Friday, March 19, 2010

Should the OIM AD Password Sync Connector be Installed on all the Active Directory Domain Controller Machines to Which a User can Bind to

Should the OIM AD Password Sync Connector be installed on all the Active Directory Domain Controllers to which users can connect to change their passwords or should it be installed only on the Primary Domain Controller?

If the user's password is changed on an Active Directory Domain Controller, that Domain Controller should have the OIM AD Password Sync connector package installed in order for it to propagate the new password to OIM.


If only the Primary Active Directory Domain Controller has the OIM AD Password Sync connector installed, and the password is changed on a non-primary domain controller (which does not have the AD Password Sync connector installed and configured), then the primary domain controller with the AD Password Sync connector would never send the password change to OIM, even after the two domain controllers sync. One never knows on which Domain Controller a user is authenticated and where their password was changed; that is why the AD Password Sync connector should be installed on every Domain Controller that a user could bind to.
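
One way to check that no Domain Controller has been missed, as an added example that is not part of the original post or of Oracle's connector package. It assumes the connector registers itself as an LSA password filter (so its name appears in the `Notification Packages` registry value on each Domain Controller), that the Remote Registry service is reachable, and that `<connector-filter-name>` is replaced with the name your installation registered.

```powershell
# Added example: report which Domain Controllers lack the password sync filter.
# Assumption: the connector is registered as an LSA password filter, so its name
# is listed in the "Notification Packages" value on every DC where it is installed.
Import-Module ActiveDirectory

$FilterName = '<connector-filter-name>'   # placeholder, not a value from the post
$LsaKey     = 'SYSTEM\CurrentControlSet\Control\Lsa'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        FilterRegistered = $null   # stays $null when the DC could not be queried
        Error            = $null
    }
    $hive = $null
    try {
        # Read the LSA key remotely; requires admin rights and Remote Registry.
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.HostName)
        $key  = $hive.OpenSubKey($LsaKey)
        $packages = @($key.GetValue('Notification Packages'))
        $row.FilterRegistered = $packages -contains $FilterName
    } catch {
        # An unreachable DC is reported, not silently treated as compliant.
        $row.Error = $_.Exception.Message
    } finally {
        if ($hive) { $hive.Close() }
    }
    $row
}

$report | Sort-Object FilterRegistered, DomainController | Format-Table -AutoSize

# Any DC that is missing the filter, or could not be checked, is a gap:
# a password changed there would not be propagated to OIM.
$gaps = @($report | Where-Object { $_.FilterRegistered -ne $true })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} Domain Controller(s) without a confirmed password filter" -f $gaps.Count)
    exit 1
}
```

Running this after each new Domain Controller is promoted catches the case described above, where a password change lands on a controller that never forwards it.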