This option must be installed on the primary domain controller of the Windows NT domain in which user accounts are defined. It may also be installed on all backup domain controllers in the domain, but the components installed will be inactive until the server is promoted to a primary domain controller.
If user accounts are defined in multiple top-tier domains, the option must be installed on the primary domain controller in each domain.
During Setup, you are prompted for either the primary or backup role of the service. Only one instance of the Windows NT Account Synchronization Service can be designated as primary; all others must be backup servers. A backup server can be used for password synchronization of Windows NT accounts defined in that domain. The only way to promote or demote the role of this component is by using the Registry to change the entry on the primary and backup SNA Server computers. For more information about the Registry and where to change this information, see Chapter 8 of this manual.
Setup installs the SNAPWCHG.DLL and the SNAPMP service. These are discussed in greater detail below.
SNAPWCHG.DLL intercepts password changes for the user accounts defined in the Windows NT domain, regardless of who initiates the change. The DLL is always active to provide notice of password changes for Windows NT accounts in that domain, regardless of the designated role of the server.
Two Registry entries record where the passwords are changed. One lists the Windows NT domain name and the other is the complete path name for the SNAPWCHG. Both of these Registry entries are described in detail in Chapter 8.
The SNAPMP service, also known as the Windows NT Account Synchronization Service, is referred to in this chapter as the Password Management Process, or PMP. It coordinates all updates to the host account cache(s) in the resource domains and coordinates all the password synchronization activities in the Windows NT and host security domains.
When the service is configured as a primary SNAPMP, the password management process (PMP) registers itself with the master Host Account Cache in all resource domains. PMP will not complete initialization and start normal operation until it has registered in each configured domain. This prevents communication problems from causing inconsistent updates to be applied to the Host Account Cache(s).
When the service is configured as a backup PMP, the PMP service starts, determines that it is a backup, and then terminates. This is correct and normal operation.
The SNAPMP service must be installed to run in a security administrator's account. This service must have sufficient privileges to change the password of any user account defined in the domain. When there are several primary domain controllers, SNAPMP must have sufficient privilege to change user accounts in any of the domains.