Michael Smolens
asked on
Exchange Email Address Policy
Hello Experts,
I walked into a problem today and I really don’t know how to begin to fix this. A little quick history about this Exchange 2010 setup. I have two servers in a DAG and two CAS Servers. On Friday evening 1/12/14 I had a round of Windows Updates and I installed Exchange 2010 SP3 Update Rollup 8. Everything went well or at least I thought. On Monday I started getting calls that people who were sending email to internal distribution groups were looking like they were being sent out to the local user but would just disappear and never reach their intended destination. After looking into the Mail flow troubleshooter it looks like I am seeing this:
The email address for recipient xx@thecompany.com was updated to the email address xx@company.com. The message is in the process of being delivered. The funny thing is the messages are trying to go to our old domain, which simply missed the word “the”.
I determined that the update must have done something to the default email address policy. Now this 2010 environment was upgraded from Exchange 2003 almost 4 years ago. When I look at the default email address policy in the EMC I don’t see anything but when I look in the console and do a
get-emailaddresspolicy I get a warning that I need to include the -IncludeMailboxSettingOnlyPolicy. When I do that I can see the default policy in the console.
I tried to create a new policy and applied it and it seemed to work but I can’t get rid of the old default policy, now when I do the get-emailaddresspolicy -includemailboxsettingonlypolicy I can see both policies. I tried the remove-emailaddresspolicy with no luck.
Anyone that can offer some assistance, I would greatly appreciate it. I still can’t get my distribution lists to work but I feel that solving this problem may help me in that direction.
Thanks
-Mike
If you run
get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy | select identity, version
what comes back? (I am doing it off memory, so if nothing comes back, do | fl instead and then look for version).
That will show whether it is a policy created by Exchange 2003 or 2010.
I expect this is going to require an adsiedit hack.
Simon.
ASKER
Here are the outputs. The FL ended up telling me it was legacy.
[PS] C:\Windows\system32>get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy | select identity, version
Identity version
-------- -------
Default Policy
[PS] C:\Windows\system32>get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy | FL
RunspaceId : 0d534552-fea8-44af-addf-5aa941e23bbe
RecipientFilter :
LdapRecipientFilter : (mailnickname=*)
LastUpdatedRecipientFilter :
RecipientFilterApplied : False
IncludedRecipients :
ConditionalDepartment : {}
ConditionalCompany : {}
ConditionalStateOrProvince : {}
ConditionalCustomAttribute1 : {}
ConditionalCustomAttribute2 : {}
ConditionalCustomAttribute3 : {}
ConditionalCustomAttribute4 : {}
ConditionalCustomAttribute5 : {}
ConditionalCustomAttribute6 : {}
ConditionalCustomAttribute7 : {}
ConditionalCustomAttribute8 : {}
ConditionalCustomAttribute9 : {}
ConditionalCustomAttribute10 : {}
ConditionalCustomAttribute11 : {}
ConditionalCustomAttribute12 : {}
ConditionalCustomAttribute13 : {}
ConditionalCustomAttribute14 : {}
ConditionalCustomAttribute15 : {}
RecipientContainer :
RecipientFilterType : Legacy
Priority : Lowest
EnabledPrimarySMTPAddressTemplate : @theoceancountylibrary.org
EnabledEmailAddressTemplates : {smtp:@library.ocl, SMTP:@theoceancountylibrary.org, X400:c=US;a= ;p=OCLMAIL;o=Exchange;}
DisabledEmailAddressTemplates : {}
Enabled : True
HasEmailAddressSetting : False
HasMailboxManagerSetting : False
NonAuthoritativeDomains : {}
AdminDescription :
AdminDisplayName :
ExchangeVersion : 0.0 (6.5.6500.0)
Name : Default Policy
DistinguishedName : CN=Default Policy,CN=Recipient Policies,CN=OCLMAIL,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=LIBRARY,DC=OCL
Identity : Default Policy
Guid : b6c0453f-3ed9-4e6b-a431-f18e729d1dba
ObjectCategory : LIBRARY.OCL/Configuration/Schema/ms-Exch-Recipient-Policy
ObjectClass : {top, msExchGenericPolicy, msExchRecipientPolicy}
WhenChanged : 1/12/2015 1:58:36 PM
WhenCreated : 6/25/2007 3:33:37 PM
WhenChangedUTC : 1/12/2015 6:58:36 PM
WhenCreatedUTC : 6/25/2007 7:33:37 PM
OrganizationId :
OriginatingServer : TRLIB2.LIBRARY.OCL
IsValid : True
[PS] C:\Windows\system32>get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy | select identity, version
ASKER
I also attempted to delete one of my distribution groups and re-add it but it created it with the @oceancountylibrary.org when it is missing "the" in the domain name. It looks like the policy has some old stuck info in it.
ASKER
Another piece to the puzzle:
Then in the EMC when I go to E-mail Address Policies the default policy isn't listed there. I can only see that using the shell. In the EMC I get this message:
Recipient policy objects that don't contain e-mail addresses won't be shown unless you include the IncludeMailboxSettingOnlyPolicy parameter in the Get-EmailAddressPolicy cmdlet
It is as I suspected - an old Exchange 2003 Recipient Update Services policy, which wasn't removed correctly during the removal of Exchange 2003.
One last thing to try...
Set-EmailAddressPolicy "Default Policy" -IncludedRecipients AllRecipients
Then see if that allows you to do anything. If it doesn't, then it is ADSIEDIT I am afraid.
http://blogs.msmvps.com/expta/2011/06/13/fix-for-quot-default-policy-quot-with-mailbox-manager-settings-cannot-be-managed-by-the-current-version-of-exchange-management-console/
- In the Configuration container, navigate to CN=Recipient Policies,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<com>
- In the middle pane, view the properties of the Default Policy.
- Remove the value(s) of the MsExchMailboxManagerFolderSettings attribute so that it’s now <Not Set>
- Edit the MsExchPolicyOptionList attribute and remove all the attributes that do not begin with 0xfc. The policy that begins with 0xfc is the email addressing policy.
Then repeat the upgrade command I have outlined above.
I would then probably delete the policy.
Simon.
ASKER
Well the good news since we last spoke is that I found an article online that basically outlined what you mentioned above and I was able to restore the default policy into the EMC and perform the upgrade to it. With that said I am now back to just the distribution group problem. For some reason if I try to send mail to a group that was created years ago on the legacy 2003 Exchange box, the messages are going to the old domain missing "the" in front of it. In the SMTP properties the correct domain is showing and is also set to the default and when I look at the message in the Exchange 2010 Delivery Reports tool I get this:
The e-mail address for recipient "admin@thedomain.com" was updated to the e-mail address "admin@domain.com", and it looks like it is trying to go outbound since we technically don't have that domain anymore and it isn't in the list of accepted domains.
Now I opened up ADSI on that particular distribution group and I found that the targeted address was set to admin@domain.com. I edited it to say admin@thedomain.com and Exchange seems to pass the message off to our Barracuda and then back to the Exchange box and it is stuck in the queue showing as a loop.
Any ideas on where to look for that?
Have you actually deleted the old email address policy? If not, then I would do that to begin with.
Once you have done that, give the domain time to replicate the change, then apply your other email address policy. That should update all of the mail enabled objects with the address from the live domain.
Simon.
ASKER
When I try to delete it, I get an error basically saying that I can't delete the default policy.
ASKER
So I am trying a different solution. I took one of my distribution groups and disabled it in the Exchange 2010 EMC and tried to recreate it, and when I do that I am now getting bounce backs saying #550 5.1.1 Resolver.ADR.RecipNotFound ; not found ##
Looking in ADSI, the group has old Exchange attributes. I try to delete them but when I recreate the group they seem to come back. Is there any way I can delete all the attributes and basically create a new Exchange group from the current AD group?
That makes sense.
Is the default policy applied? If not, then leave it like that.
Furthermore the policy level should be set to "Lowest" with one or more policies set higher.
By strict best practices, the policy domain should match your internal Windows domain - so if your domain is example.local, then that is what the default policy is set to, and is then no longer touched.
Simon.
ASKER
Okay, so I managed to fix most of my distribution groups by doing this:
1) Checking the group's attributes in AD: if the group contains a targeted address attribute it seems to have it in this format xx@domain.com and it is missing the word "the". If this is the case then I know I have to proceed to do the following
2) Disable the group in the Exchange EMC
3) Use ADEditor and remove all the Exchange attributes
4) Recreate the distribution group in the EMC and select existing group
5) Add an X500 address that points to the legacyExchangeDN attribute
6) Once I did that to all I updated the Address Book and had the Outlook clients download a new copy. Mostly everyone can now send email to the groups. Some still had to delete the cached address that came up.
My only problem now is still, some of my OWA clients are having trouble sending to some of the groups. Some users can send to a particular group and some get a bounce back that has the X500 5.1.1 error. I have tried deleting the user's cache in IE and that still isn't working. Correct me if I am wrong but OWA users use the Address Book that is on the server, right? I am lost why some users would still have trouble and some aren't when sending e-mail to the same group. Would you have any ideas?
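Step 1 of the procedure above (checking each group for a targeted address value), as an added example that is not part of the original post: a read-only PowerShell audit that lists groups carrying a targetAddress, reports whether its domain is one Exchange accepts, and shows legacyExchangeDN so it can be noted for step 5. The function names and the sample records are constructed for illustration, and the syntax is kept compatible with PowerShell 2.0.

```powershell
# Added example, not code from the thread. Function names and sample
# records are constructed; nothing here writes to Active Directory.

function Get-AddressDomain {
    param([string]$Address)
    # targetAddress is stored as "<type>:<local>@<domain>", e.g. SMTP:xx@company.com
    if ($Address -match '^smtp:[^@\s]+@(?<domain>[^@\s]+)$') {
        return $Matches['domain'].ToLower()
    }
    return $null   # not an SMTP address, or malformed
}

function Find-GroupTargetAddress {
    param(
        [Parameter(Mandatory=$true)] [object[]]$Group,
        [Parameter(Mandatory=$true)] [string[]]$AcceptedDomain
    )
    $accepted = @($AcceptedDomain | ForEach-Object { $_.ToLower() })
    foreach ($g in $Group) {
        if (-not $g.targetAddress) { continue }   # attribute not set: skip
        $domain = Get-AddressDomain $g.targetAddress
        $isAccepted = ($null -ne $domain) -and ($accepted -contains $domain)
        New-Object PSObject -Property @{
            Name             = $g.Name
            TargetAddress    = $g.targetAddress
            DomainAccepted   = $isAccepted
            LegacyExchangeDN = $g.legacyExchangeDN   # note this before step 3
        } | Select-Object Name, TargetAddress, DomainAccepted, LegacyExchangeDN
    }
}

# Constructed sample records standing in for AD group objects.
$sample = @(
    (New-Object PSObject -Property @{
        Name = 'Admin'; targetAddress = 'SMTP:admin@company.com'
        legacyExchangeDN = '/o=ExampleOrg/ou=First Administrative Group/cn=Recipients/cn=admin' }),
    (New-Object PSObject -Property @{
        Name = 'Staff'; targetAddress = $null
        legacyExchangeDN = '/o=ExampleOrg/ou=First Administrative Group/cn=Recipients/cn=staff' }),
    (New-Object PSObject -Property @{
        Name = 'Branch'; targetAddress = 'SMTP:branch@thecompany.com'
        legacyExchangeDN = '/o=ExampleOrg/ou=First Administrative Group/cn=Recipients/cn=branch' })
)

Find-GroupTargetAddress -Group $sample -AcceptedDomain 'thecompany.com' | Format-List

# Live use (assumes the ActiveDirectory module and the Exchange Management Shell):
#   $groups  = Get-ADGroup -LDAPFilter '(targetAddress=*)' -Properties targetAddress, legacyExchangeDN
#   $domains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
#   Find-GroupTargetAddress -Group $groups -AcceptedDomain $domains
```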
ASKER
Thank you for your reply. I just tried the above command to remove the default policy but I receive the error:
The operation couldn't be performed because object 'default policy' couldn't be found on dc.domain.local (name of the dc)