FIM Troubleshooting: Error 80230904 occurs when Sync Service Manager tries to create GAL MA and connect to another forest

  • Question

  • Hi All,

    I am testing GAL sync between 3 forests. With 2 forests, everything is fine. When I try to add the third GAL sync management agent, Synchronization Service Manager fails to connect to the forest and shows an error alert with number 80230904.

    I suspect the reason for the failure is in the new forest to which FIM tries to connect. What does this error number mean? Besides showing this number, nothing is recorded in the logs. I am failing to find any info on this error.

    FIM 2012 R2 SP1 version: 4.1.3646.0, running on a Windows 2008 R2 machine; the first and second forests are at level 2012 R2, and the third, new one (failing) is at level 2008 R2.

    Regards
    Dmitry

    Thursday, July 30, 2015 12:21 PM

All replies

  • It seems you are unable to create the third MA, correct?  Not sure what the code means.

    Make sure the forest is reachable from the FIM server:

    1. Ping the forest name

    2. Ensure your credentials have the right permissions; check here if unsure. http://setspn.blogspot.com/2010/06/fim-active-directory-management-agent.html

    3. Try with the IP address of the forest instead of the forest name


    Nosh Mernacaj, Identity Management Specialist

    Thursday, July 30, 2015 1:21 PM
  • Yes, I am unable to create the third MA. I can ping the forest, and tried with both FQDNs and IP addresses of particular DCs - the same code is shown. As for the MA user's permissions on the target AD forest, I can run adsiedit on behalf of the MA user, connect to the forest, walk through the AD tree and check permissions. Everything's fine - the same permissions for the MA user in the third forest as for the previous two (actually I used the same script to configure them). If I knew what that code means, I would know where to troubleshoot.

    Am I right that MAs are created by the miisclient.exe program? I would trace it to find out where the error appears.

    Or, probably, there is some alternative way to create an MA? Some API or PowerShell cmdlet?

    Thursday, July 30, 2015 2:32 PM
  • You don't need to ping a DC, but the name of the forest, contoso.com not dc.contoso.com.  I think you know that, but just pointing out.

    The error (though I don't know it) may lead you nowhere, simply saying it failed.  It is a connection issue, period.  Can you show the page where the error appears?

    Also check the event viewer as well.


    Nosh Mernacaj, Identity Management Specialist

    Thursday, July 30, 2015 3:43 PM
  • I have parsed the error code, however. Let's presume the code has HRESULT format. 8 means that the highest bit is 1; therefore, it's an error. Then 23 hex (35 dec) means facility code FACILITY_METADIRECTORY ("The source of the error code is the Microsoft Identity Server"). Correct so far. Then the error code itself, 904 hex (2308 dec), means "Socket closed". So you are right, more than likely it's a connection issue.

    The event viewer has no events on this, neither in the general-purpose Application and System logs nor in the special logs for FIM.

    The forum engine does not permit me to put links and pictures here, but you can look at it on http: // bestpics.ru/full/FIMError.jpg
    Thursday, July 30, 2015 4:16 PM
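The HRESULT breakdown in the post above (severity bit, facility 0x23, code 0x904), as an added example that is not part of the thread: a small decoder that splits any HRESULT into its fields and also normalises the signed form that .NET reports in `Exception.HResult`. The facility-name table is an assumption limited to values from winerror.h; the meaning of code 0x904 within FACILITY_METADIRECTORY is not looked up here.

```python
from dataclasses import dataclass

# Facility numbers from winerror.h that this example knows; FACILITY_METADIRECTORY (35)
# is the one the thread identifies for 0x80230904.
FACILITIES = {0: "FACILITY_NULL", 1: "FACILITY_RPC", 2: "FACILITY_DISPATCH",
              3: "FACILITY_STORAGE", 4: "FACILITY_ITF", 7: "FACILITY_WIN32",
              8: "FACILITY_WINDOWS", 9: "FACILITY_SSPI", 35: "FACILITY_METADIRECTORY"}

@dataclass(frozen=True)
class HResult:
    value: int           # normalised unsigned 32-bit value
    failed: bool         # severity bit 31: 1 = error
    customer: bool       # bit 29: vendor-defined code
    nt_mapped: bool      # bit 28: wrapped NTSTATUS (HRESULT_FROM_NT)
    facility: int        # bits 16-26
    facility_name: str
    code: int            # bits 0-15

def decode_hresult(raw) -> HResult:
    """Strings are taken as hex ('0x80230904' or '80230904'), the way Windows
    dialogs show them; ints are taken as-is, so .NET's signed Exception.HResult
    (-2145187580 for this code) decodes to the same value."""
    value = int(raw, 16) if isinstance(raw, str) else int(raw)
    value &= 0xFFFFFFFF                      # negative int32 -> unsigned 32-bit
    facility = (value >> 16) & 0x7FF
    return HResult(
        value=value,
        failed=bool(value & 0x80000000),
        customer=bool(value & 0x20000000),
        nt_mapped=bool(value & 0x10000000),
        facility=facility,
        facility_name=FACILITIES.get(facility, "unknown"),
        code=value & 0xFFFF,
    )

def describe(raw) -> str:
    """One-line summary; for FACILITY_WIN32 the code is a plain Win32 error number."""
    h = decode_hresult(raw)
    text = (f"0x{h.value:08X}: {'FAILURE' if h.failed else 'SUCCESS'}, "
            f"facility {h.facility} ({h.facility_name}), code 0x{h.code:X} ({h.code})")
    if h.facility == 7:
        text += f" = Win32 error {h.code}"
    return text

if __name__ == "__main__":
    print(describe("0x80230904"))   # the code from the thread
    print(describe(-2145187580))    # same code as .NET reports it (signed)
    print(describe("0x80070005"))   # for comparison: E_ACCESSDENIED, Win32 error 5
```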
  • I can't open the URL you sent either, but you may want to try to use the IP address of the forest.  Ping the Forest.Com and get the IP.


    Nosh Mernacaj, Identity Management Specialist

    Thursday, July 30, 2015 5:50 PM
  • Finally, I have written myself a program in C# today to do this job (GAL synchronizing). FIM is a very universal and powerful system and probably overkill for accomplishing this particular goal. I will be testing over the weekend and deploying on Monday. At least, if I can connect programmatically to all the forests, why not perform the rest? :)
    Friday, July 31, 2015 7:59 PM
  • I've used the FIM GAL Sync twice over the past years for two separate customers and twice I was very very satisfied with how it worked.

    If your data is squeaky clean you write a PowerShell script that performs GAL sync in 15'. But then the fun starts with all kinds of edge cases where errors pop up due to invalid addresses or whatever issues GAL sync usually throws.

    And that's what that little GAL MA is quite good at. I've found the limited amount of code to be quite powerful and complete.

    If you write some code yourself you'll have to do quite some testing to be absolutely sure it's bug-free. Why not use a product that has been deployed many times, or at least more than a custom, self-made solution?

    Either way, with the FIM/MIM Sync now being part of the OS license and thus "free" (in a way), I see very little reason to build something of your own.

    It sucks that you get an MA creation error of course :)


    http://setspn.blogspot.com


    Wednesday, August 5, 2015 8:54 AM
  • There's a handy galsync script by Carol Wapshere, which is sometimes the fastest way to achieve the required result.

    I had a customer who required galsync functionality but refused to set up an extra VM for that or install anything on existing servers, only a simple script.

    http://www.wapshere.com/missmiis/galsync-v2

    Wednesday, August 5, 2015 1:15 PM