Hi,
We are using Forefront Identity Manager to sync 2 Active Directory domains.
Let's call them DomainA and DomainB. A FIM server has been installed in DomainA. Users and groups are synced between DomainA and DomainB, and all works great.
Now we want to use password sync from B to A. As mentioned in https://technet.microsoft.com/en-us/library/jj590288(v=ws.10).aspx, the PCNS agent has been installed on all domain controllers for B.
Password change from DomainB (which does NOT host the FIM server) to DomainA = error. We have configured FIM as explained and created an SPN entry on DomainB and the target.
But when a password is changed on DomainB, it is captured by PCNS and sent to the FIM server (DomainA), and the error occurs: Status is -2146893053 - The target is unknown
On the server side, we find this log: An error has occurred during authentication to the password notification source.
0x80070534: no mapping between account names and security IDs...
Indeed, when configuring the SPN, we created it on domain B with
setspn.exe -a PCNS/server.domainb.local DOMAINB\MIMSync which may be unknown on domain A.
What should be the way to sync passwords when the FIM server is not in the source domain?
BR,
Emmanuel IT