If you are experiencing problems after the initial configuration, you can use the list below to verify that the components are connected correctly:
- Verify that the Password Change Notifier has been installed on all
  How: Verify that the service Specops Password Sync Notifier Service is running on each Domain Controller. You can find this in the Services application or you can query the service on the Domain Controllers using PowerShell.
- View the event log on the Domain Controllers to verify that the Domain Controller has been restarted. The start event from the Notifier Filter and Notifier Service should be logged to the event
  How: An event will be written to the application event log as Change Notifier Service with event ID 152.
- Verify that the Sync Server service is started on the Sync Server.
  How: An event will be written to the application event log as Sync Server with event ID 150.
- Verify that the following configuration has been made:
  - Sync Scope created and target user located beneath the Sync Scope.
  - Sync Server added to the Sync Scope.
  - Sync Point created and configured to use the Sync Server.
  - Specops Password Sync GPO created, configured to use the Sync Point, and linked to affect the target user.
If you are still experiencing problems after the initial configuration and installation, you can use the component troubleshooting procedure to identify the source of the problem. The procedure below follows the chain of actions that take place when a password is changed. The steps below require a test account configured with Specops Password Sync Policy.
- From the selected Domain Controller, open Active Directory Users and Computers.
- Reset the password of the test account.
- Monitor the Application event log on the domain controller. The event log should contain entries from the Change Notifier Filter and Notifier service indicating that the password was received.
- Verify that the Sync Server service is running.
- Monitor the event log on the Sync Server. The event log should contain an entry for the new sync job.
If you have identified discrepancies in the event log, they can be attributed to one of the following problems that can occur in the communication between the Change Notifier and Sync Server:
- Firewall blocking the communication: The Change Notifier on the domain controllers needs to connect to the Sync Server (default port tcp/4377) to deliver the sync jobs.
- Domain Controller or the Sync Server does not trust the certificate of the remote partner: The Sync Server may be using a self-signed certificate that is not trusted by the domain controllers.
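The Domain Controller checks described above (Notifier service state, the start event with ID 152, and reachability of the Sync Server on tcp/4377) can be collected in one pass. This is an added example, not Specops code: the function name `Test-NotifierChain`, the host name `syncserver.example.local` and the 7-day look-back are assumptions, and events are matched by ID only so that the event source can be confirmed from the output.

```powershell
# Added example: run in an elevated PowerShell session on a Domain Controller.
# Test-NotifierChain and the default host name are hypothetical; replace the
# host name with your own Sync Server.
function Test-NotifierChain {
    param(
        [string]$SyncServer   = 'syncserver.example.local', # placeholder host name
        [int]   $Port         = 4377,                       # default port named in the text
        [int]   $EventId      = 152,                        # Notifier start event; use 150 on the Sync Server
        [int]   $LookBackDays = 7                           # assumed look-back window
    )

    # 1. Notifier service, matched on the display name given in the text.
    $svc = Get-Service -DisplayName 'Specops Password Sync Notifier Service' `
                       -ErrorAction SilentlyContinue

    # 2. Start events in the Application log. Filtering on the ID alone avoids
    #    guessing the exact provider name; the sources found are reported below.
    $filter = @{
        LogName   = 'Application'
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$LookBackDays)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 20 `
                             -ErrorAction SilentlyContinue)

    # 3. TCP reachability from this Domain Controller to the Sync Server.
    $tcp = Test-NetConnection -ComputerName $SyncServer -Port $Port `
                              -WarningAction SilentlyContinue

    [pscustomobject]@{
        DomainController    = $env:COMPUTERNAME
        ServiceStatus       = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        StartEventCount     = $events.Count
        LastStartEvent      = ($events | Select-Object -First 1).TimeCreated
        EventSources        = ($events.ProviderName | Sort-Object -Unique) -join ', '
        SyncServerReachable = $tcp.TcpTestSucceeded
    }
}

Test-NotifierChain | Format-List
```

A successful TCP connection only rules out the firewall case; it does not show that either side trusts the other's certificate.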
If you cannot identify any problems in the event log, the source of the problem may be outside of the product. You can use the File Writer provider to test the system.
Test the system using the File Writer provider
The File Writer provider can be used to test the Specops Password Sync component configuration. When the File Writer receives a password change request, it writes the user name and a timestamp to a log file, allowing you to verify that the system is set up correctly. The File Writer provider does not communicate with any external system.
The File Writer installation package can be found in the directory you extracted the Specops Password Setup package from (default: “C:\temp”). The path to the installation package is:
The File Writer provider should be installed on the Sync Server. The Specops Password Sync Server service must be restarted after the installation in order for the provider to be visible in the Specops Password Sync Administration Tool. When the File Writer provider has been installed, you can follow the procedure below to test it:
Create a new Sync Point and configure it to use the File Writer
You must select the Sync Server where the File Writer is installed.
- Follow the Component Troubleshooting procedure to reset the password.
- Monitor the appropriate event logs. If the system is working, you will see a number of entries indicating that the File Writer provider successfully completed the synchronization.