Setting Up Password Synchronization Filters

After you install the driver, you need to set up the filter to capture passwords.

The driver needs to be installed on only one Windows machine. The other domain controllers don't need the driver installed, but each domain controller does need a filter.dll file installed to capture passwords so they can be sent to Identity Manager. To simplify your setup and administration, a DirXML PassSync utility is provided that lets you do this for all domain controllers from the Windows machine where the driver is installed.

When you install the driver on a Windows machine, this utility is added to the Control Panel. The name of the utility is DirXML PassSync. The same utility is used for both NT domains and Active Directory, and it does the following things:

You must complete some simple steps in the DirXML PassSync utility to configure password synchronization before Identity Manager Password Synchronization will work.

(In Password Synchronization 1.0, similar tasks were accomplished using a standalone service called an agent, but in Identity Manager Password Synchronization this functionality is part of the driver.)

Setting up the filter requires a reboot of the domain controller, so you might want to perform this procedure after hours, or reboot only one domain controller at a time.

To set up Password Synchronization filters for your domain:

  1. At the computer where the driver is installed, click Start > Settings > Control Panel.


    Control panel showing the yin-yang icon for the DirXML PassSync utility
  2. Double-click DirXML PassSync.

  3. The first time you open the utility, it asks whether this is the machine where the DirXML driver is installed. Click Yes.

    After you complete the configuration, you are not shown this prompt again unless you remove this domain from the list.

    Note:  You must use the DirXML PassSync utility on the machine where the driver is installed. The No option in this dialog box is not supported at this time.

    A list appears, labeled Synchronized Domains.


    The Synchronized Domains dialog
  4. To add a domain you want to participate in password synchronization, click Add and specify the domain name.


    Add Domain dialog
  5. Log in with administrator rights.

    The DirXML PassSync utility discovers all the domain controllers for that domain, and installs pwfilter.dll on each domain controller. It also updates the registry on the computer where you are running the drivers, and on each domain controller. This might take a few minutes.

    The pwfilter.dll doesn't capture password changes until the domain controller has been rebooted. The DirXML PassSync utility lets you see a list of all the domain controllers and the status of the filter on them. It also lets you reboot the domain controller from inside the utility.

  6. Click the name of the domain in the list, then click Filters.

    The utility displays the names of all the domain controllers and the status of the filter on each of them.

    The status for each domain controller should indicate that it needs rebooting. However, it might take a few minutes for the utility to complete its automated task, and in the meantime the status might say Unknown.


    Password Filters dialog
  7. Reboot each domain controller.

    You can choose to reboot them at a time that makes sense for your environment. Just keep in mind that password synchronization won't be fully functional until every domain controller has been rebooted.

  8. When the status for the domain controllers says Running, test password synchronization to confirm that it is working.

  9. To add more domains, click OK to return to the list of domains, and repeat Step 4 through Step 8.
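
An added example, not part of the original documentation or Novell's tooling: a PowerShell check of the state that Steps 5 through 8 describe (filter copied, registry updated, reboot still pending). It assumes the filter is registered under the name `pwfilter` in the standard Windows LSA Notification Packages value and that the DLL is copied into System32; the status names and the sample data are constructed for illustration.

```powershell
# Added example, not Novell's code.
# Assumption: the filter is registered by the name "pwfilter" in the standard
# Windows LSA "Notification Packages" value, and the DLL sits in System32.
$FilterName = 'pwfilter'

# Runs ON a domain controller and returns the facts the check needs.
$Collect = {
    param($Name)
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dll = Get-Item "$env:SystemRoot\System32\$Name.dll" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Packages  = @($lsa.'Notification Packages')   # every DLL here sees new passwords
        DllCopied = $dll.CreationTime                 # $null when the file is missing
        LastBoot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

# Classifies one controller. These status names are this example's own.
function Get-FilterStatus {
    param($State, [string]$Name)
    $registered = $State.Packages -contains $Name     # case-insensitive match
    $present    = $null -ne $State.DllCopied
    if (-not $present -and -not $registered) { return 'NotInstalled' }
    if ($present -ne $registered)            { return 'Inconsistent' }
    if ($State.LastBoot -lt $State.DllCopied) { return 'NeedsReboot' }
    'LoadedSinceBoot'
}

# Constructed sample states so the logic can be run without a domain.
$samples = [ordered]@{
    'dc1 (constructed)' = [pscustomobject]@{ Packages = 'scecli','pwfilter'
        DllCopied = [datetime]'2024-03-01 18:00'; LastBoot = [datetime]'2024-03-01 23:30' }
    'dc2 (constructed)' = [pscustomobject]@{ Packages = 'scecli','pwfilter'
        DllCopied = [datetime]'2024-03-01 18:00'; LastBoot = [datetime]'2024-02-10 02:00' }
    'dc3 (constructed)' = [pscustomobject]@{ Packages = @('scecli')
        DllCopied = $null; LastBoot = [datetime]'2024-02-10 02:00' }
}
foreach ($dc in $samples.Keys) {
    '{0}: {1}' -f $dc, (Get-FilterStatus $samples[$dc] $FilterName)
}

# Live use (ActiveDirectory module and PowerShell remoting required):
# Get-ADDomainController -Filter * | ForEach-Object {
#     $s = Invoke-Command -ComputerName $_.HostName -ScriptBlock $Collect -ArgumentList $FilterName
#     [pscustomobject]@{ DC = $_.HostName; Status = Get-FilterStatus $s $FilterName
#                        Packages = $s.Packages -join ',' }
# }
```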