FIMSynchronizationService

  • Question

  • An unexpected error has occurred during a password set operation.

    "BAIL: MMS(9408): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)

    BAIL: MMS(9408): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)

    BAIL: MMS(9408): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)

    ERR_: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2

    BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

    BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

    ERR_: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2

    BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

    BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

    ERR_: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2

    BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

    BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

    ERR_: MMS(9408): admaexport.cpp(4230): The Kerberos change operation failed: 0xc000005e

    ERR_: MMS(9408): ..\ma.cpp(8531): ExportPasswordSet failed with 0x80004005

    Forefront Identity Manager 4.4.1749.0"

    Hi,

    I have read the forums looking for a solution to the above problem but have not yet found the solution.

The scenario is as follows:
    There are 3 different domains connected by VPN to each Domain Controller.
    The FIM Server is new and is on Domain1.
    When we create a new user in the Portal, in the Domain Controller of Domain1 the user appears correctly created, but in the others it is created but appears inactive.
    When we run the Reset Password on the Domain Controller of Domain1, the Event Viewer of the FIM server gives the above error.
    The users used for agent synchronization are Domain Admins (temporary permissions).
    The firewalls of the servers are turned off and the VPN allows any port.
    We tested a PowerShell script and were able to change the password of any Domain2 user from Domain1.
    Does anyone have a tip or question that might help solve the problem?

    Thank you

    Tuesday, January 29, 2019 5:41 PM

All replies

  • Bruno-

    The error code (0xc000005e) translates to this:

    # for hex 0xc000005e / decimal -1073741730 :
      STATUS_NO_LOGON_SERVERS                                       ntstatus.h
    # There are currently no logon servers available to service
    # the logon request.
    # 1 matches found for "0xc000005e"

    FIM uses Kerberos to set the password. If kpasswd (TCP/UDP 464) is blocked, it will fail. I would recommend taking a network trace while you reproduce the error. I suspect it's this or a DNS or connectivity problem.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Wednesday, January 30, 2019 12:54 AM
    Moderator
  • Hi,

I used a script to test the open ports; the result follows below:

TCP Port 135                   True
    TCP Port 3268                  True
    TCP Port 3269                  True
    TCP Port 389                   True
    TCP Port 464                   True
    TCP Port 53                    True
    TCP Port 636                   True
    TCP Port 88                    True
    UDP Port 3268
    UDP Port 3269
    UDP Port 464

The DNS is written manually in the hosts file; for the domain the FIM machine is joined to it works, but for the remote domains it fails.

    Wednesday, January 30, 2019 10:51 AM
  • The hosts file is your problem. FIM is calling into DC Locator and that's not going to work without the full suite of DNS records AD uses. You may be able to work around this and set a preferred domain controller on the AD MA but I've never tested that. 

    Thanks,
    Brian

    Consulting | Blog | AD Book

    Wednesday, January 30, 2019 2:57 PM
    Moderator
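As an added illustration of Brian's point (not a script from the thread or from FIM), the following PowerShell checks whether the SRV records DC Locator depends on actually resolve for a remote domain, and then tests the Kerberos, kpasswd and LDAP ports on the domain controllers those records return. The domain name is a placeholder assumption; replace it with the remote domain.

```powershell
# Added example (not from the thread): verify the DNS SRV records DC Locator needs
# for a remote domain, then test the ports the AD MA password set relies on.
# Assumption: the domain below is a placeholder, not a value from the thread.
param(
    [string]$Domain = 'domain2.example'
)

# SRV records DC Locator and the Kerberos password change look up. A hosts file
# or a single A record cannot satisfy these lookups, so FIM keeps failing.
$srvRecords = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # DC Locator: which hosts are DCs
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._udp.$Domain",
    "_kpasswd._tcp.$Domain",             # Kerberos password change (TCP 464)
    "_kpasswd._udp.$Domain"
)

$targets = @{}
foreach ($name in $srvRecords) {
    $answer = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' }
    if (-not $answer) {
        Write-Warning "MISSING  $name"
        continue
    }
    foreach ($rec in $answer) {
        Write-Host ("OK       {0} -> {1}:{2}" -f $name, $rec.NameTarget, $rec.Port)
        $targets[$rec.NameTarget] = $true
    }
}

# Ports the password set path needs: Kerberos (88), kpasswd (464), LDAP (389).
foreach ($dc in $targets.Keys) {
    foreach ($port in 88, 464, 389) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port `
                   -WarningAction SilentlyContinue).TcpTestSucceeded
        $state = if ($ok) { 'OPEN' } else { 'CLOSED' }
        Write-Host ("{0,-8} {1}:{2}" -f $state, $dc, $port)
    }
}

# Independent check: ask DC Locator itself, which is what FIM calls into.
nltest /dsgetdc:$Domain /kdc
```

Any MISSING line, or an nltest failure, means DC Locator cannot find a KDC for that domain, which matches the STATUS_NO_LOGON_SERVERS result quoted above.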
  • Hi Brian,

I added a new zone in the Domain1 DNS with the name Domain2.com, added a Host record with the IP address of the Active Directory server of Domain2.com, and I get a response on the FIM server if I query _kpasswd._udp / _tcp.Domain2, but FIM continues to report the same error.

    The preferred domain controller is xpto.Domain2.com in Agent.

_tcp: _gc | _kerberos | _kpasswd | _ldap

    _udp: _kerberos | _kpasswd

    Thursday, January 31, 2019 4:55 PM