Hi allWe have two Forests, one which has installed the PCNS Service on all Domaincontrollers, and the other Forest with ILM 2007.Password synch works when the two-way external Trust is set to Domain-wide authentication.When we set the Trust to Selective-authentication, Password synch failed with Access Denied Errors. Password Change Notification Service received an RPC exception attempting to deliver a notification. Thread ID: 8576 Tracking ID: 7d0147da-e676-4d35-a192-0fb647fb0ff5User GUID: a5e38c8a-605f-40ed-9b53-84b4679aac61User: Domain\testuser Target: ilmserverDelivery Attempts: 4 Queued Notifications: 1 0x00000005 - Access is denied.ProcessID is 8636System Time is: 12/10/2009 9:44:28:390Generating component is 2Status is 5 - Access is denied.Detection location is 1710Flags is 0NumberOfParameters is 1Long val: 0ProcessID is 8636System Time is: 12/10/2009 9:44:28:390Generating component is 2Status is 5 - Access is denied.Detection location is 1461Flags is 0NumberOfParameters is 0 We enabled the Flag "Allow to authenticate" on the Domaincontrollers, ILM Service Account, ILM Machine Account on both Forests. What do we need to configure that the PCNS Service will work with an external selective two-way Trust? Or is it not possible? Thanks for any Help!

If this is possible (in other words I haven't tested this config) here is what you need to do:1) In the ILM Forest in ADUC on the ILM Server set Allow to authenticate to all of the DCs in the PCNS forest.2) Also grant the DCs from the PCNS forest "Access this computer from the network" to the ILM serverMore info:In order to communicate with the ILM service, the DC sending the password change must be allowed a network logon to the ILM machine. Auditing the logon event on the ILM machine showed a failed logon for the DC. from http://support.microsoft.com/default.aspx/kb/973807David Lundell www.ilmBestPractices.com