I am setting up the Password Synchronization plug-in for AD. I set up the AD agent and the plug-in on one of the domain controller (DC) servers.
When we do a password reset on Windows, the password is not getting changed for other accounts in ITIM, and nothing is coming in the Password Synchronization plug-in logs (no logging at all) at C:\Tivoli\PasswordSynch\log.
We did enable logging using the PFConfig window.
We have 4 DCs and I set up the plug-in on only one DC right now for testing purposes. Is that OK, or do I need to set up the plug-in on all DCs?
Thanks for the help.
4 replies Latest Post - 2013-02-12T23:24:49Z by trup
Topic: Password Synchronization plugin for AD - Config issue
HomerJSimpson 270003289F 157 Posts ACCEPTED ANSWER
Re: Password Synchronization plugin for AD - Config issue
2013-02-06T19:03:25Z in response to trup
The Adapter can run on any Windows box in the Domain (doesn't even have to be a DC).
BUT... the Password Sync MUST run on all DCs in the Domain (since any DC can process the password change).
SystemAdmin 110000D4XK 9855 Posts ACCEPTED ANSWER
Re: Password Synchronization plugin for AD - Config issue
2013-02-06T19:24:16Z in response to HomerJSimpson
This is the normal rule - but there may be exceptions.
In AD you can set the priority of the DCs - and if the priority is sufficiently low, no password changes will go to the DCs - this is commonly used where DCs are placed in zones for AD management purposes only (no user maintenance).
For testing you cannot assure this in a normal environment - normally if you change the password DIRECTLY on the DC it will not leave the box (e.g. using the administrative password change in Users and Computers) - but you cannot be sure...
Re: Password Synchronization plugin for AD - Config issue
2013-02-06T23:20:52Z in response to trup
Thanks for your help and suggestions.
I have now set up the Reverse Pwd Synch plug-in for AD on all DCs. I did confirm the password got changed in AD but not in ITIM. I can still log in with the old password in the ITIM console.
I also checked the log folder for all plug-ins installed on the different DCs; none of the plug-ins generated logs.
Here I am trying to fix the prod issue where the AD Windows environment was upgraded to Windows 2008 from 2003 but the TIM environment (TIM Express 4.6) was not upgraded. TIM Express 4.6 only supports 2000 and 2003.
Though I know it is not supported, the AD agent is able to create AD accounts, delete, recon etc., so I thought the plug-in might work as well. But no luck. I am working with an IBM PMR.
Let me know if anybody has tried something like this where two incompatible versions worked.
Re: Password Synchronization plugin for AD - Config issue
2013-02-12T23:24:49Z in response to trup
Though officially the configuration is not supported, to fix the production issue
I installed the TIM 5.1 AD adapter and Password Synchronization plug-in in the TIMX (TIM 4.6 Express) environment.
I haven't imported the TIM 5.1 AD profile though.
Reverse password synchronization, reconciliation, and other AD account life cycle operations are working fine for the Windows 2008 environment.
Issue fixed for now; we are going to observe.
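
The rule given in the replies above (the plug-in has to be present on every DC, since any DC can process the password change) can be checked per DC. The script below is an added example, not part of the thread and not IBM's tooling. It assumes the plug-in is registered as a Windows password filter under the LSA `Notification Packages` value, that the DCs run PowerShell 3.0 or later with remoting enabled, and it uses a placeholder for the filter DLL name, which is not given on this page.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module (RSAT)
# and PowerShell remoting to every DC.
Import-Module ActiveDirectory

# Assumption: placeholder for the plug-in's filter DLL name (without .dll);
# take the real name from the plug-in's installation guide.
$FilterName = '<PLUGIN_FILTER_DLL_NAME>'
# Log directory as stated in the original post.
$LogDir = 'C:\Tivoli\PasswordSynch\log'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
            -ArgumentList $FilterName, $LogDir -ScriptBlock {
            param($FilterName, $LogDir)
            # Password filters loaded by LSA are listed in this multi-string value.
            $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name 'Notification Packages'
            $packages = @($lsa.'Notification Packages')
            # Newest file in the plug-in log directory, if any exists.
            $newest = Get-ChildItem -Path $LogDir -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                Sort-Object LastWriteTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                DC                   = $env:COMPUTERNAME
                FilterRegistered     = $packages -contains $FilterName
                NotificationPackages = $packages -join ', '
                NewestLogWrite       = if ($newest) { $newest.LastWriteTime } else { $null }
            }
        }
    } catch {
        # A DC that cannot be reached is reported, not silently skipped.
        [pscustomobject]@{
            DC                   = $dc.HostName
            FilterRegistered     = $null
            NotificationPackages = "unreachable: $($_.Exception.Message)"
            NewestLogWrite       = $null
        }
    }
}

# One row per DC; any row without FilterRegistered = True is a coverage gap.
$report | Sort-Object DC |
    Format-Table DC, FilterRegistered, NewestLogWrite, NotificationPackages -AutoSize
```

Windows loads password filters when LSA starts, so a DC that shows the filter as registered but has not been rebooted since the registration will still not call it. The `NotificationPackages` column also shows any other filter DLLs registered on a DC, which is worth reviewing because every entry there receives cleartext passwords.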