Support Tip: GalSync Information

What is a GalSync Solution?

GalSync is a Global Address List Synchronization Solution.  It is a way for Microsoft Exchange Organizations to share their Global Address Lists (GAL).  Additionally, once a GalSync Solution is setup, it provides the ability to share Free/Busy information.

NEW GALSYNC SOLUTION – Contacts are not provisioning

Contacts not provisioning is a very common issue that is seen within a GalSync Solution.  We normally see this in new GalSync Solutions because something has been missed in the configuration.  The following information provides guidance on things to check to get GalSync working.

1. Validate that “Enable Provisioning Rules Extension” is checked in the Tools > Options Dialog.
2. Ensure that you have a Target Container selected on the Configure GAL properties page of the GalSync Management Agent.

1. Here is a TechNet Wiki that discusses the issue: http://social.technet.microsoft.com/wiki/contents/articles/15915.troubleshooting-fim-galsync-no-contacts-to-provision.aspx

1. Here is a TechNet Wiki that discusses the issue: http://social.technet.microsoft.com/wiki/contents/articles/15401.troubleshooting-galsync-contacts-are-not-being-created-for-new-users.aspx

GALSYNC RELATED SYNCHRONIZATION ERRORS

1. EXTENSION-UNEXPECTED-ATTRIBUTE-VALUE

1. mv-deletion: msExchDynamicDistributionList: http://social.technet.microsoft.com/wiki/contents/articles/19034.troubleshooting-fim-extension-unexpected-attribute-value-mv-deletion-msexchdynamicdistributionl.aspx

GALSYNC RELATED EXPORT ERRORS

In many cases, GalSync Export Errors are related to the Exchange PowerShell CMDLET called Update-Recipient.  In Exchange 2010, FIM utilizes WinRM to remotely execute the Exchange PowerShell CMDLET remotely on the Exchange 2010/2013 Client Access Server.  The following will assist in troubleshooting WinRM.

WinRM Troubleshooting: https://blogs.technet.microsoft.com/jonjor/2009/01/09/winrm-windows-remote-management-troubleshooting/

1. STOPPED-DLL-EXCEPTION: For stopped-dll-exception errors, you will want to review the Application Event Log to get more details about the error that is actually occurring. 

1. The property value you specified, “-1073740026”, isn’t defined in the Enum type “Nullable`1”. Property Name:  RecipientDisplayType: http://social.technet.microsoft.com/wiki/contents/articles/17909.troubleshooting-fim-the-property-value-you-specified-1073740026-isn-t-defined-in-the-enum-type-nullable1.aspx
2. WINRM client received HTTP status code of 403 from the remote WS-Management service: http://social.technet.microsoft.com/wiki/contents/articles/11231.troubleshooting-stopped-dll-exception-the-winrm-client-received-an-http-status-code-of-403-from-the-remote-ws-management-service.aspx
3. WINRM cannot process the request: Access Denied: http://social.technet.microsoft.com/wiki/contents/articles/15091.troubleshooting-fim-stopped-dll-exception-winrm-cannot-process-the-request-access-denied.aspx
4. WINRM: cannot process the request.  The following error occurred while using Kerberos Authentication.  The network path was not found.  : http://social.technet.microsoft.com/wiki/contents/articles/12463.troubleshooting-fim-sync-stopped-dll-exception-the-following-error-occurred-while-using-kerberos-authentication.aspx
5. STOPPED-DLL-EXCEPTION TROUBLESHOOTER: http://social.technet.microsoft.com/wiki/contents/articles/8759.fim-troubleshooting-stopped-dll-exception-troubleshooter-document.aspx

1. Extension-Dll-Timeout: https://blogs.msdn.microsoft.com/ms-identity-support/2014/02/04/troubleshooting-galsync-ma-exchange-2010-provisioning-extension-dll-timeout-error-on-export/

1. Active Directory response: 00002098: SecErr (INSUFF_ACCESS_RIGHTS): http://social.technet.microsoft.com/wiki/contents/articles/12703.troubleshooting-fimgalsync-active-directory-response-00002098-secerr-dsid-03150bb9-problem-4003-insuff-access-rights-data-0.aspx
2. Event ID 6500 – name is not valid for Alias: http://social.technet.microsoft.com/wiki/contents/articles/11427.fim-troubleshooting-ma-extension-error-event-id-6500-name-is-not-valid-for-alias.aspx

1. mv-constraint-violation (msExchSafeSenderHash) during GalSync: 10733.troubleshooting-mv-constraint-violation-msexchsafesenderhash-during-galsync.aspx

1. Insufficient access rights to perform operation: http://social.technet.microsoft.com/wiki/contents/articles/7612.galsnc-permission-issue-insufficient-access-rights-to-perform-the-operation.aspx
2. Permissions for GalSync User: http://social.technet.microsoft.com/wiki/contents/articles/4868.permissions-for-galsync-user-ma-user-account.aspx

1. GalSync creates mail-enabled contacts that are not seen in GAL: http://social.technet.microsoft.com/wiki/contents/articles/4232.galsync-creates-contacts-that-are-not-seen-in-the-gal.aspx

1. LegacyExchangeDN is not populated:
   We see this issue happen when the Exchange PowerShell CMDLET fails.  In most cases, you can find additional information about the issue in the Application Event Log.  Here is a Microsoft TechNet Wiki that describes more of the information. http://social.technet.microsoft.com/wiki/contents/articles/7773.galsync-troubleshooting-legacyexchangedn-is-not-populated.aspx

GALSYNC CUSTOMIZATION

1. How to customize TargetAddress on Export Attribute Flow: http://social.technet.microsoft.com/wiki/contents/articles/4418.how-to-customize-targetaddress-on-export-attribute-flow-in-galsync.aspx
2. How to flow msExchHideFromAddressList but filter if the value is true:
3. Sharing GALs and Free/Busy Information between Exchange Orgs: http://social.technet.microsoft.com/wiki/contents/articles/7377.fim-2010-sharing-gals-and-freebusy-info-between-exchange-orgs.aspx 

IAMSUPPORT RESOURCES

• Identity and Access Management Support Team Blog:
• Global Address List  (GalSync) Resources:
• On-Premises Identity and Access Management: https://www.microsoft.com/en-us/cloud-platform/microsoft-identity-manager#fbid=2VvP26FRhhI
• Resource Page Wiki Page Index: http://social.technet.microsoft.com/wiki/contents/articles/11405.fim-reference-fim-resource-wiki-page-index.aspx

GALSYNC PROVISIONING TO EXCHANGE 2007 and/or ECHANGE 2010

So, in support we deal with a lot of issues pertaining to Exchange 2007 and Exchange 2010 provisioning.  These can be educational calls as well as troubleshooting calls, to help understand the changes that happended with Exchange 2007 and Exchange 2010.  The following wiki articles will assist in better understanding how to provision to Exchange 2007 and Exchange 2010.

FIM-GALSYNC: Exchange 2007 Provisioning

FIM-GALSYNC: Exchange 2010 Provisioning

In addition to that, I have posted information dealing with one of the most common errors when provisioning to Exchange 2007 and/or Exchange 2010 and that is the infamous “ma-extension-error”.

FIM-GALSYNC: ma-extension-error

Please let me know if these are helpful.