Which Domain Controllers should I install Password Sync Agents on?


Article ID: 50277




CA Directory, CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On, CA Security Command Center, CA Data Protection (DataMinder), CA User Activity Reporting



Password Sync Agents are required to be installed only on DCs where passwords are allowed to be set/reset.


A Password Sync Agent is CA's agent that intercepts password changes as they take place on a target endpoint Domain Controller and synchronizes them back to the Provisioning Server and Identity Manager. These servers then decide whether to accept the change and whether it needs to be propagated to other provisioned endpoints.

You might have read-only domain controllers in your farm. Such domain controllers are 'slaves': they do not allow direct updates and are only updated by replication from other domain controllers that do accept updates.

Therefore, you do not need to install the Password Sync Agent software on any domain controller that does not allow direct password resets. There is simply no point in doing that, and you are better off not doing it. Install the Password Sync Agents only on the specific machines (in this case, domain controllers) that allow passwords to be set and/or reset. The installed agent will then be able to intercept these sets/resets as explained above.
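One way to turn this guidance into an install plan, as an added example that is not CA's own tooling: the script below lists every domain controller in the forest, separates read-only from writable DCs, and flags where the agent belongs. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs for the optional service check, and that every writable DC accepts password sets/resets; the agent's Windows service name is not given in this article, so `$AgentServiceName` is a parameter you must supply.

```powershell
#Requires -Modules ActiveDirectory
# Added example: classify every DC in the forest as needing the agent or not.
param(
    # Assumption: the agent's Windows service name is not stated in the article.
    # Supply the real name to enable the installed-state check; empty skips it.
    [string]$AgentServiceName = ''
)

function Get-AgentState {
    param([string]$ComputerName, [string]$ServiceName)
    if (-not $ServiceName) { return 'NotChecked' }
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName `
            -Filter "Name='$ServiceName'" -ErrorAction Stop
        if ($svc) { 'Installed' } else { 'NotInstalled' }
    } catch {
        'Unreachable'   # a failed query is not evidence that the agent is absent
    }
}

$plan = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in (Get-ADDomainController -Filter * -Server $domain)) {
        $state = Get-AgentState -ComputerName $dc.HostName -ServiceName $AgentServiceName

        # Read-only DCs do not take direct password sets/resets, so no agent there.
        $action = if ($dc.IsReadOnly) {
            if ($state -eq 'Installed') { 'Review: agent present on read-only DC' }
            else { 'None: read-only DC, no agent needed' }
        } else {
            if ($state -eq 'Installed') { 'None: agent already present' }
            else { 'Install agent (or confirm it is present)' }
        }

        [pscustomobject]@{
            Domain     = $domain
            Site       = $dc.Site
            HostName   = $dc.HostName
            ReadOnly   = $dc.IsReadOnly
            AgentState = $state
            Action     = $action
        }
    }
}

$plan | Sort-Object ReadOnly, Domain, HostName | Format-Table -AutoSize
```

If password sets/resets are restricted to a subset of the writable DCs in your environment, narrow the "Install agent" rows to that subset.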


Component: IDMGR