Quest On Demand - Modern Password Sync - New Feature Spotlight

Quest is excited to release an improved method for syncing passwords from one domain to another in On Demand Migration for Active Directory.

The new Modern Password Sync adds compatibility with Domain Controllers that have Advanced LSA Protection and also addresses a known limitation in Legacy Password Sync that can cause a Domain Controller to reboot if multiple applications access the LSASS process simultaneously. Modern Password Sync will be available in all regions by October 20, 2023.

What are the main differences between Modern and Legacy Password Sync?

New Directory Sync Agent option and Password Filter Plugin

When installing the Directory Sync Agent (DS Agent), you can configure a Passphrase to use with Modern Password Sync or you can check a box to use Legacy Password Sync.

Modern Password Sync also requires you to install a Password Filter Plugin on at least one Domain Controller (DC) for each domain in scope.  Entering the same Passphrase for the Password Filter Plugin authorizes the communication between the DS Agent and the DC.

Reduced interaction between DS Agent and DC

Legacy Password Sync copies BTPass files from the DS Agent to the DC, which requires DC Admin$ access; uses BTPAExec (similar to PSEXEC) on the DS Agent to remotely run executables on the DC; and injects itself into the LSASS process on the DC during each password sync, which causes issues if other processes are accessing LSASS at the same time.

Modern Password Sync does not copy files from the DS Agent to the DC, does not use BTPAExec, and does not inject itself into the LSASS process directly during each sync.  Instead, it utilizes the Password Filter Plugin configured on the Domain Controller which updates the LSA registry entry during installation to enable access.

New logging location and contents

Legacy Password Sync stores the password logs in the BTPass folder on the DC.  Modern Password Sync stores the password logs in “C:\ProgramData\Quest\PwCopy” on the DC.  Below is an example of a Modern Password Sync log on a DC in the target domain.

You can also download Legacy and Modern Password Logs from the ODMAD Environments UI.

How do I enable Modern Password Sync in my project?

Install DS Agent 20.12.13 or higher and install the Password Filter Plugin on your DC(s).  You can download the Password Filter Plugin from the Passwords configuration screen in ODMAD within Local Environment Settings.

For each DC on which you install the Password Filter Plugin, Check the Modern Password Copy box on the Domain Controllers configuration screen in ODMAD under Local Environment Settings.

Enable Password Monitoring in the Local Environment Settings for the source and check the box to Allow password changes in the Local Environment Settings for the target.

Can I switch an existing project from Legacy to Modern Password Sync?

Yes, you will need to uninstall and reinstall the DS Agent to configure the passphrase, install the Password Filter Plugin on the DCs and configure the same passphrase as the DS Agent, and check the Modern Password Copy box for the DCs in the ODMAD UI. Future password changes will be synced using the new method. 

Can I continue using Legacy Password Sync?

Yes, Legacy Password Sync will continue to function in existing projects and can also be used in new projects. There are plans to eventually retire the Legacy Password Sync in the future, but we will provide advanced notice once the retirement date is decided.

What’s next for ODMAD Password Sync?

Quest plans to release an additional password sync solution in Q3 2024 that will support propagating password changes to domains that have RC4 disabled.

Further Information

For more information on this and many other features within On Demand Migration, check out the complete Modern Password Sync Setup Quick Start Guide and the On Demand Migration for Active Directory User Guide, and come visit us at Quest.com.