Password Synchronization failing to Active Directory intermittently.

  • 3004823
  • 23-May-2006
  • 26-Apr-2012

Environment

Microsoft Active Directory
Novell Nsure Identity Manager 2.0
Novell Identity Manager 3.0

Situation

Multiple domains are synchronized from one server with the Remote Loader. The Password Sync Applet in Control Panel shows multiple domains.

Passwords intermittently synchronize from only one of the domains, or do not synchronize from either domain at all.

Resolution

Password Synchronization 2.0 does not currently support synchronizing passwords to multiple domains from the same Remote Loader server. Two-way synchronization requires the Negotiate method of authentication, and the server running the Remote Loader must be a member of the domain to which passwords are synchronized. For this reason, passwords from multiple domains cannot be synchronized from the same server.

Membership of a server in a parent domain is not the same as membership in the synchronized child domains. The server must be a member of the specific domain from which passwords are synchronized for the Negotiate method to work reliably.

Also, because of the nature of the Negotiate method, only one driver can control the RPC channel through which passwords arrive from Active Directory. Because of this limitation, only one driver at a time receives the passwords, even though those passwords may originate from multiple domains.

To resolve both of the above issues, when passwords are synchronized through Identity Manager from Active Directory to eDirectory, the Remote Loader must run on a separate server for each AD domain being synchronized.
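The three constraints above (Negotiate for two-way sync, Remote Loader host joined to the exact domain it serves, one Remote Loader server per domain) are easy to violate when a deployment grows one domain at a time. The following pre-deployment check is an added example written for this article; it is not Novell code and not part of the TID. The `DriverConfig` field names, the driver names and the sample topology are constructed for illustration, and the check generalizes the article's two-domain case to any number of domains and hosts.

```python
"""Validate a planned Identity Manager password-sync topology against the
constraints stated in the TID (added example, not part of the article):
  1. Two-way synchronization requires the Negotiate authentication method.
  2. The Remote Loader host must be a member of the exact AD domain it
     synchronizes passwords from; membership in a parent domain is not enough.
  3. Each AD domain needs its own Remote Loader server; one host may not
     serve two domains.
All field names and sample values below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DriverConfig:
    driver_name: str          # IDM driver name (hypothetical)
    ad_domain: str            # AD domain whose passwords this driver syncs (DNS name)
    remote_loader_host: str   # server running the Remote Loader for this driver
    host_member_domain: str   # domain the Remote Loader server is actually joined to
    auth_method: str          # "Negotiate" or "Simple"
    two_way_sync: bool        # True when passwords also flow AD -> eDirectory


def validate_topology(configs):
    """Return a list of (driver_name, problem) tuples; an empty list means the
    plan satisfies all three constraints."""
    problems = []
    domains_per_host = defaultdict(set)

    for c in configs:
        domains_per_host[c.remote_loader_host.lower()].add(c.ad_domain.lower())

        # Constraint 1: two-way sync only works with Negotiate authentication.
        if c.two_way_sync and c.auth_method.lower() != "negotiate":
            problems.append((c.driver_name,
                             f"two-way sync requires Negotiate authentication, "
                             f"got {c.auth_method}"))

        # Constraint 2: host must be joined to the exact domain it syncs from.
        # A parent-domain membership (e.g. corp.example.com for
        # sales.corp.example.com) does not count.
        if c.host_member_domain.lower() != c.ad_domain.lower():
            problems.append((c.driver_name,
                             f"Remote Loader host {c.remote_loader_host} is joined "
                             f"to {c.host_member_domain}, not to {c.ad_domain}"))

    # Constraint 3: one Remote Loader server per AD domain.
    for host, domains in domains_per_host.items():
        if len(domains) > 1:
            for c in configs:
                if c.remote_loader_host.lower() == host:
                    problems.append((c.driver_name,
                                     f"host {c.remote_loader_host} serves "
                                     f"{len(domains)} domains "
                                     f"({', '.join(sorted(domains))}); one Remote "
                                     f"Loader server per domain is required"))
    return problems


# Constructed sample: the failing layout from the Situation section (two domains
# on one Remote Loader server, host joined only to the parent domain) plus a
# third driver using Simple authentication.
SAMPLE_PLAN = [
    DriverConfig("AD-Corp", "corp.example.com", "RL01", "corp.example.com", "Negotiate", True),
    DriverConfig("AD-Sales", "sales.corp.example.com", "RL01", "corp.example.com", "Negotiate", True),
    DriverConfig("AD-Lab", "lab.example.com", "RL02", "lab.example.com", "Simple", True),
]

# Constructed sample: the layout the Resolution section calls for.
FIXED_PLAN = [
    DriverConfig("AD-Corp", "corp.example.com", "RL01", "corp.example.com", "Negotiate", True),
    DriverConfig("AD-Sales", "sales.corp.example.com", "RL03", "sales.corp.example.com", "Negotiate", True),
    DriverConfig("AD-Lab", "lab.example.com", "RL02", "lab.example.com", "Negotiate", True),
]


if __name__ == "__main__":
    for label, plan in (("sample plan", SAMPLE_PLAN), ("fixed plan", FIXED_PLAN)):
        found = validate_topology(plan)
        print(f"{label}: {len(found)} problem(s)")
        for driver, msg in found:
            print(f"  [{driver}] {msg}")
```

Run against the sample plan the check reports four findings: the shared host RL01 is flagged once for each driver it serves, AD-Sales is flagged for parent-domain membership, and AD-Lab is flagged for Simple authentication. The fixed plan, with one Remote Loader server joined to each domain, reports nothing.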