You just recently installed and configured the Password Change Notification Service (PCNS) onto your Source Domain Controller(s). You have configured the Synchronization Service Manager and Management Agents to work with Password Management. You execute a test and receive an Event ID 6025 in the Application Event Log.
The Event ID 6025 can have a few different messages, which can control how you troubleshoot the Event ID 6025 error message. Essentially, the Event ID 6025 indicates that the source domain controller is not able to communicate with the Synchronization Service Manager machine.
One of the very first things to understand about your Password Management Solution is where the Synchronization Service machine is set up.
The password change notification target could not be authenticated.
User Action: This usually happens under the following conditions:
1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.
2. The SPN is assigned to more than one Active Directory account.
3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.
4. There is more than 5 minutes of time variance between this system and the target system.
Please verify that the SPN configuration and that the clocks on the two systems are synchronized to an authoritative time source.
The above iteration of the Event ID 6025 indicates a problem with the ServicePrincipalName (SPN) that was configured on the Synchronization Service Account and in the PCNS Configuration Data.
Here is a checklist of items to check in order to isolate and resolve the issue:
Password Change Notification Service received an RPC exception attempting to deliver a notification.
The password change notification target could not be contacted.
User Action: The target server may not be running. Verify that the target server is running.
Additional Details:
Thread ID: 2880
Tracking ID: fd88787d-f2be-4ac6-96a9-e74413c65a0e
User GUID: 6f83f346-bd5d-441d-a1ba-be145499c89b
User: DOMAINNAME\username
Target: PCNS_CONFIGURATION_TARGET_NAME
Delivery Attempts: 1
Queued Notifications: 1
0x000006D9 - There are no more endpoints available from the endpoint mapper.
ProcessID is 3688 System Time is: 10/4/2011 13:26:13:248 Generating component is 2 Status is 1753 - There are no more endpoints available from the endpoint mapper. Detection location is 501 Flags is 0 NumberOfParameters is 4
Unicode string: ncacn_ip_tcp
Unicode string: FQDN TO SYNCHRONIZATION SERVICE MACHINE
Long val: -647262927
Long val: 382312662
The above iteration of the Event ID 6025 indicates that the Source Domain Controller could not make a successful RPC connection to the Synchronization Service machine. The Source Domain Controller is where the Password Change Notification Service (PCNS) is installed.
Here are some focus points for troubleshooting and resolving the 6025 Event ID with a status of 1753. The focus should be on network connectivity and on some PCNS-Password Synchronization configuration settings.
Log Name: Application
Source: PCNSSVC
Date: 1/17/2013 3:50:48 PM
Event ID: 6025
Task Category: Error
Level: Error
Keywords: Classic
User: N/A
Computer: S324VM-DS03.CDSresource.pvt
Description:
Password Change Notification Service received an RPC exception attempting to deliver a notification.
Thread ID: 1584
Tracking ID: 68202185-6fbe-47f0-a0e7-c7cd50f87cd9
User GUID: 4257a2a1-ed52-402e-8c34-64b349c5b147
User: DOMAIN\FIMSynchronizationServiceAccount
Target: PCNSCFG
Delivery Attempts: 16
Queued Notifications: 1
0x000006D3 - The authentication service is unknown.
ProcessID is 4632 System Time is: 1/17/2013 23:50:48:449 Generating component is 2 Status is 1747 - The authentication service is unknown. Detection location is 1710 Flags is 0 NumberOfParameters is 1 Long val: 0
ProcessID is 4632 System Time is: 1/17/2013 23:50:48:449 Generating component is 2 Status is 1747 - The authentication service is unknown. Detection location is 701 Flags is 0 NumberOfParameters is 2 Long val: 8 Long val: 0
This iteration of the Event ID 6025 indicates that something in the configuration of the PCNS-Password Synchronization Solution is invalid.
Here are some focus areas to help in troubleshooting and resolving the 6025 Event ID.
FIM-TROUBLESHOOTING-PCNS: Event ID: 6025 – Status: 1747
If the above information has not helped resolve the issue, you can use some of the following tools to troubleshoot and isolate the Event ID 6025.
The ServicePrincipalName (SPN) that is set on the Domain Synchronization Service Account needs to match exactly the one specified in the PCNS Configuration Data. The following steps should assist in validating this information. I have found that the easiest way to validate it is to dump the information to a text file and then review it.
This is extremely easy to validate and a commonly missed step when setting up Password Management. Validation can be done through the following steps.
A firewall between two machines in the same forest/domain is uncommon. Where one exists, in most cases it is the Windows Firewall enabled on the Source Domain Controller and/or the Synchronization Service machine. If the intent is to keep the Windows Firewall enabled, the necessary ports need to be opened in it.
Firewalls are more often an issue in a Password Management Solution (PCNS-Password Synchronization Solution) between the Synchronization Service machine and the Target forest. Either way, ensure that the correct ports are open to allow communication between the servers.
PCNS requires DNS connectivity, Kerberos connectivity and RPC connectivity. RPC connectivity requires an open range of ports for RPC communication. Here is some more information about the ports involved.
Service                     Protocol    Port
Kerberos                    TCP/UDP     88
DNS                         TCP/UDP     53
Kerberos Change Password    UDP         464
RPC Endpoint mapper         TCP         135
Dynamic RPC ports (PCNS)    TCP         5000-5100
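As an added example (not from the original article), the following PowerShell script, run on the Source Domain Controller, performs the checks implied by the conditions above in one pass: DNS resolution of the target FQDN, the fixed TCP ports from the table, clock skew against the 5-minute Kerberos limit, and whether the SPN is held by exactly one account across both forests. The FQDNs, account name, DC names and the PCNSCLNT SPN prefix are assumed placeholders; the ActiveDirectory RSAT module and Test-NetConnection (Windows Server 2012 or later) are assumed to be available.

```powershell
# Added example, not part of the original article. Run on the Source Domain
# Controller against the Synchronization Service machine. All values below are
# assumed placeholders; the PCNSCLNT SPN prefix is also an assumption.
$SyncServerFqdn = 'fimsync.target.example.com'            # FQDN used in the PCNS target
$SyncAccountSam = 'FIMSynchronizationServiceAccount'      # sAMAccountName of the sync account
$ExpectedSpn    = "PCNSCLNT/$SyncServerFqdn"
$ForestDcs      = @('dc1.source.example.com', 'dc1.target.example.com')  # one DC per forest

Import-Module ActiveDirectory   # RSAT AD module, assumed to be installed

# 1. DNS: the target must be given as an FQDN and must resolve from this DC.
$dns = Resolve-DnsName -Name $SyncServerFqdn -Type A -ErrorAction SilentlyContinue
'DNS        : ' + $(if ($dns) { "OK ($($dns.IPAddress -join ','))" } else { 'FAILED' })

# 2. Fixed TCP ports from the table: Kerberos 88 and RPC endpoint mapper 135.
#    The dynamic range 5000-5100 only listens once the endpoint mapper has handed
#    out a port, so probing it blindly says nothing about the firewall.
foreach ($port in 88, 135) {
    $tcp = Test-NetConnection -ComputerName $SyncServerFqdn -Port $port -WarningAction SilentlyContinue
    "TCP $port    : " + $(if ($tcp.TcpTestSucceeded) { 'OK' } else { 'BLOCKED or CLOSED' })
}

# 3. Clock skew: Kerberos rejects the request above 5 minutes of variance.
$chart  = w32tm /stripchart /computer:$SyncServerFqdn /samples:1 /dataonly 2>&1
$sample = $chart | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -Last 1
if ($sample) {
    $skew = [math]::Abs([double]$sample.Matches[0].Groups[1].Value)
    'Clock skew : {0:N1}s {1}' -f $skew, $(if ($skew -lt 300) { 'OK' } else { 'TOO LARGE' })
} else { "Clock skew : could not query $SyncServerFqdn" }

# 4. SPN: exactly one account, in either forest, may hold the SPN, and it must be
#    the Synchronization Service account. A copy of the account in the other forest
#    carrying the same SPN is the duplicate-SPN case this page describes.
$holders = @(foreach ($dc in $ForestDcs) {
    Get-ADObject -Server $dc -LDAPFilter "(servicePrincipalName=$ExpectedSpn)" `
                 -Properties sAMAccountName -ErrorAction SilentlyContinue
})
switch ($holders.Count) {
    0       { "SPN        : $ExpectedSpn is not registered on any account" }
    1       { 'SPN        : held by {0} {1}' -f $holders[0].sAMAccountName,
              $(if ($holders[0].sAMAccountName -eq $SyncAccountSam) { '(OK)' } else { '(WRONG ACCOUNT)' }) }
    default { 'SPN        : DUPLICATE, held by ' + ($holders.DistinguishedName -join '; ') }
}
```

Querying the other forest's DC with -Server requires a trust or explicit -Credential; the UDP ports in the table (53, 88, 464) cannot be probed with Test-NetConnection and are covered only indirectly by the DNS and w32tm steps.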
Duplicate Service Principal Names (SPNs) can cause communication problems with the Synchronization Service machine. How you search for duplicate SPNs depends on which Windows Server version you are running.
Duplicate SPNs can be:
We have seen #2 when the Synchronization Service Engine is installed in the Target Forest, PCNS is set up and configured in the Source Forest, and the Synchronization Service Account exists in both environments. In this situation, you will want to use the -Q switch to see whether the SPN exists on both accounts. It may only exist on one: the account that is being used for the Synchronization Service.
Windows Server 2008: http://technet.microsoft.com/en-us/library/cc731241(WS.10).aspx
Query Mode Parameter    Description                     Usage
-Q <spn>                Query for existence of SPN      setspn -Q <spn>
-X                      Query for duplicate SPNs        setspn -X
NOTE: Searching for duplicates, especially forest-wide, can take a long period of time and a large amount of memory.
Windows Server 2003
It is recommended to download the SETSPN.EXE update from Microsoft Knowledge Base Article 970536. Once the update is installed, the two commands above can be used for SPN searches.
At a minimum, all Domain Controllers that will be sending password changes must be granted the "Access this computer from the network" user right. It is recommended not to change the default settings of this User Rights Assignment.
The default settings of "Access this computer from the network" are:
You can validate this setting through the following steps:
For more information on "Access this computer from the network", review this Microsoft TechNet document.
http://technet.microsoft.com/en-us/library/cc740196(v=WS.10).aspx
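As an added example (not from the original article), this PowerShell snippet exports the local user rights assignment on the Synchronization Service machine with secedit, reports who currently holds "Access this computer from the network" (SeNetworkLogonRight), and checks that the Source Domain Controllers are still covered. It assumes an elevated prompt on the Synchronization Service machine.

```powershell
# Added example, not part of the original article. Run elevated on the
# Synchronization Service machine (the target of the PCNS notifications).
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported .inf contains a line such as:
#   SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
$line    = Get-Content $cfg | Where-Object { $_ -like 'SeNetworkLogonRight*' } | Select-Object -First 1
$entries = @()
if ($line -match '=\s*(.*)$') { $entries = $Matches[1] -split ',' | ForEach-Object { $_.Trim() } }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are "*SID" or a plain account name; translate the SIDs to readable names.
$names = foreach ($e in $entries) {
    if ($e.StartsWith('*')) {
        try { (New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $e }   # unresolvable SID, e.g. from a deleted account
    } else { $e }
}
'Access this computer from the network is granted to: ' + ($names -join ', ')

# Source Domain Controllers connect as their computer accounts, which fall under
# Everyone (S-1-1-0) and Authenticated Users (S-1-5-11). If both have been removed,
# any DC not listed explicitly is denied network logon and PCNS delivery fails.
if ($entries -contains '*S-1-1-0' -or $entries -contains '*S-1-5-11') {
    'Source Domain Controllers are covered by this assignment.'
} else {
    'WARNING: neither Everyone nor Authenticated Users holds the right; add the DCs explicitly.'
}
```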