Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Summary

This article lists the Microsoft Managed Services Service Provisioning Provider (MMSSPP) synchronization error codes together with resolutions to the errors that those codes represent.

Currently, customers can find synchronization errors listed in the MMSSPP Sync Report. The MMSSPP Sync Report is provided to Microsoft Office 365 dedicated customers one time per day.

Note If customers want to receive synchronization error reports more frequently, they can submit a change request through their Service Delivery Manager. The frequency of reports can be increased to no more than one time per MMSSPP synchronization cycle.

All synchronization errors (that is, those errors whose code begins with "SE") have the same impact regardless of the specific synchronization error. A description of that impact follows. Provisioning errors (that is, those errors whose codes begin with "PE") do not have that impact.

General synchronization error impact

If the object was previously synchronized without errors to the MSO-hosted directory, MMSSPP will not synchronize any new attribute changes to the object to the MSO-hosted global address list (GAL). If this is the first time that this object is being synchronized by MMSSPP, the object will not be synchronized to the MSO-hosted directory. Any attribute updates to the customer object, such as a new mail address or a new or removed group membership, will not be synchronized to the MSO-hosted directory. Therefore, such attribute updates will not be seen in the MSO-hosted GAL until this error condition is corrected through the resolution that is mentioned in the "Specific synchronization error impact" section. The impact statements that are listed in the specific synchronization error messages are all in addition to the general impact that is mentioned here. If there is no additional impact, the explanation will read as follows:

There is no additional impact. See the "General synchronization error impact" section near the beginning of this article for a description of the impact of this synchronization error.

More Information

Note You should use the source distinguished name (DN) of an object when you search for synchronization errors. If the source DN does not work, you should use the managed DN of an object.


Note For errors that are associated with groups and group memberships, see the "Missing member in distribution group" section.

  • SE1008No targetAddress on user object

    The user object does not have a mailbox (homeMDB), and there is no targetAddress value. This results in undeliverable email errors.

    Impact: There is no additional impact. See the "General synchronization error impact" section near the beginning of this article for a description of the impact of this synchronization error.

    Resolution: Create a mailbox for the user object. Or, point the targetAddress value to an existing mailbox.

  • SE1101The mail attribute value is not valid

    The format of the Simple Mail Transfer Protocol (SMTP) mail address is incorrect or contains unsupported characters.

    Impact: If the customer mailbox is present, it cannot be migrated to the MSO-hosted directory until this issue is corrected.

    Resolution: The mail attribute must be corrected before MMSSPP can resume the sync. For more information about how to correct the SMTP address format, click the following article number to view the article in the Microsoft Knowledge Base:

    316061 XADM: The SMTP connector returns an error message when invalid characters are used

  • SE1102 Mail attribute value is not in the Managed SMTP Domain List

    The SMTP suffix of the mail attribute is not in the list of SMTP domains that are allowed to have mailbox provisioning. (This list is also known as the Managed SMTP Domain List).

    Impact: If the customer mailbox is present, it cannot be migrated to the MSO-hosted directory until this issue is corrected.

    Resolution: Contact MSO if this SMTP domain should be added to the Managed SMTP Domain List. Or, correct the email address if it is not valid.

    • MMSSPP expects all user objects that have a mailbox (homeMDB or Configurable Mailbox Indicator Tag [CMIT]) in a customer's on-premises mail system to have a mail address that has a suffix in the Managed SMTP Domain List.

    • The only exception occurs when a targetAddress value is also set. For example, an exception occurs when the customer mailbox is not hosted on-premises but is external to the customer's mail system.

    • Caution If the mail address is changed on the customer object so that its suffix is not in the Managed SMTP Domain List any longer, and if that user had an MSO-hosted mailbox, the MSO-hosted mailbox will be deprovisioned, and an SE1153 synchronization error will be generated. For more information about the SE1153 synchronization error, see SE1153.

  • SE1103Mail attribute is null

    Mail attribute is not set on group or contact object (null value).

    Impact: There is no additional impact. See the "General synchronization error impact" section near the beginning of this article for a description of the impact of this synchronization error.

    Resolution: Assign a mail attribute value to the object in the customer forest.

    Note MMSSPP expects all group and contact objects to have a defined, valid SMTP mail address.

  • SE1104The targetAddress is not present

    The targetAddress attribute is not present on a contact object (null value). All contact objects that have a mail address in the Managed SMTP Domain List should have their targetAddress value pointing to an external SMTP address.

    Impact: There is no additional impact. See the "General synchronization error impact" section near the beginning of this article for a description of the impact of this synchronization error.

    Resolution: Assign a valid external targetAddress value for each affected contact object.

    Note An example of a valid targetAddress value is as follows:

    SMTP:userA@domainX.fabrikam.com

  • SE1106 The mail attribute value is not unique

    Another object in one of the customer forests in the MMSSPP synchronization scope has the same mail address.

    Impact: If the customer mailbox is present, it cannot be migrated to the MSO-hosted directory until this issue is corrected.

