Julie
asked on
Accepted Domains
Hi, I wonder if someone can give us some guidance. I hope this makes sense.
In exchange 2010 console, under organization configuration > hub transport > accepted domains, we have :
abc.co.uk - authoritative (default true)
def.london - authoritative (default false)
abc.co.uk is our AD domain and we have no issue with this. def.london is a new accepted domain which has an MX record pointing to our external exchange IP.
In order to send and receive emails from testuser@def.london, we did the following :
created a new AD OU New Division in abc.co.uk
created a new mailbox testuser@abc.co.uk with the SMTP address of testuser@def.london
In exchange console, under organization configuration > hub transport > e-mail address policies, we have :
New Policy - priority 1(applied) – for recipient container abc.co.uk/New Division
Default Policy - priority Lowest (applied)
We can successfully send and receive emails from/to testuser@abc.co.uk and they appear to come from testuser@def.london. Great.
We now need currentuser@abc.co.uk to be able to send and receive emails for testuser@def.london, and have granted currentuser@abc.co.uk full access rights and send as permission to testuser@abc.co.uk.
Unfortunately, every time we attempt to send an email in Outlook 2010 using testuser@abc.co.uk in the From field, we get :
"You can't send a message on behalf of this user unless you have permission to do so …."
Interestingly, if we change the primary SMTP address on testuser@abc.co.uk to testuser@abc.co.uk, we can send as with currentuser@abc.co.uk.
Have we missed a step, or is this simply not possible using a primary SMTP address from the accepted domain?
Best regards
Julie
Could you try opening testuser mailbox from currentuser account and send on this way?
It needs to be set as authoritative so that you can send and receive as that domain.
Once you have done that, you can have multiple email domains, and any mailbox given the right can send as that account.
ASKER
Hi Miguel
Yes, in currentuser's Outlook, we've added testuser mailbox, and testuser@abc.co.uk is available from the list when we click "From" in the email form. When we Send, we get an undeliverable failure containing the error above.
ASKER
Hi irweazelwallis, all entries under accepted domains in exchange are authoritative.
I have tested this exact scenario in my lab and user@abc.com can "send as" user@123.com without any issues. I have Authoritative Accepted Domains for abc.com and 123.com. User1 for abc.com had absolutely no issues sending AS user2@123.com.
The Send As permission is an Active Directory specific permission so make sure that your AD replication is working properly. Also have you tried to use Online Mode for Outlook to see if you still get the same issue? Or also re-creating the profile.
What you are seeing is either a caching or replication issue.
Will.
ASKER
Hi Will
All our clients run Outlook in cached mode. We took this setting off for this particular user and tried to send as again. Instead of an undeliverable failure message, we get a pop-up message instead.
We tried the same through OWA, just in case this is what you meant by Online Mode, with the same result.
Just to be clear, def.london has only been added to exchange and the external domain's DNS settings, it is not an active directory domain.
I'd assume AD is replicating OK as we haven't encountered any other issues. These amendments were performed some 48 hours ago, so hopefully any "propagation/replication" process would have completed?
Do let me know if I've misunderstood anything.
Julie
So using Outlook in Online mode determines it is not a caching issue.
Have you checked your AD replication/health? Use the below commands.
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
DCDiag /v
Also, if you open ADUC find the account where you have send as permissions set and do the following
- open the properties for this account
- click on the security tab
- click advanced security button
- check to make sure that your account has Send As permissions
Also, have the Exchange services been restarted or the Exchange server been rebooted?
I would start by also re-starting the Exchange Information Store Service.
Will.
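The permission check and replication advice in the reply above, as an added Exchange Management Shell example that is not part of the original thread. It reads the Send As entry for the trustee from every domain controller and then lists Full Access; the account names are the ones used in this thread, and it assumes an Exchange 2010 administrator session.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010).
# 'testuser' and 'currentuser' are the accounts named in this thread.
$Mailbox = 'testuser'
$Trustee = 'currentuser'

$mbx = Get-Mailbox -Identity $Mailbox

# Addresses the e-mail address policy has stamped on the mailbox.
$mbx | Format-List Name, OrganizationalUnit, PrimarySmtpAddress, EmailAddressPolicyEnabled, EmailAddresses

# Send As is an extended right on the AD user object, so read the ACL from
# every domain controller: a DC that has not received the change shows no entry.
$report = foreach ($dc in Get-DomainController) {
    $aces = @(Get-ADPermission -Identity $mbx.DistinguishedName -DomainController $dc.DnsHostName |
        Where-Object { $_.ExtendedRights -like '*Send-As*' -and
                       $_.User.ToString() -like "*\$Trustee" })

    New-Object PSObject -Property @{
        DomainController = $dc.DnsHostName
        Allow            = @($aces | Where-Object { -not $_.Deny }).Count
        Deny             = @($aces | Where-Object { $_.Deny }).Count
        Inherited        = @($aces | Where-Object { $_.IsInherited }).Count
    }
}
$report | Format-Table DomainController, Allow, Deny, Inherited -AutoSize

# A Deny entry can override an Allow; a DC with Allow = 0 is missing the grant.
$report | Where-Object { $_.Allow -eq 0 -or $_.Deny -gt 0 } | ForEach-Object {
    Write-Warning "Send As for $Trustee on $Mailbox is not effective on $($_.DomainController)"
}

# Full Access is a separate mailbox permission and is listed on its own.
Get-MailboxPermission -Identity $Mailbox -User $Trustee |
    Format-Table User, AccessRights, Deny, IsInherited -AutoSize
```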
ASKER
The Exchange services have not been restarted, and the server has not been rebooted. We have security updates to apply at the weekend, so we can perform those steps then.
Regarding the Send As permissions in ADUC, we can indeed see the permission added in the security settings.
In respect of the replication commands, these have been performed on both DCs and although we don't fully understand the output, the only error that we can see is similar to the following:
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
We'll attempt the Send As again on Monday to see if the Exchange restart is the cure all.
Best regards
Julie
ASKER
The email setup is as we want it, the right people can "Send As" and we've added another Accepted Domain without problem.
Thanks to everyone who contributed.
Julie
ASKER
The solution was to ensure both the original account and the "Send As" account are in the same Active Directory OU, and, in addition, we removed the condition on the E-mail Address policy since only those users we've explicitly granted permission to would access the desired account.
Comments were extremely useful, particularly regarding troubleshooting replication, but they didn't resolve the issue in this case.