Troubleshoot Password Change Notification Service from Forefront Identity Manager

This article applies to MIIS, ILM and FIMSync, referred to below as the "sync engine".
- Verify the requirements for forest trusts. Also, verify forest and domain levels (cannot be mixed mode).
- Make sure the PCNS schema update has been installed and replicated properly.
| CN | ID |
|---|---|
| MS-MIIS-PCNS-Target | 1.2.840.113556.1.5.249 |
| MS-MIIS-PCNS-Service | 1.2.840.113556.1.5.250 |
| MS-MIIS-PCNS-TargetGUID | 1.2.840.113556.1.4.1895 |
| MS-MIIS-PCNS-TargetSPN | 1.2.840.113556.1.4.1896 |
| MS-MIIS-PCNS-TargetServer | 1.2.840.113556.1.4.1897 |
| MS-MIIS-PCNS-TargetAuthenticationService | 1.2.840.113556.1.4.1898 |
| MS-MIIS-PCNS-TargetUserNameFormat | 1.2.840.113556.1.4.1899 |
| MS-MIIS-PCNS-TargetKeepAliveInterval | 1.2.840.113556.1.4.1900 |
| MS-MIIS-PCNS-TargetDisabled | 1.2.840.113556.1.4.1901 |
| MS-MIIS-PCNS-TargetEncryptionKey | 1.2.840.113556.1.4.1902 |
| MS-MIIS-PCNS-ServiceMaxQueueLength | 1.2.840.113556.1.4.1903 |
| MS-MIIS-PCNS-ServiceMaxQueueAge | 1.2.840.113556.1.4.1904 |
| MS-MIIS-PCNS-ServiceMaxNotificationRetries | 1.2.840.113556.1.4.1905 |
| MS-MIIS-PCNS-ServiceRetryInterval | 1.2.840.113556.1.4.1906 |
| MS-MIIS-PCNS-TargetExclusionSID | 1.2.840.113556.1.4.1908 |
| MS-MIIS-PCNS-TargetInclusionSID | 1.2.840.113556.1.4.1909 |
| MS-MIIS-PCNS-TargetQueueWarningLevel | 1.2.840.113556.1.4.1911 |
| MS-MIIS-PCNS-TargetQueueWarningInterval | 1.2.840.113556.1.4.1912 |
- Verify AD replication, DC diagnostics (dcdiag) and network diagnostics (netdiag)
- Verify PCNS has been installed on all AD domain controllers (See: Step 1: Install PCNS on All Active Directory Domain Controllers in the Implementing the Automated Password Synchronization Solution – Step-by-Step guide.)
- Enable verbose logging for PCNS and the sync engine
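For PCNS, the logging level is set with the EventLogLevel (REG_DWORD) entry in the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters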
0 = Minimal logging
1 = Normal logging (default)
2 = High logging
3 = Verbose logging
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters" /v EventLogLevel /t REG_DWORD /d 3
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\miiserver\Logging
For MIIS 2010, four logging levels are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FimSynchronizationService\Logging
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FIMSynchronizationService\Logging" /v FeaturePwdSyncLogLevel /t REG_DWORD /d 3
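One way to carry out the schema check from the step "Make sure the PCNS schema update has been installed and replicated properly" is to query the schema partition on every domain controller and compare each object's OID with the CN/ID list given in that step. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is available, covers only the domain controllers of the current domain, and reads the OID from `governsID` (classes) or `attributeID` (attributes).

```powershell
# Added example: verify PCNS schema objects on each DC against the article's CN/ID list.
# Assumes the ActiveDirectory module (RSAT) and read access to the schema partition.
Import-Module ActiveDirectory

# CN -> OID pairs copied from the article.
$expected = [ordered]@{
    'MS-MIIS-PCNS-Target'                        = '1.2.840.113556.1.5.249'
    'MS-MIIS-PCNS-Service'                       = '1.2.840.113556.1.5.250'
    'MS-MIIS-PCNS-TargetGUID'                    = '1.2.840.113556.1.4.1895'
    'MS-MIIS-PCNS-TargetSPN'                     = '1.2.840.113556.1.4.1896'
    'MS-MIIS-PCNS-TargetServer'                  = '1.2.840.113556.1.4.1897'
    'MS-MIIS-PCNS-TargetAuthenticationService'   = '1.2.840.113556.1.4.1898'
    'MS-MIIS-PCNS-TargetUserNameFormat'          = '1.2.840.113556.1.4.1899'
    'MS-MIIS-PCNS-TargetKeepAliveInterval'       = '1.2.840.113556.1.4.1900'
    'MS-MIIS-PCNS-TargetDisabled'                = '1.2.840.113556.1.4.1901'
    'MS-MIIS-PCNS-TargetEncryptionKey'           = '1.2.840.113556.1.4.1902'
    'MS-MIIS-PCNS-ServiceMaxQueueLength'         = '1.2.840.113556.1.4.1903'
    'MS-MIIS-PCNS-ServiceMaxQueueAge'            = '1.2.840.113556.1.4.1904'
    'MS-MIIS-PCNS-ServiceMaxNotificationRetries' = '1.2.840.113556.1.4.1905'
    'MS-MIIS-PCNS-ServiceRetryInterval'          = '1.2.840.113556.1.4.1906'
    'MS-MIIS-PCNS-TargetExclusionSID'            = '1.2.840.113556.1.4.1908'
    'MS-MIIS-PCNS-TargetInclusionSID'            = '1.2.840.113556.1.4.1909'
    'MS-MIIS-PCNS-TargetQueueWarningLevel'       = '1.2.840.113556.1.4.1911'
    'MS-MIIS-PCNS-TargetQueueWarningInterval'    = '1.2.840.113556.1.4.1912'
}

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$dcs      = Get-ADDomainController -Filter *   # DCs of the current domain only

$report = foreach ($dc in $dcs) {
    foreach ($cn in $expected.Keys) {
        # Query this DC's own replica so a replication gap shows up per server.
        $obj = Get-ADObject -Server $dc.HostName -SearchBase $schemaNC -SearchScope OneLevel `
            -LDAPFilter "(cn=$cn)" -Properties attributeID, governsID
        # Class objects carry governsID, attribute objects carry attributeID.
        $oid = if ($obj) { @($obj.governsID, $obj.attributeID) | Where-Object { $_ } | Select-Object -First 1 }
        [pscustomobject]@{
            DC = $dc.HostName; CN = $cn; Expected = $expected[$cn]; Found = $oid
            Status = if (-not $obj) { 'Missing' } elseif ($oid -eq $expected[$cn]) { 'OK' } else { 'Mismatch' }
        }
    }
}

# Show only the objects that are absent or carry an unexpected OID.
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count) { $bad | Format-Table -AutoSize } else { 'PCNS schema objects match on all queried DCs.' }
```

A `Missing` row on some domain controllers but not others points to replication rather than to the schema update itself.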
Finally, search the ILM and FIM forums for specific error messages and keyword combinations. Some hints, for example: