Solved

Exchange NDR X500 issue

Posted on 2014-12-10
Last Modified: 2016-06-03
Background: I have a customer which we migrated to Exchange 2013 SP1 from Exchange 2007 a while ago. The migration was done in a PST transfer manner with the import/export-pst cmdlets. The Exchange is running on a Win Server 2012 R2 VM on VMware ESX 5.5. Users use Outlook 2007 internally, as well as OWA and ActiveSync mobile externally. Let's call the domain contoso.com for security purposes.

Issue: Joe Doe is intermittently receiving NDR messages when sending/replying to internal emails to Maria Smith. Please note that Maria Smith was originally Maria White. The surname change happened BEFORE the migration, but this issue began AFTER the migration. The NDR is the following:

Diagnostic information for administrators:
 
Generating server: EX.contoso.local
 
IMCEAEX-_O=CONTOSO_OU=First+20administrative+20group_cn=Recipients_cn=maria+2Ewhite@contoso.com
Remote Server returned '550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found'
 
Original message headers:
 
Received: from EX.contoso.local (192.168.0.150) by EX.contoso.local
 (192.168.0.150) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 10 Dec
 2014 16:33:14 +0100
Received: from EX.contoso.local ([::1]) by EX.contoso.local ([::1]) with
 mapi id 15.00.0847.030; Wed, 10 Dec 2014 16:33:14 +0100
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary


What we did so far:
Cleared auto-complete cache in Outlook
Added the IMCEAEX address shown in the NDR as an X500 address alias in Maria Smith's mailbox. The resultant X500 address we used is:
/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white
Removed the .NK2 cache file from the Outlook profile
Checked Maria's LegacyExchangeDN attribute in the current AD object...it's a jumble of numbers and characters...but I found some people online who said that I can ignore this.

NB. I tried sending an email directly to that X500 address internally from Outlook to test, but it sees it as an invalid address...not sure if it's normal behavior or because the structure of the address is wrong...

I've read countless blogs and posts of people with exactly the same issue...and they solve it immediately with the X500 alias method...it isn't working for me and it's driving me nuts. Any ideas?
0
Question by:Sleezed
16 Comments
 
LVL 6

Expert Comment

by:Thomas Wheeler
Is the address book properly updating? You can run Update-OfflineAddressBook from the EMS, and then in Outlook go to Send and Receive and select Send and Receive Group, Download Address Book. Uncheck "Download changes since last Send and Receive"; this should download the whole address book.
0
 

Author Comment

by:Sleezed
Yes it's updating no problem...checked it from the user's Outlook personally
0
 
LVL 6

Expert Comment

by:Thomas Wheeler
Get-OfflineAddressBook

then
Update-OfflineAddressBook -Identity "Default Offline Address Book"

do that for each entry
0
 

Author Comment

by:Sleezed
What will I gain by updating the OAB again? As mentioned I already did this and checked from the email client and it was updated successfully.
0
 
LVL 6

Expert Comment

by:Thomas Wheeler
I had the same issue when updating from 2010 to 2013 and pulled my hair out with this issue. It was only resolved by updating the OAB on the server. Hope that helps you.
0
 
LVL 5

Expert Comment

by:basil2912
Seems you are missing the @contoso.com part. That is what the server is looking for.
0
 

Author Comment

by:Sleezed
I read in several locations that the @contoso.com part needs to be removed. In fact, I had originally done it with @contoso.com, but it still didn't work.
0
 
LVL 5

Expert Comment

by:basil2912
I know all the blogs mention differently, but if you look at the problem that is what the server needs. I assume I should settle with this and the test was unsuccessful.

Can you post/send me get-mailbox | fl for the user?
0
 

Author Comment

by:Sleezed
What are the attributes that you need exactly? The LegacyExchangeDN? It's this, but keep in mind this is the CURRENT legacyexchangeDN:

LegacyExchangeDN : /o=CONTOSO/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=50e51545f2314ac3ab6a1503b9d0ae1e-Maria White
0
 
LVL 5

Expert Comment

by:basil2912
Hello,

Yeah, I agree it is weird, but it looks for the old legacyExchangeDN and not the new one.

I am wondering if the name change also has something to do.
To test add x500 with the old name and also test with @contoso.com.

Btw, did you add X500: at the beginning of the address?
0
 

Author Comment

by:Sleezed
I added four X500 alias variations till now:

Type:X.500 Value:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white
Type:X500 Value:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white@contoso.com
Type:X.500 Value:X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white
Type:X500 Value:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white

I added the last 2 today, and the issue is intermittent so I can't say for sure if they made any difference. I had added the second one two weeks back on its own, and it hadn't made a difference.

Unfortunately the old server has been decommissioned. I might be able to find a way to get hold of the old legacyExchangeDN attribute...but it will be a nightmare. Having said that, shouldn't the one listed in the NDR suffice?
0
 
LVL 16

Expert Comment

by:Rajitha Chimmani
The fourth value in the list should be sufficient. If the senders still receive delivery failure then it's possible that their cache had a different legacy email address and you must collect the address from the NDR and add it.
0
 

Author Comment

by:Sleezed
I may have narrowed it down a bit. Even though I'm adding proxy addresses and they are appearing in the user properties in the GAL/OAB, the X500 address doesn't actually resolve when I try sending an email to it (To > Check Names doesn't work), from both Outlook and OWA.
0
 

Author Comment

by:Sleezed
Update: Only one of the proxy addresses I added resolves successfully, and the emails go through:

X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white@contoso.com

The rest do not resolve with Check Names in either Outlook or OWA.
0
 

Accepted Solution

by:Sleezed
UPDATE (for any others who may be having the same issue):

So I may have found the solution...

I recreated the problem in my Exchange test lab. What solved it was the proxyAddresses method (the same one I tried i.e. adding the X500 address to the user object/mailbox). In order to avoid confusion with the format, what I did was instead of adding email address aliases in the mailbox, I directly inputted the X500 address in the user's AD attribute. This is a summary of the steps I took:

Go to Active Directory Users and Computers > View > Advanced Features. Now find the user from AD and right-click > attribute editor. Find the attribute "proxyaddresses". Click Edit... . Add the X500 address there directly in the format X500:/o... so I added X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white

After updating the GAL and OAB manually, and clearing the auto-complete, NK2 and OAB caches from Outlook and VOILA! I could resolve the X500 address with Check Names! Also the emails went through successfully. (This is on my test lab).

So on the production system I simply removed all the X500 proxyaddresses from Attribute Editor in AD, and added the X500 address again from scratch. I added two:

X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white
X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white@contoso.com

I'm not entirely sure which is actually needed but at this point the issue has been dragged on for far too long and I just need to solve it ASAP.

After adding those X500 entries in proxyAddresses in AD, updating GAL and OAB, removing all caches from Outlook and downloading the OAB again, I could FINALLY resolve the X500 alias and send an email successfully. This is an intermittent issue so I'll give it a week or so to see if the issue resurfaces.
0
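
The IMCEAEX address in the NDR maps to an X500 proxy address by a fixed decoding: strip the `IMCEAEX-` prefix and the `@domain` suffix, turn `_` into `/`, and turn each `+XX` into the character with that hex code. The PowerShell below is an added example, not part of the original thread; the function name `ConvertFrom-ImceaEx` and the sample `proxyAddresses` list are constructed for illustration.

```powershell
# Added example; ConvertFrom-ImceaEx is a hypothetical helper name.
function ConvertFrom-ImceaEx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Address
    )
    process {
        if ($Address -notmatch '^IMCEAEX-') {
            throw "Not an IMCEAEX address: $Address"
        }
        # Drop the IMCEAEX- prefix and the @domain suffix added by encapsulation.
        $dn = $Address -replace '^IMCEAEX-', '' -replace '@[^@]*$', ''
        # "_" stands for "/". Replace it before hex decoding so that an encoded
        # literal underscore (+5F) is not turned into a slash afterwards.
        $dn = $dn -replace '_', '/'
        # "+XX" stands for the character with hex code XX (+20 space, +2E dot).
        $dn = [regex]::Replace($dn, '\+([0-9A-Fa-f]{2})', {
            param($m)
            [char]::ConvertFromUtf32([Convert]::ToInt32($m.Groups[1].Value, 16))
        })
        "X500:$dn"
    }
}

# IMCEAEX address exactly as it appears in the NDR on this page.
$ndr  = 'IMCEAEX-_O=CONTOSO_OU=First+20administrative+20group_cn=Recipients_cn=maria+2Ewhite@contoso.com'
$x500 = ConvertFrom-ImceaEx $ndr
$x500

# Constructed sample of a proxyAddresses list (not real data). On a live system
# the values could be read with (Get-ADUser <user> -Properties proxyAddresses).
$proxyAddresses = @(
    'SMTP:maria.smith@contoso.com',
    'X500:X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white',
    'X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white@contoso.com'
)

# -contains compares strings case-insensitively, so X500:/o=... matches /O=...
if ($proxyAddresses -contains $x500) {
    "Already present: $x500"
} else {
    "Missing, add to proxyAddresses: $x500"
}
```

Comparing the decoded value against what is actually stored in `proxyAddresses` catches entries that look right in the mailbox properties but carry a doubled `X500:` prefix or a trailing `@domain`.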
