Thursday, April 14, 2011

Having extensible-extention-error or ma-extention-error while provisioning Live@EDU? Here's how to get the detailed errors in FIM2010

In a scenario where you are using Forefront Identity Manager 2010 (FIM) to provision mailboxes to Live@EDU (Microsoft’s Cloud e-mailservice for education) you must have seen the following error before when you did an export or EDIDS on your Live@EDU Management agent.
“Error: extensible-extention-error” or “ma-extention-error”

When you click on the details you’ll get the following information:
Microsoft.MetadirectoryServices.ExtensibleExtensionException: System.TypeInitializationException: The type initializer for 'Microsoft.Exchange.GALSync.Common.XMAEventLog' threw an exception. ---> System.Security.SecurityException: The source was not found, but some or all event logs could not be searched.  Inaccessible logs: Security.
Which tells us absolutely nothing about why the export to Live@EDU failed. When you look at the eventlog (application) you’ll see event id 6801 being raised which is basically the same error and still tells us nothing about why the export failed:
Why is this occurring? FIM 2010 is unable to actually write the error to the eventlog. Why? Because it doesn’t know which .dll to use to write to the eventlog. This is somewhat related to the fact that the Management Agent for Live@EDU that is used today was originally written for Identity Lifecycle Manager 2007 (ILM).
Now, what do we do to fix this? Quite simple!
1.       Create a .reg file and enter the following content

Windows Registry Editor Version 5.00

"EventMessageFile"="\"C:\\Program Files\\Microsoft Forefront Identity Manager\\2010\\Synchronization Service\\Extensions\\res\\Microsoft.Exchange.GALSync.EventLog.dll\""
"CategoryMessageFile"="\"C:\\Program Files\\Microsoft Forefront Identity Manager\\2010\\Synchronization Service\\Extensions\\res\\Microsoft.Exchange.GALSync.EventLog.dll\""

Make sure that the paths to the .dll match your environment and that the .dll is actually there.

2.       Run the .reg file on the machine that runs your FIM Sync Service
This should let FIM 2010 know what .dll to use to actually write a usefull error to the eventlog (that it receives from Live@EDU) and also where this .dll resides.

3.       Now restart the service FIMSynchronizationService

4.       (Re)start your export run profile (or EDIDS if you prefer so).
That’s it!
From now on, when for some reason FIM could not add, delete or update a mailbox in Live@EDU, we get the actual error from Live@EDU inside FIM2010 as well as inside the eventlog.

In this case the cause was simple, an account with the same liveID already existed. But you can imagine this can be very useful for finding out causes that aren’t too obvious.
From what I believe, add this to your default installation instructions when combining FIM2010 and Live@EDU!


  1. This one was so useful for me, helped me to solve the actual problem.

    thank you Mr.Berson

  2. Thanks for the feedback Vidyadhish! Good to hear you found it usefull!