Before installing fresh bits of Identity Synchronization for Windows, be sure to read Chapter 4, Preparing for Installation, in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.
To enable the Account Lockout feature, you must map certain attributes, which differ between Directory Server and Active Directory. Account Lockout must be enabled, and the password policies must be the same on both Active Directory and Directory Server. With this configuration, lockout and unlockout events can flow bidirectionally between Active Directory and Directory Server.
Identity Synchronization for Windows can synchronize the following events between Active Directory and Directory Server:
Lockout events from Active Directory to Directory Server
Lockout events from Directory Server to Active Directory
Manual unlockout events from Active Directory to Directory Server
Manual unlockout events from Directory Server to Active Directory
The attribute lockoutDuration should be set to the same value in both places before enabling the account lockout feature. Make sure that the system time is also uniform across the distributed setup. Otherwise, lockout events can expire if lockoutDuration is less than the difference between the system clocks.
To enable account lockout synchronization, you need to map the attributes accountUnlockTime (Directory Server) and lockoutTime (Active Directory). accountUnlockTime can be selected in the console after loading the schema that contains the passwordObject object class.
The Account Lockout policy should be similar on the Active Directory and Directory Server data sources.
The duration of account lockout should be set to the same value on the Active Directory and Directory Server data sources.
lockoutTime at the Active Directory data source has to be mapped to accountUnlockTime at the Directory Server data source.
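The timing relationship the requirements above depend on, as an added example that is not part of Identity Synchronization for Windows: it derives the Directory Server accountUnlockTime (LDAP GeneralizedTime) from an Active Directory lockoutTime (a Large Integer of 100-nanosecond intervals since 1601-01-01 UTC) under a shared lockoutDuration, and checks that both durations match and that the clock skew between the two data sources stays below that duration. The sample policy and lockout timestamp are constructed, and the AD lockoutDuration encoding (a negative count of 100-ns intervals) is assumed from standard Active Directory semantics rather than taken from this page.

```python
from datetime import datetime, timedelta, timezone

HUNDRED_NS_PER_S = 10_000_000
# Active Directory Large Integer timestamps count 100-ns intervals from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """AD lockoutTime (100-ns intervals since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to construct the sample lockoutTime."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * HUNDRED_NS_PER_S + delta.microseconds * 10


def ad_lockout_duration_seconds(ad_lockout_duration: int) -> int:
    """AD stores lockoutDuration as a negative count of 100-ns intervals (assumed encoding);
    -18000000000 is a 30-minute lockout. Return it as positive seconds."""
    return -ad_lockout_duration // HUNDRED_NS_PER_S


def to_generalized_time(dt: datetime) -> str:
    """LDAP GeneralizedTime in the form Directory Server stores accountUnlockTime."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def account_unlock_time(ad_lockout_time: int, lockout_duration_s: int) -> str:
    """DS accountUnlockTime that corresponds to an AD lockoutTime under a shared lockoutDuration."""
    locked_at = filetime_to_datetime(ad_lockout_time)
    return to_generalized_time(locked_at + timedelta(seconds=lockout_duration_s))


def lockout_config_consistent(ad_lockout_duration: int, ds_lockout_duration_s: int, clock_skew_s: int) -> bool:
    """Both data sources must use the same lockout duration, and the clock skew between them
    must be smaller than that duration; otherwise a synchronized lockout can arrive already expired."""
    ad_s = ad_lockout_duration_seconds(ad_lockout_duration)
    return ad_s == ds_lockout_duration_s and abs(clock_skew_s) < ad_s


# Constructed sample: a 30-minute lockout policy and a user locked out at 2007-03-15 12:00:00 UTC.
AD_LOCKOUT_DURATION = -18_000_000_000
DS_LOCKOUT_DURATION_S = 1800
SAMPLE_LOCKOUT_TIME = datetime_to_filetime(datetime(2007, 3, 15, 12, 0, 0, tzinfo=timezone.utc))
SAMPLE_UNLOCK_TIME = account_unlock_time(SAMPLE_LOCKOUT_TIME, DS_LOCKOUT_DURATION_S)

if __name__ == "__main__":
    print("AD lockoutTime", SAMPLE_LOCKOUT_TIME, "-> DS accountUnlockTime", SAMPLE_UNLOCK_TIME)
    print("5 min skew OK:", lockout_config_consistent(AD_LOCKOUT_DURATION, DS_LOCKOUT_DURATION_S, 300))
    print("45 min skew OK:", lockout_config_consistent(AD_LOCKOUT_DURATION, DS_LOCKOUT_DURATION_S, 2700))
```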
See the README that accompanies the software for installation details.
On Windows 2003 Server, the default password policy enforces strict passwords, which is not the default password policy on Windows 2000.