Problems with Exchange 2010 provisioning

    Question

  • Hi,

    We have the basic outbound sync rules for both users and groups, which work great from FIM to AD and vice versa. Then we configured Exchange 2010 Provisioning on FIM using guides found at http://technet.microsoft.com/en-us/magazine/ff472471.aspx, http://bennettadelson.wordpress.com/2012/05/21/fim-2010-with-exchange-2010-configuration-for-provisioning/ and http://fabienduchene.blogspot.fi/2010/02/fim-2010-exchange-2010-provisioning.html, but we haven't got this to work. When using PowerShell as the FIM MA user (remote towards Exchange on http://fqdn/powershell) on its own to enable a mailbox for a user, it works just brilliantly, so I would assume permissions on Exchange for the FIM MA service account are correct, PS remoting is correctly enabled, etc.

    When exporting changes on AD MA, we do not get any errors on either application logs at FIM sync server or on the Exchange server. On the Exchange server we can see on the security logs that FIM MA account has indeed logged in while we did the Export on AD MA but no mailbox is created for the synchronized user. While running the export on AD MA, netstat -n shows that connection to Exchange server has been established on port 80.

    I think we have gone through most of the forums/posts on internet regarding the Exchange 2010 provisioning on FIM 2010 but we cannot find the root cause for the problem as there are no errors on any logs. Do you guys have any idea what might be wrong and if we should check something on the configurations? Thanks.

    -Pappa75 

    Thursday, 18 April 2013 18:34

All replies

  • On the Exchange server, there is an MSExchange Management event log under Apps & Services logs that traces each command that's run. Have you had a look there yet?

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Thursday, 18 April 2013 23:25
    Moderator
  • Pappa75,

    Check the application event log on the synchronization server. Usually, when update-recipient (the PS cmdlet that runs during export when Exchange 2010/2007 provisioning is enabled) fails, it shows per-object errors here. The errors can range from something wrong with the objects themselves, such as a mailNickname value that has a space character in it, to connection problems when attempting to use WinRM to run the PS cmdlet remotely.

    If you don't see application event log errors, do you have the proper attributes to populate Exchange 2010 mailboxes? You need

    displayName
    mailNickname
    msExchHomeServerName

    as a minimum. Also, if there is a firewall between the sync server and the target Exchange CAS box, there are some port access requirements. I think 5985 is the WinRM port.

    Friday, 19 April 2013 01:37
  • Hi guys,

    And thanks for your help so far..

    Some background info on our forest: we have 10 internal domains, the Exchange environment is in the root domain, and the FIM test environment is installed in a new tree beside it.

    We have set displayName, mailNickname, HomeMDB, msExchHomeServerName, MSExchangeRBACPolicyLink and MDBUseDefaults (as True) on the outbound sync rule.

    As Brian suggested, we checked the MSExchange Management logs on the Exchange server and saw errors for each synced user (Event ID 6):

    Cmdlet failed. Cmdlet Update-Recipient, parameters {Identity=fimdomain.domain.com/Managed/TestUser, DomainController=dc001.fimdomain.domain.com}.

    Additional info on the event shows:

    Update-Recipient 
    {Identity=fimdomain.domain.com/Managed/TestUser, DomainController=dc001.fimdomain.domain.com} 
    fimdomain.domain.com/Service accounts/FIMMA 
    S-1-5-21-317867505-1990935197-705460009-1131 
    S-1-5-21-317867505-1990935197-705460009-1131 
    ServerRemoteHost-Unknown 
    6168 
        
    52 
    00:00:00.3900050 
    View Entire Forest: 'False', Default Scope: 'forestdomain.com', Configuration Domain Controller: 'forestdc001.forestdomain.com', Preferred Global Catalog: 'dc001.fimdomain.domain.com', Preferred Domain Controllers: '{ dc001.fimdomain.domain.com }' 
    Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: fimdomain.domain.com/Managed/TestUser wasn't found. Please make sure you've typed it correctly. ---> Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'fimdomain.domain.com/Managed/TestUser' couldn't be found on 'dc001.fimdomain.domain.com'. at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.GetDataObject[TObject](IIdentityParameter id, IConfigDataProvider session, ObjectId rootID, OptionalIdentityData optionalData, Nullable`1 notFoundError, Nullable`1 multipleFoundError, ExchangeErrorCategory errorCategory) at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.GetDataObject[TObject](IIdentityParameter id, IConfigDataProvider session, ObjectId rootID, Nullable`1 notFoundError, Nullable`1 multipleFoundError) at Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient.ResolveDataObject() --- End of inner exception stack trace --- 
    13 
    Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'fimdomain.domain.com/Managed/TestUser' couldn't be found on 'dc001.fimdomain.domain.com'. at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.GetDataObject[TObject](IIdentityParameter id, IConfigDataProvider session, ObjectId rootID, OptionalIdentityData optionalData, Nullable`1 notFoundError, Nullable`1 multipleFoundError, ExchangeErrorCategory errorCategory) at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.GetDataObject[TObject](IIdentityParameter id, IConfigDataProvider session, ObjectId rootID, Nullable`1 notFoundError, Nullable`1 multipleFoundError) at Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient.ResolveDataObject() 

    According to the logs, it seems that the user for whom the mailbox is about to be created cannot be found, so it fails. We have the outbound synchronization rule for users, in which we also have the attributes for Exchange provisioning set. Is that the correct way of doing this, or should these be set on a separate outbound sync rule that is applied after the actual outbound sync rule for the user is applied and the user is indeed created/found in AD?

    -Pappa75

    Friday, 19 April 2013 07:36
  • @ Pappa75

    I have the same issue. Did you ever find the solution? If so, please post.

    Thanks

    Mike
    Mike Finazzo

    Thursday, 27 February 2014 19:54
    Should note, Update-Recipient is run as the AD MA account when using OOB Exchange provisioning. Test to make sure you can make a remote connection to Exchange from the Sync server, as the AD MA account, and then run Update-Recipient. Also make sure the user you are trying to provision has the required attributes:

    http://technet.microsoft.com/en-us/library/bb738148(v=exchg.150).aspx

    Friday, 28 February 2014 00:12
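The checks suggested across the thread (the object being visible on the DC named in the failing event, the minimum attribute set, a remote Exchange session and Update-Recipient run as the AD MA account, and Event ID 6 in the MSExchange Management log) as one added diagnostic script that is not from the original posts. The CAS host name is a placeholder, the sAMAccountName is assumed, and the identity and DC are the values quoted in the event above.

```powershell
# Added diagnostic example (not from the thread). Run on the FIM sync server while
# logged on as the AD MA service account. Host name and sAMAccountName are placeholders.
param(
    [string]$ExchangeUri      = 'http://CAS-HOST-PLACEHOLDER/PowerShell/',  # placeholder CAS URI
    [string]$DomainController = 'dc001.fimdomain.domain.com',                # DC from the failing event
    [string]$UserIdentity     = 'fimdomain.domain.com/Managed/TestUser',     # identity from the event
    [string]$UserSam          = 'TestUser'                                   # assumed sAMAccountName
)

$required = 'displayName', 'mailNickname', 'msExchHomeServerName'   # minimum set named in the thread

# 1. Is the object visible on the DC that Update-Recipient is told to use? The thread's
#    ManagementObjectNotFoundException on dc001 is exactly this lookup failing on the CAS.
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $UserSam -Server $DomainController -Properties $required -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Warning "'$UserSam' not found on $DomainController (not yet replicated, or wrong DC/tree)."
    return
}

# 2. Are the minimum attributes populated, and is mailNickname free of whitespace?
$missing = $required | Where-Object { [string]::IsNullOrWhiteSpace($user.$_) }
if ($missing) { Write-Warning "Missing attributes: $($missing -join ', ')" }
if ($user.mailNickname -match '\s') { Write-Warning 'mailNickname contains a space character' }

# 3. Open the remote Exchange session as the current account (Kerberos, no explicit credential)
#    and run the same cmdlet the AD MA export runs. With an http:// URI this uses TCP 80,
#    which matches the netstat observation; 5985 only applies to the default WinRM listener.
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeUri `
                         -Authentication Kerberos -ErrorAction Stop
try {
    Import-PSSession $session -CommandName Update-Recipient -AllowClobber | Out-Null
    Update-Recipient -Identity $UserIdentity -DomainController $DomainController -ErrorAction Stop
    Write-Host "Update-Recipient succeeded for $UserIdentity"
}
finally {
    Remove-PSSession $session
}

# 4. Read back "Cmdlet failed" events (Event ID 6) for Update-Recipient from the CAS for the last
#    hour. Remote event log access needs the Event Log service reachable on the CAS.
$casHost = ([uri]$ExchangeUri).Host
Get-WinEvent -ComputerName $casHost -FilterHashtable @{
    LogName = 'MSExchange Management'; Id = 6; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Update-Recipient*' } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

If step 1 fails but the same lookup succeeds against a DC in the Exchange (root) domain, the provisioning rule is running before the new object is visible where Exchange looks for it, which is the ordering question raised in the thread.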