none
PCNS Password Sync with FIM 2010 over firewall - ports must have changed since MIIS RRS feed

  • Question

  • Hi,

    I had to migrate from MIIS/ILM to FIM 2010. I got a new server, so old and new servers were running in parallel. New server, new SPN, new PCNS target.

    We have two domains in our forest that are protected by a firewall: Traffic toward these domains is fully enabled, but traffic from there needs to be enabled on the firewall. Both MIIS and FIM are member in another domain, but we only have one forest, so there is no trust issue. The protected domain controllers can fully communicate with the DCs of the domain where the FIM is located.

    So my first choice was to simply "copy" the firewall rules that were assigned to the old MIIS to the new FIM.

    In the internet and also from a MS FIM expert I got the info that the ports didnt change since MIIS. So the documentation "Management Agent Communication Ports, Rights, and Permissions" should have been ok.

    But it wasnt.

    The documentation says that I need the ports 135, 5000-5100 and maybe 57500-57520 (I say "maybe" because with our old MIIS we didnt need this range, but to be on the safe side I've added them to new rules).
    I got the copy of the existing (and working!) firewall rules implemented. I have switched over to the new PCNS target.

    But I got the error event 6025 on the protected DCs: "The password change notification target could not be contacted."

    Finally it worked after I requested to open all ports from the protected DCs towards FIM.
    Firewall log said:  <IP of dc>/57602 to <IP of FIM>/61857
    Which means: The dc needed port 61857 on the FIM server. Such a port range is not documented within FIM at Microsoft.

    So my conclusion is that the ports used by PCNS must have changed since MIIS, but this is not documented officially.

    When we installed the DCs behind the firewall we didnt change any PCNS config, just executed the MSI.
    The DCs and the FIM server are all running Server 2008 R2 SP1.

    Can someone confirm this or am I wrong?

    Thanks
    Walter

    Wednesday, April 3, 2013 1:43 PM

Answers

All replies

  • This is most likely a general Windows RPC issue and not specific to FIM -- the dynamic port range changed between Server 2003 and Server 2008, from 1025-5000, to 49152 and up.

    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    Wednesday, April 3, 2013 3:00 PM
  • Hi Steve,

    hmm, I can't agree.
    In the documentation about the ports there are tables for several management agents and, at last, also for "Password Synchronization Port Settings":

    Dynamic RPC ports (PCNS)  ->  TCP  ->  5000 - 5100

    So Microsoft tells explicitely the ports used. The doc was written for MIIS, but MS directs to it also when it's about FIM:

    I think that the ports used with FIM have changed since MIIS.

    Friday, April 5, 2013 2:43 PM
  • Sounds like a documentation gap - I will forward this thread along.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Marked as answer by WalterFMB Tuesday, April 9, 2013 11:40 AM
    Friday, April 5, 2013 3:27 PM
    Moderator
  • Hi Brian,

    that would be great.

    Thank you.

    Walter

    Tuesday, April 9, 2013 11:40 AM