allenmorris

AD Password change not being seen by RemoteLoader


Hello,

Have a weird problem getting our Production AD password sync started.

I have this working in Development, though when I moved everything to
Prod the Remote Loader looks to be dropping password changes.

New users created using iManager in the IDV tree are created in AD and
the passwords are synced across. Passwords changed by Ctrl-Alt-Del and
by the admin console in AD are changed in AD, though dropped in RL.

Any suggestions on where to look are greatly appreciated.

Allen

DirXML: [08/12/15 12:16:05.28]:
DirXML Log Event -------------------
Driver = \PHSIDV\pembroke\services\Pluto Driver Set\Active
Directory Driver
Thread = Publisher Channel
Level = success
DirXML: [08/12/15 12:17:05.22]: ADDriver: get object changes - 0x0000
DirXML: [08/12/15 12:17:05.22]: ADDriver: process object change entry
DirXML: [08/12/15 12:17:05.22]: ADDriver: Processing change from AD:
isDeleted: NULL, whenCreated NULL, name NULL
DirXML: [08/12/15 12:17:05.22]: ADDriver: Publisher MODIFY
DirXML: [08/12/15 12:17:05.22]: ADDriver: Publisher Modify-
effectiveClassQuery dn=CN=Kris
Keller,OU=Users,OU=Faculty,OU=WardParkway,DC=pembrokehill,DC=org
className=user
DirXML: [08/12/15 12:17:05.22]: ADDriver: accountExpires
DirXML: [08/12/15 12:17:05.22]: ADDriver: description
DirXML: [08/12/15 12:17:05.22]: ADDriver: dirxml-uACAccountDisable
DirXML: [08/12/15 12:17:05.22]: ADDriver: displayName
DirXML: [08/12/15 12:17:05.22]: ADDriver: facsimileTelephoneNumber
DirXML: [08/12/15 12:17:05.22]: ADDriver: givenName
DirXML: [08/12/15 12:17:05.22]: ADDriver: initials
DirXML: [08/12/15 12:17:05.22]: ADDriver: l
DirXML: [08/12/15 12:17:05.22]: ADDriver: logonHours
DirXML: [08/12/15 12:17:05.22]: ADDriver: mail
DirXML: [08/12/15 12:17:05.22]: ADDriver: ou
DirXML: [08/12/15 12:17:05.22]: ADDriver: physicalDeliveryOfficeName
DirXML: [08/12/15 12:17:05.23]: ADDriver: postOfficeBox
DirXML: [08/12/15 12:17:05.23]: ADDriver: postalCode
DirXML: [08/12/15 12:17:05.23]: ADDriver: sAMAccountName
DirXML: [08/12/15 12:17:05.23]: ADDriver: sn
DirXML: [08/12/15 12:17:05.23]: ADDriver: st
DirXML: [08/12/15 12:17:05.23]: ADDriver: streetAddress
DirXML: [08/12/15 12:17:05.23]: ADDriver: telephoneNumber
DirXML: [08/12/15 12:17:05.23]: ADDriver: title
DirXML: [08/12/15 12:17:05.23]: ADDriver: userPrincipalName
DirXML: [08/12/15 12:17:05.23]: Loader: Received document from
publicationShim
DirXML: [08/12/15 12:17:05.23]: Loader: XML Document:
DirXML: [08/12/15 12:17:05.23]: <nds dtdversion="2.2">
<source>
<product build="20120330_120000"
instance="\PHSIDV\pembroke\services\Pluto Driver Set\Active Directory
Driver" version="4.0.0.0">AD</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<init-params>
<publisher-state>
<cookie>TVNEUwMAAABf4fa1ItXQAQAAAAAAAAAAiAAAAHsBCwAAAAAAAAAAAAAAAAB7AQsAAAAAAJsKrIAwzMdHvn6FEeUoGloBAAAAAAAAAAUAAAAAAAAAdwyVdyAj80SfLQDx/hMtzsVwDgAAAAAAmwqsgDDMx0e+foUR5SgaWn8BCwAAAAAAI+uJqJW6ik667ymDQH0JaiUhCAAAAAAABosgxFGcv0mrA2yT3Qu0l885CwAAAAAAWwmy/RHmX02Brq9CDCgcwL/BAwAAAAAA</cookie>
</publisher-state>
</init-params>
</input>
</nds>
DirXML: [08/12/15 12:17:05.23]: Loader: Writing driver state to file
DirXML: [08/12/15 12:17:05.23]: Loader: Document consists only of state;
not sending to remote side
DirXML: [08/12/15 12:17:05.23]: Loader: Returning to publisher:
DirXML: [08/12/15 12:17:05.23]: Loader: XML Document:
DirXML: [08/12/15 12:17:05.23]: <nds ndsversion="8.6" dtdversion="1.0">


--
allenmorris
------------------------------------------------------------------------
allenmorris's Profile: https://forums.netiq.com/member.php?userid=1565
View this thread: https://forums.netiq.com/showthread.php?t=54041

Lothar Haeger (Knowledge Partner)

Re: AD Password change not being seen by RemoteLoader

allenmorris wrote:

> Driver" version="4.0.0.0">AD</product>


First of all, get your environment updated to the current versions (AD driver
is at v4.0.1.0, iirc), and do not forget the RL patches. 🙂

Then try out the new Password sync troubleshooting tool that comes with IDM 4.5
and is described in detail by Geoffrey at
https://www.netiq.com/communities/cool-solutions/active-directory-password-troubleshooter-tool-part-1/
(ask for part 2, if part 1 does not help at all!)

Good luck!
______________________________________________
https://www.is4it.de/identity-access-management
geoffc (Knowledge Partner)

Re: AD Password change not being seen by RemoteLoader

On 8/12/2015 3:42 PM, Lothar Haeger wrote:
> allenmorris wrote:
>
>> Driver" version="4.0.0.0">AD</product>
>
> First of all, get your environment updated to the current versions (AD driver
> is at v4.0.1.0, iirc), and do not forget the RL patches. 🙂
>
> Then try out the new Password sync troubleshooting tool that comes with IDM 4.5
> and is described in detail by Geoffrey at
> https://www.netiq.com/communities/cool-solutions/active-directory-password-troubleshooter-tool-part-1/
> (ask for part 2, if part 1 does not help at all!)


If you have learned nothing from my writing, part1 is never of any help.
It is part 13 that usually has the real answer you were looking for. 🙂

(Working on a Validator series... Would anyone be interested in a
shorter book on Validator? I think I could whip that out pretty fast...)


joakim_ganse (Knowledge Partner)

Re: AD Password change not being seen by RemoteLoader


geoffc;259818 Wrote:
> On 8/12/2015 3:42 PM, Lothar Haeger wrote:
> > allenmorris wrote:
> >
> >> Driver" version="4.0.0.0">AD</product>
> >
> > First of all, get your environment updated to the current versions (AD
> > driver is at v4.0.1.0, iirc), and do not forget the RL patches. 🙂
> >
> > Then try out the new Password sync troubleshooting tool that comes
> > with IDM 4.5 and is described in detail by Geoffrey at
> > http://tinyurl.com/o9d83qu
> > (ask for part 2, if part 1 does not help at all!)
>
> If you have learned nothing from my writing, part1 is never of any
> help. It is part 13 that usually has the real answer you were looking for.
> 🙂
>
> (Working on a Validator series... Would anyone be interested in a
> shorter book on Validator? I think I could whip that out pretty
> fast...)


That depends on which part you intend to focus on. I would certainly
read part 13 or the summary, but you can skip the rest this time 🙂


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
View this thread: https://forums.netiq.com/showthread.php?t=54041

Lothar Haeger (Knowledge Partner)

Re: AD Password change not being seen by RemoteLoader

allenmorris wrote:

> Any suggestions on where to look are greatly appreciated.


You did install PW filters on all DCs (and rebooted them afterwards), didn't you?
______________________________________________
https://www.is4it.de/identity-access-management
allenmorris

Re: AD Password change not being seen by RemoteLoader


Hello,

Thanks for your great suggestions.

Will download the latest AD and the tools off the 4.5 DVD.

Yes, PW filter is installed on all.

Thanks again.


--
allenmorris

al_b (Knowledge Partner)

Re: AD Password change not being seen by RemoteLoader


Hi Allen,
Usually a Dev/QA environment is much simpler than production (just one
DC that also hosts the RL).
What kind of configuration do you have? (How many AD domains / domain level?)

Where did you install the Remote Loader? (DC / member server)
Do you have the PassSync filter installed on ALL your DCs?

Alex


--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=54041
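Added example, not from this thread and not NetIQ's tooling: a PowerShell check for the question Lothar and Alex both ask above, whether the password filter is actually active on every DC. A Windows password filter only takes effect once its DLL is listed in LSA's "Notification Packages" value and the DC has been rebooted, so the script reports both for each DC. $DomainControllers and $FilterDll are placeholders (the thread never names the DLL), and the DLL is assumed to live in System32, where password filters normally go.

```powershell
# Added example, not from the thread or any vendor. Placeholders (assumptions):
#   $DomainControllers - your DC names
#   $FilterDll         - base name of the password filter DLL, without ".dll"
param(
    [string[]] $DomainControllers = @('DC01', 'DC02'),
    [string]   $FilterDll = 'PLACEHOLDER_PwFilter'
)

# Runs on each DC: is the DLL registered with LSA, present on disk, and has the
# DC booted since the DLL was written (LSA loads Notification Packages at boot only)?
$check = {
    param($Dll)
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsa -Name 'Notification Packages').'Notification Packages'
    $dllPath  = Join-Path $env:SystemRoot "System32\$Dll.dll"   # assumed location
    $dllTime  = if (Test-Path $dllPath) { (Get-Item $dllPath).LastWriteTime } else { $null }
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Registered    = [bool]($packages -contains $Dll)
        DllPresent    = ($null -ne $dllTime)
        RebootedSince = ($null -ne $dllTime -and $lastBoot -gt $dllTime)
        Packages      = ($packages -join ',')
    }
}

$results = foreach ($dc in $DomainControllers) {
    Invoke-Command -ComputerName $dc -ScriptBlock $check -ArgumentList $FilterDll
}

$results | Format-Table Computer, Registered, DllPresent, RebootedSince, Packages -AutoSize

# Any DC failing one of the three conditions will never send password changes to the RL.
foreach ($r in $results | Where-Object { -not ($_.Registered -and $_.DllPresent -and $_.RebootedSince) }) {
    Write-Warning ("{0}: filter not active (registered={1}, dll={2}, rebooted since install={3})" -f
        $r.Computer, $r.Registered, $r.DllPresent, $r.RebootedSince)
}
```

Run it from a workstation with WinRM access to the DCs; a DC that shows Registered but not RebootedSince is the classic "installed the filter, forgot the reboot" case Lothar's question is aimed at.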

allenmorris

Re: AD Password change not being seen by RemoteLoader


Al, thanks for your reply.

Dev is simpler, we have two DCs, the master and the box running the RL.

We now have 5 DCs. A Master for the whole school, a Master on our other
campus, the RL box, and two print servers, one at each campus.

I've added the PWfilter on each of the DCs, through the PassSync
console.

I did test, since my original post, that when using the User admin
console on the RL the password gets synced to IDM.

I checked the registry on the DCs; it looked correct. And I can ping the
RL box by URL from each DC.

Allen


--
allenmorris

al_b (Knowledge Partner)

Re: AD Password change not being seen by RemoteLoader


Thank you, Allen.
I just want to summarize your info:
1. You have 5 DCs
2. Remote Loader installed on one of the DCs
3. PWfilter installed on every DC
4. AD driver version 4.0.0.0

Lothar already gave you very good direction for Pwd troubleshooting.
Please keep us updated on your progress.


--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
al_b

allenmorris

Re: AD Password change not being seen by RemoteLoader


I ran the testing software on the Domain.

I received the same error Geoffrey did; "Error occurred while opening
registry key.... Access is denied."

I noticed this yesterday when I tried removing the dlls from the DCs and
adding them back.

Does anyone know where this access denied is coming from? I am using the
Domain administrator account.

Any suggestions are greatly appreciated.

Allen


--
allenmorris

al_b (Knowledge Partner)

Re: AD Password change not being seen by RemoteLoader


allenmorris;259803 Wrote:
> I ran the testing software on the Domain.
>
> I received the same error Geoffrey did; "Error occurred while opening
> registry key.... Access is denied."
>
> I noticed this yesterday when I tried removing the dlls from the DCs and
> adding them back.
>
> Does anyone know where this access denied is coming from? I am using the
> Domain administrator account.
>
> Any suggestions are greatly appreciated.
>
> Allen


Hi Allen,
As usual, we have many ways to deal with this problem (and seize
ownership of the Registry subkeys).


All this info is from MS forums; please look at it carefully.
1.
> First be sure you run RegEdit as Administrator
> Right click the key in the left hand pane ... select permissions from
> the context menu
> In the permissions dialog, click the advanced button.
> In the advanced security settings dialog switch to the Owner tab
> I assume your usercode is a member of the local Administrators group
> Click the Replace owner on subcontainers and objects box.
> If Administrators is NOT the owner, select it in the change owner to
> box...press Apply...OK.
> You are now back at the Permissions dialog box.
> Select Administrators and give them Full control by selecting the Full
> Control checkbox in the Allow column...press Apply ... Ok
> It has been a while since I have had to do this ... so I might be off a
> little on the steps.
> The key is IGNORE any messages that say you don't have enough
> rights...
> You must do each key... one at a time....:)
>


2.
>
> to be able to take ownership, you should be logged in with administrator
> privileges. the easiest way is to enable the built-in and hidden super
> administrator account.
> goto start menu, find the icon to open cmd -don't open/run it-, right
> click on it->run as administrator.
> then on the cmd console, type:
> net user administrator /active:y
> press enter. if everything ok, there should be prompted: ...
> successfully.
> logoff windows. you should see the Administrator account. it usually has
> no password.
> login using administrator, then you can take the ownership on most files
> including the registry key
>

3.
>
> I came here searching for a solution, and since there isn't one, I
> found it by myself. So I will write it here in case someone gets the same
> problem.
>
> First, we need download and install SubInACL from here (
> http://www.microsoft.com/en-us/download/details.aspx?id=23510 )
>
> Now open notepad and paste the following:
> subinacl /keyreg HKEY_CLASSES_ROOT /setowner=###
> subinacl /subkeyreg HKEY_CLASSES_ROOT /setowner=###
>
> subinacl /keyreg HKEY_CURRENT_USER /setowner=###
> subinacl /subkeyreg HKEY_CURRENT_USER /setowner=###
>
> subinacl /keyreg HKEY_LOCAL_MACHINE /setowner=###
> subinacl /subkeyreg HKEY_LOCAL_MACHINE /setowner=###
>
> subinacl /keyreg HKEY_USERS /setowner=###
> subinacl /subkeyreg HKEY_USERS /setowner=###
>
>
> Note: Replace ### with your Administrators group. This may change
> depending on your Windows language. For English it is "Administrators"; for
> Spanish, which is my case, it is "Administradores" (both without quotes).
> Save the file as setowner.cmd in the directory "C:\Program Files
> (x86)\Windows Resource Kits\Tools" (where subinacl.exe is located).
> Open command prompt and run the following:
>
> cd "C:\Program Files\Windows Resource Kits\Tools"
>
> Press enter and type:
> setowner.cmd
>
> Press enter again and wait till it finishes. Some keys may fail; this is
> ok.
> After this has finished you can see that if you try to access some of
> those keys without an owner, they still haven't any, but now they
> display a text saying that even if the key has no owner assigned
> you may still be able to change permissions.
> Now we need create a new cmd file in the same location than setowner.cmd
> with the following:
>
> subinacl /keyreg HKEY_CLASSES_ROOT /grant=####=f /grant=system=f /grant=****=f /setowner=####
> subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=####=f /grant=system=f /grant=****=f /setowner=####
>
> subinacl /keyreg HKEY_CURRENT_USER /grant=####=f /grant=system=f /grant=****=f /setowner=####
> subinacl /subkeyreg HKEY_CURRENT_USER /grant=####=f /grant=system=f /grant=****=f /setowner=####
>
> subinacl /keyreg HKEY_LOCAL_MACHINE /grant=####=f /grant=system=f /grant=****=f /setowner=####
> subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=####=f /grant=system=f /grant=****=f /setowner=####
>
> subinacl /keyreg HKEY_USERS /grant=####=f /grant=system=f /grant=****=f /setowner=####
> subinacl /subkeyreg HKEY_USERS /grant=####=f /grant=system=f /grant=****=f /setowner=####
>
>
> Note: Replace #### with your Administrators group. This may change
> depending on your Windows language. For English it is "Administrators"; for
> Spanish, which is my case, it is "Administradores" (both without quotes).
> Replace **** with your username.
>
> Save the file as changeperm.cmd
> Run the command prompt again and this time run the last saved file,
> changeperm.cmd
> After this has finished you can check the keys without an owner and see that now
> all of them have rights for system, administrators and your user, which
> means that your registry is fixed and restored to the default state.
> I hope it works for everyone like it did for me.
> PS: In case this doesn't work, check your commands carefully for
> typos and try them logged in in safe mode.
>



--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
al_b

allenmorris

Re: AD Password change not being seen by RemoteLoader


al_b,

Thank you for your detailed post.

I did find a post at Microsoft on changing the permissions.

I concentrated on the "Data" key. First, the domain Administrator was
the owner of the key and had full permissions as Owner. System also had
permissions. The Domain Administrator had "Special Permissions"
explicitly assigned; sorry, I didn't write them down.

The funny thing was that the Domain Administrator had explicit "Full"
permissions assigned to the PWfilter key, though not the Data key. I
just went ahead and gave the Domain Administrator "Full" permissions to
the Data key.

I reran the tool and all processes came back correct.

I then tested changing a user's password. The DCs can now communicate
with the RL and process the password change.

It's still not functioning correctly, I'm getting an Error 8021 "Failed
to set NMAS Password", but that is an issue for another post.

As always, thanks so very much for your assistance.

Allen


--
allenmorris
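Added example, not from the thread and not Microsoft's or NetIQ's code: a read-only PowerShell audit of the registry key the troubleshooter could not open ("Access is denied"), run against every DC. It reports the key's owner and whether the administrative account holds an explicit Full Control allow, which is exactly the difference Allen found between the PWfilter key and its Data key. It checks rather than seizes ownership, so it can be run before deciding whether the hive-wide subinacl scripts quoted in al_b's post are needed at all. $KeyPath, $DomainControllers and $Identity are placeholders, since the thread gives neither the key's path nor the account name.

```powershell
# Added example, not from the thread or any vendor. Placeholders (assumptions):
#   $DomainControllers - your DC names
#   $KeyPath           - the filter's "Data" key, relative to HKLM
#   $Identity          - the account that must hold Full Control on it
param(
    [string[]] $DomainControllers = @('DC01', 'DC02'),
    [string]   $KeyPath  = 'SOFTWARE\VENDOR_PLACEHOLDER\PwFilter\Data',
    [string]   $Identity = 'DOMAIN_PLACEHOLDER\Administrator'
)

# Runs on each DC. Only reads the security descriptor; never changes owner or ACL.
$audit = {
    param($Path, $Who)
    $full = "HKLM:\$Path"
    $row  = [ordered]@{ Computer = $env:COMPUTERNAME; Exists = $false; Owner = $null; FullControl = $false; Rules = @() }
    if (-not (Test-Path $full)) { return [pscustomobject]$row }
    $row.Exists = $true
    try {
        $acl = Get-Acl -Path $full -ErrorAction Stop
    } catch {
        # Same symptom the troubleshooter showed in the thread: the key is there,
        # but the caller cannot even read its security descriptor.
        $row.Owner = 'ACCESS DENIED'
        return [pscustomobject]$row
    }
    $fc = [System.Security.AccessControl.RegistryRights]::FullControl
    $row.Owner = $acl.Owner
    $row.Rules = @($acl.Access | ForEach-Object { "$($_.IdentityReference) $($_.AccessControlType) $($_.RegistryRights)" })
    # True only if an Allow entry for $Who carries every bit of FullControl.
    $row.FullControl = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $Who -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $fc) -eq $fc)
    })
    [pscustomobject]$row
}

$results = foreach ($dc in $DomainControllers) {
    Invoke-Command -ComputerName $dc -ScriptBlock $audit -ArgumentList $KeyPath, $Identity
}

$results | Format-Table Computer, Exists, Owner, FullControl -AutoSize

# Print the full ACL only for DCs that need attention, so the fix is targeted
# at one key on one host instead of every hive on every DC.
foreach ($r in $results | Where-Object { -not $_.Exists -or -not $_.FullControl }) {
    Write-Warning "$($r.Computer): key missing, unreadable, or '$Identity' lacks Full Control"
    $r.Rules | ForEach-Object { Write-Warning "    $_" }
}
```

A DC reporting Owner = ACCESS DENIED while you run as the domain administrator is the state Allen describes; a DC reporting the owner but FullControl = False is the "special permissions on Data, Full on PWfilter" state, and the listed rules show which entry is missing.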

Knowledge Partner

Re: AD Password change not being seen by RemoteLoader

On 08/13/2015 10:34 AM, allenmorris wrote:
>
> It's still not functioning correctly, I'm getting an Error 8021 "Failed
> to set NMAS Password", but that is an issue for another post.


When you start the other thread, include a level three trace from the
engine side of this error, and include as many details about your password
policy as possible. Chances are this is a simple configuration issue, or
a password that is just too weak to be allowed, though rights may also
apply perhaps.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
allenmorris

Re: AD Password change not being seen by RemoteLoader


Thank you everyone for your replies.

The final solution had to do with the Firewall on the prod RL Server.
In Dev. there is no Firewall so we never encountered the issue.

In the Firewall settings there is a place where you can enable
communication between servers. On the server running the RL you need to
"Allow" incoming communications to the DirXML Remote Loader Executable.

This is done in Firewall | Allow programs | Allow another program.

Hope this helps others.

Allen


--
allenmorris
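Added example, not from the thread and not NetIQ's code: Allen's final fix done from PowerShell on the Remote Loader host, followed by the check that would have exposed the problem earlier. Ping from a DC (as in Allen's earlier post) only proves the host answers ICMP; a TCP test from each DC to the Remote Loader's port proves the listener is reachable through the host firewall. $RemoteLoaderExe, $RemoteLoaderPort and $DomainControllers are placeholders (the thread names neither the executable's path nor the port), and the rule is restricted to the domain profile and that one TCP port rather than allowing the program on every profile.

```powershell
# Added example, not from the thread or any vendor. Placeholders (assumptions):
#   $RemoteLoaderExe   - path of the DirXML Remote Loader executable on this host
#   $RemoteLoaderPort  - TCP port the Remote Loader listens on for the DC filters
#   $DomainControllers - the DCs that must reach it
param(
    [string]   $RemoteLoaderExe   = 'C:\PLACEHOLDER\dirxml_remote.exe',
    [int]      $RemoteLoaderPort  = 12345,
    [string[]] $DomainControllers = @('DC01', 'DC02'),
    [string]   $RuleName          = 'DirXML Remote Loader (inbound from DCs)'
)

# 1. On the RL host: is there already an enabled inbound Allow rule for this program?
$existing = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallApplicationFilter).Program -ieq $RemoteLoaderExe }

if (-not $existing) {
    # Equivalent of "Allow programs | Allow another program" in the GUI, but scoped:
    # domain profile only, and only the RL's own TCP port.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Program $RemoteLoaderExe -Profile Domain -Protocol TCP -LocalPort $RemoteLoaderPort | Out-Null
    Write-Host "Created inbound rule '$RuleName' for $RemoteLoaderExe on TCP $RemoteLoaderPort"
} else {
    Write-Host "Inbound rule already present: $($existing.DisplayName -join ', ')"
}

# 2. From each DC: confirm a TCP connection to the RL port actually succeeds.
#    ICMP ping can pass while the program's port is still blocked.
$rlHost = $env:COMPUTERNAME
foreach ($dc in $DomainControllers) {
    $ok = Invoke-Command -ComputerName $dc -ScriptBlock {
        param($h, $p)
        (Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    } -ArgumentList $rlHost, $RemoteLoaderPort
    if ($ok) {
        Write-Host "$dc -> ${rlHost}:$RemoteLoaderPort reachable"
    } else {
        Write-Warning "$dc -> ${rlHost}:$RemoteLoaderPort blocked; password changes from this DC will not reach the Remote Loader"
    }
}
```

In a Dev environment with the firewall off, step 2 passes on every DC, which is why the problem only showed up in Prod; running the same reachability loop as part of the Prod rollout checklist catches it before the first password change is lost.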

al_b (Knowledge Partner)

Re: AD Password change not being seen by RemoteLoader


allenmorris;260118 Wrote:
> Thank you everyone for your replies.
>
> The final solution had to do with the Firewall on the prod RL Server.
> In Dev. there is no Firewall so we never encountered the issue.
>
> In the Firewall settings there is a place where you can enable
> communication between servers.
>
> ON THE SERVER RUNNING THE RL YOU NEED TO "ALLOW" INCOMING
> COMMUNICATIONS TO THE DIRXML REMOTE LOADER EXECUTABLE.
> THIS IS DONE IN FIREWALL | ALLOW PROGRAMS | ALLOW ANOTHER PROGRAM.
>
> Hope this helps others.
>
> Allen


Hi Allen,
Thank you for sharing your solution!


--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
al_b