    Resolution: Change the mail attribute to a unique value. Use the following Lightweight Directory Access Protocol (LDAP) query to identify objects that have the same mail address:

    (&(|(objectCategory=user)(objectCategory=contact)(objectCategory=group))(mail=<email>))

    For example, a query for the email address Kim.Akers@contoso.com resembles the following:

    
     
    (&(|(objectCategory=user)(objectCategory=contact)(objectCategory=group))(mail=Kim.Akers@contoso.com))
  • SE1107The targetAddress value is invalid

    The format of the targetAddress value is incorrect or contains unsupported characters.

    Impact: There is no additional impact. See the "General synchronization error impact" section near the beginning of this article for a description of the impact of this synchronization error.

    Resolution: The targetAddress value must be corrected. For more information about how to correct the SMTP address format, click the following article number to view the article in the Microsoft Knowledge Base:

    316061 XADM: The SMTP connector returns an error message when invalid characters are used

    • If the mailbox is not hosted in MSO, the targetaddress domain suffix for mail-enabled user objects should not be in the Managed SMTP Domain List.

    • If the mailbox is hosted in MSO, the targetaddress domain suffix for mail-enabled user objects should be in the Managed SMTP Domain List (if the New Hire Mailbox Provisioning option is set to OFF) or be null (if the New Hire Mailbox Provisioning option is set to ON).

    • An example of valid targetAddress value is as follows:

      SMTP:userA@domainX.fabrikam.com

    • Make sure that the targetAddress value does not include a white space or other invalid character. Trailing white spaces are invalid and are especially difficult to see.

  • SE1112 The targetAddress value is in the Managed SMTP Domain List

    The SMTP suffix of the targetAddress value points to the Managed SMTP Domain List.

    Impact: There is no additional impact. See the "General synchronization error impact" section near the beginning of this article for a description of the impact of this synchronization error.

    Resolution: Change the suffix of the targetAddress value so that the suffix points to a domain that is not in the Managed SMTP Domain List and is therefore out of scope for mailbox provisioning. These objects have a mailbox that is hosted on an external system (that is, not on a customer-premises mail system) and will be synchronized to the MSO-hosted directory as mail-enabled users.

  • SE1115 The mail attribute does not match the targetAddress value on the contact object

    The mail attribute of the contact object is not in the Managed SMTP Domain List, and the targetAddress value does not match the mail attribute. MMSSPP expects all internal contact objects that have a mail address domain suffix from the SMTP Domain List to have matching mail and targetAddress attributes.

    Impact: There is no additional impact. See the "General synchronization error impact" section near the beginning of this article for a description of the impact of this synchronization error.

    Resolution: The mail and targetAddress attributes should match for all internal contact objects. Internal contacts are those that have a mail suffix in the Managed SMTP Domain List.

  • SE1117 Proxy address value is not unique

    The proxy proxyAddresses attribute contains a duplicate address in one of the customer forests in the MMSSPP synchronization scope. Another object already has the same proxy address in its Microsoft-managed proxyAddresses attribute. The duplicate managed proxyAddress attribute may come from one of the following:

    • A source mail attribute

    • A source proxyAddress attribute

    • A source TargetAddress attribute

      Note This attribute flows to the managed Active Directory schema as a secondary proxyAddress attribute.



    Impact: There is no additional impact. See the "General synchronization error impact" section near the beginning of this article for a description of the impact of this synchronization error.

    Resolution: Delete the duplicate proxy address from proxyAddresses attribute of the appropriate object that does not have to have the address. To do this, use the following LDAP query to identify objects that share same proxy address:

    (&(|(objectCategory=user)(objectCategory=contact)(objectCategory=group))(proxyAddresses=<address>))

    For example, a query for the proxy email address Kim.Akers@contoso.com resembles the following:

    
     
    (&(|(objectCategory=user)(objectCategory=contact)(objectCategory=group))(proxyAddresses=SMTP:kim.akers@contoso.com))

    Note To maintain the ability to reply to legacy addresses, some managed proxy addresses are protected from accidental deletion and are not automatically cleared from managed Active Directory schema when they are cleared from the source. To resolve this issue, follow these instructions:

    • If the error specifies a proxy address that is in a Managed Routing domain (such as @mgd.contoso.com), the proxy address must be removed by Microsoft Online Services Support.

    • Proxy addresses of the x500 proxy type were not removed in pre-12.2 versions of MMSSPP when they were cleared from the source Active Directory schema. In the current version, x500 proxy addresses that are deleted from the customer forest are immediately deleted from the Managed forest. x500 proxy addresses that were previously removed from the customer forest but that still exist in the managed Active Directory schema can now be removed. To remove these x500 proxy addresses, follow these steps:

      1. Add the unwanted x500 proxy addresses back to the original source object.

      2. Wait two sync cycles.

      3. Remove the unwanted x500 proxy addresses from the source object. The unwanted proxy address will be cleared from the managed Active Directory schema during the next sync cycle.

