Automated Password Synchronization Solution Guide for MIIS 2003
Posted by thangletoan
The Automated Password Synchronization Solution Guide for MIIS 2003 provides instructions for planning and implementing an automated password synchronization solution in an enterprise environment using Microsoft Identity Integration Server 2003 (MIIS 2003).
As with any solution, it is important to try this solution in a test environment before you deploy it into your production environment.
What This Guide Covers
This Guide offers a way to manage user passwords in an enterprise environment by keeping passwords synchronized across multiple identity stores. In it, you will find information about designing, implementing, and configuring your automated password synchronization solution. After you have read this Guide and implemented its solution, you will be able to deploy the automated password synchronization solution in your enterprise environment.
This guide does not cover the installation, configuration, and operational details of MIIS 2003. This guide also does not cover password management in environments other than Active Directory® directory service. For general information about installation, configuration, and operation of MIIS 2003, see Microsoft Identity Integration Server 2003 Scenarios at http://go.microsoft.com/fwlink/?LinkId=34336.
For detailed instructions for implementing the automated password synchronization solution, see the companion document Implementing the Automated Password Synchronization Solution – Step-by-Step at http://go.microsoft.com/fwlink/?LinkId=81750.
This Guide assumes that you are familiar with configuring and administering an Active Directory domain controller and configuring management agents in MIIS 2003. It is intended for users with some experience configuring MIIS 2003 and assumes that you are familiar with the Microsoft Identity Integration Server 2003 Technical Reference at http://go.microsoft.com/fwlink/?LinkId=38680.
This Guide is intended for IT planners, systems architects, technology decision makers, consultants, infrastructure planners, and secondary IT personnel involved in planning and deploying an automated password synchronization solution.
Business Challenges of Password Management
Businesses face many password management challenges. Implementing a password management solution is necessary in many corporate environments because users have to authenticate to the network in a secure manner.
Passwords are the most common authentication mechanism. From a deployment perspective, passwords are the simplest and cheapest authentication technique.
With this in mind, having a poor password management policy in an enterprise environment can compromise enterprise security and make the enterprise vulnerable to outside attack from malicious threats. In organizations with poor password management practices, one or more of the following issues is typically present:
- Weak and easily breakable passwords.
- Passwords that users are not required to change often enough, which means that attackers can compromise the passwords through force and cryptographic attacks.
- Passwords that have been written down, which can be easily compromised.
- Numerous calls to the Help desk for password resets, which can result in increased operational costs.
- Users who have too many passwords, which can result in password overload. With so many passwords for users to remember, they have difficulty managing passwords securely.
To meet these challenges, businesses must find an appropriate solution to address their password management requirements.
Business Solutions for Password Management
Businesses can adopt various solutions to solve password management challenges. For example, users can change their passwords on each connected data directory by logging on to each directory interactively, and then changing the password natively in the connected data store. Although this is a typical solution, users can easily become confused and frustrated if they cannot remember which password they used for any of the connected data stores.
Another solution is a state-based solution (not real time) in which users change their passwords in an authoritative connected data source. Then, a synchronization application pushes the updated password to other connected data sources that maintain identity information.
Although this solution is also typical, it is not efficient because a state-based solution is not real time. Users must wait for the synchronization application to run for their passwords to be synchronized over multiple connected directories. This delay causes a problem when users log on to a connected data source before the password management agent runs. Because the passwords are not synchronized, users must remember the previous passwords for all of their connected data sources.
An event-driven password management application, such as the one in MIIS 2003, is a more viable solution to these password management challenges. MIIS 2003 users change their passwords from their desks in an authoritative connected data source. Then, a service in the authoritative connected source captures the password change requests and pushes the newly changed password to other configured connected data sources in real time. This solution is cost-effective and efficient because users do not have to manually change passwords for each connected data source to match the password of the authoritative connected data source. Also, when they initiate password changes, those changes are effective immediately.
The Automated Password Synchronization Solution for MIIS 2003
During automated password synchronization, a user makes a password change in an authoritative connected data source. The newly updated password is automatically captured from the authoritative data source during the password change process, and then distributed to configured, connected data sources in MIIS 2003. When a user presses CTRL+ALT+DEL on the keyboard to initiate the password change at the authoritative data source, the change process initiates synchronization with the other data sources so that the password is distributed with little or no manual intervention.
