On Tue, 08 Sep 2009, Doug Tucker wrote: > > > > OK! The logging was a tremendous help to at least seeing where the > > > failure is. When the password change is made on the PDC, passync DOES > > > catch it and replicate to 389. However, if the password change occurs > > > on the BDC, even though we see the change replicated to the PDC, passync > > > is NOT catching it and replicating to 389. Does anyone have any ideas? > > > > > > > I believe The Password Sync Service must be installed on every Active > > Directory domain controller. > > It appeared that way for no other reason than it wasn't working, but I > can't find anything in the documentation to indicate that, and someone > else that responded indicated he sees the change after the BDC > replicates it to the PDC. Was just hoping for some official word that > states that this must be done. I'm not seeing anything in the docs either, but it would make sense, since I'm relatively sure that when the password syncs from one Active Directory replica to another (no such thing as PDCs and BDCs these days, y'know), I'd assume it's passing the hash and not the password, so there'd be no way to get it into your LDAP server. If that's the case (and I'm pretty sure it is), you'd need PassSync set up on all of your Active Directory servers, since any of them could be the one the user gave the actual password to.
