The Active Directory driver must be configured to run on only one Windows machine. However, for password synchronization to occur, you must install a password filter (pwFilter.dll) on each domain controller and configure the registry to capture passwords to send to the Identity Vault.
The password filter is automatically started when the domain controller is started. The filter captures password changes that users make by using Windows clients, encrypts the changes, and sends them to the driver to update the Identity Vault. Because a password filter is loaded by the LSA process on every domain controller and sees each new password in cleartext before it is hashed, the driver host that receives these changes, and the network path to it, must be protected to the same standard as the domain controllers themselves.
To simplify installation and administration of password filters, an Identity Manager PassSync utility is added to the Control Panel when the driver is installed. This utility gives you two choices for setting up the password filters, depending on whether you want to allow remote access to the registry on your domain controllers:
If you allow remote access to the registry of each domain controller from the machine where you are running the driver, use the procedure in this section to configure the password filter. It allows the Identity Manager PassSync utility to configure each domain controller from one machine.
If you configure all the domain controllers from one machine, the Identity Manager PassSync utility provides the following features to help you during setup:
Lets you specify which domain you want to participate in password synchronization.
Automatically discovers all the domain controllers for the domain.
Lets you remotely install the pwFilter.dll on each domain controller.
Automatically updates the registry on the machine where the driver is running and on each domain controller.
Lets you view the status of the filter on each domain controller.
Lets you reboot a domain controller remotely.
Rebooting the domain controller is necessary when you first add a domain for password synchronization, because the filter that captures password changes is a DLL file that starts when the domain controller is started.
Because setting up the filter requires rebooting the domain controller, you might want to perform this procedure after hours, or reboot only one domain controller at a time. If the domain has more than one domain controller, keep in mind that each domain controller where you want Password Synchronization to function must have the filter installed and must be rebooted.
Confirm that TCP port 135 (the RPC endpoint mapper) is accessible on the domain controllers and on the machine where the Active Directory driver is configured to run. Port 135 only locates the RPC service; the connection itself is then made to a dynamically assigned port (by default in the 49152-65535 range on Windows Server 2008 and later), so a firewall between the driver host and the domain controllers must also allow that range, or the filter must be configured to use a static port.
If you are using NetBIOS over TCP, you also need these ports:
137: NetBIOS name service (UDP)
138: NetBIOS datagram service (UDP)
139: NetBIOS session service (TCP)
A firewall could prevent the ports from being accessible remotely. Open them only between the driver host and the domain controllers, not to the network at large.
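The prerequisite check above can be scripted from the driver host. The following is an added example and is not part of the Identity Manager documentation or product. It assumes a placeholder domain name (corp.example.com), Windows PowerShell 5.1 run elevated as a domain administrator (Get-Service -ComputerName is not available in PowerShell 7), and it only probes the TCP ports, because Test-NetConnection cannot test the UDP NetBIOS name and datagram services; those rules still have to be confirmed in the firewall itself.

```powershell
# Added example, not from the Identity Manager documentation or product.
# Run in Windows PowerShell 5.1, elevated, as a domain administrator, on the
# machine where the Active Directory driver is installed. It discovers the
# domain controllers of the domain and checks, from this host, what the remote
# PassSync procedure depends on: the RPC endpoint mapper, the NetBIOS session
# port, and the Remote Registry service on each domain controller.
# 'corp.example.com' is a placeholder; replace it with your own domain.
param(
    [string]$Domain = 'corp.example.com'
)

# Discover every domain controller through .NET, so no RSAT module is required.
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainControllers |
       ForEach-Object { $_.Name }

# TCP ports from the prerequisites above. 137 and 138 are UDP services, which
# Test-NetConnection cannot probe, so they must be confirmed in the firewall rules.
$tcpPorts = [ordered]@{ 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session service' }

$report = foreach ($dc in $dcs) {
    foreach ($port in $tcpPorts.Keys) {
        $probe = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Check            = "TCP $port ($($tcpPorts[$port]))"
            Ok               = $probe.TcpTestSucceeded
        }
    }

    # Writing the PassSync settings into a domain controller's registry from
    # this host needs the Remote Registry service running on that DC.
    $svc = Get-Service -ComputerName $dc -Name RemoteRegistry -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $dc
        Check            = 'Remote Registry service running'
        Ok               = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

$report | Format-Table -AutoSize

# Non-zero exit so the script can gate an automated rollout.
$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Warning "$($_.DomainController): $($_.Check) failed" }
    exit 1
}
```

A successful TCP 135 probe does not prove the dynamic RPC range is open; if the utility later fails to reach a domain controller that passed this check, the dynamic port range (or the static port you configured) is the next thing to look at in the firewall.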
1. Log in with an administrator account on the computer where the driver is installed.
2. At the computer where the driver is installed, open the Identity Manager PassSync utility from the Control Panel.
3. In the dialog box that is displayed, choose the option that specifies that this is the machine where the driver is installed. You only receive this prompt the first time you run the utility. After you complete the configuration, you are not shown this prompt again unless you remove this domain from the list.
4. Add the domain: browse to and select the domain that you want to participate in password synchronization. The drop-down list displays known domains. If no domains are listed, or a 1208 error is displayed, you must turn on the service that provides the list of computers on the network; it is disabled by default. Refer to TID 7000896 for more information.
The Identity Manager PassSync utility discovers all the domain controllers for that domain and installs pwFilter.dll on each domain controller. It also updates the registry on the computer where you are running the driver, and on each domain controller. This might take a few minutes.
The pwFilter.dll doesn't capture password changes until the domain controller has been rebooted. The Identity Manager PassSync utility lets you see a list of all the domain controllers and the status of the filter on them. It also lets you reboot the domain controller from inside the utility.
5. (Optional) Specify a computer in the domain, then continue. If you leave the field blank, PassSync queries the local machine. Therefore, if you are running PassSync on a domain controller, you don't need to specify a name: PassSync queries the local machine (in this case, a domain controller) and gets from the database the list of all domain controllers in the domain. If you aren't installing on a domain controller, specify the name of a computer that is in the domain and that can reach a domain controller. If you receive an error message indicating that PassSync can't locate a domain, specify a name.
6. Choose whether to refer to the domain by its DNS name. You can select the other name form, but the DNS name provides more advanced authentication and the ability to more reliably discover domains in bigger installations. The choice depends on your environment. Select the name of the domain you want to participate in password synchronization from the list, then confirm. The utility displays the names of all the domain controllers in the selected domain and the status of the filter on each.
7. The status for each domain controller should display the filter state as Running. It might take a few minutes for the utility to complete its automated task, and in the meantime the status might show an intermediate state. If the filter is not installed on a domain controller, use the utility's install option to place the filter on that server. Once installed, the filter shows Installed - Needs Reboot status. To complete the installation of the filter, reboot the domain controller, which you can do from inside the utility. You can choose to reboot the domain controllers at a time that makes sense for your environment. Just keep in mind that password synchronization won't be fully functional until every domain controller has been rebooted.
8. When the status for all domain controllers is Running, test password synchronization to confirm that it is working.

If you do not want to allow remote access to the registry of each domain controller, you must set up the password filters on each domain controller separately. To do this, go to each domain controller, install the driver files so you have the Identity Manager PassSync utility, and use the utility on each machine to install the password filter and update the registry.
In this procedure, you install the driver so that you have the Identity Manager PassSync utility. Then you use the utility to install the pwFilter.dll file, specify the port to use, and specify which host machine is running the Identity Manager Driver for Active Directory.
Because setting up the filter requires rebooting the domain controller, you might want to perform this procedure after hours, or reboot only one domain controller at a time. If a domain has more than one domain controller, keep in mind that each domain controller where you want Password Synchronization to function must have the filter installed and must be rebooted.
This procedure is for any domain controller that does not have the Active Directory driver installed on it.
1. Confirm that the following ports are available on both the domain controller and the machine where the Identity Manager Driver for Active Directory is configured to run:
135: The RPC endpoint mapper
137: NetBIOS name service
138: NetBIOS datagram service
139: NetBIOS session service
2. On the domain controller, use the Identity Manager installation to install only the Identity Manager Driver for Active Directory. Installing the driver installs the Identity Manager PassSync utility.
3. Open the Identity Manager PassSync utility from the Control Panel.
4. In the dialog box that is displayed, choose the option that specifies that this machine is not running the Active Directory driver. After you complete the configuration, you are not shown this prompt again unless you remove the password filter by using the remove button in the Password Filter Properties dialog box.
5. The Password Filter Properties dialog box appears, with a status message indicating that the password filter is not installed on this domain controller. Use the install button to install the password filter, pwFilter.dll.
6. For the port setting, specify whether to use a dynamic port or a static port. Use the static port option only if you have decided to configure remote procedure call (RPC) for the domain controller differently than the default. With a dynamic port, the endpoint mapper on port 135 hands out a port from the dynamic RPC range (49152-65535 by default on Windows Server 2008 and later), so a firewall between the domain controller and the driver host must also allow that range; a static port lets you open a single, known port instead.
7. Specify the hostname of the machine running the Identity Manager driver, then confirm. This step is necessary so that the password filter knows where to send the password changes. The password filter captures password changes, and must send them to the Identity Manager driver to update the Identity Manager data store.
8. Verify that the information specified in Step 6 and Step 7 is correct, then confirm.
9. Reboot the domain controller to complete the installation of the password filter. You can choose to reboot at a time that makes sense for your environment. Just keep in mind that password synchronization won't be fully functional until every domain controller has the password filter installed and has been rebooted. After the installation is complete and the domain controller is rebooted, the password filter is loaded automatically whenever the domain controller starts up.
10. Check the status for the password filter again by opening the Control Panel and double-clicking the Identity Manager PassSync utility. Confirm that the status says Running.
11. Repeat Step 2 through Step 10 for each domain controller that you want to participate in password synchronization.
12. When the status says Running for all the domain controllers, test password synchronization to confirm that it is working by having a user change his or her password using the Windows client. This should initiate the synchronization process.
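For either procedure, the state the utility reports for a domain controller can be cross-checked directly against the domain controller. The following is an added example and is not code from the Identity Manager documentation or product. The domain controller names are placeholders, and the script relies only on documented Windows behaviour: password filters live in %SystemRoot%\System32, are named (without the .dll extension) in the LSA "Notification Packages" registry value, and are loaded into lsass.exe. It does not check the Identity Manager-specific settings (driver host name, port), because this page does not name where they are stored. It assumes Windows PowerShell 5.1 run as a domain administrator, with the admin$ share, Remote Registry and the RPC ports reachable on each domain controller.

```powershell
# Added example, not from the Identity Manager documentation or product.
# Reports, for each domain controller, the facts behind the PassSync status
# column: whether pwFilter.dll is present in System32, whether it is registered
# with the LSA as a notification package, and whether lsass.exe has actually
# loaded it, which only happens after the reboot.
# The domain controller names are placeholders; replace them with your own.
param(
    [string[]]$DomainControllers = @('dc1.corp.example.com', 'dc2.corp.example.com')
)

function Get-PwFilterState {
    param([Parameter(Mandatory)][string]$Dc)

    # 1. On disk: Windows loads password filters only from %SystemRoot%\System32,
    #    which the admin$ share exposes.
    $onDisk = Test-Path -LiteralPath "\\$Dc\admin`$\System32\pwFilter.dll"

    # 2. Registered: the LSA calls the filters listed (without ".dll") in the
    #    REG_MULTI_SZ value "Notification Packages". Needs Remote Registry.
    $registered = $false
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
        $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $registered = @($lsa.GetValue('Notification Packages')) -contains 'pwFilter'
        $hklm.Close()
    } catch {
        Write-Warning "${Dc}: registry not readable remotely: $($_.Exception.Message)"
    }

    # 3. Loaded: tasklist /M lists the processes that have a module mapped.
    #    Before the reboot the DLL is on disk and registered but not in lsass.exe.
    $loaded = [bool]((tasklist /S $Dc /M pwFilter.dll 2>$null) -match '^lsass\.exe')

    # Collapse the three facts into the states the utility shows.
    $state = 'Not installed'
    if ($onDisk -and $registered)             { $state = 'Installed - Needs Reboot' }
    if ($onDisk -and $registered -and $loaded) { $state = 'Running' }

    [pscustomobject]@{
        DomainController = $Dc
        DllOnDisk        = $onDisk
        Registered       = $registered
        LoadedInLsass    = $loaded
        State            = $state
    }
}

$DomainControllers | ForEach-Object { Get-PwFilterState -Dc $_ } | Format-Table -AutoSize
```

A domain controller that shows the DLL on disk and registered but not loaded is exactly the Installed - Needs Reboot case described above; one that shows Running here but still does not synchronize should be checked for the RPC port and driver host settings, which this script does not read.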