6.5 Diagnosing Password Synchronization Issues

Identity Manager provides the PassSync Troubleshooting Tool to diagnose issues encountered during password synchronization. This tool is a standalone executable that collects the following information to help you analyze synchronization issues:

  • Domain Controller information

  • Password filter details

  • RPC connection details

Ensure you have the appropriate permissions to log in to this tool. For more information, see Logging In with Right Permissions.

You must launch this tool on the computer where Active Directory driver is installed. For more information, see Verifying Remote Loader is Locally Available to PassSync Tool.

This tool is available in the Identity Manager utilities folder located at:

\products\IDM\windows\setup\utilities\PassSyncTroubleshootingTool

6.5.1 Using PassSync Troubleshooting Tool

  1. Launch PassSync Troubleshooting Tool.

  2. Specify the following details:

    Trace File: Specifies the location of the trace file where you want to store the trace messages. If you do not specify a path, the file is created in the same directory from where you launched the tool.

    Domain Name: Specifies the name of the Active Directory domain you are synchronizing passwords to and from.

  3. Perform the following actions in any order:

    1. Click Check Driver Machine and specify the credentials. For more information, see Verifying the Driver Machine Information.

    2. Click Check Domain Controllers and specify the credentials. For more information, see Verifying the Domain Controller Information.

NOTE: If you do not log in with the right permissions, the tool reports an error. For more information, see Logging In with Right Permissions.

When you click Check Driver Machine and Check Domain Controllers, the trace information is stored in the file specified in Step 2.

6.5.2 Verifying the Driver Machine Information

The Check Driver Machine option provides the following information about drivers that are installed on a particular domain:

  • RPC Service: Establishes a remote connection with other computers. The RPC service status in the trace indicates whether the RPC service is running on the computer.

    You must have administrative access to start the RPC service. Perform the following actions to start the RPC service:

    1. Right-click on your Start button and click Run.

    2. Type Services.msc and click OK.

    3. Right-click Remote Procedure Call (RPC) and select Start.

  • Driver Instances: Provides driver file path, connection details, and driver version. It also provides information about the driver instances running on the Remote Loader.

  • Registry Information: Displays registry key values of the computer running the driver and domain.

The following is a sample trace output displaying these parameters for example.com domain:

Fri Aug 17 02:00:31 2018 : Starting Checks on Driver Machine .....

Fri Aug 17 02:00:34 2018: Logging as default user.

Fri Aug 17 02:00:34 2018 :
The List of all Domain Controllers -
1. WIN-LIDKNP4JGO5.example.com

Fri Aug 17 02:00:34 2018 : RPC Service is running
Fri Aug 17 02:00:34 2018 : Full DNS name of the driver machine is WIN-LIDKNP4JGO5.example.com

Fri Aug 17 02:00:34 2018 : The version of the Operating System is : Microsoft  (build 9200)
Fri Aug 17 02:00:34 2018 : An AD driver instance is found configured on Remote Loader
Fri Aug 17 02:00:34 2018 : AD Driver which is configured with Connection port 8090 and Command port 8000 is running

Fri Aug 17 02:00:34 2018 : List of local files related to Driver are :
        C:\novell\remoteloader\64bit\ADDriver.dll
        C:\novell\remoteloader\64bit\ad-driver-Config.txt
        C:\novell\remoteloader\64bit\ad-driverexample.com-Trace.log
Fri Aug 17 02:00:35 2018 : Driver version is "4.1.0.0">AD</pr"20180125_120000"</cook
Fri Aug 17 02:00:35 2018 : Driver version is c1fe230"/> and Build ID is "20180125_120000"</cook
Fri Aug 17 02:00:35 2018 : Driver version is "4.1.0.0">
Fri Aug 17 02:00:35 2018 : The 'Driver Machine' value in the registry key[SOFTWARE\NOVELL\PASSSYNC] is : 1.

Fri Aug 17 02:00:35 2018 : Number of subkeys(passwords cached) under the key[SOFTWARE\NOVELL\PASSSYNC\DATA\example.com]is 1


Fri Aug 17 02:00:35 2018 : Tests on this driver machine are done

Press any key to close this trace ...
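The same driver machine checks can be reproduced from an elevated PowerShell prompt on the Remote Loader computer. This is an added example, not code from the PassSync Troubleshooting Tool or NetIQ; the domain name and the Remote Loader folder are assumptions taken from the sample trace above.

```powershell
# Added example (not the PassSync Troubleshooting Tool's own code): reproduces the
# Check Driver Machine checks with built-in cmdlets. Run elevated on the Remote Loader
# computer. The domain and folder defaults are assumptions taken from the sample trace.
param(
    [string]$Domain = 'example.com',
    [string]$RemoteLoaderDir = 'C:\novell\remoteloader\64bit'
)

$report = [ordered]@{}

# 1. RPC service (service name RpcSs, shown as "Remote Procedure Call (RPC)" in services.msc).
$rpc = Get-Service -Name RpcSs -ErrorAction Stop
$report['RpcServiceStatus'] = $rpc.Status

# 2. Local driver files, as listed in the trace (ADDriver.dll, ad-driver-*.txt/.log).
$report['DriverFiles'] = Get-ChildItem -Path $RemoteLoaderDir -Filter 'ad*' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
$dll = Join-Path $RemoteLoaderDir 'ADDriver.dll'
if (Test-Path $dll) {
    # File version of the DLL itself; the tool reads its own version string elsewhere.
    $report['ADDriverDllFileVersion'] = (Get-Item $dll).VersionInfo.FileVersion
}

# 3. Registry values the tool reports.
$passSyncKey = 'HKLM:\SOFTWARE\NOVELL\PASSSYNC'
$report['DriverMachineValue'] = (Get-ItemProperty -Path $passSyncKey -ErrorAction Stop).'Driver Machine'

# Each subkey under DATA\<domain> is one cached password waiting to be synchronized.
$dataKey = Join-Path $passSyncKey "DATA\$Domain"
if (Test-Path $dataKey) {
    $report['CachedPasswords'] = @(Get-ChildItem -Path $dataKey).Count
} else {
    # Same condition the tool reports as "No Such Domain" (see Troubleshooting Tips).
    $report['CachedPasswords'] = "No Such Domain ($Domain is not registered on this machine)"
}

# 4. Full DNS name of this machine, as the tool prints it.
$report['DriverMachineFqdn'] = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

[pscustomobject]$report | Format-List
```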

6.5.3 Verifying the Domain Controller Information

The Check Domain Controllers option provides the following information about the domain controller servers within the domain:

  • Basic Diagnostic Checks: Displays the password filter version on each domain controller server. It also displays the hostname of the domain controller server and the computer where the driver is running.

  • RPC Checks: Displays whether the domain controller servers and the driver can connect to the password filters over RPC.

The following is a sample trace output displaying these parameters for example.com domain:

Sun Aug 19 22:04:40 2018 : Starting Checks on All DCs .....

Sun Aug 19 22:04:41 2018: Logging as default user.

Sun Aug 19 22:04:41 2018 :
The List of all Domain Controllers -
1. WIN-LIDKNP4JGO5.example.com

Sun Aug 19 22:04:41 2018 : Checking the Domain Controller WIN-LIDKNP4JGO5.example.com ....

Running Basic Diagnostic Checks.

Password filter files installed on this DC are C:\Windows\System32\PWFILTER.DLL and C:\Windows\System32\PSEVENT.DLL

This 64 bit System has INCORRECT 32 bit PWFILTER dll version v3.0.0 (20180117) installed

The value of 'Host Names' '[WIN-LIDKNP4JGO5.example.com]' in DC[WIN-LIDKNP4JGO5.example.com] is same as the name of driver machine[WIN-LIDKNP4JGO5.example.com]

Opened key [SOFTWARE\NOVELL\PWFILTER\DATA].
No items to process.

Running RPC Checks.

Checking whether this tool can reach the filter through RPC
This tool can reach the filter through RPC

Checking if the filter can connect to the driver
pwFilter can connect to PassSync RPC server on driver machine  - 0

Sun Aug 19 22:04:42 2018 : Tests on all DCs are done

Press any key to close this trace ...
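The Basic Diagnostic Checks for a single domain controller can be reproduced in an elevated PowerShell session on that DC, including the 32-bit versus 64-bit filter mismatch that the sample trace flags as INCORRECT. This is an added example, not NetIQ's code; the filter file names and the registry key are the ones printed in the trace above, and the PE header parsing is a generic check added here.

```powershell
# Added example (not NetIQ's code): Basic Diagnostic Checks for one domain controller.
# Run elevated on the DC itself. File names and registry key come from the sample trace.
$filterFiles = @('C:\Windows\System32\PWFILTER.DLL', 'C:\Windows\System32\PSEVENT.DLL')

# Reads the Machine field of the PE header to learn whether a DLL is 32- or 64-bit.
function Get-PeMachineType {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                                 # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x4550) { return 'NotPE' }   # "PE\0\0"
    switch ([BitConverter]::ToUInt16($bytes, $peOffset + 4)) {                        # COFF Machine
        0x014c  { '32-bit (I386)' }
        0x8664  { '64-bit (AMD64)' }
        default { 'Unknown (0x{0:X4})' -f $_ }
    }
}

$is64BitOs = [Environment]::Is64BitOperatingSystem
$osBits = if ($is64BitOs) { '64-bit' } else { '32-bit' }
foreach ($file in $filterFiles) {
    if (-not (Test-Path $file)) {
        Write-Output "MISSING: $file (password filter is not installed on this DC)"
        continue
    }
    $arch = Get-PeMachineType -Path $file
    $ver  = (Get-Item $file).VersionInfo.FileVersion
    # The sample trace flags exactly this mismatch: a 32-bit PWFILTER.DLL on a 64-bit system.
    $status = if ($is64BitOs -and $arch -like '32-bit*') { 'INCORRECT' } else { 'OK' }
    Write-Output "$status : $file version $ver is $arch; this is a $osBits system"
}

# The filter's per-domain data lives under this key. An access-denied error here means the
# session lacks the rights described under Logging In with Right Permissions.
$filterDataKey = 'HKLM:\SOFTWARE\NOVELL\PWFILTER\DATA'
try {
    $items = @(Get-ChildItem -Path $filterDataKey -ErrorAction Stop)
    if ($items.Count -eq 0) {
        Write-Output "Opened key [$filterDataKey]. No items to process."
    } else {
        $items | ForEach-Object { Write-Output "Filter data subkey: $($_.PSChildName)" }
    }
} catch {
    Write-Output "Error opening [$filterDataKey]: $($_.Exception.Message)"
}
```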

6.5.4 Troubleshooting Tips

Ensure the following conditions are met when the driver is installed remotely:

  • All Active Directory servers belong to the same domain that is hosting the Remote Loader server.

  • The RPC service is running and is able to connect to the PWFilter modules of that Active Directory server.

    To verify the status of RPC service and the number of driver instances running in your domain, see Verifying the Driver Machine Information.

Additionally, the following actions can help you troubleshoot the issues:

Specifying the Registered Domain Name

This tool can only analyze the domains that are registered to the driver computer. If you specify an unregistered domain, it displays the following error in the driver machine trace:

No Such Domain.

Therefore, always specify the registered domain name to this tool.

Verifying Remote Loader is Locally Available to PassSync Tool

The following error occurs if the Active Directory driver is configured with the Remote Loader and the PassSync tool is launched from a different computer:

Error occured while opening the registry key [SOFTWARE\NOVELL\RLCONSOLE].

Therefore, you must launch the PassSync tool on the Remote Loader computer where the Active Directory driver is running.

Using Out of Band Sync

Enable the Out of Band Sync attribute for the password change event. This setting processes the password change event before other events in the queue. For more information, see Enabling Out of Band Sync in the NetIQ Identity Manager Driver Administration Guide.

Enabling the Password Synchronizing Driver Instance to Use RPC Service

You can configure one or more Active Directory driver instances on one Remote Loader. The Active Directory driver instance that you want to synchronize passwords requires the RPC service to establish a remote connection with the domain controller servers. Therefore, it is recommended to set a startup delay in the registry key for the remaining instances, so that the required Active Directory driver instance can use the RPC service to synchronize passwords.

After making the changes to the key, restart the Windows server.

Logging In with Right Permissions

If you do not log in to the server with the right permissions, the tool reports an access denied error. For example, if you log in without domain administrator rights, it displays the following error when running the domain controller check:

Error occurred while opening the registry key[SOFTWARE\NOVELL\PWFILTER\DATA]. Access is denied. 

To resolve this issue:

  1. Run regedit and right-click the HKLM\Software\Novell\PwFilter\Data key.

  2. Select Permissions.

  3. Select Advanced and add Administrators Group.

  4. Set the Read permission.

  5. Verify that Replace all child object permission entries with inheritable permission entries from this object is selected.
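The same permission fix can be applied with the PowerShell ACL cmdlets, which also makes it easy to verify the result. This is an added example, not NetIQ's procedure; it assumes an elevated PowerShell session on the domain controller and uses the registry key named in the steps above.

```powershell
# Added example (not NetIQ's code): the regedit steps above done with Get-Acl/Set-Acl.
# Run from an elevated PowerShell session on the domain controller.
$key = 'HKLM:\SOFTWARE\Novell\PwFilter\Data'

# Reproduce the access check that produces "Access is denied" in the tool's trace.
try {
    $null = Get-ChildItem -Path $key -ErrorAction Stop
    Write-Output "Read access to [$key] is already granted for this session."
} catch {
    Write-Output "Access is denied for [$key]: $($_.Exception.Message)"
}

# Steps 1-4: grant the Administrators group Read on the key. ContainerInherit makes the
# entry inheritable by subkeys, which is what the Advanced dialog shows as an inheritable entry.
$acl  = Get-Acl -Path $key
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'BUILTIN\Administrators',
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.SetAccessRule($rule)
Set-Acl -Path $key -AclObject $acl

# Step 5: replace each subkey's explicit entries with the inheritable entries from this key.
foreach ($sub in Get-ChildItem -Path $key -Recurse) {
    $subAcl = Get-Acl -Path $sub.PSPath
    $subAcl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { $null = $subAcl.RemoveAccessRule($_) }
    $subAcl.SetAccessRuleProtection($false, $false)   # not protected, so it inherits from the parent
    Set-Acl -Path $sub.PSPath -AclObject $subAcl
}

# Verify: list the entries that now apply to the key for the Administrators group.
(Get-Acl -Path $key).Access |
    Where-Object { $_.IdentityReference -like '*Administrators' } |
    Select-Object IdentityReference, RegistryRights, InheritanceFlags, IsInherited
```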