Overview / Purpose

This issue was seen while working on a Global Address List (GalSync) solution that provisions mail-enabled contacts to Microsoft Exchange 2010. In the Synchronization Service Manager console, the Export step fails with a stopped-dll-exception status.

*NOTE: You can see this same issue when doing an export to Exchange 2010 with an Active Directory Management Agent solution.

Application Event Log

There is an error in Exch2010Extension BeginExportToCd() function.
Type: System.Management.Automation.Remoting.PSRemotingTransportException
Message: Connecting to remote server failed with the following error message : WinRM cannot process the request. Access Denied.

Cause

The Synchronization Service Engine uses WinRM (Windows Remote Management) to remotely execute a Microsoft Exchange 2010 PowerShell script called Update-Recipient. In this case, WinRM is receiving the error message being sent back from Update-Recipient.

Update-Recipient is failing to update the mail-enabled contact object because the object is read-only.

Resolution

There are three possible resolutions here:

Resolution #1

  • Confirm the correct permissions are in place (Permissions for the GalSync User)
  • Delete the read-only mail-enabled contact
  • Allow the FIM GalSync Solution to re-create the mail-enabled contact

Resolution #2

  • Find the object in Active Directory using ADSIEDIT, or a tool that you can use to modify attributes
  • Clear the attribute values for msExchRecipientDisplayType and msExchRecipientTypeDetails
  • Execute the Export Step again, allowing the FIM GalSync Solution to update the object
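
Resolution #2 can also be carried out from PowerShell instead of ADSIEDIT. The script below is an added example, not part of the original article; it assumes the ActiveDirectory module is installed on the machine where it runs, and the script name Clear-ExchRecipientType.ps1 and the distinguished name you pass to it are placeholders.

```powershell
# Clear-ExchRecipientType.ps1 (hypothetical name; added example, not from the article)
# Clears msExchRecipientDisplayType and msExchRecipientTypeDetails on ONE contact
# so the next Export step can update the object. Assumes the ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder format: 'CN=<contact>,OU=<GalSync target OU>,DC=<domain>,DC=<tld>'
    [Parameter(Mandatory = $true)]
    [string]$ContactDN
)

Import-Module ActiveDirectory -ErrorAction Stop

$attrs = 'msExchRecipientDisplayType', 'msExchRecipientTypeDetails'

# Read the object together with the two attributes named in Resolution #2.
$obj = Get-ADObject -Identity $ContactDN -Properties $attrs -ErrorAction Stop

# Guard: only touch contact objects, never users, groups or containers.
if ($obj.ObjectClass -ne 'contact') {
    throw "Refusing to modify '$ContactDN': objectClass is '$($obj.ObjectClass)', expected 'contact'."
}

# Show the current values so they are recorded before anything changes.
$obj | Select-Object DistinguishedName, msExchRecipientDisplayType, msExchRecipientTypeDetails |
    Format-List

# Only clear attributes that actually hold a value (0 counts as a value).
$populated = @($attrs | Where-Object { $null -ne $obj.$_ })
if ($populated.Count -eq 0) {
    Write-Output 'Both attributes are already empty; nothing to clear.'
    return
}

# Honors -WhatIf / -Confirm, so the change can be previewed first.
if ($PSCmdlet.ShouldProcess($ContactDN, "Clear $($populated -join ', ')")) {
    Set-ADObject -Identity $obj -Clear $populated -ErrorAction Stop

    # Re-read to confirm the attributes are gone before re-running the Export step.
    Get-ADObject -Identity $ContactDN -Properties $attrs |
        Select-Object DistinguishedName, msExchRecipientDisplayType, msExchRecipientTypeDetails |
        Format-List
}
```

Run it with -WhatIf first to preview the change, then without it, and execute the Export step again.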

Resolution #3

  • In the Management Agent Properties, remove Export Attribute Flow (EAF) for msExchRecipientDisplayType and msExchRecipientTypeDetails
  • Execute the Export Step again, allowing the FIM GalSync Solution to update the object

Additional Information

Here are some of the troubleshooting steps utilized in this case:

1. Validate the Permissions for the GalSync User
2. Export without Exchange 2010 Provisioning
  1. Select No Provisioning in the drop-down on the Configure Extensions tab of the Management Agent Properties
  2. Execute the Export Step. This creates a mail-enabled contact object in Active Directory. However, because the Exchange PowerShell cmdlet doesn't fire, other necessary attributes are not populated.
  3. Go to the Exchange 2010 Server
  4. Execute the Exchange PowerShell cmdlet Get-MailContact on the object (e.g. get-mailcontact -organizationalunit <domain fqdn>\<ou path> | set-mailcontact)

Executing these steps, you may end up with an error similar to this one.

See Also

FIM LANDING PAGE: Resource Wiki and Troubleshooter Wiki Page

Configuring Exchange 2010 Provisioning