Skip to main content
日本語 简体中文 繁體中文

[Access Control] Active Directory Replacement Procedure (Adding a Domain Controller with Password Synced)

Target

  • Customers who only want to add an Active Directory domain controller server
  • Customers who want to perform password synchronization from Active Directory

Purpose

This article explains the settings related to HENNGE Directory Sync Tool when adding an Active Directory server.

Notes

  1. This article is based on your current environment and tasks as confirmed in advance by your HENNGE representative.
    If you are planning a server replacement, please refer to the following article:
    Request for Customers Planning to Upgrade, Replace, or Add Windows Server
  2. Due to our company name change (HDE→HENNGE) on February 1, 2019, the names of services and synchronization tools have changed.
    However, the file names and installation folder names used in this procedure have not been changed to avoid impact on customers, so please use the names as described in this article.
  3. The content of this article is based on information as of March 2026 and may be changed without notice.

Table of Contents

Preparation – On-Premise App Download

  1. Tasks on the New Active Directory Domain Controller Server (Windows Server 2016 or later) [All Servers]
  2. Tasks on the New Active Directory Domain Controller Server (Windows Server 2016 or later) [After Domain Promotion / All Servers]
  3. Troubleshooting When Password Synced Is Not Performed After Completing All Tasks

Procedure

Preparation – On-Premise App Download

  1. Access the Access Control Administration.
    [Access Control] How to Log in to the Administration
  2. Follow the steps below to obtain Installer_HDEOnePasswordSync.zip.
    [Access Control] Procedure for Downloading the Active Directory Sync Tool

1. Tasks on the New Active Directory Domain Controller Server (Windows Server 2016 or later)
 [All Servers]

This procedure must be performed on all Windows Server 2016 or later servers that will operate as new Active Directory domain controllers (hereafter, domain controllers).
This can be performed before domain promotion.

Installing HDEPasswordFilter.dll

When using Access Control and Password Synced on domain controllers running Windows Server 2016 or later, you must run a script to install HDEPasswordFilter.dll on all domain controllers.

* Please perform this task with a user who has [Domain Admins] or [Enterprise Admins] role.

  1. Extract the downloaded Installer_HDEOnePasswordSync.zip and copy the Installer_HDEOnePasswordSync folder to all domain controllers.
  2. Launch PowerShell as an administrator.

  3. Run the following commands in PowerShell.

    > cd <Path to Installer_HDEOnePasswordSync folder>
> powershell -ExecutionPolicy Bypass -File .\install.ps1

    Example

    > cd C:\work\Installer_HDEOnePasswordSync
> powershell -ExecutionPolicy Bypass -File .\install.ps1

  4. Confirm that the following message is displayed.
    * If an error is displayed, please contact HENNGE support.

    The script was successfully completed. Please restart Windows Server.
  5. Restart the domain controller.
  6. Repeat steps 2 to 5 on all newly added domain controllers.

2. Tasks on the New Active Directory Domain Controller Server (Windows Server 2016 or later)
 [After Domain Promotion / All Servers]

Checking Active Directory Web Services (ADWS)

* Please perform this task after domain controller promotion.

Open [Administrative Tools] – [Services] and confirm that the status of Active Directory Web Services is "Running" and the startup type is "Automatic".

Active Directory Web Servicesの状態確認画面
Example: Windows Server 2016

Stopping the AmazonSSMAgent Service (For Domain Controllers on AWS Only)

On Windows Server built on AWS, the AmazonSSMAgent service may be running.
If this service is running, it may affect the operation of HDEPasswordFilter.dll, so please check and stop the service as described below.

Service Check Procedure

  1. Open [Control Panel] – [Administrative Tools] – [Services].
  2. If the "Startup Type" of the "AmazonSSMAgent" service is anything other than "Disabled", perform the "Service Stop Procedure".

Service Stop Procedure

  1. Select "AmazonSSMAgent", right-click, and open Properties from the context menu.
  2. On the [General] tab, set "Startup type" to "Disabled" and click the [OK] button.
  3. Restart the domain controller.

3. Troubleshooting When Password Synced Is Not Performed After Completing All Tasks

This procedure should be performed as an initial response if password synchronization is not working properly after completing all steps in this procedure.
* If password synchronization is working properly, this step is not necessary.
* If password synchronization does not work even after performing this step, please also refer to the following article.
Active Directory Integration: Troubleshooting Password Synced

HENNGE Directory Sync Tool Registry Clear

HENNGE Directory Sync Tool's Password Synced duplicates and retains the registry value of the last executed domain controller.
If the referenced domain controller has changed, you need to reset this value to perform password synchronization properly.

Please follow the steps below to reset the value.

  1. [Access Control] Required Tasks When Changing the Reference AD for HENNGE Directory Sync Tool
  2. Open the Access Control Administration.
    * It is also acceptable to perform this on a different device.
  3. Follow the steps in [Checking the Periodic sync Log] in the article below to confirm that account and password synchronization has completed.
    [Access Control] Running the HENNGE Directory Sync Tool
    * The default periodic execution intervals for each service are as follows (can be changed in 1-minute increments):
    ・HDE One Directory Sync: Once every 2 hours
    ・HDE One Password Sync: Once every 3 minutes (only displayed if there is a password change)