I have been running the Active Directory driver for about a year, but
only with the Subscriber channel synchronization.
We now wish to enable Password Synchronization from Active Directory
back to the Identity Vault. I am having a tough time.
I have changed the password policy to Microsoft.
I have installed the Password Sync Filter on our single domain controller.
I have changed the Password Synchronization settings on the Active
Directory driver to allow synchronization both ways.
The Driver Filter is where I am getting stuck. I changed the User object
Publish from ignore to synchronize, and changed all my attributes except
nspmDistributionPassword to ignore. I changed nspmDistributionPassword
to Notify of both Publish and Subscriber. Is that correct?
The issue I am writing about is that when I restarted the driver, I started
getting TONS of events related to deleted objects.
DirXML Log Event -------------------
Driver: \TCORP-VAULT\tcorp\driverset\Active Directory
Message: Code(-8019) Operation vetoed on unassociated object.
I had to turn the driver off and back out all my changes. I was getting
hundreds of these.
Can someone explain what I have done wrong, and the proper way for me to
change a Subscriber-only Active Directory driver to start doing
Password-only synchronization in both directions?