MIM 2016 Password Synchronization

  • Question

  • Hi,

    Currently we have three forests (A, B and C). We are in the middle of Active Directory Migration and Forest C is our centralized AD where all of the accounts will be placed. MIM server joined to Forest C. We enabled password synchronization from Forest A->C and B->C. Everything is working.

    Then we enabled password synchronization from C->A and C->B.

    C->A is working. Password changes can be synced over successfully. But C->B is somehow not working.

    We are using MA account which is member of domain admin and have full access on OU and accounts. There is no firewall between Forest C and Forest B.

    Here is the error that we are getting.

    Could you advise us what needs to be checked?

    Cheers.

    Tuesday, December 20, 2016 7:22 AM

Answers

  • https://social.technet.microsoft.com/Forums/en-US/e1a45b75-5c14-42b2-895d-995ae79e17f7/an-unexpected-error-has-occured-during-a-password-set-operation?forum=identitylifecyclemanager

    Suggests that you double check you have the appropriate service principal name configured for PCNS.

    https://social.technet.microsoft.com/Forums/en-US/111cfea7-20ad-4222-a4cb-9890912e878d/pcns-failing-to-sync-passwords?forum=ilm2

    Suggests enabling Kerb logging on the domain controllers in the target forest.

    https://social.technet.microsoft.com/Forums/en-US/1c500697-5ca3-4d78-a4ee-5af30ed80121/the-server-encountered-an-error-while-attempting-to-perform-a-setchange-password-operation?forum=ilm2

    This one got the exact same Kerberos error and the issue was resolved with a hotfix to Windows Server 2008 or 2008 R2 Domain Controllers (there had been a special restore scenario involving the krbtgt account).

    I would start by double checking the SPN for PCNS. The key thing is to ensure that the PCNS config on the domain controllers matches the SPN configured for MIM sync.

    Here is a snippet from my book:

    SETSPN -S PCNSCLNT/FIMSyncServer.snappyslackers.com Exchange\svc_fim_sync

    Code Fragment 611 – SetSPN command for FIM Sync

    PCNSCLNT is just a name that someone picked out and included in a document. You can use something different just so long as you use the same name when you configure PCNS using PCNSCFG.exe.

    FIMSyncServer.snappyslackers.com is the FQDN of the FIM Sync Server.

    Svc_fim_sync is the name of the service account running FIM Sync.

    Setting up an SPN to support PCNS is a must to make it work as the Domain Controllers that capture the passwords must use Kerberos to authenticate to the FIM Sync Server.


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    • Marked as answer by KHnin Wednesday, December 21, 2016 6:59 AM
    Tuesday, December 20, 2016 3:14 PM
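The two things David says must agree (the SPN registered on the sync service account, and the SPN that PCNS on the capturing DC is configured to use) can be checked with a script like the one below. This is an added example, not code from the thread or from the book; the FQDN, account and domain names are placeholders taken from the book snippet, and it assumes that pcnscfg.exe LIST prints each configured target together with its SPN.

```powershell
# Added check (not from the thread): run on a DC in the source forest that captures
# passwords. Verifies that the PCNS SPN exists exactly once, on the sync service
# account, in the forest where MIM Sync lives, and that pcnscfg.exe targets the same SPN.
param(
    [string]$SyncServerFqdn   = 'FIMSyncServer.snappyslackers.com', # placeholder from the book snippet
    [string]$ServiceAccount   = 'svc_fim_sync',                     # placeholder sAMAccountName
    [string]$SyncForestDomain = 'snappyslackers.com',               # placeholder: domain holding the account
    [string]$SpnService       = 'PCNSCLNT'                          # must match the name given to PCNSCFG
)

$spn = "$SpnService/$SyncServerFqdn"

# 1. Who holds the SPN? The search root is the sync server's forest, not this DC's
#    domain, because the SPN belongs to the account MIM Sync runs as (assumes the
#    trust allows this DC to query that domain).
$searcher = [adsisearcher]"(servicePrincipalName=$spn)"
$searcher.SearchRoot = [adsi]"LDAP://$SyncForestDomain"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
$owners = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })

switch ($owners.Count) {
    0 {
        Write-Warning "SPN $spn is not registered on any account. Register it with:"
        Write-Warning "  setspn -S $spn <domain>\$ServiceAccount"
    }
    1 {
        if ($owners[0] -ieq $ServiceAccount) {
            Write-Host "OK: $spn is registered on $ServiceAccount"
        } else {
            Write-Warning "SPN $spn is on '$($owners[0])', not on $ServiceAccount; Kerberos will issue a ticket for the wrong account"
        }
    }
    default {
        # A duplicate SPN makes the KDC unable to choose an account; the DC then fails the Kerberos step.
        Write-Warning "Duplicate SPN: $spn is held by $($owners -join ', '). Remove the extras with setspn -D."
    }
}

# 2. Does PCNS on this DC target the same SPN string? Any difference (service name,
#    host name, trailing dot) breaks mutual authentication to the sync server.
$pcnsOutput = & pcnscfg.exe LIST 2>&1
if ($pcnsOutput -match [regex]::Escape($spn)) {
    Write-Host "OK: pcnscfg target SPN matches $spn"
} else {
    Write-Warning "pcnscfg.exe LIST does not show $spn; fix it with pcnscfg.exe MODIFYTARGET so the target SPN matches exactly"
}
```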

All replies

  • Thank you for the reply.

    The issue is resolved by installing the above hotfix.

    Wednesday, December 21, 2016 6:59 AM