stopped-entry-export-error can't provision any accounts to AD

  • Question

  • Hello,

     I'm using FIM 2010 R2 (4.1.3419.0) and Exchange 2010, I've recently hit an issue whereby the AD MA stops running due to "Stopped-entry-export-error". My environment was working fine, AD accounts and Exchange mailboxes were being provisioned OK (confirmed working for the past 6 months). I've only come upon this error since we installed around 25 Windows updates on our DC, Exchange server and FIM synchronization server.

     There is no associated error in the Synchronization service Application for the user object(s) which cause an error (as you'll see it's blank in the picture). AD MA delta imports and syncs work fine, but exports always fail with different user accounts (so I don't think it's an issue with the accounts being synced). Looking at the Windows logs shows errors as below:


    Application log (typical error for a user):

    There is an error in Exch2010Extension AfterExportEntryToCd() function when exporting an object with DN CN=jp um 
    receptionist,OU=staff,OU=Accounts,DC=contoso,DC=local. Type: Microsoft.MetadirectoryServices.ExtensionException Message: **** ERROR **** Property 
    expression "jp um receptionist" isn't valid. Valid values are: Strings formed with characters from A to Z (uppercase or lowercase), digits from 0 to 
    9, !, #, $, %, &, ', *, +, -, /, =, ?, ^, _, `, {, |, } or ~. One or more periods may be embedded in an alias, but each period should be preceded and followed by at least one of the other characters. Unicode characters from U+00A1 to U+00FF are also valid in an alias, but they will be mapped to a best-fit US-ASCII string in the e-mail address, which is generated from such an alias. Property Name: Alias **** END ERROR **** Stack Trace: at  Exch2010Extension.Exch2010ExtensionClass.AfterExportEntryToCd(Byte[] origAnchor, String origDN, String origDeltaEntryXml, Byte[] newAnchor, String new DN, String failedDeltaEntryXml, String errorMessage)
     

    Application Service Log (Forefront Identity Manager) - Error (happens every 30 minutes, this has been happening for 2 weeks, since the updates were installed):

    Microsoft.ResourceManagement.Service: System.InvalidOperationException: Operation is not valid due to the current state of the object.
    at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.<OnPollTimerExpired>b__0 (Boolean findUnreadItems) at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.OnPollTimerExpired(Object 
    state)


    Here's the relevant section from my Microsoft.ResourceManagement.Service.exe.config file

    <appSettings>
    <add key="mailServer" value="https://email.contoso.com/ews/exchange.asmx" />
    <add key="isExchange" value="1" />
    <add key="SendAsAddress" value="svc-fim@contoso.com" />
    <add key="synchronizationServerName" value="SvrFIM01" />
    </appSettings>

    If I browse to https://email.contoso.com/ews/exchange.asmx I'm PROMPTED for Windows logon credentials (the EWS virtual is configured for anonymous and Windows authentication). Upon entering the FIM service account details, the appropriate XML page appears (no certificate warnings or errors are generated). I can log on to the FIM service mailbox and send emails.

    The error may be down to a PowerShell problem, as I couldn't initiate a remote PowerShell session from my FIM service account to the Exchange server using:

    $session=new-pssession -configurationName Microsoft.Exchange -connectionuri https://email.comtoso.com/PowerShell

    To get around this, I've added the FIM service account to Organization Management (it was already a recipient management user) and added it to the local administrators group on the FIM server. I then restarted the FIM synchronization and FIM service. The remote PowerShell connection works fine, but the AD MA export still does not.

    There are some warnings in the Application logs about not being able to connect to the Exchange web services, however I think these are red herrings as they've been going on for over a year (during which time FIM has been working fine)
    https://social.technet.microsoft.com/Forums/forefront/en-US/993a34dd-2c38-431a-8e36-c5be1bb2cf7f/fim-warning-cannot-access-exchange-web-service?forum=ilm2

    I would appreciate some help in resolving this as it's currently got me stumped. The only thing I can try is removing the security patches and giving the FIM service account administrative and Exchange organization management permissions on the server and rebooting all boxes.

    Thanks in advance
      

    • Edited by Aetius2012 Friday, July 31, 2015 1:34 PM hj
    Friday, July 31, 2015 1:33 PM

Answers

  • Aetius,

    You have two problems:

    -the stopped entry export error is caused because in the build you likely have, 4.1.3419, when Exchange provisioning is enabled and there is an error during export related to it, the entire export run to this AD MA stops. This was changed in the following 4.1.3441 build; this error only occurs in 4.1.3419, any build before or after does not exhibit this behavior. You should upgrade to any build later than 4.1.3419 so that the entire export does not stop. This is the link to the newest hotfix (they are cumulative):

    https://support.microsoft.com/en-us/kb/3054196

    -the mailnickname attribute value of target object mentioned in app log entry has a space in it. For versions of Exchange from 2007 on, the mailNickname attribute, which Exchange calls 'alias', cannot have a space character in it. This can be fixed via changing source data to exclude space character.

    Sunday, August 2, 2015 5:08 PM

All replies


  • IT Support/Everything

    Friday, July 31, 2015 1:42 PM
  • Your issue is with that account.  Constraint Violation means that you are trying to write something to AD that violates the attribute constraints.  For instance if the sAMAccountName contains illegal characters.

    Investigate the values and see if any of them look out of the ordinary.


    Nosh Mernacaj, Identity Management Specialist

    Friday, July 31, 2015 3:39 PM
  • Hello

    I agree with Nosh, from the above log I would say there are some invalid mailNicknames (Alias) that cause the constraint violation.

    And that also causes the "Update-Recipient" cmdlet in the Exchange Provisioning to fail.

    So check that attribute on the users with errors, and maybe embed some code or function to normalize that string in future.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, July 31, 2015 3:45 PM
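
The alias rule quoted in the Application log error above, with the kind of normalization suggested in this reply, as an added example that is not part of the original thread or of FIM or Exchange. The function names and the clean-up policy (drop invalid characters, collapse and trim periods) are assumptions; every sample value except the one from the log is constructed.

```powershell
# Characters the error message lists as valid in an alias, plus U+00A1..U+00FF.
$atomChars    = 'A-Za-z0-9!#$%&''*+\-/=?^_`{|}~\u00A1-\u00FF'
# One or more valid characters, optionally joined by single embedded periods.
$aliasPattern = "\A[${atomChars}]+(?:\.[${atomChars}]+)*\z"
# Anything that is neither a valid character nor a period.
$invalidChars = "[^${atomChars}.]"

function Test-ExchangeAlias {
    # Hypothetical helper: $true when the value satisfies the quoted rule.
    param([AllowEmptyString()][string]$Alias)
    # -cmatch keeps the match case-sensitive so the Unicode range is not widened.
    return $Alias -cmatch $aliasPattern
}

function ConvertTo-ExchangeAlias {
    # Hypothetical helper (assumed policy): strip invalid characters,
    # collapse runs of periods, then trim leading and trailing periods.
    param([AllowEmptyString()][string]$Value)
    $clean = $Value -creplace $invalidChars, ''
    $clean = $clean -replace '\.{2,}', '.'
    return $clean.Trim('.')
}

# First value is the alias from the log entry; the rest are constructed samples.
$samples = 'jp um receptionist', 'j.smith', '.leading', 'a..b', 'trailing.'

$report = foreach ($s in $samples) {
    $fixed = ConvertTo-ExchangeAlias -Value $s
    [pscustomobject]@{
        Source      = $s
        ValidAsIs   = Test-ExchangeAlias -Alias $s
        Normalized  = $fixed
        ValidAfter  = Test-ExchangeAlias -Alias $fixed
    }
}
$report | Format-Table -AutoSize

# Stripping characters can make two different sources produce the same alias.
$report | Group-Object Normalized | Where-Object Count -gt 1 |
    ForEach-Object { "Collision on '$($_.Name)': $($_.Group.Source -join ', ')" }
```

A value that normalizes to an empty string still fails the check, so such objects need a fallback alias from another attribute rather than being exported as-is.
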
  • Thanks for looking guys,

    The top 2 errors (constraint-violation and cd-existing-object) have existed for about a year, I know these are due to invalid objects and I'm OK with that. What is new and what has me stumped are the event log errors I've listed above and the bottom error "CN=US Training". If not the CN=US Training user, it'll happen with another user object.

    In addition, what normally happens is that every week I'm synching around 3500 users so usually have around 100 users provisioned to AD. What has happened recently is that 0 users are provisioned to AD every time I try an AD export, regardless if there are users to export. What I would expect is the following to happen:

    1. X users provisioned
    2. Errors logged due to constraint violations or existing users for y no of users
    3. Additional users provisioned

    But since these Windows updates 0 users are provisioned.


    IT Support/Everything

    Sunday, August 2, 2015 9:34 AM
  • "The top 2 errors (constraint-violation and cd-existing-object) have existed for about a year, I know these are due to invalid objects and I'm OK with that. What is new and what has me stumped are the event log errors I've listed above and the bottom error "CN=US Training". If not the CN=US Training user, it'll happen with another user object."

    So these 2 errors don't matter, but you covered the only error that matters on the picture?!


    Nosh Mernacaj, Identity Management Specialist

    Monday, August 3, 2015 1:25 PM
  • Thanks Glenn,

    You're right, the build number is 4.1.3419.0

    I have the fim sync and service on the same VM, whilst another server has SSPR installed.

    Do I need to update both the FIM sync\service server and the sspr server?
    I've had a quick look at the upgrade considerations (link below), given that both servers are VMs, can I just download and install the patch on both VMs and reboot? I don't have any custom RODCs
    https://technet.microsoft.com/en-us/library/JJ134291(v=WS.10).aspx

    Thanks

    Nosh,

    I haven't covered the snipping tool error - I've highlighted it. You can't see a reported error as FIM simply reports a blank value as the error (as shown in the pic)


    IT Support/Everything

    Wednesday, August 5, 2015 7:13 PM
  • Apologies (Aetius), I did not realize it.  I also think it is bizarre that it does not have any error associated with it.

    But, seems you 2 have it figured out.  I regret I could not be of much help!


    Nosh Mernacaj, Identity Management Specialist

    Wednesday, August 5, 2015 7:50 PM
  • Nps - thanks for looking!

     Hopefully Glenn's suggestion should resolve this (will report back later in the week once I've tried)


    IT Support/Everything

    Wednesday, August 5, 2015 7:57 PM
  • Aetius

    Yes, all FIM components must be the same build number. So when you upgrade the FIM sync engine to something other than 4.1.3419, you will also need to upgrade the service and portal (as well as SSPR server(s)) as well. Just make sure to back up the FIM Service and sync DBs before attempting upgrade. After upgrading you should see that the stopped-entry-export exception goes away and the export to the AD MA will finish, albeit with any per-object errors.

    Friday, August 7, 2015 12:36 AM
  • Thanks Glenn,

     Worked a treat. I unpacked the hotfix and executed the individual executables for each applicable FIM component.


    IT Support/Everything

    Monday, August 10, 2015 8:49 AM