Support-Tip: (GALSYNC): Exchange 2010 Provisioning: extension-dll-timeout on Export

APPLIES TO: 

  • Forefront Identity Manager 2010, R2, R2 SP1
  • Microsoft Identity Manager 2016, SP1

 

ENVIRONMENT / ASSOCIATED WITH THE BREAK – FIX SCENARIO

  • Synchronization Service Engine
  • GalSync Management Agent (Connector)
  • Microsoft Exchange 2010

 

PROBLEM SCENARIO DESCRIPTION

  • GalSync Management Agent configured for Exchange 2010 provisioning was failing on Export with “extension-dll-timeout”.  The export would run for approximately 3 minutes and then fails.  No adds, updates or deletes would be processed.
NOTE The words “extension-dll-timeout” will appear to the right of the object that has thrown the error.

 

RESOLUTIONS

#1: Fix the Exchange CAS URI

  1. Reviewed the configuration.
  2. Tried running a test to export 10 objects.  The export still failed.
  3. All other management agent run profiles were running successfully, just the export was failing.
  4. Reviewed the “Configure Extensions” for the GalSync MA and verified the Exchange URI.
  5. The Exchange URI was pointing to a single CAS server.  The export had worked previously but just recently had stopped working.
  6. The specified Exchange CAS server has had an issue recently with opening PowerShell where it will take a long time to open a PowerShell session even directly on the server.
  7. Updated the URI to point to a different CAS server, which was not having an issue when opening PowerShell and the export is now running successfully.

#2: HTTPS with Kerberos Auth is not supported  by Exchange for the remote call to the Exchange CAS

  1. Utilize the HTTP protocol rather than HTTPS

 

ADDITIONAL INFORMATION – BACKGROUND ON THE ISSUE

An Export on the GalSync Management Agent with Exchange 2010 Provisioning enabled first tries to connect to the Exchange 2010 CAS Server based on the URI specified on the Configure Extensions Tab (How to get the Exchange 2010 CAS Information) even prior to exporting any objects to ensure it is available and the FIM Synchronization Service is able to connect.

Once the connection has been confirmed the GalSync Management Agent will export the contact objects to Active Directory.

Once the contact has been export the GalSync Management Agent executes a remote PowerShell CMDLET called Update-Recipient which populates the legacyExchangeDN and the mail attributes on the contact objects.

 

ADDITIONAL INFORMATION – RESOURCES