Troubleshoot Password Change Notification Service (PCNS) from Forefront Identity Manager. This article applies to MIIS, ILM and FIMSync, referred to below as the "sync engine".
References:
- (1) Implementing the Automated Password Synchronization Solution - Step-by-Step
- (2) Automated Password Synchronization Solution Guide for MIIS 2003 (download)
- (3) Microsoft Identity Integration Server 2003 Scenarios
- (4) MIIS 2003 walkthrough: Password Synchronization
- (5) Password Synchronization Port Settings (management agent port, rights and permissions; download)
- Sync engine Help
- Verify the requirements for forest trusts. Also verify the forest and domain functional levels (mixed mode is not supported).
- Make sure the PCNS schema update has been installed and replicated properly
- Verify AD replication, DC diagnostics (dcdiag) and network diagnostics (netdiag)
- Verify PCNS has been installed on all AD domain controllers (see Step 1: Install PCNS on All Active Directory Domain Controllers in the Implementing the Automated Password Synchronization Solution - Step-by-Step guide).
- Enable verbose logging for PCNS (on each domain controller) and for the sync engine (on the sync engine server):
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters" /v EventLogLevel /t REG_DWORD /d 3
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FIMSynchronizationService\Logging" /v FeaturePwdSyncLogLevel /t REG_DWORD /d 3
- Verify clock setting / time skew between password source, password target and sync engine server
- Verify DNS name resolution. PCNS must be able to find the sync engine
- Verify PCNS port settings and availability
- Make sure the service account used in the target MA has sufficient rights to set the password.
- Verify firewall configuration, between servers or on the servers themselves
- Verify PCNS configuration (check for the details on server, service, service account naming)
- Verify SPN configuration
- Check that password synchronization has been enabled on the sync engine server (Tools > Options)
- Check that the password source MA (AD MA) has been configured properly
- Check that the password target MA has been configured properly for password change
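The following script is an added example, not part of the original article: it runs several of the checks above from an elevated Windows PowerShell session on a domain controller (domain/forest mode, PCNSSVC on every DC, the local logging level, DNS resolution of the sync engine, TCP 135 reachability, clock skew, the PCNS SPN, and recent PCNS events). The sync engine name fimsync01.contoso.com is an assumed placeholder, and the SPN format PCNSCLNT/<sync server FQDN> is the one used by the standard PCNS setup.

```powershell
# Added diagnostic script (not from the article). Run elevated on a domain controller.
# $SyncServer is an assumed example FQDN; replace it with your sync engine server.
param([string]$SyncServer = "fimsync01.contoso.com")

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Write-Host "Domain mode: $($domain.DomainMode); forest mode: $($forest.ForestMode)"
if ("$($domain.DomainMode)" -like "*Mixed*") { Write-Warning "Domain is in mixed mode; PCNS requires native mode." }

# PCNS must be installed and running on every domain controller in the domain
foreach ($dc in $domain.DomainControllers) {
    $svc = Get-Service -ComputerName $dc.Name -Name PCNSSVC -ErrorAction SilentlyContinue
    if ($svc) { Write-Host "$($dc.Name): PCNSSVC is $($svc.Status)" }
    else      { Write-Warning "$($dc.Name): PCNSSVC service not found (PCNS not installed?)" }
}

# Logging level written by the reg add command in the article (3 = verbose)
$lvl = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\PCNSSVC\Parameters" -ErrorAction SilentlyContinue).EventLogLevel
Write-Host "Local PCNS EventLogLevel: $(if ($null -eq $lvl) { '(not set)' } else { $lvl })"

# DNS: PCNS must be able to resolve the sync engine server name
try   { $ips = [System.Net.Dns]::GetHostAddresses($SyncServer) | ForEach-Object { $_.IPAddressToString }
        Write-Host "${SyncServer} resolves to: $($ips -join ', ')" }
catch { Write-Warning "DNS lookup of ${SyncServer} failed: $($_.Exception.Message)" }

# Reachability of the RPC endpoint mapper (TCP 135); the dynamic RPC range is checked separately
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($SyncServer, 135); Write-Host "TCP 135 to ${SyncServer}: open" }
catch   { Write-Warning "TCP 135 to ${SyncServer}: blocked or closed; check firewall and port settings" }
finally { $tcp.Close() }

# Clock skew between this DC and the sync engine server (via WMI; needs remote admin rights)
try {
    $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $SyncServer
    $skew = ((Get-Date) - $os.ConvertToDateTime($os.LocalDateTime)).TotalSeconds
    Write-Host ("Clock skew vs {0}: {1:N1} s" -f $SyncServer, $skew)
    if ([math]::Abs($skew) -gt 300) { Write-Warning "Skew exceeds 5 minutes; Kerberos authentication will fail." }
} catch { Write-Warning "Could not read the remote clock: $($_.Exception.Message)" }

# SPN the PCNS client authenticates against: PCNSCLNT/<sync server FQDN> on the sync engine service account
setspn -Q "PCNSCLNT/$SyncServer"

# Most recent PCNS events in the Application log on this DC
Get-EventLog -LogName Application -Source "PCNS*" -Newest 10 -ErrorAction SilentlyContinue |
    Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize -Wrap
```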
Finally, search the ILM and FIM forums for the specific error message and keyword combinations, for example:
- "target could not be authenticated"
- "exceeded the maximum retry limit"
- PCNS "RPC server is unavailable"
- PCNS "forest trust"