trup

Password Synchronization plugin for AD - Config issue

2013-02-06T19:00:59Z
Hello,

I am setting up the Password Synchronization plug-in for AD. I set up the AD agent and the plug-in on one of the domain controller (DC) servers.
When we do a password reset on Windows, the password is not getting changed for the other accounts in ITIM, and nothing is coming into the Password Synchronization plug-in logs (no logging at all) at C:\Tivoli\PasswordSynch\log.

We did enable logging using the PFConfig window.

We have 4 DCs and I set up the plug-in on only one DC right now for testing purposes. Is that OK, or do I need to set up the plug-in on all DCs?

Thanks for help.
Updated on 2013-02-12T23:24:49Z by trup
  • HomerJSimpson

    Re: Password Synchronization plugin for AD - Config issue

    2013-02-06T19:03:25Z in response to trup
    The Adapter can run on any Windows box in the Domain (doesn't even have to be a DC).
    BUT... the Password Sync MUST run on all DCs in the Domain (since any DC can process the password change).
    • SystemAdmin

      Re: Password Synchronization plugin for AD - Config issue

      2013-02-06T19:24:16Z in response to HomerJSimpson
      This is the normal rule - but there may be exceptions.

      In AD you can set the priority of the DCs - and if the priority is sufficiently low no password changes will go to the DCs - this is commonly used where DCs are placed in zones for AD management purposes only (no user maintenance).

      For testing you cannot assure this in a normal environment - normally if you change the password DIRECTLY on the DC it will not leave the box (e.g. using the administrative password change in Users and Computers) - but you cannot be sure...

      HTH
      Regards
      Franz Wolfhagen
  • trup

    Re: Password Synchronization plugin for AD - Config issue

    2013-02-06T23:20:52Z in response to trup
    Thanks for your help and suggestions.

    I have now set up the Reverse Pwd Synch plug-in for AD on all DCs. I did confirm the password got changed in AD but not in ITIM. I can still log in with the old password in the ITIM console.
    I also checked the log folder for all plug-ins installed on the different DCs; none of the plug-ins generated logs.

    Here I am trying to fix the prod issue where the AD Windows environment was upgraded to Windows 2008 from 2003 but the TIM environment (TIM Express 4.6) was not upgraded. TIM Express 4.6 only supports 2000 and 2003.

    Though I know it is not supported, the AD agent is able to create AD accounts, delete, recon, etc., so I thought the plug-in might work as well. But no luck. I am working with IBM PMR.

    Let me know if anybody has tried something like this where two incompatible versions worked.

    Thanks.
    • trup

      Re: Password Synchronization plugin for AD - Config issue

      2013-02-12T23:24:49Z in response to trup
      Though officially this configuration is not supported, to fix the production issue I installed the TIM 5.1 AD adapter and Password Synchronization plug-in in the TIMX (TIM 4.6 Express) environment.

      I haven't imported TIM 5.1 AD profile though.

      Reverse password synchronization, reconciliation, and other AD account life cycle operations are working fine for the Windows 2008 environment.

      The issue is fixed for now; we are going to observe.
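
The rule given in HomerJSimpson's answer (the Password Sync plug-in must be on every DC, because any DC can process the change) can be audited with a script like the one below. It is an added example, not part of any post in this thread and not IBM's tooling. It assumes the plug-in registers as a Windows password filter in the LSA `Notification Packages` registry value; the filter name is a placeholder to replace with the entry your installation created.

```powershell
# Added example: audit every domain controller for a registered password filter.
# ASSUMPTION: the plug-in is listed in the LSA 'Notification Packages' value.
# Requires the ActiveDirectory module and PowerShell remoting to each DC.
Import-Module ActiveDirectory

$FilterName = 'PLACEHOLDER_FILTER_NAME'   # hypothetical; not taken from the thread
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Read the REG_MULTI_SZ list and the last boot time on the DC itself.
        $info = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ArgumentList $LsaKey -ScriptBlock {
            param($key)
            [pscustomobject]@{
                Packages = @((Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages')
                LastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
            }
        }
        [pscustomobject]@{
            DC         = $dc.HostName
            Registered = $info.Packages -contains $FilterName   # case-insensitive match
            Packages   = $info.Packages -join ', '
            LastBoot   = $info.LastBoot
            Error      = $null
        }
    } catch {
        # An unreachable DC is unknown coverage, so report it as not registered.
        [pscustomobject]@{
            DC = $dc.HostName; Registered = $false; Packages = $null
            LastBoot = $null; Error = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize DC, Registered, LastBoot, Packages, Error

# Any DC in this list can accept a password change without the filter seeing it.
$missing = @($results | Where-Object { -not $_.Registered })
if ($missing.Count -gt 0) {
    Write-Warning ("Filter '{0}' not confirmed on: {1}" -f $FilterName, ($missing.DC -join ', '))
}
```

LSA loads notification packages at boot, so compare `LastBoot` with the time the plug-in was installed: a DC that lists the filter but has not restarted since will still not call it. The same listing also shows any unexpected entry in `Notification Packages`, which is worth reviewing because every package there receives cleartext passwords.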