When using the Password Change Notification Service (PCNS), the password change is not delivered from the DC to the ILM server, and you see the following error in the Event Log on the Domain Controller:
Event Type: Error
Event Source: PCNSSVC
Event Category: Error
Event ID: 6025
Time: 8:03:23 PM
Description: Password Change Notification Service received an RPC exception attempting to deliver a notification.
The password change notification target could not be contacted.
The target server may not be running. Verify that the target server is running.
Thread ID: 5364
Tracking ID: 43a60f6f-2e97-4a8f-b320-b56ed02c7295
User GUID: db36b68d-f23a-4866-891d-23f0a27ea6f2
Delivery Attempts: 73
Queued Notifications: 3
0x000006D9 - There are no more endpoints available from the endpoint mapper.
ProcessID is 648
System Time is: 5/14/2009 0:3:23:207
Generating component is 2
Status is 1753 - There are no more endpoints available from the endpoint mapper.
Detection location is 501
Flags is 0
NumberOfParameters is 4
Unicode string: ncacn_ip_tcp
Unicode string: mymachine.mycompany.com
Long val: -647262927
Pointer val: 785240
At a minimum, all DCs that will be sending password changes must be given this access (the "Access this computer from the network" user right on the ILM machine). Note that it is recommended not to change the default settings, which are:
1. Administrators local group
3. Users local group
There are a number of possible causes of this error, most of which can be found by standard PCNS troubleshooting techniques, such as verifying that the ILM service is running, that the SPN is set correctly on the ILM service account, and that the output from pcnscfg -list shows a valid configuration. This article addresses one specific cause that cannot be found using the usual troubleshooting techniques and was difficult to isolate.
In order to communicate with the ILM service, the DC sending the password change must be allowed a network logon to the ILM machine. Auditing the logon event on the ILM machine showed a failed logon for the DC.
For more information on the side effects of changing the "Access this computer from the network" setting, see the following article:
KB823659 - Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
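One way to check this right on the ILM server, as an added example that is not part of the original article: it exports the user rights assignments with secedit and lists who holds SeNetworkLogonRight, the policy constant behind "Access this computer from the network". The temporary file name is an arbitrary choice, and the script assumes an elevated PowerShell session.

```powershell
# Added example, not from the original article. Run elevated on the ILM server.
$cfg = Join-Path $env:TEMP 'pcns_user_rights.inf'   # arbitrary temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

# The export holds one line per right, for example:
#   SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
$line = Get-Content $cfg |
    Where-Object { $_ -match '^\s*SeNetworkLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'No account holds "Access this computer from the network".'
    return
}

# Entries are either *SID or a plain account name; resolve SIDs where possible.
$holders = foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
    $entry = $entry.Trim()
    if (-not $entry) { continue }
    $name = $entry
    $sid  = $null
    if ($entry.StartsWith('*')) {
        $sid = $entry.Substring(1)
        try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = $sid }   # orphaned SID: show it unresolved
    }
    New-Object psobject -Property @{ Sid = $sid; Name = $name }
}
$holders | Format-Table Name, Sid -AutoSize

# Well-known SIDs of the two default holders the article names.
$defaults = @{
    'S-1-5-32-544' = 'Administrators local group'
    'S-1-5-32-545' = 'Users local group'
}
$heldSids = @($holders | ForEach-Object { $_.Sid })
foreach ($sid in $defaults.Keys) {
    if ($heldSids -notcontains $sid) {
        Write-Warning "$($defaults[$sid]) ($sid) does not hold this right; confirm the DCs are still covered."
    }
}
```

A warning here means the defaults were changed, so the DCs sending password changes need to be covered by one of the remaining entries.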
PCNS, Password Change Notification Service, ILM, Identity Lifecycle Manager, MIIS, Microsoft Identity Integration Server
Article ID: 973807 - Last updated: Jul 17, 2009 - Revision: 1