Troubleshoot Password Change Notification Service from Forefront Identity Manager. This article applies to MIIS, ILM and FIMSync, which will be further referenced as "sync engine".

Reference documents

(1) Implementing the Automated Password Synchronization Solution - Step-by-Step
(2) Automated Password Synchronization Solution Guide for MIIS 2003 (download here)
(3) Microsoft Identity Integration Server 2003 Scenarios with (MIIS 2003 walkthrough: Password Synchronization doc (4)
(5) Password Synchronization Port Settings (in management agent  port, rights and permissions, download here)
(6) Sync engine Help

Tasks

Check Requirements

- Verifiy the requirements for forest trusts. Also verify forest and domain levels (cannot be mixed mode).

  • Cfr. reference (2): "/../ In an optimal configuration, PCNS and MIIS 2003 are in the same forest because they authenticate to each other using Kerberos authentication. PCNS and MIIS 2003 can be in different forests only if the forests have cross-forest trusts. /../"

PCNS Schema update info

- Make sure the PCNS schema update has been installed and replicated properly

Schema Object Classes Added by the PCNS 

CN

ID

MS-MIIS-PCNS-Target

1.2.840.113556.1.5.249

MS-MIIS-PCNS-Service

1.2.840.113556.1.5.250

Schema attributes Added by the PCNS 

CN

ID

MS-MIIS-PCNS-TargetGUID

1.2.840.113556.1.4.1895

MS-MIIS-PCNS-TargetSPN

1.2.840.113556.1.4.1896

MS-MIIS-PCNS-TargetServer

1.2.840.113556.1.4.1897

MS-MIIS-PCNS-TargetAuthenticationService

1.2.840.113556.1.4.1898

MS-MIIS-PCNS-TargetUserNameFormat

1.2.840.113556.1.4.1899

MS-MIIS-PCNS-TargetKeepAliveInterval

1.2.840.113556.1.4.1900

MS-MIIS-PCNS-TargetDisabled

1.2.840.113556.1.4.1901

MS-MIIS-PCNS-TargetEncryptionKey

1.2.840.113556.1.4.1902

MS-MIIS-PCNS-ServiceMaxQueueLength

1.2.840.113556.1.4.1903

MS-MIIS-PCNS-ServiceMaxQueueAge

1.2.840.113556.1.4.1904

MS-MIIS-PCNS-ServiceMaxNotificationRetries

1.2.840.113556.1.4.1905

MS-MIIS-PCNS-ServiceRetryInterval

1.2.840.113556.1.4.1906

MS-MIIS-PCNS-TargetExclusionSID

1.2.840.113556.1.4.1908

MS-MIIS-PCNS-TargetInclusionSID

1.2.840.113556.1.4.1909

MS-MIIS-PCNS-TargetQueueWarningLevel

1.2.840.113556.1.4.1911

MS-MIIS-PCNS-TargetQueueWarningInterval

1.2.840.113556.1.4.1912

AD Replication

- Verify AD replication, DC diagnostics (dcdiag) and network diagnostics (netdiag)

PCNS Installation on DCs

- Verify PCNS has been installed on all AD domain controllers (See: Step 1: Install PCNS on All Active Directory Domain Controllers in the Implementing the Automated Password Synchronization Solution – Step-by-Step guide.)

Verbose logging

- Enable verbose logging for PCNS and the sync engine

 PCNS   For PCNS, four logging levels are controlled by adding the EventLogLevel (REG_DWORD) entry to the following registry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters·         0 = Minimal logging·         1 = Normal logging (default)·         2 = High logging·         3 = Verbose logging

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters" /v EventLogLevel /t REG_DWORD /d 3

Sync Engine   For MIIS 2003, four logging levels are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\miiserver\Logging·         0 = Minimal logging·         1 = Normal logging (default)·         2 = High logging·         3 = Verbose logging
  For MIIS 2010, four logging levels are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FimSynchronizationService\Logging· 0 = Minimal logging· 1 = Normal logging (default)· 2 = High logging· 3 = Verbose logging

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FIMSynchronizationService\Logging" /v FeaturePwdSyncLogLevel /t REG_DWORD /d 3

Clock

- Verify clock setting / time skew between password source, password target and sync engine server

DNS

- Verify DNS name resolution. PCNS must be able to find the sync engine

Port Settings

- Verify PCNS port settings and availability

Operation Minimum Permissions
Install PCNS If the Active Directory schema needs to be updated, you must be a member of Schema Admins groups or Enterprise Admins group.If the Active Directory schema is already updated, you need to be a member only in the Domain Admins group.
Synchronize passwords from one Active Directory forest to another Active Directory forest, when MIIS 2003 is installed on a domain controller within one of the forests. There must be a two-way forest trust established between the Active Directory forests.
  •  Communication Protocols and Ports  
Service Protocol Port
RPC Endpoint mapper TCP 135
Dynamic RPC ports (PCNS) TCP 5000 - 5100
Dynamic RPC ports (management agent for Active Directory) TCP 57500 - 57520

Rights

 - Make sure the service account used in the target MA has sufficient rights to set the password.

- Verify firewall configuration, between servers or on the servers themselves

Service configuration

- Verify PCNS configuration (check for the details on server, service, service account naming)

  • use "Pcnscfg LIST" command, see the step-by-step guide (1)

- Verify SPN configuration

  • See this KB article to install setspn.exe (See section : Configure a service principal name for the domain user account)
  • use setspn –L <MIIS service account>, see the step-by-step guide (1)

Sync engine

- Check if password sync has been enabled on sync engine server (Tools > options)

Screenshot from FIM 2010:

- Check if password source MA (AD MA) has been configure properly

- Check if password target MA has been configured properly for password change

 

 

Finally, search the ILM and FIM forums for specific error messages and keyword combinations, some hints for example:
- "target could not be authenticated" (on ILM vs. FIM forum)
- "exceeded the maximum retry limit" (on ILM vs FIM forum)
- PCNS "RPC server is unavailable" (on ILM vs FIM forum)
- PCNS "forest trust" (on ILM vs FIM forum)
- ...

See Also

 

note Note
To provide feedback about this article, create a post on the FIM TechNet Forum.