Solved

Exchange NDR X500 issue

Posted on 2014-12-10
Last Modified: 2016-06-03
Background: I have a customer which we migrated to Exchange 2013 SP1 from Exchange 2007 a while ago. The migration was done in a PST transfer manner with the import/export-pst cmdlets. The Exchange is running on a Win Server 2012 R2 VM on VMware ESX 5.5. Users use Outlook 2007 internally, as well as OWA and ActiveSync mobile externally. Let's call the domain contoso.com for security purposes.

Issue: Joe Doe is intermittently receiving NDR messages when sending/replying to internal emails to Maria Smith. Please note that Maria Smith was originally Maria White. The surname change happened BEFORE the migration, but this issue began AFTER the migration. The NDR is the following:

Diagnostic information for administrators:
 
Generating server: EX.contoso.local
 
IMCEAEX-_O=CONTOSO_OU=First+20administrative+20group_cn=Recipients_cn=maria+2Ewhite@contoso.com
Remote Server returned '550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found'
 
Original message headers:
 
Received: from EX.contoso.local (192.168.0.150) by EX.contoso.local
 (192.168.0.150) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 10 Dec
 2014 16:33:14 +0100
Received: from EX.contoso.local ([::1]) by EX.contoso.local ([::1]) with
 mapi id 15.00.0847.030; Wed, 10 Dec 2014 16:33:14 +0100
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary


What we did so far:
Cleared auto-complete cache in Outlook
Added the IMCEAEX address shown in the NDR as an X500 address alias in Maria Smith's mailbox. The resultant X500 address we used is:
/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white
Removed the .NK2 cache file from the Outlook profile
Checked Maria's LegacyExchangeDN attribute in the current AD object...it's a jumble of numbers and characters...but I found some people online who said that I can ignore this.

NB. I tried sending an email directly to that X500 address internally from Outlook to test, but it sees it as an invalid address...not sure if it's normal behavior or because the structure of the address is wrong...

I've read countless blogs and posts of people with exactly the same issue...and they solve it immediately with the X500 alias method...it isn't working for me and it's driving me nuts. Any ideas?
Question by:Sleezed
16 Comments
 
LVL 7

Expert Comment

by:Thomas Wheeler
ID: 40493264
Is the address book properly updating? You can run update-offline address book from the EMS, and then in Outlook go to Send and Receive and select Send and Receive Group > Download Address Book. Uncheck "download changes since last send and receive"; this should download the whole address book.
 

Author Comment

by:Sleezed
ID: 40493267
Yes it's updating no problem...checked it from the user's Outlook personally
 
LVL 7

Expert Comment

by:Thomas Wheeler
ID: 40493268
Get-OfflineAddressBook

then
Update-OfflineAddressBook -Identity "Default Offline Address Book"

do that for each entry
 

Author Comment

by:Sleezed
ID: 40493294
What will I gain by updating the OAB again? As mentioned I already did this and checked from the email client and it was updated successfully.
 
LVL 7

Expert Comment

by:Thomas Wheeler
ID: 40493343
I had the same issue when updating from 2010 to 2013 and pulled my hair out with this issue. It was only resolved by updating the OAB on the server. Hope that helps you.
 
LVL 5

Expert Comment

by:basil2912
ID: 40493397
Seems you are missing the @contoso.com part. That is what the server is looking for.
 

Author Comment

by:Sleezed
ID: 40493400
I read in several locations that the @contoso.com part needs to be removed. In fact, I had originally done it with @contoso.com, but it still didn't work.
 
LVL 5

Expert Comment

by:basil2912
ID: 40493427
I know all the blogs mention differently, but if you look at the problem, that is what the server needs. I assume I should settle with this and the test was unsuccessful.

Can you post/send me get-mailbox | fl for the user?
 

Author Comment

by:Sleezed
ID: 40493471
What are the attributes that you need exactly? The LegacyExchangeDN? It's this, but keep in mind this is the CURRENT legacyexchangeDN:

LegacyExchangeDN : /o=CONTOSO/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=50e51545f2314ac3ab6a1503b9d0ae1e-Maria White
 
LVL 5

Expert Comment

by:basil2912
ID: 40493964
Hello,

Yeah, I agree it is weird, but it looks for the old legacyExchangeDN and not the new one.

I am wondering if the name change also has something to do with it.
To test, add an X500 with the old name and also test with @contoso.com.

Btw, did you add X500: at the beginning of the address?
 

Author Comment

by:Sleezed
ID: 40493979
I added four X500 alias variations till now:

Type:X.500 Value:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white
Type:X500 Value:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white@contoso.com
Type:X.500 Value:X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white
Type:X500 Value:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white

I added the last 2 today, and the issue is intermittent so I can't say for sure if they made any difference. I had added the second one two weeks back on its own, and it hadn't made a difference.

Unfortunately the old server has been decommissioned. I might be able to find a way to get hold of the old legacyExchangeDN attribute...but it will be a nightmare. Having said that, shouldn't the one listed in the NDR suffice?
 
LVL 16

Expert Comment

by:Rajitha Chimmani
ID: 40494027
The fourth value in the list should be sufficient. If the senders still receive delivery failures, then it's possible that their cache had a different legacy email address, and you must collect the address from the NDR and add it.
 

Author Comment

by:Sleezed
ID: 40495556
I may have narrowed it down a bit. Even though I'm adding proxy addresses and they are appearing in the user properties in the GAL/OAB, the X500 address doesn't actually resolve when I try sending an email to it (To > Check Names doesn't work), from both Outlook and OWA.
 

Author Comment

by:Sleezed
ID: 40495746
Update: Only one of the proxy addresses I added resolves successfully, and the emails go through:

X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white@contoso.com

The rest do not resolve with Check Names in either Outlook or OWA.
 

Accepted Solution

by:Sleezed
ID: 40496334
UPDATE (for any others who may be having the same issue):

So I may have found the solution...

I recreated the problem in my Exchange test lab. What solved it was the proxyAddresses method (the same one I tried i.e. adding the X500 address to the user object/mailbox). In order to avoid confusion with the format, what I did was instead of adding email address aliases in the mailbox, I directly inputted the X500 address in the user's AD attribute. This is a summary of the steps I took:

Go to Active Directory Users and Computers > View > Advanced Features. Now find the user from AD and right-click > attribute editor. Find the attribute "proxyaddresses". Click Edit... . Add the X500 address there directly in the format X500:/o... so I added X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white

After updating the GAL and OAB manually, and clearing the auto-complete, NK2 and OAB caches from Outlook, VOILA! I could resolve the X500 address with Check Names! Also the emails went through successfully. (This is on my test lab.)

So on the production system I simply removed all the X500 proxyaddresses from Attribute Editor in AD, and added the X500 address again from scratch. I added two:

X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white
X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white@contoso.com

I'm not entirely sure which is actually needed but at this point the issue has been dragged on for far too long and I just need to solve it ASAP.

After adding those X500 entries in proxyAddresses in AD, updating GAL and OAB, removing all caches from Outlook and downloading the OAB again, I could FINALLY resolve the X500 alias and send an email successfully. This is an intermittent issue so I'll give it a week or so to see if the issue resurfaces.
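
The conversion from the NDR's IMCEAEX recipient to the X500 value entered in proxyAddresses, as an added example that is not part of the original thread. It generalizes to every +XX hex escape rather than only the +20 and +2E seen in this NDR; the function name and the sample proxyAddresses list are assumptions made for illustration.

```powershell
# Added example: rebuild the X500 proxy address from the IMCEAEX recipient in an NDR.
function Convert-ImceaexToX500 {
    param([Parameter(Mandatory)][string]$Address)

    # Strip the IMCEAEX- prefix and the @domain suffix added by the encapsulation.
    $dn = $Address -replace '^IMCEAEX-', '' -replace '@[^@]+$', ''

    # "_" stands for "/" in the encapsulated DN. Do this before decoding escapes,
    # because a literal underscore in the DN is itself carried as +5F.
    $dn = $dn -replace '_', '/'

    # Decode +XX hex escapes (+20 = space, +2E = ".", +28 = "(", +29 = ")").
    $dn = [regex]::Replace($dn, '\+([0-9A-Fa-f]{2})', {
        param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
    })

    "X500:$dn"
}

# Recipient line copied from the NDR in the question.
$ndr  = 'IMCEAEX-_O=CONTOSO_OU=First+20administrative+20group_cn=Recipients_cn=maria+2Ewhite@contoso.com'
$x500 = Convert-ImceaexToX500 -Address $ndr
$x500

# proxyAddresses values as they might be read back from the AD object
# (constructed sample; the SMTP entry is an assumption).
$proxyAddresses = @(
    'SMTP:maria.smith@contoso.com',
    'X500:/O=CONTOSO/OU=First administrative group/cn=Recipients/cn=maria.white'
)

# -contains compares strings case-insensitively in PowerShell.
if ($proxyAddresses -contains $x500) { 'X500 alias present' } else { 'X500 alias missing' }
```

Comparing the decoded value against what is actually stored on the object catches entries where the type prefix was typed into the value field or the separator characters differ.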