Troubleshooting PCNS
Table of Contents
- Scope
- Reference documents
- Tasks
- Check Requirements
- PCNS Schema update info
- Schema Object Classes Added by the PCNS
- Schema attributes Added by the PCNS
- AD Replication
- PCNS Installation on DCs
- Verbose logging
- Clock
- DNS
- Port Settings
- Minimum Permissions
- Rights
- Service configuration
- Sync engine
- See Also
Scope
This article covers troubleshooting of the Password Change Notification Service (PCNS) for Forefront Identity Manager. It applies to MIIS, ILM and the FIM Synchronization Service, which are referred to below collectively as the "sync engine".
Reference documents
- Implementing the Automated Password Synchronization Solution - Step-by-Step
- Automated Password Synchronization Solution Guide for MIIS 2003 (download here)
- Microsoft Identity Integration Server 2003 Scenarios with
- MIIS 2003 walkthrough: Password Synchronization doc
- Password Synchronization Port Settings (management agent ports, rights and permissions; download here)
- Sync engine Help
Tasks
Check Requirements
- Verify the requirements for forest trusts. Also verify the forest and domain functional levels (mixed mode is not supported).
- Cf. reference (2): "[...] In an optimal configuration, PCNS and MIIS 2003 are in the same forest because they authenticate to each other using Kerberos authentication. PCNS and MIIS 2003 can be in different forests only if the forests have cross-forest trusts. [...]"
PCNS Schema update info
- Make sure the PCNS schema update has been installed and replicated properly.
Schema Object Classes Added by the PCNS
| CN | ID |
|---|---|
| MS-MIIS-PCNS-Target | 1.2.840.113556.1.5.249 |
| MS-MIIS-PCNS-Service | 1.2.840.113556.1.5.250 |
Schema attributes Added by the PCNS
| CN | ID |
|---|---|
| MS-MIIS-PCNS-TargetGUID | 1.2.840.113556.1.4.1895 |
| MS-MIIS-PCNS-TargetSPN | 1.2.840.113556.1.4.1896 |
| MS-MIIS-PCNS-TargetServer | 1.2.840.113556.1.4.1897 |
| MS-MIIS-PCNS-TargetAuthenticationService | 1.2.840.113556.1.4.1898 |
| MS-MIIS-PCNS-TargetUserNameFormat | 1.2.840.113556.1.4.1899 |
| MS-MIIS-PCNS-TargetKeepAliveInterval | 1.2.840.113556.1.4.1900 |
| MS-MIIS-PCNS-TargetDisabled | 1.2.840.113556.1.4.1901 |
| MS-MIIS-PCNS-TargetEncryptionKey | 1.2.840.113556.1.4.1902 |
| MS-MIIS-PCNS-ServiceMaxQueueLength | 1.2.840.113556.1.4.1903 |
| MS-MIIS-PCNS-ServiceMaxQueueAge | 1.2.840.113556.1.4.1904 |
| MS-MIIS-PCNS-ServiceMaxNotificationRetries | 1.2.840.113556.1.4.1905 |
| MS-MIIS-PCNS-ServiceRetryInterval | 1.2.840.113556.1.4.1906 |
| MS-MIIS-PCNS-TargetExclusionSID | 1.2.840.113556.1.4.1908 |
| MS-MIIS-PCNS-TargetInclusionSID | 1.2.840.113556.1.4.1909 |
| MS-MIIS-PCNS-TargetQueueWarningLevel | 1.2.840.113556.1.4.1911 |
| MS-MIIS-PCNS-TargetQueueWarningInterval | 1.2.840.113556.1.4.1912 |
AD Replication
- Verify AD replication, DC diagnostics (dcdiag) and network diagnostics (netdiag)
PCNS Installation on DCs
- Verify PCNS has been installed on all AD domain controllers (See: Step 1: Install PCNS on All Active Directory Domain Controllers in the Implementing the Automated Password Synchronization Solution – Step-by-Step guide.)
Verbose logging
- Enable verbose logging for PCNS and the sync engine
- See paragraph "Setting Log Levels" in the password synchronization walkthrough doc
PCNS: four logging levels are controlled by adding the EventLogLevel (REG_DWORD) entry to the registry subkey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters:
- 0 = Minimal logging
- 1 = Normal logging (default)
- 2 = High logging
- 3 = Verbose logging
- Example: reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters" /v EventLogLevel /t REG_DWORD /d 3
Sync Engine: in MIIS 2003, four logging levels are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the registry subkey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\miiserver\Logging. In FIM 2010 the same FeaturePwdSyncLogLevel (REG_DWORD) entry is added under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FimSynchronizationService\Logging. The levels are identical:
- 0 = Minimal logging
- 1 = Normal logging (default)
- 2 = High logging
- 3 = Verbose logging
- Example (FIM 2010): reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FIMSynchronizationService\Logging" /v FeaturePwdSyncLogLevel /t REG_DWORD /d 3
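The registry entries above have to be set on every domain controller (PCNS) and on the sync engine server, and reverted once the trace is collected. The script below is an added example, not part of the TechNet article: it raises both entries to the requested level through PowerShell Remoting and records the previous value of each so the change can be undone. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module, remoting enabled on the targets, and administrative rights; the sync server name is a placeholder, and the registry paths are the ones the article lists (miiserver for MIIS 2003/ILM, FIMSynchronizationService for FIM 2010).

```powershell
# Added example (not from the TechNet article): set the PCNS and sync engine password
# sync logging level on all DCs and on the sync server, keeping the old values.
param(
    [string]$SyncServer = 'SYNCSRV.contoso.com',   # placeholder sync engine FQDN
    [ValidateRange(0, 3)][int]$Level = 3           # 0 = Minimal ... 3 = Verbose
)
Import-Module ActiveDirectory

# Registry locations from the article. Only the key that exists on a host is touched.
$pcnsKey  = 'HKLM:\System\CurrentControlSet\Services\PCNSSVC\Parameters'
$syncKeys = @(
    'HKLM:\System\CurrentControlSet\Services\miiserver\Logging'                 # MIIS 2003 / ILM
    'HKLM:\System\CurrentControlSet\Services\FIMSynchronizationService\Logging' # FIM 2010
)

# Runs on the remote host: returns the previous value, then writes the new DWORD.
$setLevel = {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { return $null }   # product not installed here
    $old = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Key = $Key; Name = $Name; Old = $old; New = $Value }
}

# PCNS on every domain controller in the domain
$changes = @(foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock $setLevel `
        -ArgumentList $pcnsKey, 'EventLogLevel', $Level
})
# Sync engine: try both product keys, the script block skips the missing one
$changes += @(foreach ($key in $syncKeys) {
    Invoke-Command -ComputerName $SyncServer -ScriptBlock $setLevel `
        -ArgumentList $key, 'FeaturePwdSyncLogLevel', $Level
})

# Keep the record of previous values so the levels can be restored later
$changes = $changes | Where-Object { $_ }
$changes | Export-Clixml -Path "$env:TEMP\pcns-loglevel-before.xml"
$changes | Format-Table Host, Name, Old, New -AutoSize
```

Run it with -Level 3 before reproducing the problem and again with the Old value from the saved record afterwards, since verbose logging on every DC grows the event log quickly. A missing Old value means the entry did not exist before, that is, the product was running at the default (Normal) level.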
Clock
- Verify clock setting/time skew between password source, password target and sync engine server
- Authentication Errors are Caused by Unsynchronized Clocks
- Kerberos Troubles
DNS
- Verify DNS name resolution: PCNS on the domain controllers must be able to resolve the name of the sync engine server.
Port Settings
- Verify PCNS port settings and availability
Minimum Permissions
Communication Protocols and Ports
| Service | Protocol | Port |
|---|---|---|
| Kerberos | TCP/UDP | 88 |
| DNS | TCP/UDP | 53 |
| Kerberos Change Password | UDP | 464 |
| RPC Endpoint mapper | TCP | 135 |
| Dynamic RPC ports (PCNS) | TCP | 5000-5100 |
| Dynamic RPC ports (management agent for Active Directory) | TCP | 57500-57520 |
| LDAP | TCP/UDP | 389 |
Rights
- Make sure the service account used in the target MA has sufficient rights to set the password.
- Verify the firewall configuration, both between the servers and on the servers themselves.
Service configuration
- Verify the PCNS configuration (check the details of server, service and service account naming)
- Use the "Pcnscfg LIST" command; see the step-by-step guide (1)
- Verify the SPN configuration
- See this KB article to install setspn.exe (section "Configure a service principal name for the domain user account")
- Run setspn -L <MIIS service account>, where <MIIS service account> is the service account running the synchronization service. The output should list PCNSCLNT/server_fully_qualified_name, for example PCNSCLNT/SYNCSRV.contoso.com
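The checks in the sections above (schema update, PCNS on every DC, clock skew, port settings and the PCNSCLNT SPN) are usually repeated each time a deployment is reviewed, so the script below gathers them into one pass/fail report. It is an added example and not part of the TechNet article: it assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module on a domain-joined workstation, and $SyncServer and $SyncAccount are placeholders for your environment. The schema lookup uses the OIDs from the article's tables rather than display names, the service name PCNSSVC is taken from the article's registry path, and the 5-minute clock tolerance is the default Kerberos skew limit, assumed here as the threshold.

```powershell
# Added example (not from the TechNet article): one-pass PCNS prerequisite report.
param(
    [string]$SyncServer  = 'SYNCSRV.contoso.com',   # sync engine FQDN (placeholder)
    [string]$SyncAccount = 'CONTOSO\svc-sync'       # sync engine service account (placeholder)
)
Import-Module ActiveDirectory

$results = New-Object System.Collections.ArrayList
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    [void]$results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Schema: the PCNS classes (governsID) and attributes (attributeID), by OID from the article
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classOids = @('1.2.840.113556.1.5.249', '1.2.840.113556.1.5.250')
$attrOids  = @(1895..1906) + @(1908, 1909, 1911, 1912) | ForEach-Object { "1.2.840.113556.1.4.$_" }
foreach ($oid in $classOids) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(governsID=$oid)" -Properties lDAPDisplayName
    Add-Result "Schema class $oid" ($null -ne $obj) "$($obj.lDAPDisplayName)"
}
foreach ($oid in $attrOids) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(attributeID=$oid)" -Properties lDAPDisplayName
    Add-Result "Schema attribute $oid" ($null -ne $obj) "$($obj.lDAPDisplayName)"
}

# 2. PCNS service (PCNSSVC) present and running on every domain controller
$dcs = @(Get-ADDomainController -Filter *)
foreach ($dc in $dcs) {
    $svc = Get-Service -ComputerName $dc.HostName -Name PCNSSVC -ErrorAction SilentlyContinue
    Add-Result "PCNS service on $($dc.HostName)" ($svc -and $svc.Status -eq 'Running') "$($svc.Status)"
}

# 3. SPN: the sync engine account must carry PCNSCLNT/<sync server FQDN>
$expectedSpn = "PCNSCLNT/$SyncServer"
$spnLines    = & setspn.exe -L $SyncAccount 2>&1 | ForEach-Object { "$_" }
Add-Result "SPN $expectedSpn" ([bool]($spnLines -match [regex]::Escape($expectedSpn))) ($spnLines -join '; ')

# 4. Ports from the article's table that can be probed over TCP: PCNS reaches the sync
#    engine via the RPC endpoint mapper (135); Kerberos (88) and LDAP (389) are served by
#    a DC. UDP 464 is not probed, Test-NetConnection only tests TCP.
$dcHost  = [string]$dcs[0].HostName
$targets = @(@{ Host = $SyncServer; Port = 135 }, @{ Host = $dcHost; Port = 88 }, @{ Host = $dcHost; Port = 389 })
foreach ($t in $targets) {
    $tnc = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    Add-Result "TCP $($t.Port) to $($t.Host)" $tnc.TcpTestSucceeded "$($tnc.RemoteAddress)"
}

# 5. Clock skew against the sync engine (assumed threshold: 5 minutes, the Kerberos default)
$strip = & w32tm.exe /stripchart /computer:$SyncServer /samples:1 /dataonly 2>&1 | ForEach-Object { "$_" }
$m     = [regex]::Match(($strip -join "`n"), '([-+]\d+\.\d+)s')
$skew  = if ($m.Success) { [double]$m.Groups[1].Value } else { [double]::NaN }
Add-Result "Clock skew vs $SyncServer" ([math]::Abs($skew) -lt 300) "$skew s"

$results | Format-Table -AutoSize
```

A failed schema row points at the schema update or its replication (the "PCNS Schema update info" and "AD Replication" sections), a failed service row at the per-DC installation, a failed SPN row at the setspn step, and a failed port or skew row at firewall or time configuration. The dynamic RPC ranges are not probed because nothing listens on a given port in that range until a call is in progress.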
Sync engine
- Check whether password synchronization has been enabled on the sync engine server (Tools > Options)
Screenshot from FIM 2010 (image not reproduced here):
- Check whether the password source MA (AD MA) has been configured properly
- Check if password target MA has been configured properly for password change
Finally, search the ILM and FIM forums for specific error messages and keyword combinations, for example:
- "target could not be authenticated" (ILM forum / FIM forum)
- "exceeded the maximum retry limit" (ILM forum / FIM forum)
- PCNS "RPC server is unavailable" (ILM forum / FIM forum)
- PCNS "forest trust" (ILM forum / FIM forum)
- ...
See Also
- FIM Password Synchronization (PCNS) Resource Wiki
- PCNS Logging
- Troubleshooting FIM 2010 Roadmap
- Current Identity Lifecycle Manager Resources
- Current Forefront Identity Manager Resources
Note: To provide feedback about this article, create a post on the FIM TechNet Forum.
Source: https://social.technet.microsoft.com/wiki/contents/articles/1597.troubleshooting-pcns.aspx