PCNS Troubleshooting

  • Question

  • I am currently running PCNS between two AD forests, both running Windows 2003, and need some validation of my configuration. The MIIS documents on Password Management mention that the following ports need to be open for the target server receiving the password change.

    The following table lists all the outbound ports in the external firewall that you need to:

    Table 7.1. MIIS 2003 with SP1 Server Outbound Ports to External Domain Controller

    Outbound port   Protocol       Purpose
    389             TCP and UDP    LDAP
    88              TCP and UDP    Kerberos authentication protocol
    135             TCP            RPC Endpoint Mapper (may require additional open ports)
    464             TCP and UDP    Kerberos Change Password

    Password synchronization is working well in this deployment and many of my users are able to change their passwords and log in to the other forest with no problems; however, I have one user who seems to be giving me problems.

    Within the domain controllers, successful events for this user state that delivery of the password changes was successful (Event: 2100); however, this user's password is not being synchronized when attempting to log on to the remote systems.

    My question is: which ports are actually necessary to be opened up between MIIS and the target domain controller? Are the password changes sent to the target domain controller using UDP?

    Any advice is appreciated

    Ram


    Thursday, August 24, 2006 7:10 AM
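A reachability check for the ports in Table 7.1, as an added example that is not part of the original post or of the MIIS documentation it quotes. It is meant to be run on the MIIS server against the target domain controller; the DC name is a hypothetical placeholder. Only the TCP side of each port is probed: a TCP connect says nothing about the UDP variants of 389, 88 and 464, and port 135 only reaches the endpoint mapper, not the dynamic RPC ports it hands out.

```powershell
# Added example (not from the original post or the MIIS documentation):
# probe the TCP side of the Table 7.1 ports from the MIIS server toward the
# target DC. The DC name is a hypothetical placeholder. A plain TCP connect
# cannot exercise UDP 389/88/464, and 135 only reaches the endpoint mapper;
# the dynamic RPC ports it assigns are not probed here.
param(
    [string]$TargetDC  = 'dc1.external.ca',   # hypothetical target domain controller
    [int]   $TimeoutMs = 3000
)

# Ports and purposes copied from the table in the question
$ports = @(
    @{ Port = 389; Purpose = 'LDAP' },
    @{ Port = 88;  Purpose = 'Kerberos authentication' },
    @{ Port = 135; Purpose = 'RPC Endpoint Mapper (dynamic RPC ports may also be needed)' },
    @{ Port = 464; Purpose = 'Kerberos Change Password (kpasswd)' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # WaitOne returns $false on timeout, the usual symptom of a firewall drop rule
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on an active refusal (RST), i.e. nothing listening
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($p in $ports) {
    $open  = Test-TcpPort -ComputerName $TargetDC -Port $p.Port -TimeoutMs $TimeoutMs
    $state = if ($open) { 'open' } else { 'blocked/closed' }
    '{0,5}/tcp  {1,-15} {2}' -f $p.Port, $state, $p.Purpose
}
```

A connect that times out points at a filtering firewall, while one that fails immediately points at a closed port on the DC; the two need different fixes. Because the table lists UDP for three of the four ports, a clean TCP result does not by itself rule the firewall out.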

Answers

  • Hi,

    Have you enabled logging to get more information for troubleshooting?

    PCNS

    For PCNS, four logging levels are controlled by adding the EventLogLevel (REG_DWORD) entry to the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters

    ·         0 = Minimal logging

    ·         1 = Normal logging (default)

    ·         2 = High logging

    ·         3 = Verbose logging

    MIIS 2003

    For MIIS 2003, four logging levels are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\miiserver\Logging

    ·         0 = Minimal logging

    ·         1 = Normal logging (default)

    ·         2 = High logging

    ·         3 = Verbose logging

     

    Thursday, August 24, 2006 8:06 AM
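The two registry settings above applied and read back with PowerShell, as an added example that is not the reply's own code. The service key names PCNSSVC and miiserver are taken from the registry paths quoted in the reply; that a service restart is needed before the new level takes effect is an assumption, so the restart is opt-in. Reading the value kind back matters because the guide calls for REG_DWORD, and a value typed in by hand as REG_SZ "3" is a different type.

```powershell
# Added example (not the reply's own code): set the PCNS and MIIS 2003
# password-sync logging levels described above and read them back.
# Service key names PCNSSVC and miiserver come from the registry paths in the
# reply; needing a service restart for the level to take effect is an
# assumption, so the restart is opt-in via -Restart.
param([switch]$Restart)

$levels = @{ 0 = 'Minimal'; 1 = 'Normal (default)'; 2 = 'High'; 3 = 'Verbose' }

function Set-PwdSyncLogLevel {
    param(
        [string]$ServiceName,   # PCNSSVC on a DC, miiserver on the MIIS server
        [string]$SubKey,        # Parameters for PCNS, Logging for MIIS
        [string]$ValueName,     # EventLogLevel or FeaturePwdSyncLogLevel
        [int]$Level
    )
    if (-not $levels.ContainsKey($Level)) { throw "Level must be 0-3, got $Level" }
    $serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $serviceKey)) {
        Write-Warning "$ServiceName is not installed on this machine; skipping"
        return $null
    }
    $key = Join-Path $serviceKey $SubKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The guide specifies REG_DWORD; a REG_SZ "3" is a different value type.
    New-ItemProperty -Path $key -Name $ValueName -Value $Level -PropertyType DWord -Force | Out-Null
    $item = Get-Item $key
    New-Object PSObject -Property @{
        Key   = $key
        Name  = $ValueName
        Value = $item.GetValue($ValueName)
        Kind  = $item.GetValueKind($ValueName)   # expect DWord
        Label = $levels[$Level]
    }
}

# PCNS on a domain controller
$pcns = Set-PwdSyncLogLevel -ServiceName PCNSSVC   -SubKey Parameters -ValueName EventLogLevel          -Level 3
# MIIS 2003 on the synchronization server
$miis = Set-PwdSyncLogLevel -ServiceName miiserver -SubKey Logging    -ValueName FeaturePwdSyncLogLevel -Level 3

$pcns, $miis | Where-Object { $_ } | Format-Table Name, Value, Kind, Label, Key -AutoSize

if ($Restart) {
    foreach ($svc in 'PCNSSVC', 'miiserver') {
        if (Get-Service $svc -ErrorAction SilentlyContinue) { Restart-Service $svc }
    }
}
```

Run the script on each DC that has PCNS installed and once on the MIIS server; whichever service key is absent is skipped. Drop the level back to 1 once the problem is isolated, since verbose password-sync logging writes a record per notification.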

All replies

  • The PCNS event only indicates that the password was delivered to the MIIS server.  You can turn logging up on the MIIS server to see if the password was delivered to the connected systems.  Here are the instructions from the password sync step-by-step doc:

    MIIS 2003

    For MIIS 2003, four logging levels are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\miiserver\Logging

    ·         0 = Minimal logging

    ·         1 = Normal logging (default)

    ·         2 = High logging

    ·         3 = Verbose logging

    For a complete listing of PCNS and MIIS 2003 password change event messages, see MIIS 2003 Help.

    Here's a sample of what you'll see in the MIIS event log:

    Event Type: Information
    Event Source: MIIServer
    Event Category: Password Synchronization
    Event ID: 6907
    Date:  8/9/2006
    Time:  5:27:07 PM
    User:  N/A
    Computer: MIISLAB
    Description:
    A password notification was successfully staged for synchronization.
     
    Additional information:
    Reference ID: {86DD0D12-9847-4E11-BC4D-43D8DBB2DA1E}
    Target Object GUID: {FC863053-1E47-4CC7-BE9A-8C3BB5D942B1}
    Target MA Name: ADMA External FHA
    Target DN: CN=testpwd,OU=ExtranetUsers,DC=external,DC=ca

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Thursday, August 24, 2006 1:24 PM
  • Thanks Danny and Craig,

    Verbose logging allowed me to isolate and resolve my problems. Basically, there was a password timestamp conflict with that one user which prevented the password changes from being delivered to the target destination.

    The following is the example event, as logged within MIIS:

    Description:
    A password notification was received but was not processed because the timestamp was out of date. This could be caused by the Domain Controller sending password changes out of order.
     
    Additional information:
    Last password timestamp: 2007-02-11 16:29:43.497
    Current password timestamp: 2006-08-24 08:20:06.045
    Reference ID: {BCCA82EC-61E6-4222-BC11-F70479F6DCA4}
    Source Object GUID: {2FC69CA8-BC28-49E9-97BA-37A22D61ADF2}
    Source DN: ADAM Internal MA

    Thanks for the help.

    Ram

    Thursday, August 24, 2006 3:47 PM
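The timestamp-conflict event quoted above, read by a small parser: an added example that is not part of the original post. The description text is constructed from the values in the post, and the event time passed in is an assumed value. Besides reporting that the notification was older than the stored timestamp, it flags a stored "last" timestamp that lies ahead of the event's own clock, which is what the values above show (a last timestamp in February 2007 in an event logged in August 2006); while that stored value stands, every later change for the user is rejected as out of date.

```powershell
# Added example (not part of the original thread): parse the MIIS
# "timestamp was out of date" event description and report why the
# notification was dropped. Sample text is constructed from the values in
# the post above; the event time used for the clock check is an assumption.
function Get-PwdSyncTimestampConflict {
    param(
        [string]$Description,
        [datetime]$EventTime = (Get-Date)
    )
    $fmt = 'yyyy-MM-dd HH:mm:ss.fff'   # format used in the MIIS event text
    $inv = [Globalization.CultureInfo]::InvariantCulture
    $last = [regex]::Match($Description, 'Last password timestamp:\s*(\S+ \S+)').Groups[1].Value
    $curr = [regex]::Match($Description, 'Current password timestamp:\s*(\S+ \S+)').Groups[1].Value
    if (-not $last -or -not $curr) { return $null }   # not a timestamp-conflict event
    $lastTs = [datetime]::ParseExact($last, $fmt, $inv)
    $currTs = [datetime]::ParseExact($curr, $fmt, $inv)
    New-Object PSObject -Property @{
        LastTimestamp    = $lastTs
        CurrentTimestamp = $currTs
        # the event says a notification older than the stored timestamp is not processed
        Dropped          = ($currTs -lt $lastTs)
        # a stored timestamp ahead of the clock blocks every subsequent change
        LastIsInFuture   = ($lastTs -gt $EventTime)
        StaleBy          = $lastTs - $currTs
        SourceDN         = [regex]::Match($Description, 'Source DN:\s*(.+)$', 'Multiline').Groups[1].Value.Trim()
    }
}

# Constructed from the event in the post above
$sample = @"
A password notification was received but was not processed because the timestamp was out of date. This could be caused by the Domain Controller sending password changes out of order.

Additional information:
Last password timestamp: 2007-02-11 16:29:43.497
Current password timestamp: 2006-08-24 08:20:06.045
Reference ID: {BCCA82EC-61E6-4222-BC11-F70479F6DCA4}
Source Object GUID: {2FC69CA8-BC28-49E9-97BA-37A22D61ADF2}
Source DN: ADAM Internal MA
"@

# Assumed event time: a few seconds after the notification's own timestamp
Get-PwdSyncTimestampConflict -Description $sample -EventTime ([datetime]'2006-08-24 08:20:10') |
    Format-List LastTimestamp, CurrentTimestamp, Dropped, LastIsInFuture, StaleBy, SourceDN
```

When LastIsInFuture comes back true, the clock on the DC (or PCNS host) that produced the earlier notification is worth checking before anything else, since the conflict will recur for that user on every change until the stored timestamp is passed or cleared.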
  • Hi Ram,

    I'm glad that your issue was resolved.  I would like to add that in addition to the event logs, you can also troubleshoot problems by querying for password synchronization history information using WMI.  There is an example of this in the Developer's Reference: "Example: Searching for the Password Change History of a User".

    I would be interested to know if this history information is commonly used when troubleshooting PSync issues.  If people could give me feedback on whether or not they use it, I would appreciate it.

    Thanks,

    Dave

    Thursday, August 24, 2006 5:48 PM
  • Dave, I have a related question here: I want to enable MIIS logging and have set
    FeaturePwdSyncLogLevel to 3 under [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\miiserver\Logging],
    but I still cannot get the log. Is there anything else I should be doing?

     

    Thanks
    Prashanth

     

    Thursday, January 24, 2008 1:28 PM
  • I have a similar environment. I wanted to create a mirror test forest. I took a copy of a production DC, isolated it, cleaned it up and used it to have an isolated but identical copy of production.  I then used IIFP to sync changes from production to this isolated lab. I also installed PCNS on the source DCs, enabled password sync on the IIFP/MIIS server and configured it correctly.

     

    Unfortunately, when the password changes reached the IIFP/MIIS server, MIIS did not correctly associate the request with the right MA.  Sometimes it worked fine; other times MIIS reported an error during the password sync. The error is due to the fact that it associates the request with the destination MA instead of the source MA.

     

    I have the same DN for both Internal and External. The password sync works when the Source DN lists the Internal AD and fails when it lists the External AD.

     

    Is there a way to force MIIS to associate a password request with a specific MA instead of letting it pick based on DN?

     

     

    Thanks

     

    Issam Andoni

     

    Tuesday, May 6, 2008 3:31 PM
  • Issam,

    a small hint: although your question is similar to an existing post, it is better to post a new topic if the existing post was answered a while ago.

    As the existing post was marked as answer, your question might get overlooked. 

     

    If you create a new post, provide some details on the errors you get.

    Also check the event viewer for messages and warnings.

    Post them too.

    (Searching this forum with the error info could be a big help, with some luck.)

     

    Also mention the build/version of the MIIS/ILM you're using.

     

    Is your import & sync working correctly?

    Have you correctly set up source and target MAs for password sync?

     

    Kind regards,

    Peter

     

    Tuesday, May 6, 2008 6:52 PM
  • I received a similar event for my domain controller

    Exchange Critical: The Microsoft Operations Manager WMI provider 'PCNS Service stopped: The Password Change Notification Service entered a stopped state.' could not register query "SELECT * FROM __InstanceModificationEvent WITHIN 90 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.Name = 'Password Change Notification Service' AND TargetInstance.State = 'Stopped'". Ensure that the WMI Query is valid. Computer: abcmail\DC Host Info(WorkGroup\Host): DC

     

    I am not sure how to check and validate this issue.

     

    Any suggestions?

    Tuesday, November 9, 2010 2:15 PM
  • Yes, open a new thread, ask a NEW question.

    Although your question is similar to an existing post, it is better to post a new topic if the existing post was answered a while ago.

    As the existing post was marked as answer, your question might get overlooked and you'll not get the attention you deserve. 

    Looking forward to your new thread!
    Kind regards,
    Peter


    Peter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be)

    Tuesday, November 9, 2010 4:44 PM