
X500 addresses in Exchange 2010

Hi guys,

We did a migration from server 2003 to SBS 2011 a few months back. We had some issues with X500 addresses, which I learnt all about once we ran into the problems.

So I went through and added everyone's X500 addresses to their email addresses. Everything seems to be working fine until now. I get a user saying that the X500 address can't be resolved AGAIN and it always seems to be for this specific user. I know you're supposed to be able to just derive the X500 address from the diagnostic error but I've done that (also with variants) and seems to keep happening.

Can anyone tell me what the X500 address should be for this particular user based on these diagnostics?


Delivery has failed to these recipients or groups:
Firstname Lastname
The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.
Diagnostic information for administrators:
Generating server: BON-VSBS-01.domain.local
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##
Original message headers:
Received: from BON-VSBS-01.domain.local ([fe80::3cef:11cb:bf8c:967]) by
 BON-VSBS-01.domain.local ([fe80::3cef:11cb:bf8c:967%10]) with mapi id
 14.01.0438.000; Wed, 22 May 2013 16:23:05 +1000
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: Firstname Lastname <sender@domain.com.au>
To: Firstname Lastname <receiver@domain.com.au>
Subject: Canceled: Subject
Thread-Topic: Subject
Thread-Index: Ac5WtKKttQskIHo7TyakT3+nq1NP5QAAC2Rw
Importance: high
X-Priority: 1
Date: Wed, 22 May 2013 16:23:04 +1000
Message-ID: <5F2B01C0166AD14A91F15FA8EE4455C837618BA3@BON-VSBS-01.domain.local>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-TNEF-Correlator: <5F2B01C0166AD14A91F15FA8EE4455C837618BA3@BON-VSBS-01.domain.local>
MIME-Version: 1.0
X-Originating-IP: []
1 Solution

We need to add a new X500 address to the user mailbox from Exchange Management Console. To do that, we need to first create it in the right format.
First step is to get rid of the _ and convert them to /

Now the tricky part:
Look closely and you see some numbers like +20, +28 etc… Wondering what they are?
 +20 is a SPACE
 +28 and +29 are ( and ) respectively
 +2E is .

James HIT Director Commented:
@SreRaj... don't just cut and paste without adding to the link...

You need to click on the name in the NDR and post the resolver address, this will give you the info you need to create the correct X500 address
Talds_Alouds Author Commented:
I should tell you that "Firstname Lastname" below is a hyperlink to this address:

Delivery has failed to these recipients or groups:
Firstname Lastname (Hyperlink:mailto:IMCEAEX-_O%3DDOMAINORGANISATION_OU%3DFIRST%2B20ADMINISTRATIVE%2B20GROUP_CN%3DRECIPIENTS_CN%3DFirstname@domain.local

So given the whole NDR and this link above, these are the addresses that the user already has and has had for the last couple of months. Can someone please confirm that these are right?



/O=DomainOgranisation/OU=First Administrative Group/CN=Recipients/CN=Firstname

Every user has these 3 addresses (with their names changed respectively). Everything you see above is exactly what's in the address (with names changed obviously), but capital letters are all the same though.

Over the months, I've noticed that people have had more problems sending to this user in particular although this could just be because other users don't report the problem.

See anything wrong?


Last part of the X500 address contains user alias. So the alias should be as follows.


The X500 addresses look fine.

Exchange uses the legacyExchangeDN attribute for sending mails within the organization. legacyExchangeDN gets changed when a user changes name or when mailbox is re-created or after a migration. The new legacyExchangeDN may not be recognized by the Exchange system and this triggers the NDR.
Talds_Alouds Author Commented:
Yeah so I'm confused. We got the same legacy exchangeDN. So how can it keep failing?

I don't know much about this stuff, although it doesn't SEEM overly complicated. Is not having the x500 record the ONLY way this NDR would be triggered?

NDR is triggered when a user replies to an old mail. The old mail will be having information regarding the old legacyExchangeDN as Outlook is still caching old legacyExchangeDN information. Exchange will try to forward mail to that and since it got changed, NDR will be triggered.

Now, while replying to the old mail, if the user removes the cached address and does a fresh search from the GAL for this user then it will not trigger this NDR.

By adding the old legacyExchangeDN as X500 address, when Exchange system looks for old legacyExchangeDN, it will be found as additional mail address and mail will get delivered without an NDR.
Talds_Alouds Author Commented:
Thanks...I get all that but why is it still happening when I've got these X500 addresses in there?
Could you please provide one more NDR? There are differences in the addresses you have provided earlier. We will try to confirm which is the correct one. Also please try testing by replying to the user by searching for the user from GAL. Following are the earlier ones.



Also, please let us know what is the value of the attribute legacyExchangeDN now. You will be able to find it thru ADSIEdit.msc.
Talds_Alouds Author Commented:

I haven't been notified of this happening again. It must have been a once off?
Normally this happens when users reply to an old mail. If they compose a new mail and select this user's address from GAL, this error will not be generated. This is because GAL will be having updated information of the user. When replying to old mail, outlook will use the old mail address which is cached in outlook and this results in error.
Talds_Alouds - I dealt with this issue for a client recently and the easiest way to get the correct X500 address causing the rejection NDR, is to click on the Name Link in the NDR email. It should open a new email to the fully qualified rejected X500 address, allowing you to simply copy and paste it into the Exchange Mailbox properties.

I found it easy to access the NDR email via the user's mailbox using OWA on a browser on the Exchange server.

In our client's case there was no previous migration, it was just simply a case where a corrupt mailbox was exported to PST, deleted, and then recreated. The Exchange X500 address of the recreated mailbox had different alphanumeric characters suffixed to the end of the alias name, when compared to the original.

As others have posted, running this command in Exchange Management Shell will tell you the current X500 address of the recreated mailbox:  Get-Mailbox username | fl LegacyExchangeDN  

Checking the rejected Name Link in the NDR email will show you the old X500 address of the original mailbox. They will be different, hence the NDR.

Adding a custom X500 address into the recreated mailbox's properties, using the address from the NDR link, should resolve the NDR issue.
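
The conversion discussed in this thread (drop the IMCEAEX- prefix and the @domain suffix, turn _ into /, decode the +XX codes), as an added PowerShell example that is not part of any poster's reply. The function name ConvertFrom-ImceaEx is hypothetical, and the sample strings are the anonymized values posted above.

```powershell
# Added example: decode the IMCEAEX address behind an NDR name link into X500 form
# and check it against the X500 entries already on the mailbox.
function ConvertFrom-ImceaEx {
    param([Parameter(Mandatory = $true)][string]$Address)

    # The link is a mailto: URL, so undo URL encoding first (%3D -> =, %2B -> +).
    $s = [uri]::UnescapeDataString(($Address -replace '^mailto:', ''))

    # Drop the IMCEAEX- prefix and the @domain suffix added by the encapsulation.
    $s = $s -replace '^IMCEAEX-', ''
    $s = $s -replace '@[^@]*$', ''

    # "_" stands for "/" in the encapsulated form.
    $s = $s.Replace('_', '/')

    # "+XX" is a hex-encoded character: +20 space, +28 (, +29 ), +2E .
    [regex]::Replace($s, '\+([0-9A-Fa-f]{2})', {
        param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
    })
}

# Sample input: the anonymized link address posted in this thread.
$ndrLink = 'mailto:IMCEAEX-_O%3DDOMAINORGANISATION_OU%3DFIRST%2B20ADMINISTRATIVE%2B20GROUP_CN%3DRECIPIENTS_CN%3DFirstname@domain.local'
$x500 = ConvertFrom-ImceaEx $ndrLink

# Sample input: the X500 entry as posted in this thread. On a live system, paste the
# mailbox's real X500 entries here; the current DN comes from
#   Get-Mailbox username | fl LegacyExchangeDN
$existing = @('/O=DomainOgranisation/OU=First Administrative Group/CN=Recipients/CN=Firstname')

# -contains compares whole strings case-insensitively, so a difference in
# capitalisation alone does not count as a mismatch, but any other difference does.
New-Object PSObject -Property @{
    Decoded        = "X500:$x500"
    AlreadyPresent = ($existing -contains $x500)
}
```

Comparing the decoded string against the existing entries programmatically avoids judging two long DNs by eye.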
Question has a verified solution.
