HOW TO: Troubleshoot real-time password synchronization issues (4336609)

Passwords are not being synchronized between the source and target systems in the Active Roles Synchronization Service.

Passwords may fail to synchronize under the following scenarios:

1. The Capture Agent is not installed on all source domain controllers.
2. The version of the capture agent does not match the one of the target service.
3. There is a network communication issue between the source domain controller and the machine hosting the target service.
4. Service connection points could not be created in the source domain due to insufficient permissions granted to the Synchronization Service service account.

• Valid mapping rules should be configured between the source and target systems
• Password Sync rules should be configured between the source and target systems, configured under Password Sync tab in the Sync Service console
• The Capture Agent should be installed on all domain controllers in source domains. The Synchronization Service is unable to detect password changes on Domain Controllers that do not have the Capture Agent installed
• The version of each installed Capture Agent should match the Synchronization Service version
• Verify that the DNS name of the machine hosting the Synchronization Service can be resolved from the domain controller(s) and is reachable
• Verify that the following container exists in the source domain:
  • Domain | System | One Identity | Active Roles Sync Service
• ​Verify that the containers located in the previous step have a serviceConnectionPoint object in it representing the DNS name of the matching hosting the Synchronization Service host.

• The Capture Agent installation directory on a Domain Controller contains a configuration file named caSvcCfg.xml. The file is located in the following location:
  • %ProgramData%\One Identity\Active Roles\Logs\Synchronization Service
• ​The caSvcCfg.xml file should contain the hostname for the Synchronization Service host, assuming a valid connection was made. If there were any errors attempting a connection, this file should also contain relevant information on the issue. For troubleshooting and verification purposes, this file can be safely renamed/deleted, and restarting the Capture Agent service will recreate the file.
• Verify that the CaptureAgentPasswordFilter.dll module is loaded into the system process lsass.exe. The Microsoft Process Explorer utility can be used to verify.

1. On the domain controller hosting the Capture Agent navigate to the Capture Agent installation folder:
   • C:\Program Files\One Identity\Active Roles\8.X\SyncServiceCaptureAgent
2. Locate the following file in the Capture Agent installation folder:
   • ActiveRoles.SyncService.CaptureAgentService.exe.config
3. Edit the file and locate the following line:
   • <logger name="ActiveRoles.SyncService.CaptureAgentService.*" writeTo="fileTarget" minlevel="Info"/>
4. Replace Info with Debug, and save the file to enable logging
5. The log file ActiveRoles.SyncService.CaptureAgentService.txt will be created in the Capture Agent installation directory

1. On the domain controller, navigate to the following registry key:
   • HKLM | SOFTWARE | One Identity | Active Roles | Configuration | SyncService | Capture Agent
2. Locate the DWORD (32-bit) value named EnableLog. If it does not exist, create it.
3. Flip the value to 1.
4. Restart the domain controller for the changes to take effect.
5. The resulting log file is named ca.log and can be found in the Capture Agent installation folder.