 

PCNS failing to sync passwords

  • Thursday, October 15, 2009 5:01 AM, MaxMexican
     

    Hi ILM gurus =D!

    Basically, I have followed the "Publishing Active Directory Users From Two Authoritative Data Sources" document located at FIM2010 site.

    Right now, I have the following scenario:
    + Domain1\sourceAD (DC) with PCNS installed on it
    + Domain1\FIM2010 RC1 server
    + Domain 2\targetAD

    I synchronized users from Domain1\sourceAD to Domain2\targetAD successfully. Then, on Domain2 DC (target AD) I created a password for 'consultant' user and I was able to log in to Windows with that acct credentials.
    Later, I changed the password for the 'consultant' on domain1 DC (source AD) to trigger PCNS sync process. I reviewed the "Application" log on the FIM box and found FIM sync service failed:

    An unexpected error has occurred during a password set operation.
     "ERR: MMS(2788): utils.cpp(960): Failed getting registry value 'AdExtTimeout', 0x2
    BAIL: MMS(2788): utils.cpp(962): 0x80070002 (The system cannot find the file specified.)
    BAIL: MMS(2788): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition CN=Configuration,DC=Morgan,DC=net to the list because it already exists at position 0
    BAIL: MMS(2788): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=Morgan,DC=net to the list because it already exists at position 1
    BAIL: MMS(2788): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=ForestDnsZones,DC=Morgan,DC=net to the list because it already exists at position 2
    ERR: MMS(2788): utils.cpp(740): Failed getting registry value 'ADMADoNormalization', 0x2
    BAIL: MMS(2788): utils.cpp(741): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
    BAIL: MMS(2788): utils.cpp(796): 0x80070002 (The system cannot find the file specified.)
    ERR: MMS(2788): admaexport.cpp(3643): The Kerberos change operation failed: 0xc000005e
    ERR: MMS(2788): ma.cpp(8157): ExportPasswordSet failed with 0x80004005
    Forefront Identity Manager 4.0.2560.0"

    ** After 10 tries:

    The password synchronization set operation has exceeded the maximum retry limit for this target connected data source.
     
    Additional information:
    Tracking ID: {289AE4D9-B95F-4238-8E7C-500C8CA1A265}
    Reference ID: {1E5E5EEC-6BFC-45A0-BBEC-85B0A1763EB5}
    Target Object GUID: {0F444E8F-73E1-45BE-BA79-F9323010AAAA}
    Target DN: CN=consultant bt,OU=NewYork,DC=Morgan,DC=net
    Target MA Name: AD_destination

    Kerberos seems to be the source of the error.

    Does somebody have an idea of the source of this error?? Is it related to acct permissions?

    Please have mercy =P...thanks fellows!!...

    max


    • Edited by MaxMexican Wednesday, October 28, 2009 7:22 AM

All Replies

  • Tuesday, October 27, 2009 4:50 AM, MaxMexican
     

    It is working perfectly on the DC side as the password change notification gets delivered to the ILM box according to the "Application" log of the DC box:

    The password notification has been delivered to all targets.
    Tracking ID: aa6fd2e3-2df3-4643-98b6-c0181cefa962
    User GUID: 8b4ddc4c-5288-4023-857c-4d01911892dd
    User: MORGANDEV\consultant
    Targets: ilmbox

    On the ILM box side I am getting the unexpected error described in the section above. After enabling the Kerberos logging I got the following error on the "System" log:

    *********
    A Kerberos Error Message was received:
    on logon session morgandev\ilmmgmt           <-----------------This is the FIM MA account.
    Client Time: Server Time: 4:21:37.0000 10/27/2009 Z

    Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
    Extended Error:
    Client Realm:
    Client Name:
    Server Realm: morgandev
    Server Name: krbtgt/morgandev
    Target Name: krbtgt/morgandev@morgandev
    Error Text:
    File: e
    Line: 98a
    Error Data is in record data.
    ***********

    thank you guys!!!
    max

    Does somebody have an idea or suggestion???? Please feel extremely FREE....

  • Monday, November 02, 2009 8:23 PM, Bruce Bequette - MSFT
     Answer
    This appears to be an error in your Kerberos configuration. The 0xC000005E error code corresponds to a STATUS_NO_LOGON_SERVERS error. Try enabling Kerberos logging to see if it gives you any further details:

    http://support.microsoft.com/kb/262177

    Bruce Bequette - MSFT