PCNS failing to sync passwords

  • Question

  • Hi ILM gurus =D!

    Basically, I have followed the "Publishing Active Directory Users From Two Authoritative Data Sources" document located on the FIM2010 site.

    Right now, I have the following scenario:
    + Domain1\sourceAD (DC) with PCNS installed on it
    + Domain1\FIM2010 RC1 server
    + Domain2\targetAD

    I synchronized users from Domain1\sourceAD to Domain2\targetAD successfully. Then, on the Domain2 DC (target AD) I created a password for the 'consultant' user and I was able to log in to Windows with that account's credentials.
    Later, I changed the password for the 'consultant' user on the Domain1 DC (source AD) to trigger the PCNS sync process. I reviewed the "Application" log on the FIM box and found that the FIM sync service failed:

    An unexpected error has occurred during a password set operation.
     "ERR: MMS(2788): utils.cpp(960): Failed getting registry value 'AdExtTimeout', 0x2
    BAIL: MMS(2788): utils.cpp(962): 0x80070002 (The system cannot find the file specified.)
    BAIL: MMS(2788): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition CN=Configuration,DC=Morgan,DC=net to the list because it already exists at position 0
    BAIL: MMS(2788): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=Morgan,DC=net to the list because it already exists at position 1
    BAIL: MMS(2788): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=ForestDnsZones,DC=Morgan,DC=net to the list because it already exists at position 2
    ERR: MMS(2788): utils.cpp(740): Failed getting registry value 'ADMADoNormalization', 0x2
    BAIL: MMS(2788): utils.cpp(741): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
    BAIL: MMS(2788): utils.cpp(796): 0x80070002 (The system cannot find the file specified.)
    ERR: MMS(2788): admaexport.cpp(3643): The Kerberos change operation failed: 0xc000005e
    ERR: MMS(2788): ma.cpp(8157): ExportPasswordSet failed with 0x80004005
    Forefront Identity Manager 4.0.2560.0"

    ** After 10 tries:

    The password synchronization set operation has exceeded the maximum retry limit for this target connected data source.
     
    Additional information:
    Tracking ID: {289AE4D9-B95F-4238-8E7C-500C8CA1A265}
    Reference ID: {1E5E5EEC-6BFC-45A0-BBEC-85B0A1763EB5}
    Target Object GUID: {0F444E8F-73E1-45BE-BA79-F9323010AAAA}
    Target DN: CN=consultant bt,OU=NewYork,DC=Morgan,DC=net
    Target MA Name: AD_destination

    Kerberos seems to be the source of the error.

    Does somebody have an idea of the source of this error? Is it related to account permissions?

    Please have mercy =P...thanks fellows!!...

    max


    • Edited by MaxMexican Wednesday, October 28, 2009 7:22 AM
    Thursday, October 15, 2009 5:01 AM

Answers

All replies

  • It is working perfectly on the DC side as the password change notification gets delivered to the ILM box according to the "Application" log of the DC box:

    The password notification has been delivered to all targets.
    Tracking ID: aa6fd2e3-2df3-4643-98b6-c0181cefa962
    User GUID: 8b4ddc4c-5288-4023-857c-4d01911892dd
    User: MORGANDEV\consultant
    Targets: ilmbox

    On the ILM box side I am getting the unexpected error described in the section above. After enabling Kerberos logging I got the following error in the "System" log:

    *********
    A Kerberos Error Message was received:
    on logon session morgandev\ilmmgmt           <-----------------This is the FIM MA account.
    Client Time: Server Time: 4:21:37.0000 10/27/2009 Z

    Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
    Extended Error:
    Client Realm:
    Client Name:
    Server Realm: morgandev
    Server Name: krbtgt/morgandev
    Target Name: krbtgt/morgandev@morgandev
    Error Text:
    File: e
    Line: 98a
    Error Data is in record data.
    ***********

    thank you guys!!!
    max




    Does somebody have an idea or suggestion? Please feel extremely FREE....

    Tuesday, October 27, 2009 4:50 AM
  • This appears to be an error in your Kerberos configuration. The 0xC000005E error code corresponds to a STATUS_NO_LOGON_SERVERS error. Try enabling Kerberos logging to see if it gives you any further details:

    http://support.microsoft.com/kb/262177

    Bruce Bequette - MSFT
    Monday, November 2, 2009 8:23 PM
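
The status codes discussed in this thread can be separated mechanically. The following is an added example, not code from the thread or from Microsoft: it parses the MMS `ERR`/`BAIL` lines quoted in the question and classifies each hex value as a bare Win32 error, an HRESULT, or an NTSTATUS. The function names, the small lookup tables (limited to codes that appear in this thread) and the NTSTATUS-versus-HRESULT heuristic are assumptions made for the illustration.

```python
import re

# Constructed sample: MMS lines copied from the event text quoted in the question.
SAMPLE = """\
ERR: MMS(2788): utils.cpp(960): Failed getting registry value 'AdExtTimeout', 0x2
BAIL: MMS(2788): utils.cpp(962): 0x80070002 (The system cannot find the file specified.)
BAIL: MMS(2788): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition CN=Configuration,DC=Morgan,DC=net to the list because it already exists at position 0
ERR: MMS(2788): admaexport.cpp(3643): The Kerberos change operation failed: 0xc000005e
ERR: MMS(2788): ma.cpp(8157): ExportPasswordSet failed with 0x80004005
"""

# Only the codes that occur in this thread; extend as needed.
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 183: "ERROR_ALREADY_EXISTS"}
HRESULT = {0x80004005: "E_FAIL"}
NTSTATUS = {0xC000005E: "STATUS_NO_LOGON_SERVERS"}

LINE_RE = re.compile(r"^(ERR|BAIL): MMS\((\d+)\): ([\w.]+)\((\d+)\): (.*)$")
CODE_RE = re.compile(r"0x[0-9a-fA-F]+")

def decode(value):
    """Classify a 32-bit status value and name it if known."""
    if value >> 30 == 0b11:                         # severity bits 11: NTSTATUS error (heuristic)
        return "ntstatus", NTSTATUS.get(value, "unknown")
    if value >> 31 and (value >> 16) & 0x7FF == 7:  # HRESULT wrapping a Win32 code (FACILITY_WIN32)
        return "win32", WIN32.get(value & 0xFFFF, "unknown")
    if value >> 31:                                 # any other failure HRESULT
        return "hresult", HRESULT.get(value, "unknown")
    return "win32", WIN32.get(value, "unknown")     # bare Win32 error such as 0x2

def parse_mms(text):
    """Return one dict per ERR/BAIL line that carries a hex status code."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        code = CODE_RE.search(m.group(5)) if m else None
        if not code:
            continue
        value = int(code.group(0), 16)
        kind, name = decode(value)
        entries.append({"level": m.group(1), "source": m.group(3),
                        "line": int(m.group(4)), "code": value,
                        "kind": kind, "name": name})
    return entries

if __name__ == "__main__":
    for e in parse_mms(SAMPLE):
        print(f"{e['level']:4} {e['source']}:{e['line']:<5} 0x{e['code']:08x} {e['kind']:8} {e['name']}")
```

On the sample, the only NTSTATUS entry is the one raised from admaexport.cpp, which is the code the reply above identifies.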