Replication Errors with OPF

Open dh-pfsweb opened this issue 4 years ago • 8 comments

Hello,

We installed OpenPasswordFilter recently and have had some problems with it. We ran into the krbtgt error mentioned in an older post. In addition to that, we are having replication issues between our domains. When we change a user's password, or make other attribute changes, we need to stop the OPF Service on the DC to get the changes to replicate to the other DCs. Has anyone else run into this issue or have any suggestions as to what we might be able to do to correct this problem?

thanks, david

dh-pfsweb avatar Mar 16 '20 16:03 dh-pfsweb

Yes, if you have a cloud sync it MUST be the last ones in the LSA notifiers. Especially Gsync (DEAD LAST!) which likes to kill the stack. Make sure OPF is before them, especially GSYNC!

edited: And that is on ALL ADs, but can test on one that you're changing the PW on - using PowerShell with -server <ip/hostname> switch

OPF shouldn't affect attributes though, so could also be something else.

FFFreak avatar Mar 18 '20 20:03 FFFreak

Is this what you are referring to?

Just moving the OpenPasswordFilter to the top of the Notification Packages in the registry?

thanks,

david

dh-pfsweb avatar Mar 19 '20 19:03 dh-pfsweb

Cannot see image, but I did it on mine before the cloud providers. However, most things "pass-through" so I don't know of any issue with it being first, but I also have never tried it that way. Sorry I cannot tell you a yes or no on it.

FFFreak avatar Mar 19 '20 23:03 FFFreak

Sorry. The image was a screenshot of our registry. I was wondering if this was the proper place to make the change to the LSA Notification.

HKLM > SYSTEM > CurrentControlSet > Control > Lsa > Notification Packages

In there I find three values: rassfm, scecli, OpenPasswordFilter

Do I just need to move OpenPasswordFilter to the top?

thanks,

david

dh-pfsweb avatar Mar 20 '20 12:03 dh-pfsweb
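
A way to audit the ordering discussed in this thread, as an added example that is not part of the issue or of the OpenPasswordFilter project: it reads the `Notification Packages` value (locally or from a named DC) and flags the filter being missing or listed after a package that is supposed to run last. `ExampleCloudSync` and `DC01` are constructed placeholders, and `Get-NotificationPackages` and `Test-NotificationPackageOrder` are hypothetical helper names.

```powershell
# Added example, not OpenPasswordFilter code. Helper names are hypothetical.
function Get-NotificationPackages {
    param([string]$ComputerName)   # omit to read the local machine
    $read = {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
    }
    if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $read }
    else { & $read }
}

function Test-NotificationPackageOrder {
    param(
        [Parameter(Mandatory)][string[]]$Packages,   # value data, in registry order
        [string]$FilterName = 'OpenPasswordFilter',
        [string[]]$MustBeLast = @()                  # packages that should follow the filter
    )
    $names = @($Packages | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $problems = @()
    $filterIdx = -1
    $firstLast = -1
    for ($i = 0; $i -lt $names.Count; $i++) {
        if ($names[$i] -ieq $FilterName) { $filterIdx = $i }
        $isLast = $MustBeLast -contains $names[$i]   # -contains ignores case
        if ($isLast -and $firstLast -lt 0) { $firstLast = $i }
        if (-not $isLast -and $firstLast -ge 0) {
            $problems += "$($names[$i]) is listed after $($names[$firstLast])"
        }
    }
    if ($filterIdx -lt 0) { $problems += "$FilterName is not registered" }
    [pscustomobject]@{
        Order    = $names -join ', '
        Position = $filterIdx
        Problems = $problems
    }
}

# Constructed inputs: the three values quoted in the thread, then the same list
# with a placeholder sync package placed ahead of the filter.
Test-NotificationPackageOrder -Packages 'rassfm','scecli','OpenPasswordFilter'
Test-NotificationPackageOrder -Packages 'rassfm','scecli','ExampleCloudSync','OpenPasswordFilter' `
    -MustBeLast 'ExampleCloudSync'

# Live check on one DC (DC01 is a placeholder host name):
# Test-NotificationPackageOrder -Packages (Get-NotificationPackages -ComputerName 'DC01')
```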

I personally see no issue with the original order. When you remove (OPF) it does replication perfectly? (replication and partition syncing [like on a service restart] are very different).

FFFreak avatar Mar 20 '20 16:03 FFFreak

Also what Operating System? (I'm just some dude, and played a lot with OPF in my test environments, but OSes I think were 2008 R2 to 2012).

FFFreak avatar Mar 20 '20 16:03 FFFreak

This is installed on Server 2012 R2.

All we have to do is to disable the OPF Service on the DCs and everything works fine. With the service enabled, we have long delays to change passwords (20 seconds up to several minutes), and we see replication problems arise.

thanks,

david

dh-pfsweb avatar Mar 20 '20 17:03 dh-pfsweb

So OPF does use a sorta local loopback (127.0.0.1) to do the communication from LSA notifier to the service that does the checking. Have you tried Wireshark to see if there is a communication issue with this loopback? I am wondering if that communication channel is having issues and you're hitting a timeout on the call. I didn't write it, but figured they did this for a buffer and ability to queue up asynchronous calls into a synchronous check.

FFFreak avatar Mar 20 '20 17:03 FFFreak
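
One way to test the loopback channel described in the comment above without a packet capture, as an added example that is not OPF's own code: it finds the TCP listeners owned by the service process and times a connect to each on 127.0.0.1. The service name `OPF` is an assumption (use the name your DC shows), and the function names are hypothetical.

```powershell
# Added example, not OpenPasswordFilter code. Run in an elevated session on the DC.
function Measure-LoopbackConnect {
    param([Parameter(Mandatory)][int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Opens and closes a connection only; no data is sent to the service.
        $ok = $client.ConnectAsync('127.0.0.1', $Port).Wait($TimeoutMs)
    } catch {
        $ok = $false          # connection refused or reset
    } finally {
        $sw.Stop()
        $client.Close()
    }
    [pscustomobject]@{
        Port         = $Port
        Connected    = $ok
        Milliseconds = $sw.ElapsedMilliseconds
    }
}

function Test-FilterServiceListener {
    param(
        [string]$ServiceName = 'OPF',   # assumption: pass the real service name
        [int]$TimeoutMs = 3000
    )
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc -or $svc.ProcessId -eq 0) {
        Write-Warning "Service '$ServiceName' is not running on this machine."
        return
    }
    # Listening sockets that belong to the service process.
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $_.OwningProcess -eq $svc.ProcessId }
    if (-not $listeners) {
        Write-Warning "Process $($svc.ProcessId) has no listening TCP socket."
        return
    }
    foreach ($port in ($listeners.LocalPort | Sort-Object -Unique)) {
        Measure-LoopbackConnect -Port $port -TimeoutMs $TimeoutMs
    }
}

Test-FilterServiceListener
```

A connect that fails or takes close to the timeout while the service is running points at the loopback channel rather than at replication itself.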