Password Sync Initialization Failed: Password Sync has been Disabled

  • 7018365
  • 06-Dec-2016
  • 06-Dec-2016

Environment

NetIQ Identity Manager 4.5.4
NetIQ Identity Manager - Password Synchronization

Situation

Environment: Identity Manager 4.5.4 and Active Directory Driver 4.0.2.0 running locally on a Windows 2008 member server.

The following error is received in the driver log.

[12/05/16 08:39:46.041]:AD Driver PT:Receiving DOM document from application.
[12/05/16 08:39:46.041]:AD Driver PT:
<nds dtdversion="2.2">
  <source>
    <product build="20150918_120000" instance="\Novell\Driver Set\Active Directory Driver" version="4.0.2.0">AD</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <input>
    <status level="warning" type="driver-status">
      <description>Password Sync Initialization Failed: Password Sync has been Disabled.</description>
    </status>
  </input>

No additional errors were seen in the Driver log.

Re-configuring the driver to use a Remote Loader and setting the Remote Loader trace level to 5 showed the following errors:

DirXML: [12/06/16 10:26:10.08]: ADDriver: [PWD 3012] - InitializeDomainInfo()
DirXML: [12/06/16 10:26:10.08]: ADDriver: [PWD] PassSyncRPC::InitializeRpcServer()
DirXML: [12/06/16 10:26:10.11]: ADDriver: [PWD] InitializeRpcServer() - waiting to run...
DirXML: [12/06/16 10:26:10.11]: ADDriver: [PWD] InitializeRpcServer() - dwWait = 0x00000001
DirXML: [12/06/16 10:26:10.11]: ADDriver: [PWD] InitializeRpcServer() - check what protocols are supported.
DirXML: [12/06/16 10:26:10.11]: ADDriver: [PWD] InitializeRpcServer() - release the RPC mutex.
DirXML: [12/06/16 10:26:10.12]: ADDriver: [PWD] PassSyncRPC::InitializeRpcServer() returned 0x00000057


Resolution

Re-configuring the internal firewalls per the Microsoft document "The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008" (https://support.microsoft.com/en-us/kb/929851) allowed RPC communication to initialize properly and password changes to start synchronizing.

Another option may be to disable the server firewall and the internal firewall between the servers completely and see whether password synchronization then initializes without errors.

Cause

The customer had previously configured their internal firewalls to use a smaller RPC port range, as described in the Microsoft document "How to configure RPC dynamic port allocation to work with firewalls" (https://support.microsoft.com/en-us/kb/154596). However, that method is not valid for Windows Server 2008.

Password synchronization uses Windows RPC to synchronize passwords from the Remote Loader to the Windows server running the driver, or to the Remote Loader server running the driver.
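The following PowerShell script is an added example and is not part of this article or of the Identity Manager product. It audits, on the Windows server hosting the AD driver or Remote Loader, the three settings that the Cause and Resolution sections turn on: the legacy per-host RPC port restriction from KB 154596 (the registry key HKLM\SOFTWARE\Microsoft\Rpc\Internet), the TCP dynamic port range from KB 929851, and host firewall rules for the RPC endpoint mapper and that range. Without -Fix it only reports; with -Fix it backs up and removes the legacy key, resets the dynamic range to the Windows Server 2008 default, and adds inbound rules scoped to the domain controllers. It assumes an elevated session, English netsh output, and that the rule names, the 1000-port threshold and the `<DC1-IP>`/`<DC2-IP>` values are placeholders chosen for this example; network firewalls between the domain controllers and this server need the same two openings and are not touched by the script.

```powershell
<#
  Added example, not from the NetIQ article or the Identity Manager product.
  Audits (and with -Fix, corrects) the RPC port configuration discussed in the
  Cause and Resolution sections, on the server hosting the AD driver / Remote
  Loader. Assumes Windows Server 2008 or later, an elevated session, English
  netsh output, and the registry key and netsh commands documented in
  Microsoft KB 154596 and KB 929851.
#>
param(
    [switch]$Fix,
    # Placeholder values: replace with the domain controllers whose password
    # filters send password changes to this server.
    [string[]]$DomainControllers = @('<DC1-IP>', '<DC2-IP>')
)

if ($Fix -and ($DomainControllers -match '^<')) {
    throw 'Replace the DomainControllers placeholder before running with -Fix'
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Legacy per-host RPC port restriction (KB 154596). The article states this
#    method is not valid on Windows Server 2008; when present it caps the ports
#    the RPC runtime may register for the driver's password sync RPC server.
$rpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (Test-Path $rpcInternet) {
    $k = Get-ItemProperty -Path $rpcInternet
    $findings.Add("Legacy RPC restriction present: Ports=$($k.Ports -join ',') " +
                  "UseInternetPorts=$($k.UseInternetPorts) PortsInternetAvailable=$($k.PortsInternetAvailable)")
    if ($Fix) {
        # Keep a backup, then remove; the RPC runtime reads this key at boot.
        reg export 'HKLM\SOFTWARE\Microsoft\Rpc\Internet' "$env:TEMP\Rpc-Internet-backup.reg" /y | Out-Null
        Remove-Item -Path $rpcInternet -Recurse
        $findings.Add("Removed $rpcInternet (backup in $env:TEMP); reboot required")
    }
} else {
    $findings.Add('No legacy RPC port restriction (KB 154596 key absent)')
}

# 2. TCP dynamic port range (KB 929851: 49152-65535 by default on 2008+).
$dyn   = netsh int ipv4 show dynamicport tcp
$start = [int](($dyn | Select-String 'Start Port').Line -replace '\D', '')
$count = [int](($dyn | Select-String 'Number of Ports').Line -replace '\D', '')
$end   = $start + $count - 1
$findings.Add("Dynamic TCP range: $start-$end ($count ports)")
if ($count -lt 1000) {   # threshold chosen for this example, not a Microsoft value
    $findings.Add('Dynamic range is unusually small; RPC endpoint registration may fail')
    if ($Fix) {
        netsh int ipv4 set dynamicport tcp start=49152 num=16384 | Out-Null
        $start = 49152; $end = 65535
        $findings.Add('Dynamic range reset to 49152-65535')
    }
}

# 3. Host firewall: the endpoint mapper (TCP 135) and the dynamic range must be
#    reachable, and only from the domain controllers (least exposure).
$rules = @{
    'IDM PassSync RPC endpoint mapper' = '135'
    'IDM PassSync RPC dynamic range'   = "$start-$end"
}
$dcList = $DomainControllers -join ','
foreach ($name in $rules.Keys) {
    $show = netsh advfirewall firewall show rule name="$name" | Out-String
    if ($show -match 'No rules match') {
        $findings.Add("Firewall rule missing: $name (TCP $($rules[$name]))")
        if ($Fix) {
            netsh advfirewall firewall add rule name="$name" dir=in action=allow `
                protocol=TCP localport=$($rules[$name]) remoteip=$dcList | Out-Null
            $findings.Add("Added inbound rule '$name' scoped to $dcList")
        }
    } else {
        $findings.Add("Firewall rule present: $name")
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it once without -Fix on the driver server and compare the report against the Remote Loader trace: a present KB 154596 key or a very small dynamic range is the host-side counterpart of the InitializeRpcServer() failure shown above, while missing firewall rules point at the internal firewall configuration the Resolution section describes. The inbound rules are scoped to the domain controllers' addresses so the RPC listener is not exposed to the whole network.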