The automated password synchronization solution for MIIS 2003 addresses the password management needs of many enterprises. It provides a near real time automated password synchronization solution. This Guide introduces you to automated password synchronization in MIIS 2003 and the steps needed to implement the solution in an enterprise environment.
The Automated Password Synchronization Process in MIIS 2003
The automated password synchronization process in MIIS 2003 uses the Password Change Notification Service (PCNS) to perform near real time automated password synchronization. PCNS is a service that runs on a Microsoft Windows Server® 2003 domain controller. It listens for password change requests that are sent to that domain controller. When PCNS receives a password change request, it sends a change notification to the MIIS 2003 server that then initiates the password synchronization process. Using PCNS makes it possible to have the password change event trigger the synchronization operation immediately rather than waiting for the next scheduled management agent run normally associated with MIIS 2003. This functionality provides both the automation and near real time capabilities that are commonly desired in a password synchronization solution.
In a PCNS-based solution, MIIS 2003 runs as a Remote Procedure Call (RPC) server that has been configured to listen for change notifications sent by PCNS. When MIIS 2003 receives a notification, it authenticates the source of the notification, and then initiates the password synchronization process on the MIIS 2003 server. The newly updated password is immediately propagated to the other connected data sources that you configured to participate in the password synchronization environment.
Automated password synchronization assumes that the user accounts already exist in the source and target directories, and that those accounts have been imported and joined to one another in the metaverse. This is known as join information.
Automated password synchronization synchronizes passwords only between existing accounts on connected data sources that have management agents that support the password synchronization option. (That option must be enabled.) Automated password synchronization does not perform the usual full or delta synchronizations normally processed by a synchronization run profile. It does not create accounts, synchronize other attributes, process rules extensions, or trigger provisioning code.
The following illustration shows the process for implementing automatic password synchronization. A description of the process follows the illustration.
- The user or an administrator initiates the password change request. The password change request, including the new password, is then sent to the domain controller.
- The domain controller records the password change request, and then notifies the password change notification filter (pcnsflt.dll).
- The password change notification filter passes the request to PCNS.
- PCNS verifies the password change request, and then uses Kerberos to authenticate the Service Principal Name (SPN).
- PCNS encrypts the password change request, and then forwards it to the MIIS 2003 target server, which runs as an RPC server.
- MIIS 2003 validates that the source domain controller is a member of the Domain Controllers container in the source domain.
MIIS 2003 uses the domain name to locate the management agent that services that domain, and then uses the user account information in the password change request to locate the corresponding object in the connector space.
MIIS 2003 uses the join information to determine which management agents should receive the password change request, and if they are enabled for password synchronization.
Password synchronization is initiated, and then the updated password is sent to the configured data sources.
Before You Implement the Solution
Before you implement an automated password synchronization solution in your enterprise environment, it is important that you understand the following points:
- Active Directory is the only authoritative connected directory in an automated password synchronization environment.
- Bi-directional password synchronization between Active Directory forests causes an infinite loop to occur.
- Following security best practices can enhance the security of your enterprise environment. For more information, see Security Considerations for Automated Password Synchronization later in this document.
Active Directory as the Authoritative Data Source
A data source is authoritative for data stored in the MIIS 2003 metadirectory when data that is imported into the metadirectory from that source overwrites any data currently stored in the metadirectory. Active Directory is the only authoritative data source for automated password synchronization. Because MIIS 2003 does not natively support using another authoritative data source for automated password synchronization, all passwords are set in Active Directory, and then pushed to other data sources.
This is why password synchronization in MIIS 2003 is referred to as one way. Password changes originate in Active Directory, and then flow one way through MIIS 2003 to the connected data sources. Using MIIS 2003 password synchronization, password changes cannot flow from any other data source back to Active Directory.
Bi-Directional Password Synchronization and an Infinite Loop
Bi-directional password synchronization occurs when more than one Active Directory forest is the authoritative source for automated password synchronization. MIIS 2003 does not support bi-directional password synchronization. Bi-directional password synchronization causes an infinite loop to occur. If your environment has multiple Active Directory forests, you must set one forest as the authoritative forest for automated password synchronization. Otherwise, an infinite loop occurs.
An example of an infinite loop is when Forest A receives a password change request, and then sends a password change notification to Forest B. Forest B interprets this as a change request, and then sends the request back to Forest A. Each time the notification is sent, the receiving forest interprets it as a change request, and then sends a new notification to the other forest, thus causing an infinite loop.
