Provisioning to AD - in another forest
Hi, I have tried to set up FIM2010 to provision users to AD (different forest). While configuring the AD MA, I have provided the IP address in the place of the server, and UPN for login, and left the domain blank. I have configured "Preferred DC" to use in the MA. I am able to connect to AD and do a full sync. While running the export profile, I am receiving "cd-connectivity-error" (stopped connectivity). However, the users are getting created in disabled state (514 status). There is not much load and I have tried to export one user only. Am I doing something wrong? Regards, Sai
August 7th, 2012 5:38pm

You need to initialize the userAccountControl attribute if you want to provision enabled users in AD. AD will create disabled users by default if userAccountControl is not initialized to 512 (default enabled user). How do you provision the users? Through rules extension or through portal synchronization rules? In both methods, you need to set the userAccountControl.
August 8th, 2012 6:03am

Thanks Beck for your response. I am passing both unicodePwd and userAccountControl attributes (512). But these values are not being set. Provisioning is happening through synchronization rules. -- Sai
August 8th, 2012 6:25am

Maybe there is a problem in the network configuration between your MA and DC. Have you checked the firewall requirements for the AD management agent? Isn't the call to set the password blocked? If you create a user without a password, it will be created as disabled. Are you sure that the initial password you are setting meets the other forest's complexity requirements?
August 8th, 2012 7:32am

Did you select initial flow only for userAccountControl = 512, pwdLastSet = 0, dn, ... ? The FIM Ramp Up course contains very good tutorials on how to configure synchronization through portal sync rules, check lab 5 Managing Synchronization from the Portal - Synchronizing Active Directory Users. http://technet.microsoft.com/en-us/ff793470.aspx
August 8th, 2012 7:39am

Is SSL mandatory to set the password? I am currently connected using port 389. Regards, Sai
August 8th, 2012 8:09am

SSL is not mandatory.
August 8th, 2012 8:11am

Looks like I have followed all the steps mentioned in the doc. I have verified again. Now the error has changed to "kerberos-no-logon-server". I have added the hostname (DNS name) instead of the IP address for "forest" on the connection details page. Any idea on how to fix this? Regards, Sai
August 8th, 2012 9:03am

Any more ideas? All the required ports specified in the ADMA doc are open. Unable to find a resolution for this. Regards, Sai
August 8th, 2012 4:22pm

I saw this once a couple of weeks ago but didn't really take notes on it. I seem to remember there was a "paging" issue when I drilled into the error. I ran a full import and the problem stopped. Paul N Smith
August 8th, 2012 8:00pm

Paul, Full Import is working as expected. Only while running the export profile are we getting this issue. FIM is not able to set the password, thus creating the users in disabled state. I have checked the DNS configs; they look fine. Not sure what we have missed. Regards, Sai
August 9th, 2012 8:24am

Is the FIM ADMA account a domain admin account in your target "foreign" forest? Or does it at least have write access to "all of the attributes" of a user object in the specified OU of the foreign forest? Have you tried to bring up an Active Directory Users & Computers MMC with "Run As" (Shift+Right Click => Run as different user) and tried to perform the account creation manually, to check whether "you" can create accounts manually? rgds
August 9th, 2012 11:33am

Yes, the FIM ADMA account is an admin account in the "foreign" forest. I am able to create users in the target AD using the ADMA account manually. Regards, Sai
August 9th, 2012 1:20pm

If you are able to create them as disabled, I would definitely try enabling one of these users manually in the target forest. If that gives an error, try setting the password manually on that account. More specifically, try the password you were flowing to unicodePwd. If you can't get the account enabled, this typically means that either no password was set, or it wasn't complex (long) enough with regard to the password policy in the target forest. That's also what Thomasz suggested. http://setspn.blogspot.com
August 10th, 2012 9:11am

Yes, I am able to change the password and make the user active manually. Regards, Sai
August 10th, 2012 12:11pm

The problem described in the following post sounds very much like yours: http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/c3624392-dbc1-4a30-80da-bd4697c562a1/
August 17th, 2012 8:01am

Hi Sai, In leaving the domain blank, you've left out the little bit of information that the FIM AD MA requires to set the password. I've dealt with this a few times with a client. You'll need to provide domain information for the target domain so that the MA can direct the Kerberos set-password command. Without that, everything looks like it's working fine, i.e. you can import and export (albeit in a disabled state). You end up in a disabled state because no password was set. Cheers, Marc
Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc. http://www.avaleris.com
August 17th, 2012 9:58am

Marc, I am passing the domain value while creating users in the FIM portal. Do I need to pass this value to any attribute in the AD MA as well? I am a newbie to FIM, please clarify this. Regards, Sai
August 17th, 2012 11:05am

Sai, In your first post, you mentioned that you had left the domain blank in the AD MA configuration. If that is still the case, you'll need to enter the domain name for the domain in question. Marc
Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc. http://www.avaleris.com
August 17th, 2012 1:07pm

Marc, In the FIM AD Management Agent, I left the domain field blank but provided the UPN for the username. Later I configured the FIM AD MA with sAMAccountName as the username and populated the domain field. In the first case I was getting "cd-connectivity-error" and in the second case the "kerberos-nologon-server" error. But in both cases, users are getting created in AD in disabled state. Anything wrong with this configuration? Regards, Sai
August 17th, 2012 1:11pm

Sai, If you try to enable the user that gets created, do you get an error stating the password is invalid? If so, the password is not getting set properly. This could be because the domain value is not valid in the AD MA, or the firewall is blocking the Kerberos password set port (464 if I recall rightly), or the service account you've defined in that forest does not have the required rights to set passwords on user accounts. In terms of the domain name, you should be able to set it to the NETBIOS value (ACME) or the FQDN value (acme.com). The forest name can either be the FQDN of the forest, or, for some clients with restrictive firewalls, I've had to specify a preferred DC FQDN there. Other ports you will want to verify are open are 53 (DNS) and 88 (Kerberos). Cheers, Marc
Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc. http://www.avaleris.com
August 17th, 2012 1:32pm

Marc, I am able to reset the user's password in AD and enable the account using the ADMA account I have used. All the ports 464, 53, 88 are open. I have cross-checked multiple times. I have specified the FQDN as the domain name. Will try with NETBIOS as well. Regards, Sai
August 17th, 2012 1:38pm

Sai, Can you export a new user to the AD and, if it is still disabled, attempt to enable it? If there is an error, what is it? Marc
Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc. http://www.avaleris.com
August 17th, 2012 2:29pm

Marc, Tried to enable an account but couldn't. Got the below error: "Cannot enable the object, Unable to update the password". After resetting the password I could enable the account. (Tried to reset the password with the same password I am passing from FIM.) From FIM, the password is not getting set in AD. Regards, Sai
August 17th, 2012 2:39pm

Okay, so as you surmised, the password is not being set by FIM, which brings us back to the following:
1. The domain value is not valid in the AD MA, in that the AD MA can't determine the Kerberos login server for that domain (could be DNS as well).
2. The firewall is blocking the Kerberos password set port (464 if I recall rightly), which you've indicated has been validated.
3. The service account you've defined in that forest does not have the required rights to set passwords on user accounts. The easiest way to check this is to view the effective permissions of your AD service account against one of the user accounts it had created, to see whether it has the set password permission.
Marc
Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc. http://www.avaleris.com
August 17th, 2012 3:34pm
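The three causes Marc lists can be checked from the FIM server with a short diagnostic script. This is an added example, not code from anyone in the thread; the domain, preferred DC and user names are placeholders, and it should be run as the ADMA service account (Run As) so it sees what the MA sees.

```powershell
# Added diagnostic (not from the thread). Run on the FIM server as the ADMA account.
param(
    [string]$TargetDomain   = 'target.example.com',      # placeholder: foreign domain FQDN
    [string]$PreferredDc    = 'dc01.target.example.com', # placeholder: preferred DC FQDN
    [string]$SamAccountName = 'exported.user'            # placeholder: a user FIM just exported
)

# 1. Kerberos and kpasswd servers are located through DNS SRV records. If the FIM
#    server cannot resolve these for the target domain, the MA has no logon server
#    to send the set-password request to, which matches "kerberos-no-logon-server".
foreach ($svc in '_kerberos._tcp', '_kpasswd._tcp', '_ldap._tcp') {
    $name = "$svc.$TargetDomain"
    try {
        $targets = (Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
        '{0,-42} -> {1}' -f $name, $targets
    } catch {
        '{0,-42} -> NOT RESOLVABLE ({1})' -f $name, $_.Exception.Message
    }
}

# 2. Ports named in the thread: 53 DNS, 88 Kerberos, 389 LDAP, 464 Kerberos password change.
function Test-TcpPort([string]$Server, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Server, $Port, $null, $null)
        $ok = $handle.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
    } catch { $ok = $false } finally { $client.Close() }
    return $ok
}
foreach ($port in 53, 88, 389, 464) {
    $state = if (Test-TcpPort $PreferredDc $port) { 'open' } else { 'BLOCKED' }
    '{0}:{1,-4} -> {2}' -f $PreferredDc, $port, $state
}

# 3. Inspect the exported account. userAccountControl 514 is 512 (NORMAL_ACCOUNT) plus
#    2 (ACCOUNTDISABLE); together with pwdLastSet 0 it means the object was created
#    but unicodePwd was never written, which is the symptom described in this thread.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PreferredDc")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$SamAccountName)")
$result   = $searcher.FindOne()
if ($result) {
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    $pls = [long]$result.Properties['pwdlastset'][0]
    'userAccountControl={0} disabled={1} pwdLastSet={2}' -f $uac, [bool]($uac -band 2), $pls
} else {
    "No user with sAMAccountName '$SamAccountName' found on $PreferredDc"
}
```

If the SRV lookups fail while the port checks pass, the FIM server's DNS configuration for the foreign domain is the place to look, which is where this thread ended up.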

Yes. The account has permission for setting the password. I tried to create a new user in AD directly with this user account and reset the passwords for existing users. Regards, Sai
August 17th, 2012 3:52pm

Marc, This seems to be a DNS resolution issue to me. I have changed the MA to point to another AD and it worked. So, with the current AD there seems to be some issue with name resolution. Thanks for your assistance. Regards, Sai
August 19th, 2012 2:09pm
