Exchange Email Address Policy

Posted on 2015-01-12
Medium Priority
Last Modified: 2015-01-29
Hello Experts,
I walked into a problem today and I really don’t know how to begin to fix this. A little quick history about this Exchange 2010 setup. I have two servers in a DAG and two CAS Servers. On Friday evening 1/12/14 I had a round of Windows Updates and I installed Exchange 2010 SP3 Update Rollup 8. Everything went well, or at least I thought. On Monday I started getting calls that people who were sending email to internal distribution groups were looking like they were being sent out to the local user but would just disappear and never reach their intended destination. After looking into the Mail flow troubleshooter it looks like I am seeing this:

The email address for recipient xx@thecompany.com was updated to the email address xx@company.com. The message is in the process of being delivered. The funny thing is the messages are trying to go to our old domain, which is simply missing the word “the”.

I determined that the update must have done something to the default email address policy. Now this 2010 environment was upgraded from Exchange 2003 almost 4 years ago. When I look at the default email address policy in the EMC I don’t see anything but when I look in the console and do a
get-emailaddresspolicy I get a warning that I need to include the -IncludeMailboxSettingOnlyPolicy. When I do that I can see the default policy in the console.

I tried to create a new policy and applied it and it seemed to work but I can’t get rid of the old default policy, now when I do the get-emailaddresspolicy -includemailboxsettingonlypolicy I can see both policies. I tried the remove-emailaddresspolicy with no luck.

Anyone that can offer some assistance, I would greatly appreciate it. I still can’t get my distribution lists to work but I feel that solving this problem may help me in that direction.

Question by:BAYCCS

Accepted Solution

Simon Butler (Sembee) earned 2000 total points
ID: 40545358
Sounds like you didn't update things properly when you migrated from Exchange 2003.
You probably had a mailbox manager policy on Exchange 2003 which really should have been removed. That old policy is probably from those days and is now getting in the way.

You tried

get-emailaddresspolicy "policyname" | remove-emailaddresspolicy

Replacing policyname with the name of the suspect email address policy?


Author Comment

ID: 40545378

Thank you for your reply. I just tried the above command to remove the default policy but I receive the error:

The operation couldn't be performed because object 'default policy' couldn't be found on dc.domain.local (name of the dc)

Expert Comment

by:Simon Butler (Sembee)
ID: 40545406
If you run

get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy | select identity, version

what comes back? (I am doing it off memory, so if nothing comes back, do | fl instead and then look for version).

That will show whether it is a policy created by Exchange 2003 or 2010.

I expect this is going to require an adsiedit hack.


Author Comment

ID: 40545419
Here are the outputs. The FL ended up telling me it was legacy.

[PS] C:\Windows\system32>get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy  | select identity, ve

Identity                                                    version
--------                                                    -------
Default Policy

[PS] C:\Windows\system32>get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy  | FL

RunspaceId                        : 0d534552-fea8-44af-addf-5aa941e23bbe
RecipientFilter                   :
LdapRecipientFilter               : (mailnickname=*)
LastUpdatedRecipientFilter        :
RecipientFilterApplied            : False
IncludedRecipients                :
ConditionalDepartment             : {}
ConditionalCompany                : {}
ConditionalStateOrProvince        : {}
ConditionalCustomAttribute1       : {}
ConditionalCustomAttribute2       : {}
ConditionalCustomAttribute3       : {}
ConditionalCustomAttribute4       : {}
ConditionalCustomAttribute5       : {}
ConditionalCustomAttribute6       : {}
ConditionalCustomAttribute7       : {}
ConditionalCustomAttribute8       : {}
ConditionalCustomAttribute9       : {}
ConditionalCustomAttribute10      : {}
ConditionalCustomAttribute11      : {}
ConditionalCustomAttribute12      : {}
ConditionalCustomAttribute13      : {}
ConditionalCustomAttribute14      : {}
ConditionalCustomAttribute15      : {}
RecipientContainer                :
RecipientFilterType               : Legacy
Priority                          : Lowest
EnabledPrimarySMTPAddressTemplate : @theoceancountylibrary.org
EnabledEmailAddressTemplates      : {smtp:@library.ocl, SMTP:@theoceancountylibrary.org, X400:c=US;a= ;p=OCLMAIL;o=Exch
DisabledEmailAddressTemplates     : {}
Enabled                           : True
HasEmailAddressSetting            : False
HasMailboxManagerSetting          : False
NonAuthoritativeDomains           : {}
AdminDescription                  :
AdminDisplayName                  :
ExchangeVersion                   : 0.0 (6.5.6500.0)
Name                              : Default Policy
DistinguishedName                 : CN=Default Policy,CN=Recipient Policies,CN=OCLMAIL,CN=Microsoft Exchange,CN=Service
Identity                          : Default Policy
Guid                              : b6c0453f-3ed9-4e6b-a431-f18e729d1dba
ObjectCategory                    : LIBRARY.OCL/Configuration/Schema/ms-Exch-Recipient-Policy
ObjectClass                       : {top, msExchGenericPolicy, msExchRecipientPolicy}
WhenChanged                       : 1/12/2015 1:58:36 PM
WhenCreated                       : 6/25/2007 3:33:37 PM
WhenChangedUTC                    : 1/12/2015 6:58:36 PM
WhenCreatedUTC                    : 6/25/2007 7:33:37 PM
OrganizationId                    :
OriginatingServer                 : TRLIB2.LIBRARY.OCL
IsValid                           : True

[PS] C:\Windows\system32>get-emailaddresspolicy "default policy" -includemailboxsettingonlypolicy  | select identity, ve

Author Comment

ID: 40545428
I also attempted to delete one of my distribution groups and re-add it but it created it with the @oceancountylibrary.org when it is missing "the" in the domain name. It looks like the policy has some old stuck info in it.

Author Comment

ID: 40545501
Another piece to the puzzle:

Then, when I go to E-mail Address Policies in the EMC, the default policy isn't listed there. I can only see that using the shell. In the EMC I get this message:

Recipient policy objects that don't contain e-email addresses won't be shown unless you include the IncludeMailboxSettingOnlyPolicy parameter in the Get-EmailAddressPolicy cmdlet

Expert Comment

by:Simon Butler (Sembee)
ID: 40546183
It is as I suspected - an old Exchange 2003 Recipient Update Services policy, which wasn't removed correctly during the removal of Exchange 2003.

One last thing to try...

Set-EmailAddressPolicy "Default Policy" -IncludedRecipients AllRecipients

Then see if that allows you to do anything. If it doesn't, then it is ADSIEDIT I am afraid.


- In the Configuration container, navigate to CN=Recipient Policies,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<com>
- In the middle pane, view the properties of the Default Policy.
- Remove the value(s) of the MsExchMailboxManagerFolderSettings attribute so that it’s now <Not Set>
- Edit the MsExchPolicyOptionList attribute and remove all the attributes that do not begin with 0xfc.  The policy that begins with 0xfc is the email addressing policy.

Then repeat the upgrade command I have outlined above.
I would then probably delete the policy.


Author Comment

ID: 40546544
Well, the good news since we last spoke is that I found an article online that basically outlined what you mentioned above and I was able to restore the default policy into the EMC and perform the upgrade to it. With that said, I am now back to just the distribution group problem. For some reason, if I try to send mail to a group that was created years ago on the legacy 2003 Exchange box, the messages are going to the old domain missing "the" in front of it. In the SMTP properties the correct domain is showing and is also set to the default, and when I look at the message in the Exchange 2010 Delivery Reports tool I get this:

The e-mail address for recipient "admin@thedomain.com" was updated to the e-mail address "admin@domain.com". And it looks like it is trying to go outbound since we technically don't have that domain anymore and it isn't in the list of accepted domains.

Now I opened up ADSI on that particular distribution group and I found that the targeted address was set to admin@domain.com. I edited it to say admin@thedomain.com and Exchange seems to pass the message off to our Barracuda and then back to the Exchange box and it is stuck in the queue showing as a loop.

Any ideas on where to look for that?

Expert Comment

by:Simon Butler (Sembee)
ID: 40547067
Have you actually deleted the old email address policy? If not, then I would do that to begin with.
Once you have done that, give the domain time to replicate the change, then apply your other email address policy. That should update all of the mail enabled objects with the address from the live domain.


Author Comment

ID: 40547137
When I try to delete it, I get an error basically saying that I can't delete the default policy.

Author Comment

ID: 40547195
So I am trying a different solution, I took one of my distribution groups and disabled it in the Exchange 2010 EMC and tried to recreate it and when I do that I am now getting bounce backs saying #550 5.1.1 Resolver.ADR.RecipNotFound; not found ##

Looking in ADSI, the group has old Exchange attributes. I try to delete them but when I recreate the group they seem to come back. Is there any way I can delete all the attributes and basically create a new Exchange group from the current AD group?

Expert Comment

by:Simon Butler (Sembee)
ID: 40547209
That makes sense.
Is the default policy applied? If not, then leave it like that.
Furthermore the policy level should be set to "Lowest" with one or more policies set higher.

By strict best practises, the policy domain should match your internal Windows domain - so if your domain is example.local, then that is what the default policy is set to, and is then no longer touched.


Author Comment

ID: 40548960
Okay, so I managed to fix most of my distribution groups by doing this:

1) Checking the group's attributes in AD; if the group contains a targeted address attribute, it seems to have it in this format xx@domain.com and it is missing the word "the". If this is the case then I know I have to proceed to do the following

2) disable the group in the Exchange EMC

3) Use ADEditor and remove all the Exchange attributes

4) Recreate the distribution group in the EMC and select existing group

5) Add an X500 address that points to the legacyExchangeDN attribute

6) Once I did that to all I updated the Address Book and had the Outlook clients download a new copy. Mostly everyone can now send email to the groups. Some still had to delete the cached address that came up.

My only problem now is still, some of my OWA clients are having trouble sending to some of the groups. Some users can send to a particular group and some get a bounce back that has the X500 5.1.1 error. I have tried deleting the user's cache in IE and that still isn't working. Correct me if I am wrong but OWA users use the Address Book that is on the server, right? I am lost why some users would still have trouble and some aren't sending e-mail to the same group. Would you have any ideas?
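
Added example, not part of the thread: a read-only check for step 1 of the procedure above, flagging mail-enabled groups whose targetAddress points at a domain that is no longer in the accepted-domain list, so mail to them would be routed outbound. `Find-StaleTargetAddress`, the sample groups and the example.org domains are constructed for illustration; the code sticks to PowerShell 2.0 syntax.

```powershell
# Hypothetical helper (not an Exchange cmdlet): reports groups whose targetAddress
# domain is not one the organization accepts mail for. It changes nothing in AD.
function Find-StaleTargetAddress {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Group,          # needs Name, targetAddress, proxyAddresses
        [Parameter(Mandatory=$true)] [string[]] $AcceptedDomain  # SMTP domains accepted by the org
    )
    foreach ($g in $Group) {
        if ([string]::IsNullOrEmpty($g.targetAddress)) { continue }   # no forwarding target set
        # targetAddress is stored as "SMTP:user@domain": drop the prefix, keep the domain part
        $addr   = $g.targetAddress -replace '^smtp:', ''
        $domain = ($addr -split '@')[-1]
        # The primary address is the proxyAddresses entry with an upper-case "SMTP:" prefix
        $primary = @($g.proxyAddresses) | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
        New-Object PSObject -Property @{
            Name          = $g.Name
            TargetAddress = $addr
            PrimarySmtp   = $primary -replace '^SMTP:', ''
            Stale         = ($AcceptedDomain -notcontains $domain)   # case-insensitive comparison
        }
    }
}

# Constructed sample data mimicking the thread's symptom (old domain missing "the").
# In a live domain the same shape comes from the ActiveDirectory module:
#   Get-ADGroup -LDAPFilter '(&(mailNickname=*)(targetAddress=*))' -Properties targetAddress,proxyAddresses
# and the accepted list from the Exchange shell:
#   Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
$sample = @(
    New-Object PSObject -Property @{
        Name = 'Staff'; targetAddress = 'SMTP:staff@example.org'
        proxyAddresses = @('SMTP:staff@theexample.org', 'smtp:staff@example.local') }
    New-Object PSObject -Property @{
        Name = 'Admin'; targetAddress = 'SMTP:admin@theexample.org'
        proxyAddresses = @('SMTP:admin@theexample.org') }
    New-Object PSObject -Property @{
        Name = 'Board'; targetAddress = $null
        proxyAddresses = @('SMTP:board@theexample.org') }
)

Find-StaleTargetAddress -Group $sample -AcceptedDomain 'theexample.org', 'example.local' |
    Where-Object { $_.Stale } |
    Select-Object Name, TargetAddress, PrimarySmtp
```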
