Ok… So you have brought up your Forefront Identity Management 2010 environment, configured policies, got password reset working and life is good. Then down the road you of course make performance, configuration changes or tweaks to the environment, MAs, etc… One day you initiate (or user) a password reset via a workstation “reset password” link, pass through the gate questions without any problems, enter the new password and submit. Then to your surprise are presented with a not so intuitive error. Wait… this worked before WTH is going on.
You do some digging, check for events on the server running the password reset and discover a slue of the following events under “Forefront Identity Manager” event node.
Details: "PWReset activity could not connect to the directory"
After banging my head on the concrete, I recalled changes made to the environment and when, then matched them up to the last time Password Reset worked. I recalled a change made to the AD MA in order to work around the Excessive CPU Utilization on the Synchronization Server, which was to set the ADMA to “Run in a separate process..”. If you set the AD MA to run in a separate process, password reset fails.
Make sure the AD MA is NOT enabled to “Run in a separate process”, and then restart the Forefront Identity Manager Synchronization Server Service (miisserver.exe). Try another password reset and BAM, it works.
So what fixed one issue apparently damaged/disrupted another. Until the fix for FIM 2010 is available, determine what is more important to you… a pegged processor on the Synchronization Server or Password Reset working. I’ll leave that up to you.