Hi there,
We had an interesting issue the other day. Some users were noting that
their AD password changes were not synching to eDirectory last week.
Having them try to reset the password again sorted them out.
PasswordSync filter and domain controllers are all listed and indicated
as running. Most users were unaffected. There are 10 Domain Controllers.

We restarted the AD driver (not the remote loader) to implement a
non-related change and noted loads of password sync events to eDirectory
from AD occurred directly after restart.

Now some users are saying that their old passwords are now effective in
eDirectory instead of their most recent AD passwords. AD password
change time is correct but eDir change time is around the same time as
the AD driver restarted.

The forum discussion 'here' (http://tinyurl.com/p5qr4mh) on
and TID '3614450'

We think the AD Driver restart gave the Remote Loader a "kick" and
flushed "stuck" cached old password changes. The Password Sync event
log on the Remote Loader DC has two events at this restart time saying
"The password filter has been fully initialized" and "Driver is
synchronizing passwords with the domain controller". We see these every
time the driver has been restarted, and they appear to be routine. No Error
events or anything to indicate that passwords were not synching.

Is there a way to monitor the number of cached passwords and any other
way to detect if this is happening?
The AD driver does not have the setting for DC-PasswordTime-to-Live. Is
there a registry setting that can be directly applied?


kmaule's Profile: https://forums.netiq.com/member.php?userid=306
View this thread: https://forums.netiq.com/showthread.php?t=53702
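One way to keep an eye on the Password Sync filter across all the DCs is to poll each DC's event log for the two filter messages quoted in the post and flag any DC that has not logged them in the window; DCs that never re-initialize are the first place to look for held-back changes. This is an added example, not code from the post or from NetIQ; it assumes the filter writes to the Application log (adjust `-LogName` to whatever log the post calls the "Password Sync event log") and that remote event log access to each DC is permitted.

```powershell
# Added example, not from the original post or from NetIQ.
# Lists, per DC, how many times the filter reported initialization and
# synchronization since $Since, and when it was last seen doing so.
param(
    # Assumption: every DC in the domain runs the PasswordSync filter.
    [string[]]$DomainControllers = (Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty HostName),
    [datetime]$Since = (Get-Date).AddHours(-24)
)

# The two routine messages quoted in the post.
$initMsg = 'The password filter has been fully initialized'
$syncMsg = 'Driver is synchronizing passwords with the domain controller'

$report = foreach ($dc in $DomainControllers) {
    # Assumption: the filter logs to the Application log. With
    # SilentlyContinue, "no events found" simply yields an empty list.
    $events = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Application'; StartTime = $Since } |
        Where-Object { $_.Message -like "*$initMsg*" -or
                       $_.Message -like "*$syncMsg*" })

    $last = $events | Sort-Object TimeCreated -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        DC          = $dc
        Initialized = @($events | Where-Object { $_.Message -like "*$initMsg*" }).Count
        Syncing     = @($events | Where-Object { $_.Message -like "*$syncMsg*" }).Count
        LastSeen    = if ($last) { $last.TimeCreated } else { $null }
    }
}

# DCs with zero hits since $Since stand out at the top of the table.
$report | Sort-Object Initialized, Syncing | Format-Table -AutoSize
```

Run it on a schedule and compare successive reports; a DC whose counts only move when the AD driver is restarted matches the pattern described in the post.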