Identity Manager provides the PassSync Troubleshooting Tool to diagnose issues encountered during password synchronization. This tool is a standalone executable that collects the following information to help you analyze synchronization issues:
Domain Controller information
Password filter details
RPC connection details
Ensure you have the appropriate permissions to log in to this tool. For more information, see Logging In with Right Permissions.
You must launch this tool on the computer where the Active Directory driver is installed. For more information, see Verifying Remote Loader is Locally Available to PassSync Tool.
This tool is available in the Identity Manager utilities folder located at:
\products\IDM\windows\setup\utilities\PassSyncTroubleshootingTool
1. Launch PassSync Troubleshooting Tool.
2. Specify the following details:

| Field | Description |
|---|---|
| Trace File | Specifies the location of the trace file where you want to store the trace messages. If you do not specify a path, the file is created in the same directory from where you launched the tool. |
| Domain Name | Specifies the name of the Active Directory domain you are synchronizing passwords to and from. |

3. Perform the following actions in any order:
Click Check Driver Machine and specify the credentials. For more information, see Verifying the Driver Machine Information.
Click Check Domain Controllers and specify the credentials. For more information, see Verifying the Domain Controller Information.
NOTE: If you do not log in with the right permissions, the tool reports an error. For more information, see Logging In with Right Permissions.
When you click Check Driver Machine and Check Domain Controllers, the trace information is stored in the file specified in Step 2.
The Check Driver Machine option provides the following information about drivers that are installed on a particular domain:
RPC Service: Establishes a remote connection with other computers. The RPC service status in the trace indicates whether the RPC service is running on the computer.
You must have administrative access to start the RPC service. Perform the following actions to start the RPC service:
Right-click on your Start button and click Run.
Type Services.msc and click OK.
Right-click Remote Procedure Call (RPC) and select Start.
Driver Instances: Provides driver file path, connection details, and driver version. It also provides information about the driver instances running on the Remote Loader.
Registry Information: Displays registry key values of the computer running the driver and domain.
The following is a sample trace output displaying these parameters for example.com domain:
Fri Aug 17 02:00:31 2018 : Starting Checks on Driver Machine .....
Fri Aug 17 02:00:34 2018: Logging as default user.
Fri Aug 17 02:00:34 2018 : The List of all Domain Controllers -
1. WIN-LIDKNP4JGO5.example.com
Fri Aug 17 02:00:34 2018 : RPC Service is running
Fri Aug 17 02:00:34 2018 : Full DNS name of the driver machine is WIN-LIDKNP4JGO5.example.com
Fri Aug 17 02:00:34 2018 : The version of the Operating System is : Microsoft (build 9200)
Fri Aug 17 02:00:34 2018 : An AD driver instance is found configured on Remote Loader
Fri Aug 17 02:00:34 2018 : AD Driver which is configured with Connection port 8090 and Command port 8000 is running
Fri Aug 17 02:00:34 2018 : List of local files related to Driver are :
C:\novell\remoteloader\64bit\ADDriver.dll
C:\novell\remoteloader\64bit\ad-driver-Config.txt
C:\novell\remoteloader\64bit\ad-driverexample.com-Trace.log
Fri Aug 17 02:00:35 2018 : Driver version is "4.1.0.0">AD</pr"20180125_120000"</cook
Fri Aug 17 02:00:35 2018 : Driver version is c1fe230"/> and Build ID is "20180125_120000"</cook
Fri Aug 17 02:00:35 2018 : Driver version is "4.1.0.0">
Fri Aug 17 02:00:35 2018 : The 'Driver Machine' value in the registry key[SOFTWARE\NOVELL\PASSSYNC] is : 1.
Fri Aug 17 02:00:35 2018 : Number of subkeys(passwords cached) under the key[SOFTWARE\NOVELL\PASSSYNC\DATA\example.com]is 1
Fri Aug 17 02:00:35 2018 : Tests on this driver machine are done
Press any key to close this trace ...
The Check Domain Controllers option provides the following information about domain controller servers within a server domain:
Basic Diagnostic Checks: Displays the password filter version on each domain controller server. It also displays the hostname of the domain controller server and the computer where the driver is running.
RPC Checks: Displays whether the domain controller servers and drivers are able to connect to the password filters through RPC.
The following is a sample trace output displaying these parameters for example.com domain:
Sun Aug 19 22:04:40 2018 : Starting Checks on All DCs .....
Sun Aug 19 22:04:41 2018: Logging as default user.
Sun Aug 19 22:04:41 2018 : The List of all Domain Controllers -
1. WIN-LIDKNP4JGO5.example.com
Sun Aug 19 22:04:41 2018 : Checking the Domain Controller WIN-LIDKNP4JGO5.example.com ....
Running Basic Diagnostic Checks.
Password filter files installed on this DC are C:\Windows\System32\PWFILTER.DLL and C:\Windows\System32\PSEVENT.DLL
This 64 bit System has INCORRECT 32 bit PWFILTER dll version v3.0.0 (20180117) installed
The value of 'Host Names' '[WIN-LIDKNP4JGO5.example.com]' in DC[WIN-LIDKNP4JGO5.example.com] is same as the name of driver machine[WIN-LIDKNP4JGO5.example.com]
Opened key [SOFTWARE\NOVELL\PWFILTER\DATA]. No items to process.
Running RPC Checks.
Checking whether this tool can reach the filter through RPC
This tool can reach the filter through RPC
Checking if the filter can connect to the driver
pwFilter can connect to PassSync RPC server on driver machine - 0
Sun Aug 19 22:04:42 2018 : Tests on all DCs are done
Press any key to close this trace ...
Ensure the following conditions are met when the driver is remotely installed:
All Active Directory servers belong to the same domain that is hosting the Remote Loader server.
The RPC service is running and is able to connect to the PWfilter modules of that Active Directory server.
To verify the status of RPC service and the number of driver instances running in your domain, see Verifying the Driver Machine Information.
Additionally, the following actions can help you troubleshoot the issues:
This tool can only analyze the domains that are registered to the driver computer. If you specify an unregistered domain, it displays the following error in the driver machine trace:
No Such Domain.
Therefore, always specify the registered domain name to this tool.
The following error occurs if the Active Directory driver is configured with the Remote Loader and the PassSync tool is launched from a different computer:
Error occured while opening the registry key [SOFTWARE\NOVELL\RLCONSOLE].
Therefore, you must launch the PassSync tool on the Remote Loader computer where the Active Directory driver is running.
Enable the Out of Band Sync attribute for the password change event. This setting processes the password change event before other events in the queue. For more information, see Enabling Out of Band Sync in the NetIQ Identity Manager Driver Administration Guide.
You can configure one or more Active Directory driver instances on one Remote Loader. The Active Directory driver instance that you want to use for password synchronization requires the RPC service to establish a remote connection with the domain controller servers. Therefore, it is recommended to set a startup delay in a registry key for the remaining instances so that the required Active Directory driver instance can use the RPC service to synchronize the passwords.
After making the changes to the key, restart the Windows server.
If you do not log in to the server with the right permissions, the tool reports an access denied error. For example, if you log in without domain administrator rights, it displays the following error when running the domain controller check:
Error occurred while opening the registry key[SOFTWARE\NOVELL\PWFILTER\DATA]. Access is denied.
To resolve this issue:
Run regedit and right-click the HKLM\Software\Novell\PwFilter\Data key.
Select Permissions.
Select Advanced and add Administrators Group.
Set the Read permission.
Verify that Replace all child object permission entries with inheritable permission entries from this object is selected.
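The trace files and error messages described on this page can be triaged by script once several domain controllers are involved. The following is an added example, not part of the PassSync tool or the original documentation: it matches the message strings quoted on this page and flags a check whose expected success lines never appear. The rule table, severities, notes and the `triage` function are assumptions of this example.

```python
import re

TS = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s*:\s*(.*)$")

# Patterns are strings quoted on this page; the severities, notes and the
# rule table itself are assumptions of this example, not the tool's logic.
RULES = [
    (r"INCORRECT \d+ bit PWFILTER dll", "error",
     "password filter DLL bitness reported as incorrect"),
    (r"No Such Domain", "error", "domain is not registered to the driver computer"),
    (r"registry key ?\[SOFTWARE\\NOVELL\\RLCONSOLE\]", "error",
     "tool was not launched on the Remote Loader computer"),
    (r"Access is denied", "error", "account cannot read the registry key"),
    (r"passwords cached\).*is (\d+)", "info", "cached password subkeys: {0}"),
]
# Lines each check type must contain to count as healthy (per trace, not per DC).
REQUIRED = {
    "Starting Checks on Driver Machine": ["RPC Service is running"],
    "Starting Checks on All DCs": ["can reach the filter through RPC",
                                   "pwFilter can connect to PassSync RPC server"],
}

def triage(trace):
    """Return (severity, timestamp, domain_controller, note) tuples."""
    findings, stamp, dc = [], None, None
    for raw in trace.splitlines():
        m = TS.match(raw.strip())
        # Untimestamped lines inherit the timestamp of the last stamped line.
        stamp, msg = m.groups() if m else (stamp, raw.strip())
        d = re.search(r"Checking the Domain Controller (\S+)", msg)
        dc = d.group(1) if d else dc
        for pattern, severity, note in RULES:
            hit = re.search(pattern, msg)
            if hit:
                findings.append((severity, stamp, dc, note.format(*hit.groups())))
    for marker, needed in REQUIRED.items():
        if marker in trace:
            findings += [("error", None, None, "missing expected line: " + n)
                         for n in needed if n not in trace]
    return findings

# Constructed sample: lines copied from this page, combined into one trace.
SAMPLE = r"""Sun Aug 19 22:04:40 2018 : Starting Checks on All DCs .....
Sun Aug 19 22:04:41 2018 : Checking the Domain Controller WIN-LIDKNP4JGO5.example.com ....
This 64 bit System has INCORRECT 32 bit PWFILTER dll version v3.0.0 (20180117) installed
Error occurred while opening the registry key[SOFTWARE\NOVELL\PWFILTER\DATA]. Access is denied.
This tool can reach the filter through RPC
Sun Aug 19 22:04:42 2018 : Tests on all DCs are done"""

if __name__ == "__main__": print(*triage(SAMPLE), sep="\n")
```

The "info" finding for cached password subkeys is not an error by itself; it reports the count the driver machine trace prints for the PASSSYNC data key.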