stopped-entry-export-error can't provision any accounts to AD
Hello,

 I'm using FIM 2010 R2 (4.1.3419.0) and Exchange 2010. I've recently hit an issue whereby the AD MA stops running due to "Stopped-entry-export-error". My environment was working fine, AD accounts and Exchange mailboxes were being provisioned OK (confirmed working for the past 6 months). I've only come upon this error since we installed around 25 Windows updates on our DC, Exchange server and FIM synchronization server.

 There is no associated error in the Synchronization service Application for the user object(s) which cause an error (as you'll see it's blank in the picture). AD MA delta imports and syncs work fine, but exports always fail with different user accounts (so I don't think it's an issue with the accounts being synced). Looking at the Windows logs shows errors as below:


Application log (typical error for a user):

There is an error in Exch2010Extension AfterExportEntryToCd() function when exporting an object with DN CN=jp um receptionist,OU=staff,OU=Accounts,DC=contoso,DC=local. Type: Microsoft.MetadirectoryServices.ExtensionException Message: **** ERROR **** Property expression "jp um receptionist" isn't valid. Valid values are: Strings formed with characters from A to Z (uppercase or lowercase), digits from 0 to 9, !, #, $, %, &, ', *, +, -, /, =, ?, ^, _, `, {, |, } or ~. One or more periods may be embedded in an alias, but each period should be preceded and followed by at least one of the other characters. Unicode characters from U+00A1 to U+00FF are also valid in an alias, but they will be mapped to a best-fit US-ASCII string in the e-mail address, which is generated from such an alias. Property Name: Alias **** END ERROR **** Stack Trace: at Exch2010Extension.Exch2010ExtensionClass.AfterExportEntryToCd(Byte[] origAnchor, String origDN, String origDeltaEntryXml, Byte[] newAnchor, String new DN, String failedDeltaEntryXml, String errorMessage)


Application Service Log (Forefront Identity Manager) - Error (happens every 30 minutes, this has been happening for 2 weeks, since the updates were installed):

Microsoft.ResourceManagement.Service: System.InvalidOperationException: Operation is not valid due to the current state of the object.
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.<OnPollTimerExpired>b__0 (Boolean findUnreadItems)
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.OnPollTimerExpired(Object state)


Here's the relevant section from my Microsoft.ResourceManagement.Service.exe.config file

<appSettings>
<add key="mailServer" value="https://email.contoso.com/ews/exchange.asmx" />
<add key="isExchange" value="1" />
<add key="SendAsAddress" value="svc-fim@contoso.com" />
<add key="synchronizationServerName" value="SvrFIM01" />
</appSettings>

If I browse to https://email.contoso.com/ews/exchange.asmx I'm PROMPTED for Windows logon credentials (the EWS virtual is configured for anonymous and windows authentication). Upon entering the FIM service account details, the appropriate xml page appears (no certificate warnings or errors are generated). I can log on to the FIM service mailbox and send emails.

The error may be down to a PowerShell problem, as I couldn't initiate a remote PowerShell session from my FIM service account to the Exchange server using:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://email.contoso.com/PowerShell

To get around this, I've added the FIM service account to Organization Management (it was already a recipient management user) and added it to the local administrators group on the FIM server. I then restarted the FIM synchronization and FIM service. The remote PowerShell connection works fine, but the AD MA export still does not.

There are some warnings in the Application logs about not being able to connect to the Exchange web services, however I think these are red herrings as they've been going on for over a year (during which time FIM has been working fine)
https://social.technet.microsoft.com/Forums/forefront/en-US/993a34dd-2c38-431a-8e36-c5be1bb2cf7f/fim-warning-cannot-access-exchange-web-service?forum=ilm2

I would appreciate some help in resolving this as it's currently got me stumped. The only thing I can try is removing the security patches and giving the FIM service account administrative and Exchange organization management permissions on the server and rebooting all boxes.

Thanks in advance
  

  • Edited by Aetius2012 Friday, July 31, 2015 1:34 PM hj
July 31st, 2015 1:33pm

Aetius,

You have two problems:

- The stopped entry export error is caused because in the build you likely have, 4.1.3419, when Exchange provisioning is enabled and there is an error during export related to it, the entire export run to this AD MA stops. This was changed in the following 4.1.3441 build; this error only occurs in 4.1.3419, any build before or after does not exhibit this behavior. You should upgrade to any build later than 4.1.3419 so that the entire export does not stop. This is the link to the newest hotfix (they are cumulative):

https://support.microsoft.com/en-us/kb/3054196

- The mailNickname attribute value of the target object mentioned in the app log entry has a space in it. For versions of Exchange from 2007 on, the mailNickname attribute, which Exchange calls 'alias', cannot have a space character in it. This can be fixed via changing source data to exclude the space character.

August 2nd, 2015 5:08pm
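
The alias rule quoted in the error message, and the space that the reply above identifies as the cause, can be checked against source data before an export run. The following PowerShell is an added example, not part of the thread or of FIM; `Test-ExchangeAlias` and the sample values are assumptions made for illustration.

```powershell
# Added example, not from the thread. Test-ExchangeAlias is a hypothetical helper;
# the rule set is taken from the Exch2010Extension error text quoted in the question.

# One allowed non-period character: A-Z, a-z, 0-9, the listed symbols, U+00A1-U+00FF.
$aliasChar    = '[A-Za-z0-9!#$%&''*+\-/=?^_`{|}~\u00A1-\u00FF]'
# Periods may be embedded, but each needs an allowed character on both sides.
$aliasPattern = '^' + $aliasChar + '+(\.' + $aliasChar + '+)*$'

function Test-ExchangeAlias {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Alias)

    $reason = ''
    if ($Alias.Length -eq 0) {
        $reason = 'empty value'
    }
    elseif ($Alias -cnotmatch $aliasPattern) {
        # Find the first character that is neither allowed nor a period.
        $bad = [regex]::Match($Alias, '(?!' + $aliasChar + '|\.).', 'Singleline')
        if ($bad.Success) {
            $reason = 'character U+{0:X4} at index {1} is not allowed' -f ([int][char]$bad.Value), $bad.Index
        }
        else {
            # Every character is allowed, so the failure is period placement.
            $reason = 'leading, trailing or consecutive period'
        }
    }
    [pscustomobject]@{ Alias = $Alias; Valid = ($reason -eq ''); Reason = $reason }
}

# Constructed sample values; the first is the alias from the error in the question.
$samples = 'jp um receptionist', 'jp.um.receptionist', 'jpumreceptionist',
           '.reception', 'front..desk', "r$([char]0x00E9)ception"
$samples | ForEach-Object { Test-ExchangeAlias -Alias $_ } | Format-Table -AutoSize
```

Running the same function over the attribute that feeds mailNickname in the source system lists the objects that would fail the Exchange step of an export.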

"The top 2 errors (constraint-violation and cd-existing-object) have existed for about a year, I know these are due to invalid objects and I'm OK with that. What is new and what has me stumped are the event log errors I've listed above and the bottom error "CN=US Training". If not the CN=US Training user, it'll happen with another user object."

So these 2 errors don't matter, but you covered the only error that matters in the picture?!

August 3rd, 2015 9:26am

Thanks Glenn,

 You're right, the build number is 4.1.3419.0

I have the fim sync and service on the same VM, whilst another server has SSPR installed.

Do I need to update both the FIM sync\service server and the sspr server?
I've had a quick look at the upgrade considerations (link below), given that both servers are VMs, can I just download and install the patch on both VMs and reboot? I don't have any custom RODCs
https://technet.microsoft.com/en-us/library/JJ134291(v=WS.10).aspx

Thanks

Nosh,

I haven't covered the snipping tool error - I've highlighted it. You can't see a reported error as FIM simply reports a blank value as the error (as shown in the pic)

August 5th, 2015 3:14pm

Apologies (Aetius), I did not realize it. I also think it is bizarre that it does not have any error associated with it.

But, seems you 2 have it figured out. I regret I could not be of much help!

August 5th, 2015 3:51pm

Nps - thanks for looking!

 Hopefully Glenn's suggestion should resolve this (will report back later in the week once I've tried)

August 5th, 2015 3:58pm

Thanks Glenn,

 Worked a treat. I unpacked the hotfix and executed the individual executables for each applicable FIM component.

August 10th, 2015 4:53am
