When provisioning a linked mailbox using Forefront Identity Manager (FIM) 2010, Identity Lifecycle Manager (ILM) 2007 or Identity Integration Server (MIIS) 2003, the Active Directory Management Agent (ADMA) throws an exported-change-not-reimported error for each new mailbox-enabled user.
Upon closer inspection you will find that the cause of the error is the nTSecurityDescriptor attribute. As discussed in my previous post the ExchangeUtils.CreateMailbox methods that are used for creating linked mailboxes (the two overrides that take a byte array) update the nTSecurityDescriptor attribute. Upon subsequent import the security descriptor has changed (because we’re reading the raw, i.e. un-normalised format by default) which triggers the error.
The resolution to this issue is the FIM Synchronization Service ADMA registry value ADMADoNormalization, documented here. It would appear that this value was introduced in MIIS 3.1.1057 (kb929622). The ADMADoNormalization DWORD requires a value of 1. No service restart is required; it comes into effect at the next export. The path to the registry key is:
- HKLM\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters - for the FIM Synchronization Service; and
- HKLM\SYSTEM\CurrentControlSet\Services\miiserver\Parameters - for ILM and MIIS.
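As an added example (not code from the original post), the following PowerShell sets or clears ADMADoNormalization under whichever of the two keys applies on the host. It chooses the key from the service that is installed; the service names FIMSynchronizationService and miiserver are assumed to match the key paths above, and the value is read back afterwards so you can confirm it was written as a REG_DWORD.

```powershell
# Added example, not from the original post. Enables (or disables) the
# ADMADoNormalization DWORD on the Synchronization Service host.
# Assumption: the Windows service names FIMSynchronizationService (FIM) and
# miiserver (ILM/MIIS) correspond to the registry key paths in the post.
function Set-ADMADoNormalization {
    param([bool]$Enabled = $true)

    $candidates = [ordered]@{
        'FIMSynchronizationService' = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
        'miiserver'                 = 'HKLM:\SYSTEM\CurrentControlSet\Services\miiserver\Parameters'
    }

    # Pick the key that belongs to the product actually installed here.
    $keyPath = $null
    foreach ($svc in $candidates.Keys) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            $keyPath = $candidates[$svc]
            break
        }
    }
    if (-not $keyPath) {
        throw 'Neither FIMSynchronizationService nor miiserver is installed on this host.'
    }

    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

    # 1 turns normalisation on, 0 turns it off. No service restart is needed;
    # the value takes effect at the next export run.
    $value = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $keyPath -Name 'ADMADoNormalization' -Value $value -Type DWord

    # Read back and confirm both the value and that it was stored as REG_DWORD.
    $item = Get-ItemProperty -Path $keyPath -Name 'ADMADoNormalization'
    $kind = (Get-Item $keyPath).GetValueKind('ADMADoNormalization')
    [pscustomobject]@{
        Key   = $keyPath
        Value = $item.ADMADoNormalization
        Kind  = $kind
    }
}

# Enable normalisation (run in an elevated session on the sync server):
Set-ADMADoNormalization -Enabled $true

# To fall back to ignoring the errors instead, clear it again:
# Set-ADMADoNormalization -Enabled $false
```

Run it elevated on the synchronization server itself; the output object shows the key that was chosen, the value, and the value kind so a REG_SZ written by hand is caught immediately.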
What does normalisation do? How does it work?
Setting this value to “1” will cause the AD MA to export an object to AD, and then read back the AD normalized ‘nTSecurityDescriptor’ attribute and write it back onto the export image to avoid ‘exported-change-not-reimported’ errors.
The above is a quote from the registry keys and values documentation. I’ve not found enough extra detail to enable me to add to that description.
If, after turning on ADMADoNormalization, you no longer get the exported-change-not-reimported error and instead get an unexpected-error which generates the following event log entry (event ID 6401, source FIMSynchronizationService):
The management agent controller encountered an unexpected error. "ERR: MMS(2360): session.cpp(5622): ldap_get_values_len (attr=nTSecurityDescriptor) failed BAIL: MMS(2360): session.cpp(5624): 0x80070057 (The parameter is incorrect.) BAIL: MMS(2360): LDAPUtils.h(1581): 0x80070057 (The parameter is incorrect.) BAIL: MMS(2360): admaexport.cpp(1821): 0x80070057 (The parameter is incorrect.) BAIL: MMS(2360): ldapmaexportcore.cpp(897): 0x80070057 (The parameter is incorrect.) ERR: MMS(2360): ldapmaexportcore.cpp(1251): Unexpected export failure: local result = 0x80070057 ERR: MMS(2360): cntrler.cpp(7290): Invalid export error code received: 0x 80230808 ERR: MMS(2360): cntrler.cpp(8335): Invalid error code from MA 'CloudDS' while running run profile 'Export'. Forefront Identity Manager 4.0.3594.2"
The issue is likely that you are not running as an administrative user!
I’m working on a deployment whereby I’m doing my utmost to adhere to least privilege and this one has hit me hard.
By default you can’t read nTSecurityDescriptor. However, you can grant permissions to read the attribute quite easily. Unfortunately this isn’t enough: nTSecurityDescriptor is a BLOB made up of three discrete elements: owner, DACL and SACL. If you want to return this attribute in the results of an LDAP query, and you’re not an administrator, you need to specify the LDAP_SERVER_SD_FLAGS_OID control with one or more of the security information flags (OR’d) to describe which aspects of the SD you want. For example, if you want the Owner and the DACL (probably all we really want from the perspective of the Synchronization Service) then you add OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION as the [BER-encoded] value of the control.
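To show the difference the control makes, here is an added PowerShell example (not from the original post) that queries one object for nTSecurityDescriptor twice as a non-administrative account: once with no control, and once with LDAP_SERVER_SD_FLAGS_OID (OID 1.2.840.113556.1.4.801) requesting Owner | DACL. It uses the .NET System.DirectoryServices.Protocols classes, whose SecurityDescriptorFlagControl builds the BER-encoded control value for you. The domain controller name, object DN and credential are placeholders; the account is assumed to have been granted Read on nTSecurityDescriptor for the object.

```powershell
# Added example, not from the original post. Reads nTSecurityDescriptor as a
# non-admin account, with and without LDAP_SERVER_SD_FLAGS_OID, and parses the
# result. Placeholders: $dc, $dn and the credential prompted for.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc   = 'dc01.example.com'                      # placeholder domain controller
$dn   = 'CN=Alice,OU=Users,DC=example,DC=com'   # placeholder object DN
$cred = Get-Credential -Message 'AD MA (non-admin) account'

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Credential = $cred.GetNetworkCredential()
$conn.Bind()

function Get-SdBytes {
    param([bool]$UseSdFlagsControl)

    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $dn, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        'nTSecurityDescriptor')

    if ($UseSdFlagsControl) {
        # OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, the parts the
        # Synchronization Service needs; SACL is deliberately not requested
        # because reading it needs SeSecurityPrivilege, which a non-admin lacks.
        $mask = [System.DirectoryServices.Protocols.SecurityMasks]::Owner -bor `
                [System.DirectoryServices.Protocols.SecurityMasks]::Dacl
        $ctl = New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl($mask)
        $req.Controls.Add($ctl) | Out-Null
    }

    $resp = $conn.SendRequest($req)
    $attr = $resp.Entries[0].Attributes['nTSecurityDescriptor']
    if ($null -eq $attr) { return $null }   # server omitted the attribute
    return [byte[]]$attr.GetValues([byte[]])[0]
}

$without = Get-SdBytes -UseSdFlagsControl $false
$with    = Get-SdBytes -UseSdFlagsControl $true

"Without SD_FLAGS control: " + $(if ($null -eq $without) { 'attribute not returned' } else { "$($without.Length) bytes" })
"With SD_FLAGS control:    " + $(if ($null -eq $with)    { 'attribute not returned' } else { "$($with.Length) bytes" })

if ($with) {
    # Decode the self-relative SD so the owner and DACL can be inspected.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($with, 0)
    "Owner SID:    $($sd.Owner)"
    "DACL ACEs:    $($sd.DiscretionaryAcl.Count)"
    "SACL present: $($null -ne $sd.SystemAcl)"   # expected False: not requested
}
```

Run as the AD MA service account rather than your own admin account, otherwise the first query succeeds too and the comparison proves nothing. With the control the server returns only the owner and DACL portions, which is exactly what a normalisation read-back would need; without it the attribute is silently dropped from the result for a non-privileged caller, which is the behaviour that surfaces as the ldap_get_values_len failure above.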
Unfortunately FIM Synchronization Service isn’t utilising this control in any of the builds that I’ve tried: 3558 (when the registry value was introduced), 3576 and 3594. I’ve bugged this (17/11/2011) and am waiting for more information on when, if at all, a hotfix will be available.
In the meantime I have to turn off ADMADoNormalization and ignore the exported-change-not-reimported errors.
If you’re provisioning linked mailboxes you need to enable the ADMADoNormalization registry value to avoid the exported-change-not-reimported error on each exported object.
If you’re following recommended practices and the AD MA account is not an administrative user (this is the correct and only approach you should be taking, but I digress) then you currently cannot make use of ADMADoNormalization and have to ignore the exported-change-not-reimported errors. The AD MA doesn’t make use of the LDAP_SERVER_SD_FLAGS_OID extended control and is therefore unable to read the security descriptor, which breaks the confirmation work done by the AD MA and results in you failing to properly create your linked mailbox.