Password Synchronization error

  • Question

  • Hi!

    I get the following error when trying to do password sync between 2 ADs

    ________________________________________________________________________

    An unexpected error has occurred during a password set operation.

     "BAIL: MMS(3304): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)

    BAIL: MMS(3304): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)

    BAIL: MMS(3304): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)

    ERR_: MMS(3304): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2

    BAIL: MMS(3304): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

    BAIL: MMS(3304): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

    ERR_: MMS(3304): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2

    BAIL: MMS(3304): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

    BAIL: MMS(3304): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

    ERR_: MMS(3304): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2

    BAIL: MMS(3304): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

    BAIL: MMS(3304): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

    ERR_: MMS(3304): admaexport.cpp(4207): The Kerberos change operation failed: 0xc000005e

    ERR_: MMS(3304): ..\ma.cpp(8531): ExportPasswordSet failed with 0x80004005

    Forefront Identity Manager 4.4.1302.0"

    _______________________________________________________________

    The MIM server is located in the source domain.

    I have tried resetting passwords in the destination domain with ADSIEDIT, using the account also used by the MA. That works.

    The name lookup to the destination domain is done through a manual DNS zone, where 2 manual A records have been created for the 2 DCs. Import from the AD works fine.

    There is a firewall between the MIM server and the destination domain, but there are no entries with blocked traffic. The following ports are open:

    TCP/UDP 389, 636 (LDAP, LDAP-SSL)
    TCP 3268-3269 (GC, GC SSL)
    UDP 53 (DNS)
    TCP/UDP 88 (Kerberos)
    TCP Dynamic (RPC) 1024+
    TCP/UDP 464 (Kerberos Change/Set Password)
    TCP 445 (CIFS/MICROSOFT-DS)

    Any ideas what is causing this error?

    Cheers, Søren.


    Thursday, July 20, 2017 8:15 AM

All replies

  • ERR_: MMS(3304): admaexport.cpp(4207): The Kerberos change operation failed: 0xc000005e

    ERR_: MMS(3304): ..\ma.cpp(8531): ExportPasswordSet failed with 0x80004005

    Make sure that your FIMService MA has appropriate rights - it is in FIMSyncPasswordSet and FIMSyncBrowse groups and you've configured DCOM and WMI rights as you should have.

    Also, if FIMSync and FIMService are on separate boxes, please make sure that FIMService is able to logon to FIMSync box.

    You'll easily find links on how to set all those permissions.


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Thursday, July 20, 2017 12:02 PM
  • Hi!

    It is not SSPR, but password synchronization. There is no FIMService involved.

    /Søren

    Thursday, July 20, 2017 1:35 PM
  • Ah sorry, missed that.

    Please check in AD (where FIM is installed) that:
    • 1. Find the FIM server object in AD and check in Security that you allow PCNSDOMAIN\Domain Controllers to Read and Allowed to authenticate on the FIM server object in AD
    • 2. Find the FIM Sync service account object in AD and check in Security that you allow PCNSDOMAIN\Domain Controllers to Read and Allowed to authenticate on the FIM Sync service account object in AD
    • 3. In GPEDIT.msc on the FIM server, check that Computer Configuration -> Windows Settings -> Security Settings -> User Rights Assignment -> "Access this computer from the network" contains the group PCNSDOMAIN\Domain Controllers
    • 4. In the domain policy, check that you have the same group in "Default Domain Controllers Policy" -> Computer Configuration -> Windows Settings -> Security Settings -> User Rights Assignment -> "Access this computer from the network" -> PCNSDOMAIN\Domain Controllers
    • 5. In PCNSDOMAIN -> Default Domain Controllers Policy -> Computer Configuration -> Administrative Templates -> System -> Kerberos -> Enabled: "FIM.DOMAIN.COM"

    This is my checklist of things for setting new PCNS connectivity from domain PCNSDOMAIN to FIM installed in FIM.DOMAIN.COM.



    Thursday, July 20, 2017 2:02 PM
  • Hi Dominik.

    These are all permissions for sending the password to the MIM Sync server. The problem lies in setting the password in the destination domain.

    /Søren

    Friday, July 21, 2017 8:22 AM
  • Hi Dominik.

    These are all permissions for sending the password to the MIM Sync server. The problem lies in setting the password in the destination domain.

    /Søren

    So please check the effective permissions that the ADMA service account has on the test account, as it seems one of the two required permissions (reset password, unlock account) is missing.



    Saturday, July 22, 2017 7:57 PM
  • Hi Soren,

    Did you find the solution to your problem?

    I have exactly the same stack trace in my Event Viewer... PCNS messages are sent successfully to MIM, but MIM fails to update the target domain (Event ID = 6329, same error message).

    Thanks,

    Matthieu

    Friday, February 23, 2018 10:50 AM
  • Ok we found the problem, port TCP 464 was blocked by the firewall.

    (note that this technet article says only UDP is needed:

    https://social.technet.microsoft.com/wiki/contents/articles/1597.troubleshooting-pcns.aspx

    This is wrong...)

    Friday, February 23, 2018 1:12 PM
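Since the thread ends with TCP 464 turning out to be the blocked port, here is an added check (written for this page, not code from any poster or from MIM) to run from the MIM Sync server: it resolves each destination DC (the environment above relies on manually created A records) and probes the TCP ports the original question lists, flagging 464/TCP separately because the Kerberos password set path depends on it. The DC hostnames are placeholders; UDP ports and the dynamic RPC range are listed but cannot be probed with Test-NetConnection.

```powershell
# Added example, not from the thread. Replace the placeholders with the two
# destination DCs from the manual DNS zone before running on the MIM Sync server.
$DestinationDCs = @('dc1.destination.example', 'dc2.destination.example')

# TCP ports from the original post, with the service each carries.
$TcpPorts = @(
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 445;  Service = 'SMB / CIFS' },
    @{ Port = 464;  Service = 'Kerberos change/set password (kpasswd)' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
)
# Also required per the post but not testable with a TCP probe.
$NotProbed = 'UDP 53 (DNS), UDP 88 (Kerberos), UDP 464 (kpasswd), TCP dynamic RPC range'

function Test-DestinationDc {
    param([string]$Dc)
    # Name resolution first: a missing or wrong manual A record fails everything after it.
    try {
        $ip = (Resolve-DnsName -Name $Dc -Type A -ErrorAction Stop | Select-Object -First 1).IPAddress
    } catch {
        Write-Warning "$Dc does not resolve: $($_.Exception.Message)"
        return
    }
    foreach ($entry in $TcpPorts) {
        $probe = Test-NetConnection -ComputerName $Dc -Port $entry.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $Dc
            IP      = $ip
            Port    = $entry.Port
            Service = $entry.Service
            Open    = $probe.TcpTestSucceeded
        }
    }
}

$results = $DestinationDCs | ForEach-Object { Test-DestinationDc -Dc $_ }
$results | Format-Table DC, IP, Port, Service, Open -AutoSize

# ExportPasswordSet drives a Kerberos change operation, which needs 464/TCP reachable.
$blocked464 = @($results | Where-Object { $_.Port -eq 464 -and -not $_.Open })
if ($blocked464.Count -gt 0) {
    Write-Warning ("TCP 464 is not reachable on: " + ($blocked464.DC -join ', ') +
        ". Password set to the destination domain will fail as described in this thread.")
}
"Not probed here (verify on the firewall): $NotProbed"
```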