AD Passwords not syncing when more than one AD driver is installed.

  • 7022664
  • 15-Feb-2018
  • 28-Mar-2018

Environment

Identity Manager 4.6
Active Directory driver
Windows Remote Loader

Situation

Password synchronization between Active Directory and the Identity Vault works most of the time but occasionally stops. Passwords build up in the cache and there are no errors in the logs.
Restarting the Remote Loader several times will fix it.
There are two AD drivers defined on the Remote Loader.

Resolution

Setting “Password Sync Timeout” to 0 on the driver(s) that are not configured to handle password sync resolves the issue. The documentation describes the parameter as follows:
---
Password Sync Timeout (minutes): Specify the number of minutes for the driver to attempt to synchronize a given password. The driver does not try to synchronize the password after this interval has been exceeded.

The recommended value is at least three times the value of the polling interval. For example, if the Driver Polling Interval is set to 10 minutes, set the Password Sync Timeout to 30 minutes.

If this value is set to 0, password synchronization is disabled for this driver.

Cause

Two (or more) AD drivers are defined, pointing to the same domain. Only one of these is configured for password sync. All of these drivers are deployed, each configured to connect to a different instance of the Remote Loader (RL), and all of those RL instances run on the same Windows host.

When the RL bound to the driver that is configured for password sync is started first, password sync flows correctly. However, if the RL bound to a driver that is not configured for password sync is started first, the password sync module binds to that instance instead, and password sync requests are merely queued until all RLs are stopped and the RL bound to the password-sync driver is again started first. At that point the cached password sync requests are all processed.