Exchange Email Address Policy

Hello Experts,
I walked into a problem today and I really don’t know how to begin to fix this. A little quick history about this Exchange 2010 setup. I have two servers in a DAG and two CAS servers. On Friday evening 1/12/14 I had a round of Windows Updates and I installed Exchange 2010 SP3 Update Rollup 8. Everything went well, or at least I thought. On Monday I started getting calls that people who were sending email to internal distribution groups were looking like they were being sent out to the local user but would just disappear and never reach their intended destination. After looking into the Mail flow troubleshooter it looks like I am seeing this:

The email address for recipient was updated to the email address The message is in the process of being delivered. The funny thing is the messages are trying to go to our old domain, which is simply missing the word “the”.

I determined that the update must have done something to the default email address policy. Now this 2010 environment was upgraded from Exchange 2003 almost 4 years ago. When I look at the default email address policy in the EMC I don’t see anything, but when I look in the console and do a get-emailaddresspolicy I get a warning that I need to include the -IncludeMailboxSettingOnlyPolicy. When I do that I can see the default policy in the console.

I tried to create a new policy and applied it and it seemed to work, but I can’t get rid of the old default policy. Now when I do the get-emailaddresspolicy -includemailboxsettingonlypolicy I can see both policies. I tried the remove-emailaddresspolicy with no luck.

Anyone that can offer some assistance, I would greatly appreciate it. I still can’t get my distribution lists to work but I feel that solving this problem may help me in that direction.

Simon Butler (Sembee), Consultant, commented:
Sounds like you didn't update things properly when you migrated from Exchange 2003.
You probably had a mailbox manager policy on Exchange 2003 which really should have been removed. That old policy is probably from those days and is now getting in the way.

You tried

get-emailaddresspolicy "policyname" | remove-emailaddresspolicy

Replacing policyname with the name of the suspect email address policy?

BAYCCS (Author) commented:

Thank you for your reply. I just tried the above command to remove the default policy but I receive the error:

The operation couldn't be performed because object 'default policy' couldn't be found on dc.domain.local (name of the dc)

Simon Butler (Sembee), Consultant, commented:
If you run

get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy | select identity, version

what comes back? (I am doing it off memory, so if nothing comes back, do | fl instead and then look for version).

That will show whether it is a policy created by Exchange 2003 or 2010.

I expect this is going to require an adsiedit hack.

BAYCCS (Author) commented:
Here are the outputs. The FL ended up telling me it was legacy.

[PS] C:\Windows\system32>get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy  | select identity, ve

Identity                                                    version
--------                                                    -------
Default Policy

[PS] C:\Windows\system32>get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy  | FL

RunspaceId                        : 0d534552-fea8-44af-addf-5aa941e23bbe
RecipientFilter                   :
LdapRecipientFilter               : (mailnickname=*)
LastUpdatedRecipientFilter        :
RecipientFilterApplied            : False
IncludedRecipients                :
ConditionalDepartment             : {}
ConditionalCompany                : {}
ConditionalStateOrProvince        : {}
ConditionalCustomAttribute1       : {}
ConditionalCustomAttribute2       : {}
ConditionalCustomAttribute3       : {}
ConditionalCustomAttribute4       : {}
ConditionalCustomAttribute5       : {}
ConditionalCustomAttribute6       : {}
ConditionalCustomAttribute7       : {}
ConditionalCustomAttribute8       : {}
ConditionalCustomAttribute9       : {}
ConditionalCustomAttribute10      : {}
ConditionalCustomAttribute11      : {}
ConditionalCustomAttribute12      : {}
ConditionalCustomAttribute13      : {}
ConditionalCustomAttribute14      : {}
ConditionalCustomAttribute15      : {}
RecipientContainer                :
RecipientFilterType               : Legacy
Priority                          : Lowest
EnabledPrimarySMTPAddressTemplate :
EnabledEmailAddressTemplates      : {smtp:@library.ocl,, X400:c=US;a= ;p=OCLMAIL;o=Exch
DisabledEmailAddressTemplates     : {}
Enabled                           : True
HasEmailAddressSetting            : False
HasMailboxManagerSetting          : False
NonAuthoritativeDomains           : {}
AdminDescription                  :
AdminDisplayName                  :
ExchangeVersion                   : 0.0 (6.5.6500.0)
Name                              : Default Policy
DistinguishedName                 : CN=Default Policy,CN=Recipient Policies,CN=OCLMAIL,CN=Microsoft Exchange,CN=Service
Identity                          : Default Policy
Guid                              : b6c0453f-3ed9-4e6b-a431-f18e729d1dba
ObjectCategory                    : LIBRARY.OCL/Configuration/Schema/ms-Exch-Recipient-Policy
ObjectClass                       : {top, msExchGenericPolicy, msExchRecipientPolicy}
WhenChanged                       : 1/12/2015 1:58:36 PM
WhenCreated                       : 6/25/2007 3:33:37 PM
WhenChangedUTC                    : 1/12/2015 6:58:36 PM
WhenCreatedUTC                    : 6/25/2007 7:33:37 PM
OrganizationId                    :
OriginatingServer                 : TRLIB2.LIBRARY.OCL
IsValid                           : True

[PS] C:\Windows\system32>get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy  | select identity, ve

BAYCCS (Author) commented:
I also attempted to delete one of my distribution groups and re-add it but it created it with the when it is missing "the" in the domain name. It looks like the policy has some old stuck info in it.

BAYCCS (Author) commented:
Another piece to the puzzle:

Then, in the EMC, when I go to E-mail Address Policies the default policy isn't listed there. I can only see that using the shell. In the EMC I get this message:

Recipient policy objects that don't contain e-email addresses won't be shown unless you include the IncludeMailboxSettingOnlyPolicy parameter in the Get-EmailAddressPolicy cmdlet

Simon Butler (Sembee), Consultant, commented:
It is as I suspected - an old Exchange 2003 Recipient Update Services policy, which wasn't removed correctly during the removal of Exchange 2003.

One last thing to try...

Set-EmailAddressPolicy "Default Policy" -IncludedRecipients AllRecipients

Then see if that allows you to do anything. If it doesn't, then it is ADSIEDIT I am afraid.

- In the Configuration container, navigate to CN=Recipient Policies,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<com>
- In the middle pane, view the properties of the Default Policy.
- Remove the value(s) of the MsExchMailboxManagerFolderSettings attribute so that it’s now <Not Set>
- Edit the MsExchPolicyOptionList attribute and remove all the attributes that do not begin with 0xfc.  The policy that begins with 0xfc is the email addressing policy.

Then repeat the upgrade command I have outlined above.
I would then probably delete the policy.

BAYCCS (Author) commented:
Well the good news since we last spoke is that I found an article online that basically outlined what you mentioned above and I was able to restore the default policy into the EMC and perform the upgrade to it. With that said I am now back to just the distribution group problem. For some reason if I try to send mail to a group that was created years ago on the legacy 2003 Exchange box, the messages are going to the old domain missing "the" in front of it. In the SMTP properties the correct domain is showing and is also set to the default, and when I look at the message in the Exchange 2010 Delivery Reports tool I get this:

The e-mail address for recipient " was updated to the e-mail address "". and it looks like it is trying to go outbound since we technically don't have that domain anymore and it isn't in the list of accepted domains.

Now I opened up ADSI on that particular distribution group and I found that the targeted address was set to I edited it to say and Exchange seems to pass the message off to our Barracuda and then back to the Exchange box and it is stuck in the queue showing as a loop.

Any ideas on where to look for that?

Simon Butler (Sembee), Consultant, commented:
Have you actually deleted the old email address policy? If not, then I would do that to begin with.
Once you have done that, give the domain time to replicate the change, then apply your other email address policy. That should update all of the mail enabled objects with the address from the live domain.

BAYCCS (Author) commented:
When I try to delete it, I get an error basically saying that I can't delete the default policy.

BAYCCS (Author) commented:
So I am trying a different solution, I took one of my distribution groups and disabled it in the Exchange 2010 EMC and tried to recreate it and when I do that I am now getting bounce backs saying #550 5.1.1 Resolver.ADR.RecipNotFound; not found ##

Looking in ADSI, the group has old Exchange attributes. I try to delete them but when I recreate the group they seem to come back. Is there any way I can delete all the attributes and basically create a new Exchange group from the current AD group?

Simon Butler (Sembee), Consultant, commented:
That makes sense.
Is the default policy applied? If not, then leave it like that.
Furthermore the policy level should be set to "Lowest" with one or more policies set higher.

By strict best practises, the policy domain should match your internal Windows domain - so if your domain is example.local, then that is what the default policy is set to, and is then no longer touched.

BAYCCS (Author) commented:
Okay, so I managed to fix most of my distribution groups by doing this:

1) Checking the group's attributes in AD; if the group contains a targeted address attribute it seems to have it in this format and it is missing the word "the". If this is the case then I know I have to proceed to do the following

2) disable the group in the Exchange EMC

3) Use ADEditor and remove all the Exchange attributes

4) Recreate the distribution group in the EMC and select existing group

5) Add an X500 address that points to the legacyExchangeDN attribute

6) Once I did that to all I updated the Address Book and had the Outlook clients download a new copy. Mostly everyone can now send email to the groups. Some still had to delete the cached address that came up.

My only problem now is still, some of my OWA clients are having trouble sending to some of the groups. Some users can send to a particular group and some get a bounce back that has the X500 5.1.1 error. I have tried deleting the user's cache in IE and that still isn't working. Correct me if I am wrong, but OWA users use the Address Book that is on the server, right? I am lost why some users would still have trouble and some aren't sending e-mail to the same group. Would you have any ideas?

Question has a verified solution.
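
A read-only way to find the groups that step 1 of the procedure above describes, as an added example that is not part of the original thread. It assumes the Exchange Management Shell with the ActiveDirectory module available, and the output column names are chosen here for illustration:

```powershell
# Added example: read-only audit; it changes nothing in AD or Exchange.
# Assumes the Exchange Management Shell and the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Domains this organization accepts mail for; other domains are routed outbound.
$accepted = @(Get-AcceptedDomain | ForEach-Object { ([string]$_.DomainName).ToLower() })

# Mail-enabled groups that still carry a targetAddress (step 1 above).
$groups = Get-ADGroup -LDAPFilter '(&(mailNickname=*)(targetAddress=*))' `
    -Properties targetAddress, proxyAddresses, legacyExchangeDN

$report = foreach ($g in $groups) {
    # targetAddress has the form "SMTP:alias@domain"; keep only the domain.
    $address = [string]$g.targetAddress -replace '^[^:]+:', ''
    $domain  = ($address -split '@')[-1].ToLower()

    # -like lets a wildcard accepted domain such as "*.example.com" match too.
    $isAccepted = [bool]($accepted | Where-Object { $domain -like $_ })

    # X500 proxies keep old legacyExchangeDN values resolvable (step 5 above).
    $x500 = @($g.proxyAddresses | Where-Object { $_ -like 'X500:*' })

    New-Object PSObject -Property @{
        Group            = $g.Name
        TargetAddress    = $g.targetAddress
        DomainAccepted   = $isAccepted
        X500Count        = $x500.Count
        LegacyExchangeDN = $g.legacyExchangeDN
    }
}

# Groups whose targetAddress points at a domain Exchange does not accept.
$report | Where-Object { -not $_.DomainAccepted } |
    Select-Object Group, TargetAddress, X500Count, LegacyExchangeDN |
    Format-List
```

Groups listed here are the ones whose mail would be redirected to a domain outside the accepted-domain list, so they are the candidates for the disable, clean and re-enable steps.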
