel, and double-clicking the Identity Manager PassSync utility. Confirm that the status says Running.
Repeat Step 2 through Step 11 for each domain controller that you want to participate in Password Synchronization.
When the status says Running for all the domain controllers, test Password Synchronization to confirm that it is working.

9.5.2 Configuring Password Filters for All Domain Controllers from One Machine

This procedure explains how to install and configure the password filter on each domain controller, all from the same machine where you are running the driver.

Use this method if you allow remote access to the registry.

Confirm that these ports are available on the domain controllers and on the machine where the Identity Manager Driver for NT is configured to run:
- 135: The RPC endpoint mapper
- 137: NetBIOS name service
- 138: NetBIOS datagram service
- 139: NetBIOS session service
At the computer where the driver is installed, click Start > Settings > Control Panel.
Double-click Identity Manager PassSync.

The first time you open the utility, it asks whether this is the machine where the Identity Manager driver is installed.

After you complete the configuration, you are not shown this prompt again unless you remove this domain from the list.
Click Yes.

A list appears, labeled Synchronized Domains.
To add a domain you want to participate in password synchronization, click Add and specify the domain name.
Log in with administrator rights.

The Identity Manager PassSync utility discovers all the domain controllers for that domain, and installs pwfilter.dll on each domain controller. It also updates the registry on the computer where you are running the drivers, and on each domain controller. This might take a few minutes.

The pwfilter.dll doesn’t capture password changes until the domain controller has been rebooted. The Identity Manager PassSync utility lets you see a list of all the domain controllers and the status of the filter on them. It also lets you reboot the domain controller from inside the utility.
Click the name of the domain in the list, then click Filters.

The utility displays the names of all the domain controllers and the status of the filter on each of them.

The status for each domain controller should indicate that it needs rebooting. However, it might take a few minutes for the utility to complete its automated task, and in the meantime the status might say Unknown.
Reboot each domain controller.

You can choose to reboot them at a time that makes sense for your environment. Just keep in mind that password synchronization won’t be fully functional until every domain controller has been rebooted.
When the status for the domain controllers says Running, test password synchronization to confirm that it is working.
To add more domains, click OK to return to the list of domains, and repeat Step 5 through Step 9.