Password Sync Initialization Failed

Hi There,

We are using IDM 4.7 on a Windows system and have configured all the DCs through the pass sync tool, and all are running; even using the pass sync utility tool I can see that users' passwords are there inside the driver machine cache. But when I am starting it I get the following issue/error.

Error:
<nds dtdversion="2.2">
<source>
<product build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver " version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<status level="warning" type="driver-status">
<description>Password Sync Initialization Failed: Password Sync has been Disabled.</description>
</status>
</input>
</nds>

And also see the driver information below:

[12/17/18 15:49:26.599]:adnew.log :  Name: ConnectedSystemName Value: ~drv.name~
[12/17/18 15:49:26.599]:adnew.log : Name: enable-password-subscribe Value: true
[12/17/18 15:49:26.600]:adnew.log : Name: enable-password-publish Value: true
[12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-nds Value: true
[12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-dp Value: false
[12/17/18 15:49:26.601]:adnew.log : Name: enforce-password-policy Value: true
[12/17/18 15:49:26.601]:adnew.log : Name: reset-external-password-on-failure Value: true
[12/17/18 15:49:26.601]:adnew.log : Name: notify-user-on-password-dist-failure Value: true
[12/17/18 15:49:26.602]:adnew.log : Name: UAProvURL Value: http://localhost:8180/IDMProv
[12/17/18 15:49:26.602]:adnew.log : Name: UAProvAdmin Value: CN=uaadmin.OU=sa.O=data
[12/17/18 15:49:26.602]:adnew.log : Name: service-account-dn Value:
[12/17/18 15:49:26.602]:adnew.log : Name: NOVLLIBLDAP.host Value: 127.0.0.1
[12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.port Value: 389
[12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.user Value: cn=admin,ou=sa,o=system
[12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.password Value: NOVLLIBLDAP.password
[12/17/18 15:49:26.604]:adnew.log : Name: NOVLLIBLDAP.base Value: o=data
[12/17/18 15:49:26.604]:adnew.log : Name: NOVLLIBLDAP.scope Value: sub
[12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.users Value: data\users
[12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.groups Value: data\groups
[12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.treename Value: NTL_IDM_VAULT
[12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.driverdn Value: \NTL_IDM_VAULT\system\driverset1\Active Directory Driver

<authentication-info>
<server>172.xxx.xx.x</server>
<user>domain/IdmAdmin</user>
<password><!-- content suppressed --></password>
</authentication-info>
<driver-options>
<auth-options display-name="Show authentication options">show</auth-options>
<auth-method display-name="Authentication Method">Negotiate</auth-method>
<signing display-name="Digitally sign communications">no</signing>
<sealing display-name="Digitally sign and seal communications">yes</sealing>
<use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">no</use-ssl>
<impersonation display-name="Logon and impersonate">yes</impersonation>
<xchg-options display-name="Show Exchange Management Options">hide</xchg-options>
<xchg-prov display-name="Enable Exchange mailbox provisioning">disabled</xchg-prov>
<exch-move display-name="Allow Exchange mailbox move">yes</exch-move>
<exch-delete display-name="Allow Exchange mailbox delete">yes</exch-delete>
<exch-api-type display-name="Exchange Management interface type">use-exch-2010</exch-api-type>
<exchange-server display-name="Exchange Server FQDN"></exchange-server>
<access-options display-name="Show access options">show</access-options>
<pollingInterval display-name="Driver Polling Interval">1</pollingInterval>
<pub-heartbeat-interval display-name="Publisher heartbeat interval">1</pub-heartbeat-interval>
<pub-password-expire-time display-name="Password Sync Timeout (minutes)">5</pub-password-expire-time>
<pub-filter-password-time-to-live display-name="DC Passwords TimeToLive (minutes)">5</pub-filter-password-time-to-live>
<search-domain-scope display-name="Search domain scope">yes</search-domain-scope>
<advanced-options display-name="Show advanced options">show</advanced-options>
<enable-delete-protected-2008 display-name="Enable Deletion of protected objects in Windows server 2008">no</enable-delete-protected-2008>
<retry-ldap-auth-unknown display-name="Retry LDAP Auth unknown error">no</retry-ldap-auth-unknown>
<enable-incremental-values display-name="Enable DirSync Incremental Values">no</enable-incremental-values>
</driver-options>
</init-params>
</input>
</nds>


Please help me out, guys. What am I doing wrong?
  • On 12/17/2018 04:14 AM, frankabhinav wrote:
    >
    > We are using IDM 4.7 on a Windows system and have configured all the
    > DCs through the pass sync tool, and all are running; even using the pass sync
    > utility tool I can see that users' passwords are there inside the driver
    > machine cache. But when I am starting it I get the following issue/error.
    >
    > Error:
    >
    > Code:
    > --------------------
    > <nds dtdversion="2.2">
    > <source>
    > <product build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver " version="4.0.2.1">AD</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <status level="warning" type="driver-status">
    > <description>Password Sync Initialization Failed: Password Sync has been Disabled.</description>
    > </status>
    > </input>
    > </nds>
    > --------------------


    This appears to be IDM 4.7, perhaps with some patches; which version of
    windows, and which domain functional level, do you have? It probably does
    not matter much, but it would be nice to know.

    > and also see below driver information


    This is some good information, but full traces are better.

    > Code:
    > --------------------
    > [12/17/18 15:49:26.599]:adnew.log : Name: ConnectedSystemName Value: ~drv.name~
    > [12/17/18 15:49:26.599]:adnew.log : Name: enable-password-subscribe Value: true
    > [12/17/18 15:49:26.600]:adnew.log : Name: enable-password-publish Value: true
    > [12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-nds Value: true


    This looks like a backward setting, along with...

    > [12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-dp Value: false


    this one. If you have not changed these, I would probably do so. Under
    the driver config object's properties, under 'GCVs' in particular in
    Designer, there is a Password Sync tab, with a tool built in to help you
    with the correct radio buttons and checkboxes (which in turn control the
    usual GCV drop-downs, which normally you should not modify manually
    anymore in lieu of that nice tool). Typically publishing to distribution
    password is the way to go, not NDS passwords.

    > [12/17/18 15:49:26.601]:adnew.log : Name: enforce-password-policy Value: true


    I typically switch this to 'false' too, particularly as active directory
    password policies have historically been a bit of a mess to match up with
    eDirectory policies, and these days the focus is on length more than
    complexity for actual security.

    > [12/17/18 15:49:26.601]:adnew.log : Name: reset-external-password-on-failure Value: true


    I'd also switch this one normally, since the reverse often fails in
    microsoft active directory (MAD) due to password history on that side.

    > [12/17/18 15:49:26.601]:adnew.log : Name: notify-user-on-password-dist-failure Value: true


    I also do not like this one with MAD, but again maybe just my
    preference/experience.

    > [12/17/18 15:49:26.602]:adnew.log : Name: UAProvURL Value: http://localhost:8180/IDMProv
    > [12/17/18 15:49:26.602]:adnew.log : Name: UAProvAdmin Value: CN=uaadmin.OU=sa.O=data
    > [12/17/18 15:49:26.602]:adnew.log : Name: service-account-dn Value:
    > [12/17/18 15:49:26.602]:adnew.log : Name: NOVLLIBLDAP.host Value: 127.0.0.1
    > [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.port Value: 389
    > [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.user Value: cn=admin,ou=sa,o=system
    > [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.password Value: NOVLLIBLDAP.password
    > [12/17/18 15:49:26.604]:adnew.log : Name: NOVLLIBLDAP.base Value: o=data
    > [12/17/18 15:49:26.604]:adnew.log : Name: NOVLLIBLDAP.scope Value: sub
    > [12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.users Value: data\users
    > [12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.groups Value: data\groups
    > [12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.treename Value: NTL_IDM_VAULT
    > [12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.driverdn Value: \NTL_IDM_VAULT\system\driverset1\Active Directory Driver
    >
    > <authentication-info>
    > <server>172.xxx.xx.x</server>


    Normally when using the Negotiate method you should have either the Remote
    Loader (RL) directly on a domain controller (DC), which is what I would
    recommend, or else you need to point to a particular DC using its DNS
    name, not its IP address. This could be part of your current symptom.

    If you do put the RL on a DC, then you can clear out the authentication
    context field entirely (by default the driver will talk locally, meaning
    to the DC on which the RL is hosted), and then you can change sealing back
    to 'no' as it is redundant.

    > <user>domain/IdmAdmin</user>


    The correct way to specify the domain and username is with a backslash,
    not a slash (sometimes redundantly called a forward slash). This could be
    part of your current symptom.

    > <password><!-- content suppressed --></password>
    > </authentication-info>
    > <driver-options>
    > <auth-options display-name="Show authentication options">show</auth-options>
    > <auth-method display-name="Authentication Method">Negotiate</auth-method>
    > <signing display-name="Digitally sign communications">no</signing>
    > <sealing display-name="Digitally sign and seal communications">yes</sealing>
    > <use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">no</use-ssl>
    > <impersonation display-name="Logon and impersonate">yes</impersonation>
    > <xchg-options display-name="Show Exchange Management Options">hide</xchg-options>
    > <xchg-prov display-name="Enable Exchange mailbox provisioning">disabled</xchg-prov>
    > <exch-move display-name="Allow Exchange mailbox move">yes</exch-move>
    > <exch-delete display-name="Allow Exchange mailbox delete">yes</exch-delete>
    > <exch-api-type display-name="Exchange Management interface type">use-exch-2010</exch-api-type>
    > <exchange-server display-name="Exchange Server FQDN"></exchange-server>
    > <access-options display-name="Show access options">show</access-options>
    > <pollingInterval display-name="Driver Polling Interval">1</pollingInterval>
    > <pub-heartbeat-interval display-name="Publisher heartbeat interval">1</pub-heartbeat-interval>
    > <pub-password-expire-time display-name="Password Sync Timeout (minutes)">5</pub-password-expire-time>
    > <pub-filter-password-time-to-live display-name="DC Passwords TimeToLive (minutes)">5</pub-filter-password-time-to-live>
    > <search-domain-scope display-name="Search domain scope">yes</search-domain-scope>
    > <advanced-options display-name="Show advanced options">show</advanced-options>
    > <enable-delete-protected-2008 display-name="Enable Deletion of protected objects in Windows server 2008">no</enable-delete-protected-2008>
    > <retry-ldap-auth-unknown display-name="Retry LDAP Auth unknown error">no</retry-ldap-auth-unknown>
    > <enable-incremental-values display-name="Enable DirSync Incremental Values">no</enable-incremental-values>
    > </driver-options>
    > </init-params>
    > </input>
    > </nds>
    > --------------------


    If you could post the full RL trace of the startup that may give more
    information, but hopefully the suggestions above will resolve the issue.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • ab <ab@no-mx.forums.microfocus.com> wrote:
    > On 12/17/2018 04:14 AM, frankabhinav wrote:
    >>
    >> We are using IDM 4.7 on a Windows system and have configured all the
    >> DCs through the pass sync tool, and all are running; even using the pass sync
    >> utility tool I can see that users' passwords are there inside the driver
    >> machine cache. But when I am starting it I get the following issue/error.
    >>
    >> Error:
    >>
    >> Code:
    >> --------------------
    >> <nds dtdversion="2.2">
    >> <source>
    >> <product build="20170106_120000"
    >> instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver "
    >> version="4.0.2.1">AD</product>
    >> <contact>NetIQ Corporation</contact>
    >> </source>
    >> <input>
    >> <status level="warning" type="driver-status">
    >> <description>Password Sync Initialization Failed: Password Sync has been
    >> Disabled.</description>
    >> </status>
    >> </input>
    >> </nds>
    >> --------------------

    >
    > This appears to be IDM 4.7, perhaps with some patches; which version of
    > windows, and which domain functional level, do you have? It probably does
    > not matter much, but it would be nice to know.
    >
    >> and also see below driver information

    >
    > This is some good information, but full traces are better.
    >
    >> Code:
    >> --------------------
    >> [12/17/18 15:49:26.599]:adnew.log : Name: ConnectedSystemName Value: ~drv.name~
    >> [12/17/18 15:49:26.599]:adnew.log : Name: enable-password-subscribe Value: true
    >> [12/17/18 15:49:26.600]:adnew.log : Name: enable-password-publish Value: true
    >> [12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-nds Value: true

    >
    > This looks like a backward setting, along with...
    >
    >> [12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-dp Value: false

    >
    > this one. If you have not changed these, I would probably do so. Under
    > the driver config object's properties, under 'GCVs' in particular in
    > Designer, there is a Password Sync tab, with a tool built in to help you
    > with the correct radio buttons and checkboxes (which in turn control the
    > usual GCV drop-downs, which normally you should not modify manually
    > anymore in lieu of that nice tool). Typically publishing to distribution
    > password is the way to go, not NDS passwords.
    >
    >> [12/17/18 15:49:26.601]:adnew.log : Name: enforce-password-policy Value: true

    >
    > I typically switch this to 'false' too, particularly as active directory
    > password policies have historically been a bit of a mess to match up with
    > eDirectory policies, and these days the focus is on length more than
    > complexity for actual security.
    >
    >> [12/17/18 15:49:26.601]:adnew.log : Name: reset-external-password-on-failure Value: true

    >
    > I'd also switch this one normally, since the reverse often fails in
    > microsoft active directory (MAD) due to password history on that side.
    >
    >> [12/17/18 15:49:26.601]:adnew.log : Name:
    >> notify-user-on-password-dist-failure Value: true

    >
    > I also do not like this one with MAD, but again maybe just my
    > preference/experience.
    >
    >> [12/17/18 15:49:26.602]:adnew.log : Name: UAProvURL Value: http://localhost:8180/IDMProv
    >> [12/17/18 15:49:26.602]:adnew.log : Name: UAProvAdmin Value: CN=uaadmin.OU=sa.O=data
    >> [12/17/18 15:49:26.602]:adnew.log : Name: service-account-dn Value:
    >> [12/17/18 15:49:26.602]:adnew.log : Name: NOVLLIBLDAP.host Value: 127.0.0.1
    >> [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.port Value: 389
    >> [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.user Value: cn=admin,ou=sa,o=system
    >> [12/17/18 15:49:26.603]:adnew.log : Name: NOVLLIBLDAP.password Value:
    >> NOVLLIBLDAP.password
    >> [12/17/18 15:49:26.604]:adnew.log : Name:
    >> NOVLLIBLDAP.base Value: o=data
    >> [12/17/18 15:49:26.604]:adnew.log : Name: NOVLLIBLDAP.scope Value: sub
    >> [12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.users Value: data\users
    >> [12/17/18 15:49:26.604]:adnew.log : Name: idv.dit.data.groups Value: data\groups
    >> [12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.treename Value: NTL_IDM_VAULT
    >> [12/17/18 15:49:26.605]:adnew.log : Name: dirxml.auto.driverdn Value:
    >> \NTL_IDM_VAULT\system\driverset1\Active Directory Driver
    >>
    >> <authentication-info>
    >> <server>172.xxx.xx.x</server>

    >
    > Normally when using the Negotiate method you should have either the Remote
    > Loader (RL) directly on a domain controller (DC), which is what I would
    > recommend, or else you need to point to a particular DC using its DNS
    > name, not its IP address. This could be part of your current symptom.
    >
    > If you do put the RL on a DC, then you can clear out the authentication
    > context field entirely (by default the driver will talk locally, meaning
    > to the DC on which the RL is hosted), and then you can change sealing back
    > to 'no' as it is redundant.
    >
    >> <user>domain/IdmAdmin</user>

    >
    > The correct way to specify the domain and username is with a backslash,
    > not a slash (sometimes redundantly called a forward slash). This could be
    > part of your current symptom.
    >
    >> <password><!-- content suppressed --></password>
    >> </authentication-info>
    >> <driver-options>
    >> <auth-options display-name="Show authentication options">show</auth-options>
    >> <auth-method display-name="Authentication Method">Negotiate</auth-method>
    >> <signing display-name="Digitally sign communications">no</signing>
    >> <sealing display-name="Digitally sign and seal communications">yes</sealing>
    >> <use-ssl display-name="Use SSL for LDAP connection between Driver Shim and
    >> AD">no</use-ssl>
    >> <impersonation display-name="Logon and
    >> impersonate">yes</impersonation>
    >> <xchg-options display-name="Show
    >> Exchange Management Options">hide</xchg-options>
    >> <xchg-prov display-name="Enable Exchange mailbox provisioning">disabled</xchg-prov>
    >> <exch-move display-name="Allow Exchange mailbox move">yes</exch-move>
    >> <exch-delete display-name="Allow Exchange mailbox delete">yes</exch-delete>
    >> <exch-api-type display-name="Exchange Management interface
    >> type">use-exch-2010</exch-api-type>
    >> <exchange-server display-name="Exchange Server FQDN"></exchange-server>
    >> <access-options display-name="Show access options">show</access-options>
    >> <pollingInterval display-name="Driver Polling Interval">1</pollingInterval>
    >> <pub-heartbeat-interval display-name="Publisher heartbeat
    >> interval">1</pub-heartbeat-interval>
    >> <pub-password-expire-time display-name="Password Sync Timeout
    >> (minutes)">5</pub-password-expire-time>
    >> <pub-filter-password-time-to-live display-name="DC Passwords TimeToLive
    >> (minutes)">5</pub-filter-password-time-to-live>
    >> <search-domain-scope display-name="Search domain scope">yes</search-domain-scope>
    >> <advanced-options display-name="Show advanced options">show</advanced-options>
    >> <enable-delete-protected-2008 display-name="Enable Deletion of protected
    >> objects in Windows server 2008">no</enable-delete-protected-2008>
    >> <retry-ldap-auth-unknown display-name="Retry LDAP Auth unknown
    >> error">no</retry-ldap-auth-unknown>
    >> <enable-incremental-values display-name="Enable DirSync Incremental
    >> Values">no</enable-incremental-values>
    >> </driver-options>
    >> </init-params>
    >> </input>
    >> </nds>
    >> --------------------

    >
    > If you could post the full RL trace of the startup that may give more
    > information, but hopefully the suggestions above will resolve the issue.
    >


    Hi.

    If you are running the driver shim on a member server, this setting needs
    to be set to yes as well for password sync to work.

    <use-ssl display-name="Use SSL for LDAP connection between Driver Shim and
    AD">no</use-ssl>

    --
    Best regards
    Marcus
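    As an added example (not code from this thread, nor from NetIQ/Micro Focus), the following Python script checks an AD driver's GCV trace lines and its init-params fragment for the four settings flagged in ab's and Marcus's replies above: publishing to the NDS password instead of the distribution password, an IP address as the Negotiate authentication context, a slash instead of a backslash in the user, and use-ssl set to no. The sample inputs are constructed from the values posted in this thread, and all function names are my own.

```python
"""Lint an IDM Active Directory driver startup config for the password-sync
pitfalls discussed in this thread.  Added illustration, not vendor code;
the sample traces below are constructed from values posted in the thread."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# GCV trace lines look like "[12/17/18 15:49:26.599]:adnew.log : Name: X Value: Y"
GCV_LINE = re.compile(r"\]:\S+\s*:\s*Name:\s*(\S+)\s+Value:\s*(.*)$")


def parse_gcv_trace(trace: str) -> dict:
    """Collect 'Name: ... Value: ...' pairs from driver trace lines."""
    gcvs = {}
    for line in trace.splitlines():
        m = GCV_LINE.search(line)
        if m:
            gcvs[m.group(1)] = m.group(2).strip()
    return gcvs


def parse_init_params(xml_text: str) -> dict:
    """Flatten <authentication-info> and <driver-options> into one dict."""
    root = ET.fromstring(xml_text)
    params = {}
    for section in ("authentication-info", "driver-options"):
        node = root.find(section)
        for child in (node if node is not None else []):
            params[child.tag] = (child.text or "").strip()
    return params


def _looks_like_ip(host: str) -> bool:
    """True for IP literals, including octets masked as 172.xxx.xx.x."""
    if host.count(".") == 3 and re.fullmatch(r"[0-9x.]+", host):
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_password_sync_config(gcvs: dict, params: dict) -> list:
    """Return (setting, problem) tuples; an empty list means no finding."""
    findings = []
    if (gcvs.get("publish-password-to-nds", "").lower() == "true"
            and gcvs.get("publish-password-to-dp", "").lower() != "true"):
        findings.append(("publish-password-to-dp",
                         "publishing to NDS password but not to the distribution "
                         "password; fix via the Password Sync tab in Designer"))
    server = params.get("server", "")
    if params.get("auth-method") == "Negotiate" and server and _looks_like_ip(server):
        findings.append(("server", "Negotiate needs the Remote Loader on a DC "
                                   "(empty context) or a DC DNS name, not an IP"))
    user = params.get("user", "")
    if "/" in user and "\\" not in user:
        findings.append(("user", "separate domain and user with a backslash "
                                 "(DOMAIN\\user), not a slash"))
    if params.get("use-ssl", "").lower() == "no":
        findings.append(("use-ssl", "shim-to-AD LDAP is not SSL-protected; must be "
                                    "yes when the shim runs on a member server"))
    return findings


def lint(trace: str, init_params_xml: str) -> list:
    """Convenience wrapper: parse both inputs and run the checks."""
    return check_password_sync_config(parse_gcv_trace(trace),
                                      parse_init_params(init_params_xml))


# Constructed samples: the original post's values, then the corrected follow-up.
ORIGINAL_TRACE = """[12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-nds Value: true
[12/17/18 15:49:26.600]:adnew.log : Name: publish-password-to-dp Value: false
[12/17/18 15:49:26.602]:adnew.log : Name: service-account-dn Value:"""
ORIGINAL_XML = r"""<init-params>
<authentication-info><server>172.xxx.xx.x</server><user>domain/IdmAdmin</user>
<password><!-- content suppressed --></password></authentication-info>
<driver-options><auth-method display-name="Authentication Method">Negotiate</auth-method>
<use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">no</use-ssl>
</driver-options></init-params>"""
FIXED_TRACE = """[12/28/18 18:48:49.485]:adnew.log : Name: publish-password-to-nds Value: true
[12/28/18 18:48:49.485]:adnew.log : Name: publish-password-to-dp Value: true"""
FIXED_XML = r"""<init-params>
<authentication-info><server>BITS-tz-dc3.in.BITS-tech.com</server>
<user>INBITS-TECH\IdmAdmin</user></authentication-info>
<driver-options><auth-method display-name="Authentication Method">Negotiate</auth-method>
<use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">yes</use-ssl>
</driver-options></init-params>"""

if __name__ == "__main__":
    for label, trace, xml in (("original", ORIGINAL_TRACE, ORIGINAL_XML),
                              ("fixed", FIXED_TRACE, FIXED_XML)):
        print(label, lint(trace, xml) or "no findings")
```

    Run against the original post's values it reports all four findings; against the values in the later trace it reports none.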
  • Hi There

    The issue still remains the same. I have attached the full log.

    I can also view users inside HKLM\SOFTWARE\NOVELL\PwFilter

    [12/28/18 18:48:49.469]:adnew.log :Trace Level: 5
    [12/28/18 18:48:49.469]:adnew.log :Reading driver information from the \NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS object.
    [12/28/18 18:48:49.470]:adnew.log :Reading driver information from the \NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS object.
    [12/28/18 18:48:49.470]:adnew.log :Reading named passwords list.
    [12/28/18 18:48:49.471]:adnew.log :Description : LDAP Search Password
    [12/28/18 18:48:49.471]:adnew.log :Named passwords:
    [12/28/18 18:48:49.471]:adnew.log : Name: NOVLLIBLDAP.password
    [12/28/18 18:48:49.472]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-EngineControlValues.
    [12/28/18 18:48:49.473]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/NOVLACOMSET-GCVs#DirXML-ConfigValues.
    [12/28/18 18:48:49.475]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Library/NOVLLIBLDAP-ConnectionProfile#DirXML-ConfigValues.
    [12/28/18 18:48:49.476]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/NOVLCOMSET-GCVs#DirXML-ConfigValues.
    [12/28/18 18:48:49.477]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1#DirXML-ConfigValues.
    [12/28/18 18:48:49.478]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/NOVLADDCFG-GCVs#DirXML-ConfigValues.
    [12/28/18 18:48:49.480]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/NOVLADPWDSYN-GCVs#DirXML-ConfigValues.
    [12/28/18 18:48:49.481]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-ConfigValues.
    [12/28/18 18:48:49.482]:adnew.log :Global Configuration Values:
    [12/28/18 18:48:49.482]:adnew.log : Name: drv.domain.dns.name Value: IN.BITS-Tech.com
    [12/28/18 18:48:49.482]:adnew.log : Name: drv.subPlacementType Value: mirrored
    [12/28/18 18:48:49.483]:adnew.log : Name: drv.user.container Value: ou=IDM,DC=IN,DC=BITS-Tech,DC=com
    [12/28/18 18:48:49.483]:adnew.log : Name: drv.pubPlacementType Value: mirrored
    [12/28/18 18:48:49.483]:adnew.log : Name: name-map-display Value: hide
    [12/28/18 18:48:49.484]:adnew.log : Name: FullNameMap Value: true
    [12/28/18 18:48:49.484]:adnew.log : Name: LogonNameMap Value: true
    [12/28/18 18:48:49.484]:adnew.log : Name: UpnMap Value: edir-name-auth
    [12/28/18 18:48:49.484]:adnew.log : Name: ConnectedSystemName Value: ~drv.name~
    [12/28/18 18:48:49.485]:adnew.log : Name: enable-password-subscribe Value: true
    [12/28/18 18:48:49.485]:adnew.log : Name: enable-password-publish Value: true
    [12/28/18 18:48:49.485]:adnew.log : Name: publish-password-to-nds Value: true
    [12/28/18 18:48:49.485]:adnew.log : Name: publish-password-to-dp Value: true
    [12/28/18 18:48:49.486]:adnew.log : Name: enforce-password-policy Value: false
    [12/28/18 18:48:49.486]:adnew.log : Name: reset-external-password-on-failure Value: false
    [12/28/18 18:48:49.486]:adnew.log : Name: notify-user-on-password-dist-failure Value: false
    [12/28/18 18:48:49.487]:adnew.log : Name: UAProvURL Value: http://localhost:8180/IDMProv
    [12/28/18 18:48:49.487]:adnew.log : Name: UAProvAdmin Value: CN=uaadmin.OU=sa.O=data
    [12/28/18 18:48:49.487]:adnew.log : Name: service-account-dn Value:
    [12/28/18 18:48:49.487]:adnew.log : Name: idv.dit.data.users Value: data\users
    [12/28/18 18:48:49.488]:adnew.log : Name: idv.dit.data.groups Value: data\groups
    [12/28/18 18:48:49.488]:adnew.log : Name: dirxml.auto.treename Value: NTL_IDM_VAULT
    [12/28/18 18:48:49.488]:adnew.log : Name: dirxml.auto.driverdn Value: \NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS
    [12/28/18 18:48:49.489]:adnew.log : Name: dirxml.auto.driverguid Value: {8E5734C2-003A-463c-8B26-FFFADAB18C83}
    [12/28/18 18:48:49.489]:adnew.log : Name: dirxml.auto.localserverdn Value: CN=BITS-TZ-MFIM-NDS,OU=servers,O=system
    [12/28/18 18:48:49.490]:adnew.log :Using default reciprocal attribute map
    [12/28/18 18:48:49.490]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-PersistentData.
    [12/28/18 18:48:49.491]:adnew.log :Loaded persistent data
    [12/28/18 18:48:49.491]:adnew.log :
    <persistent-data>
    <op-counters last-reset-time="1544698959819">
    <subscriber/>
    <publisher>
    <counters index="0">
    <status>26</status>
    <init-params>21</init-params>
    </counters>
    <counters index="1">
    <status>26</status>
    <init-params>21</init-params>
    </counters>
    <counters index="2">
    <status>26</status>
    <init-params>21</init-params>
    </counters>
    <counters index="3">
    <status>26</status>
    <init-params>21</init-params>
    </counters>
    <counters index="4">
    <status>47</status>
    </counters>
    </publisher>
    </op-counters>
    </persistent-data>
    [12/28/18 18:48:49.668]:adnew.log :Found subscriber system\driverset1\Active Directory Driver BITS\Subscriber.
    [12/28/18 18:48:49.864]:adnew.log :Found publisher system\driverset1\Active Directory Driver BITS\Publisher.
    [12/28/18 18:48:49.865]:adnew.log :Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-DriverFilter.
    [12/28/18 18:48:49.866]:adnew.log :Loaded filter.
    [12/28/18 18:48:49.866]:adnew.log :
    <filter>
    <filter-class class-name="User" publisher="sync" publisher-create-homedir="true" publisher-track-template-member="true" subscriber="ignore">
    <filter-attr attr-name="nspmDistributionPassword" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>
    <filter-attr attr-name="CN" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Description" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="DirXML-ADAliasName" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Facsimile Telephone Number" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Full Name" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Given Name" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Initials" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Internet EMail Address" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="L" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Login Allowed Time Map" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Login Disabled" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>
    <filter-attr attr-name="Login Expiration Time" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>
    <filter-attr attr-name="Physical Delivery Office Name" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Postal Code" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Postal Office Box" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="S" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="SA" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Surname" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Telephone Number" publisher="sync" subscriber="ignore"/>
    <filter-attr attr-name="Title" publisher="sync" subscriber="ignore"/>
    </filter-class>
    <filter-class class-name="Organizational Unit" publisher="sync" subscriber="ignore">
    <filter-attr attr-name="Description" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="OU" publisher="ignore" subscriber="ignore"/>
    </filter-class>
    </filter>
    [12/28/18 18:48:49.874]:adnew.log :Creating subscriber thread.
    [12/28/18 18:48:50.023]:adnew.log ST:Subscriber thread starting.
    [12/28/18 18:48:50.074]:adnew.log ST:Initializing driver shim.
    [12/28/18 18:48:50.075]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-ApplicationSchema.
    [12/28/18 18:48:50.112]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-ConfigManifest.
    [12/28/18 18:48:50.115]:adnew.log ST:Loading native shim addriver.dll.
    [12/28/18 18:48:50.152]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-ShimConfigInfo.
    [12/28/18 18:48:50.154]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-DriverStorage.
    [12/28/18 18:48:50.155]:adnew.log ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <init-params src-dn="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS">
    <authentication-info>
    <server>BITS-tz-dc3.in.BITS-tech.com</server>
    <user>INBITS-TECH\IdmAdmin</user>
    <password><!-- content suppressed --></password>
    </authentication-info>
    <driver-options>
    <auth-options display-name="Show authentication options">show</auth-options>
    <auth-method display-name="Authentication Method">Negotiate</auth-method>
    <signing display-name="Digitally sign communications">no</signing>
    <sealing display-name="Digitally sign and seal communications">yes</sealing>
    <use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">yes</use-ssl>
    <impersonation display-name="Logon and impersonate">yes</impersonation>
    <xchg-options display-name="Show Exchange Management Options">hide</xchg-options>
    <xchg-prov display-name="Enable Exchange mailbox provisioning">disabled</xchg-prov>
    <exch-move display-name="Allow Exchange mailbox move">yes</exch-move>
    <exch-delete display-name="Allow Exchange mailbox delete">yes</exch-delete>
    <exch-api-type display-name="Exchange Management interface type">use-exch-2010</exch-api-type>
    <exchange-server display-name="Exchange Server FQDN"></exchange-server>
    <access-options display-name="Show access options">show</access-options>
    <pollingInterval display-name="Driver Polling Interval">3</pollingInterval>
    <pub-heartbeat-interval display-name="Publisher heartbeat interval">3</pub-heartbeat-interval>
    <pub-password-expire-time display-name="Password Sync Timeout (minutes)">15</pub-password-expire-time>
    <pub-filter-password-time-to-live display-name="DC Passwords TimeToLive (minutes)">15</pub-filter-password-time-to-live>
    <search-domain-scope display-name="Search domain scope">yes</search-domain-scope>
    <advanced-options display-name="Show advanced options">hide</advanced-options>
    <enable-delete-protected-2008 display-name="Enable Deletion of protected objects in Windows server 2008">no</enable-delete-protected-2008>
    <retry-ldap-auth-unknown display-name="Retry LDAP Auth unknown error">no</retry-ldap-auth-unknown>
    <enable-incremental-values display-name="Enable DirSync Incremental Values">no</enable-incremental-values>
    </driver-options>
    </init-params>
    </input>
    </nds>
    [12/28/18 18:48:50.164]:adnew.log ST:ADDriver: Driver::init
    [12/28/18 18:48:50.164]:adnew.log ST:ADDriver: MadDriver::onInit()
    [12/28/18 18:48:50.164]:adnew.log ST:ADDriver: MadConnMgr::initialize
    [12/28/18 18:48:50.165]:adnew.log ST:DriverShim.init() returned:
    [12/28/18 18:48:50.165]:adnew.log ST:
    <nds dtdversion="1.1" ndsversion="8.7">
    <source>
    <product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status level="success"/>
    </output>
    </nds>
    [12/28/18 18:48:50.199]:adnew.log ST:Initializing subscriber system\driverset1\Active Directory Driver BITS\Subscriber for \NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS.
    [12/28/18 18:48:50.200]:adnew.log ST:Loading startup policies.
    [12/28/18 18:48:50.200]:adnew.log ST:Policy not found.
    [12/28/18 18:48:50.200]:adnew.log ST:Loading shutdown policies.
    [12/28/18 18:48:50.201]:adnew.log ST:Policy not found.
    [12/28/18 18:48:50.201]:adnew.log ST:Loading Subscriber input transformation policies.
    [12/28/18 18:48:50.201]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/NOVLADDCFG-itp-SubscriberUserAdd#XmlData.
    [12/28/18 18:48:50.202]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.203]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/NOVLADDCFG-itp-FormatConversions#XmlData.
    [12/28/18 18:48:50.204]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.206]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/NOVLPWDSYNC-itp-EmailOnFailedPwdSub#XmlData.
    [12/28/18 18:48:50.207]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.208]:adnew.log ST:Loading Subscriber output transformation policies.
    [12/28/18 18:48:50.209]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/NOVLADDCFG-otp-FormatConversions#XmlData.
    [12/28/18 18:48:50.210]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.211]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/NOVLADDCFG-otp-ExchangeEntitlementQuery#XmlData.
    [12/28/18 18:48:50.212]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.213]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/NOVLPWDSYNC-otp-EmailOnFailedPwdPub#XmlData.
    [12/28/18 18:48:50.214]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.215]:adnew.log ST:Loading Subscriber schema mapping policies.
    [12/28/18 18:48:50.215]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/NOVLADDCFG-smp#XmlData.
    [12/28/18 18:48:50.216]:adnew.log ST:Found schema map.
    [12/28/18 18:48:50.217]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/NOVLADDCFG-smp#XmlData.
    [12/28/18 18:48:50.218]:adnew.log ST:Found schema map.
    [12/28/18 18:48:50.218]:adnew.log ST:Loading policies.
    [12/28/18 18:48:50.219]:adnew.log ST:Loading Subscriber event transformation policies.
    [12/28/18 18:48:50.219]:adnew.log ST:Policy not found.
    [12/28/18 18:48:50.219]:adnew.log ST:Loading Subscriber object matching policies.
    [12/28/18 18:48:50.220]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLADDCFG-sub-mp-Scoping#XmlData.
    [12/28/18 18:48:50.221]:adnew.log ST:Global Configuration Value replacements made in vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLADDCFG-sub-mp-Scoping#XmlData:
    [12/28/18 18:48:50.222]:adnew.log ST:
    <policy xmlns:jstring="">www.novell.com/.../java.lang.String">
    <description>Find matching object in Active Directory</description>
    <rule>
    <description>remember relative position in hierarchy</description>
    <comment xml:space="preserve">This rule marks events in the given containers for processing by adding the unmached-src-dn and attempt-to-match operation properties. You can add subtrees in the Identity Vault for inclusion by adding if-src-dn conditionals here. If you are using mirrored placement, the unmatched-src-dn is used later in the placement rule. The attempt-to-match property determines whether the matching policies following this initializing policy should try to match the object or whether its out of scope.</comment>
    <conditions>
    <and>
    <if-src-dn op="in-subtree">data\users</if-src-dn>
    <if-op-property mode="nocase" name="attempt-to-match" op="not-equal">false</if-op-property>
    </and>
    </conditions>
    <actions>
    <do-set-op-property name="unmatched-src-dn">
    <arg-string>
    <token-unmatched-src-dn convert="true"/>
    </arg-string>
    </do-set-op-property>
    <do-set-op-property name="attempt-to-match">
    <arg-string>
    <token-text xml:space="preserve">true</token-text>
    </arg-string>
    </do-set-op-property>
    </actions>
    </rule>
    </policy>
    [12/28/18 18:48:50.226]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.227]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLADDCFG-sub-mp#XmlData.
    [12/28/18 18:48:50.228]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.229]:adnew.log ST:Loading Subscriber object creation policies.
    [12/28/18 18:48:50.229]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLADDCFG-sub-cp-Users#XmlData.
    [12/28/18 18:48:50.230]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.231]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLADDCFG-sub-cp-Groups#XmlData.
    [12/28/18 18:48:50.232]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.233]:adnew.log ST:Loading Subscriber object placement policies.
    [12/28/18 18:48:50.233]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLADDCFG-sub-pp#XmlData.
    [12/28/18 18:48:50.234]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.235]:adnew.log ST:Loading Subscriber command transformation policies.
    [12/28/18 18:48:50.235]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLADDCFG-sub-ctp-GroupMemberResolution#XmlData.
    [12/28/18 18:48:50.236]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.237]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLADDCFG-sub-ctp-HandleMovesAndRenames#XmlData.
    [12/28/18 18:48:50.238]:adnew.log ST:Global Configuration Value replacements made in vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLADDCFG-sub-ctp-HandleMovesAndRenames#XmlData:
    [12/28/18 18:48:50.239]:adnew.log ST:
    <policy>
    <rule>
    <description>associate mirror root</description>
    <comment xml:space="preserve">In a mirrored configuration, it is important to have the two mirror roots (the one in the IDV and the one in AD) associated with one another. If the roots are not associated, objects cannot be moved into the mirror root on the publisher channel.</comment>
    <conditions>
    <and>
    <if-operation mode="case" op="equal">move</if-operation>
    <if-xpath op="true">translate(./parent/@src-dn,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')=translate('\NTL_IDM_VAULT\data\users','ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')</if-xpath>
    <if-global-variable mode="nocase" name="drv.subPlacementType" op="equal">mirrored</if-global-variable>
    <if-local-variable name="mirrorRootAssociated" op="not-available"/>
    </and>
    </conditions>
    <actions>
    <do-set-local-variable name="mirrorRootInstance" scope="policy">
    <arg-node-set>
    <token-query datastore="src" scope="entry">
    <arg-dn>
    <token-global-variable name="idv.dit.data.users"/>
    </arg-dn>
    </token-query>
    </arg-node-set>
    </do-set-local-variable>
    <do-set-local-variable name="parentAsso">
    <arg-string>
    <token-xpath expression="$mirrorRootInstance/association/text()"/>
    </arg-string>
    </do-set-local-variable>
    <do-trace-message>
    <arg-string>
    <token-local-variable name="parentAsso"/>
    </arg-string>
    </do-trace-message>
    <do-if>
    <arg-conditions>
    <and>
    <if-local-variable mode="regex" name="parentAsso" op="not-equal">. </if-local-variable>
    </and>
    </arg-conditions>
    <arg-actions>
    <do-set-local-variable name="adRootInstance" scope="policy">
    <arg-node-set>
    <token-query scope="entry">
    <arg-dn>
    <token-global-variable name="drv.user.container"/>
    </arg-dn>
    </token-query>
    </arg-node-set>
    </do-set-local-variable>
    <do-add-association direct="true">
    <arg-dn>
    <token-global-variable name="idv.dit.data.users"/>
    </arg-dn>
    <arg-association>
    <token-xpath expression="$adRootInstance/association/text()"/>
    </arg-association>
    </do-add-association>
    <do-append-xml-element expression="parent" name="association"/>
    <do-append-xml-text expression="parent/association">
    <arg-string>
    <token-xpath expression="$adRootInstance/association/text()"/>
    </arg-string>
    </do-append-xml-text>
    </arg-actions>
    <arg-actions/>
    </do-if>
    <do-set-local-variable name="mirrorRootAssociated" scope="driver">
    <arg-string>
    <token-text xml:space="preserve">true</token-text>
    </arg-string>
    </do-set-local-variable>
    </actions>
    </rule>
    </policy>
    [12/28/18 18:48:50.248]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.249]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLADDCFG-sub-ctp-UserNameMap#XmlData.
    [12/28/18 18:48:50.251]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.252]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLPWDSYNC-sub-ctp-TransformDistPwd#XmlData.
    [12/28/18 18:48:50.253]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.254]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLPWDSYNC-sub-ctp-DefaultPwd#XmlData.
    [12/28/18 18:48:50.255]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.256]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLPWDSYNC-sub-ctp-CheckPwdGCV#XmlData.
    [12/28/18 18:48:50.257]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.258]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Subscriber/NOVLPWDSYNC-sub-ctp-AddPwdPayload#XmlData.
    [12/28/18 18:48:50.259]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.260]:adnew.log ST:Mapping sensitive attribute names to application space
    [12/28/18 18:48:50.262]:adnew.log ST:Initializing subscriber shim.
    [12/28/18 18:48:50.264]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-ShimConfigInfo.
    [12/28/18 18:48:50.265]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-DriverStorage.
    [12/28/18 18:48:50.266]:adnew.log ST:Applying policy: % CCNOVLADDCFG-smp%-C.
    [12/28/18 18:48:50.266]:adnew.log ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <init-params src-dn="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS">
    <authentication-info>
    <server>BITS-tz-dc3.in.BITS-tech.com</server>
    <user>INBITS-TECH\IdmAdmin</user>
    <password><!-- content suppressed --></password>
    </authentication-info>
    <driver-filter/>
    </init-params>
    </input>
    </nds>
    [12/28/18 18:48:50.268]:adnew.log ST:ADDriver: Subscriber::init
    [12/28/18 18:48:50.269]:adnew.log ST:SubscriptionShim.init() returned:
    [12/28/18 18:48:50.269]:adnew.log ST:
    <nds dtdversion="1.1" ndsversion="8.7">
    <source>
    <product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status level="success"/>
    </output>
    </nds>
    [12/28/18 18:48:50.270]:adnew.log ST:Applying input transformation policies.
    [12/28/18 18:48:50.270]:adnew.log ST:Applying policy: % CCNOVLADDCFG-itp-SubscriberUserAdd%-C.
    [12/28/18 18:48:50.271]:adnew.log ST: Applying to status #1.
    [12/28/18 18:48:50.271]:adnew.log ST: Evaluating selection criteria for rule 'Populate DirXML-ADContext on initial user add'.
    [12/28/18 18:48:50.272]:adnew.log ST: (if-operation equal "add-association") = FALSE.
    [12/28/18 18:48:50.272]:adnew.log ST: Rule rejected.
    [12/28/18 18:48:50.272]:adnew.log ST:Policy returned:
    [12/28/18 18:48:50.272]:adnew.log ST:
    <nds dtdversion="1.1" ndsversion="8.7">
    <source>
    <product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status level="success"/>
    </output>
    </nds>
    [12/28/18 18:48:50.273]:adnew.log ST:Applying policy: % CCNOVLADDCFG-itp-FormatConversions%-C.
    [12/28/18 18:48:50.274]:adnew.log ST: Applying to status #1.
    [12/28/18 18:48:50.274]:adnew.log ST: Evaluating selection criteria for rule 'streetAddress: Convert CR-LF to LF'.
    [12/28/18 18:48:50.274]:adnew.log ST: Rule selected.
    [12/28/18 18:48:50.275]:adnew.log ST: Applying rule 'streetAddress: Convert CR-LF to LF'.
    [12/28/18 18:48:50.275]:adnew.log ST: Action: do-reformat-op-attr("streetAddress",token-replace-all("\r\n","\r",token-local-variable("current-value"))).
    [12/28/18 18:48:50.275]:adnew.log ST: Evaluating selection criteria for rule 'logonHours: Convert to Login Allowed Time Map form'.
    [12/28/18 18:48:50.276]:adnew.log ST: Rule selected.
    [12/28/18 18:48:50.276]:adnew.log ST: Applying rule 'logonHours: Convert to Login Allowed Time Map form'.
    [12/28/18 18:48:50.276]:adnew.log ST: Action: do-reformat-op-attr("logonHours",token-xpath("jadutil:translateTimeMap2eDir($current-value)")).
    [12/28/18 18:48:50.277]:adnew.log ST: Evaluating selection criteria for rule 'accountExpires: Convert to Identity Vault time format'.
    [12/28/18 18:48:50.277]:adnew.log ST: Rule selected.
    [12/28/18 18:48:50.278]:adnew.log ST: Applying rule 'accountExpires: Convert to Identity Vault time format'.
    [12/28/18 18:48:50.278]:adnew.log ST: Action: do-reformat-op-attr("accountExpires",token-xpath("jadutil:translateFileTime2Epoch($current-value)")).
    [12/28/18 18:48:50.278]:adnew.log ST: Evaluating selection criteria for rule 'lockedByIntruder: Enable Locked By Intruder'.
    [12/28/18 18:48:50.279]:adnew.log ST: (if-operation equal "modify") = FALSE.
    [12/28/18 18:48:50.279]:adnew.log ST: Rule rejected.
    [12/28/18 18:48:50.279]:adnew.log ST: Evaluating selection criteria for rule 'lockedByIntruder: Disable Locked By Intruder'.
    [12/28/18 18:48:50.280]:adnew.log ST: (if-operation equal "modify") = FALSE.
    [12/28/18 18:48:50.280]:adnew.log ST: Rule rejected.
    [12/28/18 18:48:50.280]:adnew.log ST: Evaluating selection criteria for rule 'lockoutTime: Convert to Identity Vault time format'.
    [12/28/18 18:48:50.281]:adnew.log ST: Rule selected.
    [12/28/18 18:48:50.281]:adnew.log ST: Applying rule 'lockoutTime: Convert to Identity Vault time format'.
    [12/28/18 18:48:50.281]:adnew.log ST: Action: do-reformat-op-attr("lockoutTime",token-xpath("jadutil:translateFileTime2Epoch($current-value)")).
    [12/28/18 18:48:50.282]:adnew.log ST:Policy returned:
    [12/28/18 18:48:50.282]:adnew.log ST:
    <nds dtdversion="1.1" ndsversion="8.7">
    <source>
    <product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status level="success"/>
    </output>
    </nds>
    [12/28/18 18:48:50.283]:adnew.log ST:Applying policy: % CCNOVLPWDSYNC-itp-EmailOnFailedPwdSub%-C.
    [12/28/18 18:48:50.283]:adnew.log ST: Applying to status #1.
    [12/28/18 18:48:50.284]:adnew.log ST: Evaluating selection criteria for rule 'Send e-mail on a failure when subscribing to passwords'.
    [12/28/18 18:48:50.284]:adnew.log ST: (if-global-variable 'notify-user-on-password-dist-failure' equal "true") = FALSE.
    [12/28/18 18:48:50.285]:adnew.log ST: Rule rejected.
    [12/28/18 18:48:50.285]:adnew.log ST: Evaluating selection criteria for rule 'Send e-mail on failure to reset connected system password using the Identity Vault password'.
    [12/28/18 18:48:50.285]:adnew.log ST: (if-global-variable 'notify-user-on-password-dist-failure' equal "true") = FALSE.
    [12/28/18 18:48:50.286]:adnew.log ST: Rule rejected.
    [12/28/18 18:48:50.286]:adnew.log ST:Policy returned:
    [12/28/18 18:48:50.286]:adnew.log ST:
    <nds dtdversion="1.1" ndsversion="8.7">
    <source>
    <product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status level="success"/>
    </output>
    </nds>
    <policy>
    <rule>
    <description>break if not a move or rename</description>
    <comment xml:space="preserve">Make sure we got a move or rename event.</comment>
    <conditions>
    <and>
    <if-operation mode="regex" op="not-equal">move|rename</if-operation>
    </and>
    </conditions>
    <actions>
    <do-break/>
    </actions>
    </rule>
    <rule>
    <description>setup for move validation</description>
    <comment>Gather information needed for move validation.</comment>
    <conditions>
    <and>
    <if-operation op="equal">move</if-operation>
    </and>
    </conditions>
    <actions>
    <do-set-local-variable name="cached-object-value">
    <arg-string>
    <token-parse-dn length="-2" start="0">
    <token-dest-attr name="DirXML-ADContext"/>
    </token-parse-dn>
    </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="current-object-value">
    <arg-string>
    <token-src-dn convert="true" length="-2" start="0"/>
    </arg-string>
    </do-set-local-variable>
    </actions>
    </rule>
    <rule>
    <description>setup for rename validation</description>
    <comment xml:space="preserve">Gather information needed for rename validation.</comment>
    <conditions>
    <and>
    <if-operation op="equal">rename</if-operation>
    </and>
    </conditions>
    <actions>
    <do-set-local-variable name="cached-object-value">
    <arg-string>
    <token-parse-dn start="-1">
    <token-dest-attr name="DirXML-ADContext"/>
    </token-parse-dn>
    </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="current-object-value">
    <arg-string>
    <token-src-dn convert="true" start="-1"/>
    </arg-string>
    </do-set-local-variable>
    </actions>
    </rule>
    <rule>
    <description>move or rename validation</description>
    <comment>The driver shim cannot tell the difference between a move and a rename in Active Directory so publishes both. The last known object DN is cached in the Identity Vault and then used to decide whether a given move or rename operation is real. This rule will veto moves and renames that are already reflected in the cached value.</comment>
    <conditions>
    <and>
    <if-local-variable mode="regex" name="cached-object-value" op="equal">.*</if-local-variable>
    <if-local-variable mode="nocase" name="cached-object-value" op="equal">$current-object-value$</if-local-variable>
    </and>
    </conditions>
    <actions>
    <do-veto/>
    </actions>
    </rule>
    <rule>
    <description>move or rename cached context update</description>
    <comment xml:space="preserve">Update cached context when move or rename is valid.</comment>
    <conditions>
    <and>
    <if-local-variable mode="regex" name="cached-object-value" op="equal">.*</if-local-variable>
    </and>
    </conditions>
    <actions>
    <do-set-dest-attr-value direct="true" name="DirXML-ADContext">
    <arg-value>
    <token-src-dn/>
    </arg-value>
    </do-set-dest-attr-value>
    </actions>
    </rule>
    <rule>
    <description>veto moves for container classes</description>
    <comment xml:space="preserve">eDirectory does not support moves of a container object unless it is its own partition but even then moves come with a risk. This policy will simply veto moves of all container classes regardless of whether they are partition roots or not.</comment>
    <conditions>
    <and disabled="true">
    <if-class-name mode="regex" op="equal">User|Group|Organization Unit|Organization|domain</if-class-name>
    </and>
    <and>
    <if-class-name mode="regex" op="not-equal">User|Group</if-class-name>
    <if-dest-attr mode="nocase" name="Object Class" op="equal">ndsContainerLoginProperties</if-dest-attr>
    </and>
    </conditions>
    <actions>
    <do-veto/>
    </actions>
    </rule>
    <rule>
    <description>associate mirror root</description>
    <comment xml:space="preserve">In a mirrored configuration, it is important to have the two mirror roots (the one in the IDV and the one in AD) associated with one another. If the roots are not associated, objects cannot be moved into the mirror root on the publisher channel.</comment>
    <conditions>
    <and>
    <if-operation mode="case" op="equal">move</if-operation>
    <if-xpath op="true">translate(./parent/@src-dn,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')=translate('ou=IDM,DC=IN,DC=BITS-Tech,DC=com','ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')</if-xpath>
    <if-global-variable mode="nocase" name="drv.pubPlacementType" op="equal">mirrored</if-global-variable>
    <if-local-variable name="mirrorRootAssociated" op="not-available"/>
    </and>
    </conditions>
    <actions>
    <do-set-local-variable name="mirrorRootInstance" scope="policy">
    <arg-node-set>
    <token-query scope="entry">
    <arg-dn>
    <token-global-variable name="idv.dit.data.users"/>
    </arg-dn>
    </token-query>
    </arg-node-set>
    </do-set-local-variable>
    <do-if>
    <arg-conditions>
    <and>
    <if-xpath op="not-true">$mirrorRootInstance/association/text()</if-xpath>
    </and>
    </arg-conditions>
    <arg-actions>
    <do-add-association direct="true">
    <arg-dn>
    <token-global-variable name="idv.dit.data.users"/>
    </arg-dn>
    <arg-association>
    <token-xpath expression="./parent/association"/>
    </arg-association>
    </do-add-association>
    </arg-actions>
    <arg-actions/>
    </do-if>
    <do-set-local-variable name="mirrorRootAssociated" scope="driver">
    <arg-string>
    <token-text xml:space="preserve">true</token-text>
    </arg-string>
    </do-set-local-variable>
    </actions>
    </rule>
    </policy>
    [12/28/18 18:48:50.967]:adnew.log ST:Found DirXMLScript policy.
    [12/28/18 18:48:50.969]:adnew.log ST:Loading Publisher object matching policies.
    [12/28/18 18:48:50.970]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Publisher/NOVLADDCFG-pub-mp-Scoping#XmlData.
    [12/28/18 18:48:50.971]:adnew.log ST:Global Configuration Value replacements made in vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS/Publisher/NOVLADDCFG-pub-mp-Scoping#XmlData:
    [12/28/18 18:48:50.972]:adnew.log ST:
    <policy>
    ">
    <source>
    <product asn1id="" build="20170106_120000" instance="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS" version="4.0.2.1">AD</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status level="success">Configured publisher polling interval to 3</status>
    <status level="success">Configured heartbeat interval to 3</status>
    <status level="success">Configured Password Expiration Time to 15</status>
    </output>
    </nds>


    </nds>
    [12/28/18 18:48:56.237]:adnew.log PT:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status event-id="0" level="success"><application>DirXML</application>
    <module>Active Directory Driver BITS</module>
    <object-dn></object-dn>
    <component>Publisher</component>
    </status>
    </output>
    </nds>
    [12/28/18 18:48:56.238]:adnew.log PT:ADDriver: rootDSE information needed.

    [12/28/18 18:48:56.239]:adnew.log PT:ADDriver: Make unauthenticated connection to rootDSE

    [12/28/18 18:48:57.709]:adnew.log PT:ADDriver: unauthenticated connection to rootDSE succeeded

    [12/28/18 18:48:57.709]:adnew.log PT:ADDriver: read rootDSE information
    [12/28/18 18:48:57.731]:adnew.log PT:ADDriver:
    LDAP Session Information

    LDAP version: 3
    Domain DNS name:
    Server DNS name: BITS-TZ-DC3.IN.BITS-Tech.com
    Host reachable: 1
    Using SSL: 1

    Naming contexts
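The trace above is the raw DirXML engine log the driver writes at start-up. What follows is an added example, not code from this thread, from NetIQ or from the driver: a small Python parser for this trace format that splits the file into timestamped entries, attaches the XML document the engine dumps after an empty `ST:`/`PT:` line to the entry that introduced it, and pulls out the two things a reviewer usually wants first, the `<status>` events and the leaf settings under `<init-params>`. The embedded sample trace is constructed to mimic the format (host name, vault DN, service account and the warning text are placeholders), and the `review` heuristic is my own defender-side check, not a NetIQ rule.

```python
"""Parse a NetIQ IDM (DirXML) driver trace. Added example; not NetIQ's or the driver's code."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Trace line shape: [MM/DD/YY HH:MM:SS.mmm]:<logfile> <channel>:<text>  (channel ST, PT or empty)
LINE_RE = re.compile(
    r"^\[(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})\]:(?P<log>\S+) "
    r"(?P<chan>ST|PT)?:(?P<text>.*)$")

@dataclass
class TraceEntry:
    ts: str
    chan: str
    text: str
    xml_lines: List[str] = field(default_factory=list)  # XML dumped after this line

    def xml(self) -> Optional[ET.Element]:
        """The XML dump following this line, or None if absent or garbled."""
        if not self.xml_lines:
            return None
        try:
            return ET.fromstring("\n".join(self.xml_lines))
        except ET.ParseError:
            return None  # truncated dump (real traces contain these): skip, do not abort

def parse_trace(text: str) -> List[TraceEntry]:
    """Split a trace into entries; lines that are not trace lines continue an XML dump."""
    entries: List[TraceEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(TraceEntry(m["ts"], m["chan"] or "", m["text"].strip()))
        elif entries:
            entries[-1].xml_lines.append(line)
    return entries

def driver_statuses(entries: List[TraceEntry]) -> List[Tuple[str, str, str]]:
    """(level, type, description) for every <status> element in the XML dumps."""
    found = []
    for entry in entries:
        doc = entry.xml()
        if doc is not None:
            for st in doc.iter("status"):
                found.append((st.get("level", ""), st.get("type", ""),
                              (st.findtext("description") or "").strip()))
    return found

def driver_options(entries: List[TraceEntry]) -> Dict[str, str]:
    """Flatten leaf settings under <init-params> into name -> value; <password> is never collected."""
    opts: Dict[str, str] = {}
    for entry in entries:
        doc = entry.xml()
        if doc is not None:
            for params in doc.iter("init-params"):
                for leaf in params.iter():
                    if len(leaf) == 0 and leaf.tag != "password":
                        opts[leaf.tag] = (leaf.text or "").strip()
    return opts

def review(opts: Dict[str, str], statuses: List[Tuple[str, str, str]]) -> List[str]:
    """Defender-side findings; this heuristic is mine, not a NetIQ rule."""
    findings = [f"{level} status ({kind or 'n/a'}): {desc}"
                for level, kind, desc in statuses if level in ("warning", "error", "fatal")]
    # Non-empty auth context => shim talks to a remote DC; without SSL or sealing the LDAP session is unprotected.
    if opts.get("server") and not any(opts.get(k) == "yes" for k in ("use-ssl", "sealing")):
        findings.append(f"LDAP session to {opts['server']} has neither use-ssl nor "
                        "sealing enabled; directory traffic is not encrypted in transit")
    return findings

def analyze(text: str) -> List[str]:
    entries = parse_trace(text)
    return review(driver_options(entries), driver_statuses(entries))

# Constructed sample in this trace format; host, DN, account and warning text are placeholders.
SAMPLE_TRACE = """\
[12/28/18 18:48:50.155]:adnew.log ST:
<nds dtdversion="4.0" ndsversion="8.x"><input>
<init-params src-dn="\\EXAMPLE_VAULT\\system\\driverset1\\Example AD Driver">
<authentication-info><server>dc1.example.test</server>
<user>EXAMPLE\\svc-idm</user><password><!-- content suppressed --></password>
</authentication-info>
<driver-options><auth-method>Negotiate</auth-method><signing>no</signing>
<sealing>no</sealing><use-ssl>no</use-ssl></driver-options>
</init-params></input></nds>
[12/28/18 18:48:50.164]:adnew.log ST:ADDriver: Driver::init
[12/28/18 18:48:56.237]:adnew.log PT:
<nds dtdversion="2.2"><input><status level="warning" type="driver-status">
<description>Constructed sample warning: password subsystem did not start.</description>
</status></input></nds>
[12/28/18 18:48:56.238]:adnew.log PT:ADDriver: rootDSE information needed.
[12/28/18 18:48:57.000]:adnew.log ST:
<policy>">
"""
```

To use it on a real trace, read the whole file and pass its text to `analyze()`; each returned string is one finding. The last dump in the sample is deliberately truncated, like the broken `<policy>` block in this thread's log, to show that a garbled dump is skipped rather than aborting the run.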
    On 12/28/2018 07:04 AM, frankabhinav wrote:
    >
    > The issue still remains the same. I have attached the full log


    I see the engine-side log here, and it looks like you do NOT have a Remote
    Loader (RL) involved, which is unusual, but if your engine is on Windows
    (also unusual) then that's probably okay, though I'd recommend using the
    RL anytime you can, and in this particular case by putting it on the
    domain controller (DC) itself where you are currently pointing IDM,
    specifically BITS-tz-dc3.in.BITS-tech.com.

    If BITS-tz-dc3.in.BITS-tech.com happens to be the IDM engine host (this
    machine), then clear that authentication context field entirely so it is
    now empty, and try again. If you are running on a DC in the domain
    to/from which you are synchronizing you do not need to specify anything at
    all, since normally the driver shim will talk to the local machine if
    nothing else is specified, and this typically works best, which is part of
    the reason most places (in my experience) run the Remote Loader on a DC.

    > I can also view users inside HKLM\SOFTWARE\NOVELL\PwFilter


    Based on this key I presume you mean on a DC; which one? If this current
    machine, then this machine itself is a DC, in which case see above. If
    some other machine, then knowing which, and how many you have, may be nice.

    Also, I presume if the engine host is NOT a DC in the domain that it is at
    least a member server in the domain, not just some standalone box, and that
    you have had your Microsoft Active Directory (MAD) admins set up
    relationships properly so that it is trusted by DCs. I do not know the
    steps to do that properly, but the IDM MAD driver docs point to something
    from Microsoft to help with that. Better yet, run on a DC itself, but not
    the IDM engine, rather the RL.

    > <filter>
    > <filter-class class-name="User" publisher="sync" publisher-create-homedir="true" publisher-track-template-member="true" subscriber="ignore">
    > <filter-attr attr-name="nspmDistributionPassword" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>


    Why do you have nspmDistributionPassword changed to 'Sync' from 'Notify'?
    That is incorrect; please put it back.

    > <filter-attr attr-name="CN" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Description" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="DirXML-ADAliasName" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Facsimile Telephone Number" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Full Name" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Given Name" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Initials" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Internet EMail Address" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="L" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Login Allowed Time Map" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Login Disabled" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>
    > <filter-attr attr-name="Login Expiration Time" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>
    > <filter-attr attr-name="Physical Delivery Office Name" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Postal Code" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Postal Office Box" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="S" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="SA" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Surname" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Telephone Number" publisher="sync" subscriber="ignore"/>
    > <filter-attr attr-name="Title" publisher="sync" subscriber="ignore"/>
    > </filter-class>
    > <filter-class class-name="Organizational Unit" publisher="sync" subscriber="ignore">
    > <filter-attr attr-name="Description" publisher="sync" subscriber="sync"/>
    > <filter-attr attr-name="OU" publisher="ignore" subscriber="ignore"/>
    > </filter-class>
    > </filter>
    > [12/28/18 18:48:49.874]:adnew.log :Creating subscriber thread.
    > [12/28/18 18:48:50.023]:adnew.log ST:Subscriber thread starting.
    > [12/28/18 18:48:50.074]:adnew.log ST:Initializing driver shim.
    > [12/28/18 18:48:50.075]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-ApplicationSchema.
    > [12/28/18 18:48:50.112]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-ConfigManifest.
    > [12/28/18 18:48:50.115]:adnew.log ST:Loading native shim addriver.dll.
    > [12/28/18 18:48:50.152]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-ShimConfigInfo.
    > [12/28/18 18:48:50.154]:adnew.log ST:Reading XML attribute vnd.nds.stream://NTL_IDM_VAULT/system/driverset1/Active Directory Driver BITS#DirXML-DriverStorage.
    > [12/28/18 18:48:50.155]:adnew.log ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Advanced" version="4.6.0.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <init-params src-dn="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS">
    > <authentication-info>
    > <server>BITS-tz-dc3.in.BITS-tech.com</server>


    This IDM engine, on whatever box, is trying to reach out to
    BITS-tz-dc3.in.BITS-tech.com, which is a different box and a DC, to
    authenticate with a user in the INBITS-TECH domain named IdmAdmin and that
    is all fine, assuming it is true. If any of that statement is not true,
    then you need to fix settings.

    > <user>INBITS-TECH\IdmAdmin</user>
    > <password><!-- content suppressed --></password>
    > </authentication-info>
    > <driver-options>
    > <auth-options display-name="Show authentication options">show</auth-options>
    > <auth-method display-name="Authentication Method">Negotiate</auth-method>
    > <signing display-name="Digitally sign communications">no</signing>
    > <sealing display-name="Digitally sign and seal communications">yes</sealing>
    > <use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">yes</use-ssl>


    Sadly I can never remember all the situations for SSL and Sealing to be
    used between the MAD shim (addriver.dll) and the DC. If you are running
    on a DC itself, you turn all of these to 'no' and clear out the
    Authentication Context field above and it just works nicely. Luckily the
    documentation covers this, so if you have gone through that I suppose it's
    fine; others may give better pointers here.

    How many DCs do you have in this domain? Is this a test or production domain?

    > [12/28/18 18:48:56.238]:adnew.log PT:ADDriver: rootDSE information needed.
    >
    > [12/28/18 18:48:56.239]:adnew.log PT:ADDriver: Make unauthenticated connection to rootDSE
    >
    > [12/28/18 18:48:57.709]:adnew.log PT:ADDriver: unauthenticated connection to rootDSE succeeded
    >
    > [12/28/18 18:48:57.709]:adnew.log PT:ADDriver: read rootDSE information
    > [12/28/18 18:48:57.731]:adnew.log PT:ADDriver:
    > LDAP Session Information
    >
    > LDAP version: 3
    > Domain DNS name:
    > Server DNS name: BITS-TZ-DC3.IN.BITS-Tech.com
    > Host reachable: 1
    > Using SSL: 1
    >
    > Naming contexts
  • On 01/03/2019 01:14 AM, frankabhinav wrote:
    >
    > Yes *ab*, my IDM engine is installed on a Windows 2012 and I have done
    > the changes you told me to.


    I presume the problem persists; perhaps it is time for updated traces, then.

    > The MAD team won't allow us to install the RL on a DC and I don't think
    > we need to install the RL directly on a DC. Furthermore my DC server is
    > in production and the firewall is closed; only McAfee is running. I have
    > checked the McAfee log; it was blocking it from reading the registry, but
    > now we have whitelisted it.


    Care to explain exactly how you whitelisted things, in case others hit the
    same thing, or what you saw in the McAfee product's logs? Was this on all
    DCs, or somehow system-wide, I presume? Was it also on the box where the
    driver (shim) is running, which in your case is the engine box, but to the
    PassSync (vs. PwFilter) key?

    > Is there anywhere else to look into?


    Traces are usually the key. Alternatively, this is all using Microsoft's
    RPC for communication among boxes, so the logs there can sometimes help
    along with the password sync troubleshooting tool, but usually traces
    (level five (5)) give sufficient information for most environments and issues.

    Another option may be to have a test setup, sans things like McAfee and
    other GPO-based changes, to see that things work prior to outside
    interference. If so, then it is possible for you (or the McAfee folks, or
    the MAD admins) to re-impose changes, one at a time perhaps, to see when
    things break.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
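Added here as an example, not code from this thread or from NetIQ: a PowerShell check, run on the box that loads addriver.dll, for the points raised in the replies above, namely whether that host is itself a DC (in which case the authentication context and the signing/sealing/SSL options should be cleared), whether the configured DC is reachable on 636 or 389, and whether the PwFilter and PassSync registry keys are present. The init-params sample is constructed from the trace quoted earlier, and the HKLM\SOFTWARE\Novell\PassSync path is my assumption; the PwFilter path is the one named in the thread.

```powershell
# Added diagnostic for the AD driver shim host; not code from the thread or from NetIQ.
# Run in an elevated Windows PowerShell on the box that loads addriver.dll.

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
function Test-IsDomainController {
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

# Read the DC name and the SSL switch out of the init-params block of a level-5 trace.
function Get-ShimAuthTarget([xml]$Trace) {
    $params = $Trace.nds.input.'init-params'
    [pscustomobject]@{
        Server = $params.'authentication-info'.server
        UseSsl = ($params.'driver-options'.'use-ssl'.'#text' -eq 'yes')
    }
}

# Plain TCP reachability test with a timeout (no LDAP bind, no credentials involved).
function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Constructed sample, trimmed from the init-params quoted in this thread.
$trace = [xml]@"
<nds dtdversion="4.0" ndsversion="8.x"><input>
<init-params src-dn="\NTL_IDM_VAULT\system\driverset1\Active Directory Driver BITS">
<authentication-info><server>BITS-tz-dc3.in.BITS-tech.com</server><user>INBITS-TECH\IdmAdmin</user></authentication-info>
<driver-options><use-ssl display-name="Use SSL for LDAP connection between Driver Shim and AD">yes</use-ssl></driver-options>
</init-params></input></nds>
"@

$target = Get-ShimAuthTarget $trace
if (Test-IsDomainController) {
    "This host is a DC: clear the authentication context and set signing, sealing and SSL to 'no', as advised above."
} else {
    $port = if ($target.UseSsl) { 636 } else { 389 }   # LDAPS vs. plain LDAP
    "Not a DC: the shim must reach $($target.Server):$port -> reachable = $(Test-TcpPort $target.Server $port)"
}

# PwFilter is the key quoted in the thread (expected on each DC); the PassSync path is an
# assumption for the shim host's cache key, so confirm it against your own install.
foreach ($key in 'HKLM:\SOFTWARE\Novell\PwFilter', 'HKLM:\SOFTWARE\Novell\PassSync') {
    if (Test-Path $key) { "$key present; subkeys: $((Get-ChildItem $key).PSChildName -join ', ')" }
    else { "$key missing" }
}
```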
  • frankabhinav;2493094 wrote:
    Yes ab, my IDM engine is installed on a Windows 2012 and I have done the changes you told me to.

    The MAD team won't allow us to install the RL on a DC and I don't think we need to install the RL directly on a DC. Furthermore my DC server is in production and the firewall is closed; only McAfee is running. I have checked the McAfee log; it was blocking it from reading the registry, but now we have whitelisted it.

    Is there anywhere else to look into?


    In addition to everything else, with eDir on Windows, be sure to configure the A/V software not to interfere with any file access under the c:\netiq (or wherever) path. If the A/V software starts getting in the middle of disk I/O for the DIB, you will have problems.

    Same for the remote loader, when in use.

    I've worked with McAfee before, and it was OK with a simple configuration setting for that. I had a client with Kaspersky that absolutely would not stop interfering with the disk I/O, no matter how they configured it.