  • SE1118 Mailnickname is null

    MailNickname is empty on the customer contact object, and MMSSPP cannot generate a customer contact object by using mailNickname attribute generator rules. The default attribute generator rules will try to use the givenName (also known as first name) and Sn (also known as last name) attributes in Active Directory to generate a mailNickname value for a contact that does not have a value that is defined on the customer object.

    Impact: There is no additional impact. See the "General synchronization error impact" section near the beginning of this article for a description of the impact of this synchronization error.

    Resolution: Set a MailNickname value or a givenName (also known as first name) and Sn (also known as last name) attribute value on the customer contact object.

  • SE1119 Mail attribute suffix matches the managed routing address suffix

    The mail attribute suffix must not match the managed routing address suffix. The managed routing address suffix is used to route mail from the customer object to an MSO-hosted mailbox while the customer legacy mail environment is still in a coexistence phase with MSO. Therefore, it should be used only as part of targetAddress and secondary SMTP proxyAddresses and never in the mail or primary SMTP address on a customer object. The managed routing address suffix typically takes the format @mgd.contoso.com.

    Impact: The customer mailbox, if present, cannot be migrated to the MSO-hosted directory until this issue is corrected.

    Resolution: Change the mail address to a valid SMTP value that has a suffix that is not the managed routing address suffix.

  • SE1125 The user object validation failed for the object DN [CN=...DC=com] in the Export Mail Flow (mail = [user@contoso.com]; targetAddress = [SMTP:user@northwindtraders.com])

    The combination of the mail attribute and the TargetAddress attribute does not use a valid configuration.

    Impact: A provisioning action cannot be completed because of an invalid state on the customer object. This invalid state may block any of the following actions:

    • Mailbox deprovisioning

    • Mailbox provisioning

    • Mail user provisioning

    • Mail user deprovisioning


    Resolution: Make sure that a valid combination of the mail attribute and the targetAddress attribute is applied to the source object. Also, make sure that the target address does not include a trailing white space.

    Notes

    • For mail users: The targetAddress attribute should match the mail attribute or should be null. (Check provisioning rules.)

    • For mailboxes: The targetAddress suffix should be a managed routing domain (that is, a domain that contains @mgd) if the New Hire feature is not enabled. Or, the targetAddress suffix should be null if the New Hire feature is enabled. The mail attribute domain should be in the list of MMSSPP Included SMTP Domains. The MMSSPP Included SMTP Domains list is customized per customer.


    For more information about the New Hire feature, see the "More Information on New Hire scenario" section.

  • SE1129 Detected a Customer Mailbox and a Managed Mailbox for the object DN [CN=...]

    A homeMDB value exists in both the customer and the managed environments.

    Impact: Attributes flow from the source object to the managed Active Directory object until this issue is corrected.

    Resolution: If the user should have a mailbox hosted in MSO, remove homeMDB from the customer Active Directory. If the user should not have a mailbox in MSO, temporarily clear the source homeMDB, and use the explicit deprovisioning attribute to deprovision the managed mailbox. After the managed mailbox is deprovisioned, the source homeMDB can be restored. This error usually occurs when the customer homeMDB attribute is accidentally stamped with the MSO homeMDB value.

  • SE1131 Proxy address value is not valid

    The format of the SMTP proxy address value is incorrect or contains unsupported characters.

    Impact: The customer mailbox, if present, cannot be migrated to the MSO-hosted directory until this issue is corrected.

    Resolution: The SMTP proxy address value must be corrected. By default, top-level domain suffixes are limited to three characters for the primary proxyAddresses value and to five characters for the secondary proxyAddress value. For more information about how to correct the SMTP address format, click the following article number to view the article in the Microsoft Knowledge Base:

    316061 XADM: The SMTP connector returns an error message when invalid characters are used

  • SE1137 The object with DN [CN=...,DC=COM] specifies the Customer Attribute extensionattribute[NN] = [aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa], but is not joining to any other object

    Note The exact extension attribute is the Automatic Service Reconnection (ASR) attribute and is customized per customer environment.

    This error indicates that a source object is set to connect to an existing mailbox through ASR. However, the managed object that is currently associated with the specified source object GUID cannot be connected. Error conditions SE1139 and SE1140 will generate the identical message and have the same resolution.

    Impact: A source object cannot be joined to a managed object that is connected to a managed mailbox. Additionally, a new managed mailbox cannot be created. 

    Resolution: The ASR extension attribute value should be cleared. After the next sync cycle runs, MMSSPP will create a new managed object. If the customer configures the sync appropriately, MMSSPP will create a new empty managed mailbox. The Microsoft Online Services Support Team (MOSSUP) will then restore the contents of the old disconnected mailbox to the new empty one.

    This error occurs when the old losing or source object is filtered or moved out of the MMSSPP scope before the ASR extension attribute was set on the new object. In other words, the ASR process starts for the new object after the managed object already expired in the PendingDeletions organization unit (OU). To avoid these errors on interforest migrations, stamp the ASR extension attribute value on the new object, and confirm that the ASR process finished successfully before the old losing or source object is filtered.