If bi-directional password synchronization is inadvertently set up, MIIS 2003 limits the number of password changes in 24 hours to prevent excessive password changes. If this scenario occurs, you lose any password changes that occur after this limit is reached.
Implementing the Automated Password Synchronization Solution
The automated password synchronization solution in MIIS 2003 allows users to change their passwords in all connected data sources that are configured for automated password synchronization. Users can press CTRL+ALT+DEL on the keyboard to initiate password change.
This is a password change operation, not a password set or reset operation. For a password change operation, a user must know the previous password when attempting to change passwords. For a password set or reset operation to occur, a user does not have to know the previous password to set or reset the password to a different value. The automated password synchronization solution is a password change operation because users must know the previous password.
The process for implementing an automated password synchronization solution is as follows:
- Installing PCNS on all Active Directory domain controllers
- Configuring the Service Principal Name (SPN)
- Configuring an inclusion and exclusion group (optional)
- Configuring PCNS
- Configuring the management agents
- Enabling password synchronization
This section provides an overview of the automated password synchronization process. For detailed instructions for implementing the automated password synchronization solution, see Implementing the Automated Password Synchronization Solution – Step-by-Step at http://go.microsoft.com/fwlink/?LinkId=81750.
Installing PCNS on All Active Directory Domain Controllers
To ensure that password changes originating in Active Directory are sent to MIIS 2003, you must install PCNS on all of the Active Directory domain controllers in your environment. PCNS is located on the MIIS 2003 SP1 installation CD. In this phase of implementing the automated password synchronization process, PCNS is installed only on the domain controllers. You configure PCNS later in the process.
PCNS is the service that delivers all password change notifications to MIIS 2003 for processing. PCNS captures passwords in plaintext, and then, using RPC packet privacy, sends them to the server running MIIS 2003 for processing. PCNS uses the password change notification filter to capture the plaintext passwords before they can be encrypted by the target directory. After you install the filter and restart the domain controller, the filter receives password changes that are sent to that domain controller.
Installing PCNS installs the following components on all domain controllers:
- PCNS filter (Pcnsflt.dll) – This filter catches plaintext passwords when they are sent to Active Directory. This filter is loaded by the Local Security Authority (LSA) on each Microsoft Windows 2000 or Windows Server 2003 domain controller participating in password distribution to a target server running MIIS 2003. After you install the filter and restart the domain controller, the filter receives password change notifications for password changes that originate on that domain controller. This filter runs simultaneously with other filters running on the domain controller.
- PCNS (Pcnssvc.exe) – This service runs on a domain controller. It receives password change notifications from the local password filter, queuing them for the target server running MIIS 2003. The service, which uses RPC to deliver the notifications, captures passwords in plaintext. It then encrypts the passwords and ensures that they remain secure by using RPC packet privacy, until they are delivered successfully to the target server running MIIS 2003.
- PCNS configuration tool (Pcnscfg.exe) – This tool manages and maintains the PCNS configuration parameters stored in Active Directory. PCNS uses these configuration parameters when it authenticates and sends password notifications to the target server running MIIS 2003. Configuration parameters determine the target servers, the password queue retry interval, and when target servers are enabled or disabled.
Keep the following requirements in mind when you install PCNS on your domain controllers:
- Although PCNS captures password changes, it cannot synchronize existing passwords from one forest into another forest.
PCNS is push technology, not pull technology. Specifically, passwords can be pushed from Active Directory but cannot be pulled from Active Directory. If a password already exists, PCNS does not change it or synchronize it with other connected data sources. Passwords that existed previously in Active Directory must have a change request instigated for PCNS to retrieve the password change request and synchronize that password with the other connected data sources.
- In an optimal configuration, PCNS and MIIS 2003 are in the same forest because they authenticate to each other using Kerberos authentication.
- PCNS and MIIS 2003 can be in different forests if two conditions are met:
- A Kerberos realm forest trust must be established between the forests hosting PCNS and MIIS 2003. This requires that both forests and domains are running in Windows 2003 functional mode. For more information on forest trusts see Trust types at http://go.microsoft.com/fwlink/?LinkId=106059.
- DNS is configured such that Kerberos can function properly between forests.
- You can synchronize passwords one way between forests without trust if MIIS 2003 and PCNS are in the same forest. For example, if you want to install both PCNS and MIIS 2003 in Forest A, and you want to configure them to synchronize passwords to Forest B; the credentials in the MIIS 2003 management agent for Forest B will provide the necessary authentication without the trust requirement.
