Check if the school is using RM Unify Network Provisioning
RM Unify will reject a password coming from AD if it is too simple. The User Audit log in the RM Unify Management Console will show if RM Unify has rejected a user's AD password. For more information, refer to TEC5943089 in the Other Useful Articles section below.
Note: The use of RM Network Provisioning can be confirmed by navigating to the User Audit page of the RM Unify Management Console as a super admin, selecting 'Network Agent' from the Change type drop-down, and returning logs for the past month or so. Change type entries such as "Update AD User" or "Create AD User" indicate RM Unify Network Provisioning.
Check that the server time on your network is accurate
If the time on your servers is out by five minutes or more in either direction, the password change files sent from your network (via AD Sync) to the RM Unify datacentre will be ignored. This is a security measure to protect against any potential unauthorised interception and replay of those files. You must ensure that your network's DCs are properly time-synchronised.
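The following is an added example (not RM's own tooling) that compares every DC's clock with the server it is run on and flags any DC outside the five-minute window described above. It assumes the ActiveDirectory module and WinRM access to each DC; the server you run it on must itself be synchronised to a reliable time source.

```powershell
# Added example: report clock skew between this server and every DC.
# Assumes the ActiveDirectory module and WinRM (Invoke-Command) access to each DC.
Import-Module ActiveDirectory

$maxSkew = [TimeSpan]::FromMinutes(5)   # window stated in the article
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    try {
        # Read the remote UTC time and the local UTC time as close together as possible;
        # network latency adds well under a second, which is irrelevant at a 5-minute threshold.
        $remote = Invoke-Command -ComputerName $dc -ScriptBlock { [DateTime]::UtcNow } -ErrorAction Stop
        $local  = [DateTime]::UtcNow
        $skew   = $remote - $local
        if ([Math]::Abs($skew.TotalSeconds) -ge $maxSkew.TotalSeconds) {
            Write-Warning ("{0}: clock is {1:N1}s from this server; password files from it will be ignored" -f $dc, $skew.TotalSeconds)
        } else {
            Write-Host ("{0}: skew {1:N1}s (OK)" -f $dc, $skew.TotalSeconds)
        }
    } catch {
        Write-Warning "$dc : could not query time ($($_.Exception.Message))"
    }
}

# Also show each DC's configured time source; a DC reporting 'Local CMOS Clock' is not synchronised.
foreach ($dc in $dcs) {
    $src = & w32tm /query /computer:$dc /source 2>$null
    Write-Host "$dc time source: $src"
}
```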
Confirm the RM Unify AD Sync service is set to log on as the identitysyncservice user
This service is installed on the RM Unify AD Sync server and should be set to log on as the dedicated identitysyncservice user. If it has been changed to log on as another account, set a new secure password for the identitysyncservice user in Active Directory and change the service to log on as the identitysyncservice user.
Check Event Viewer logs for related errors
View the Windows 'Application' and 'System' logs for warnings or errors referencing RM Unify Password Filter.
Confirm RM Unify Password Filter is installed on all domain controllers (DCs)
- On a DC, open 'Active Directory Users and Computers'.
- Browse to the Domain Controllers OU and sub-OUs, as necessary.
- Make a note of all the DCs.
- In the RM Unify AD Sync Tool, expand Domains and right-click the Domain Controllers folder.
- Select Rescan domain and confirm if all the DCs noted above (step 3) are now displayed.
- For each DC, use DWN3182456 in the Other Useful Articles section below to confirm if the RM Unify Password Filter is installed.
Check the RM Unify Password Filter log files on each DC
If password changes have never worked or appear to work intermittently, check C:\Program Files\RM\RM Unify Password Filter\LogFiles on each DC for installation errors.
Confirm the correct version of RM Unify Password Filter is installed
There is a 32-bit and a 64-bit installer for RM Unify Password Filter, depending on whether the Microsoft® Windows® server is 32-bit or 64-bit. Please see Appendix 1 in either of the Release Notes contained within DWN3182456 to check whether the operating system is 32-bit or 64-bit.
In Programs and Features, you should see either RM Unify Password Filter 32-bit or RM Unify Password Filter 64-bit listed.
Check access and permissions on all RMNetIdentityQueue$ shares
- In the RM Unify AD Sync Config Tool, expand Domains and view the list of DCs.
- Check that all your DCs are listed and that none have a red cross. A DC with a red cross indicates that the Configuration Tool has been unable to access the DC and/or its RMNetIdentityQueue$ share.
- For any DC with a red cross, confirm that RM Unify Password Filter has been installed.
- On every DC, check the permissions on the C:\Program Files\RM\RM Unify Password Filter\RMNetIdentityQueue folder. It should be shared as RMNetIdentityQueue$ with share permissions of Everyone=Full Control. NTFS permissions should include Read, Write, Modify and Delete for the identitysyncservice user.
- Confirm that the RMNetIdentityQueue$ share on each DC contains an RMUnifyADSyncCert.cer file. The RM Unify AD Sync service should automatically download a copy of the file to C:\Program Files (x86)\RM\RM Unify AD Sync and distribute it to all DCs in a heartbeat every 15 minutes by default. You can manually copy the .cer file to the RMNetIdentityQueue$ shares if it is missing, but having to do so may indicate an underlying issue that still requires resolution.
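The checks in this section can be scripted. The block below is an added example (not RM's own tooling): it tests every DC's RMNetIdentityQueue$ share and the certificate inside it, then checks the local folder's share and NTFS permissions on the DC it is run on. It assumes the ActiveDirectory module, the identitysyncservice account name and the paths given in this article.

```powershell
# Added example: verify the RMNetIdentityQueue$ share, certificate and permissions.
# Run on a DC as an account that can read every DC's share. Account/path names are from the article.
Import-Module ActiveDirectory

$svcAccount = "$env:USERDOMAIN\identitysyncservice"
$localPath  = 'C:\Program Files\RM\RM Unify Password Filter\RMNetIdentityQueue'
$shareName  = 'RMNetIdentityQueue$'

# 1. Remote view: is the share reachable on every DC and does it hold the certificate?
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $share = "\\$dc\$shareName"
    if (-not (Test-Path $share)) {
        Write-Warning "$dc : $share not reachable (this DC would show a red cross in the Config Tool)"
        continue
    }
    $cer = Join-Path $share 'RMUnifyADSyncCert.cer'
    if (Test-Path $cer) {
        $age = (Get-Date) - (Get-Item $cer).LastWriteTime
        Write-Host ("{0}: share OK, certificate present (written {1:N0} min ago)" -f $dc, $age.TotalMinutes)
    } else {
        Write-Warning "$dc : share OK but RMUnifyADSyncCert.cer is missing (is the AD Sync heartbeat reaching this DC?)"
    }
}

# 2. Local view on this DC: share permissions and NTFS rights for the service account.
$smb = Get-SmbShareAccess -Name $shareName -ErrorAction SilentlyContinue
$everyoneFull = $smb | Where-Object {
    $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' -and $_.AccessControlType -eq 'Allow'
}
if (-not $everyoneFull) { Write-Warning "$shareName is not shared with Everyone=Full Control on this DC" }

# Combine all Allow ACEs for the service account, then check the required rights are all present.
$needed  = [int][System.Security.AccessControl.FileSystemRights]'Read, Write, Modify, Delete'
$granted = 0
(Get-Acl $localPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $svcAccount -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $granted = $granted -bor [int]$_.FileSystemRights }
if (($granted -band $needed) -ne $needed) {
    Write-Warning "$svcAccount lacks Read/Write/Modify/Delete on $localPath"
} else {
    Write-Host "NTFS rights for $svcAccount on $localPath look correct"
}
```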
Check there is only one RM Unify Password Filter installation on each DC
If a previous installation of RM Unify Password Filter has not been uninstalled correctly, you might have two installations, which will cause an issue. Confirm you have just one installation in C:\Program Files\RM\RM Unify Password Filter and no installation in C:\Program Files (x86)\RM\RM Unify Password Filter.
If the server is Community Connect 4 (CC4), check whether another RM product called RM Password Filter is installed in Programs and Features. This is a password capture product associated with RM Password Plus. The two products may not co-exist successfully. RM Unify Password Filter should start working immediately once RM Password Plus is uninstalled, but in rare cases you may need to reinstall RM Unify Password Filter.
Check there is only one RM Unify AD Sync installation on the network
Although only one installation of RM Unify AD Sync can be registered with your RM Unify establishment, the presence of two or more Enabled instances of the RM Unify AD Sync Service running on the network could result in issues affecting the successful synchronisation of data, including passwords, to the RM Unify datacentre.
As RM Unify AD Sync can be installed on a DC or member server, complete the following:
- Identify the server you usually use to launch and configure the RM Unify AD Sync Config Tool. This should be the only server on the network with the RM Unify AD Sync Service listed in services.msc.
- On the next server, click Start, Run and type services.msc and press Enter.
- If you locate the RM Unify AD Sync Service, double-click it and select Disabled from the Startup type. Click OK.
- Change the password of an AD user that has an RM Unify account.
- If the user is able to log on to RM Unify with the new password after 60+ seconds, you are free to uninstall AD Sync from that server.
- Repeat Steps 2-5 on each server on your network.
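Rather than visiting services.msc on every server, the steps above can be reduced to one inventory pass. This is an added example (not RM's own tooling) for Windows PowerShell 5.1: it assumes the ActiveDirectory module and remote service-control access to each server, and uses the service's display name from this article because its short service name is not given here.

```powershell
# Added example: list every server that has the RM Unify AD Sync Service and flag extra enabled copies.
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName) and the ActiveDirectory module.
Import-Module ActiveDirectory

$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
           Select-Object -ExpandProperty DNSHostName

$found = foreach ($s in $servers) {
    # Display name taken from the article; the short service name is not known here.
    $svc = Get-Service -ComputerName $s -DisplayName 'RM Unify AD Sync Service' -ErrorAction SilentlyContinue
    if ($svc) {
        [pscustomobject]@{ Server = $s; Status = $svc.Status; StartType = $svc.StartType }
    }
}
$found | Format-Table -AutoSize

# Only one enabled instance should exist; any other copy should be Disabled and then uninstalled.
$enabled = @($found | Where-Object { $_.StartType -ne 'Disabled' })
if ($enabled.Count -gt 1) {
    Write-Warning ("{0} enabled AD Sync instances found; only one should exist: {1}" -f $enabled.Count, ($enabled.Server -join ', '))
} elseif ($enabled.Count -eq 0) {
    Write-Warning "No enabled RM Unify AD Sync Service found on any server"
}
```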
Check the anti-virus or protection software installed on each DC
Temporarily suspend the protection on one DC and follow the steps in the section 'Test a new password change' below. If you find a password is changed successfully, please consult your anti-virus/protection support provider on how to exclude C:\Program Files\RM\RM Unify Password Filter and its sub-folders from the protection software on each DC. Depending on the software, you may have to complete additional tasks to allow RM Unify Password Filter to function while the protection is on.
Check if a manually-provisioned RM Unify user with the same username already exists
- Sign in to RM Unify as a user with super admin rights.
- Click Management Console.
- Click Users.
- Click the down arrow key next to the box 'Any data source' and select 'Manual/CSV'.
- In the Username filter box, enter the username of the affected user and press Enter.
- If the filter does not return a user, click the down arrow key next to the box View and select a different role group.
- Repeat until you have checked all the six role groups.
- If a user is returned, please contact the RM Cloud Support team for further assistance.
Test a new password change
- Open the RM Unify AD Sync Configuration Tool.
- Click Service, Settings.
- Under Logging, change the Log level to LOG (this enables verbose logging).
- Click OK.
- Restart the RM Unify AD Sync Service.
- Open 'Active Directory Users and Computers' on a DC and change the AD password of an existing RM Unify user that still has membership of the RM Unify Users security group.
- On the same DC, browse to the C:\Program Files\RM\RM Unify Password Filter\RMNetIdentityQueue folder and confirm that you can see a new .json file with the date/time when you changed the password. If you cannot see the new .json file, or see a new .bin file instead, then RM Unify Password Filter has been unable to capture the change successfully. Please review the NTFS/share permissions and .cer file on the C:\Program Files\RM\RM Unify Password Filter folder and sub-folders detailed in the 'Check access and permissions on all RMNetIdentityQueue$ shares' section above. Note: If the DC is a read-only domain controller (RODC), it has to forward the password change request to another DC for processing. In this case, you should check the RMNetIdentityQueue folders on the other DCs to identify the one that processed the change and created the .json file.
- Wait five minutes and then open the latest log file on the RM Unify AD Sync server:
  - Locate the log files in C:\Program Files\RM\RM Unify AD Sync\LogFiles.
  - Search for a Domain Timer event with information 'Saved password for xxx', where xxx is the username. This proves the password change has been detected.
  - Then search for a later 'RM Unify upload timer' event with information 'Password change complete for User xxx', where xxx is the username. This proves the password change has been uploaded.
- Repeat Steps 6-8 on each DC.
- Return the logging back to ERROR by repeating Steps 1-4 and setting the Log level to ERROR.
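Steps 7 and 8 above (finding the queue file on whichever DC captured the change, then the two log entries on the AD Sync server) can be traced with the following added example, which is not RM's own tooling. It assumes the folder paths and log text quoted in this article, WinRM access to the DCs, and that `$user` and `$changedAt` are set to the test account and the approximate time of the change.

```powershell
# Added example: trace one test password change from the DC queue folders to the AD Sync log.
# $user and $changedAt are assumptions; paths and log strings are taken from the article.
Import-Module ActiveDirectory

$user      = 'testuser'                 # sAMAccountName of the account whose password you changed
$changedAt = (Get-Date).AddMinutes(-10) # roughly when you changed it
$queue     = 'C:\Program Files\RM\RM Unify Password Filter\RMNetIdentityQueue'
$logDir    = 'C:\Program Files\RM\RM Unify AD Sync\LogFiles'

# 1. Which DC captured the change? An RODC forwards the request, so every DC is checked.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $files = Invoke-Command -ComputerName $dc -ArgumentList $queue, $changedAt -ScriptBlock {
        param($q, $since)
        Get-ChildItem -Path $q -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since } |
            Select-Object Name, Extension, LastWriteTime
    } -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        switch ($f.Extension) {
            '.json' { Write-Host ("{0}: captured {1} at {2}" -f $dc, $f.Name, $f.LastWriteTime) }
            '.bin'  { Write-Warning ("{0}: {1} written instead of .json; check permissions and the .cer file" -f $dc, $f.Name) }
        }
    }
}

# 2. Did the AD Sync server detect and upload it? Run this part on the AD Sync server after ~5 minutes.
$latestLog = Get-ChildItem $logDir -File | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latestLog) {
    $saved    = Select-String -Path $latestLog.FullName -SimpleMatch "Saved password for $user"
    $uploaded = Select-String -Path $latestLog.FullName -SimpleMatch "Password change complete for User $user"
    if ($saved)    { Write-Host "Detected: $(@($saved)[-1].Line)" }    else { Write-Warning "No 'Saved password for $user' entry yet" }
    if ($uploaded) { Write-Host "Uploaded: $(@($uploaded)[-1].Line)" } else { Write-Warning "No 'Password change complete for User $user' entry yet" }
} else {
    Write-Warning "No log files found in $logDir (is this the AD Sync server, and is logging set to LOG?)"
}
```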
If the above checks fail to reveal a root cause and no user passwords are propagating to RM Unify, uninstall RM Unify Password Filter on all DCs using the instructions below and reinstall. Please note that installing RM Unify Password Filter requires a server reboot, followed by the domain administrator logging on to the server and then logging off again to complete the installation.