  • SE1144 Can't find a single row in IDIS with SourceObjectGUID [{0}] and SecondaryVerification [{1}] matching and PendingDeletion set to 1 for object DN [{2}]

    This error can occur after a failed Automatic Service Reconnection (ASR) or after an object is pulled from the MMSSPP scope, changed, and then returned to the scope. For ASR or a PendingDeletions reconnection to succeed, there must be a match between the source and managed objects for mail and customer object GUID. When this error occurs, one of these conditions was not met.

    Impact: A source object cannot be joined to a managed object that is connected to a managed mailbox. Additionally, a new managed mailbox cannot be created. 

    Resolution: Make sure that the mail values are identical for the new gaining or target object and the old losing or source object. In an ASR scenario, the GUID that is stamped in the ASR attribute must be the GUID of the old source object, not the GUID of its corresponding managed object. If those conditions are confirmed, contact Microsoft Online Support for help.

    This error occurs when the email address is changed on the old (losing or source) object before the ASR process is complete. To avoid these errors on interforest migrations, stamp the ASR extension attribute value on the new object, and confirm that the ASR process finishes successfully before the old (losing or source) object is filtered or changed.

    If an object is removed from the MMSSPP scope and then returned to the scope before the managed object is deleted from the PendingDeletions OU, the mail value must be the identical to what it was when it was originally removed from the scope. Otherwise, the objects will not reconnect, and you must wait for the PendingDeletion duration period to expire.

  • SE1153 [inconsistent state]: MBU->MEU transition is detected, but object with DN [CN=...DC=Net] does not explicitly deprovision the managed mailbox (DeprovisionMailboxEnabledUser rule = FALSE)

    This error indicates that a mailbox exists in a Microsoft Online environment. However, the source object is changed to a mail-enabled user configuration (If this was done in error, the "Resolution" steps below will explain how to correct this.) To avoid accidental mailbox deprovisioning, the customer must explicitly stamp the deprovisioning attribute before the mail type for the object is changed. Error conditions SE1151, SE1152, and SE1154 will generate an identical message and have the same resolution.

    Impact: The intended mailbox for deprovisioning is still present in the Microsoft Online environment. No source attribute changes will flow to the object in the managed object, and the managed mailbox will not be deprovisioned.

    Resolution

    1. If you want to change the object to a mail-enabled user, undo the changes that were made and then follow these steps to correctly change it to a mail-enabled user.

      1. Return the mail and targetAddress values to their original values (targetAddress contains @mgd). Make sure that the mail and targetAddress values are valid. Make sure that there are no leading or trailing white spaces in either attribute. Then, wait for two sync cycles to run. These steps resolve the error and return the object to a valid mailbox-enabled state.

      2. Set the explicit deprovisioning attribute, and change the targetAddress value so that is has a suffix that's not in the managed routing domain (@mgd).

    2. If the object should still be a mailbox object and you unexpectedly received this error, take the following action:

      • Make sure that the values for mail and targetAddress are consistent with the provisioning rules that are required for a mailbox. One or both may have been changed. Check the source values and make sure that the following conditions are true:

        • There are no leading or trailing white spaces in either attribute.

        • The targetAddress suffix does not have transposed letters. For example, do not use @mdg.contoso.com instead of @mgd.contoso.com.

        • The mail value does not contain @mgd or your company’s equivalent to a managed proxy address. The mail domain must be in the SMTP inclusion list.

    Note If the New Hire feature is not enabled, the targetAddress value must include @mgd in the suffix. Confirm that the suffix contains @mgd and that it specifies the correct managed routing domain. If the New Hire feature is enabled, the targetAddress value should include a valid @mgd… routing address, or it may be null if customer is not using EOP or migrating to vNext/MT.

  • SE1155 The Proxy address value [{0}] in the proxyaddresses attribute on {1} object DN [{2}] is an invalid SMTP Address for a Secondary SMTP Address and will be removed. Please correct the proxy address Validity.

    This error indicates that an invalid SMTP address exists for a secondary SMTP proxy.

    Impact: There is no additional impact. See the "General synchronization error impact" section near the beginning of this article for a description of the impact of this synchronization error.

    Resolution:

    1. The SMTP proxy address value must be corrected before MMSSPP can resume the sync for this object. Make sure that no leading or trailing white spaces exist. For more information about how to correct the SMTP address format, click the following article number to view the article in the Microsoft Knowledge Base:

      316061 XADM: The SMTP connector returns an error message when invalid characters are used

    2. The validation rule is different for primary proxyAddress values and secondary proxyAddress values. For example, a primary SMTP address is limited to a three-digit top-level domain suffix (@contoso.com or contoso.net). A secondary SMTP address has a limit of five characters in the top level domain suffix (@contoso.local). These rules are configurable on request to accommodate different naming conventions for local needs.

