Troubleshooting

The information below is intended for administrators who are responsible for troubleshooting Specops Password Sync. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Password Sync.

Best Practices


Installation troubleshooting

If you are experiencing problems after the initial configuration, you can use the list below to verify that the components are connected correctly:

  1. Verify that the Password Change Notifier has been installed on all Domain Controllers.
    How: Verify that the service Specops Password Sync Notifier Service is running on each Domain Controller. You can find this in the Services application or you can query the service on the Domain Controllers using PowerShell.
  2. View the event log on each Domain Controller to verify that the Domain Controller has been restarted. The start events from the Notifier Filter and the Notifier Service should be logged to the event log.
    How: An event will be written to the Application event log as Change Notifier Service with event ID 152.
  3. Verify that the Sync Server service is started on the Sync Server.
    How: An event will be written to the Application event log as Sync Server with event ID 150.
  4. Verify that the following configuration has been made:
    • Sync Scope created and target user located beneath the Sync Scope.
    • Sync Server added to the Sync Scope.
    • Sync Point created and configured to use the Sync Server.
    • Specops Password Sync GPO created, configured to use the Sync Point, and linked to affect the target user.
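The first three checks above can be scripted. The following is an added example, not part of the Specops documentation: it runs from an elevated Windows PowerShell 5.1 session on a domain-joined admin workstation with the ActiveDirectory RSAT module, and the Sync Server host name and the event provider names are assumptions you should verify against your own Application log.

```powershell
# Added example (not Specops' own tooling). Assumed values: the Sync Server
# host name is a placeholder, and the event provider names are taken from
# the source names the guide quotes; check them in your own Application log.
$SyncServer   = 'SYNCSERVER01'   # placeholder: your Sync Server host name
$NotifierName = 'Specops Password Sync Notifier Service'

# Enumerate every Domain Controller in the current domain (RSAT AD module).
$DomainControllers = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $DomainControllers) {
    # Check 1: the Notifier service must be installed and running on every DC.
    $svc = Get-Service -ComputerName $dc -DisplayName $NotifierName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "$dc : Notifier service is not installed"
        continue
    }
    Write-Host "$dc : Notifier service is $($svc.Status)"

    # Check 2: event ID 152 from the Change Notifier Service means the service
    # start completed, which only happens after the post-install restart.
    $start = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Change Notifier Service'; Id = 152
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($start) { Write-Host "$dc : service start (152) logged at $($start.TimeCreated)" }
    else        { Write-Warning "$dc : no start event 152 found; has the DC been restarted?" }
}

# Check 3: event ID 150 from the Sync Server means the Sync Server service started.
$srv = Get-WinEvent -ComputerName $SyncServer -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Sync Server'; Id = 150
} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($srv) { Write-Host "$SyncServer : Sync Server start (150) logged at $($srv.TimeCreated)" }
else      { Write-Warning "$SyncServer : no Sync Server start event 150 found" }
```

Get-Service -ComputerName is a Windows PowerShell 5.1 parameter; on PowerShell 7 wrap the call in Invoke-Command instead.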

Component troubleshooting

If you are still experiencing problems after the initial configuration and installation, you can use the component troubleshooting procedure to identify the source of the problem. The procedure below follows the chain of actions that take place when a password is changed. The steps below require a test account configured with Specops Password Sync Policy.

  1. From the selected Domain Controller, open Active Directory Users and Computers.
  2. Reset the password of the test account.
  3. Monitor the Application event log on the Domain Controller. The event log should contain entries from the Change Notifier Filter and the Notifier Service indicating that the password change was received.
  4. Verify that the Sync Server service is running.
  5. Monitor the Event log on the Sync Server. The event log should contain an entry for the new sync job.

If you have identified discrepancies in the event log, they can be attributed to one of the following problems in the communication between the Change Notifier and the Sync Server:

  • Firewall blocking the communication: The Change Notifier on the Domain Controllers needs to connect to the Sync Server (default port tcp/4377) to deliver the sync jobs.
  • Domain Controller or Sync Server does not trust the certificate of the remote partner: The Sync Server may be using a self-signed certificate that is not trusted by the Domain Controllers.

If you cannot identify any problems in the event log, the source of the problem may be outside of the product. You can use the FileWriter provider to test the system.

Test the system using the File Writer provider

The File Writer provider can be used to test the Specops Password Sync component configuration. When the File Writer receives a password change request, it writes the user name and a timestamp to a log file, allowing you to verify whether the system is set up correctly. The File Writer provider does not communicate with any external system.

The File Writer installation package can be found in the directory you extracted the Specops Password Sync setup package to (default: “C:\temp”). The path to the installation package is:

\Products\SpecopsPasswordSync\SpecopsPasswordSyncTestProviders-xXX.msi

The File Writer provider should be installed on the Sync Server. The Specops Password Sync Server service must be restarted after the installation in order for the provider to be visible in the Specops Password Sync Administration Tool. When the File Writer provider has been installed, you can follow the procedure below to test it:

  1. Create a new Sync Point and configure it to use the File Writer provider.
    You must select the Sync Server where the File Writer is installed.
  2. Follow the Component Troubleshooting procedure to reset the password.
  3. Monitor the appropriate event logs. If the system is working, you will see a number of entries indicating that the File Writer provider successfully completed the synchronization.

Common Issues


Password does not synchronize for admin account

Possible cause

By default, Specops Password Sync will not synchronize password changes for privileged accounts. This default behavior is good security practice.

Possible solution

To allow password synchronization for admin accounts you will need to manually add the registry setting below on all Domain Controllers. Note: Privileged accounts by definition have access to critical business data and systems, and it is often desirable to ensure that these privileged users maintain different complex passwords on each system. Do not make the change below without taking the security implications into consideration.

  1. From the Registry Editor, browse to HKLM\Software\Specopssoft\Specops Password Sync\ChangeNotifier .
  2. Right-click, select New, and click DWORD (32-bit) Value.
  3. In the value name field enter AllowSyncForAdministrators.
  4. In the value data field enter 1.
  5. Click OK.

Event Logging


The Specops Password Sync components log the operations that have been performed to the application log on the appropriate server.

Password Change Notifier filter events

Event type   ID   Description
Information  150  Filter has been loaded.
Information  151  A password change will take place for the user indicated in the event log message.
                  This message will only appear once per password change, even if the change arrives from multiple GPOs and/or involves multiple Sync Points.
Information  152  User is a member of a Windows protected group.
                  Specops Password Sync does not synchronize the passwords of users who are members of protected groups. To avoid this message you should ensure that protected accounts are not affected by Specops Password Sync GPOs.
Warning      250  Failed to queue a password sync job.
Warning      251  The policy contains no Sync Points.
Warning      252  Failed to get Sync Points from policy.
Warning      253  The XML data containing the policy is invalid.
Warning      254  User is not in the scope of management.
Warning      255  The configuration for this Sync Point was invalid.
Warning      256  The Sync Server for this Sync Point is not authorized to be used within this Sync Scope.
                  This is an unexpected configuration error. Open the Specops Password Sync Admin tools and update the valid Sync Servers for the scope and the Sync Servers to use for the Sync Point.
Error        350  Failed to initialize password filter.
Error        351  Crashed while initializing password filter.
Error        352  Exception during password sync.
Error        353  Exception during password change.
Error        354  Crashed during password sync.

Change Notifier service events

Event type   ID   Description
Information  151  Service start initiated from service control manager.
Information  152  Service start completed.
Information  153  Service stop initiated from service control manager.
Information  154  Service stop completed.
Information  155  Service has started to serve a Sync Point.
Information  156  Service detected an updated Sync Point configuration and started using it.
Information  157  An obsolete Sync Point queue folder was deleted. This happens during service startup when a queue folder is detected for a Sync Point that no longer exists.
Information  158  License check started.
Information  159  License check completed.
Information  160  License is valid.
Warning      251  Notifier service failed to send password change notification to Sync Server. This will repeat until the notification has been successfully sent.
Warning      252  There is no Sync Server defined for this Sync Scope.
                  You will need to configure the Sync Server(s) within the Sync Scope.
Warning      253  License is about to expire or be exceeded.
Error        350  An exception occurred in the Notifier service.
                  This is an unexpected error that should be reported to Specops Support.
Error        351  An unexpected error occurred for a Sync Point.
                  This is an unexpected error that should be reported to Specops Support.
Error        352  Service failed to start.
Error        353  Invalid Sync Point configuration.
Error        354  Failed to process a password change.
Error        355  Service stopped serving a Sync Point due to an exception.
Error        356  The Password Change Notifier filter is not loaded and therefore password changes will not be synchronized. This occurs if the server has not been restarted after installation. You will need to reboot the server.
Error        357  Sync Server URL does not match the DNS name.
                  This is a configuration error and password changes for this Sync Point will not be synchronized.
Error        358  The Sync Server specified for this Sync Point is not allowed within the Sync Scope.
                  From the Specops Password Sync Administration Tool, you can verify that the specified Sync Server(s) are listed as Sync Servers for this Sync Scope.
Error        359  Failed to read Sync Point configuration.
Error        360  License check failed.
Error        361  License is invalid.
Error        362  Failed to send license email.
Error        363  No valid license was found.

Sync Server events

Event type   ID   Description
Information  150  Specops Password Sync Server started.
Information  151  Specops Password Sync Server stopped.
Information  152  A password for a Sync Point was updated.
Information  153  The “Domain Controllers” group was added to the “Specops Password Change Notifiers” group.
Information  154  The “Domain Controllers” group was not added to the “Specops Password Change Notifiers” group because it is already a member.
Information  155  A successful password change was made by a provider.
Information  156  A provider was loaded.
Warning      250  A valid provider was not found.
Warning      251  Could not send email to user.
Error        350  Failed to start the Specops Password Sync Server.
Error        351  Failed to stop the Specops Password Sync Server.
Error        353  Password change event referring to an unknown Sync Point.
Error        354  Failed to change password for a user.
Error        355  Failed to change password for a user. Further attempts will not be made.
Error        356  Failed to change password for a user because the configured Sync Point refers to an unsupported provider.
Error        357  No password was configured for the provider on the Sync Point.
Error        358  Failed to transform the user name.
Error        359  Could not find the “Domain Controllers” group to add to the “Specops Password Change Notifiers” group.
Error        360  Could not add the “Domain Controllers” group to the “Specops Password Change Notifiers” group.
Error        362  Failed to load provider.
Error        363  Failed to send email.
Error        365  Invalid SMTP configuration on Sync Scope.
Error        366  Could not consume reset data.
Error        367  Failed to load metadata for provider.
Error        368  Password change was rejected by the server.
Error        369  Failed to change password because the Sync Point has an invalid configuration for the provider.
Error        370  Unhandled exception occurred in the Specops Password Sync Server.

Debug logging

You can configure the components of Specops Password Sync to log their internal activity to a verbose debug log. The debug log allows you to follow the events leading up to an error. Debug logging is enabled by changing the relevant registry value from “0” to “1”. Additional logging is produced by using the higher debug levels “2” or “3”.

Registry key: HKLM\Software\Specopssoft\Specops Password Sync\Admin Tools\Debug
  Controls debug logging for the admin tools.
  Log files (SPS.AdminTools.log) are stored under %LocalAppData%\Specopssoft\
  Default value = 0
  Note: Must be enabled on a computer that has the Administration Tools installed.

Registry key: HKLM\Software\Specopssoft\Specops Password Sync\ChangeNotifier\Debug
  Controls debug logging for the Change Notifier filter.
  Log files (spsflt*.log) are stored under %SystemRoot%\Debug\
  Default value = 0
  Note: Must be enabled on the Domain Controller.

Registry key: HKLM\Software\Specopssoft\Specops Password Sync\ChangeNotifierService\Debug
  Controls debug logging for the Change Notifier service.
  Log files (spsChangeNotifier*.log) are stored under %SystemRoot%\Debug\
  Default value = 0
  Note: Must be enabled on the Domain Controller.

Registry key: HKLM\Software\Specopssoft\Specops Password Sync\Server\Debug
  Controls debug logging for the Sync Server service.
  The default log file path is “C:\SPS.SyncServer.log”.
  Default value = 0
  Note: Must be enabled on the Specops Password Sync Server.

Do not leave debug logging turned on unless you need it. Verbose logging over an extended period of time can create large log files, which have the potential to fill your system disk partition.
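The following added example (not Specops' own tooling) turns debug logging on for the Change Notifier filter and service of one Domain Controller using the registry values documented above, and turns it off again afterwards so the log files cannot grow unchecked. It assumes an elevated session with remoting rights on the Domain Controller, whose name is a placeholder, and that the Debug value is stored as a DWORD, which the guide does not state.

```powershell
# Added example (not Specops' own tooling). Assumptions: $Dc is a placeholder
# for the Domain Controller under investigation, and the Debug value is
# written as a DWORD (the guide only gives the values 0 to 3, not the type).
$Dc   = 'DC01'
$Base = 'HKLM:\Software\Specopssoft\Specops Password Sync'

function Set-SpsNotifierDebugLevel {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # 0 = off (default), 1 = debug, 2 or 3 = more verbose output.
        [Parameter(Mandatory)][ValidateRange(0, 3)][int]$Level
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Base, $Level)
        # Both the filter (ChangeNotifier) and the service (ChangeNotifierService)
        # have their own Debug value; set them together so the logs line up.
        foreach ($sub in 'ChangeNotifier', 'ChangeNotifierService') {
            $key = Join-Path $Base $sub
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name 'Debug' -Value $Level -Type DWord
            "$env:COMPUTERNAME : $sub\Debug = $Level"
        }
    } -ArgumentList $Base, $Level
}

# Enable verbose logging only for the duration of the troubleshooting session.
Set-SpsNotifierDebugLevel -ComputerName $Dc -Level 2

# Reproduce the password change (see Component troubleshooting), then collect
# %SystemRoot%\Debug\spsflt*.log and spsChangeNotifier*.log from the DC.
Read-Host 'Reproduce the problem now, then press Enter to switch debug logging off'

# Restore the default so the debug logs cannot fill the system partition.
Set-SpsNotifierDebugLevel -ComputerName $Dc -Level 0
```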