Password Sync feature: It uses the ARS Sync Service Capture Agent running on the Domain Controller, which acts as a proxy for the password change to the DC and intercepts it before it reaches AD. It passes the change along to the DC, but it also encrypts it and sends it to the Sync Service, which then performs a password change on the target endpoint:
Note: The password change or reset operation only requires the Capture Agents on all source domain controllers.
pwdHash: The pwdHash value can be updated from Source to Target or vice versa using an ARS Sync Service workflow:
Note: The pwdHash attribute sync requires the Capture Agent to be installed on all source domain controllers and on the target domain controller the Sync Engine is talking to. If the target connection to AD is configured to connect to any DC in the domain or forest, the Capture Agent must be deployed on all DCs in the target domain.
Reverse Sync Rule: If a password change has occurred in the Target endpoint, the pwdHash value from the Target endpoint will be synced back to the Source endpoint.
So, where the password has been changed it will show *****, and where the pwdHash is to be updated it will show ***** (Old value: *****):
Merge Sync Rule: Allows you to create a rule that merges the values of specified attributes between the source and the target data systems. As a result, the attribute value most recently changed* will be written to the other endpoint.
* The first sync of the object will always sync from source to target, regardless of where the more recent change occurred. Likewise, if both values have changed since the last execution of the workflow, the source value will sync to the target.
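To make the merge and reverse-sync decisions above concrete, here is an added example that models the rule as the page states it. This is illustrative code written for this page, not Active Roles code: the attribute states, timestamps and "hash-…" values are constructed, and the function names (decide_merge, apply_merge, demo_scenarios, demo_reverse_sync) are hypothetical. It encodes the three outcomes the text describes: first sync goes source to target, a change on both sides since the last run goes source to target, and otherwise the side that changed more recently wins (which is the Reverse Sync case when only the target changed).

```python
"""Model of the Merge Sync Rule / Reverse Sync decision described on this page.

Constructed illustration, not Active Roles code. Each endpoint holds an
attribute value (e.g. pwdHash) plus the time it last changed; the decision
depends on those timestamps relative to the last workflow run.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AttributeState:
    """One attribute on one endpoint: its value and when it last changed."""
    value: str
    changed_at: datetime


@dataclass(frozen=True)
class MergeDecision:
    """Which way the attribute flows, and why."""
    direction: str  # "source->target", "target->source" or "none"
    reason: str


def decide_merge(source: AttributeState, target: AttributeState,
                 last_run: Optional[datetime]) -> MergeDecision:
    """Apply the merge rule as stated on the page.

    1. First sync of the object (no previous run): source wins.
    2. Both endpoints changed since the last run: source wins.
    3. Otherwise the endpoint that changed since the last run wins
       (only the target changed == the Reverse Sync case).
    """
    if last_run is None:
        return MergeDecision("source->target", "first sync of the object: source always wins")
    source_changed = source.changed_at > last_run
    target_changed = target.changed_at > last_run
    if source_changed and target_changed:
        return MergeDecision("source->target", "both changed since the last run: source wins")
    if target_changed:
        return MergeDecision("target->source", "only the target changed since the last run")
    if source_changed:
        return MergeDecision("source->target", "only the source changed since the last run")
    return MergeDecision("none", "neither endpoint changed since the last run")


def apply_merge(source: AttributeState, target: AttributeState,
                decision: MergeDecision) -> Tuple[str, str]:
    """Return the (source_value, target_value) pair after the decision is applied."""
    if decision.direction == "source->target":
        return source.value, source.value
    if decision.direction == "target->source":
        return target.value, target.value
    return source.value, target.value


def _fixtures():
    """Constructed sample states: changes one hour before / after the last run."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    last_run = base + timedelta(hours=1)
    before, after = base, base + timedelta(hours=2)
    return {
        "last_run": last_run,
        "old_src": AttributeState("hash-src-old", before),   # constructed values
        "old_tgt": AttributeState("hash-tgt-old", before),
        "new_src": AttributeState("hash-src-new", after),
        "new_tgt": AttributeState("hash-tgt-new", after),
    }


def demo_scenarios() -> Dict[str, str]:
    """Map each scenario named in the text to the direction the rule chooses."""
    f = _fixtures()
    scenarios = {
        "first_sync_target_newer": (f["old_src"], f["new_tgt"], None),
        "only_target_changed": (f["old_src"], f["new_tgt"], f["last_run"]),
        "only_source_changed": (f["new_src"], f["old_tgt"], f["last_run"]),
        "both_changed": (f["new_src"], f["new_tgt"], f["last_run"]),
        "nothing_changed": (f["old_src"], f["old_tgt"], f["last_run"]),
    }
    return {name: decide_merge(s, t, run).direction
            for name, (s, t, run) in scenarios.items()}


def demo_reverse_sync() -> Tuple[str, str]:
    """Reverse Sync: a target-side password change pushes pwdHash back to the source."""
    f = _fixtures()
    decision = decide_merge(f["old_src"], f["new_tgt"], f["last_run"])
    return apply_merge(f["old_src"], f["new_tgt"], decision)


if __name__ == "__main__":
    for name, direction in demo_scenarios().items():
        print(f"{name:25s} -> {direction}")
    print("after reverse sync:", demo_reverse_sync())
```

The "nothing_changed" branch returns "none" because the page describes an update only where a value changed; a first sync is the one case where the source overwrites the target even when the target's value is the newer one.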
Useful KB articles to troubleshoot Password Sync issues:
30256 - Communication Ports for Active Roles Service and Clients
114333 - User Create Sync Error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
224974 - Password Sync Fails with Event ID 10206