Unable to export users from FIM to AD due to missing registry keys

  • Question

  • Hi All,

    I have been trying to export users from FIM 2010 R2 to ADDS but have not been successful.

    I get to see a lot of errors in the event logs. The major ones being missing registry keys: 1. ADMADoNormalization 2. ADMARecursiveUserDelete 3. ADMAUseACLSecurity

    I could not find these registry keys in the registry key Db. 'ADMADoNormalization' needs to be present under SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name> but I cannot find any other folder after Parameters. How and when are these keys created? What do I need to do to fix these errors?

    Some of the other errors:

    1. HRESULT: '0x80230703' Source:
    'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(2354)'  Thread ID: '0x1038'
    Additional Info: ''

    2. HRESULT: '0x80230808' Source:
    'd:\bt\800\private\source\miis\ma\ldapcore\ldapmaexportcore.cpp(635)'  Thread
    ID: '0x1038' Additional Info: 'EndExportSession called before export session was
    initialized

    3. HRESULT: '0x0' Source:
    'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(3729)'  Thread ID: '0x1038'
    Additional Info: 'Controller Export failed with hr=  80230703.

    4. HRESULT:
    '0x80230703' Source: 'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(3562)' 
    Thread ID: '0x1038' Additional Info: ''

    5. HRESULT: '0x80230703' Source:
    'd:\bt\800\private\source\miis\ma\ldapcore\ldapmaexportcore.cpp(585)'  Thread
    ID: '0x1038' Additional Info: ''

    6. HRESULT: '0x80230703' Source:
    'd:\bt\800\private\source\miis\scrhost\scripthost.cpp(20031)'  Thread ID:
    '0x23E0' Additional Info: ''

    7. HRESULT: '0x80004002' Source:
    'd:\bt\800\private\source\miis\scrhost\scripthostloader.cpp(790)'  Thread ID:
    '0x23E0' Additional Info: ''

    8. HRESULT: '0x0' Source:
    'D:\bt\800\private\source\MIIS\ma\shared\inc\MAUtils.h(58)'  Thread ID: '0x1038'
    Additional Info: 'Failed getting registry value 'ADMARecursiveUserDelete', 0x2

    9. HRESULT: '0x80070002' Source:
    'D:\bt\800\private\source\MIIS\ma\shared\inc\MAUtils.h(59)'  Thread ID: '0x1038'
    Additional Info: 'Win32 API failure: 2

    Thursday, February 11, 2016 7:28 PM

All replies

  • Hi,

    Those registry entries are all end-user created by system administrators for advanced sync settings. Perhaps you had those settings at one time and the registry settings were removed. If you restart the synchronization service do you still see the errors?

    If after a restart you are still seeing the errors, create these...

    ADMADoNormalization is a DWORD and added in SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters.  Give it a value of 0. Setting it to 1 is only needed in special circumstances where you receive exported-change-not-reimported errors.

    ADMARecursiveUserDelete is a DWORD and added in SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service. Give it a value of 1, which is default and means you can de-provision non-leaf user objects.

    ADMAUseACLSecurity is a DWORD and added in SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>. Create the PerMAInstance and MAName keys (the MAName should be the name of the ADMA). If you have granted the AD MA service account "Replicating Directory Changes Permission" then enter 0 here which is the default.  If you want to use AD ACL permissions instead of granting the sync service account "Replicating Directory Changes Permission" then enter 1.

    Reference: Registry Keys and Configuration File Settings in FIM 2010

    Best,

    Jeff Ingalls


    • Edited by Jeff Ingalls (MVP) Thursday, February 11, 2016 10:26 PM Clarified location of registry values
    Thursday, February 11, 2016 10:12 PM
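
The three values described in the reply above, as an added example (not code from the thread or from Microsoft): it reports whether each value exists and creates it with the stated default only when asked. The function name and the `-Create` switch are assumptions; the paths, type and defaults are the ones the reply gives, and the MA name you pass stands in for `<ma name>`.

```powershell
# Added example: audit the AD MA registry values named in the reply above.
# Paths, DWORD type and defaults come from the reply; everything else is illustrative.
function Test-FimAdMaRegistryValue {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MAName,   # name of the AD MA (the <ma name> key)
        [switch]$Create                          # create missing values with their defaults
    )
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
    $sync   = 'HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service'
    $expected = @(
        @{ Name = 'ADMADoNormalization';     Path = $params; Default = 0 }
        @{ Name = 'ADMARecursiveUserDelete'; Path = $sync;   Default = 1 }
        # 0 assumes the AD MA account holds "Replicating Directory Changes"; 1 relies on AD ACLs instead
        @{ Name = 'ADMAUseACLSecurity';      Path = "$params\PerMAInstance\$MAName"; Default = 0 }
    )
    foreach ($e in $expected) {
        $item  = Get-ItemProperty -LiteralPath $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) { 'Missing' } else { 'Present' }
        $value = if ($null -ne $item) { $item.($e.Name) } else { $null }

        if ($state -eq 'Missing' -and $Create -and
            $PSCmdlet.ShouldProcess("$($e.Path)\$($e.Name)", "Create DWORD = $($e.Default)")) {
            # Only create the key when it is absent: New-Item -Force on an existing key clears it.
            if (-not (Test-Path -LiteralPath $e.Path)) {
                New-Item -Path $e.Path -Force | Out-Null
            }
            New-ItemProperty -LiteralPath $e.Path -Name $e.Name `
                -PropertyType DWord -Value $e.Default | Out-Null
            $state = 'Created'
            $value = $e.Default
        }
        [pscustomobject]@{
            Name    = $e.Name
            Path    = $e.Path
            State   = $state
            Value   = $value
            Default = $e.Default
        }
    }
}

# Report only:            Test-FimAdMaRegistryValue -MAName '<ma name>' | Format-Table -AutoSize
# Preview the changes:    Test-FimAdMaRegistryValue -MAName '<ma name>' -Create -WhatIf
```

Creating values under HKLM needs an elevated session, and the synchronization service has to be stopped and restarted before it reads them.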
  • Jeff, Thank you for your reply.

    I have never created a registry key so far, in my previous assignment too. Aren't these supposed to be created when creating a new MA? Could this be due to a faulty installation?

    A restart of the sync service did not work. It throws a stopped-extension-dll on the sync service.

    Any idea how this error can be fixed?

    HRESULT: '0x80230808' Source:
    'd:\bt\800\private\source\miis\ma\ldapcore\ldapmaexportcore.cpp(635)'  Thread
    ID: '0x1038' Additional Info: 'EndExportSession called before export session was
    initialized

    TIA

    Friday, February 12, 2016 6:37 AM
  • Those registry entries do not get created by the system or FIM install. They are special registry entries only created by an administrator to handle special situations.

    After you restarted the sync service, when did the new errors appear?  During a synchronization run profile or an export?

    If during a synchronization run profile, I would verify any rules extension code -- perhaps it is referencing an XML/configuration file that is missing or renamed. Running Visual Studio, attaching a debugger to miiserver.exe, and setting a breakpoint at the MapAttributesForJoin method is helpful here. If you don't make it that far then look at the Initialize method up at the top of the code. If you get to the MapAttributesForJoin method without hitting the error then keep stepping through the code -- then look in MVExtension.DLL.

    If you are hitting the error during an export, try running a full import of that target MA, then a full sync then try.  If same error, make sure that target MA is selected (AD MA), then click Delete. You want to select the first choice, "Delete connector space only". When deletion is done, run a full import of that MA, then a Full Sync.

    If you still get that error and you have verified all the rules extension code is good, I would then suspect the sync service install. Back up the FIM Synchronization service database, then go to add/remove programs and select a change install for the FIM Synchronization service. Select existing database and enter the same values. This process will re-apply permissions in COM+, registry, and files.  Then try.

    If you are still throwing the error then you could go to the extreme and export the FIM configuration. Go to File, Export Server Configuration and save to an empty folder. Then do a re-install and select a new database. Then do a File, Import Server Configuration and walk through the setup -- you should just be able to click Next through the import process. Then try.

    If you are having trouble debugging the rules extension code please paste in the rules extension code for the source MAs, target MAs and MVExtension.DLL.

    Best,

    Jeff Ingalls

    Saturday, February 13, 2016 12:38 AM
  • Thanks a Lot Jeff.. I will try these out now..
    Tuesday, February 16, 2016 5:14 AM
  • Hi Jeff.

    Can you please let me know the purpose of the field ADMADoNormalization? As per the description it says it is used for exporting to the AD server. I re-checked it in one of our earlier environments; we do not have such registry keys there. Why is it asking for it in this environment? One of the differences I noticed is the Exchange provisioning. In the old one, it was just user/group provisioning on AD and that's about it. I am very skeptical about modifying these registry keys, so wanted to know its purpose before going through with it.

    Also, this error is only on an EXPORT. The import and sync are working fine on the AD MA.

    Tuesday, February 16, 2016 9:10 AM
  • If you are receiving an "exported-change-not-reimported" error message when exporting then set this value to 1, otherwise keep the default of 0 as per documentation.

    There is no harm in creating the keys with their default values and seeing if those bail errors go away. If you are concerned about what they do, you can read through the reference in my first reply.  If you don't want to create those keys, which really shouldn't be needed, then delete the AD connector space, perform a full import, full sync and attempt to export. If you are still throwing those bail errors, consider going to add/remove programs and running a repair of the sync engine install.  If that doesn't solve it, consider an uninstall, re-install and patching up to the latest version.  You can find the latest update of FIM here.  The hotfixes are cumulative so all you need to do is install the last one -- currently 4.1.3671.0.

    Best,

    Jeff Ingalls

    Tuesday, February 16, 2016 2:40 PM
  • Hi Jeff,

    ADMADoNormalization, ADMAUseACLSecurity have been resolved. But the path for ADMARecursiveUserDelete is not getting resolved from the path below.

    SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service

    Is there any alternative path available?

    Thanks a lot for your help so far! we were able to resolve quite a few issues.

    Also, deleting the connector space and doing a full import and sync did not work. We do not have an mcextension.dll as we are using codeless provisioning.

    Thank you,

    Carol

    Wednesday, February 17, 2016 7:54 AM
  • Hi Carol,

    The MSDN documentation says ADMARecursiveUserDelete is a DWORD and is located in HKLM\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service.  The default value is 1 which allows deprovisioning of non-leaf user objects.  After you set the registry value and stop and restart the FIM synchronization service, what error do you receive upon export of the AD MA?  Please copy and paste the full error message.

    Best,

    Jeff Ingalls

    Wednesday, February 17, 2016 1:42 PM