Password Sync Problem after applying Patch 4.1.3613.0

We are having a password sync problem after putting on hotfix 4.1.3613.0 (http://support.microsoft.com/kb/3011057). Originally we were on 4.1.3441.0. We put on 2 patches to bring us to the latest patch: Patch 4.1.3510.0, then 4.1.3613.

Structure of AD is

company.com Forest

                d1.company.com Domains

                D2.company.com Domains

FIM Sync is in d1.company.com

All the accounts from d1.company.com are syncing. The accounts from d2.company.com are failing.

We receive the error 6914 The connection from a password notification source failed because it is not a Domain Controller service account.

In the notes on the hotfix

Issues that are fixed or features that are added in this update

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

Password Change Notification Service (PCNS)

Issue 1

The following error message is logged:

6914 The connection from a password notification source failed because it is not a Domain Controller service account.


After you install this fix, adding a backslash character to a domain name causes the function to return the domain controller Security Identifier (SID) instead of an empty user SID

Error in FIM SYNC

6914 error

The connection from a password notification source failed because it is not a Domain Controller service account.

Domain: d2.company.com

Server: x.x.x.x

6915 error

An error has occurred during authentication to the password notification source.

 "ERR_: MMS(6872): d:\bt\35150\private\source\miis\shared\utils\libutils.cpp(11691): gethostbyaddr failed with 0x2afc

BAIL: MMS(6872): d:\bt\35150\private\source\miis\shared\utils\libutils.cpp(11693): 0x80004005 (Unspecified error)

BAIL: MMS(6872): d:\bt\35150\private\source\miis\password\listener\pcnslistener.cpp(316): 0x80070534 (No mapping between account names and security IDs was done.): Win32 API failure: 1332

BAIL: MMS(6872): d:\bt\35150\private\source\miis\password\listener\pcnslistener.cpp(570): 0x80070534 (No mapping between account names and security IDs was done.)

Forefront Identity Manager 4.1.3613.0"

The error we are getting when a user from d2.company.com tries a sync

ERROR IN PCNS

Log Name:      Application
Source:        PCNSSVC
Date:          3/10/2015 9:19:08 AM
Event ID:      6025
Task Category: (4)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      box.d2.company.com
Description:
Password Change Notification Service received an RPC exception attempting to deliver a notification.  
Thread ID: 3704 
Tracking ID: 19657b31-4547-4f18-94c3-e85adc1d0700 
User GUID: 99de63a6-9e09-4906-9515-bb4ba0a2c5d6 
User: LOCB\user 
Target: FIMProd1 
Delivery Attempts: 1135 
Queued Notifications: 1 
0x00000005 - Access is denied.

LOCB netbios resolves to d2.company.com

LOCA netbios resolves to d1.company.com

C:\>setspn -l LOCA\_FIMSyncService

Registered ServicePrincipalNames for CN=_FIMSyncService,OU=Sec,OU=SA,OU=Resource

 Management,DC=d1,DC=company,DC=com:

        PCNSCLNT/fim2

        PCNSCLNT/fim2.d1.company.com

        PCNSCLNT/fim1

        PCNSCLNT/fim1.d1.company.com

--------------------------------------------------------------------------------------

C:\Program Files\Microsoft Password Change Notification>pcnscfg list

Service Configuration

  MaxQueueLength........: 0

  MaxQueueAge...........: 345600 seconds

  MaxNotificationRetries: 0

  RetryInterval.........: 60 seconds

Targets

  Target Name...........: FIMProd1

  Target GUID...........: 4C72BA98-8414-476B-80BF-6D9045EFCF39

  Server FQDN or Address: fim1.d1.company.com

  Service Principal Name: PCNSCLNT/fim1.d1.company.com

  Authentication Service: Kerberos

  Inclusion Group Name..: LOCB\Domain Users

  Exclusion Group Name..:

  Keep Alive Interval...: 0 seconds

  User Name Format......: 3

  Queue Warning Level...: 0

  Queue Warning Interval: 30 minutes

  Disabled..............: False

Total targets: 1

The password sync has been working for years; now it is throwing this error. Does anyone have clues to the problem with the Hotfix?

We have looked at trying to resolve 6025 errors using http://social.technet.microsoft.com/wiki/contents/articles/4159.pcns-troubleshooting-event-id-6025.aspx but there are no issues here.


  • Edited by Robin Lilly Tuesday, March 10, 2015 7:18 PM
March 10th, 2015 7:05pm
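
The `pcnscfg list` and `setspn -l` outputs quoted in the post above can be cross-checked mechanically. The following is an added example, not part of the original thread and not Microsoft's tooling: it parses both outputs and reports whether each PCNS target's SPN is registered on the sync service account, matches the target FQDN, and uses Kerberos. The helper name `Test-PcnsTargetSpn` is hypothetical, and the sample text is taken from the post with blank lines, unused fields and the setspn header line omitted.

```powershell
# Constructed sample input: the two outputs quoted in the post, trimmed. On a live
# system pass `pcnscfg list` and `setspn -l LOCA\_FIMSyncService` output instead.
$pcnsCfgSample = @'
Targets
  Target Name...........: FIMProd1
  Server FQDN or Address: fim1.d1.company.com
  Service Principal Name: PCNSCLNT/fim1.d1.company.com
  Authentication Service: Kerberos
'@ -split "`r?`n"

$setSpnSample = @'
        PCNSCLNT/fim2
        PCNSCLNT/fim2.d1.company.com
        PCNSCLNT/fim1
        PCNSCLNT/fim1.d1.company.com
'@ -split "`r?`n"

function Test-PcnsTargetSpn {   # hypothetical helper name
    param([string[]]$PcnsCfgLines, [string[]]$SetSpnLines)

    # Registered SPNs are the indented "class/host" lines of `setspn -l`.
    $registered = @($SetSpnLines | Where-Object { $_ -match '^\s+\S+/\S+\s*$' } |
        ForEach-Object { $_.Trim() })

    # pcnscfg pads keys with dots ("Target Name...........: FIMProd1");
    # every "Target Name" line starts a new target record.
    $targets = @()
    foreach ($line in $PcnsCfgLines) {
        if ($line -match '^\s*([^.:]+)\.*:\s*(.*)$') {
            $key = $Matches[1].Trim(); $value = $Matches[2].Trim()
            if ($key -eq 'Target Name') { $targets += @{} }
            if ($targets.Count -gt 0) { $targets[-1][$key] = $value }
        }
    }

    foreach ($t in $targets) {
        $spn = $t['Service Principal Name']
        [pscustomobject]@{
            Target         = $t['Target Name']
            Spn            = $spn
            SpnRegistered  = $registered -contains $spn      # case-insensitive
            SpnMatchesFqdn = ($spn -split '/', 2)[1] -eq $t['Server FQDN or Address']
            Kerberos       = $t['Authentication Service'] -eq 'Kerberos'
        }
    }
}

Test-PcnsTargetSpn -PcnsCfgLines $pcnsCfgSample -SetSpnLines $setSpnSample
```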

Spent morning on phone with Microsoft Support. Apparently patch 4.1.3627.0 and 4.1.3613.0 both introduce this bug. Microsoft is aware of it and is working on a fix. NO ETA. DON'T PUT THESE PATCHES ON YOUR BOX. Unless you want a major headache.

We are dead in the water and backing off the FIM Sync is probably not an option. This has been given as our alternatives. Microsoft's reply:

    • The issue you are facing with the PCNS is already reported as a known issue with build 4.1.3613.0
    • The Product group is working on this issue and it is expected to be fixed in the next hotfix.
    • Right now we don't have an ETA on the release of next hotfix.
    • To work around this issue,
    1. Revert the FIM to the previous build.
    2. Wait till the next hotfix is released.

We would have never put this patch on if the Patch said it introduces these new problems.


March 11th, 2015 2:18pm

  • Edited by Robin Lilly Wednesday, March 11, 2015 6:17 PM
March 11th, 2015 6:16pm

Microsoft has a patch for this now so just call Premier Support or wait another week and it should be released.  The new patch fixed my issue.
April 29th, 2015 1:00pm

http://social.technet.microsoft.com/wiki/contents/articles/13394.microsoft-identity-software-public-release-build-versions.aspx#FIMR2

Released today:

http://support.microsoft.com/kb/3048056

April 30th, 2015 3:53pm