  • SE1290 Cannot resolve Reference-DN value of attribute [name]

    A reference attribute of a cross-forest group cannot be resolved in an MSO-hosted directory. For example, this error occurs when a cross-forest group member does not have a mail attribute value or if the matching mail address does not exist in the MSO-hosted environment.

    Impact: The referenced object is not represented in cross-forest group attribute name in the MSO-hosted environment.

    Resolution: Set an anchor attribute (such as the mail attribute) to a value that exists in the MSO-hosted environment.

  • SE1401 Object GUID specified in Automatic Service Reconnection attribute is invalid or does not exist

    This error and other ASR-related errors (SE1404, SE1405, SE1406) indicate the following issues:

    • The value that is specified in the ASR attribute is not a valid GUID.

    • The object that is referenced by the GUID in combination with Secondary Gate attribute (mail) does not exist in the MMSSPP scope.

    • The referenced GUID and the Secondary Gate attribute (mail) match more than one object in the MMSSPP scope.


    Impact: The customer mailbox, if present, cannot be migrated from one forest to another, and the object sync is suspended.

    Resolution: If ASR is intended for this object, specify a valid object GUID of another in-scope object in another forest. The Secondary Gate value (mail) must also match for both objects. If ASR is not intended, this value must be cleared.

  • SE1409 Object in the Pending Deletion state is in conflict with another in-scope object

    The mail attribute value of an in-scope object conflicts with another object that is currently in the Pending Deletion state. This error automatically is resolved when pending deletion is completed in N days (by default, three days) and when the in-scope object is provisioned.

    Impact: The new in-scope object will not provision or sync until the conflicting object that is in the Pending Deletion state is deleted physically.

    Resolution: Specify different email address (and possible proxy address) for the new object. Or, wait until the Pending Deletion period expires. If this error is frequent, consider filing a Customer Request with Microsoft Online Services to have the Pending Deletion duration shortened. After initial ASR implementation, recommended durations are one day for Users and Groups and zero days for Contacts.

  • SE1514 Error Key [extensionattribute10] does not exist. Unable to process error for object [CN=…DC=com]

    Note The exact extension attribute is the ASR attribute and is customized per customer environment.

    Usually, this error occurs when an invalid value is set for the ASR extension attribute. The ASR extension attribute must be a valid GUID string. If the object is not intended for ASR migration, this value must be cleared.

    Impact: The object will not be changed, provisioned, or deprovisioned in this state.

    Resolution: Set a valid GUID string for the ASR attribute. String formats that are approved are available in Section 8.2 of the MMSSPP Provisioning Interfaces Handbook. Check that no trailing white space exists and that no other character (such as a semicolon) exists at the end of the string. The ASR attribute can be used only for a target source object GUID. If the object is not intended for ASR migration, this value must be cleared.

  • SE1647 The source user object with DN [{0}] has been removed from scope, but the hosted mailbox has a litigation hold set by [{1}] on [{2}]. Managed Object and Mailbox will not be deleted. To delete this mailbox, remove litigation hold.

    The managed mailbox is configured for litigation hold. However, the related source object is filtered or removed from the MMSSPP scope. MMSSPP does not delete the managed object until the litigation hold is removed.

    Impact: The object will not be deprovisioned in this state.

    Resolution: This behavior is by design, because litigation hold is an explicit setting to preserve mailbox integrity. If the mailbox should be deleted, the litigation hold must be removed by the customer.

  • SE1648 A hosted mailbox for the source user object with DN [{0}] has been determined by MMSSPP to be deprovisioned, but the hosted mailbox has a litigation hold set by [{1}] on [{2}]. Managed Object and Mailbox will not be deleted. To deprovision this mailbox, remove litigation hold.

    The managed mailbox is configured for litigation hold. However, the related source object is configured to deprovision that managed mailbox. MMSSPP does not disconnect the managed mailbox until the litigation hold is removed.

    Impact: The object is not deprovisioned in this state.

    Resolution: This behavior is by design, because litigation hold is an explicit setting to preserve mailbox integrity. If the mailbox should be deleted, the litigation hold must be removed by the customer.

  • PE1 Error: Enabling the MSO-hosted mailbox failed

    An error occurs when MMSSPP tries to enable the MSO-hosted mailbox.

    Impact: MMSSPP cannot create the MSO-hosted mailbox until this issue is corrected.

    Resolution: See the specific details in the error report on that object for an indication of the issue and remediation steps. Contact the Microsoft Liaison if the issue or remediation steps are still unclear.

  • PE1 Error: The specified Region Code ('') for 'CN=...,DC=mgd,DC=msft,DC=net' is Invalid...

    If data centers in two geographical regions (such as North America and Europe) are available for a specific Office 365 dedicated environment, values are determined to specify the location of a new mailbox. This error occurs if the mailbox-provisioning attribute does not contain a valid value. If Microsoft Online Services is configured for a particular geographical location for your company, using a region code is mandatory in the mailbox-provisioning attribute.

    Impact: The mailbox will not be provisioned until this error is corrected.

