Troubleshooting

The information below is intended for administrators who are responsible for troubleshooting Specops Password Sync. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Password Sync.

Best Practices

Installation troubleshooting

If you are experiencing problems after the initial configuration, you can use the list below to verify that the components are connected correctly:

  1. Verify that the Password Change Notifier has been installed on all Domain Controllers.
    How: Verify that the service Specops Password Sync Notifier Service is running on each Domain Controller. You can find this in the Services application, or you can query the service on the Domain Controllers using PowerShell.
  2. View the event log on each Domain Controller to verify that the Domain Controller has been restarted. The start event from the Notifier Filter and Notifier Service should be logged to the event log.
    How: An event will be written to the application event log as Change Notifier Service with event ID 152.
  3. Verify that the Sync Server service is started on the Sync Server.
    How: An event will be written to the application event log as Sync Server with event ID 150.
  4. Verify that the following configuration has been made:
    • Sync Scope created and target user located beneath the Sync Scope.
    • Sync Server added to the Sync Scope.
    • Sync Point created and configured to use the Sync Server.
    • Specops Password Sync GPO created, configured to use the Sync Point, and linked to affect the target user.
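As an added example (not from the Specops documentation), the following PowerShell script runs the first three checks above from one administration workstation. It assumes the ActiveDirectory RSAT module, remote CIM and event-log access to the Domain Controllers and the Sync Server, and that the service display name and the event provider names match the text above exactly; confirm them with Get-Service and Get-WinEvent before relying on the output.

```powershell
# Added example, not part of the product. Assumed names (verify on your installation):
#   service display name : 'Specops Password Sync Notifier Service'
#   event providers      : 'Change Notifier Service' (ID 152), 'Sync Server' (ID 150)
param(
    [Parameter(Mandatory)] [string] $SyncServer   # hostname of the Sync Server
)
Import-Module ActiveDirectory

function Test-NotifierService {
    param([string] $Computer)
    # Win32_Service over CIM works from both Windows PowerShell and PowerShell 7.
    $svc = Get-CimInstance -ComputerName $Computer -ClassName Win32_Service |
        Where-Object DisplayName -eq 'Specops Password Sync Notifier Service'
    if (-not $svc) { return 'NotInstalled' }
    return $svc.State            # 'Running' is the expected value
}

function Get-StartEvent {
    # Newest start event for a component since the last boot, or $null if none.
    param([string] $Computer, [string] $Provider, [int] $Id)
    $boot = (Get-CimInstance -ComputerName $Computer -ClassName Win32_OperatingSystem).LastBootUpTime
    Get-WinEvent -ComputerName $Computer -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = $Provider; Id = $Id; StartTime = $boot
    }
}

# Step 1 and 2: every DC must run the notifier service and show event 152 since its last boot.
$results = @(foreach ($dc in Get-ADDomainController -Filter *) {
    $start = Get-StartEvent -Computer $dc.HostName -Provider 'Change Notifier Service' -Id 152
    [pscustomobject]@{
        Computer        = $dc.HostName
        Role            = 'DomainController'
        NotifierService = Test-NotifierService -Computer $dc.HostName
        StartEventSeen  = [bool] $start   # $false: not restarted since install, or filter not loaded
    }
})

# Step 3: the Sync Server must show event 150 (service started) since its last boot.
$results += [pscustomobject]@{
    Computer        = $SyncServer
    Role            = 'SyncServer'
    NotifierService = 'n/a'
    StartEventSeen  = [bool] (Get-StartEvent -Computer $SyncServer -Provider 'Sync Server' -Id 150)
}

$results | Format-Table -AutoSize
```

Any row with NotifierService other than Running, or StartEventSeen equal to False, points at the host to investigate before moving on to the component troubleshooting procedure.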

Component troubleshooting

If you are still experiencing problems after the initial configuration and installation, you can use the component troubleshooting procedure to identify the source of the problem. The procedure below follows the chain of actions that take place when a password is changed. The steps below require a test account that is configured with a Specops Password Sync policy.

  1. From the selected Domain Controller, open Active Directory Users and Computers.
  2. Reset the password of the test account.
  3. Monitor the Application event log on the domain controller. The event log should contain entries from the Change Notifier Filter and Notifier service indicating that the password was received.
  4. Verify that the Sync Server service is running.
  5. Monitor the Event log on the Sync Server. The event log should contain an entry for the new sync job.

If you have identified discrepancies in the event log, they can be attributed to one of the following problems that can occur in the communication between the Change Notifier and the Sync Server:

  • Firewall blocking the communication: The Change Notifier on the domain controllers needs to connect to the Sync Server (default port tcp/4377) to deliver the sync jobs.
  • Domain Controller or the Sync Server does not trust the certificate of the remote partner: The Sync Server may be using a self-signed certificate that is not trusted by the domain controllers.

If you cannot identify any problems in the event log, the source of the problem may be outside of the product. You can use the FileWriter provider to test the system.

Test the system using the File Writer provider

The File Writer Provider can be used to test the Specops Password Sync component configuration. When the File Writer receives a password change request, it writes the user name and a timestamp to a log file, allowing you to verify that the system is set up correctly. The File Writer provider does not communicate with any external system.

The File Writer installation package can be found in the directory you extracted the Specops Password Sync setup package to (default: “C:\temp”). Relative to that directory, the path to the installation package is:

\Products\SpecopsPasswordSync\SpecopsPasswordSyncTestProviders-xXX.msi

The File Writer Provider should be installed on the Sync Server. The Specops Password Sync Server service must be restarted after the installation in order for the provider to be visible in the Specops Password Sync Administration Tool. When the File Writer provider has been installed, you can follow the procedure below to test it:

  1. Create a new Sync Point and configure it to use the File Writer provider.
    Note: You must select the Sync Server where the File Writer is installed.
  2. Follow the Component Troubleshooting procedure to reset the password.
  3. Monitor the appropriate event logs. If the system is working, you will see a number of entries indicating that the File Writer provider successfully completed the synchronization.

Common Issues

Password does not synchronize for admin account

Possible cause

Specops Password Sync by default will not synchronize password changes for privileged accounts. This default behavior is good security practice.

Possible solution

Privileged accounts by definition have access to critical business data and systems. It is often desirable to ensure these privileged users maintain different complex passwords on each system. Making the change below should not be done without taking the security implications into consideration. To allow password synchronization for admin accounts, you will need to manually add the following registry setting on all Domain Controllers:

  1. From the Registry Editor, browse to HKLM\Software\Specopssoft\Specops Password Sync\ChangeNotifier.
  2. Right-click, select New, and click DWORD (32-bit) Value.
  3. In the value name field enter AllowSyncForAdministrators.
  4. In the value data field enter 1.
  5. Click OK.

Event Logging

The Specops Password Sync components log the operations that have been performed to the application log on the appropriate server.

Password Change Notifier filter events

Event type   ID   Description
Information  150  Filter has been loaded.
Information  151  A password change will take place for the user indicated in the event log message.
                  This message will only appear once per password change, even if the change arrives from multiple GPOs and/or involves multiple Sync Points.
Information  152  User is member of a Windows protected group.
                  Specops Password Sync does not synchronize the passwords of users who are members of protected groups. To avoid this message you should ensure that protected accounts are not affected by Specops Password Sync GPOs.
Warning      250  Failed to queue a password sync job.
Warning      251  The policy contains no Sync Points.
Warning      252  Failed to get Sync Points from policy.
Warning      253  The XML data containing the policy is invalid.
Warning      254  User is not in the scope of management.
Warning      255  The configuration for this Sync Point was invalid.
Warning      256  The Sync Server for this Sync Point is not authorized to be used within this Sync Scope.
                  This is an unexpected configuration error. Open the Specops Password Sync Admin tools and update the valid Sync Servers for the scope and the Sync Servers to use for the Sync Point.
Error        350  Failed to initialize password filter.
Error        351  Crashed while initializing password filter.
Error        352  Exception during password sync.
Error        353  Exception during password change.
Error        354  Crashed during password sync.

Change Notifier service events

Event type   ID   Description
Information  151  Service start initiated from service control manager.
Information  152  Service start completed.
Information  153  Service stop initiated from service control manager.
Information  154  Service stop completed.
Information  155  Service has started to serve a Sync Point.
Information  156  Service detected an updated Sync Point configuration and started using it.
Information  157  An obsolete Sync Point queue folder was deleted. This happens during service startup when a queue folder is detected for a Sync Point that no longer exists.
Information  158  License check started.
Information  159  License check completed.
Information  160  License is valid.
Warning      251  Notifier service failed to send password change notification to Sync Server. This will repeat until the notification has been successfully sent.
Warning      252  There is no Sync Server defined for this Sync Scope.
                  You will need to configure the Sync Server(s) within the Sync Scope.
Warning      253  License is about to expire or be exceeded.
Error        350  An exception occurred in the Notifier service.
                  This is an unexpected error that should be reported to Specops Support.
Error        351  An unexpected error occurred for a Sync Point.
                  This is an unexpected error that should be reported to Specops Support.
Error        352  Service failed to start.
Error        353  Invalid Sync Point configuration.
Error        354  Failed to process a password change.
Error        355  Service stopped serving a Sync Point due to an exception.
Error        356  The Password Change Notifier filter is not loaded and therefore password changes will not be synchronized. This occurs if the server has not been restarted after installation. You will need to reboot the server.
Error        357  Sync Server URL does not match the DNS name.
                  This is a configuration error and password changes for this Sync Point will not be synchronized.
Error        358  The Sync Server specified for this Sync Point is not allowed within the Sync Scope.
                  From the Specops Password Sync Administration Tool, you can verify that the specified Sync Server(s) are listed as Sync Servers for this Sync Scope.
Error        359  Failed to read Sync Point configuration.
Error        360  License check failed.
Error        361  License is invalid.
Error        362  Failed to send license email.
Error        363  No valid license was found.

Sync Server events

Event type   ID   Description
Information  150  Specops Password Sync Server started.
Information  151  Specops Password Sync Server stopped.
Information  152  A password for a Sync Point was updated.
Information  153  The "Domain Controllers" group was added to the "Specops Password Change Notifiers" group.
Information  154  The "Domain Controllers" group was not added to the "Specops Password Change Notifiers" group because it is already added.
Information  155  A successful password change was made by a provider.
Information  156  A provider was loaded.
Warning      250  A valid provider was not found.
Warning      251  Could not send email to user.
Error        350  Failed to start the Specops Password Sync Server.
Error        351  Failed to stop the Specops Password Sync Server.
Error        353  Password change event referring to an unknown Sync Point.
Error        354  Failed to change password for a user.
Error        355  Failed to change password for a user. Further attempts will not be made.
Error        356  Failed to change password for a user because the configured Sync Point refers to an unsupported provider.
Error        357  No password was configured for the provider on the Sync Point.
Error        358  Failed to transform the user name.
Error        359  Could not find the "Domain Controllers" group to add to the "Specops Password Change Notifiers" group.
Error        360  Could not add the "Domain Controllers" group to the "Specops Password Change Notifiers" group.
Error        362  Failed to load provider.
Error        363  Failed to send email.
Error        365  Invalid SMTP configuration on Sync Scope.
Error        366  Could not consume reset data.
Error        367  Failed to load meta data for provider.
Error        368  Password change was rejected by the server.
Error        369  Failed to change password because the Sync Point has an invalid configuration for the provider.
Error        370  Unhandled exception occurred in the Specops Password Sync Server.

Debug logging

You can configure the components of Specops Password Sync to log their internal activity to a verbose debug log. The debug log allows you to follow the events leading up to the error. Debug logging is enabled by changing the relevant registry key from “0” to “1.” Additional logging will be returned by using the higher debug levels “2” or “3.”

Registry key: HKLM\Software\Specopssoft\Specops Password Sync\Admin Tools\Debug
  Controls debug logging for the admin tools.
  Log files (SPS.AdminTools.log) are stored under %LocalAppData%\Specopssoft\
  Default value = 0
  Note: Must be enabled on a computer that has the Administration Tools installed.

Registry key: HKLM\Software\Specopssoft\Specops Password Sync\ChangeNotifier\Debug
  Controls debug logging for the Change Notifier filter.
  Log files (spsflt*.log) are stored under %SystemRoot%\Debug\
  Default value = 0
  Note: Must be enabled on the Domain Controller.

Registry key: HKLM\Software\Specopssoft\Specops Password Sync\ChangeNotifierService\Debug
  Controls debug logging for the Change Notifier service.
  Log files (spsChangeNotifier*.log) are stored under %SystemRoot%\Debug\
  Default value = 0
  Note: Must be enabled on the Domain Controller.

Registry key: HKLM\Software\Specopssoft\Specops Password Sync\Server\Debug
  Controls debug logging for the Sync Server service.
  The default log file path is “C:\SPS.SyncServer.log”.
  Default value = 0
  Note: Must be enabled on the Specops Password Sync Server.

Note: Do not leave the debug logging turned on unless you need it. Verbose logging over an extended amount of time can create large log files which have the potential of filling your system disk partition.
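As an added example (not from the Specops documentation), the PowerShell function below sets the Debug value of one component on the host where that component runs, using the key paths from the table above, and returns the previous value so the same call can switch logging off again afterwards. The component-to-key mapping comes from the table; the use of Invoke-Command over WinRM and the host name DC01 in the usage comments are assumptions.

```powershell
# Added example, not part of the product. Key paths are those listed in the debug logging
# table; remote access via Invoke-Command (WinRM) is an assumption about your environment.
function Set-SpsDebugLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)]
        [ValidateSet('AdminTools', 'ChangeNotifier', 'ChangeNotifierService', 'Server')]
        [string] $Component,
        [Parameter(Mandatory)] [ValidateRange(0, 3)] [int] $Level   # 0 = off, 1..3 = verbose
    )
    $base   = 'HKLM:\Software\Specopssoft\Specops Password Sync'
    $subKey = @{
        AdminTools            = 'Admin Tools'
        ChangeNotifier        = 'ChangeNotifier'
        ChangeNotifierService = 'ChangeNotifierService'
        Server                = 'Server'
    }[$Component]
    $keyPath = Join-Path $base $subKey

    if ($PSCmdlet.ShouldProcess("$ComputerName : $keyPath\Debug", "set to $Level")) {
        Invoke-Command -ComputerName $ComputerName -ArgumentList $keyPath, $Level -ScriptBlock {
            param($path, $level)
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            # Remember the old value so the caller can restore it once the trace is collected.
            $prev = (Get-ItemProperty -Path $path -Name Debug -ErrorAction SilentlyContinue).Debug
            if ($null -eq $prev) { $prev = 'absent' }
            Set-ItemProperty -Path $path -Name Debug -Value $level -Type DWord
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Key      = $path
                Previous = $prev
                Current  = $level
            }
        }
    }
}

# Typical use (DC01 is a placeholder host name): raise the Change Notifier service to
# level 2 on a Domain Controller while reproducing the problem, then set it back to 0 so
# the spsChangeNotifier*.log files under %SystemRoot%\Debug\ stop growing.
# Set-SpsDebugLevel -ComputerName DC01 -Component ChangeNotifierService -Level 2
# ... reproduce the password change and collect the log ...
# Set-SpsDebugLevel -ComputerName DC01 -Component ChangeNotifierService -Level 0
```

The Admin Tools key is the exception to the "run it on the server" pattern: pass the name of the workstation where the Administration Tools are installed, as the table notes.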