- Each domain controller whose password changes are to be managed by PCNS must have:
- PCNS installed.
- The capability to contact the MIIS 2003 server via Remote Procedure Call (RPC).
- PCNS installation verifies the Active Directory schema to ensure that classes and attributes needed to run PCNS are available. If they are not, the PCNS installation wizard prompts you to launch the PCNS Schema Update Wizard to update the schema.
After updating the Active Directory schema, you must run the PCNS installation wizard again in order to install PCNS.
To modify the schema, you must be a member of both the Domain Admins and the Schema Admins groups. You must extend the Active Directory schema only once for each Active Directory forest. The schema modifications are replicated to the other domain controllers in the forest when domain replication occurs.
Configuring the Service Principal Name (SPN)
MIIS 2003 uses Setspn.exe to create and configure the service principal name (SPN). Setspn.exe is included with the Windows 2000 Resource Kit Tools and the Windows Server 2003 Support Tools on the Windows Server 2003 installation CD.
SPN is a property on the account object in Active Directory that the Kerberos protocol uses to mutually authenticate PCNS and the MIIS 2003 server. SPN is the mechanism by which PCNS authenticates to MIIS 2003.
Using PCNS and MIIS 2003, SPN works in the following manner:
- When PCNS binds to the RPC server in MIIS, it tells RPC that it must use Kerberos, which server to connect to, and what principal it expects to be running at the other end (SPN).
- RPC connects to the server, locates the end point, and then passes authentication to Kerberos.
- Kerberos takes the SPN provided, and then verifies that the server name portion specified in the SPN matches the computer with which it is communicating.
- Kerberos runs a lookup on the host account in Active Directory to compare the SPN with the SPNs registered for that account. Because Kerberos asks for mutual authentication, it also ensures that the incoming call is from an authenticated account. If the SPNs match, then the authentication succeeds.
- RPC calls the security callback function, which gives MIIS 2003 an opportunity to validate further.
- MIIS 2003 validates that the caller is a domain controller on the specified domain.
SPN Naming Convention
We recommend that you use an SPN that reflects the service that will run. For example, you might use PCNSCLT because this SPN indicates that this is the SPN of the target MIIS 2003 server for PCNS.
The SPN must be unique and cannot appear on any other service account. Otherwise, Kerberos authentication fails and PCNS does not send password change requests to MIIS 2003.
Configuring an Inclusion and Exclusion Group (Optional)
Optionally, you can configure groups that will or will not participate in automated password synchronization. If all the users in the domain will participate in automated password synchronization, then this step is not necessary.
Inclusion and exclusion groups must be security groups. As the names imply, the members of these groups are users who are either included or excluded from password synchronization. These groups should reside in the authoritative forest for password synchronization. If you have an existing group for users who must participate in password synchronization, you can specify that group. If not, create a new group. For example you can create a group called PasswordSyncUsers for all users whose passwords you want to synchronize.
Members of the exclusion group are always excluded from password synchronization, even if they are also members of the inclusion group.
Earlier in the automated password synchronization solution, you installed PCNS on all the domain controllers in the authoritative forest. Now, you must configure PCNS on those domain controllers.
You use Pcnscfg.exe, a command-line tool, to configure PCNS to process password change notifications to MIIS 2003. Pcnscfg.exe manages and maintains the PCNS configuration parameters stored in Active Directory. It installs with PCNS into the Microsoft Password Change Notification folder, which is in the Program Files folder, on each domain controller.
You must configure the following parameters for PCNS:
- The user-defined friendly name of the target server running MIIS 2003.
- The fully-qualified domain name of the server running MIIS 2003.
- The SPN for the server running MIIS 2003.
- The specified inclusion group of all users who will participate in automated password synchronization.
For detailed instructions on configuring PCNS, see Implementing the Automated Password Synchronization Solution – Step-by-Step at http://go.microsoft.com/fwlink/?LinkId=81750.
MIIS 2003 uses these configuration parameters when it authenticates and sends password notifications to the target server running MIIS 2003.
After you configure PCNS, password changes that are sent to domain controllers in the authoritative forest can be sent to MIIS 2003 for further processing.
Configuring the Management Agents
To correctly configure the Management Agent for Active Directory and the target management agents for automated password synchronization, you must know which management agents support automated password synchronization by default and which management agents require that you configure a password extension to support automated password synchronization.
You do not have to run the management agents for automated password synchronization to occur. MIIS 2003 uses information from the management agent configuration to process password synchronization requests in real time.
