Target
- Customers who are replacing (relocating/upgrading OS included) their Active Directory and sync servers
- Customers who are performing password sync from Active Directory
Purpose
This article explains the settings related to HENNGE Directory Sync Tool when replacing (relocating/upgrading OS included) Active Directory and sync servers.
Notes
- This article is based on the current environment configuration and work details that HENNGE representatives have heard from your company in advance.
  If you are planning a replacement, please refer to the following article:
  Request for Customers Planning to Upgrade, Replace, or Add Windows Server
- Due to our company name change (HDE→HENNGE) on February 1, 2019, the names of services and sync tools have been changed.
  However, the file names and installation folder names used in this procedure have not been changed to avoid impact on customers, so please use the names as described in this article.
- The content of this article is based on information as of March 2026 and may be changed without notice.
Table of Contents
Preparation – On-Premise App Download
- Work on the New Active Directory Domain Controller (Windows Server 2016 or later) [All Servers]
- Work on the New Active Directory Domain Controller (Windows Server 2016 or later) [After Domain Promotion/All Servers]
- Preparation on the Server Where HENNGE Directory Sync Tool Will Be Newly Run [After Building New Sync Server]
- Stopping the Sync Service on the Old Server Running HENNGE Directory Sync Tool
- Steps to Run HENNGE Directory Sync Tool on the New Sync Server
- What to Do If Password Sync Does Not Occur Even After All Steps Are Completed
Procedure
Preparation – On-Premise App Download
- Access the Access Control Administration.
  [Access Control] How to Log in to the Administration
- Follow the steps below to obtain HDEOneDirectorySync-x64.msi and Installer_HDEOnePasswordSync.zip.
  [Access Control] How to Download the Active Directory Sync Tool
1. Work on the New Active Directory Domain Controller (Windows Server 2016 or later)
[All Servers]
This work should be performed on all Windows Server 2016 or later servers that will operate as new Active Directory domain controllers (hereafter, domain controllers).
This can be done before domain promotion.
Installing HDEPasswordFilter.dll
When using Access Control and password sync on domain controllers running Windows Server 2016 or later, you need to run a script to install HDEPasswordFilter.dll on all domain controllers.
* Please perform this step with a user who has [Domain Admins] or [Enterprise Admins] role.
- Extract the downloaded Installer_HDEOnePasswordSync.zip and copy the Installer_HDEOnePasswordSync folder to all domain controllers.
- Launch PowerShell as an administrator.
- Run the following commands in PowerShell.
  > cd <Path to Installer_HDEOnePasswordSync folder>
  > powershell -ExecutionPolicy Bypass -File .\install.ps1
  Example
  > cd C:\work\Installer_HDEOnePasswordSync
  > powershell -ExecutionPolicy Bypass -File .\install.ps1
- Make sure the following message is displayed.
  * If an error is displayed, please contact HENNGE support.
  The script was successfully completed. Please restart Windows Server.
- Restart the domain controller.
- Repeat steps 2 to 5 on all newly introduced domain controllers.
2. Work on the New Active Directory Domain Controller (Windows Server 2016 or later)
[After Domain Promotion/All Servers]
Checking Active Directory Web Services (ADWS)
* Please perform this step after domain controller promotion.
Open [Administrative Tools] – [Services] and make sure that the status of "Active Directory Web Services" is "Running" and the startup type is "Automatic".
Stopping the AmazonSSMAgent Service (For Domain Controllers on AWS Only)
On Windows Server built on AWS, the AmazonSSMAgent service may be running.
If this service is running, it may affect the operation of HDEPasswordFilter.dll, so please check and stop it as described below.
Service Check Procedure
- Open [Control Panel] – [Administrative Tools] – [Services].
- If the "Startup Type" of the "AmazonSSMAgent" service is not "Disabled", perform the "Service Stop Procedure".
Service Stop Procedure
- Select "AmazonSSMAgent" and open Properties from the right-click menu.
- On the [General] tab, set "Startup type" to "Disabled" and click [OK].
- Restart the domain controller.
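The checks from sections 1 and 2 as a script to run on each new domain controller after its restart (an added example, not HENNGE's own tooling). It assumes install.ps1 registers the DLL as a standard LSA password filter, that is, an entry named HDEPasswordFilter under "Notification Packages" with the DLL in System32; the function name is hypothetical.

```powershell
# Added example, not HENNGE's script. Run in an elevated PowerShell on each new DC.
# Assumption: HDEPasswordFilter.dll is registered as a standard LSA password filter
# (entry "HDEPasswordFilter" in Notification Packages, DLL in System32).
function Test-DcPasswordSyncPrereq {
    $out = @()

    # Section 1: LSA only loads password filters listed in Notification Packages.
    # The full list is printed so that unexpected entries are visible as well.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = @((Get-ItemProperty -Path $lsaKey).'Notification Packages')
    $dllPath  = Join-Path $env:SystemRoot 'System32\HDEPasswordFilter.dll'
    $out += [pscustomobject]@{
        Check  = 'HDEPasswordFilter registered and DLL present'
        Actual = $packages -join ', '
        Ok     = ($packages -contains 'HDEPasswordFilter') -and (Test-Path $dllPath)
    }

    # Section 2: ADWS must be Running with startup type Automatic.
    $adws = Get-CimInstance Win32_Service -Filter "Name='ADWS'"
    $out += [pscustomobject]@{
        Check  = 'Active Directory Web Services'
        Actual = if ($adws) { "$($adws.State)/$($adws.StartMode)" } else { 'not installed' }
        Ok     = [bool]$adws -and $adws.State -eq 'Running' -and $adws.StartMode -eq 'Auto'
    }

    # Section 2 (AWS only): AmazonSSMAgent must be Disabled, or not present at all.
    $ssm = Get-CimInstance Win32_Service -Filter "Name='AmazonSSMAgent'"
    $out += [pscustomobject]@{
        Check  = 'AmazonSSMAgent startup type'
        Actual = if ($ssm) { "$($ssm.State)/$($ssm.StartMode)" } else { 'not installed' }
        Ok     = (-not $ssm) -or ($ssm.StartMode -eq 'Disabled')
    }

    $out
}

Test-DcPasswordSyncPrereq | Format-Table -AutoSize -Wrap
```

Any row with Ok = False points back to the corresponding step above.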
3. Preparation on the Server Where HENNGE Directory Sync Tool Will Be Newly Run [After Building New Sync Server]
Checking HENNGE Directory Sync Tool Installation Requirements
- Refer to the following article and make sure the supported requirements are met.
  HENNGE One Supported Environments – HENNGE Directory Sync Tool
- Make sure you can connect to the destination Active Directory.
Installing the Root Certificate for Operation
- Refer to the following procedure to install the certificate.
  [Access Control] How to Install the Root Certificate for HENNGE Directory Sync Tool Operation
  When running HENNGE Directory Sync Tool, SSL certificate checks are performed for communication with Access Control.
  If the required root certificate for SSL is not installed, an error may occur.
Installing the New HENNGE Directory Sync Tool
- Run the HDEOneDirectorySync-x64.msi downloaded from Access Control in advance and follow the dialog to install.
- Overwrite the config.ini file provided by HENNGE into the installation folder (※).
  (※) C:\Program Files\HDE One Directory Sync\
- If the IP address or hostname of the referenced Active Directory domain controller will change, edit the "server=" value in the config.ini file to the new domain controller's IP address and save.
  ------------------------------
  ;; Domain information
  server=xxx.xxx.xxx.xxx
  ------------------------------
- If "password=" is deleted or masked, enter the correct logon password for the user specified in "username=" and save.
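Because config.ini carries the "username=" and "password=" values, it is worth confirming who can read the file once it is in place. The following is an added example, not part of HENNGE Directory Sync Tool; the function name and the allow-list are assumptions to adapt to your environment.

```powershell
# Added example, not part of HENNGE Directory Sync Tool.
# Lists every principal, other than the expected ones, whose ACL entry allows
# reading config.ini (which stores the "username=" / "password=" values).
$configPath = 'C:\Program Files\HDE One Directory Sync\config.ini'

# Expected readers, by well-known SID. Assumption: add the SID of the service
# logon account here if the sync services run under a named account.
$expectedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

function Get-UnexpectedReader {
    param([string]$Path, [string[]]$AllowedSids)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $read    = [System.Security.AccessControl.FileSystemRights]::ReadData

    # Explicit and inherited rules, with identities returned as SIDs so the
    # comparison does not depend on the display language of the server.
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.FileSystemRights -band $read) -ne 0) -and
            ($AllowedSids -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object {
            $sid  = $_.IdentityReference
            $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $sid.Value }   # unresolvable SID: show it raw
            [pscustomobject]@{
                Identity  = $name
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}

Get-UnexpectedReader -Path $configPath -AllowedSids $expectedSids |
    Format-Table -AutoSize -Wrap
```

Each row is an account or group that can read the stored logon password; rows marked Inherited come from the permissions of the installation folder.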
Moving the Assign-HDEOnePasswordSyncGroup.bat Folder from the Old Server Running HENNGE Directory Sync Tool
- Obtain the entire C:\HDEOne\ folder from the old server running HENNGE Directory Sync Tool.
- Place the obtained folder directly under the C:\ drive of the new server running HENNGE Directory Sync Tool, maintaining the same folder structure as the old server.
4. Stopping the Sync Service on the Old Server Running HENNGE Directory Sync Tool
Checking the User Running HENNGE Directory Sync Tool
On the pre-migration sync server, open [Administrative Tools] – [Services], open [Properties] – [Log On] for the following services, and note the value if a user is specified in [Account].
- HDE One Directory Sync
- HDE One Password Sync
Stopping the HENNGE Directory Sync Tool Services Before Migration
On the pre-migration sync server, stop the following services from [Administrative Tools] – [Services].
- HDE One Directory Sync
- HDE One Password Sync
5. Steps to Run HENNGE Directory Sync Tool on the New Sync Server
Setting Up Periodic Execution of Assign-HDEOnePasswordSyncGroup.bat
Refer to the "Periodic Execution Setting" section in the following article to set up periodic execution of Assign-HDEOnePasswordSyncGroup.bat. (You do not need to check other sections.)
[Access Control] Running Assign-HDEOnePasswordSyncGroup.bat
Checking HENNGE Directory Sync Tool Operation
During normal operation, HENNGE Directory Sync Tool is periodically executed by Windows services, but you can also immediately run user sync via PowerShell command.
You can check the operation of user sync by following the steps below.
* Please perform this step with a user who has [Domain Admins] or [Enterprise Admins] role.
- Launch PowerShell as an administrator.
- Run a test sync with HENNGE Directory Sync Tool using the following command.
  * If you do not add the /n option, a sync will be performed, so please be careful.
  > cd "C:\Program Files\HDE One Directory Sync"
  > .\console.exe /n
- Make sure that the differences for unsynced users are displayed.
  Example)
  ------------------------------------------------------------------
  ##### Sync set [sync01] #####
  Active Directory ---> HDE Access Control
  Add: Administrator / iGcrgi8tjUy1NfaLulJ/5Q==
  Add: Guest / qWEUYHX3DUOxPrZv6C271Q==
  Add: test01 / test01@addc1.example.com / WEt4r/aDlE3wtGz0UbVoqQ==
  Delete: aaa / aab@addc1.example.com / hfJV7x6cakym2AIWkThdA==
  ----------------------------------------------------------------------
  * If there are no users to be synced, the following will be output.
  Example)
  ------------------------------------------------------------------
  ##### Sync set [sync01] #####
  Active Directory ---> HDE Access Control
  * No sync data *
  ----------------------------------------------------------------------
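The /n preview can be checked by script before the services are started, so that unexpected "Delete:" entries after the domain controller change are caught first. This is an added example, not part of HENNGE Directory Sync Tool; it assumes the real output has one entry per line as in the example above, and the function name and threshold are hypothetical.

```powershell
# Added example, not part of HENNGE Directory Sync Tool.
# Summarises the "/n" preview and flags it when more deletions are pending than expected.
function Get-SyncPreviewSummary {
    param([string[]]$Lines, [int]$MaxDeletes = 0)

    $adds = @(); $deletes = @(); $noData = $false
    foreach ($line in $Lines) {
        # The first field after "Add:" / "Delete:" is the account name.
        if     ($line -match '^\s*Add:\s*(\S+)')         { $adds    += $Matches[1] }
        elseif ($line -match '^\s*Delete:\s*(\S+)')      { $deletes += $Matches[1] }
        elseif ($line -match '\*\s*No sync data\s*\*')   { $noData = $true }
    }

    [pscustomobject]@{
        Adds       = $adds
        Deletes    = $deletes
        NoSyncData = $noData
        Safe       = ($deletes.Count -le $MaxDeletes)
    }
}

# Constructed sample: the example output from this article, one entry per line.
$sample = @'
##### Sync set [sync01] #####
Active Directory ---> HDE Access Control
Add: Administrator / iGcrgi8tjUy1NfaLulJ/5Q==
Add: Guest / qWEUYHX3DUOxPrZv6C271Q==
Add: test01 / test01@addc1.example.com / WEt4r/aDlE3wtGz0UbVoqQ==
Delete: aaa / aab@addc1.example.com / hfJV7x6cakym2AIWkThdA==
'@ -split "`r?`n"

$summary = Get-SyncPreviewSummary -Lines $sample -MaxDeletes 0

# On the sync server, feed the real preview instead of the sample:
#   $lines   = & 'C:\Program Files\HDE One Directory Sync\console.exe' /n
#   $summary = Get-SyncPreviewSummary -Lines $lines -MaxDeletes 0

$summary | Format-List
if (-not $summary.Safe) {
    Write-Warning ("Pending deletions: {0}. Review config.ini before syncing without /n." -f
        ($summary.Deletes -join ', '))
}
```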
Periodic Execution of HENNGE Sync Services
* Please note that all users' passwords will be synced during the initial sync.
- Log in as an administrator to the server where HENNGE Directory Sync Tool is installed.
- Open [Control Panel] – [Administrative Tools] – [Services].
- Double-click the following two services and set their status to [Start] and their startup type to [Automatic (Delayed Start)].
  - HDE One Directory Sync
  - HDE One Password Sync
- If an account was specified in "Checking the User Running HENNGE Directory Sync Tool" in section 4 of this manual, specify the same user on the [Log On] tab.
- Click [OK].
- Open the Access Control Administration in your browser.
  * This can also be done from another device.
- Follow the steps in the "[Checking Periodic Sync Logs]" section of the following article to confirm that account and password sync has completed.
[Access Control] Running HENNGE Directory Sync Tool
* The default periodic execution intervals for each service are as follows (can be changed in 1-minute increments):
・HDE One Directory Sync: Once every 2 hours
・HDE One Password Sync: Once every 3 minutes (displayed only if there is a password change)
6. What to Do If Password Sync Does Not Occur Even After All Steps Are Completed
Perform this step as an initial response if password sync is not working properly after completing all steps in this procedure.
* If password sync is working properly, this step is not necessary.
* If password sync still does not work after performing this step, please also refer to the following article.
Active Directory Integration: Troubleshooting Password Sync
Clearing the HENNGE Directory Sync Tool Registry
HENNGE Directory Sync Tool's password sync duplicates and retains the registry value of the last executed domain controller.
If the referenced domain controller has changed, you need to reset this value to properly perform password sync.
Follow the steps below to reset the value.
- [Access Control] Required Steps When Changing the Referenced AD for HENNGE Directory Sync Tool
- Open the Access Control Administration.
  * This can also be done from another device.
- Follow the steps in the "[Checking Periodic Sync Logs]" section of the following article to confirm that account and password sync has completed.
[Access Control] Running HENNGE Directory Sync Tool
* The default periodic execution intervals for each service are as follows (can be changed in 1-minute increments):
・HDE One Directory Sync: Once every 2 hours
・HDE One Password Sync: Once every 3 minutes (displayed only if there is a password change)