Slightly contrived this one (I had to go out of my way to generate this error) but potentially useful for those setting up declarative synchronisation for the first time.
You synchronise the FIM Service management agent (MA) and get an extension-dll-exception error (status of the management agent operation is completed-sync-errors).
If you click the GUID in the Flow Errors column (next to the extension-dll-exception error listed in the NNN Error(s) column), then the Synchronization Error tab, and finally the Stack Trace… button, you’re faced with something like this (call stack information):
Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'AD-User'. Details: DN "CN=CN=Adams, Terry,OU=Users,OU=Human Resources,OU=Departments & Functions,DC=corp,DC=tailspin-toys,DC=com" is not valid.
Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)
The critical part of that stack trace is the details section within the error message:
Details: DN "CN=CN=Adams, Terry,OU=Users,OU=Human Resources,OU=Departments & Functions,DC=corp,DC=tailspin-toys,DC=com" is not valid.
In this case the DN is malformed. I’ve managed to get CN= in there twice.
If you hit this error, check and recheck your distinguished name (DN). For an LDAP MA (in my example I’m using the Active Directory Domain Services (AD DS) MA) the best way of checking, in my opinion, is to stick it into LDP (use search, with an LDAP filter of (objectClass=*) and the distinguished name as the base DN).
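A quick offline check can catch this kind of DN before you take it to LDP. The following PowerShell is an added example, not part of the original post or of FIM; Test-DnString is a hypothetical helper name. It splits the DN on unescaped commas and flags two patterns visible in the DN from the stack trace above: a value that itself starts with an attribute type (CN=CN=...), and a component with no attribute type, which is what a comma inside a value produces when it is not escaped. It assumes backslash escaping only (no quoted values) and checks a fixed list of common attribute types.

```powershell
# Added example: lint a DN string before it goes into a sync rule.
# Test-DnString is a hypothetical helper, not a FIM or AD cmdlet.
function Test-DnString {
    param([Parameter(Mandatory=$true)][string]$Dn)

    # Split on commas that are not escaped with a backslash.
    $components = New-Object 'System.Collections.Generic.List[string]'
    $current = New-Object System.Text.StringBuilder
    $escaped = $false
    foreach ($ch in $Dn.ToCharArray()) {
        if ($escaped) {
            [void]$current.Append($ch); $escaped = $false
        } elseif ($ch -eq '\') {
            [void]$current.Append($ch); $escaped = $true
        } elseif ($ch -eq ',') {
            $components.Add($current.ToString()); $current.Length = 0
        } else {
            [void]$current.Append($ch)
        }
    }
    $components.Add($current.ToString())

    for ($i = 0; $i -lt $components.Count; $i++) {
        $rdn = $components[$i]
        $eq = $rdn.IndexOf('=')
        if ($eq -lt 1) {
            # No "type=" at all: usually a comma in the previous value was not escaped.
            "component $($i + 1) '$rdn': no attribute type (unescaped comma in the previous value?)"
            continue
        }
        # Heuristic: the value itself begins with a common attribute type and '='.
        $value = $rdn.Substring($eq + 1)
        if ($value -match '^\s*(CN|OU|DC|O|L|ST|C|UID)\s*=') {
            "component $($i + 1) '$rdn': attribute type repeated inside the value"
        }
    }
}

# DN copied from the stack trace above.
$dn = 'CN=CN=Adams, Terry,OU=Users,OU=Human Resources,' +
      'OU=Departments & Functions,DC=corp,DC=tailspin-toys,DC=com'
$findings = @(Test-DnString -Dn $dn)
if ($findings.Count -eq 0) { 'No problems found.' } else { $findings }
```

A DN that passes this check can still be wrong for your directory (for example, a container that does not exist), so the LDP search remains the definitive test.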