Glenn wrote:
> David - At least once a week on our 8,000-user systems, synchronization
> breaks. Usually it is because the Passsync service on the AD server stops
> running. Other times, Passsync is running, but passwords do not sync.
> Sometimes passwords sync only one way. Sometimes password sync works when we
> change the user's password on the domain controller, but it does not work
> when we change the user's password on the user's Windows XP computer.

You do know that the passsync service is completely autonomous from the FDS server-side sync functionality? Initiating a re-sync on FDS should have no effect on passsync, since they are separate.

> Sometimes password sync breaks and other attributes continue to synchronize.

This would make perfect sense, since the two are implemented in different software, running on different machines.

> Often while this is going on, new accounts are not replicated from one system
> to the other. An aggravating factor seems to be accounts that have
> attributes allowed in Fedora Directory but not allowed in Active Directory,
> such as duplicate names or user IDs.

Hmm... the FDS windows sync code is supposed to strip off illegal schema to prevent this problem, but perhaps it isn't working properly in your case.

> The remedy for these problems seems to be to stop and restart Passsync and do
> a full resync from the Fedora Directory Server console. Duplicate entries
> must be changed so they are acceptable to AD, and a resync is necessary to
> get them to replicate.

If you're running an 8k user site with this code you might think about investing some money in having someone fix it. It sounds like you have hit one or more quite serious bugs that would probably not take too long to diagnose and fix.