If the Active Directory server where the Remote Loader for your AD / Exchange driver is running becomes unavailable (e.g. a server crash or Active Directory database corruption) and you are not directly present to redirect your driver to another AD server, it is good to know how the Password Filter cache works.
As we all know, the Password Filter is an optional component you can install with IDM for password synchronization between Microsoft Active Directory and Novell eDirectory.
The Password Filter has to be installed on every Domain Controller in your domain and must be configured to communicate with your Remote Loader server or IDM server for password synchronization to work.
If the Remote Loader server is somehow unavailable, or if the driver or Remote Loader is disabled, the Password Filter will cache the password, and the password change will be processed when everything is available again.
How it works:
While configuring the Password Filter you must assign a server where the passwords can be collected for processing to eDirectory. If the connection between the DC and this “collector” system is lost, the Password Filter will cache a password change in the DC’s registry, in “HKEY_LOCAL_MACHINE\SOFTWARE\Novell\PwFilter\Data” to be exact. By default the permissions on this key are restricted so that the cache is not shown, so you have to change the permissions to view the information underneath. When the connection is restored, the cached password changes will be collected and the cache will be emptied.
On the “collector” system (the system where the Remote Loader or IDM is running) the setup is similar. The collected passwords will be cached in the registry until they can be processed by the driver.
In the “Driver settings” you can set “Password Sync Timeout (minutes)”. With this setting, password changes are disregarded if the synchronization of the password is taking too long.
When do problems occur?
This all seems to work well, so what is the problem?
Well, the problem is that “Password Sync Timeout” is only checked against the time the password is in the cache of the “collector”. The time the password has been cached on the DC is not checked.
In day-to-day work there is no problem, but when a collector becomes unavailable and some days go by before you can reconfigure the password sync again, the cache on the DCs will be emptied and the password changes will be pushed to eDirectory, regardless of the age of the password.
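Before reconnecting a collector after a long outage, it helps to know which DCs still hold queued changes. The PowerShell check below is an added example, not part of the original article or of the Novell product; it only counts entries under the key named above and never reads their contents. It assumes the ActiveDirectory module and the Remote Registry service are available, that your account has been granted read access to the key, and that pending changes show up as values or subkeys there (the article does not describe the layout, so compare against a DC with an empty cache).

```powershell
# Added example: count Password Filter cache entries on every DC.
# The function name Get-PwFilterCacheCount is hypothetical (defined here).
Import-Module ActiveDirectory

$subKeyPath = 'SOFTWARE\Novell\PwFilter\Data'   # key named in the article

function Get-PwFilterCacheCount {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [pscustomobject]@{
        DomainController = $ComputerName
        Values           = $null
        SubKeys          = $null
        Status           = 'OK'
    }
    $hklm = $null
    $key  = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hklm.OpenSubKey($subKeyPath)    # read-only open
        if ($null -eq $key) {
            $result.Status = 'Key not found (filter not installed?)'
        } else {
            # Assumption: queued changes appear as values and/or subkeys.
            $result.Values  = $key.ValueCount
            $result.SubKeys = $key.SubKeyCount
        }
    } catch [System.Security.SecurityException] {
        # Expected with the default permissions described in the article.
        $result.Status = 'Access denied (default key permissions)'
    } catch {
        $result.Status = "Error: $($_.Exception.Message)"
    } finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
    $result
}

Get-ADDomainController -Filter * |
    ForEach-Object { Get-PwFilterCacheCount -ComputerName $_.HostName } |
    Sort-Object DomainController |
    Format-Table -AutoSize
```

A DC whose counts are above its empty-cache baseline is holding changes that will be pushed to eDirectory on reconnect, whatever their age.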