    Resolution: Make sure that a valid region is set for the mailbox provisioning attribute in the format REG=XX, where XX is a valid region code. Additionally, make sure that the mailbox type or provisioning value is valid.

    Example: extensionAttribute10:MBX=ST;REG=NA;

    Note The mailbox provisioning extension attribute is customized per customer environment.

  • PE1 Error: WPS Error [Enable-Mailbox]: The property value is invalid. The value can't contain leading or trailing whitespace. Property Name: ***Display Name*** or ***Name***

    Trailing or leading spaces are invalid for the displayName and Name Active Directory attributes.

    Impact: The managed object will not be provisioned until this error is corrected.

    Resolution:

    • If an object is configured by using a trailing white space in the displayName attribute, delete the white space. After you do this, the mailbox or mail-enabled user will be provisioned.

    • If an object is provisioned by using a leading white space in the displayName attribute, delete the white space. The managed object must be corrected by an escalation to the Microsoft Online Services Support Team (MOSSUP).

  • PE1 Error: WPS Error [Enable-Mailbox]: The address 'smtp:.username@contoso.com' is invalid

    The specified mail attribute is invalid.

    Impact: The managed object will not be provisioned until the error is corrected.

    Resolution: The attribute must be corrected. Common errors include invalid characters, white spaces (including a difficult-to-see trailing white space), leading or trailing periods, and repeating periods.

  • PE1 Error: WPS Error [Enable-Mailbox]: The proxy address "smtp:user.one@mgd.contoso.com" is already being used by [managedDN]. Please choose another proxy address. ManagedDN: …

    The proxyAddresses attribute contains a duplicate address in one of the customer forests in the MMSSPP synchronization scope. Another object already has the same proxy address in its Microsoft-managed proxyAddresses attribute. The duplicate managed proxyAddress attribute may come from a source mail attribute, a source proxyAddress attribute, or a source targetAddress attribute. (This flows to the managed Active Directory schema as a secondary proxyAddress.)

    Impact: There is no additional impact. See the "General synchronization error impact" section near the beginning of this article for a description of the impact of this synchronization error.

    Resolution: Change or delete the duplicate targetAddress attribute or proxy address of the object that should not have it. Use the following LDAP query to identify objects that share same proxy address: (&(|(objectCategory=user)(objectCategory=contact)(objectCategory=group))(proxyAddresses=<address>)) For example, a query for the proxy email address Kim.Akers@contoso.com resembles the following:

    (&(|(objectCategory=user)(objectCategory=contact)(objectCategory=group))(proxyAddresses=SMTP:kim.akers@contoso.com)) 


    Note To maintain the ability to reply to legacy addresses, some managed proxy addresses that are protected from accidental deletion are not automatically cleared from the managed Active Directory schema when they are cleared from the source. To resolve this issue, follow these instructions:

    • If the error specifies a proxy address that has a Managed Routing domain (such as @mgd.contoso.com), that proxy address must be removed by Microsoft Online Services Support.

    • Proxy addresses of the x500 proxy type were not removed in pre-12.2 versions of MMSSPP when they are cleared from the source Active Directory object. In the current version, x500 proxy addresses that are deleted from the customer forest are immediately deleted from the Managed forest. x500 proxy addresses that were previously removed from the customer forest but that still exist in the managed Active Directory schema can now be removed. To do this, follow these steps:

      1. Add the unwanted x500 proxy address back to the original source object.

      2. Wait two sync cycles.

      3. Remove the unwanted x500 proxy address from the source object. The unwanted proxy address will be cleared from the managed Active Directory schema on the next sync cycle.

  • PE1 Error: WPS Error [Enable-Mailbox]: ExternalEmailAddress has an invalid value: Specified argument was out of the range of valid values. Parameter name: The address User..@contoso.com is not a valid SMTP address.

    The error source is the tartgetAddress attribute that contains an invalid address that was previously synchronized to the Office 365 targetAddress attribute. The targetAddress attribute value must be corrected on the source object. Common errors include invalid characters, white spaces (including a difficult-to-see trailing white space), leading or trailing periods, and repeating periods. Typically, the targetAddress attribute value was recently transformed from an invalid value. For example: the User..@contoso.com address as reported on sheet tab PE7 and then transformed and corrected to a valid value, User@mgd.contoso.com, is now reported on sheet tab PE1. However, the invalid targetAddress attribute value was already synchronized to Office 365 and must be reverted to clear the mailbox provisioning error.

    Resolution: Set a valid targetAddress attribute value for a mail-enabled user. For example, the User@contoso.com address is synchronized and updated the Office 365 targetAddress attribute value. Don't transform as a mailbox-enabled user until the incorrect targetAddress value is corrected in Office 365. After the corrected targetAddress attribute value is synchronized to Office 365, change the targetAddress attribute value to provision a mailbox-enabled user. For example, assume that the value is User@mgd.contoso.com.

    1. Change the targetAddress attribute value to valid entry for a mail-enabled user, such as User@contoso.com.

    2. Wait for the new targetAddress attribute value to synchronize to the Office 365 object targetAddress attribute value User@contoso.com.

