Exchange

Syncing passwords to [email protected]

One of the pieces to setting up the infrastructure to send password changes to a synchronization server like Forefront Identity Manager 2010 is installing the Password Change Notification Service on your domain controller(s).  This service “listens” for password changes and then sends them over to the FIM2010 server which is running OLSYNC so it can be processed and sent on to its destination.  One of the most commmon implementations of this would be with a cloud email solution such as Exchange Online or [email protected] for educational insitutions.  This service effectively allows the password change to be sent from the on premises Active Directory domain to the online Exchange organization so that the user’s password is the same both on premises and in the hosted environment.  Otherwise this would be a nightmare for an administrator to keep this synchronized manually.

Presumptions

The following presumes you have an already functioning FIM2010 server with management agents correctly installed and configured for your environment.  One detail that we want to show via screenshot though that is easily missed is under the Tools and Options menu in FIM2010.  You need to make sure you have the Password Synchronization – Enable Password Synchronization flag set.

pcns7

Downloading and Installing the PCNS (Password Change Notification Service)

To obtain the PCNS install simply go here and download the installer.

Installation

Copy the installer to your domain controller(s) and extract the zip file for installation.  Once you have extracted the file, simply run through the installer wizard.

pcns1

 

pcns2

 

pcns3

 

pcns4

 

pcns5

 

*****Note***** You will be prompted to restart the domain controller after installation completes.

pcns6

 

Configuring the SPN for the PCNS service and connecting this to FIM2010
Setting up the SPN – You will use the setspn.exe command to setup the service and connect this to the FIM2010 server and service account

  • setspn.exe -A PCNSCLNT/%servname% %domain%%username%
  • So setspn.exe -A PCNSCLNT/fim2010.somedomain.com DOMAINFIMUSER

Checking the SPN you created:

  • setspn.exe -l DOMAINFIMUSER

Adding the FIM2010 target to the SPN

  • Navigate to the PCNS directory, usually “c:program filesmicrosoftpassword change notification”
  • pcnscfg addtarget /N:Friendlyname /A:fim2010.domain.com /S:pcnsclnt/FIM2010.somedomain.com /Fl:”Domain Users” /FE:”Domain Admins” /F:1 /I:600 /D:False /WL:20 /WI:60
  • In the command above, we are specifying that all “Domain Users” will have passwords captured and sent to FIM2010 to process for synchronization and we are restricting “Domain Admin” passwords from being sent for synchronization.

Checking the logs:

Be sure and check the Application log on the FIM2010 server in your environment as any password synchronization successes/failures are captured here.  Also, the Application log on the domain controller itself will contain specific information about the PCNSSVC service itself and whether or not it encountered any errors.

Also useful

More often than not, the default logging levels of FIM and PCNS are not adequate to troubleshoot failures or problems with synchronization.  You can tweak the following registry keys to turn up the logging levels of both services to more easily troubleshoot what may be happening:

FIM2010

Add a DWORD value called FeaturePwdSyncLogLevel at the following registry path:

– HKEY_LOCAL_MACHINESystemCurrentControlSetServicesFIMSynchronizationServicesLogging

  • 0 = Minimum
  • 1 = Normal
  • 2 = High
  • 3 = Detailed

For PCNS add the DWORD value EventLogLevel (REG_DWORD) key under the following registry path with the following possible values

– HKEY_LOCAL_MACHINESystemCurrentControlSetServicesPCNSSVCParameters

  • 0 = Minimum
  • 1 = Normal
  • 2 = High
  • 3 = Detailed

Successful Password Synchronization

When successful password synchronization is staged and sent via PCNS to FIM2010 and then to the hosted management agent, you will see the following messages in the Application Eventlog with detailed logging turned on:

  • Event 6903, FIMSynchronizationService – A password notification was received from a Password Change Notification Service
  • Event 6907, FIMSynchronizationService – A password notification was successfully staged for synchronization.
  • Event 6902, FIMSynchronizationService – A password synchronization set operation was successful in a target connected data source.

Multiple Domain Controllers

Many have become confused when thinking about installing the PCNS service in a multidomain controller environment.

– ANSWER:  You WILL need to install the service on all domain controllers in your environment, however, you will only need to setup the SPN once.  So, on your first domain controller install, you will need to run through the PCNS SPN configuration.  Every subsequent domain controller installation of the PCNS service, it will simply pull the information from the initial setup for the SPN account, TARGET, etc.

 

Back to top button