PCNS

  • Question

  • Hello,

    I have a forest root domain with two child domains. In one of the two child domains I have configured PCNS and ILM. All is working.

    Now I have to add a PCNS in the second child domain and I have to configure the SPN to point to the actual ILM. Will it work?

    thanks

    Monday, July 12, 2010 8:57 AM

Answers

  • No, you have to configure PCNS in the second domain (PCNSCFG addtarget /N:<target> ... ). The SPN is the way the service can find out where the ILM service is implemented ...
    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    Wednesday, July 14, 2010 10:28 AM

All replies

  • Paolo,

    As far as I'm concerned, you only need to register the SPN for the ILM server, which you already did (your PCNS is working in your first child domain). So, all you need to do is install the PCNS service on all your DCs in your second child domain and correctly configure your AD MA.

    While I'm not completely sure (someone please correct me if I'm wrong), I think the PCNS configuration is forest-wide, so you shouldn't need to configure PCNS in your other domains. To be sure, execute "PCNSCFG LIST" on a command prompt of a DC in your second child domain. If it gives you the configuration settings of PCNS, you're all done. Otherwise, just configure it with the same command you did in your first child domain.

    Paul.


    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    Monday, July 12, 2010 9:49 PM
  • Looks like I was wrong: PCNS configuration is stored per domain. You can find the object in your domain in the "Password Change Notification Service" container which is in the System container. There, the information is stored in an object that has the name of your target (which you supplied when you did PCNSCFG addtarget /N:<targetname> ...).

    So, you'll have to repeat the configuration of PCNS in your 2nd child domain. BTW, as you know, the schema extension required for PCNS is already present as schema extensions are forest-wide.

    Paul.


    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    Tuesday, July 13, 2010 7:43 PM
  • Thanks Paul !

    I have verified and I have to configure the SPN anyway, but the schema is obviously already extended. So can I have multiple sources that sync the password to a single destination?

    thanks

    Wednesday, July 14, 2010 7:06 AM
  • You can have multiple sources for password changes and replicate to a single destination. You will obviously need to make sure that you don't have overlaps in your sources (a user that has an account in both sources - technically this works, but will confuse your users) and you also have to make sure that you don't go around in circles (i.e. configuring one or both of your sources as targets).

    I find it strange that you would have to configure the SPN again, unless you have of course multiple ILM servers with multiple service accounts ...


    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    Wednesday, July 14, 2010 10:07 AM
  • This is in the domain that is already working:

    C:\Programmi\Microsoft Password Change Notification>PCNSCFG LIST
    The service configuration is not set. Defaults will be used by the s

    Default Service Configuration
      MaxQueueLength........: 0
      MaxQueueAge...........: 259200 seconds
      MaxNotificationRetries: 0
      RetryInterval.........: 60 seconds

    Targets
      Target Name...........: ilm2007
      Target GUID...........: 449FFA7B-0AAE-4B3C-BF94-210F09B27F06
      Server FQDN or Address: breilmas3s02.agenzie.example.com
      Service Principal Name: PCNSCLNT/breilmas3s02.agenzie.example.com
      Authentication Service: Kerberos
      Inclusion Group Name..: AGENZIE\Domain Users
      Exclusion Group Name..:
      Keep Alive Interval...: 0 seconds
      User Name Format......: 3
      Queue Warning Level...: 0
      Queue Warning Interval: 30 minutes
      Disabled..............: False

    Total targets: 1

    -------------------------------------------------------------------

    And this is in the second child domain:

    C:\Programmi\Microsoft Password Change Notification>PCNSCFG LIST
    The service configuration is not set. Defaults will be used by the service.

    Default Service Configuration
      MaxQueueLength........: 0
      MaxQueueAge...........: 259200 seconds
      MaxNotificationRetries: 0
      RetryInterval.........: 60 seconds

    Targets

    Total targets: 0

     

    So I have to configure the SPN for the second child domain.

    Wednesday, July 14, 2010 10:22 AM
  • No, you have to configure PCNS in the second domain (PCNSCFG addtarget /N:<target> ... ). The SPN is the way the service can find out where the ILM service is implemented ...
    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    Wednesday, July 14, 2010 10:28 AM
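
The per-domain check discussed in this thread, as an added example (not code from any of the posters or from Microsoft): it parses saved `PCNSCFG LIST` output from a DC in each domain and reports domains with no target, disabled targets, and domains whose targets reference different SPNs. The function names, the domain labels and the trimmed sample output are constructed for illustration.

```python
import re

# Constructed samples, trimmed from the PCNSCFG LIST output quoted in the thread.
WORKING = """\
Default Service Configuration
  MaxQueueLength........: 0
  RetryInterval.........: 60 seconds

Targets
  Target Name...........: ilm2007
  Server FQDN or Address: breilmas3s02.agenzie.example.com
  Service Principal Name: PCNSCLNT/breilmas3s02.agenzie.example.com
  Disabled..............: False

Total targets: 1
"""
UNCONFIGURED = "Default Service Configuration\n  MaxQueueLength........: 0\n\nTargets\n\nTotal targets: 0\n"

# "  Key.......: value" -> key without the dot padding, value possibly empty.
FIELD = re.compile(r"^\s+(.+?)\.*: ?(.*)$")

def parse_targets(text):
    """Return one dict per target listed under the 'Targets' heading."""
    targets, in_targets = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Targets":
            in_targets = True
            continue
        if stripped.startswith("Total targets"):
            break
        m = FIELD.match(line) if in_targets else None
        if m:
            if m.group(1) == "Target Name":   # every target block starts here
                targets.append({})
            if targets:
                targets[-1][m.group(1)] = m.group(2).strip()
    return targets

def audit(domains):
    """domains: {label: PCNSCFG LIST output from a DC there}. Returns findings."""
    findings, spns = [], set()
    for name, text in domains.items():
        targets = parse_targets(text)
        if not targets:
            findings.append(f"{name}: no PCNS target configured")
        for t in targets:
            spns.add(t.get("Service Principal Name", "").lower())
            if t.get("Disabled") == "True":
                findings.append(f"{name}: target {t['Target Name']} is disabled")
    if len(spns) > 1:   # expected only with several ILM servers/service accounts
        findings.append("domains reference different SPNs: " + ", ".join(sorted(spns)))
    return findings
```

With the two outputs posted above, `audit({"child1": WORKING, "child2": UNCONFIGURED})` reports only the second child domain as lacking a target.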