Problems with Exchange 2010 provisioning

  • Question

  • Hi,

    We have the basic outbound sync rules for both users and groups, which work great from FIM to AD and vice versa. Then we configured Exchange 2010 Provisioning on FIM using guides found at http://technet.microsoft.com/en-us/magazine/ff472471.aspx, http://bennettadelson.wordpress.com/2012/05/21/fim-2010-with-exchange-2010-configuration-for-provisioning/ and http://fabienduchene.blogspot.fi/2010/02/fim-2010-exchange-2010-provisioning.html but we haven't got this to work. When using PowerShell as the FIM MA user (remote towards Exchange on http://fqdn/powershell) on its own to enable a mailbox for a user, it works just brilliantly, so I would assume permissions on Exchange for the FIM MA service account are correct, PS remoting is correctly enabled, etc.

    When exporting changes on the AD MA, we do not get any errors in the application logs on either the FIM sync server or the Exchange server. On the Exchange server we can see in the security logs that the FIM MA account has indeed logged in while we did the export on the AD MA, but no mailbox is created for the synchronized user. While running the export on the AD MA, netstat -n shows that a connection to the Exchange server has been established on port 80.

    I think we have gone through most of the forums/posts on the internet regarding Exchange 2010 provisioning on FIM 2010, but we cannot find the root cause of the problem as there are no errors in any logs. Do you guys have any idea what might be wrong and if we should check something in the configuration? Thanks.

    -Pappa75 

    Thursday, April 18, 2013 6:34 PM

All replies

  • On the Exchange server, there is an MSExchange Management event log under Apps & Services logs that traces each command that's run. Have you had a look there yet?

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Thursday, April 18, 2013 11:25 PM
    Moderator
  • Pappa75,

    Check the application event log on the synchronization server. Usually update-recipient, the PS cmdlet that runs during export when Exchange 2010/2007 provisioning is enabled, shows per-object errors here. The errors can range from something wrong with the objects themselves, such as a mailNickname value that has a space character in it, to connection problems when attempting to use WinRM to run the PS cmdlet remotely.

    If you don't see application event log errors, do you have the proper attributes to populate Exchange 2010 mailboxes? You need

    displayName

    mailNickname

    msExchHomeServerName

    as a minimum. Also, if there is a firewall between the sync server and the target Exchange CAS box, there are some port access requirements. I think 5985 is the WinRM port.

    Friday, April 19, 2013 1:37 AM
  • Hi guys,

    And thanks for your help so far..

    Some background info of our forest; we have 10 internal domains and Exchange environment is on root domain and FIM test environment is installed on new tree beside.

    We have set displayName, mailNickname, HomeMDB, msExchHomeServerName, MSExchangeRBACPolicyLink and MDBUseDefaults (as True) on the outbound sync rule.

    And as Brian suggested, we checked the MSExchange Management logs on the Exchange server and saw errors for each synced user (Event ID 6):

    Cmdlet failed. Cmdlet Update-Recipient, parameters {Identity=fimdomain.domain.com/Managed/TestUser, DomainController=dc001.fimdomain.domain.com}.

    Additional info on the event shows:

    Update-Recipient 
    {Identity=fimdomain.domain.com/Managed/TestUser, DomainController=dc001.fimdomain.domain.com} 
    fimdomain.domain.com/Service accounts/FIMMA 
    S-1-5-21-317867505-1990935197-705460009-1131 
    S-1-5-21-317867505-1990935197-705460009-1131 
    ServerRemoteHost-Unknown 
    6168 
        
    52 
    00:00:00.3900050 
    View Entire Forest: 'False', Default Scope: 'forestdomain.com', Configuration Domain Controller: 'forestdc001.forestdomain.com', Preferred Global Catalog: 'dc001.fimdomain.domain.com', Preferred Domain Controllers: '{ dc001.fimdomain.domain.com }' 
    Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: fimdomain.domain.com/Managed/TestUser wasn't found. Please make sure you've typed it correctly. ---> Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'fimdomain.domain.com/Managed/TestUser' couldn't be found on 'dc001.fimdomain.domain.com'. at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.GetDataObject[TObject](IIdentityParameter id, IConfigDataProvider session, ObjectId rootID, OptionalIdentityData optionalData, Nullable`1 notFoundError, Nullable`1 multipleFoundError, ExchangeErrorCategory errorCategory) at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.GetDataObject[TObject](IIdentityParameter id, IConfigDataProvider session, ObjectId rootID, Nullable`1 notFoundError, Nullable`1 multipleFoundError) at Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient.ResolveDataObject() --- End of inner exception stack trace --- 
    13 
    Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'fimdomain.domain.com/Managed/TestUser' couldn't be found on 'dc001.fimdomain.domain.com'. at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.GetDataObject[TObject](IIdentityParameter id, IConfigDataProvider session, ObjectId rootID, OptionalIdentityData optionalData, Nullable`1 notFoundError, Nullable`1 multipleFoundError, ExchangeErrorCategory errorCategory) at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.GetDataObject[TObject](IIdentityParameter id, IConfigDataProvider session, ObjectId rootID, Nullable`1 notFoundError, Nullable`1 multipleFoundError) at Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient.ResolveDataObject() 

    According to the logs, it seems that the user for which the mailbox is about to be created cannot be found, so it fails. We have the outbound synchronization rule for users, in which we also have the attributes for Exchange provisioning set. Is that the correct way of doing this, or should these be set on a separate outbound sync rule that is applied after the actual outbound sync rule for the user is applied and the user is indeed created/found in AD?

    -Pappa75

    Friday, April 19, 2013 7:36 AM
  • @ Pappa75

    I have the same issue, did you ever find the solution??? If so please post.

    Thanks

    Mike


    Mike Finazzo

    Thursday, February 27, 2014 7:54 PM
    Should note, Update-Recipient is run as the AD MA account when using OOB Exchange provisioning. Test to make sure you can make a remote connection to Exchange from the Sync server, as the AD MA account, and then run Update-Recipient. Also make sure the user you are trying to provision has the required attributes.

    http://technet.microsoft.com/en-us/library/bb738148(v=exchg.150).aspx

    Friday, February 28, 2014 12:12 AM
  • In case this helps anyone, I got this same error message ("[Object] wasn't found. Please make sure you've typed it correctly.") when I was trying to mail-enable a contact object and the mailNickname was empty.  Very misleading error message.
    Wednesday, November 12, 2014 1:35 PM
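
The checks suggested in the replies above, combined into one script to run on the sync server. This is an added example, not part of the original thread and not code from any poster. The Exchange FQDN and the user's distinguished name are assumed placeholders; the identity and domain controller are the ones shown in the logged event.

```powershell
# Added example. Values marked "assumed" are placeholders, not taken from the thread.
$ExchangeUri = 'http://exch01.example.com/powershell'   # assumed CAS FQDN (thread: http://fqdn/powershell)
$Dc          = 'dc001.fimdomain.domain.com'             # DC named in the logged event
$Identity    = 'fimdomain.domain.com/Managed/TestUser'  # identity from the logged event
$UserDn      = 'CN=TestUser,OU=Managed,DC=fimdomain,DC=domain,DC=com'  # assumed DN of that object
$Required    = 'displayName', 'mailNickname', 'msExchHomeServerName'

# Enter the AD MA account: Update-Recipient runs as this account during export.
$Cred = Get-Credential

# 1. Read the object from the same DC the cmdlet is pointed at, as the AD MA account.
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Dc/$UserDn", $Cred.UserName, $Cred.GetNetworkCredential().Password)
try {
    $entry.psbase.RefreshCache([string[]]$Required)
} catch {
    throw "Cannot read $UserDn on $Dc as $($Cred.UserName): $($_.Exception.Message)"
}

# 2. Flag attributes that are empty, and a mailNickname that contains whitespace.
$missing = @($Required | Where-Object {
    $v = $entry.Properties[$_].Value
    $null -eq $v -or "$v".Trim() -eq '' -or ($_ -eq 'mailNickname' -and "$v" -match '\s')
})
if ($missing.Count -gt 0) {
    Write-Warning "Fix these attributes before exporting: $($missing -join ', ')"
    return
}

# 3. Open the same kind of remote session the AD MA uses and run the cmdlet by hand.
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeUri `
    -Authentication Kerberos -Credential $Cred
try {
    Import-PSSession $session -CommandName Update-Recipient -AllowClobber | Out-Null
    Update-Recipient -Identity $Identity -DomainController $Dc -ErrorAction Stop
    "Update-Recipient succeeded for $Identity"
} catch {
    "Update-Recipient failed: $($_.Exception.Message)"
} finally {
    Remove-PSSession $session
}
```

A failure in step 3 is also recorded in the MSExchange Management log on the Exchange server, so the manual run can be compared directly with the Event ID 6 entries produced by the export.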