Default Support for Automated Password Synchronization
Management agents in MIIS 2003 support a range of password management features. Management agents for directory services support password set and change operations by default.
The following management agents support password change operations:
- Management Agent for Active Directory
- Management Agent for Active Directory Application Mode (ADAM)
- Management Agent for Windows NT 4.0
The following management agents support password set operations only:
- Management Agent for Lotus Notes
- Management Agent for Sun and Netscape Directory Servers (formerly iPlanet Directory Server)
Extension Support for Automated Password Synchronization
For file-based, database, and extensible connectivity management agents, which do not support password change and set operations by default, you can create a .NET password extension dynamic-link library (DLL). The Microsoft .NET password extension DLL is called whenever a password change or set call is invoked for any of these management agents. You configure password extension settings for these management agents in MIIS 2003 Identity Manager.
For more information about configuring password extensions, see Microsoft Identity Integration Server 2003 Developer Reference at http://go.microsoft.com/fwlink/?LinkId=77629.
The following management agents support password management using a password extension:
- Management Agent for Attribute-Value Pair Text File
- Management Agent for Delimited Text File
- Management Agent for Directory Services Markup Language (DSML)
- Management Agent for Extensible Connectivity
- Management Agent for Fixed-Width Text File
- Management Agent for IBM DB2
- Management Agent for LDAP Data Interchange Format (LDIF)
- Management Agent for Microsoft SQL Server™
- Management Agent for Oracle Database
Configuring the Management Agent for Active Directory
You must configure the Management Agent for Active Directory on the server running MIIS 2003 so that it can process password change requests. The Management Agent for Active Directory must be the source for all password change requests. As such, the authoritative Active Directory domain pushes all password change requests to every configured data source that has password management enabled.
Enabling and Configuring the Target Management Agents
You must configure the management agents for all connected data sources that participate in automated password synchronization to receive and process password change requests. These management agents receive the password changes sent to them by the Active Directory domain that you have enabled to be the source for password synchronization.
The Configure Extensions option, located in the Properties section of each target management agent, has the following options to enable automated password management:
- Maximum retry count
This option specifies the number of times MIIS 2003 attempts to push a password change to the connected data source, if there are connectivity errors.
- Retry interval
This option specifies how much time elapses between attempts by MIIS 2003 to push the password to the connected data source.
- Require secure connection for password synchronization operations
This option specifies that a secure connection to the connected data source is required before MIIS 2003 attempts to push a password change to the connected data source. If you do not include this option, the management agent pushes the password change to the connected data source regardless of the security level.
Enabling Password Synchronization
The final step in implementing the automated password synchronization solution is to enable password synchronization on the server running MIIS 2003. Although you have enabled password management for the relevant management agents, you must configure the MIIS 2003 Web-based application separately for successful automated password synchronization.
When password synchronization is enabled, the RPC service on the server running MIIS 2003 starts. This ensures that MIIS 2003 can process password change requests that are sent to it from Active Directory, and then push those requests to the connected data sources. RPC dynamically chooses a range of ports to push the password change requests to the connected data sources. If you require that MIIS 2003 communicate with the Active Directory forest through a firewall, you must open a range of ports.
If you enable, and then disable, password synchronization, password synchronization on MIIS 2003 pauses. MIIS 2003 holds all password change requests that it has already received in the queue, and then processes them when you enable password synchronization again. While password synchronization is disabled, password change notifications from the domain controllers are not acknowledged and are held in queues on the domain controllers. When you enable password synchronization again, MIIS 2003 processes these requests.
Security Considerations for Automated Password Synchronization
For many enterprises, transporting and storing passwords across connected data sources is a security concern. If password security is compromised, enterprises can be vulnerable to threats from outside intruders. MIIS 2003 addresses the following security considerations for automated password synchronization:
- Authentication from the password source – When MIIS 2003 receives a password change notification, the domain controller and MIIS 2003 do Kerberos authentication to ensure that the recipient and sender are both valid. MIIS 2003 ensures that the caller has an account in the Domain Controllers container of the domain to which it belongs.
- Failed password synchronization to a target data source due to an insecure connection – If a management agent that is configured to require a secure connection does not detect one, synchronization fails. If the management agent is configured to allow non-secure connections, however, synchronization succeeds. Enable non-secure connections only after examining and understanding the risks involved.
