stopped-entry-export-error can't provision any accounts to AD
Hello,

I'm using FIM 2010 R2 (4.1.3419.0) and Exchange 2010. I've recently hit an issue whereby the AD MA stops running due to "Stopped-entry-export-error". My environment was working fine; AD accounts and Exchange mailboxes were being provisioned OK (confirmed working for the past 6 months). I've only come upon this error since we installed around 25 Windows updates on our DC, Exchange server and FIM synchronization server.

 There is no associated error in the Synchronization service Application for the user object(s) which cause an error (as you'll see it's blank in the picture). AD MA delta imports and syncs work fine, but exports always fail with different user accounts (so I don't think it's an issue with the accounts being synced). Looking at the Windows logs shows errors as below:


Application log (typical error for a user):

There is an error in Exch2010Extension AfterExportEntryToCd() function when exporting an object with DN CN=jp um receptionist,OU=staff,OU=Accounts,DC=contoso,DC=local.
Type: Microsoft.MetadirectoryServices.ExtensionException
Message: **** ERROR **** Property expression "jp um receptionist" isn't valid. Valid values are: Strings formed with characters from A to Z (uppercase or lowercase), digits from 0 to 9, !, #, $, %, &, ', *, +, -, /, =, ?, ^, _, `, {, |, } or ~. One or more periods may be embedded in an alias, but each period should be preceded and followed by at least one of the other characters. Unicode characters from U+00A1 to U+00FF are also valid in an alias, but they will be mapped to a best-fit US-ASCII string in the e-mail address, which is generated from such an alias. Property Name: Alias **** END ERROR ****
Stack Trace: at Exch2010Extension.Exch2010ExtensionClass.AfterExportEntryToCd(Byte[] origAnchor, String origDN, String origDeltaEntryXml, Byte[] newAnchor, String new DN, String failedDeltaEntryXml, String errorMessage)


Application Service Log (Forefront Identity Manager) - Error (happens every 30 minutes, this has been happening for 2 weeks, since the updates were installed):

Microsoft.ResourceManagement.Service: System.InvalidOperationException: Operation is not valid due to the current state of the object.
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.<OnPollTimerExpired>b__0(Boolean findUnreadItems)
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.OnPollTimerExpired(Object state)


Here's the relevant section from my Microsoft.ResourceManagement.Service.exe.config file

<appSettings>
<add key="mailServer" value="https://email.contoso.com/ews/exchange.asmx" />
<add key="isExchange" value="1" />
<add key="SendAsAddress" value="svc-fim@contoso.com" />
<add key="synchronizationServerName" value="SvrFIM01" />
</appSettings>

If I browse to https://email.contoso.com/ews/exchange.asmx I'm PROMPTED for Windows logon credentials (the EWS virtual is configured for anonymous and Windows authentication). Upon entering the FIM service account details, the appropriate XML page appears (no certificate warnings or errors are generated). I can log on to the FIM service mailbox and send emails.

The error may be down to a PowerShell problem, as I couldn't initiate a remote PowerShell session from my FIM service account to the Exchange server using:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://email.contoso.com/PowerShell

To get around this, I've added the FIM service account to Organization Management (it was already a recipient management user) and added it to the local administrators group on the FIM server. I then restarted the FIM synchronization and FIM service. The remote PowerShell connection works fine, but the AD MA export still does not.

There are some warnings in the Application logs about not being able to connect to the Exchange web services, however I think these are red herrings as they've been going on for over a year (during which time FIM has been working fine)
https://social.technet.microsoft.com/Forums/forefront/en-US/993a34dd-2c38-431a-8e36-c5be1bb2cf7f/fim-warning-cannot-access-exchange-web-service?forum=ilm2

I would appreciate some help in resolving this as it's currently got me stumped. The only thing I can try is removing the security patches and giving the FIM service account administrative and Exchange Organization Management permissions on the server and rebooting all boxes.

Thanks in advance
  

  • Edited by Aetius2012 Friday, July 31, 2015 1:34 PM hj
July 31st, 2015 1:33pm
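
The Alias rule quoted in the Application log error above, written as a check that can be run over candidate values before an export. This is an added example, not part of the original post and not FIM or Exchange code; the function name `Test-ExchangeAlias` is hypothetical and every sample value except the one taken from the log is constructed.

```powershell
# Allowed alias characters, as listed in the error message:
# A-Z, a-z, 0-9, ! # $ % & ' * + - / = ? ^ _ ` { | } ~ and U+00A1..U+00FF.
$atom    = '[A-Za-z0-9!#$%&''*+\-/=?^_`{|}~\u00A1-\u00FF]'
# Periods may be embedded, but each must have an allowed character on both sides.
$pattern = "\A${atom}+(?:\.${atom}+)*\z"

function Test-ExchangeAlias {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Alias
    )
    # Collect characters outside the allowed set and report them as code points,
    # so invisible offenders (spaces, tabs) are easy to spot.
    $badChars = @($Alias.ToCharArray() |
        Where-Object { $_ -ne [char]'.' -and -not [regex]::IsMatch([string]$_, "\A${atom}\z") } |
        ForEach-Object { 'U+{0:X4}' -f [int]$_ } |
        Select-Object -Unique)

    $reason = if ($Alias.Length -eq 0) {
        'empty value'
    } elseif ($badChars.Count -gt 0) {
        'disallowed character(s): ' + ($badChars -join ', ')
    } elseif (-not [regex]::IsMatch($Alias, $pattern)) {
        'period is leading, trailing or doubled'
    } else {
        $null
    }

    [pscustomobject]@{ Alias = $Alias; IsValid = ($null -eq $reason); Reason = $reason }
}

# Sample input: the first value is the one named in the log, the rest are constructed.
$samples = @(
    'jp um receptionist'
    'jp.um.receptionist'
    'jp..um'
    '.receptionist'
    "j$([char]0xFC)rgen"      # U+00FC falls inside the permitted U+00A1..U+00FF range
)
$samples | ForEach-Object { Test-ExchangeAlias -Alias $_ } | Format-Table -AutoSize
```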
