Password Sync problems.
Ok, I've got a major problem here. I have followed every posting here on the subject but I can't find a solution to the problem.
I have followed the "Deploying Cross-Forest Management Solution for FIM 2010"; I'm able to sync all users into FIM, and new user accounts are getting created from DomainA on DomainB.
Everything looked good, till I tried syncing password changes (PCNSCLNT) from DomainB to DomainA. What's strange is that if I switch the configuration and try syncing password changes from DomainA to DomainB it works fine. What I can't figure out is why it would work the other way.
When I try it from DomainB to DomainA I get an error message on the FIM Server as shown below.
Log Name: Application
Source: FIMSynchronizationService
Date: 7/8/2010 3:37:31 PM
Event ID: 6329
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: FIM.mycambrian.net
Description:
An unexpected error has occurred during a password set operation.
"ERR: MMS(3088): utils.cpp(963): Failed getting registry value 'AdExtTimeout', 0x2
BAIL: MMS(3088): utils.cpp(965): 0x80070002 (The system cannot find the file specified.)
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition CN=Configuration,DC=domainA,DC=com to the list because it already exists at position 0
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=academic,DC=domainA,DC=com to the list because it already exists at position 1
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=camres,DC=domainA,DC=com to the list because it already exists at position 4
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=camres,DC=domainA,DC=com to the list because it already exists at position 6
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=academic,DC=domainA,DC=com to the list because it already exists at position 1
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=domainA,DC=com to the list because it already exists at position 5
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=camres,DC=domainA,DC=com to the list because it already exists at position 6
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=ForestDnsZones,DC=domainA,DC=com to the list because it already exists at position 7
ERR: MMS(3088): utils.cpp(743): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(3088): utils.cpp(744): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(3088): utils.cpp(799): 0x80070002 (The system cannot find the file specified.)
ERR: MMS(3088): admaexport.cpp(3686): The Kerberos change operation failed: 0xc000018b
ERR: MMS(3088): ma.cpp(9099): ExportPasswordSet failed with 0x80004005
Forefront Identity Manager 4.0.3531.2"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="FIMSynchronizationService" />
<EventID Qualifiers="49152">6329</EventID>
<Level>2</Level>
<Task>3</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-07-08T19:37:31.000000000Z" />
<EventRecordID>6068</EventRecordID>
<Channel>Application</Channel>
<Computer>FIM.domainb.com</Computer>
<Security />
</System>
<EventData>
<Data>ERR: MMS(3088): utils.cpp(963): Failed getting registry value 'AdExtTimeout', 0x2
BAIL: MMS(3088): utils.cpp(965): 0x80070002 (The system cannot find the file specified.)
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition CN=Configuration,DC=domainA,DC=com to the list because it already exists at position 0
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=academic,DC=domainA,DC=com to the list because it already exists at position 1
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=camres,DC=domainA,DC=com to the list because it already exists at position 4
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=camres,DC=domainA,DC=com to the list because it already exists at position 6
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=academic,DC=domainA,DC=com to the list because it already exists at position 1
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=domainA,DC=com to the list because it already exists at position 5
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=camres,DC=domainA,DC=com to the list because it already exists at position 6
BAIL: MMS(3088): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=ForestDnsZones,DC=domainA,DC=com to the list because it already exists at position 7
ERR: MMS(3088): utils.cpp(743): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(3088): utils.cpp(744): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(3088): utils.cpp(799): 0x80070002 (The system cannot find the file specified.)
ERR: MMS(3088): admaexport.cpp(3686): The Kerberos change operation failed: 0xc000018b
ERR: MMS(3088): ma.cpp(9099): ExportPasswordSet failed with 0x80004005
Forefront Identity Manager 4.0.3531.2</Data>
</EventData>
</Event>
I also turned up logging on the FIM Server and I'm seeing this error message too.
Log Name: Application
Source: FIMSynchronizationService
Date: 7/8/2010 3:37:31 PM
Event ID: 6901
Task Category: Password Synchronization
Level: Warning
Keywords: Classic
User: N/A
Computer: FIM.domainb.com
Description:
A password synchronization set operation has failed in a target connected data source.
Additional information:
Tracking ID: {E41D4AD1-1EA9-415A-AC89-B165336A8A00}
Reference ID: {0D2F2712-1FDC-41F3-A824-A6B3CB83EF8C}
Target Object GUID: {8BD2AB17-CB2E-4469-851B-7E10D2568A43}
Target DN: CN=XXXX,OU=Computer Services,DC=domainA,DC=com
Target MA Name: Cambrian Import
Retry Count: 1
ErrorCode: 0x80004005
ErrorString: (Unspecified error)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="FIMSynchronizationService" />
<EventID Qualifiers="32768">6901</EventID>
<Level>3</Level>
<Task>8</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-07-08T19:37:31.000000000Z" />
<EventRecordID>6069</EventRecordID>
<Channel>Application</Channel>
<Computer>FIM.domainB.net</Computer>
<Security />
</System>
<EventData>
<Data>{E41D4AD1-1EA9-415A-AC89-B165336A8A00}</Data>
<Data>{0D2F2712-1FDC-41F3-A824-A6B3CB83EF8C}</Data>
<Data>{8BD2AB17-CB2E-4469-851B-7E10D2568A43}</Data>
<Data>CN=XXXX,OU=Computer Services,OU=Staff,DC=domainA,DC=com</Data>
<Data>Cambrian Import</Data>
<Data>1</Data>
<Data>0x80004005</Data>
<Data>(Unspecified error)</Data>
</EventData>
</Event>
DomainA - Windows 2008 R2 Domain Level, 2003 Forest Level
DomainB - Windows 2008 R2 Domain Level, 2008 R2 Forest Level
Fim server in DomainB
Does anyone have any ideas what to look at next? I've already turned on Kerberos logging on DomainA; it didn't show any problems.
July 8th, 2010 10:59pm
I would think this is one of two things:
-Check DNS: the FIM server must have DNS SRV record access to the AD environment that is the target for password synchronization, domain A in your case. This message also occurs with MIIS/ILM when it can't access DNS SRV records in the target AD environment.
If DNS is the problem it makes sense that the opposite direction works, since FIM is syncing passwords to the same domain in which it resides, so DNS would be expected to work in this case.
-Another possibility is that the krbtgt account in domain A has been authoritatively restored. You can check this by using the attribute editor and checking the msDS-KeyVersionNumber of the krbtgt account. If it is 6 digits (>100000), then this means it has been authoritatively restored. There is a known issue when attempting to change the password using the kpasswd mechanism, which the password synchronization component in FIM 2010 does. This is described in more detail here:
http://support.microsoft.com/kb/976424
Unfortunately, this fix is not yet present in Windows 2008 R2. One possible workaround is to point the AD MA for domain A to a non-Windows 2008 R2 DC. You can do this using the 'preferred DC' checkbox in the 'configure directory partitions' dialog.
I hope this helps!
July 9th, 2010 7:56am
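A check for the two causes proposed in the answer above (SRV record access to the target domain, and an authoritatively restored krbtgt), written here as an added PowerShell example rather than anything from the thread; it assumes the RSAT ActiveDirectory and DnsClient modules are installed on the machine running it, and 'domainA.com' is a placeholder for the target domain.

```powershell
# Added example: diagnose a PCNS/FIM password-sync target domain for the two
# conditions named in the answer above. Assumes the ActiveDirectory and
# DnsClient modules (RSAT) are available; the domain name is a placeholder.
Import-Module ActiveDirectory
Import-Module DnsClient

function Test-PasswordSyncTarget {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. 'domainA.com' (placeholder)
        [int] $RestoredKvnoThreshold = 100000      # six-digit threshold quoted in the answer
    )

    # 1. The FIM server must locate DCs of the target domain through the
    #    _ldap._tcp.dc._msdcs.<domain> SRV record.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $dcHosts = @($srv | ForEach-Object { $_.NameTarget })
    } catch {
        $dcHosts = @()
    }

    # 2. A six-digit msDS-KeyVersionNumber on krbtgt indicates an authoritative
    #    restore, which breaks kpasswd-based password sets against 2008 R2 DCs
    #    (KB976424, as cited in the thread).
    $krbtgt = Get-ADUser -Identity 'krbtgt' -Server $Domain `
                         -Properties 'msDS-KeyVersionNumber' -ErrorAction Stop
    $kvno = [int]$krbtgt.'msDS-KeyVersionNumber'

    # 3. List DCs with their OS so a non-2008 R2 'preferred DC' can be chosen
    #    for the AD MA if the workaround from the answer is needed.
    $dcs = Get-ADDomainController -Filter * -Server $Domain |
           Select-Object HostName, OperatingSystem

    [pscustomobject]@{
        Domain                 = $Domain
        SrvRecord              = $srvName
        SrvLookupOk            = ($dcHosts.Count -gt 0)
        SrvTargets             = $dcHosts
        KrbtgtKeyVersionNumber = $kvno
        KrbtgtLikelyRestored   = ($kvno -ge $RestoredKvnoThreshold)
        DomainControllers      = $dcs
    }
}

# Example run against the placeholder target domain:
Test-PasswordSyncTarget -Domain 'domainA.com' | Format-List
```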
Not sure what DNS SRV record to test, but I tested _ldap._tcp.dc._msdcs.domainA.com and
_ldap._tcp.dc._msdcs.domainB.com from the FIM server and had no problems seeing the SRV records for the domain. Not sure what other SRV records to test.
As for the krbtgt account, I've checked it: the msDS-KeyVersionNumber = 800003.
July 9th, 2010 4:53pm
If the version number is 800003, that means that this account has been authoritatively restored 8 times. Even once will cause this problem with a Windows 2008 domain. Since DNS appears to be working properly, I would try configuring the target AD MA to use a preferred DC that is not a Windows 2008 R2 box.
If pointed to a Windows 2008 non-R2 box, you can use the KB article above and get the hotfix that addresses this issue. If using a Windows 2003 DC, then you shouldn't have this problem at all. I hope this helps.
July 11th, 2010 7:01pm
There lies the problem: my domain is running at Domain Level 2008 R2, which means I can't add any Windows 2008 DCs to the forest. :(
Does anyone know if this problem has been fixed in Windows 2008 R2 SP1 Beta? Or is there an ETA on the fix for Windows 2008 R2?
July 12th, 2010 8:15pm
I can confirm that the problem is fixed in Windows 2008 R2 Service Pack 1 beta.
August 3rd, 2010 3:37pm
That's not the correct answer; you can't use a Windows 2008 Server as a DC when the forest level is at 2008 R2. The only solution at the moment was to install Windows 2008 R2 SP1 Beta on a DC.
This corrected the problem.
August 12th, 2010 9:34pm