

Configure Password Change Notification Service (PCNS) for use with OLSync for Live@edu


Applies to: Live@edu

Topic last modified: 2011-12-05

The Microsoft Password Change Notification Service (PCNS) synchronizes password changes made in Active Directory to Microsoft Forefront Identity Manager (FIM) 2010 or Microsoft Identity Lifecycle Manager (ILM) 2007. To use PCNS, you must install it on one domain controller, set up an SPN record for each FIM 2010 or ILM 2007 server, configure PCNS, and then enable PCNS in FIM 2010 or ILM 2007:

  • Install PCNS on One Domain Controller

  • Create SPN Records on Each FIM 2010 or ILM 2007 Server

  • Configure PCNS

  • Enable PCNS in FIM 2010 or ILM 2007

Note: After you install PCNS, you must restart your domain controller.

Required Permissions and Information

The following permissions and information are required before installing and configuring PCNS:

  • The user who installs PCNS must be a member of the Domain Admins group.

  • If the Active Directory directory service schema must be updated to include object classes and attributes that PCNS requires, the user must also be a member of the Schema Admins group. If you’re not a member of the Schema Admins group, you need to log on with a Schema Admin account and run the following command:

    MSIEXEC.EXE /I "Password Change Notification Service.msi" SCHEMAONLY=TRUE 
    

    After running this command, log back on and complete the PCNS install.

  • You’ll need to know the names of each of your FIM 2010 or ILM 2007 servers, and the credentials for the service accounts used for running FIM 2010 or ILM 2007, and for running OLMA.

Install PCNS on One Domain Controller

  1. Download the appropriate version of PCNS. PCNS should be installed on one domain controller.

    • If you’re using FIM 2010, download the 64-bit version of PCNS.

    • If you’re using ILM 2007, download the 32-bit version of PCNS.

    Download PCNS

  2. On the Location to Save Files page, select a location, and then click Next.

  3. In the Setup Wizard, click Next.

  4. When prompted, restart your domain controller.

Create SPN Records on Each FIM 2010 or ILM 2007 Server

You need to create one Service Principal Name (SPN) record to identify the PCNS client on each FIM 2010 or ILM 2007 server. You do not need one SPN per domain controller. Do the following steps once for each FIM 2010 or ILM 2007 server:

  1. On a domain controller, open a command window with elevated permissions. Click Start, right-click Command Prompt, and then click Run as Administrator.

  2. If you’re using Windows Server 2008, on your domain controller, run the setspn command with the –A (add) parameter, where servicename/name is the SPN that you want to add, and the last argument is the account to which the SPN is attached (the FIM 2010 or ILM 2007 service account, as in the example below):

    Setspn.exe -A servicename/name accountname
    

    For example, the following example adds a PCNSCLNT SPN record for the FIM server named FIMserver1, using the service account Contoso\fimaccount.

    Setspn.exe -A PCNSCLNT/FIMServer1.contoso.edu Contoso\fimaccount
    

Note: Setspn can be downloaded for Windows 2003. The syntax may vary slightly based on your version of Windows. For download locations and detailed information for the setspn utility, see SetSPN Overview.

The SPN actually gets attached to the service account, not to the server. To verify the SPNs were added correctly, use the –L (list) parameter and specify the service account. This example uses the same service account as in the previous example, Contoso\fimaccount:

Setspn -L Contoso\fimaccount

Note: The SPN must be unique and cannot appear on any other service account. Otherwise, Kerberos authentication fails and password change requests are not sent. Use setspn -X to help find duplicates.

Configure PCNS

The next step is to add the FIM 2010 or ILM 2007 servers to PCNS. PCNS calls these servers targets.

  1. In the Command Prompt window, change directories to the location you selected during installation of PCNS.

  2. Run the pcnscfg utility once for each FIM 2010 or ILM 2007 server, using the correct values for your domain. In the /S parameter, use the same format you used for the computer name in the Setspn command: if you used the fully qualified domain name (FQDN) in Setspn, use it here also.

    pcnscfg ADDTARGET /N:FIMserver1 /A:FIMserver1.contoso.edu /S:PCNSCLNT/FIMserver1.contoso.edu /FI:"Domain Users" /FE:"Domain Admins" /F:1 /I:600 /D:False /WL:20 /WI:60
    

    Here’s what the parameters mean:

    Parameter   Description
    /N          Unique name of the target
    /A          FQDN of the target
    /S          SPN of the target (that you added above)
    /FI         The filter inclusion group. Note that this is a group and not an organizational unit.
    /FE         Filter exclusion group: groups whose passwords you don’t want synchronized (“Domain Admins”, for example)
    /F          User name format delivered to the target (1 = FQDN)
    /I          Keep-alive interval in seconds
    /WL         Logs a warning if the queue reaches or exceeds this length
    /WI         Interval, in minutes, at which the queue length warning is logged

Enable PCNS in FIM 2010 or ILM 2007

  1. From the FIM 2010 Synchronization Service Manager or the ILM 2007 Identity Manager, select Tools > Options.

  2. In the Password Synchronization section, select the “Enable Password Synchronization” check box, and click OK.

  3. Select the OnPremise management agent, and click Properties.

  4. In the Password Synchronization section, select the “Enable this partition as a password synchronization source” checkbox.

  5. Select the Hosted management agent, and click Properties.

  6. In the Password management section, make sure the Set only radio button is selected. This option does process password changes. If you select the “Set and change” radio button, password synchronization with Live@edu will not work.

  7. Click the Settings button next to “Connection information for password extension”.

  8. In the Connection Settings dialog box, enter the user name and password for the OLMA account you created when you set up OLMA. Do not change the value of Connection timeout: it should be set to 0.

  9. Click OK. FIM 2010 or ILM 2007 will now synchronize a password whenever it is changed.

Read More

Deploying Outlook Live Directory Sync for Live@edu