Knowledge bit: PCNS troubleshooting check list RRS feed

  • General discussion

  •   ILM/FIM Knowledge Bit

    This article applies to MIIS, ILM and FIMSync, which will be further referenced as "sync engine".

    Reference documents:
    (1) Implementing the Automated Password Synchronization Solution - Step-by-Step
    (2) Automated Password Synchronization Solution Guide for MIIS 2003 (download here)
    (3) Microsoft Identity Integration Server 2003 Scenarios with (MIIS 2003 walkthrough: Password Synchronization doc (4)
    (5) Password Synchronization Port Settings (in management agent  port, rights and permissions, download here)
    (6) Sync engine Help

    - Verifiy the requirements for forest trusts. Also verify forest and domain levels (cannot be mixed mode).

    • Cfr. reference (2): "/../ In an optimal configuration, PCNS and MIIS 2003 are in the same forest because they authenticate to each other using Kerberos authentication. PCNS and MIIS 2003 can be in different forests only if the forests have cross-forest trusts. /../"

    - Make sure the PCNS schema update has been installed and replicated properly

    - Verify AD replication, DC diagnostics (dcdiag) and network diagnostics (netdiag)

    - Enable verbose logging for PCNS and the sync engine

    • see paragraph "Setting Log Levels" in the pwd sync walkthrough doc

    - Verify clock setting / time skew between password source, password target and sync engine server

    - Verify DNS name resolution. PCNS must be able to find the sync engine

    - Verify PCNS port settings and availability, cfr. (5)

    - Verify firewall configuration, between servers or on the servers themselves

    - Verify PCNS configuration (check for the details on server, service, service account naming)

    • use "Pcnscfg LIST" command, see the step-by-step guide (1)

    - Verify SPN configuration

    • use setspn –L <MIIS service account>, see the step-by-step guide (1)

    - Check if password sync has been enabled on sync engine server (Tools > options)

    - Check if password source MA (AD MA) has been configure properly

    - Check if password target MA has been configured properly for password change

    Finally, search the ILM and FIM forums for specific error messages and keyword combinations, some hints for example:
    - "target could not be authenticated" (on ILM vs. FIM forum)
    - "exceeded the maximum retry limit" (on ILM vs FIM forum)
    - PCNS "RPC server is unavailable" (on ILM vs FIM forum)
    - PCNS "forest trust" (on ILM vs FIM forum)
    - ...

    More details at: Technet Wiki page on PCNS Troubleshooting


    Go to the ILM Knowledge Bit Collection

    Go to the FIM Knowledge Bit Collection

    Peter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be)

    [If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post.
    By marking a post as Answered or Helpful, you help others find the answer faster.]
    Wednesday, October 13, 2010 9:53 PM