What is a GalSync Solution?
GalSync is a Global Address List Synchronization Solution. It is a way for Microsoft Exchange Organizations to share their Global Address Lists (GAL). Additionally, once a GalSync Solution is set up, it provides the ability to share Free/Busy information.
NEW GALSYNC SOLUTION – Contacts are not provisioning
Contacts not provisioning is a very common issue in a GalSync Solution. We normally see it in new GalSync Solutions because something has been missed in the configuration. The following checks provide guidance on getting GalSync working.
- Validate that “Enable Provisioning Rules Extension” is checked in the Tools > Options Dialog.
- Ensure that you have a Target Container selected on the Configure GAL properties page of the GalSync Management Agent.
- Here is a TechNet Wiki that discusses the issue: http://social.technet.microsoft.com/wiki/contents/articles/15915.troubleshooting-fim-galsync-no-contacts-to-provision.aspx
- Ensure that your GalSync.XML file is correct in the %programfiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions folder.
- Here is a TechNet Wiki that discusses the issue: http://social.technet.microsoft.com/wiki/contents/articles/15401.troubleshooting-galsync-contacts-are-not-being-created-for-new-users.aspx
GALSYNC RELATED SYNCHRONIZATION ERRORS
- mv-deletion: msExchDynamicDistributionList: http://social.technet.microsoft.com/wiki/contents/articles/19034.troubleshooting-fim-extension-unexpected-attribute-value-mv-deletion-msexchdynamicdistributionl.aspx
GALSYNC RELATED EXPORT ERRORS
In many cases, GalSync Export Errors are related to the Exchange Provisioning process. Exchange Provisioning is configured on the Configure Extensions tab of the GalSync Management Agent. When Exchange Provisioning is enabled, the Synchronization Service Engine executes an Exchange PowerShell cmdlet called Update-Recipient.
- Exchange 2007: Update-Recipient is executed locally on the Synchronization Service Engine machine
- Exchange 2010, 2013, 2016: Update-Recipient is executed remotely on the Exchange Client Access Server (CAS) using WinRM.
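For Exchange 2010 and later, the remote path can be exercised by hand from the Synchronization Service machine. The following is an added example, not code from the original page: the function name, its parameters and the CAS host name are hypothetical, and it assumes the standard Exchange remote PowerShell endpoint (`http://<CAS>/PowerShell/`) with Kerberos authentication. It also pulls recent Application Event Log entries for Event IDs 0 and 6500, the two IDs this page refers to.

```powershell
# Added example; function name, parameters and host name are hypothetical.
function Test-GalSyncExchangeRps {
    param(
        [Parameter(Mandatory)][string]$CasServer,           # placeholder CAS FQDN
        [Parameter(Mandatory)][pscredential]$MaCredential,  # the GalSync MA account
        [int]$LookbackHours = 24
    )
    $result  = [ordered]@{ Session = $false; UpdateRecipient = $false; Error = $null; Events = @() }
    $session = $null
    try {
        # Same transport the page describes for Exchange 2010+: WinRM to the CAS.
        # Assumption: default remote PowerShell virtual directory, Kerberos auth.
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri "http://$CasServer/PowerShell/" `
            -Authentication Kerberos -Credential $MaCredential -ErrorAction Stop
        $result.Session = $true

        # Exchange RBAC decides which cmdlets the account can see;
        # confirm Update-Recipient is one of them.
        $cmd = Invoke-Command -Session $session -ErrorAction Stop `
            -ScriptBlock { Get-Command -Name Update-Recipient }
        $result.UpdateRecipient = [bool]$cmd
    }
    catch {
        # 403, Access Denied and Kerberos failures all surface here as text.
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($session) { Remove-PSSession -Session $session }
    }

    # Event ID 0 is shared by many sources, so narrow by message content.
    $filter = @{ LogName = 'Application'; Id = 0, 6500
                 StartTime = (Get-Date).AddHours(-$LookbackHours) }
    $result.Events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WinRM|WS-Management|Kerberos|Update-Recipient' } |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } })

    [pscustomobject]$result
}

# Run on the Synchronization Service machine; the host name is a placeholder.
Test-GalSyncExchangeRps -CasServer 'cas01.contoso.example' -MaCredential (Get-Credential)
```

If `Session` is false, the `Error` text is the string to match against the WinRM troubleshooting articles listed on this page; if `Session` is true but `UpdateRecipient` is false, look at the account's Exchange permissions rather than at WinRM.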
The below blog provides some general troubleshooting information on WinRM.
- STOPPED-DLL-EXCEPTION: Stopped-DLL-Exception is a status that is displayed on the Operations Tab (Run History) for a Run Profile that failed to complete successfully. The best place to start when receiving a stopped-dll-exception status is the Application Event Log. There you will most likely see at least two events associated with the stopped-dll-exception status. Review the Event ID 0 for the most detail about the status. In most cases, you will see the error is associated with Exchange Provisioning and WinRM.
- The property value you specified, “-1073740026”, isn’t defined in the Enum type “Nullable`1”. Property Name: RecipientDisplayType: http://social.technet.microsoft.com/wiki/contents/articles/17909.troubleshooting-fim-the-property-value-you-specified-1073740026-isn-t-defined-in-the-enum-type-nullable1.aspx
- WINRM client received HTTP status code of 403 from the remote WS-Management service: http://social.technet.microsoft.com/wiki/contents/articles/11231.troubleshooting-stopped-dll-exception-the-winrm-client-received-an-http-status-code-of-403-from-the-remote-ws-management-service.aspx
- WINRM cannot process the request: Access Denied: http://social.technet.microsoft.com/wiki/contents/articles/15091.troubleshooting-fim-stopped-dll-exception-winrm-cannot-process-the-request-access-denied.aspx
- WINRM: cannot process the request. The following error occurred while using Kerberos Authentication. The network path was not found. : http://social.technet.microsoft.com/wiki/contents/articles/12463.troubleshooting-fim-sync-stopped-dll-exception-the-following-error-occurred-while-using-kerberos-authentication.aspx
- STOPPED-DLL-EXCEPTION TROUBLESHOOTER: http://social.technet.microsoft.com/wiki/contents/articles/8759.fim-troubleshooting-stopped-dll-exception-troubleshooter-document.aspx
- MA-EXTENSION-ERROR: The ma-extension-error status is very similar to the stopped-dll-exception status documented above. We saw this more with Exchange 2007 provisioning. Troubleshooting this run status starts with the Application Event Log. Below are some TechNet Wikis that provide more information about the error messages received.
- Active Directory response: 00002098: SecErr (INSUFF_ACCESS_RIGHTS): http://social.technet.microsoft.com/wiki/contents/articles/12703.troubleshooting-fimgalsync-active-directory-response-00002098-secerr-dsid-03150bb9-problem-4003-insuff-access-rights-data-0.aspx
- Event ID 6500 – name is not valid for Alias: http://social.technet.microsoft.com/wiki/contents/articles/11427.fim-troubleshooting-ma-extension-error-event-id-6500-name-is-not-valid-for-alias.aspx
- FIM-GALSYNC: ma-extension-error
This is an indication that there is too much data in an attribute. Normally we see this in multi-line attributes such as Info, msExchSafeSenderHash, description, etc.
- mv-constraint-violation (msExchSafeSenderHash) during GalSync: 10733.troubleshooting-mv-constraint-violation-msexchsafesenderhash-during-galsync.aspx
- PERMISSION ISSUE
Permission issues are normally an indication that the GalSync Management Agent account does not have permission to do something in the Active Directory Forest that it is exporting (writing) to.
- Insufficient access rights to perform operation: http://social.technet.microsoft.com/wiki/contents/articles/7612.galsnc-permission-issue-insufficient-access-rights-to-perform-the-operation.aspx
- Permissions for GalSync User: http://social.technet.microsoft.com/wiki/contents/articles/4868.permissions-for-galsync-user-ma-user-account.aspx
- CONTACTS CREATED NOT SEEN IN GAL
- GalSync creates mail-enabled contacts that are not seen in GAL: http://social.technet.microsoft.com/wiki/contents/articles/4232.galsync-creates-contacts-that-are-not-seen-in-the-gal.aspx
- LEGACYEXCHANGEDN is not populated (Multiple Contacts are being created in GAL)
- LegacyExchangeDN is not populated:
We see this issue happen when the Exchange PowerShell cmdlet fails. In most cases, you can find additional information about the issue in the Application Event Log. Here is a Microsoft TechNet Wiki that describes the issue in more detail: http://social.technet.microsoft.com/wiki/contents/articles/7773.galsync-troubleshooting-legacyexchangedn-is-not-populated.aspx
- How to customize TargetAddress on Export Attribute Flow: http://social.technet.microsoft.com/wiki/contents/articles/4418.how-to-customize-targetaddress-on-export-attribute-flow-in-galsync.aspx
- How to flow msExchHideFromAddressList but filter if the value is true:
- Sharing GALs and Free/Busy Information between Exchange Orgs: http://social.technet.microsoft.com/wiki/contents/articles/7377.fim-2010-sharing-gals-and-freebusy-info-between-exchange-orgs.aspx
- Identity and Access Management Support Team Blog:
- Global Address List (GalSync) Resources:
- On-Premises Identity and Access Management: https://www.microsoft.com/en-us/cloud-platform/microsoft-identity-manager#fbid=2VvP26FRhhI
- Resource Page Wiki Page Index: http://social.technet.microsoft.com/wiki/contents/articles/11405.fim-reference-fim-resource-wiki-page-index.aspx