We are having a password sync problem after putting on hotfix 4.1.3613.0 (http://support.microsoft.com/kb/3011057). Originally we were on 4.1.3441.0. We put on two patches to bring us to the latest: 4.1.3510.0, then 4.1.3613.0.
Structure of AD is:
company.com (forest)
d1.company.com (domain)
d2.company.com (domain)
FIM Sync is in d1.company.com
All the accounts from d1.company.com are syncing. The accounts from d2.company.com are failing.
We receive error 6914: "The connection from a password notification source failed because it is not a Domain Controller service account."
In the notes on the hotfix:
Issues that are fixed or features that are added in this update
This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.
Password Change Notification Service (PCNS)
Issue 1
The following error message is logged:
6914 The connection from a password notification source failed because it is not a Domain Controller service account.
After you install this fix, adding a backslash character to a domain name causes the function to return the domain controller Security Identifier (SID) instead of an empty user SID.
Errors in FIM Sync:
6914 error
The connection from a password notification source failed because it is not a Domain Controller service account.
Domain: d2.company.com
Server: x.x.x.x
6915 error
An error has occurred during authentication to the password notification source.
"ERR_: MMS(6872): d:\bt\35150\private\source\miis\shared\utils\libutils.cpp(11691): gethostbyaddr failed with 0x2afc
BAIL: MMS(6872): d:\bt\35150\private\source\miis\shared\utils\libutils.cpp(11693): 0x80004005 (Unspecified error)
BAIL: MMS(6872): d:\bt\35150\private\source\miis\password\listener\pcnslistener.cpp(316): 0x80070534 (No mapping between account names and security IDs was done.): Win32 API failure: 1332
BAIL: MMS(6872): d:\bt\35150\private\source\miis\password\listener\pcnslistener.cpp(570): 0x80070534 (No mapping between account names and security IDs was done.)
Forefront Identity Manager 4.1.3613.0"
The error we get when a user from d2.company.com changes a password and PCNS tries to deliver it:
ERROR IN PCNS
Log Name: Application
Source: PCNSSVC
Date: 3/10/2015 9:19:08 AM
Event ID: 6025
Task Category: (4)
Level: Error
Keywords: Classic
User: N/A
Computer: box.d2.company.com
Description:
Password Change Notification Service received an RPC exception attempting to deliver a notification.
Thread ID: 3704
Tracking ID: 19657b31-4547-4
User GUID: 99de63a6-9e09-4
User:
Target: FIMProd1
Delivery Attempts: 1135
Queued Notifications: 1
0x00000005 - Access is denied.
LOCB is the NetBIOS name of d2.company.com.
LOCA is the NetBIOS name of d1.company.com.
C:\>setspn -l LOCA\_FIMSyncService
Registered ServicePrincipalNames for CN=_FIMSyncService,OU=Sec,OU=SA,OU=Resource
Management,DC=d1,DC=company,DC=com:
PCNSCLNT/fim2
PCNSCLNT/fim2.d1.company.com
PCNSCLNT/fim1
PCNSCLNT/fim1.d1.company.com
--------------------------------------------------------------------------------------
C:\Program Files\Microsoft Password Change Notification>pcnscfg list
Service Configuration
MaxQueueLength........: 0
MaxQueueAge...........: 345600 seconds
MaxNotificationRetries: 0
RetryInterval.........: 60 seconds
Targets
Target Name...........: FIMProd1
Target GUID...........: 4C72BA98-8414-476B-80BF-6D9045EFCF39
Server FQDN or Address: fim1.d1.company.com
Service Principal Name: PCNSCLNT/fim1.d1.company.com
Authentication Service: Kerberos
Inclusion Group Name..: LOCB\Domain Users
Exclusion Group Name..:
Keep Alive Interval...: 0 seconds
User Name Format......: 3
Queue Warning Level...: 0
Queue Warning Interval: 30 minutes
Disabled..............: False
Total targets: 1
Password sync has been working for years; now it is throwing this error. Does anyone have clues to the problem with the hotfix?
We have already worked through the 6025 troubleshooting steps at http://social.technet.microsoft.com/wiki/contents/articles/4159.pcns-troubleshooting-event-id-6025.aspx, but there are no issues there.
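The trace in event 6915 above shows two concrete failures on the listener side: gethostbyaddr() returning 0x2AFC (Winsock 11004, WSANO_DATA, a reverse-DNS lookup with no PTR record) and then 0x80070534 / Win32 1332 (the DC's account name could not be mapped to a SID). The following PowerShell script is an added diagnostic, not code from the original post or from the PCNS/FIM product; it reproduces those two lookups from the FIM Sync server, checks the PCNSCLNT SPN that pcnscfg shows as the target, and pulls the matching PCNSSVC 6025 events from the DC. The host names, NetBIOS names and SPN are the ones quoted in the post and are assumptions about this environment.

```powershell
# Added diagnostic script; not from the original post or from the PCNS/FIM product.
# Values below are the ones quoted in the post and are assumptions about this environment.
# Run in an elevated PowerShell on the FIM Sync server (fim1).
param(
    [string]   $SyncServerFqdn = 'fim1.d1.company.com',
    [string[]] $SourceDcs      = @('box.d2.company.com'),   # DCs running PCNS in d2
    [string]   $SourceNetbios  = 'LOCB'                      # NetBIOS name of d2.company.com
)

function Test-ReverseLookup {
    # Event 6915 shows gethostbyaddr() failing with 0x2AFC (Winsock 11004, WSANO_DATA):
    # the listener could not turn the notifying DC's IP back into a host name.
    # Repeat that reverse lookup from the sync server for every IPv4 address of the DC.
    param([string]$Dc)
    $ips = [System.Net.Dns]::GetHostAddresses($Dc) |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    foreach ($ip in $ips) {
        try {
            $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
            if ($ptr -ieq $Dc) { "OK    PTR $ip -> $ptr" }
            else { Write-Warning "PTR $ip -> '$ptr' does not match '$Dc'; check the reverse zone" }
        } catch {
            Write-Warning "PTR $ip -> no record; this is the gethostbyaddr failure from event 6915"
        }
    }
}

function Test-DcSidMapping {
    # 0x80070534 / Win32 1332 "No mapping between account names and security IDs":
    # the listener has to resolve the DC's computer account (e.g. LOCB\box$) to a SID.
    # NTAccount.Translate goes through LsaLookupNames, the same path, from this server.
    param([string]$Dc, [string]$Netbios)
    $dcShort = ($Dc -split '\.')[0]
    $acct = New-Object System.Security.Principal.NTAccount($Netbios, "$dcShort`$")
    try {
        $sid = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        "OK    $Netbios\$dcShort`$ -> $($sid.Value)"
    } catch {
        Write-Warning "$Netbios\$dcShort`$ could not be mapped to a SID: $($_.Exception.Message)"
    }
}

function Test-PcnsSpn {
    # PCNS authenticates to the SPN shown by 'pcnscfg list' (PCNSCLNT/fim1.d1.company.com).
    # setspn -Q searches the forest for it; setspn -X lists duplicate SPNs, which also break Kerberos.
    param([string]$Fqdn)
    $out = & setspn.exe -Q "PCNSCLNT/$Fqdn" 2>&1
    if ($out -match 'Existing SPN found') { "OK    SPN PCNSCLNT/$Fqdn is registered on:"; $out | Select-String 'CN=' }
    else { Write-Warning "SPN PCNSCLNT/$Fqdn was not found in this forest" }
    $dups = & setspn.exe -X 2>&1 | Select-String 'PCNSCLNT'
    if ($dups) { Write-Warning "Duplicate PCNSCLNT SPNs reported by setspn -X:"; $dups }
}

foreach ($dc in $SourceDcs) {
    Test-ReverseLookup -Dc $dc
    Test-DcSidMapping  -Dc $dc -Netbios $SourceNetbios
    # Latest PCNS delivery failures (event 6025, source PCNSSVC) on the DC itself.
    Get-WinEvent -ComputerName $dc -MaxEvents 3 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PCNSSVC'; Id = 6025 } |
        Format-List TimeCreated, Message
}
Test-PcnsSpn -Fqdn $SyncServerFqdn

# Matching listener-side failures on this sync server (events 6914/6915 in the Application log).
Get-WinEvent -MaxEvents 5 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Application'; Id = 6914, 6915 } |
    Format-List TimeCreated, Id, Message
```

If the PTR check warns for the d2 DC while the d1 DCs resolve cleanly, that matches the pattern in the post (d1 working, d2 failing) and points at the reverse zone for the d2 subnet; if the SID mapping fails, the sync server cannot reach a d2 DC over the trust to translate the computer account, independent of DNS. Both checks are read-only and safe to run repeatedly while the listener is in service.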