Table of Contents

  • Scope
  • Reference documents
  • Tasks
    • Check Requirements
    • PCNS Schema update info
      • Schema Object Classes Added by the PCNS
      • Schema attributes Added by the PCNS
    • AD Replication
    • PCNS Installation on DCs
    • Verbose logging
    • Clock
    • DNS
    • Port Settings
      • Minimum Permissions
    • Rights
    • Service configuration
    • Sync engine
  • See Also
  

Scope

This article covers troubleshooting of the Password Change Notification Service (PCNS) used with Forefront Identity Manager. It applies to MIIS, ILM and FIM Sync, which are referred to below as the "sync engine".

Reference documents

  1. Implementing the Automated Password Synchronization Solution - Step-by-Step
  2. Automated Password Synchronization Solution Guide for MIIS 2003 (download here)
  3. Microsoft Identity Integration Server 2003 Scenarios with
  4. MIIS 2003 walkthrough: Password Synchronization doc
  5. Password Synchronization Port Settings (management agent port, rights and permissions; download here)
  6. Sync engine Help

Tasks

Check Requirements

- Verify the requirements for forest trusts. Also verify the forest and domain functional levels (mixed mode is not supported).

  • Cfr. reference (2): "/../ In an optimal configuration, PCNS and MIIS 2003 are in the same forest because they authenticate to each other using Kerberos authentication. PCNS and MIIS 2003 can be in different forests only if the forests have cross-forest trusts. /../"

PCNS Schema update info

- Make sure the PCNS schema update has been installed and replicated properly.

Schema Object Classes Added by the PCNS

  CN                      ID
  MS-MIIS-PCNS-Target     1.2.840.113556.1.5.249
  MS-MIIS-PCNS-Service    1.2.840.113556.1.5.250

Schema attributes Added by the PCNS

  CN                                            ID
  MS-MIIS-PCNS-TargetGUID                       1.2.840.113556.1.4.1895
  MS-MIIS-PCNS-TargetSPN                        1.2.840.113556.1.4.1896
  MS-MIIS-PCNS-TargetServer                     1.2.840.113556.1.4.1897
  MS-MIIS-PCNS-TargetAuthenticationService      1.2.840.113556.1.4.1898
  MS-MIIS-PCNS-TargetUserNameFormat             1.2.840.113556.1.4.1899
  MS-MIIS-PCNS-TargetKeepAliveInterval          1.2.840.113556.1.4.1900
  MS-MIIS-PCNS-TargetDisabled                   1.2.840.113556.1.4.1901
  MS-MIIS-PCNS-TargetEncryptionKey              1.2.840.113556.1.4.1902
  MS-MIIS-PCNS-ServiceMaxQueueLength            1.2.840.113556.1.4.1903
  MS-MIIS-PCNS-ServiceMaxQueueAge               1.2.840.113556.1.4.1904
  MS-MIIS-PCNS-ServiceMaxNotificationRetries    1.2.840.113556.1.4.1905
  MS-MIIS-PCNS-ServiceRetryInterval             1.2.840.113556.1.4.1906
  MS-MIIS-PCNS-TargetExclusionSID               1.2.840.113556.1.4.1908
  MS-MIIS-PCNS-TargetInclusionSID               1.2.840.113556.1.4.1909
  MS-MIIS-PCNS-TargetQueueWarningLevel          1.2.840.113556.1.4.1911
  MS-MIIS-PCNS-TargetQueueWarningInterval       1.2.840.113556.1.4.1912

AD Replication

- Verify AD replication, DC diagnostics (dcdiag) and network diagnostics (netdiag)

  • Netdiag

PCNS Installation on DCs

- Verify PCNS has been installed on all AD domain controllers (See: Step 1: Install PCNS on All Active Directory Domain Controllers in the Implementing the Automated Password Synchronization Solution – Step-by-Step guide.)

Verbose logging

- Enable verbose logging for PCNS and the sync engine

  • See paragraph "Setting Log Levels" in the password synchronization walkthrough doc

PCNS

For PCNS, four logging levels are controlled by adding the EventLogLevel (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters

  0 = Minimal logging
  1 = Normal logging (default)
  2 = High logging
  3 = Verbose logging

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters" /v EventLogLevel /t REG_DWORD /d 3

Sync engine

In MIIS 2003, four logging levels are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\miiserver\Logging

For MIIS 2010, the same FeaturePwdSyncLogLevel (REG_DWORD) entry is added to the following registry subkey instead:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FimSynchronizationService\Logging

The values are the same in both cases:

  0 = Minimal logging
  1 = Normal logging (default)
  2 = High logging
  3 = Verbose logging

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FIMSynchronizationService\Logging" /v FeaturePwdSyncLogLevel /t REG_DWORD /d 3
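The same registry change as a script, added here as an example (it is not part of the article or the product). It picks the key that belongs to whichever service is installed on the local machine, using the key paths and value names listed above, and defaults to a dry run; the service names and the assumption that a service restart is needed for the new level to take effect are the author's, not the article's.

```powershell
# Added example: inspect or set the password-sync log level on a DC (PCNS) or a
# sync engine server. Run elevated. Key paths and value names come from the article.
$LogLevelKeys = [ordered]@{
    # Windows service name -> registry key and value controlling its log level
    'PCNSSVC'                   = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PCNSSVC\Parameters'
                                     Name = 'EventLogLevel' }
    'miiserver'                 = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\miiserver\Logging'
                                     Name = 'FeaturePwdSyncLogLevel' }
    'FIMSynchronizationService' = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Logging'
                                     Name = 'FeaturePwdSyncLogLevel' }
}

function Set-PwdSyncLogLevel {
    param(
        [ValidateRange(0, 3)][int]$Level = 3,   # 0 = minimal ... 3 = verbose
        [switch]$DryRun                          # report only, change nothing
    )
    foreach ($svc in $LogLevelKeys.Keys) {
        # Only touch the key of a service that actually exists on this machine
        if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) { continue }
        $k = $LogLevelKeys[$svc]
        # A missing value means the service runs at the default "Normal" (1)
        $current = (Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue).($k.Name)
        if ($null -eq $current) { $current = 1 }
        Write-Host ("{0}: {1} is {2}, requested {3}" -f $svc, $k.Name, $current, $Level)
        if ($DryRun -or $current -eq $Level) { continue }
        # The Parameters/Logging subkey may not exist yet on a fresh install
        if (-not (Test-Path $k.Path)) { New-Item -Path $k.Path -Force | Out-Null }
        New-ItemProperty -Path $k.Path -Name $k.Name -PropertyType DWord -Value $Level -Force | Out-Null
        # Assumption: the service reads the value at start-up, so restart it to apply
        Write-Host "  value written; restart the '$svc' service for it to take effect"
    }
}

Set-PwdSyncLogLevel -Level 3 -DryRun
```

Remember to set the level back to 1 once the problem is isolated; verbose logging fills the event log quickly on a busy DC.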

Clock

  • Verify clock setting/time skew between password source, password target and sync engine server
  • Authentication Errors are Caused by Unsynchronized Clocks
  • Kerberos Troubles

DNS

  • Verify DNS name resolution. PCNS must be able to find the sync engine by name.

Port Settings

  • Verify PCNS port settings and availability

Minimum Permissions

Communication Protocols and Ports

  Service                                                      Protocol   Port
  Kerberos                                                     TCP/UDP    88
  DNS                                                          TCP/UDP    53
  Kerberos Change Password                                     UDP        464
  RPC Endpoint mapper                                          TCP        135
  Dynamic RPC ports (PCNS)                                     TCP        5000-5100
  Dynamic RPC ports (management agent for Active Directory)    TCP        57500-57520
  LDAP                                                         TCP/UDP    389
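A connectivity check for the DNS and Port Settings items, added as an example (not from the article). Run on a domain controller that hosts PCNS: it resolves the sync engine server, then probes the TCP ports from the table that PCNS itself uses towards the sync engine (RPC endpoint mapper and the 5000-5100 dynamic range); the host name is a placeholder, and UDP ports cannot be tested with a TCP connect so they are left out.

```powershell
# Added example: DC-side check that the sync engine is resolvable and reachable
# on the PCNS RPC ports from the article's port table.
$SyncServer = 'SYNCSRV.contoso.com'   # placeholder, taken from the article's SPN example

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 1000)
    # Plain TCP connect with a timeout; works on any Windows PowerShell version
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # timed out: filtered
        $client.EndConnect($async)                                            # throws when refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-PcnsConnectivity {
    param([string]$Server = $SyncServer)
    # 1. DNS: PCNS locates the sync engine by name, so this has to succeed first
    try { $ip = [System.Net.Dns]::GetHostAddresses($Server)[0].IPAddressToString }
    catch { Write-Warning "DNS lookup for '$Server' failed: $_"; return $false }
    Write-Host "$Server resolves to $ip"

    # 2. RPC endpoint mapper (TCP 135) must answer before any dynamic port is used
    $epm = Test-TcpPort -HostName $Server -Port 135
    Write-Host ("RPC endpoint mapper TCP 135: {0}" -f $(if ($epm) { 'open' } else { 'BLOCKED or closed' }))

    # 3. Dynamic RPC range 5000-5100: only ports with a registered endpoint listen,
    #    so count what answers instead of expecting every port to be open
    $open = @(5000..5100 | Where-Object { Test-TcpPort -HostName $Server -Port $_ -TimeoutMs 300 })
    Write-Host ("Dynamic RPC 5000-5100: {0} port(s) accept connections" -f $open.Count)
    if ($open.Count -eq 0) { Write-Warning "Nothing in 5000-5100 answers; check firewall rules between DC and sync engine" }
    return ($epm -and $open.Count -gt 0)
}

Test-PcnsConnectivity
```

A timeout on 135 but success on the dynamic range (or the reverse) points at a firewall rule rather than at the service, since the sync engine registers both when it starts.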

Rights

  • Make sure the service account used in the target MA has sufficient rights to set the password.
  • Verify firewall configuration, between servers or on the servers themselves.

Service configuration

  • Verify PCNS configuration (check the details of server, service and service account naming)
    • use the "Pcnscfg LIST" command, see the step-by-step guide (1)
  • Verify SPN configuration
    • See this KB article to install setspn.exe (see the section "Configure a service principal name for the domain user account")
    • use setspn -L <MIIS service account>, where <MIIS service account> is the service account running the synchronization service. The output of the command should be: PCNSCLNT/server_fully_qualified_name (example: PCNSCLNT/SYNCSRV.contoso.com)
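The SPN check above as a script, added as an example (not from the article or the product). It parses the output of setspn -L for the sync engine service account and reports whether the PCNSCLNT/<sync engine FQDN> entry is present, or whether a PCNSCLNT entry exists under a different host name (typically the short name instead of the FQDN); the account and host name are placeholders.

```powershell
# Added example: confirm the sync engine service account carries the SPN that
# PCNS authenticates against. Requires setspn.exe on the path.

function Get-AccountSpns {
    param([string]$Account)
    # setspn -L prints a header line followed by one indented SPN per line
    $out = & setspn.exe -L $Account 2>&1
    if ($LASTEXITCODE -ne 0) { throw "setspn -L failed for '$Account': $($out -join ' ')" }
    $out | ForEach-Object { "$_".Trim() } | Where-Object { $_ -match '^[A-Za-z]+/' }
}

function Test-PcnsSpn {
    param(
        [string]$ServiceAccount,    # account running the synchronization service
        [string]$SyncEngineFqdn     # fully qualified name of the sync engine server
    )
    $expected = "PCNSCLNT/$SyncEngineFqdn"
    $spns = @(Get-AccountSpns -Account $ServiceAccount)
    # -eq on strings is case-insensitive in PowerShell, which matches AD's SPN comparison
    $found = $spns | Where-Object { $_ -eq $expected }
    if ($found) {
        Write-Host "OK: $ServiceAccount has $expected"
        return $true
    }
    Write-Warning "SPN $expected is missing on $ServiceAccount"
    # A PCNSCLNT SPN on the wrong host name (short name, old server) is the usual cause
    $other = $spns | Where-Object { $_ -like 'PCNSCLNT/*' }
    if ($other) { Write-Warning ("PCNSCLNT SPNs present instead: " + ($other -join ', ')) }
    Write-Host "Register it with: setspn -S $expected $ServiceAccount"
    return $false
}

# Placeholders: replace with the real service account and sync engine FQDN
Test-PcnsSpn -ServiceAccount 'CONTOSO\svc-fimsync' -SyncEngineFqdn 'SYNCSRV.contoso.com'
```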

Sync engine

  • Check if password sync has been enabled on the sync engine server (Tools > Options)

Screenshot from FIM 2010:

  • Check if the password source MA (AD MA) has been configured properly

  • Check if the password target MA has been configured properly for password change

Finally, search the ILM and FIM forums for the specific error message and keyword combinations; some examples:

  • "target could not be authenticated" (on ILM vs. FIM forum)
  • "exceeded the maximum retry limit" (on ILM vs. FIM forum)
  • PCNS "RPC server is unavailable" (on ILM vs. FIM forum)
  • PCNS "forest trust" (on ILM vs. FIM forum)
  • ...

See Also

  • FIM Password Synchronization (PCNS) Resource Wiki
  • PCNS Logging
  • Troubleshooting FIM 2010 Roadmap
  • Current Identity Lifecycle Manager Resources
  • Current Forefront Identity Manager Resources
Note
To provide feedback about this article, create a post on the FIM TechNet Forum.