Target
- Customers who are only replacing (migrating/upgrading OS included) the Active Directory domain controller server
- Customers who are performing password synchronization from Active Directory
Purpose
This article explains the settings related to HENNGE Directory Sync Tool when replacing (migrating/upgrading OS included) an Active Directory server.
Notes
- This article is based on the current environment configuration and work details as confirmed in advance by your HENNGE representative.
If you are planning a replacement, please refer to the following article:
Request for Customers Planning to Upgrade, Replace, or Add Windows Server
- Due to our company name change (HDE→HENNGE) on February 1, 2019, the names of services and synchronization tools have changed.
However, file names and installation folder names used in this procedure have not been changed to avoid impact on customers, so please use the names as described in this article.
- The content of this article is based on information as of March 2026 and may be changed without notice.
Table of Contents
Preparation – On-Premise App Download
- Work on the New Active Directory Domain Controller Server (Windows Server 2016 or later) [All Servers]
- Work on the New Active Directory Domain Controller Server (Windows Server 2016 or later) [After Domain Promotion / All Servers]
- Pre-Demotion Tasks for the Old Reference Domain Controller
- Restarting HENNGE Directory Sync Tool [After New AD Server Promotion]
- Troubleshooting When Password Synced Is Not Performed After All Tasks Are Completed
Procedure
Preparation – On-Premise App Download
- Access the Access Control Administration.
[Access Control] How to Log in to the Administration
- Follow the steps below to obtain Installer_HDEOnePasswordSync.zip.
[Access Control] Procedure for Downloading the Active Directory Sync Tool
1. Work on the New Active Directory Domain Controller Server (Windows Server 2016 or later)
[All Servers]
This procedure is to be performed on all Windows Server 2016 or later servers that will operate as new Active Directory domain controllers (hereafter, domain controllers).
This can be performed before domain promotion.
Installing HDEPasswordFilter.dll
When using Access Control and Password Synced on domain controllers running Windows Server 2016 or later, you must run a script to install HDEPasswordFilter.dll on all domain controllers.
* Please perform this task as a user who has the [Domain Admins] or [Enterprise Admins] role.
- Extract the downloaded Installer_HDEOnePasswordSync.zip and copy the Installer_HDEOnePasswordSync folder to all domain controllers.
- Launch PowerShell as an administrator.
- Run the following commands in PowerShell.
> cd <Path to Installer_HDEOnePasswordSync folder>
> powershell -ExecutionPolicy Bypass -File .\install.ps1
Example
> cd C:\work\Installer_HDEOnePasswordSync
> powershell -ExecutionPolicy Bypass -File .\install.ps1
- Confirm that the following message is displayed.
The script was successfully completed. Please restart Windows Server.
* If an error is displayed, please contact HENNGE Support.
- Restart the domain controller.
- Repeat steps 2 to 5 on all newly introduced domain controllers.
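After the restart, the registration can be checked on each domain controller. The following is an added example, not HENNGE's code; it assumes install.ps1 uses the standard Windows password-filter mechanism (the LSA "Notification Packages" registry value plus a DLL in System32) and registers the filter under the name HDEPasswordFilter.

```powershell
# Added example (not part of the HENNGE installer): audit LSA password filters.
# Assumption: HDEPasswordFilter.dll is registered through the standard Windows
# "Notification Packages" value and is loaded from %SystemRoot%\System32.
function Get-LsaPasswordFilter {
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        $dll     = Join-Path $env:SystemRoot "System32\$name.dll"
        $present = Test-Path -LiteralPath $dll
        [pscustomobject]@{
            Package   = $name
            Path      = $dll
            Present   = $present
            # Signature status and hash are reported as-is for review.
            Signature = if ($present) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { $null }
            SHA256    = if ($present) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { $null }
        }
    }
}

$filters = @(Get-LsaPasswordFilter)
$filters | Format-List

# Every DLL listed here is loaded into LSASS and sees password changes,
# so any entry you cannot attribute to Windows or to this install needs review.
if ($filters.Package -notcontains 'HDEPasswordFilter') {
    Write-Warning 'HDEPasswordFilter is not listed in Notification Packages on this server.'
}
elseif (-not ($filters | Where-Object { $_.Package -eq 'HDEPasswordFilter' -and $_.Present })) {
    Write-Warning 'HDEPasswordFilter is registered but the DLL was not found in System32.'
}
```

Comparing the SHA256 value for HDEPasswordFilter across all domain controllers confirms that every server received the same build of the DLL.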
2. Work on the New Active Directory Domain Controller Server (Windows Server 2016 or later)
[After Domain Promotion / All Servers]
Checking Active Directory Web Services (ADWS)
* Please perform this task after domain controller promotion.
Open [Administrative Tools] – [Services] and confirm that the status of Active Directory Web Services is "Running" and the startup type is "Automatic".
Stopping the AmazonSSMAgent Service (For Domain Controllers on AWS Only)
On Windows Server built on AWS, the AmazonSSMAgent service may be running.
If this service is running, it may affect the operation of HDEPasswordFilter.dll, so please check and stop the service as described below.
Service Check Procedure
- Open [Control Panel] – [Administrative Tools] – [Services].
- If the "Startup Type" of the "AmazonSSMAgent" service is anything other than "Disabled", perform the "Service Stop Procedure".
Service Stop Procedure
- Select "AmazonSSMAgent" and open Properties from the right-click menu.
- On the [General] tab, set "Startup type" to "Disabled" and click the [OK] button.
- Restart the domain controller.
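The two service checks in this section can also be done from an elevated PowerShell session. This is an added, report-only example, not HENNGE's code; the service names ADWS and AmazonSSMAgent are the Windows service names for the entries shown in the Services console.

```powershell
# Added example, report-only: checks the two services covered in this section.
# Run in an elevated PowerShell session on each new domain controller.
function Test-DcServiceState {
    $expected = @(
        # ADWS must exist, be running, and start automatically.
        @{ Name = 'ADWS'; Status = 'Running'; StartType = 'Automatic'; Required = $true }
        # AmazonSSMAgent is present only on AWS-built servers; it must be Disabled.
        @{ Name = 'AmazonSSMAgent'; Status = $null; StartType = 'Disabled'; Required = $false }
    )
    foreach ($e in $expected) {
        $svc = Get-Service -Name $e.Name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # A missing optional service is fine; a missing required one is not.
            [pscustomobject]@{
                Service = $e.Name; Status = 'NotInstalled'; StartType = $null
                Ok = (-not $e.Required)
            }
            continue
        }
        $startOk  = "$($svc.StartType)" -eq $e.StartType
        $statusOk = (-not $e.Status) -or ("$($svc.Status)" -eq $e.Status)
        [pscustomobject]@{
            Service = $e.Name; Status = "$($svc.Status)"; StartType = "$($svc.StartType)"
            Ok = ($startOk -and $statusOk)
        }
    }
}

$report = @(Test-DcServiceState)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more services are not in the state this procedure requires.'
}
```

Disabling AmazonSSMAgent also removes AWS Systems Manager management (Session Manager, Run Command, patching) for that instance, so plan an alternative for those functions.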
3. Pre-Demotion Tasks for the Old Reference Domain Controller
Checking the Server Running Assign-HDEOnePasswordSyncGroup.bat
If the server running Assign-HDEOnePasswordSyncGroup.bat is the domain controller to be demoted, perform this procedure.
* If the HENNGE Directory Sync Tool is on a separate sync server from the domain controller, backup is not required.
Back up the entire C:\HDEOne\ folder where the bat file is stored.
This is preparation for moving it to the new domain controller server.
Stopping the HENNGE Directory Sync Tool Service
On the sync server, stop the following services from [Administrative Tools] – [Services].
- HDE One Directory Sync
- HDE One Password Sync
4. Restarting HENNGE Directory Sync Tool [After New AD Server Promotion]
Re-deploying and Scheduling Assign-HDEOnePasswordSyncGroup.bat
* Perform this procedure only if the bat was running on the old reference domain controller.
- Place the HDEOne folder obtained in "Pre-Demotion Tasks for the Old Reference Domain Controller" above directly under the C:\ drive on the new domain controller, maintaining the same folder structure as before.
- Refer to the "Periodic Execution Settings" section in the following article and configure the periodic execution of Assign-HDEOnePasswordSyncGroup.bat.
* You do not need to check other sections.
[Access Control] Running Assign-HDEOnePasswordSyncGroup.bat
Clearing the HENNGE Directory Sync Tool Registry and Changing the Reference for HENNGE Directory Sync Tool
The HENNGE Directory Sync Tool's Password Synced function duplicates and retains the registry value of the last domain controller it was run on.
If the reference domain controller changes, you need to reset this value to perform Password Synced correctly.
Follow the steps below to reset the value.
- [Access Control] Required Tasks When Changing the Reference AD for HENNGE Directory Sync Tool
* Please perform the steps in "Changing the Reference AD for HENNGE Directory Sync Tool" and "Clearing the Registry Value (Password Synced Only)".
Verifying HENNGE Directory Sync Tool Operation
During normal operation, HENNGE Directory Sync Tool is executed periodically by Windows services, but you can also perform an immediate user sync using a PowerShell command.
You can verify user sync operation by following the steps below.
* Please perform this task as a user who has the [Domain Admins] or [Enterprise Admins] role.
- Launch PowerShell as an administrator.
- Run a test sync using HENNGE Directory Sync Tool with the following command.
* If you do not include the /n option, an actual sync will be performed. Please be careful.
> cd "C:\Program Files\HDE One Directory Sync"
> .\console.exe /n
- Confirm that the differences for unsynced users are displayed.
Example)
------------------------------------------------------------------
##### Sync set [sync01] #####
Active Directory ---> HDE Access Control
Add: Administrator / iGcrgi8tjUy1NfaLulJ/5Q==
Add: Guest / qWEUYHX3DUOxPrZv6C271Q==
Add: test01 / test01@addc1.example.com / WEt4r/aDlE3wtGz0UbVoqQ==
Delete: aaa / aab@addc1.example.com / hfJV7x6cakym2AIWkThdA==
----------------------------------------------------------------------
* If there are no users to be synced, the following will be output.
Example)
------------------------------------------------------------------
##### Sync set [sync01] #####
Active Directory ---> HDE Access Control
* No sync data *
----------------------------------------------------------------------
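When the test sync lists many accounts, the report can be summarized so that unexpected Delete entries stand out before the services are started again. This is an added example, not HENNGE's code; it assumes the /n report has the same line format as the sample output above, and the function name ConvertFrom-SyncDryRun is hypothetical.

```powershell
# Added example: summarize a "/n" test-sync report before a real sync runs.
# Assumption: report lines follow the format of the sample output in this article.
function ConvertFrom-SyncDryRun {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin { $syncSet = $null }
    process {
        if ($Line -match '#####\s*Sync set \[(?<set>[^\]]+)\]') {
            $syncSet = $Matches['set']          # remember the current sync set
        }
        elseif ($Line -match '^\s*(?<action>Add|Delete):\s*(?<rest>.+)$') {
            $action = $Matches['action']
            # Fields are separated by " / "; the trailing ID may itself contain "/".
            $fields = $Matches['rest'] -split '\s+/\s+'
            [pscustomobject]@{ SyncSet = $syncSet; Action = $action; Account = $fields[0] }
        }
    }
}

# Constructed input: the sample report lines from this article.
$sample = @'
##### Sync set [sync01] #####
Active Directory ---> HDE Access Control
Add: Administrator / iGcrgi8tjUy1NfaLulJ/5Q==
Add: Guest / qWEUYHX3DUOxPrZv6C271Q==
Add: test01 / test01@addc1.example.com / WEt4r/aDlE3wtGz0UbVoqQ==
Delete: aaa / aab@addc1.example.com / hfJV7x6cakym2AIWkThdA==
'@ -split '\r?\n'

$changes = @($sample | ConvertFrom-SyncDryRun)
$changes | Group-Object SyncSet, Action | Select-Object Name, Count | Format-Table -AutoSize

# Deletes remove accounts on the Access Control side; review them after a DC change.
$deletes = @($changes | Where-Object { $_.Action -eq 'Delete' })
if ($deletes.Count -gt 0) {
    Write-Warning ('{0} account(s) would be deleted: {1}' -f $deletes.Count, ($deletes.Account -join ', '))
}

# Live use, from the tool's folder as in the step above:
#   .\console.exe /n | ConvertFrom-SyncDryRun
```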
Restarting the HENNGE Directory Sync Tool Service
Start the following two services from [Administrative Tools] – [Services] on the sync server.
- HDE One Directory Sync
- HDE One Password Sync
5. Troubleshooting When Password Synced Is Not Performed After All Tasks Are Completed
Perform this procedure as an initial response if Password Synced is not working properly after completing all steps in this procedure.
* If Password Synced is working properly, this step is not required.
* If Password Synced is still not working after performing this step, please also refer to the following article.
Active Directory Integration: Troubleshooting Password Synced
Clearing the HENNGE Directory Sync Tool Registry
The HENNGE Directory Sync Tool's Password Synced function duplicates and retains the registry value of the last domain controller it was run on.
If the reference domain controller changes, you need to reset this value to perform Password Synced correctly.
Follow the steps below to reset the value.
- [Access Control] Required Tasks When Changing the Reference AD for HENNGE Directory Sync Tool
- Open the Access Control Administration.
* You may perform this on a different device.
- Follow the steps in [Checking the Periodic Sync Log] in the following article to confirm that account and password synchronization has completed.
[Access Control] Running HENNGE Directory Sync Tool
* The default periodic execution intervals for each service are as follows (can be changed in 1-minute increments):
・HDE One Directory Sync: Once every 2 hours
・HDE One Password Sync: Once every 3 minutes (displayed only if there is a password change)