7.5 Setting Up Password Synchronization Filters

The driver needs to be configured to run on only one Windows machine.

However, after you install and configure the driver, do the following on each of the other domain controllers:

  1. Install a password filter (pwfilter.dll file).

  2. Configure the registry to capture passwords so that passwords can be sent to Identity Manager.

The password filter is automatically started when the domain controller is started. The filter captures password changes that users make by using Windows clients, encrypts the changes, and sends them to the driver to update the Identity Manager data store.

NOTE: For information about configuring Password Synchronization, see Implementing Password Synchronization in the Novell Identity Manager 3.0.1 Administration Guide.

To simplify your setup and administration of password filters, an Identity Manager PassSync utility is added to the Control Panel when the driver is installed. This utility gives you two choices for setting up the password filters, depending on whether you are willing to allow remote access to the registry on your domain controllers:

7.5.1 Configuring Password Filters for All Domain Controllers from One Machine

This procedure explains how to install and configure the password filter on each domain controller, all from the same machine where you are running the driver.

Use this method if you allow remote access to the registry.

Because setting up the filter requires rebooting the domain controller, you might want to perform this procedure after hours, or reboot only one domain controller at a time. If the domain has more than one domain controller, keep in mind that each domain controller where you want Password Synchronization to function must have the filter installed and must be rebooted.

  1. Confirm that port 135 (the RPC endpoint mapper) is accessible on the domain controllers and on the machine where the Identity Manager Driver for Active Directory is configured to run.

    If you are using NetBIOS over TCP, you also need these ports:

    • 137: NetBIOS name service
    • 138: NetBIOS datagram service
    • 139: NetBIOS session service

    A firewall could prevent the ports from being accessible remotely. Note that port 135 is only the endpoint mapper: the RPC connection it brokers uses a port assigned dynamically by the domain controller, so that port must also pass the firewall. Where you do open ports, restrict the rule to the address of the machine running the driver rather than exposing RPC to the whole network.

  2. At the computer where the driver is installed, click Start > Settings > Control Panel.

  3. Double-click Identity Manager PassSync.

    The first time you open the utility, it asks whether this is the machine where the Identity Manager driver is installed.

    Is this the machine where the DirXML driver is configured to run?

    After you complete the configuration, you are not shown this prompt again unless you remove this domain from the list.

  4. Click Yes.

    A list appears, labeled Synchronized Domains.

  5. To add a domain that you want to participate in password synchronization, click Add.

    The Add Domain dialog box appears.

  6. Specify or select the domain name that you want to add.


    The drop-down list displays known domains.

  7. (Optional) Specify a computer in the domain.


    If you leave the Computer edit box blank, PassSync queries the local machine. Therefore, if you are running PassSync on a domain controller, you don’t need to enter a name: PassSync queries the local domain controller and retrieves from Active Directory the list of all domain controllers in the domain.

    If you aren’t running PassSync on a domain controller, enter the name of a computer that is joined to the domain and can reach a domain controller.

    If you receive an error message indicating that PassSync can’t locate a domain, enter a different name.

  8. Decide whether to use the domain’s DNS name.

    The DNS name allows a stronger authentication method than the NetBIOS name and makes domain discovery more reliable in larger installations. However, the right choice depends on how name resolution is set up in your environment.

  9. Log in with administrator rights.

    The Identity Manager PassSync utility discovers all the domain controllers for that domain and installs pwfilter.dll on each domain controller. It also updates the registry on the computer where you are running the driver and on each domain controller. This might take a few minutes.

    The pwfilter.dll doesn’t capture password changes until the domain controller has been rebooted. The Identity Manager PassSync utility lets you see a list of all the domain controllers and the status of the filter on them. It also lets you reboot the domain controller from inside the utility.

  10. Click the name of the domain in the list, then click Filters.

    The utility displays the names of all the domain controllers and the status of the filter on each of them.

    The status for each domain controller should indicate that it needs rebooting. However, it might take a few minutes for the utility to complete its automated task, and in the meantime the status might say Unknown.

  11. Reboot each domain controller.

    You can choose to reboot them at a time that makes sense for your environment. Just keep in mind that password synchronization won’t be fully functional until every domain controller has been rebooted.

  12. When the status for all domain controllers says Running, test password synchronization to confirm that it is working.

  13. To add more domains, click OK to return to the list of domains, and repeat Step 6 through Step 12.
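The port check in Step 1 (and the identical list in the per-domain-controller procedure that follows) is easy to do by hand for one domain controller and tedious for twenty. The following PowerShell script is an added example, not part of the Novell documentation or the PassSync utility; it runs on the machine where the driver is configured, enumerates every domain controller in the current domain and probes the TCP ports the procedure depends on. It assumes the ActiveDirectory module is installed and that the machine's own domain is the one being synchronized; UDP 137 and 138 cannot be probed with Test-NetConnection and are left to a firewall rule review, and the firewall rule shown uses a placeholder address.

```powershell
# Added pre-flight check for PassSync prerequisites (example code, not the
# product's own). Run on the machine where the Identity Manager driver is
# configured. Assumptions: ActiveDirectory module present, current domain is
# the domain to synchronize.
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot
$tcpPorts = 135, 139          # RPC endpoint mapper, NetBIOS session service
$dcs      = Get-ADDomainController -Filter * -Server $domain

$report = foreach ($dc in $dcs) {
    foreach ($port in $tcpPorts) {
        # -InformationLevel Quiet makes Test-NetConnection return a plain boolean
        $ok = Test-NetConnection -ComputerName $dc.HostName -Port $port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            Port             = $port
            Reachable        = $ok
        }
    }
}
$report | Format-Table -AutoSize

# UDP 137/138 (NetBIOS name and datagram services) cannot be probed with a TCP
# connect, so check the rules on each domain controller instead, e.g.:
#   Get-NetFirewallRule -Enabled True -Direction Inbound |
#       Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -in 135,137,138,139 }

# A domain controller that fails on 135 cannot be reached by PassSync at all.
# If you have to open it, scope the rule to the driver host rather than to any
# source (192.0.2.10 below is a placeholder for the driver host's address).
# Run this on the domain controller, not on the driver machine:
#   New-NetFirewallRule -DisplayName 'IDM PassSync RPC from driver host' `
#       -Direction Inbound -Protocol TCP -LocalPort 135 `
#       -RemoteAddress 192.0.2.10 -Action Allow
```

Any domain controller that shows Reachable = False on 135 will also show Unknown in the Filters view of the utility, because PassSync never gets as far as installing the DLL on it. Remember that the endpoint mapper only brokers the connection: the dynamic RPC port it hands back (or the static port chosen in Step 7 of the per-domain-controller procedure) must be allowed as well.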

7.5.2 Separately Configuring Password Filters on Each Domain Controller

The procedure described in this section explains how to install and configure the password filter on each domain controller, one at a time.

Use this method if you don’t want to allow remote access to the registry.

In this procedure, you install the driver so that you have the Identity Manager PassSync utility. Then you use the utility to install the pwfilter.dll file, specify the port to use, and specify which host machine is running the Identity Manager Driver for Active Directory.

Because setting up the filter requires rebooting the domain controller, you might want to perform this procedure after hours, or reboot only one domain controller at a time. If a domain has more than one domain controller, keep in mind that each domain controller where you want Password Synchronization to function must have the filter installed and must be rebooted.

  1. Confirm that these ports are accessible on both the domain controller and the machine where the Identity Manager Driver for Active Directory is configured to run:

    • 135: The RPC endpoint mapper
    • 137: NetBIOS name service
    • 138: NetBIOS datagram service
    • 139: NetBIOS session service
  2. On the domain controller, use the Identity Manager installation program to install only the Identity Manager Driver for Active Directory.

    Installing the driver installs the Identity Manager PassSync utility.

  3. Click Start > Settings > Control Panel, then locate the Identity Manager PassSync utility.

  4. Double-click Identity Manager PassSync.

    The first time you open the utility, it asks whether this is the machine where the Identity Manager driver is installed.

    Is this the machine where the DirXML driver is configured to run?
  5. Click No.

    After you complete the configuration, you are not shown this prompt again unless you remove the password filter by using the Remove button in the Password Filter Properties dialog box.

    After you click No, the Password Filter Properties dialog box appears, with a status message indicating that the password filter is not yet set up on this domain controller.

  6. Click the Setup button to install the password filter, pwfilter.dll.

  7. For the Port setting, specify whether to use dynamic port or static port.

    Use the static port option only if you have configured remote procedure call (RPC) on the domain controller to listen on a fixed port instead of the default dynamically assigned port (for example, to satisfy a firewall rule). The static port you specify here must match that RPC configuration.

  8. Specify the location of the Identity Manager driver, click the Add button, specify the Host Name of the machine that is running the Identity Manager driver in the Password Sync Filter - Add Host dialog box, then click OK.


    This step is necessary so that the password filter knows where to send the password changes. The password filter captures password changes, and must send them to the Identity Manager driver to update the Identity Manager data store.

  9. In the Password Filter Properties dialog box, click OK.

  10. Reboot the domain controller to complete the installation of the password filter.

    You can choose to reboot at a time that makes sense for your environment. Just keep in mind that password synchronization won’t be fully functional until every domain controller has the password filter installed and has been rebooted.

    After the installation is complete and the domain controller is rebooted, the password filter is loaded automatically whenever the domain controller starts up.

  11. Check the status for the password filter again by clicking Start > Settings > Control Panel, and double-clicking the Identity Manager PassSync utility.

    Confirm that the status says Running.

  12. Repeat Step 2 through Step 11 for each domain controller that you want to participate in Password Synchronization.

  13. When the status says Running for all the domain controllers, test Password Synchronization to confirm that it is working.
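Both procedures end with "confirm that the status says Running" and "test Password Synchronization". The PassSync utility reports the status it knows about; the script below is an added example, not from the Novell documentation or the product, that checks the same facts directly on a domain controller and then generates a password change you can look for in the driver's trace. It assumes what every Windows password filter has to assume, namely that pwfilter.dll is registered as an LSA notification package under the standard Windows registry value (the page does not name that key), that you run it in an elevated session on the domain controller itself, and that a dedicated test user exists (the name passsync-test is a placeholder). Because LSASS loads notification packages only at boot, the script also tells you whether the reboot in Step 10 is still outstanding.

```powershell
# Added post-install verification for a PassSync password filter (example
# code, not the product's own). Run elevated on each domain controller after
# the reboot. Assumptions: pwfilter.dll is an LSA notification package (the
# standard Windows registration for password filters); a test user exists.
function Test-PassSyncFilter {
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
    $dll      = Join-Path $env:SystemRoot 'System32\pwfilter.dll'

    # Entries in Notification Packages are DLL base names without the extension
    $registered = @($packages | Where-Object { $_ -ieq 'pwfilter' }).Count -gt 0
    $present    = Test-Path -Path $dll
    $dllTime    = if ($present) { (Get-Item -Path $dll).LastWriteTime } else { $null }

    # Heuristic: LSASS loads notification packages only when it starts, so a
    # DLL written after lsass.exe started is registered but not yet active.
    $lsassStart = (Get-Process -Name lsass).StartTime
    $active     = $registered -and $present -and ($lsassStart -gt $dllTime)

    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        Registered       = $registered
        DllPresent       = $present
        LsassStarted     = $lsassStart
        FilterActive     = $active
        NeedsReboot      = ($registered -and $present -and -not $active)
    }
}

# Generate one password change on a dedicated test account, processed by this
# domain controller (-Server), so the event can be matched in the driver trace.
function Invoke-PassSyncTest {
    param([string]$SamAccountName = 'passsync-test')   # placeholder test user
    Import-Module ActiveDirectory
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) `
                                          -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -NewPassword $newPassword `
                          -Reset -Server $env:COMPUTERNAME
    # Return the timestamp to correlate with the driver's trace or event log
    Get-Date
}

Test-PassSyncFilter | Format-List
```

Run Test-PassSyncFilter first: if it reports NeedsReboot = True, the utility's status will not reach Running until the domain controller is restarted, whatever the registry says. Only when FilterActive is True on a given domain controller is a password change processed by that domain controller going to be captured, which is why Invoke-PassSyncTest pins the reset to the local server with -Server; a reset that happens to be handled by a different, not-yet-rebooted domain controller would silently produce nothing for the driver.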