Channel: Forum Microsoft Identity Manager

FIM 2010 with PC and SPNs


Hi All,

I am setting up FIM with the PCNS service cross forest and am struggling to grasp how the SPNs work.

I have 2 domains (DomainA and DomainB) with a 2-way forest trust. I initially want passwords from DomainA to be synced to passwords in DomainB.

DomainA has 2 DCs. I have updated the schema successfully and also installed the PCNS agent on both source DCs. I have also installed FIM in DomainB and configured the Management Agents, and I've run the import processes and sync processes with no errors.

When I change my password I get an error on my source DC as below:

Password Change Notification Service received an RPC exception attempting to deliver a notification.

The password change notification target could not be authenticated.

User Action:

This usually happens under the following conditions:

1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.

2. The SPN is assigned to more than one Active Directory account.

3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.

4. There is more than 5 minutes of time variance between this system and the target system.

Please verify that the SPN configuration and that the clocks on the two systems are synchronized to an authoritative time source.

My problem is where do I set my SPNs? The documentation suggests the below:

Setspn.exe -a PCNSCLNT/fab-dev-01.usergroup.fabrikam.com fab-dev-01\MIISServAccount

I guess the question is which domain does the above need to be run in and what account is the MIISServAccount?

Cheers
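
The four conditions listed in the event text can be checked directly. The script below is an added example, not part of the original post or of Microsoft's documentation. Its defaults are the service class and host name from the SPN quoted in the post, and it assumes setspn.exe and w32tm.exe are available on a domain-joined machine.

```powershell
# Added example (not from the original post). Run from a domain-joined
# machine in the forest you want to inspect; repeat per forest if needed.
param(
    # Defaults are the values from the SPN quoted in the post.
    [string]$ServiceClass   = 'PCNSCLNT',
    [string]$TargetFqdn     = 'fab-dev-01.usergroup.fabrikam.com',
    [int]   $MaxSkewSeconds = 300    # the 5-minute limit in the event text
)
$spn = "$ServiceClass/$TargetFqdn"

# Condition 3: the host part must be a fully qualified domain name.
if ($TargetFqdn -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
    Write-Warning "'$TargetFqdn' is not a fully qualified domain name."
}

# Conditions 1 and 2: forest-wide lookup of the SPN. setspn prints the
# distinguished name of every account that holds it.
$lookup  = & setspn.exe -F -Q $spn 2>&1 | ForEach-Object { "$_" }
$holders = @($lookup | Where-Object { $_ -match '^CN=' })
switch ($holders.Count) {
    0       { Write-Warning "$spn is not registered on any account." }
    1       { Write-Output  "$spn is registered once: $($holders[0])" }
    default { Write-Warning "$spn is registered on $($holders.Count) accounts:"
              $holders }
}

# Condition 4: clock offset between this machine and the target.
$sample = & w32tm.exe /stripchart "/computer:$TargetFqdn" /samples:1 /dataonly 2>&1 |
    ForEach-Object { "$_" } |
    Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
if (-not $sample) {
    Write-Warning "Could not read a time offset from $TargetFqdn."
} else {
    $offset = [double]::Parse($sample.Matches[0].Groups[1].Value,
                              [cultureinfo]::InvariantCulture)
    if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        Write-Warning "Clock offset is $offset s, above $MaxSkewSeconds s."
    } else {
        Write-Output "Clock offset is $offset s, within $MaxSkewSeconds s."
    }
}
```

When exactly one holder is reported, compare it with the account that runs the target service; the script shows who holds the SPN but cannot know which account should.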