    3. Change the targetAddress attribute value to a valid entry for a mailbox-enabled user, such as User@mgd.contoso.com.

    4. Wait for mailbox provisioning.

    5. The Office 365 targetAddress attribute value no longer exists.

  • PE3 Enabling the MSO-hosted resource mailbox failed

    An error occurs when MMSSPP tries to enable the MSO-hosted resource mailbox.

    Impact: MMSSPP cannot create the MSO-hosted resource mailbox until this issue is corrected.

    Resolution: See the specific details in the error report on that object for an indication of the issue and of the remediation steps. Contact the Microsoft Liaison if the issue or the remediation steps are still unclear.

  • PE7 Creating the MSO-hosted mail enabled user failed

    An error occurs when MMSSPP tries to create a mail-enabled user in the MSO-hosted directory.

    Impact: MMSSPP cannot create the MSO-hosted mail-enabled user until this issue is corrected.

    Resolution: See the specific details in the error report on that object for an indication of the issue and of the remediation steps. Contact the Microsoft Liaison if the issue or the remediation steps are still unclear.

  • PE10 WPS Error [Connect-Mailbox]: Mailbox "...MBX GUID..." doesn't exist on database "…MBX database…" ManagedDN:

    MMSSPP will not automatically reconnect to a mailbox that is in a soft deleted state. This condition exists when a mailbox was migrated to a different environment (for example, from O365-Dedicated to the customer’s on-premises server or to O365 Services) and then the customer wants it reconnected to the original mailbox in O365 Dedicated.

    Impact: The user mailbox cannot be reconnected.

    Resolution: Escalate the issue to Microsoft Online Support for remediation.

  • PE11Setting Calendar settings on the MSO-hosted resource mailbox failed

    An error occurs when MMSSPP tries to set mailbox calendar settings on an MSO-hosted resource mailbox.

    Impact: MMSSPP cannot set the mailbox calendar settings on the MSO-hosted resource mailbox until this issue is fixed. This can affect the usability of the resource mailbox. For example, features such as AutoAccept of meeting invites by the resource mailbox may not work until this issue is fixed.

    Resolution: See the specific details in the error report on that object for an indication of the issue and of the remediation steps. Contact the Microsoft Liaison if the issue or the remediation steps are still unclear.

  • PE17 Creating the MSO-hosted mail-enabled contact or distribution group failed

    This error occurs when MMSSPP tries to create a mail-enabled contact or distribution group in the MSO-hosted directory.

    Impact: MMSSPP cannot create the MSO-hosted mail-enabled contact or distribution group until this issue is corrected.

    Resolution: See the specific details in the error report on that object an indication about the issue and remediation steps. Contact the Microsoft Liaison if the issue or remediation steps are still unclear.

  • extension-attribute-not-present error: MailNickname is null

    This error is same as SE1118 in earlier versions of MMSSPP. The MailNickname attribute is empty on the customer contact object, and MMSSPP cannot generate a MailNickname attribute by using the mailNickname attribute generator rules. The default attribute generator rules try to use the givenName (also known as first name) and the Sn (also known as last name) attributes in Active Directory to generate a mailNickname attribute for a contact that does not have a mailNickname attribute that is defined on the customer object.

    Impact: There is no additional impact. See the "General Synchronization Error Impact" section in the header of this Help file for a description of the impact of this synchronization error.

    Resolution: Set a Mailnickname value or a givenName (also known as first name) and Sn (also known as last name) attribute value on the customer contact object.

  • extension-attribute-not-present error: MailNickname is invalid

    MailNickname value contains invalid characters.

    Impact: There is no additional impact. See the "General Synchronization Error Impact" section in the header of this Help file for a description of the impact of this synchronization error.

    Resolution: If a mailNickname value is left null by the customer, MMSSPP will automatically create a mailNickname value if this is possible. Therefore, one option is to clear the mailNickname value. If the customer has to set the mailNickname value, the value must meet the criteria defined in RFC 821. Common invalid characters include spaces, em dashes that are displayed to be valid dashes, the at sign (@), and parentheses. Make sure that there are no leading or trailing white spaces that are difficult to see.

  • mv-constraint-violation

    This error occurs when direct import attribute flow occurs and the attribute value from the source exceeds the length restrictions of the metaverse attribute.

    Impact: MMSSPP cannot flow attribute changes or set up services until this issue is corrected.

    Resolution: Reduce attribute value size down to maximum length that is enabled by the schema.

  • [WorkQueueIns] Mail should not be null. We are unable to complete your request.

    This error occurs when mail is cleared on a source object that is synched to the MSO-hosted directory. The error persists after a value is restored in the source Active Directory object.

    Impact: There is no additional impact. See the "General Synchronization Error Impact" section in the header of this Help file for a description of the impact of this synchronization error.

    Resolution: Confirm that the source object has a valid mail value and that at least one MMSSPP sync cycle is completed. After you confirm this, you should escalate this issue to Microsoft Online Support Services for remediation. Make sure that scripts or manual edits to the mail attribute do not clear the value before the value is changed.

