Environment
Novell Identity Manager 4.x
Novell Identity Manager 3.x
Situation
Passwords are not syncing from Active Directory (AD) to eDirectory. Password changes get stuck under the HKLM\SOFTWARE\Novell\PwFilter\Data\<username> key in the registry, one subkey per user whose password has changed.
A level 5 trace of the Remote Loader running on the Domain Controller shows the following errors:
DirXML: [03/16/06 14:20:21.50]: ADDriver: [PWD] PwdDsGetDomainControllerInfo() returned 0x00000005
DirXML: [03/16/06 14:20:21.50]: ADDriver: [PWD] *pbValidDC = FALSE
DirXML: [03/16/06 14:20:21.50]: ADDriver: [PWD] - PwdVerifyDomainController() returned 0x00000005
DirXML: [03/16/06 14:20:21.50]: ADDriver: [PWD] PassSyncExchangeData() returned 0x00000774
Resolution
Potential resolutions:
1. Verify the Authentication ID specified on the driver properties has the appropriate rights.
From the Active Directory Driver documentation:
At a minimum, this account must be a member of the Administrators group and have Read and Replicating Directory Changes rights at the root of the domain for the Publisher channel to operate. You also need Write rights to any object modified by the Subscriber channel. Write rights can be restricted to the containers and attributes that are written by the Subscriber channel.
2. The Authentication Method, under the Driver Parameters, must be set to Negotiate.
Even when the Authentication Method is already set to Negotiate, these errors still occur if the connection to Microsoft Active Directory (MAD) cannot be fully authenticated. For example, if the username is in the wrong format (user@domain.com instead of DOMAIN\user or just user), authentication fails and the same errors appear.
3. Try changing the DirXML Remote Loader service to run as the application user specified in the driver properties instead of the "Local System Account".
4. Assign the Authentication ID user specified in the driver properties read, write, delete, and inheritance rights on the PassSync registry keys HKLM\SOFTWARE\Novell\PwFilter\Data and HKLM\SOFTWARE\Novell\PassSync\Data, and everything below them, on the Remote Loader server. This allows the Remote Loader to read the password change stored under the HKLM\SOFTWARE\Novell\PwFilter\Data\<Username> key for each user who has changed their password.
5. If the Remote Loader is running on a Domain Controller, try using the Administrator account for that domain controller and its password. In the Authentication ID specify: Administrator
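The following PowerShell script is an added example for steps 3 and 4 above; it is not part of the TID and not Identity Manager's own code. Run on the Remote Loader server from an elevated session, it lists the users whose password changes are currently parked under PwFilter\Data, shows which account the Remote Loader service runs as, and grants the driver's Authentication ID read, write and delete rights that inherit to subkeys on both PassSync keys. The account name is a placeholder, and the display-name pattern used to find the Remote Loader service is an assumption; adjust both to the installation.

```powershell
# Added example (not from the TID): inspect stuck password changes, report the
# Remote Loader service account, and grant the step 4 registry rights.
# ASSUMPTIONS: $AuthenticationId is a placeholder for the driver's Authentication
# ID (DOMAIN\user form); the '*Remote Loader*' display-name pattern is a guess.
param(
    [string]$AuthenticationId = 'DOMAIN\idm-ad-driver'   # placeholder, replace
)

$pwFilterData = 'HKLM:\SOFTWARE\Novell\PwFilter\Data'
$passSyncData = 'HKLM:\SOFTWARE\Novell\PassSync\Data'

# 1. What is stuck right now: one subkey per user whose password change the
#    Remote Loader has not been able to read.
$stuck = @(Get-ChildItem -Path $pwFilterData -ErrorAction SilentlyContinue)
Write-Host ('Password changes waiting under {0}: {1}' -f $pwFilterData, $stuck.Count)
$stuck | ForEach-Object { Write-Host ('  ' + $_.PSChildName) }

# 2. Which account the Remote Loader service runs as (step 3 suggests the
#    driver's application user rather than Local System).
#    The display-name pattern is an assumption; edit it to match the installed service.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like '*Remote Loader*' } |
    Select-Object Name, DisplayName, StartName, State |
    Format-Table -AutoSize

# 3. Read, write and delete on the key, inherited by all subkeys ("and below").
$rights      = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey, Delete'
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($key in @($pwFilterData, $passSyncData)) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "$key not found; is the password filter / PassSync installed on this server?"
        continue
    }
    $acl  = Get-Acl -Path $key
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                       -ArgumentList $AuthenticationId, $rights, $inheritance, $propagation, $allow
    $acl.AddAccessRule($rule)
    Set-Acl -Path $key -AclObject $acl

    # Verify: show the entries now present for the driver account on this key.
    Write-Host "Access entries for $AuthenticationId on $key"
    (Get-Acl -Path $key).Access |
        Where-Object { $_.IdentityReference.Value -eq $AuthenticationId } |
        Select-Object IdentityReference, RegistryRights, InheritanceFlags, AccessControlType |
        Format-Table -AutoSize
}
```

Only the two keys named in step 4 are touched, and the rule is added rather than replacing the existing ACL, so the Local System and Administrators entries the installer created stay in place. Re-running the script after a password change should show the per-user subkey appear and then disappear once the Remote Loader has picked it up.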
Additional Information
A list of Microsoft Windows error codes can be found at the following URL: http://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx
0x00000005 means ERROR_ACCESS_DENIED
0x00000774 means ERROR_DOMAIN_CONTROLLER_NOT_FOUND
The latter probably happens as a consequence of the former: a failed login to the domain because of an invalid authentication method, an invalid username format, or other authentication-related settings. It can also happen if the username specified lacks the rights required for operation. See the MAD driver documentation for full details of authentication types, syntaxes, and rights required.
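As an added example, not taken from the TID, the PowerShell function below pulls every "Function() returned 0x..." code out of the [PWD] lines of a Remote Loader trace and decodes it with the Windows message table (System.ComponentModel.Win32Exception), so the 0x00000005 / 0x00000774 pair above is read as "access denied" and "domain controller not found" without a hand-maintained lookup. The sample lines are constructed from the trace in the Situation section, and the trace file path at the end is a placeholder.

```powershell
# Added example (not from the TID): decode the Win32 return codes in [PWD] trace lines.
# ASSUMPTION: $TracePath is a placeholder; the sample below is constructed from the
# trace shown in the Situation section.
function Get-PwdTraceErrors {
    param([Parameter(Mandatory)][string[]]$Lines)

    # [PWD] lines of the form "... Function() returned 0xXXXXXXXX"
    $pattern = '\[PWD\].*?(?<fn>\w+)\s*\(\s*\)\s*returned\s+0x(?<code>[0-9A-Fa-f]{8})'
    $seen = @{}
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # Win32 error codes are small positive values, so Int32 is sufficient here.
            $code = [Convert]::ToInt32($Matches['code'], 16)
            $key  = '{0}:{1}' -f $Matches['fn'], $code
            if (-not $seen.ContainsKey($key)) {
                $win32 = New-Object -TypeName System.ComponentModel.Win32Exception -ArgumentList $code
                $seen[$key] = [pscustomobject]@{
                    Function = $Matches['fn']
                    Code     = '0x{0:X8}' -f $code
                    Decimal  = $code
                    Message  = $win32.Message   # localized Windows text, e.g. "Access is denied"
                    Count    = 0
                }
            }
            $seen[$key].Count++
        }
    }
    $seen.Values | Sort-Object -Property Function
}

# Constructed sample matching the trace in the Situation section.
$sample = @(
    'DirXML: [03/16/06 14:20:21.50]: ADDriver: [PWD] PwdDsGetDomainControllerInfo() returned 0x00000005',
    'DirXML: [03/16/06 14:20:21.50]: ADDriver: [PWD] *pbValidDC = FALSE',
    'DirXML: [03/16/06 14:20:21.50]: ADDriver: [PWD] - PwdVerifyDomainController() returned 0x00000005',
    'DirXML: [03/16/06 14:20:21.50]: ADDriver: [PWD] PassSyncExchangeData() returned 0x00000774'
)
$errors = Get-PwdTraceErrors -Lines $sample
$errors | Format-Table -AutoSize

# Triage hint from the article: ERROR_ACCESS_DENIED (5) while verifying the DC is
# the root cause and ERROR_DOMAIN_CONTROLLER_NOT_FOUND (0x774) follows from it.
if ($errors | Where-Object { $_.Decimal -eq 5 }) {
    Write-Host 'Access denied during DC verification: check Authentication ID rights, Negotiate, and the username format.'
}

# On a real trace file (path is a placeholder):
# $TracePath = 'C:\path\to\remoteloader-trace.log'
# Get-PwdTraceErrors -Lines (Get-Content -Path $TracePath) | Format-Table -AutoSize
```

The Message column comes from the local Windows message table, so it is localized and the wording may differ from the MSDN symbolic names; the Decimal column is the stable value to key on when filtering. Counting occurrences per function also makes it obvious whether the failure is a one-off or repeats on every PassSync poll.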