Thread: live@edu and ILM to sync passwords
  1. #16

    Join Date
    Apr 2010
    Location
    Oahu
    Posts
    16
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Thanks!
    I had it installed but I was looking in the wrong folder. This is the message that I got:

    C:\Program Files\Microsoft Password Change Notification>pcnscfg.exe addtarget /n:PCNSCLNT /a: DCTEST.ADTEST.byuh.EDU /s:PCSNCLNT/DCTEST.ADTEST.xxx.EDU /fi:"Domain Users" /f:3
    Warning: The Service Principal Name you specified could not be found on any
    accounts in this domain. This target configuration will not be able to deliver
    passwords if the Service Principal Name is not configured properly.

    Target Name...........: PCNSCLNT
    Target GUID...........: CF420837-BDB5-4D69-98D4-D8197C0CAA33
    Server FQDN or Address: DCTEST.ADTEST.xxx.EDU
    Service Principal Name: PCSNCLNT/DCTEST.ADTEST.xxx.EDU
    Authentication Service: Kerberos
    Inclusion Group Name..: ADTEST\Domain Users
    Exclusion Group Name..:
    Keep Alive Interval...: 0 seconds
    User Name Format......: 3
    Queue Warning Level...: 0
    Queue Warning Interval: 30 minutes
    Disabled..............: False


    Is this how it should look at this point? There is another step to be completed; will that fix the message that says it is not configured right?
    Thanks very much for your help.

    Cheers

    Manu

  2. #17

    Thanks very much Rabbie.
    I got this message when I ran the command, though:
    "C:\Program Files\Microsoft Password Change Notification>pcnscfg.exe addtarget /n:PCNSCLNT /a:DCTEST.ADTEST.byuh.EDU /s:PCSNCLNT/DCTEST.ADTEST.byuh.EDU /fi:"Domain Users" /f:3
    Warning: The Service Principal Name you specified could not be found on any
    accounts in this domain. This target configuration will not be able to deliver
    passwords if the Service Principal Name is not configured properly.

    Target Name...........: PCNSCLNT
    Target GUID...........: CF420837-BDB5-4D69-98D4-D8197C0CAA33
    Server FQDN or Address: DCTEST.ADTEST.byuh.EDU
    Service Principal Name: PCSNCLNT/DCTEST.ADTEST.byuh.EDU
    Authentication Service: Kerberos
    Inclusion Group Name..: ADTEST\Domain Users
    Exclusion Group Name..:
    Keep Alive Interval...: 0 seconds
    User Name Format......: 3
    Queue Warning Level...: 0
    Queue Warning Interval: 30 minutes
    Disabled..............: False"
    So I typed the command "setspn -L OLSync" and I get this message: "Usage: setspn [modifiers switches data] computername
    Where 'computername' can be the name or domain\name

    Modifiers:
    -F = perform the duplicate checking on forestwide level
    -P = do not show progress (useful for redirecting output to file)

    Switches:
    -R = reset HOST ServicePrincipalName
    Usage: setspn -R computername
    -A = add arbitrary SPN
    Usage: setspn -A SPN computername
    -S = add arbitrary SPN after verifying no duplicates exist
    Usage: setspn -S SPN computername
    -D = delete arbitrary SPN
    Usage: setspn -D SPN computername
    -L = list registered SPNs
    Usage: setspn [-L] computername
    -Q = query for existence of SPN
    Usage: setspn -Q SPN
    -X = search for duplicate SPNs
    Usage: setspn -X

    Examples:
    setspn -R daserver1
    It will register SPN 'HOST/daserver1' and 'HOST/{DNS of daserver1}'
    setspn -A http/daserver daserver1
    It will register SPN 'http/daserver' for computer 'daserver1'
    setspn -D http/daserver daserver1
    It will delete SPN 'http/daserver' for computer 'daserver1'
    setspn -F -S http/daserver daserver1
    It will register SPN 'http/daserver' for computer 'daserver1' if no such SPN exists in the forest"
    How is that possible? It was working the other day. I ran the command to delete it and recreate it and this is what I get: "C:\>setspn.exe -A PCNSCLNT/DCTEST.ADTEST.BYUH.EDU ADTEST.BYUH.EDU\OLSync
    Registering ServicePrincipalNames for CN=OLSync,CN=Users,DC=adtest,DC=byuh,DC=edu
    PCNSCLNT/DCTEST.ADTEST.BYUH.EDU
    Updated object"
    I thought I was done and instead I'm back to square 1! I want to cry!
    What am I doing wrong? Nothing has changed; the environment is the same.

    Manu

  3. #18

    RabbieBurns's Avatar
    Join Date
    Apr 2008
    Location
    Sydney
    Posts
    5,521
    Thank Post
    1,333
    Thanked 469 Times in 306 Posts
    Blog Entries
    6
    Rep Power
    199
    You have made a mistake in your command.

    Code:
    "C:\Program Files\Microsoft Password Change Notification>pcnscfg.exe addtarget /n:PCNSCLNT /a:DCTEST.ADTEST.byuh.EDU /s:PCSNCLNT/DCTEST.ADTEST.byuh.EDU /fi:"Domain Users" /f:3

    You have put PCSNCLNT instead of PCNSCLNT.

    (apologies if that was a typo I made previously if you have copied)
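
Added example, not part of any post in this thread: a PowerShell check that compares the SPN stored in a PCNS target with the SPNs registered on the service account, which is the mismatch behind the warning quoted above. The function names are hypothetical, the sample text is constructed from the output in posts #16 and #17, and the `setspn -L` listing layout is an assumption.

```powershell
# Added example: names are hypothetical; sample text is constructed from the
# output quoted in posts #16 and #17 of this thread.

function Get-PcnsTargetSpn([string]$PcnscfgOutput) {
    # Value of the "Service Principal Name: <class>/<host>" line in pcnscfg output.
    if ($PcnscfgOutput -match '(?m)^\s*Service Principal Name\s*:\s*(\S+)') { $Matches[1] }
}

function Get-RegisteredSpn([string]$SetspnListOutput) {
    # Assumed "setspn -L" layout: a header line, then one indented SPN per line.
    [regex]::Matches($SetspnListOutput, '(?m)^[ \t]+([^\s/]+/\S+)\s*$') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-PcnsSpn([string]$TargetSpn, [string[]]$RegisteredSpn) {
    # -contains and -eq ignore case, so byuh.EDU and BYUH.EDU compare equal.
    if ($RegisteredSpn -contains $TargetSpn) {
        return [pscustomobject]@{ Status = 'OK'; Target = $TargetSpn; Registered = $TargetSpn }
    }
    $targetHost = ($TargetSpn -split '/', 2)[1]
    # Same host under a different service class points to a mistyped class name.
    $near = $RegisteredSpn |
        Where-Object { ($_ -split '/', 2)[1] -eq $targetHost } |
        Select-Object -First 1
    $status = if ($near) { 'ServiceClassMismatch' } else { 'NotRegistered' }
    [pscustomobject]@{ Status = $status; Target = $TargetSpn; Registered = $near }
}

# Constructed sample: target configuration as printed by pcnscfg addtarget.
$pcnscfgSample = @'
Target Name...........: PCNSCLNT
Server FQDN or Address: DCTEST.ADTEST.byuh.EDU
Service Principal Name: PCSNCLNT/DCTEST.ADTEST.byuh.EDU
Authentication Service: Kerberos
'@

# Constructed sample: SPN listing for the OLSync service account.
$setspnSample = @'
Registered ServicePrincipalNames for CN=OLSync,CN=Users,DC=adtest,DC=byuh,DC=edu:
    PCNSCLNT/DCTEST.ADTEST.BYUH.EDU
'@

Test-PcnsSpn (Get-PcnsTargetSpn $pcnscfgSample) (Get-RegisteredSpn $setspnSample)
```

To check a live configuration, pass the captured text of the pcnscfg output and of `setspn -L OLSync` in place of the two samples.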

  4. #19

    I fixed all the misspellings and now everything looks like it should be, but still can't synchronize the passwords.
    Any other clues?
    I get this message from the event viewer:

    " The management agent "Hosted" completed run profile "Delta Import (Stage Only)" with a delta import or delta synchronization step type. The rules configuration has changed since the last full import or full synchronization.

    User Action
    To ensure the updated rules are applied to all objects, a run with step type of full import and full synchronization should be completed."

    I appreciate your help.

    Manu

  5. #20

    RabbieBurns
    That's not an error, just a log.

    When you run .\StartSync.ps -FirstRun

    Does it create the accounts OK? Do you get a load of green Success text showing?

    When you change a password on a DC, does it say it was delivered to all targets, or does it give you an error?

  6. #21

    When I run the command .\startSync I get these results:

    PS C:\Program Files\Microsoft Identity Integration Server\SourceCode\Scripts> .\StartSync
    Hosted [Delta Import (Stage Only)] success
    OnPremise [Delta Import (Stage Only)] success
    OnPremise [Delta Sync] success
    Hosted [Delta Sync] success
    Hosted [Export] success
    Hosted [Delta Import (Stage Only)] success

    It creates new accounts in WLive for users that I create in the AD. When I reset the password on AD, it shows a message that says that the password for that user has been changed, nothing more. So I'm assuming that the password sync is still not working properly.
    Manu

  7. #22

    RabbieBurns
    That is looking promising. You won't get any other message in AD after changing the password. The only other thing you will see is an event log from the PCNS Service saying the password was delivered to all targets.

    Can you login to live@edu with the new password you changed it to?

  8. #23

    How can I access the PCNS log?
    I can't login to live@edu with the new password.

  9. #24

    RabbieBurns
    It's just another entry in Event Viewer on the domain controller you used to change the password.

    Have you enabled password sync within ILM and entered the correct live@edu admin account into the relevant places?

  10. #25

    RabbieBurns
    Also, are you running Exchange?

    When you installed the OLSync msi package, what options did you choose?

  11. #26

    I have set up the ILM, for pass sync, and I entered the right credentials for the Admin Account.
    Exchange is installed on the DC, we are testing it to migrate all the staff and faculty in the next few months.
    When I installed ILM I selected the "exchange option" but I never configured it to work with ILM. Do I need to do something on that end?
    Later

    Manu

  12. #27

    RabbieBurns
    I didn't do a migration of accounts from Exchange to live@edu.

    Although we run Exchange, it is for staff only. So I set it up as AD only.

    But I don't imagine it would make a difference.

    Did you remember to run all the PowerShell commands to link the local admin sync account to the live@edu admin account?

  13. #28

    I probably missed those; I only ran the .\startsync. Do you have them? It might be it.
    thx

  14. #29

    RabbieBurns
    Here is an extract from my instructions documentation:

    After you create the OLSync and PWSync service accounts, sign out of the Outlook Live domain, and sign in to the Outlook Live domain again with the OLSync service account using Outlook Web App (https://www.outlook.com/owa). You have to do this one time to accept the terms of use for that new account. If you don't sign in to Outlook Web App and accept the terms of use, you will get Access Denied errors when you try to run ILM 2007 FP1 with the service account.

    Connect Windows PowerShell on your local computer to Outlook Live

    • Click Start > All Programs > Accessories > Windows PowerShell > Windows PowerShell.
    • Run the following command:

    Code:
    $LiveCred = Get-Credential

    • In the Windows PowerShell Credential Request window that opens, type the Windows Live ID and password of an Outlook Live account. When you are finished, click OK.
    • Run the following command:

    Code:
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

    Note: The AllowRedirection parameter enables Outlook Live organizations all over the world to connect Windows PowerShell to Outlook Live by using the same URL.
    • Run the following command:

    Code:
    Import-PSSession $Session

    Assign the GALSynchronizationManagement RBAC role to the OLSync service account

    The GALSynchronizationManagement role based access control (RBAC) role lets the OLSync service account run Exchange synchronization cmdlets on your Outlook Live domain.
    • In a client-side session, run the following command:

    Code:
    New-ManagementRoleAssignment -User OLSync@<tenant_domain> -Role GALSynchronizationManagement -Name "OLSync Svc Role"

    Give the OLSync service account access to WinRM:

    The last configuration you need to make to the service account is to give the account access to Windows Remote Management (WinRM) so ILM 2007 FP1 can connect Windows PowerShell to Outlook Live. After you have run the command to enable WinRM on the OLSync service account, be sure to close the current Windows PowerShell session.
    1. In a client-side session, run the following command:

    Code:
    Set-User OLSync@<tenant_domain> -RemotePowerShellEnabled $true

    Keep the PowerShell window open, and proceed to the next step to test the service account.

    Test the OLSync service account:

    Because this OLSync service account will be used by ILM 2007 FP1 to synchronize your on-premises domain with your Outlook Live domain, the best way to test the configuration is to open a client-side session with the service account.
    Using the session from the previous step, run the following cmdlets to make sure the account has the appropriate RBAC permissions:

    Code:
    Get-SyncMailbox

    Code:
    Get-AcceptedDomain

    When you're finished using the Outlook Live server-side session, always disconnect Windows PowerShell from Outlook Live by running the following command:

    Code:
    Remove-PSSession $Session
    Last edited by RabbieBurns; 21st April 2010 at 07:57 AM.

  15. #30

    Hello RabbieBurns. I ran these commands the first time that I created the OLSync account. It seems to be configured correctly. I still think that the password sync did not work somehow.
