Solved

X500 addresses in Exchange 2010

Posted on 2013-05-22
Last Modified: 2014-07-22
Hi guys,

We did a migration from server 2003 to SBS 2011 a few months back. We had some issues with X500 addresses, which I learnt all about once we ran into the problems.

So I went through and added everyone's X500 addresses to their email addresses. Everything seems to be working fine until now. I get a user saying that the X500 address can't be resolved AGAIN and it always seems to be for this specific user. I know you're supposed to be able to just derive the X500 address from the diagnostic error but I've done that (also with variants) and seems to keep happening.

Can anyone tell me what the X500 address should be for this particular user based on these diagnostics?

Thanks

"
Delivery has failed to these recipients or groups:
 
Firstname Lastname
The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.
 
 
Diagnostic information for administrators:
 
Generating server: BON-VSBS-01.domain.local
 
IMCEAEX-_O=DOMAINORGANISATION_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=Firstname@domain.local
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##
 
Original message headers:
 
Received: from BON-VSBS-01.domain.local ([fe80::3cef:11cb:bf8c:967]) by
 BON-VSBS-01.domain.local ([fe80::3cef:11cb:bf8c:967%10]) with mapi id
 14.01.0438.000; Wed, 22 May 2013 16:23:05 +1000
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: Firstname Lastname <sender@domain.com.au>
To: Firstname Lastname <receiver@domain.com.au>
Subject: Canceled: Subject
Thread-Topic: Subject
Thread-Index: Ac5WtKKttQskIHo7TyakT3+nq1NP5QAAC2Rw
Importance: high
X-Priority: 1
Date: Wed, 22 May 2013 16:23:04 +1000
Message-ID: <5F2B01C0166AD14A91F15FA8EE4455C837618BA3@BON-VSBS-01.domain.local>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator: <5F2B01C0166AD14A91F15FA8EE4455C837618BA3@BON-VSBS-01.domain.local>
MIME-Version: 1.0
X-Originating-IP: [10.1.1.52]
"
Question by:Talds_Alouds

Expert Comment

by:SreRaj
ID: 39187323
/O=DOMAINORGANISATION/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=Firstname@domain.local

We need to add a new X500 address to the user mailbox from Exchange Management Console. To do that, we need to first create it in the right format.
First step is to get rid of the _ and convert them to /

/O=EXCH/OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FHSDHJF23GHYED+29/CN=RECIPIENTS/CN=RON+2EMayers@contoso.com
 
Now the tricky part:
 
/O=EXCH/OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FHSDHJF23GHYED+29/CN=RECIPIENTS/CN=RON+2EMayers@contoso.com
 
Look closely and you see some numbers like +20, +28 etc… Wondering what they are?
 +20 is a SPACE
 +28 and +29 are ( and ) respectively
 +2E is .

http://msexchangeguru.com/2012/03/15/x500/

Expert Comment

by:Spartan_1337
ID: 39187400
@SreRaj... don't just cut and paste without adding to the link...

You need to click on the name in the NDR and post the resolver address, this will give you the info you need to create the correct X500 address

Author Comment

by:Talds_Alouds
ID: 39189309
PS.
I should tell you that "Firstname Lastname" below is a hyperlink to this address:

"
Delivery has failed to these recipients or groups:
 
Firstname Lastname (Hyperlink:mailto:IMCEAEX-_O%3DDOMAINORGANISATION_OU%3DFIRST%2B20ADMINISTRATIVE%2B20GROUP_CN%3DRECIPIENTS_CN%3DFirstname@domain.local
"

So given the whole NDR and this link above, these are the addresses that the user already has and has had for the last couple of months. Can someone please confirm that these are right?

X.500
/O=DOMAINORGANISATION/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=FIRSTNAME (Firstname)

/O=DOMAINORGANISATION/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=firstname@domain.local

/O=DomainOgranisation/OU=First Administrative Group/CN=Recipients/CN=Firstname

-----
Every user has these 3 addresses (with their names changed respectively). Everything you see above is exactly what's in the address (with names changed obviously), but capital letters are all the same though.

Over the months, I've noticed that people have had more problems sending to this user in particular although this could just be because other users don't report the problem.

See anything wrong?

Thanks

Expert Comment

by:SreRaj
ID: 39190011
Last part of the X500 address contains user alias. So the alias should be as follows.

/O=DOMAINORGANISATION/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=Firstname

The X500 addresses look fine.

Exchange uses the legacyExchangeDN attribute for sending mails within the organization. legacyExchangeDN gets changed when a user changes name or when a mailbox is re-created or after a migration. The new legacyExchangeDN may not be recognized by the Exchange system and this triggers the NDR.

Author Comment

by:Talds_Alouds
ID: 39190045
Yeah so I'm confused. We got the same legacy exchangeDN. So how can it keep failing?

I don't know much about this stuff, although it doesn't SEEM overly complicated. Is not having the x500 record the ONLY way this NDR would be triggered?

Thanks

Expert Comment

by:SreRaj
ID: 39190170
The NDR is triggered when a user replies to an old mail. The old mail will have information regarding the old legacyExchangeDN, as Outlook is still caching the old legacyExchangeDN information. Exchange will try to forward the mail to that and, since it got changed, the NDR will be triggered.

Now, while replying to the old mail, if the user removes the cached address and does a fresh search from the GAL for this user then it will not trigger this NDR.

By adding the old legacyExchangeDN as X500 address, when Exchange system looks for old legacyExchangeDN, it will be found as additional mail address and mail will get delivered without a NDR.

Author Comment

by:Talds_Alouds
ID: 39190217
Thanks...I get all that but why is it still happening when I've got these X500 addresses in there?

Expert Comment

by:SreRaj
ID: 39190294
Could you please provide one more NDR? There are differences in the addresses you have provided earlier. We will try to confirm which is the correct one. Also please try testing by replying to the user by searching for the user from GAL. Following are the earlier ones.

IMCEAEX-_O=DOMAINORGANISATION_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=Firstname@domain.local

IMCEAEX-_O%3DDOMAINORGANISATION_OU%3DFIRST%2B20ADMINISTRATIVE%2B20GROUP_CN%3DRECIPIENTS_CN%3DFirstname@domain.local

Also, please let us know what is the value of the attribute legacyExchangeDN now. You will be able to find it thru ADSIEdit.msc.

Author Comment

by:Talds_Alouds
ID: 39227895
Hi,

I haven't been notified of this happening again. It must have been a once off?

Accepted Solution

by:
SreRaj earned 500 total points
ID: 39276996
Normally this happens when users reply to an old mail. If they compose a new mail and select this user's address from GAL, this error will not be generated. This is because GAL will be having updated information of the user. When replying to old mail, Outlook will use the old mail address which is cached in Outlook and this results in error.

Expert Comment

by:lexrx
ID: 40213520
Talds_Alouds - I dealt with this issue for a client recently and the easiest way to get the correct X500 address causing the rejection NDR, is to click on the Name Link in the NDR email. It should open a new email to the fully qualified rejected X500 address, allowing you to simply copy and paste it into the Exchange Mailbox properties.

I found it easy to access the NDR email via the user's mailbox using OWA on a browser on the Exchange server.

In our client's case there was no previous migration, it was just simply a case where a corrupt mailbox was exported to PST, deleted, and then recreated. The Exchange X500 address of the recreated mailbox had different alphanumeric characters suffixed to the end of the alias name, when compared to the original.

As others have posted, running this command in Exchange Management Shell will tell you the current X500 address of the recreated mailbox:  Get-Mailbox username | fl LegacyExchangeDN  

Checking the rejected Name Link in the NDR email will show you the old X500 address of the original mailbox. They will be different, hence the NDR.

Adding a custom X500 address into the recreated mailbox's properties, using the address from the NDR link, should resolve the NDR issue.
0
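
The decoding steps and the NDR-link comparison described in the comments above, as an added PowerShell example that is not part of the thread or of Exchange itself: it converts the NDR's IMCEAEX address (body form or URL-encoded hyperlink form) to an X500 string and checks it against a list of proxy addresses. The function names and the proxy list are assumptions made for illustration, and everything after the last `@` is assumed to be the encapsulation domain rather than part of the DN.

```powershell
# Added example (not from the thread). ConvertFrom-ImceaEx and Test-X500Present
# are hypothetical helper names; the proxy list below is constructed sample data.
function ConvertFrom-ImceaEx {
    param([Parameter(Mandatory=$true)][string]$Address)

    # The NDR hyperlink form is URL-encoded (%3D is "=", %2B is "+"); undo that first.
    $a = [System.Uri]::UnescapeDataString(($Address -replace '^mailto:', ''))

    # Assumption: the text after the last "@" is the encapsulation domain, not part of the DN.
    if ($a -notmatch '^IMCEAEX-(?<dn>.+)@[^@]+$') {
        throw "Not an IMCEAEX address: $Address"
    }

    # Swap "_" for "/" before decoding +XX, so an encoded underscore (+5F) stays an underscore.
    $dn = $Matches['dn'] -replace '_', '/'
    [regex]::Replace($dn, '\+([0-9A-Fa-f]{2})', {
        param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
    })
}

function Test-X500Present {
    param([string]$X500, [string[]]$ProxyAddresses)
    # Exact, case-insensitive comparison against the X500 entries only.
    foreach ($p in $ProxyAddresses) {
        if ($p -match '^X500:' -and ($p -replace '^X500:', '') -eq $X500) { return $true }
    }
    return $false
}

# The two forms quoted in the thread: NDR body text and NDR hyperlink.
$body = 'IMCEAEX-_O=DOMAINORGANISATION_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=Firstname@domain.local'
$link = 'mailto:IMCEAEX-_O%3DDOMAINORGANISATION_OU%3DFIRST%2B20ADMINISTRATIVE%2B20GROUP_CN%3DRECIPIENTS_CN%3DFirstname@domain.local'

$fromBody = ConvertFrom-ImceaEx -Address $body
$fromLink = ConvertFrom-ImceaEx -Address $link
$fromBody                 # decoded X500 string
$fromBody -eq $fromLink   # do both NDR forms decode to the same address?

# Constructed proxy list standing in for the addresses copied from the mailbox properties.
$proxies = @(
    'SMTP:receiver@domain.com.au',
    'X500:/O=DOMAINORGANISATION/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=firstname@domain.local'
)
Test-X500Present -X500 $fromBody -ProxyAddresses $proxies
```

The same decoded string can be compared by eye with the output of `Get-Mailbox username | fl LegacyExchangeDN` quoted above.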
