FIM GALSync ma-extension-error

Hi,

Getting the following event setting up FIM. 

Message: The property 'AddressListMembership' is on a read-only object and can't be modified.

This is syncing contacts into a domain with Exchange 2010 SP1.  The other domain (where the FIM server lives) is running Exchange 2013 and not experiencing errors.

I have followed the steps outlined here for rights: http://social.technet.microsoft.com/wiki/contents/articles/4868.permissions-for-galsync-user.aspx#_Toc305417939

I can't find any attribute for AddressListMembership, so I assume this is associated with an Exchange role?  What can I do to give these rights to the FIMGALSync Account?  I want to keep these rights as limited as possible.

Cheers.

------------------------

Log Name:      Application
Source:        FIMSynchronizationService
Date:          9/05/2013 1:26:05 PM
Event ID:      0
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      CORP-FIM01
Description:
The description for Event ID 0 from source FIMSynchronizationService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

 

There is an error in Exch2010Extension AfterExportEntryToCd() function when exporting an object with DN CN=User,OU=Contacts,OU=GalSync,DC=domain,DC=com.

Type: System.Management.Automation.RemoteException

Message: The property 'AddressListMembership' is on a read-only object and can't be modified.

Stack Trace:    at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke()
   at Exch2010Extension.Exch2010ExtensionClass.AfterExportEntryToCd(Byte[] origAnchor, String origDN, String origDeltaEntryXml, Byte[] newAnchor, String newDN, String failedDeltaEntryXml, String errorMessage)

the message resource is present but the message is not found in the string/message table

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="0">0</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-09T03:26:05.000000000Z" />
    <EventRecordID>1963</EventRecordID>
    <Channel>Application</Channel>
    <Computer>CORP-FIM01</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

There is an error in Exch2010Extension AfterExportEntryToCd() function when exporting an object with DN CN=user,OU=Contacts,OU=GalSync,DC=domain,DC=com.

Type: System.Management.Automation.RemoteException

Message: The property 'AddressListMembership' is on a read-only object and can't be modified.

Stack Trace:    at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke()
   at Exch2010Extension.Exch2010ExtensionClass.AfterExportEntryToCd(Byte[] origAnchor, String origDN, String origDeltaEntryXml, Byte[] newAnchor, String newDN, String failedDeltaEntryXml, String errorMessage)</Data>
  </EventData>
</Event>

May 9th, 2013 3:51am

The Organization Management role should give your GalSync Ma user all the permissions it needs.

I suggest logging in as that user, opening the Exchange Shell and manually calling Update-Recipient for that object -- see what happens.

May 9th, 2013 5:39pm

Hi, sorry for the delayed response.  Too many projects on at the moment.

I have tried running an update-recipient for one of the contacts Synced via FIM when logged in with the FIMGALSync account and here is the result:

[PS] C:\Windows\system32>update-recipient -identity <contact name>
WARNING: An unexpected error has occurred and a Watson dump is being generated: The property 'AddressListMembership' is on a read-only object and can't be modified.
The property 'AddressListMembership' is on a read-only object and can't be modified.
    + CategoryInfo          : NotSpecified: (:) [Update-Recipient], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient

I then tried the same command logged in with my admin account and received the same message.


May 21st, 2013 3:43am


James,

Love your icon! If you can reproduce the error with just calling the commandlet (in other words independent of FIM) then this is an Exchange issue. What version of Exchange are you running?

You may need to open a ticket with support regarding Exchange.

May 22nd, 2013 3:39pm

Hi David,

I think I'm making some progress on this, hoping I can get some more insight from the forum here.

I now have 5 different organisations connected via FIM and I have found the following issues.

Org 1 is running Exchange 2013 - these are the contacts I am getting the previous error on. "The property 'AddressListMembership' is on a read-only object and can't be modified."

If I try and open one of these contacts via Exchange 2010 EMC I get the warning: "You must use management console version 15.0.0.0 or later to modify this object"

Each time I run an export on FIM these contacts become duplicated in the Exchange 2010 ADs (Orgs 2-4)

Orgs 2-4 are running Exchange 2010.  2 on SP3, one on SP1.  These contacts are all working fine.

Org 5 is running Office 365 completely stand alone.  I have configured FIM with an Active Directory Domain Services MA to pull these users across as they have all the contact list info we need in their AD, just no Exchange attributes.

These users also get duplicated when running a FIM import into one of the Exchange 2010 orgs.  Opening them in Exchange gives the message "The properties on this object have invalid data", and running update-recipient on them gives me "There is no primary SMTP address".  I have pulled the attribute mail across to TargetAddress with FIM, but it is not in the SMTP:.... format, so I need a way to insert "SMTP:" in front of the email address.

Cheers

June 26th, 2013 12:02am

Hi, interested to know if a solution was ever found to this.

I've got almost the same setup (minus the 365) and have the same problem exactly.

I don't think the issue is a missing SMTP as part of the attribute flow. I think that is probably a symptom, not a cause: it's a symptom that the MA is crashing as it tries to create the object.

I think the issue is the extension DLL, when it runs the function AfterExportEntryToCd().

As I'm using some custom code in a re-compiled GALSYNC.DLL, I have gone looking for this function in VS, but can't find it.

Has anyone seen this and solved it?

Thanks

July 22nd, 2013 9:04am

Hey, for what it is worth, I have managed to hack a work-around.

Using the MV search, I could see that the only difference in the objects imported from E2013 compared to E2010 is the MSExchVersion:
For 2013 imported objects = 88218628259840
For 2010 imported objects = 44220983382016

I then supposed that Update-Recipient is performing different actions based on this attribute.
So, after some testing, I have hard coded the MSExchVersion attribute (to the E2010 number) at export to the 2 x E2010 Forests and it is now working perfectly.

I can only surmise that Update-Recipient is doing something different for the E2013 objects, possibly it is trying to go back to the source forest (hence the reference to read-only), which of course the MA agent account in the destination forest does NOT have rights to.

Would be nice for someone from MS to have a look over this. I don't have access to Premier support (and there is no way I'm going through standard support), so I'll just have to live with the workaround.

July 23rd, 2013 1:55am


Hi David,

Thanks for the reply, I'm trying your workaround now, forcing the MSExchVersion to the 2010 value.  1st run and I seem to have a mix of 2010 and 2013 values and some duplicate contacts created, however I don't get any ma-extension errors, so it's promising.

I think I need to have a clean out of the Person database in FIM, then re-sync all the domains before running the export again.

Will let you know how I get on.

Cheers,

James

July 23rd, 2013 5:43am

Hi fellas, 

I'm facing the same problem (Exchange 2010 and Exchange 2013). It would be better if anyone could tell me how to hack the GALSync, and where I must hardcode msExchVersion?

I'm not a developer but an infra guy.

Thanks.

Endrik

August 30th, 2013 8:06am

This does not seem to have resolved the issue for me. :(
June 4th, 2014 1:23pm

There is no out of the box Extension DLL for Exchange 2013 provisioning in FIM 2010 R2 SP1 however Microsoft claims that this version of FIM supports Exchange 2013 provisioning. I opened a case with Microsoft and the support team might file an issue with the FIM product team. Additionally I have also filed this as a bug by visiting https://connect.microsoft.com and request anyone facing the issue to also report it as a bug to Microsoft.
June 10th, 2014 3:45am

Hi all,

I know this is a little bit of an old thread now, but maybe I could help somebody that is still expecting.

Use the following command line to change the msExchVersion attribute of mail contacts with a version different from Exchange 2010 to Exchange 2010:

# Filter restricted to contact objects so that OUs and other objects under the search base are not stamped
Get-ADObject -SearchBase "OU=Contacts,DC=contoso,DC=com" -LDAPFilter "(&(objectClass=contact)(!(msExchVersion=44220983382016)))" | Set-ADObject -Replace @{msExchVersion="44220983382016"}

Please pay attention to specify the correct searchbase for mail contacts location on domain controller.

_________________________________________

Hartmann

January 23rd, 2015 11:28am
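
A more cautious form of the bulk change in the post above, as an added example that is not part of the original thread: it inventories the affected contacts, saves their current msExchVersion to a CSV, previews the write with -WhatIf, and includes a restore function. The search base is the one from the post; the CSV path and the function names are assumptions made for this example.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$SearchBase = 'OU=Contacts,DC=contoso,DC=com'   # search base from the post above; adjust to your OU
$E2010      = '44220983382016'                  # Exchange 2010 msExchVersion value quoted in the thread
$BackupCsv  = '.\msExchVersion-before.csv'      # hypothetical backup file

# Hypothetical helper: contact objects whose msExchVersion is not the Exchange 2010 value.
# objectClass=contact keeps OUs, users and groups under the search base out of scope.
function Get-NonE2010Contact {
    $filter = "(&(objectClass=contact)(!(msExchVersion=$E2010)))"
    Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter -Properties msExchVersion, mail
}

# Hypothetical helper: put back the values recorded in the backup CSV.
function Restore-MsExchVersion {
    param([string]$Path = $BackupCsv)
    foreach ($row in Import-Csv -Path $Path) {
        if ([string]::IsNullOrEmpty($row.msExchVersion)) {
            # The attribute was not set before the change, so clear it again.
            Set-ADObject -Identity $row.ObjectGUID -Clear msExchVersion
        } else {
            Set-ADObject -Identity $row.ObjectGUID -Replace @{ msExchVersion = $row.msExchVersion }
        }
    }
}

$targets = @(Get-NonE2010Contact)

# 1. How many contacts carry each value (the thread quotes 88218628259840 for Exchange 2013).
$targets | Group-Object msExchVersion | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 2. Record the current values before anything is written.
$targets | Select-Object DistinguishedName, ObjectGUID, mail, msExchVersion |
    Export-Csv -Path $BackupCsv -NoTypeInformation

# 3. Preview only: -WhatIf prints each intended change without writing it.
#    Remove -WhatIf once the list has been reviewed.
$targets | Set-ADObject -Replace @{ msExchVersion = $E2010 } -WhatIf
```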

Hi there, I'm unsure if this will help you but the hotfix that has just been released for FIM 2010 R2 SP1 (Hotfix rollup build 4.1.3627.0) has a fix for the GALSync MA used against AD with Exchange 2013.

When the Active Directory global address list (GALSync) management agent is used against an Active Directory forest that hosts Exchange Server 2013, the GALSync solution does not generate the correct value for the msExchVersion attribute.

Here is the hotfix - http://support2.microsoft.com/kb/3022704/en-us

Regards. David

February 26th, 2015 10:40pm

I am hitting a very similar issue, but no GAL MAs, plain AD MA, FIM build 4.1.3634.0, Exchange 2013 hybrid with Exchange 2010.

The error is generated when running Update-Recipient for DLs, both from ADMA and directly in Exchange 2013 PowerShell. Also cannot visualize object in Exchange 2013 ECP. When setting msExchVersion to 44220983382016, both direct Update-Recipient or through ADMA work well.

The issue does not occur for user objects though.

May 28th, 2015 2:43pm

There is a hotfix now available
https://support.microsoft.com/en-us/kb/3022704?wa=wsignin1.0

May 30th, 2015 2:05am

The hotfix (https://support.microsoft.com/en-us/kb/3022704) is indeed a solution. I was having the same issue with a GAL Sync between an Exchange 2010 and an Exchange 2013 forest. Keep in mind for the hotfix to have effect you have to recreate the Exchange 2010 MA. You'll see a change in the attribute flow configuration for the msExchVersion attribute.
June 9th, 2015 11:19am

This topic is archived. No further replies will be accepted.