  • Missing member in distribution group

    A member is missing from a distribution group. This missing member may be a user, a contact, or another group. If the group is a cross-forest group, an SE1290 error may be present. If the group is not a cross-forest group, other errors (such as duplicate mail) may be present.

    Impact: Group members may not receive mail sent to the distribution list.

    Resolution:

    • Make sure that the member has a valid mail value.

    • Make sure that the member does not have an active sync error.

    • Make sure that the member appears in MSO.


    Determine whether the group is a regular group or a cross-forest group. Cross-forest groups are configured by customers and contain members from other forests. Cross-forest groups are defined for each customer by the customer's location in a specific OU or by a user-defined attribute. Regular groups contain only members from the forest in which they live.

    Regular distribution groups:

    • Make sure that the missing member appears in MSO and that there are no synchronization errors.

    • If the missing object is a member of a nested group, make sure that the nested group has mail and that the group appears in MSO.

    • If the parent group is a regular group (that is, not a cross-forest group), make sure that the nested group is also not a cross-forest group. Cross-forest groups may contain either regular groups or other cross-forest groups. However, regular groups cannot contain cross-forest groups.


    Cross-forest groups:

    • Make sure that the missing member appears in MSO and that there are no synchronization errors.

    • If the group member appears in MSO but is missing from the group, validate that the source cross-forest group member has a matching mail value.

    • If the missing object is a member of a nested group, make sure that the nested group has mail and that the group appears in MSO.

    • If the missing member is a cross-forest group, check whether this group has a parent that is a regular group (that is, not a cross-forest group). Cross-forest groups may contain either regular groups or other cross-forest groups. However, regular groups cannot contain cross-forest groups.

  • LargeGroup

    We have increased the sync error report that uses a "Large Groups" tab that lets customers send notifications to a large group of recipients. This information is useful to help customers take additional steps per the following recommendations.

    Impact: Large groups that are included in the scope of MMSSPP can cause significant delays in sync cycle times, up to 10-12 hours.

    MMSSPP sync responds to changes in synched attributes every sync cycle (nominally, every 30 minutes). This provides a rapid response of the O365D GAL to changes that are made by the customer Human Resources system or Active Directory. In addition to providing a better user experience, certain important enterprise processes (such as inter-forest user migrations) are optimized.

    When groups that have very large membership counts in the MMSSPP scope are changed, MMSSPP/ FIM has to enumerate those changes. For example, if you add or remove a member from a group of 25,000, FIM sees a delta event on that attribute. However, it doesn't know what changed until it reads the whole list of 40,000 members. That could take significantly (many times) longer to rebuild than it would take to read a group that has 5,000 members. This delay can affect any customer process (such as ASR) in which a user who logs on to a new forest (through ASR) must be productive and have email access by the start of business on the following day.

    Another thing to consider is quality control checks on all groups. This is a less common scenario in which there may be multiple objects of the same object class and email address in the same customer forest. That condition requires an additional analysis step to determine which of these multiple objects should be included as group members. When that condition is found, quality control workflows are run. These can be expensive if they involve large groups.

    Going forward for groups that have more than 15,000 members, MMSSPP will process the group membership change. However, it will suspend the workflow that runs the check for multiple objects of the same type. This is the optimal step to prevent sync cycle and provisioning delays. Having groups of a manageable size helps keep the sync cycles to a predictable duration while it also increases the reliability of processing group membership changes.

    Resolution:

    • Ideally, no group should exceed a member count of 5,000. However, groups can have up to the maximum of 15,000 members for the purpose of workflow quality control. Customers can split groups that are larger than 15,000 into smaller groups by using simple logic (alphabetical, regional, and so on).

    • If the group does not have to be mail-enabled in O365 (a common scenario for security groups), customers should move the group into an OU that's out-of-scope of MMSSPP. Be aware that filtering the group (for example, by removing mail) does not resolve the issue. This is because FIM still reads every attribute (and enumerates every member) before customers can decide that the group doesn’t have to be imported.

More information about the New Hire scenario

The following is an excerpt from Section 5.2 of the Microsoft Managed Solutions Service Provisioning Provider (MMSSPP) Provisioning Interfaces Handbook:
New Hire Scenario:

MMSSPP will create a mailbox-enabled user object of requested type and in the requested region. Notes

  1. The lack of a targetAddress attribute and matching secondary SMTP proxyAddress attribute indicates that, in this scenario, the customer organization retired all its legacy mail systems and that there is therefore no need to route mail from the customer's legacy mail system to O365 hosted mailboxes.

  2. The new hire scenario is enabled when the New Hire Mailbox Provisioning option is set to ON. (By default, this option is set to OFF.) See the "New Hire Mailbox Provisioning Feature" section of the MMSSPP Customer Deployment Guide for an overview of the feature and the deployment selection option. Technical aspects of this feature can be found in this document in the "Mailbox Provisioning Components" section.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×