Thursday, September 10, 2015

[FIM] Setup PCNS (Password change notification service) for FIM


1 Reference links

2 Configuration steps

2.1 Install PCNS on the DC (perform only once)

Download Microsoft Password Change Notification Service from:

On the DC, extract the downloaded file and run the following command from a command-line console (the setup cannot be run directly by double-clicking the .msi file).

Unblock the .msi file first.

msiexec /i "Password Change Notification Service.msi" SCHEMAONLY=TRUE

A dialog like the one below is displayed; click Next to install the service.

Alternatively, you can run the installer from PowerShell.

- PowerShell unattended script:

$MSIPCNSFile = "Password Change Notification Service.msi"
# Call msiexec explicitly so the SCHEMAONLY property, the quiet switch and the verbose log path are passed reliably
Start-Process msiexec.exe -ArgumentList "/i `"$MSIPCNSFile`" SCHEMAONLY=TRUE /q /L*v C:\pcnslog.txt" -Wait

A restart of the DC is needed.

- In my case I needed to run a second install, this time without the SCHEMAONLY property, to complete the PCNS installation:

msiexec /i "Password Change Notification Service.msi"

- PowerShell unattended script:

$MSIPCNSFile = "Password Change Notification Service.msi"
# Second (full) install: same switches as before, without SCHEMAONLY
Start-Process msiexec.exe -ArgumentList "/i `"$MSIPCNSFile`" /q /L*v C:\pcnslog.txt" -Wait

A restart of the DC is needed.

Validate ServicePrincipalName between Synchronization Service Account and PCNS Configuration Data

- On the source Domain Controller, open an administrative command prompt (right-click Command Prompt and select Run as administrator).

- Change directory to %programfiles%\Microsoft Password Change Notification:
cd "%programfiles%\Microsoft Password Change Notification"

- In the command prompt, type the following and then press ENTER:
pcnscfg list > pcnscfg.txt

- In the command prompt, type the following and press ENTER:
setspn -L <DOMAIN NAME>\<SYNCHRONIZATION SERVICE ACCOUNT> > spn.txt


- Review both text files to ensure that the ServicePrincipalName (SPN) set on the domain synchronization service account exactly matches the Service Principal Name line in the PCNS configuration information.

If they do not match, you may need to rebuild the information, or modify it so that the SPNs match.

Note: in some cases you will receive the following error:

Password Change Notification Service received an RPC exception attempting to deliver a notification.

The password change notification target could not be contacted.

User Action:
The target server may not be running. Verify that the target server is running.

Additional Details:

PCNS Status is 1722 - The RPC server is unavailable.

In that case you need to rejoin the domain (and verify that the stale DNS records are deleted as well).

2.2 Configure SPN

Run the following command on the DC:
setspn -a PCNSCLIENTNAME/<fqdn of your FIM server> <domain>\<FIM service account>

Example:
setspn -a PCNSCLIENTNAME/<fqdn of your FIM server> <your service account>

2.3 Add PCNS client

Run the following command on the DC (the /S: value must match the SPN registered in step 2.2):
pcnscfg.exe addtarget /N:PCNSCLIENTNAME /A:<fqdn of your FIM server> /S:PCNSCLIENTNAME/<fqdn of your FIM server> /fi:"<name of the PCNS Active Directory Group>" /f:3

Example:
pcnscfg.exe addtarget /n:miisdemo /a:fab-dev-01.usergroup.fabrikam.com /s:PCNSCLNT/fab-dev-01.usergroup.fabrikam.com /fi:"Domain Users" /f:3

To verify that PCNS has been configured properly for the target, run the command "pcnscfg list".

This completes the configuration of the password change notification service: every time a password is changed in AD, the FIM server is notified, and we handle that event by configuring the MA in FIM.

A restart of the DC is needed.

2.4 Verify

To verify that PCNS is working, reset the password of a user, then open Event Viewer. If the process was successful, an event with ID 2100 is logged:
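The SPN check from section 2.1 and the event-log check above can be scripted. The following PowerShell script is an added example, not part of the original post: it compares the SPN registered on the synchronization service account with the SPN the PCNS target expects, prints the PCNS target configuration, and then lists recent 2100 success events together with any "RPC server is unavailable" delivery failures. The account name, FQDN and SPN prefix are placeholders, and it is assumed that PCNS writes to the Application log.

```powershell
# Added example (not from the original post). Run on the DC in an elevated PowerShell.
# Assumptions: placeholder account/FQDN below; PCNS events are written to the Application log.
param(
    [string]$SyncAccount   = 'CONTOSO\svc-fimsync',   # placeholder: <domain>\<FIM service account>
    [string]$FimServerFqdn = 'fim01.contoso.local',   # placeholder: <fqdn of your FIM server>
    [string]$SpnPrefix     = 'PCNSCLIENTNAME'         # must equal the prefix used in /S: of pcnscfg addtarget
)

$expectedSpn = "$SpnPrefix/$FimServerFqdn"

# 1. SPNs registered on the service account. setspn -L prints a header line
#    followed by one indented SPN per line; drop the header and trim the rest.
$registeredSpns = & setspn.exe -L $SyncAccount |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch '^Registered ServicePrincipalNames' }

# -contains is case-insensitive, which matches how SPNs are compared
if ($registeredSpns -contains $expectedSpn) {
    Write-Host "OK: $expectedSpn is registered on $SyncAccount"
} else {
    Write-Warning "SPN mismatch: expected $expectedSpn; account has:`n$($registeredSpns -join "`n")"
    Write-Warning "Register it with: setspn -a $expectedSpn $SyncAccount (and keep /S: in pcnscfg addtarget identical)"
}

# 2. Print the PCNS target configuration so its Service Principal Name line can be compared.
& "$env:ProgramFiles\Microsoft Password Change Notification\pcnscfg.exe" list

# 3. Events from the last hour: ID 2100 (notification delivered) and RPC delivery failures (status 1722).
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 2100 -or $_.Message -match 'RPC server is unavailable' }

if (-not $events) { Write-Host "No PCNS success or RPC failure events in the last hour" }
foreach ($e in $events) {
    $kind = if ($e.Id -eq 2100) { 'SUCCESS' } else { 'RPC FAILURE: check target service, SPN and DNS' }
    '{0:u}  {1,-6} {2,-12} {3}' -f $e.TimeCreated, $e.Id, $e.ProviderName, $kind
}
```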

3 FIM Configuration

Note: in the instructions below, "your MA" means the MA for which you are developing the password synchronization functionality.

3.1 Create AD MA

Create an AD MA to import users from AD into FIM.

3.2 Create MV extension

Create MVExtension.dll to synchronize users from the AD MA to your MA.
Reference: IST.Sybase and the PowerShell connector.

3.3 Configure MAs

First, in FIM, open the Options menu and enable the Password Synchronization functionality.

On the Active Directory MA, edit the properties and enable Password Sync Source, selecting your MA as a target. The picture below shows this for the PowerShell MA.


3.4 Run Export

Run an Export on your MA. If you don't run an Export, FIM will consider the users in your MA not yet synchronized and will not call the SetPassword method.

3.5 Verify

Reset the password of a user in AD.
Using Visual Studio, attach to the FIM process and verify that SetPassword in the connector gets called.
