Accepted Domains

Hi, I wonder if someone can give us some guidance.  I hope this makes sense.

In the Exchange 2010 console, under organization configuration > hub transport > accepted domains, we have:

abc.co.uk - authoritative (default true)
def.london - authoritative (default false)

abc.co.uk is our AD domain and we have no issue with this.  def.london is a new accepted domain which has an MX record pointing to our external Exchange IP.

In order to send and receive emails from testuser@def.london, we did the following:

- created a new AD OU "New Division" in abc.co.uk
- created a new mailbox testuser@abc.co.uk with the SMTP address testuser@def.london

In the Exchange console, under organization configuration > hub transport > e-mail address policies, we have:

New Policy - priority 1(applied) – for recipient container abc.co.uk/New Division
Default Policy - priority Lowest (applied)

We can successfully send and receive emails from/to testuser@abc.co.uk and they appear to come from testuser@def.london.  Great.  

We now need currentuser@abc.co.uk to be able to send and receive emails for testuser@def.london, and have granted currentuser@abc.co.uk full access rights and send as permission to testuser@abc.co.uk.

Unfortunately, every time we attempt to send an email in Outlook 2010 using testuser@abc.co.uk in the From field, we get:

"You can't send a message on behalf of this user unless you have permission to do so …."

Interestingly, if we change the primary SMTP address on testuser@abc.co.uk to testuser@abc.co.uk, we can send as with currentuser@abc.co.uk.  

Have we missed a step, or is this simply not possible using a primary SMTP address from the accepted domain?

Best regards

Julie
Julie (Senior Analyst/Programmer) asked:
Miguel Angel Perez Muñoz commented:
Could you try opening the testuser mailbox from the currentuser account and sending that way?
Chris (Senior Technical Architect) commented:
It needs to be set as authoritative so that you can send and receive as that domain.
Once you have done that you can have multiple email domains, and any mailbox given the right can send as that account.
Julie (Senior Analyst/Programmer, Author) commented:
Hi Miguel

Yes, in currentuser's Outlook, we've added the testuser mailbox, and testuser@abc.co.uk is available from the list when we click "From" in the email form.  When we send, we get an undeliverable failure containing the error above.
Julie (Senior Analyst/Programmer, Author) commented:
Hi irweazelwallis, all entries under accepted domains in Exchange are authoritative.
Will Szymkowski (Senior Solution Architect) commented:
I have tested this exact scenario in my lab and user@abc.com can "send as" user@123.com without any issues. I have Authoritative Accepted Domains for abc.com and 123.com. User1 for abc.com had absolutely no issues sending AS user2@123.com.

The Send As permission is an Active Directory specific permission, so make sure that your AD replication is working properly. Also, have you tried to use Online Mode for Outlook to see if you still get the same issue? Or also re-creating the profile.

What you are seeing is either a caching or replication issue.

Will.
Julie (Senior Analyst/Programmer, Author) commented:
Hi Will

All our clients run Outlook in cached mode.  We took this setting off for this particular user and tried to send as again.  Instead of an undeliverable failure message, we get a pop-up message instead.

We tried the same through OWA, just in case this is what you meant by Online Mode, with the same result.

Just to be clear, def.london has only been added to exchange and the external domain's DNS settings, it is not an active directory domain.

I'd assume AD is replicating OK as we haven't encountered any other issues.  These amendments were performed some 48 hours ago, so hopefully any "propagation/replication" process would have completed?

Do let me know if I've misunderstood anything.

Julie
Will Szymkowski (Senior Solution Architect) commented:
So using Outlook in Online mode determines it is not a caching issue.

Have you checked your AD replication/health? Use the below commands.

repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
DCDiag /v

Also, if you open ADUC, find the account where you have Send As permissions set and do the following:
- open the properties for this account
- click on the security tab
- click advanced security button
- check to make sure that your account has Send As permissions

Also, have the Exchange services been restarted or the Exchange server been rebooted?

I would start by also re-starting the Exchange Information Store Service.

Will.
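The ADUC and repadmin checks above can also be done from the Exchange 2010 Management Shell, which shows the two separate permissions (Send As on the AD object, Full Access on the mailbox) side by side. This is an added example, not code from the thread or from any of the commenters; it assumes the mailbox aliases testuser and currentuser from the question and that it is run on the Exchange server.

```powershell
# Added example (not from the thread): Exchange 2010 Management Shell checks
# for the Send As scenario described above. Assumes the mailbox aliases
# "testuser" and "currentuser" from the question; adjust to your environment.

# 1. Confirm both domains are accepted and authoritative.
Get-AcceptedDomain | Format-Table DomainName, DomainType, Default -AutoSize

# 2. Confirm the target mailbox carries the def.london address as its primary
#    SMTP address and is still being stamped by an e-mail address policy.
Get-Mailbox -Identity "testuser" |
    Format-List Alias, PrimarySmtpAddress, EmailAddresses, EmailAddressPolicyEnabled, OrganizationalUnit

# 3. Send As is an AD extended right on the mailbox user object, so it is read
#    with Get-ADPermission, not Get-MailboxPermission. An explicit or inherited
#    Deny entry takes precedence over the Allow that was added.
Get-ADPermission -Identity "testuser" |
    Where-Object { $_.ExtendedRights -like "*Send-As*" } |
    Format-Table User, ExtendedRights, Deny, IsInherited -AutoSize

# 4. Full Access is a mailbox (store) permission and is independent of Send As.
Get-MailboxPermission -Identity "testuser" |
    Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited } |
    Format-Table User, AccessRights, Deny -AutoSize

# 5. If the Send As entry is missing, grant it explicitly (equivalent to the
#    ADUC Security tab). The change is written to AD, so it must replicate to
#    every DC and be re-read by the Information Store before clients honour it.
# Add-ADPermission -Identity "testuser" -User "currentuser" -ExtendedRights "Send-As"

# 6. Audit: list every explicit Send As grant in the organisation so delegated
#    sending rights can be reviewed, since each one lets a second account send
#    mail that is indistinguishable from the mailbox owner's.
Get-Mailbox -ResultSize Unlimited |
    Get-ADPermission |
    Where-Object {
        $_.ExtendedRights -like "*Send-As*" -and
        -not $_.IsInherited -and
        $_.User -notlike "NT AUTHORITY\SELF"
    } |
    Select-Object Identity, User, Deny |
    Sort-Object Identity
```

Step 3 is the one that matters for the error in the question: if currentuser is absent from that output, or appears with Deny set to True, Outlook and OWA will both refuse the send regardless of the Full Access grant in step 4. Step 6 is worth running on a schedule; a stale Send As grant is a quiet way for mail to be sent in someone else's name.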
Julie (Senior Analyst/Programmer, Author) commented:
The Exchange services have not been restarted, and the server has not been rebooted.  We have security updates to apply at the weekend, so we can perform those steps then.

Regarding the Send As permissions in ADUC, we can indeed see the permission added in the security settings.  

In respect of the replication commands, these have been performed on both DCs and, although we don't fully understand the output, the only error that we can see is similar to the following:

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set

We'll attempt the Send As again on Monday to see if the Exchange restart is the cure all.

Best regards
Julie
Julie (Senior Analyst/Programmer, Author) commented:
Well, the reboot over the weekend didn't seem to work.  Reviewing our setup notes and a number of additional articles today, we made a slight adjustment.

The email address policy for the accepted domain was targeting "DeptNew" OU in AD of which testuser@abc.co.uk (with smtp testuser@def.london) was a member.  However, currentuser@abc.co.uk, who we were granting Send As permission and Full Access rights to, was a member of "Dept10".  We moved currentuser@abc.co.uk into OU "DeptNew" and, after a client reboot, voila!  Both Outlook and OWA work.

We also removed the condition on the email address policy; not sure if this had a part to play as the department simply had "def" in it (this was added when we followed the article for the initial setup) ... and both accounts had nothing in this field.

We are going to run with this for a while, as we have at least two other accepted domains to add, but, fingers crossed, all seems to be working as we would like.

Thanks to all for the help ... sometimes just running through the procedures that have been performed can shed a little light, particularly with fresh eyes.

Thanks again.

Julie
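A quick way to see the mismatch Julie describes, between the OU an e-mail address policy targets and the OUs the two accounts actually live in, is to read the policy's scope and both mailboxes' OrganizationalUnit from the Exchange Management Shell. This is an added example, not code from the thread; it assumes the policy name "New Policy" and the aliases testuser and currentuser from the question, and that RecipientContainer is the only scoping in use besides the conditional department.

```powershell
# Added example (not from the thread): compare the scope of an e-mail address
# policy with the OU of both accounts involved in the Send As grant. Assumes the
# policy name "New Policy" and aliases "testuser"/"currentuser" from the thread.

$policy = Get-EmailAddressPolicy -Identity "New Policy"

# A policy's scope is its RecipientContainer (an OU) combined with its
# recipient filter and any conditional attributes such as department.
$policy | Format-List Name, Priority, RecipientContainer, RecipientFilter,
    ConditionalDepartment, EnabledEmailAddressTemplates

# RecipientContainer is empty when the policy applies to the whole forest.
$container = if ($policy.RecipientContainer) { $policy.RecipientContainer.ToString() } else { "" }

foreach ($alias in "testuser", "currentuser") {
    $mbx  = Get-Mailbox -Identity $alias
    $user = Get-User -Identity $alias
    $ou   = $mbx.OrganizationalUnit.ToString()      # e.g. "abc.co.uk/New Division"

    # The policy only applies to recipients at or below its RecipientContainer.
    $inContainer = [string]::IsNullOrEmpty($container) -or
                   $ou.StartsWith($container, [System.StringComparison]::OrdinalIgnoreCase)

    # If the policy also carries a ConditionalDepartment, the user's Department
    # attribute must match one of those values for the policy to apply.
    $deptOk = (-not $policy.ConditionalDepartment) -or
              ($policy.ConditionalDepartment -contains $user.Department)

    [PSCustomObject]@{
        Mailbox            = $alias
        OU                 = $ou
        Department         = $user.Department
        PrimarySmtpAddress = $mbx.PrimarySmtpAddress.ToString()
        InContainer        = $inContainer
        DepartmentMatches  = $deptOk
        PolicyApplies      = ($inContainer -and $deptOk)
    }
}

# After moving a user or editing the policy, re-stamp addresses so the change
# is reflected on every recipient in scope.
# Update-EmailAddressPolicy -Identity "New Policy"
```

If one account shows PolicyApplies as True and the other as False, the two are being stamped by different policies, which is the situation the thread ended up correcting by moving currentuser into the same OU.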

Julie (Senior Analyst/Programmer, Author) commented:
The email setup is as we want it, the right people can "Send As" and we've added another Accepted Domain without problem.

Thanks to everyone who contributed.

Julie
Julie (Senior Analyst/Programmer, Author) commented:
The solution was to ensure both the original account and the "Send As" account are in the same Active Directory OU, and, in addition, we removed the condition on the E-mail Address policy since only those users we've explicitly granted permission to would access the desired account.

Comments were extremely useful, particularly regarding troubleshooting replication, but they didn't resolve the issue in this case.