Exchange 2010 Provisioning with ILM 2007 FP1 SP1

  • Question

  • Has anyone been able to provision mailboxes to Exchange 2010 from ILM 2007 FP1 where the ILM and Exchange boxes exist in different domains? I've had no problem provisioning to Exchange when it exists in the same domain but get exceptions when Exchange resides in a different domain. The exception I receive is:

    Microsoft.MetadirectoryServices.ExtensionException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: There are currently no logon servers available to service the logon request.  

     Possible causes are:

      -The user name or password specified are invalid.

      -Kerberos is used when no authentication method and no user name are specified.

      -Kerberos accepts domain user names, but not local user names.

      -The Service Principal Name (SPN) for the remote computer name and port does not exist.

      -The client and remote computers are in different domains and there is no trust between the two domains.

     After checking for the above issues, try the following:

      -Check the Event Viewer for events related to authentication.

      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

     Note that computers in the TrustedHosts list might not be authenticated.

       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

       at Exch2010Extension.Exch2010ExtensionClass.BeginExportToCd(String connectTo, String domain, String server, String user, String password)

    Microsoft Identity Integration Server 3.3.1139.2"

     

    Also, I set up both machines as TrustedHosts through PowerShell on both machines and opened up the appropriate ports. Any help or suggestions would be appreciated. Thanks.

     

    Mark

    Tuesday, September 13, 2011 3:19 PM

Answers

  • Actually it's across domains with no trust between them. Since the dll that triggers the call defaults to Kerberos, the way around that is by configuring TrustedHosts with PowerShell or WinRM, which I did.

    I ended up fixing the problem, and it was related to the network guys changing IPs on me on the VMs that the Exchange and DC resided on. I didn't figure this out until I reflector'd the code in Exch2010Extension.dll. I ended up creating a console app and used the same calls from that dll. The error that it was throwing was basically that the Exchange server could not locate the Configuration Domain Controller. I just pointed it to a specific Configuration Domain Controller instead of the default Domain Controller and all is well.

    Mark

    • Marked as answer by Mark Struck Thursday, September 15, 2011 1:58 PM
    Thursday, September 15, 2011 1:58 PM
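
Added example, not part of the original posts and not code from Exch2010Extension.dll: a PowerShell sketch for reproducing the connection outside ILM and checking the points this thread turned on (name resolution after an IP change, TrustedHosts, and which domain controllers the Exchange session uses). The host names are placeholders, and the standard Exchange 2010 remote PowerShell endpoint with Kerberos and an explicit credential is an assumption about what the extension connects to.

```powershell
# Added diagnostic sketch. Host names are placeholders, not values from the thread.
function Test-ExchangeRemoting {
    param(
        [Parameter(Mandatory = $true)][string]$ExchangeServer,    # FQDN of the Exchange 2010 server
        [Parameter(Mandatory = $true)][string]$DomainController,  # FQDN of a DC in the Exchange domain
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )

    # 1. The root cause in the thread was changed IP addresses, so check resolution first.
    foreach ($name in $ExchangeServer, $DomainController) {
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($name) |
                ForEach-Object { $_.IPAddressToString }
            Write-Host "$name resolves to $($ips -join ', ')"
        } catch {
            Write-Warning "$name does not resolve: $($_.Exception.Message)"
        }
    }

    # 2. TrustedHosts only relaxes the client-side check; listed hosts are not authenticated.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    Write-Host "Client TrustedHosts: $trusted"

    # 3. Assumed equivalent of the extension's connection: Exchange remote PowerShell
    #    endpoint, Kerberos, explicit credential. Failure here reproduces the ILM error.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$ExchangeServer/PowerShell/" `
        -Credential $Credential -Authentication Kerberos -ErrorAction Stop

    try {
        # 4. Return the AD server settings (configuration DC, global catalog) for this session.
        Invoke-Command -Session $session -ScriptBlock { Get-ADServerSettings }
    } finally {
        Remove-PSSession $session
    }
}

# Placeholder names; supply an account from the Exchange domain when prompted.
Test-ExchangeRemoting -ExchangeServer 'exch01.resource.example' `
    -DomainController 'dc01.resource.example' `
    -Credential (Get-Credential) | Format-List
```

The thread does not say how the Configuration Domain Controller was pinned; in an Exchange 2010 session, `Set-ADServerSettings -ConfigurationDomainController` is one cmdlet that sets it for that session.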

All replies

  • Different forest? I had a similar problem where the remote domain was in a different forest and the forest trust was set to 'external trust' and it needed to be 'Forest trust'.

    Have you verified the problem exists if you use PowerShell outside of FIM? (I would expect the same error.)


    Frank C. Drewes III - Consultant: Certified Security Solutions - My blog: http://www.css-security.com/author/fdrewes
    Wednesday, September 14, 2011 7:49 PM