Hi Team,
I know that this issue has been reported a few times but none of them helped me resolve the problem. Please let me know if I missed anything.
I have a cross-domain and cross-forest structure: Domain A and Domain B (each with a single DC and in separate forests). FIM is installed in Domain B. Domain A is the source for password changes.
I followed the steps below to set up PCNS, referring to http://social.technet.microsoft.com/wiki/contents/articles/1597.troubleshooting-pcns.aspx
1. Installed PCNS on Domain A.
2. Enabled the verbose logging on FIM sync in Domain B and AD in Domain A.
3. Ensured the clocks are in sync on all the servers.
4. Name resolution is working fine from Domain A to B and vice versa.
5. There is no firewall between the servers.
6. The account used in the target MA has Account Operators + reset password rights.
7. PCNSCfg list shows the following result:
Targets
Target Name...........: fim-labmachine
Target GUID...........: 3BA26260-4537-4B84-BAD3-B045F6SDERAD
Server FQDN or Address: fim-labmachine.b.com
Service Principal Name: PCNSCLNT/fim-labmachine.B.com
Authentication Service: Kerberos
Inclusion Group Name..: B\Domain Users
Exclusion Group Name..: B\Domain Admins
Keep Alive Interval...: 600 seconds
User Name Format......: 1
Queue Warning Level...: 20
Queue Warning Interval: 60 minutes
Disabled..............: False
8. SETSPN -L for the FIM Sync service account gives the following result:
PCNSCLNT/fim-labmachine.goglab.com
9. Password synchronization is enabled in FIMSync
10. Ensured that there are no duplicate SPNs.
11. Password source sync is enabled on source and destination as per the figure in the above-mentioned article.
12. Though I don't think it was necessary, I have created a one-way external trust where Domain B trusts accounts from Domain A. It's validated and working fine.
13. Also increased the "KdcWaitTime" to 60 seconds.
14. The forest and domain functional levels are the same for both domains.
15. PCNS is installed only in the source AD.
Error:
Password Change Notification Service received an RPC exception attempting to deliver a notification.
The password change notification target could not be authenticated.
.
.
0x00000721 - A security package specific error occurred.
.
.
Status is -2146893053 - The specified target is unknown or unreachable.
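Added example (not the poster's own code, nor part of PCNS or FIM): a PowerShell check that parses the two command outputs quoted in the post and reports whether the SPN configured on the PCNS target matches the target FQDN and is among the SPNs registered on the sync service account. The setspn header line and the account DN in it are constructed sample data.

```powershell
# Added example: cross-check the PCNSCLNT SPN that pcnscfg configured on the
# PCNS target against the SPNs setspn -L reports for the sync service account.
# Sample input: the pcnscfg list lines quoted in the post.
$pcnsListOutput = @"
Target Name...........: fim-labmachine
Server FQDN or Address: fim-labmachine.b.com
Service Principal Name: PCNSCLNT/fim-labmachine.B.com
"@

# Sample input: header line constructed, SPN line as quoted in the post.
$setspnOutput = @"
Registered ServicePrincipalNames for CN=FIMSyncSvc,OU=ServiceAccounts,DC=b,DC=com:
        PCNSCLNT/fim-labmachine.goglab.com
"@
function Get-PcnsTarget {
    param([string]$PcnsListText)
    # One object per "Target Name" block, carrying its FQDN and configured SPN.
    $targets = @(); $current = $null
    foreach ($line in $PcnsListText -split "`r?`n") {
        if ($line -match '^Target Name\.*:\s*(.+)$') {
            $current = [pscustomobject]@{ Name = $Matches[1].Trim(); Fqdn = $null; Spn = $null }
            $targets += $current
        } elseif ($current -and $line -match '^Server FQDN or Address:\s*(.+)$') {
            $current.Fqdn = $Matches[1].Trim()
        } elseif ($current -and $line -match '^Service Principal Name:\s*(.+)$') {
            $current.Spn = $Matches[1].Trim()
        }
    }
    return $targets
}

function Test-PcnsSpnConsistency {
    param([string]$PcnsListText, [string]$SetspnText)
    # SPNs registered on the account are the indented lines under the header.
    $registered = @($SetspnText -split "`r?`n" | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^PCNSCLNT/' })
    foreach ($t in Get-PcnsTarget $PcnsListText) {
        # SPN comparison is case-insensitive, as are PowerShell's -eq/-contains.
        [pscustomobject]@{
            Target        = $t.Name
            ConfiguredSpn = $t.Spn
            MatchesFqdn   = ($t.Spn -eq "PCNSCLNT/$($t.Fqdn)")
            Registered    = ($registered -contains $t.Spn)
            AccountHas    = ($registered -join ', ')
        }
    }
}

Test-PcnsSpnConsistency $pcnsListOutput $setspnOutput | Format-List
```

On a live system feed it `(& pcnscfg list | Out-String)` and `(& setspn -L <domain>\<sync account> | Out-String)` instead of the embedded samples; `setspn -X` separately searches the forest for duplicate SPNs.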