When attempting to create an Active Directory Domain Services (AD DS) Management Agent (ADMA) in Forefront Identity Manager 2010 (FIM), you receive the following error when you click Finish.
Repeated in textual format:
Synchronization Service Manager
A directory service error has occurred. (Exception from HRESULT: 0x80072095)
If you run a network trace you’ll notice that the “discovery process” is looking for the Exchange Organisation in the configuration naming context (NC). The reason the ADMA is looking for Exchange data is because the schema discovery process identified Exchange schema attributes. You’ve probably selected some of them in the MA configuration.
I’ve seen at least three people hit this issue now. Basically the AD has been partially prepared for Exchange. Specifically the schema has been extended (maybe someone has run SETUP /PREPARESCHEMA for example, or SETUP /PREPAREAD was run and failed part way through) but the other preparation tasks haven’t been completed.
How to fix this? Two options:
- Preferred option. Run the Exchange SETUP /PREPAREAD command. This command performs several tasks (documented here) notably:
  If the Microsoft Exchange container doesn’t exist, this command creates it under CN=Services,CN=Configuration,DC=<root domain>.
- Alternate option. Create the Microsoft Exchange container in AD DS and assign a valid version number yourself. For example, create the msExchOrganizationContainer CN=Organisation Name, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=corp, DC=contoso, DC=com (you’ll need to create the parent CN=Microsoft Exchange too; this is also an msExchConfigurationContainer object class) and set a valid objectVersion attribute value. I used 13214 as that is what my real Exchange 2010 organisation in another environment had.
I appreciate that the listed options are nothing to do with FIM. I don’t know of a way of telling the ADMA to ignore Exchange schema if it finds it. So the answer is to get the Exchange container and object version sorted and try again.
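To confirm the partially prepared state before picking an option, the read-only check below reports whether the schema carries the Exchange extension and whether an organisation container with an objectVersion exists. It is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the schema and configuration NCs, and Test-ExchangePrepState is a hypothetical helper name.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) and read access to the schema and configuration NCs.
# Test-ExchangePrepState is a hypothetical helper name.
Import-Module ActiveDirectory

function Test-ExchangePrepState {
    param([string]$Server)            # optional DC; the default DC is used if omitted

    $dc = @{}
    if ($Server) { $dc['Server'] = $Server }

    $root     = Get-ADRootDSE @dc
    $schemaNC = $root.schemaNamingContext
    $configNC = $root.configurationNamingContext

    # Exchange schema marker object; its rangeUpper holds the schema version.
    $marker = Get-ADObject @dc -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)' -Properties rangeUpper

    # Look for CN=Microsoft Exchange first: searching a missing base would throw.
    $parent = Get-ADObject @dc -SearchBase "CN=Services,$configNC" -SearchScope OneLevel `
        -LDAPFilter '(cn=Microsoft Exchange)'

    $orgs = @()
    if ($marker -and $parent) {
        $orgs = @(Get-ADObject @dc -SearchBase $parent.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(objectClass=msExchOrganizationContainer)' -Properties objectVersion)
    }
    $unversioned = @($orgs | Where-Object { $null -eq $_.objectVersion })

    [pscustomobject]@{
        SchemaExtended    = [bool]$marker
        SchemaRangeUpper  = if ($marker) { $marker.rangeUpper } else { $null }
        ExchangeContainer = if ($parent) { $parent.DistinguishedName } else { $null }
        Organisations     = $orgs | Select-Object Name, objectVersion
        # The state described above: schema extended, but no organisation
        # container carrying an objectVersion for discovery to read.
        PartiallyPrepared = [bool]$marker -and
                            ($orgs.Count -eq 0 -or $unversioned.Count -gt 0)
    }
}

Test-ExchangePrepState | Format-List
```

The check only tests that objectVersion is populated; it does not judge whether the value is a valid one for a given Exchange release.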
FYI there is an R2 bug tracking this. There’s no customer evidence requesting a back port to FIM 2010 but this issue will probably not manifest itself in FIM 2010 R2 (I stress probably as I am but a lowly consultant).