Exchange 2007 GAL Sync and NDRs
I'm migrating cross-forest from Exchange 2003 to Exchange 2007. Apologies in advance, this is my first experience with Forefront Identity Manager. FIM 2010 is syncing the GAL one-way from E2K3 to E2K7. Our migration tool (Priasoft) is creating contacts in the E2K3 forest so migrated mailboxes appear in the GAL. There are no problems with the Priasoft contacts, but mailing to the FIM-generated contacts from a migrated E2K7 mailbox gives the following NDR:

Generating server: E2K7HubTransport.companylan.local
IMCEAEX-_O=NT5_ou=2c93a303b061604facd6014c7714b70a_cn=7f5ac003ee3f8b4eaa2ef13bb2e46bd2@targetsmtpnamespace.co.uk
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

The FIM-generated contacts are stamped with the correct X500 address based on the LegacyExchangeDN of the migrated account. The target addresses stamped by FIM on these contacts are also correct, and are within an authoritative SMTP namespace on E2K3 that is different from that used to create target addresses on the Priasoft contacts. One interesting quirk is that the IMCEAEX address above includes an SMTP namespace (in bold) that is an accepted domain in the E2K7 environment, but not one of the target address domains mentioned above! Any help on the NDRs would be greatly appreciated!
August 13th, 2010 9:25am
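
Added example, not part of the original thread: the NDR above carries an IMCEAEX-encoded address, and decoding it back to X500 form shows which value has to exist on the target contact as legacyExchangeDN or as an X500 proxy address. The function names and the contact objects are hypothetical and constructed; the decoding rule assumed is the usual one (underscore stands for "/", +XX is a hex-escaped character).

```powershell
# Added example (not from the thread). Contact objects below are constructed.
function ConvertFrom-ImceaEx {
    param([Parameter(Mandatory = $true)][string]$Address)
    # Strip the IMCEAEX- prefix and the @domain suffix added for transport.
    if ($Address -notmatch '^IMCEAEX-(?<body>.+)@[^@]+$') {
        throw "Not an IMCEAEX address: $Address"
    }
    # "_" stands for "/"; do this before unescaping so an escaped "+5F" stays "_".
    $body = $Matches['body'] -replace '_', '/'
    # "+XX" is a hex-escaped character (+20 space, +28 "(", +29 ")").
    [regex]::Replace($body, '\+([0-9A-Fa-f]{2})', {
        param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
    })
}

function Find-AddressOnRecipient {
    param([string]$X500, $Recipient)
    # Compare against legacyExchangeDN first, then any X500 proxy addresses.
    $proxies = @($Recipient.proxyAddresses | Where-Object { $_ -like 'X500:*' } |
        ForEach-Object { $_.Substring(5) })
    if ($Recipient.legacyExchangeDN -and $Recipient.legacyExchangeDN -ieq $X500) {
        'legacyExchangeDN'
    } elseif ($proxies -icontains $X500) { 'X500 proxy' } else { 'no match' }
}

# Address exactly as it appears in the NDR quoted in the first post.
$ndr = 'IMCEAEX-_O=NT5_ou=2c93a303b061604facd6014c7714b70a_cn=7f5ac003ee3f8b4eaa2ef13bb2e46bd2@targetsmtpnamespace.co.uk'
# Constructed: the E2K7 legacyExchangeDN quoted later in the thread, in encoded form.
$encoded = 'IMCEAEX-_o=E2K7ExchangeOrg_ou=Exchange+20Administrative+20Group+20+28FYDIBOHF23SPDLT+29_cn=Recipients_cn=mailboxalias@example.invalid'

# Constructed contacts: X500 proxy only (as first described), then with legacyExchangeDN stamped.
$x500Proxy = 'X500:/o=E2K3ExchangeOrg/ou=First Administrative Group/cn=Recipients/cn=mailboxalias'
$before = New-Object PSObject -Property @{ legacyExchangeDN = $null; proxyAddresses = @($x500Proxy) }
$after  = New-Object PSObject -Property @{
    legacyExchangeDN = '/o=E2K7ExchangeOrg/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=mailboxalias'
    proxyAddresses   = @($x500Proxy)
}

# Decode each address and report where, if anywhere, it is found on each contact.
foreach ($address in $ndr, $encoded) {
    $x500 = ConvertFrom-ImceaEx $address
    'Decoded: {0}' -f $x500
    '  contact without legacyExchangeDN: {0}' -f (Find-AddressOnRecipient $x500 $before)
    '  contact with legacyExchangeDN:    {0}' -f (Find-AddressOnRecipient $x500 $after)
}
```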

Hmm, if I copy the LegacyExchangeDN from the E2K3 user account to the E2K7 FIM-generated contact, the mail is delivered successfully without NDR! My understanding is that the X500 address stamped on the contact by FIM (which includes the LegacyExchangeDN details of E2K3 account) should handle the routing, but this doesn't appear to work. Will I have to manually add LegacyExchangeDNs to all FIM-generated contacts?
August 13th, 2010 4:40pm

You should not have to add the legacyExchangeDN attribute value manually; Exchange is expected to do this for you. I suspect you are getting the error because the contact is created in the Exchange 2007 org but there is a problem with the update-recipient PowerShell script that the FIM 2010 sync engine uses for this purpose. You might check the application log on the FIM 2010 machine; it should show some more specific information regarding this. Of course, it is expected that you will have the EMC 2007 SP1 on the FIM machine. If you are not getting errors and the checkbox for 'enabling Exchange 2007 provisioning' is enabled, then this could be because of a known issue with update-recipient that is ultimately fixed in RU9 for Exchange 2007 SP1 or by updating to SP2. One last thing that can cause this (this especially affects group objects) is that if the mailNickname (alias) attribute of the target object has a space character in it, Exchange 2007 won't accept it and this will cause the object to be created but update-recipient to fail. If this is the case, it will show up in the app log on the FIM 2010 sync box.
August 13th, 2010 5:38pm

I really appreciate the response Glenn! I have to admit that FIM was installed on Win 2008 R2, and getting to the end of the deployment, realised I'd have to install Exchange 2007 SP3 management tools. Am aware SP1 is specified in the FIM 2010 system requirements. Do you think it's possible that this is a simple incompatibility issue, in that SP3 is possibly causing the problems? If not, is the GALSync.dll definitely supposed to stamp the LegacyExchangeDN attribute on the FIM-generated contact? It is successfully pulling the attribute across and copying it to the contact as an X500 proxy address, but the LegacyExchangeDN is empty. I'm struggling to understand if it's potentially a missing LegacyExchangeDN that's the problem (i.e. a FIM issue), or otherwise if it's that the X500 address is not being routed properly or recognised within the Exchange 2007 organisation (i.e. an E2K7 problem, FIM is doing its job, X500 should deal with routing to E2K3, and LegacyExchangeDN is not required). PS - When performing a Get-GlobalAddressList | Update-GlobalAddressList on the E2K7 deployment, it only complains that 4 out of around 350 contacts have space characters in the alias.
August 14th, 2010 8:29pm

One other thing to note is the Attribute Flow for FIM source domain MA shows "proxyAddresses <- legacyExchangeDN, proxyAddresses" (for all 'contact' Object Types). This makes me think FIM GAL Sync is configured by default to convert LegacyExchangeDN to an X500 proxy address, and not actually copy this to LegacyExchangeDN attribute on destination domain contact. Which leads me to think that this is a problem with Exchange 2007 not routing the X500 address through to the E2K3 org (and not an issue with FIM not doing its job!). ... although, I'm more than happy to be told otherwise!
August 14th, 2010 8:50pm

Ok, you are using R2. I probably should have mentioned, I don't believe that anything before EMC 2007 SP3 is supported on R2. As for the attribute flow you are referring to with the x500 addresses, this is what GALSYNC does: It takes the legacyExchangeDN value from all objects, including the source mailbox and any contacts that it creates, and stores them in an MV attribute also called legacyExchangeDN. During the synchronization process, it, like you said, converts the legacyExchangeDN values to x500 addresses and it attempts to put these on all objects, both source and target. So it does attempt to put these values on your source mailbox object and that is what the flow rule you saw is for. However, it doesn't actually write the legacyExchangeDN values themselves; it still expects Exchange to provide these. The bugs I mentioned with update-recipient are unlikely to be your issue if you are using SP3. I would verify that the MAs are configured to provision to Exchange 2007 via the dropdown on the 'Configure Extensions' property page for each GALSYNC MA. Assuming it is configured to provision to Exchange 2007, take a look at the app log on the FIM 2010 server. I suspect that these are objects that have something wrong with them, such as a mailNickname (alias) value that has a space character in it.
August 15th, 2010 12:14am

The Exchange 2007 MA is configured OK to provision to Exchange 2007. The other MA is being used to import required contact info from an Exchange 2003 environment to the MV, so can't be set to provision to Exchange 2007. I do get ma-extension-errors on all contacts when exporting via the Exchange 2007 MA. However, there's no 'Connected data source error code' listed. In the event viewer, I get a whole bunch of 6500 and 6801 FIMSynchronizationService errors (see below).

Re: X500 addresses, I can confirm that FIM is writing these successfully to the Exchange 2007 contacts - it's just not writing it also directly into the equivalent legacyExchangeDN attribute (and if I copy this across manually, then mail flow to Exchange 2003 mailboxes works OK when selecting recipient in GAL). Any other thoughts on this would be welcomed. I've hit a brick wall on this one!

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Log Name: Application
Source: FIMSynchronizationService
Date: 15/08/2010 19:44:00
Event ID: 6500
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: fimserver.lan.local
Description: The description for Event ID 6500 from source FIMSynchronizationService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event:
There is an error in Exch2007Extension AfterExportEntryToCd() function when exporting an object with DN CN=contactDN...
Type: Microsoft.Exchange.Configuration.Tasks.ThrowTerminatingErrorException
Message: Could not find the default Administrative Group 'Exchange Administrative Group (FYDIBOHF23SPDLT)'.
Stack Trace:
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowTerminatingError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessUnhandledException(Exception e)
   at Microsoft.Exchange.Configuration.Tasks.Task.BeginProcessing()
   at System.Management.Automation.Cmdlet.DoBeginProcessing()
   at System.Management.Automation.CommandProcessorBase.DoBegin()
the message resource is present but the message is not found in the string/message table
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="0">6500</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-15T18:44:00.000000000Z" />
    <EventRecordID>7498</EventRecordID>
    <Channel>Application</Channel>
    <Computer>fimserver.lan.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data> There is an error in Exch2007Extension AfterExportEntryToCd() function when exporting an object with DN CN=contactDN...
Type: Microsoft.Exchange.Configuration.Tasks.ThrowTerminatingErrorException
Message: Could not find the default Administrative Group 'Exchange Administrative Group (FYDIBOHF23SPDLT)'.
Stack Trace:
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowTerminatingError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessUnhandledException(Exception e)
   at Microsoft.Exchange.Configuration.Tasks.Task.BeginProcessing()
   at System.Management.Automation.Cmdlet.DoBeginProcessing()
   at System.Management.Automation.CommandProcessorBase.DoBegin()</Data>
  </EventData>
</Event>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Log Name: Application
Source: FIMSynchronizationService
Date: 15/08/2010 19:44:00
Event ID: 6801
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: fimserver.lan.local
Description: The extensible extension returned an unsupported error. The stack trace is:
"Microsoft.MetadirectoryServices.ExtensionException: Could not find the default Administrative Group 'Exchange Administrative Group (FYDIBOHF23SPDLT)'.
   at Exch2007Extension.Exch2007ExtensionClass.AfterExportEntryToCd(Byte[] origAnchor, String origDN, String origDeltaEntryXml, Byte[] newAnchor, String newDN, String failedDeltaEntryXml, String errorMessage)
Forefront Identity Manager 4.0.2592.0"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="49152">6801</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-15T18:44:00.000000000Z" />
    <EventRecordID>7499</EventRecordID>
    <Channel>Application</Channel>
    <Computer>fimserver.lan.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Microsoft.MetadirectoryServices.ExtensionException: Could not find the default Administrative Group 'Exchange Administrative Group (FYDIBOHF23SPDLT)'.
   at Exch2007Extension.Exch2007ExtensionClass.AfterExportEntryToCd(Byte[] origAnchor, String origDN, String origDeltaEntryXml, Byte[] newAnchor, String newDN, String failedDeltaEntryXml, String errorMessage)
Forefront Identity Manager 4.0.2592.0</Data>
  </EventData>
</Event>
August 16th, 2010 2:35pm

An update on this: It looks like the 350+ ma-extension-error and 6801/6500 errors occurring when exporting via the Exchange 2007 MA were fixed when I added both the MA and FIM Synchronization Service accounts to the Exchange Recipient Administrators group in the E2K7 domain. I'm now only getting these errors on 4 contacts, which have the problem you describe re: spaces in the alias. This is a big improvement on 350+ errors! I can see also in ADSIEdit that a legacyExchangeDN is now being stamped on the E2K7 contacts!! However, it is not the same legacyExchangeDN the Exchange 2003 user has!

Exchange 2003 user has legacyExchangeDN:
/o=E2K3ExchangeOrg/ou=First Administrative Group/cn=Recipients/cn=mailboxalias

Exchange 2007 contact has legacyExchangeDN:
/o=E2K7ExchangeOrg/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=mailboxalias
August 16th, 2010 3:14pm

Another update: Even with Exchange 2003 legacyExchangeDN of: /o=E2K3ExchangeOrg/ou=First Administrative Group/cn=Recipients/cn=mailboxalias ... E2K7 mails sent as replies to old mail, via NK2, and also via the GAL are now received by E2K3 mailboxes, so it looks to be sorted! Thanks for your help Glenn - you pointed me in the right direction with FIM app log and clearing sync errors. Would be nice to know why FIM-generated legacyExchangeDN on the new contact pointing to the Exchange 2007 Exchange org (rather than Exchange 2003 org) works though!
August 16th, 2010 4:59pm

I think this will answer the question: http://support.microsoft.com/default.aspx?scid=kb;EN-US;951077
March 29th, 2011 9:12am

This topic is archived. No further replies will be accepted.