- Secure storage of passwords – MIIS 2003 stores encrypted passwords only temporarily. All passwords received by MIIS 2003 during a password change notification operation are encrypted as soon as they enter the MIIS 2003 process. The moment they are successfully sent to the target connected data source, they are decrypted, and the memory storing the password is immediately cleared. If the operation fails to write to the target connected data source, the encrypted password is stored until all retry attempts have been attempted, and then the password is cleared from memory.
- Secure password queues – Passwords stored in PCNS password queues are encrypted until they are delivered.
Because security is a major concern for many enterprises, MIIS 2003 has built-in features that address many security issues that can occur when you implement an automated password synchronization solution. Below are best practices for security in MIIS 2003 that can enhance the security of your corporate environment. For more information about securing your MIIS 2003 environment, see MIIS Best Practices for Security in MIIS 2003 Help.
Lock Down the MIIS 2003 Service Account
MIIS 2003 runs in the security context of a specific account. Because the account has access to all MIIS 2003 resources, you should lock down this account with the following restrictions:
- Deny users access to log on as a batch job.
- Deny users access to log on locally.
- Deny users access to log on using Terminal Services.
- Deny users access to this computer from the network.
For more information about setting account restrictions on Windows Server 2003, Enterprise Edition accounts, see Windows Server 2003, Enterprise Edition Help.
Place the Server Running MIIS 2003 Behind a Firewall
Ensure that the network context in which the server running MIIS 2003 run is behind a firewall. Use a tunnel from the server running MIIS 2003 to connect to resources such as domain controllers, if they are not on the same side of the firewall. For more information about security and Windows Server 2003, Enterprise Edition, see Windows Server 2003, Enterprise Edition Help.
As with any technology project, having enough of the right resources to implement a solution is critical. Resources such as scheduling, existing infrastructure budget, and solution features all impact the success of an automated password synchronization solution.
As noted earlier, we recommend that you try the procedures in this automated password synchronization solution in a test environment prior to deploying them in a production environment.
Although it does not follow recommended practices, you can set up a minimal test environment using only two computers to test this solution. To perform the procedures in this Guide, your test environment should have the following characteristics:
- At least one Active Directory domain controller running Windows Server 2000 or Windows Server 2003.
- A member server running Windows Server 2003, Enterprise Edition with at least one Management Agent for Active Directory and another management agent configured and successfully synchronizing objects with the Management Agent for Active Directory. The MIIS 2003 service account must be a domain account.
- A client workstation that is a member of the domain that can be used to initiate and verify password changes.
- No firewall between the servers.
If a firewall is enabled, you must open a range of ports to allow RPC communication between the domain controller and the server running MIIS 2003. For more information, Microsoft Identity Integration Server 2003 Technical Reference at http://go.microsoft.com/fwlink/?LinkId=38680.
- MIIS 2003 installation CD for PCNS installation.
- Service Principal Name (SPN) utility. You can find this utility in Windows 2000 Resource Kit Tools or Windows Server 2003 Support Tools, which are located on the Windows Server 2000 system disk or Windows Server 2003 system disk.
To download Setspn.exe, see Windows 2000 Resource Kit Tools for administrative tasks at http://go.microsoft.com/fwlink/?LinkID=33697.
- As noted earlier, during installation, PCNS verifies the Active Directory schema to ensure that classes and attributes needed to run PCNS are available. If they are not, the PCNS installation wizard prompts you to launch the PCNS Schema Update Wizard to update the schema. To modify the schema, you must be a member of both the Domain Admins and the Schema Admins groups. You must extend the Active Directory schema only once for each Active Directory forest. The schema modifications are replicated to the other domain controllers in the forest when domain replication occurs.
Be aware that users will not get any type of notification that things are not working. They will simply be aware that their changes are not getting through. So if the PCNS service is unavailable, down, or not working they will have no indication of this.
There will be error messages in the Event Viewer of the Domain Controller where PCNS is installed. There will be events to indicate that the service is not started or that changes are not being forwarded. Administrators should check the Event Viewer of the DC where PCNS is installed if they suspect that the service is not working or if changes are not being forwarded.
This Guide is an automated password synchronization solution based on MIIS 2003. It provides an overview of how automated password synchronization works, its fundamental components, and the processes necessary to implement the solution in your enterprise environment.
For detailed procedures, see Implementing the Automated Password Synchronization Solution – Step-by-Step at http://go.microsoft.com/fwlink/?LinkId=81750. This document presents instructions for implementing the automated password synchronization solution. It also provides configuration options and illustrations of the information in this Guide.