Troubleshooting Password Synchronization from the Active Directory Filter to the Active Directory Driver.

  • 3554990
  • 11-Apr-2007
  • 30-Apr-2014

Environment

NetIQ Identity Manager Driver - Active Directory
Novell Identity Manager Driver- Active Directory Driver
Novell Identity Manager Password Synchronization

Situation

Troubleshooting Password Synchronization from the Active Directory Filter to the Active Directory Driver.
How can problems connecting to Domain Controller filters be solved. Also, What causes an Event ID 9.

Resolution

The Password must be picked up by a PWDFilter API that is installed on every Domain Controller and then passed to the driver.

Before this can happen, on startup, the driver must create an RPC connection with each Domain Controller to make sure that passwords can sync. The driver uses the following steps to obtain the connection.
Step 1– The driver must get a list of Domain Controllers. To get the list, it uses the Microsoft Locator DsGetDcName command. The Locator DsGetDcName application programming interface (API) call is implemented by the Netlogon service. Please see the following Microsoft document on how this is done.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbc_nar_azuo.mspx?mfr=true
If this fails you will see an error 2453 Could not find domain controller for this domain. When this happens follow the steps in the following Microsoft document to troubleshoot the problem.
How Domain Controllers Are Located in Windows
http://support.microsoft.com/kb/247811
As well as Microsoft Document 247811, the following Microsoft Document on Netdiag can help troubleshoot problems that may happen. http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnbd_trb_obva.mspx?mfr=true

Step 2- The driver follows the normal Microsoft steps of getting the Domain Controller information to get a list of Domain Controllers and then contacts them using Microsofts' Remote Procedure Calls.

If network or Microsoft RPC problems exist with any of the Domain Controllers, an Event ID 9 will show up in the Application event log and passwords will not sync from the problem Domain Controllers until the issue is resolved. However, Domain Controllers that connect successfully will continue to sync passwords.

In addition, when the driver contacts the filters via an RPC, an RPC is made back to the driver. Because of this, the RPC to the filter can succeed but the RPC back to the driver could return an error. Since the second RPC was made within the first RPC the error from the second RPC is returned through the first one. Therefor, RPC should be checked from both directions.

You can find what servers to work on and what the issue may be by doing the following steps.

Step 1- Get a level 5 trace on the Remote Loader (if not using Remote Loader, get a level 5 trace from the engine) of the driver starting up. In that trace you will see each Domain Controller contacted and whether or not there was a problem.

A successful line will read as follows:
SetFilterInfo() returned 0x00000000
An unsuccessful line may read something such as follows:
SetFilterInfo() returned 0x000006D9 or some other RPC error code

Step 2- Fix the problem by checking the Microsoft support site for more information.

For example, 0x000006D9 translates into a "There are no more endpoints available from the endpoint". mapper." error.
The Microsoft support site has this information.
How to troubleshoot RPC Endpoint Mapper errors
http://support.microsoft.com/?id=839880 or
For another example, SetFilterInfo() returned 0x000006BA, go to http://support.microsoft.com/kb/831051 This is the only error that will not return an Event ID 9.
Also, please consult Microsoft for the latest documents on for more recent versions of Windows.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.