You may find this of value.
While having several discussions over the years regarding IM's AD reverse password sync process, and how/when passwords are changed, I would outline the processes on whiteboards and/or via email.
I put together the two (2) decks to clarify the password data flow, and how to "force the solution" to "fail", where "fail" is to help identify when the solution's architecture should be adjusted to horizontally scale to millions of users.
Please forward comments if you have questions or find this of value.
Edit: 2018/07/27 Update PDF for Lifecycle of userPassword of CA Identity Manager solution.
Extraordinarily helpful, Alan. Thank you very much!
If you see delays with ADS password reset, you may wish to eliminate challenges from read-only DCs, firewall ports blocked between internal network segments, or DNS issues.
The IM ADS endpoint will identify all failover DC hostnames. If any of these hostnames have a challenge, you may be able to observe your JCS/CCS logs attempt to communicate to the other DC host names.
Add in full control of which DCs you wish to communicate with. Update the CCS\data\ADS\<endpoint-name>.dns file for each AD managed endpoint.
Below is a screenshot to help assist with this performance and reduce delays.
Steps to get better metrics.
Monitor IMPS/logs/etatrans*.log to view the ADS updates.
Monitor your CCS\logs\ADS\<ads-endpoint-name>.log for any DNS issues or Port Conflicts.
What are the default port allocations for CA Ident - CA Knowledge
389 - Active Directory non-SSL [Used for base communication]
636 - Active Directory SSL [Required for password resets]
3268/3269 - Active Directory Global Catalog [For creation/modification if feature is used.]
139/445 - Active Directory NetBIOS / microsoft-ds [For creation/modification if feature is used. Home Folder creation.]
4104/4105 (UDP/TCP) - Active Directory default Exchange Agent CAM/CAFT [OLDER MS EXCHANGE process: For creation/modification if feature is used. Retire and use MS PowerShell API processes]
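
Added example, not part of the original posts or of the CA product: a pre-check, run from the CCS host, that separates the DNS cause from the blocked-port cause for each DC hostname before you start reading the logs. The function names, the timeout and the sample hostnames are assumptions made for illustration; the port numbers are the TCP ones from the list above.

```python
import socket

# TCP ports from the list above (139 and the older 4104/4105 Exchange agent ports left out).
AD_PORTS = {389: "LDAP", 636: "LDAPS (password resets)",
            3268: "Global Catalog", 3269: "Global Catalog SSL", 445: "microsoft-ds"}

def check_dc(host, ports=AD_PORTS, timeout=3.0):
    """Return {port: status} for one DC hostname.

    status is 'open', 'dns_failure', 'timeout' (typical of a firewall that
    silently drops), 'refused' (host reached, nothing listening) or 'error: ...'.
    """
    try:
        socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        # The name does not resolve, so no port test is meaningful.
        return {port: "dns_failure" for port in ports}
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = "open"
        except socket.timeout:
            results[port] = "timeout"
        except ConnectionRefusedError:
            results[port] = "refused"
        except OSError as exc:
            results[port] = f"error: {exc.strerror or exc}"
    return results

def password_reset_ready(results):
    """True only when 636 is reachable, the port listed as required for password resets."""
    return results.get(636) == "open"

if __name__ == "__main__":
    # Hypothetical hostnames; replace with the DCs you list for the endpoint.
    for dc in ["dc01.corp.example", "dc02.corp.example"]:
        res = check_dc(dc)
        flag = "OK" if password_reset_ready(res) else "NOT READY for password resets"
        print(f"{dc}: {flag}")
        for port, status in res.items():
            print(f"  {port:>5} {AD_PORTS[port]:<24} {status}")
```

A DC that reports 'dns_failure' or 'timeout' on 636 is a candidate to leave out of the DCs the endpoint is allowed to use.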