Exchange, GAL, AD, disabled users, several questions

Our environment is Windows Server 2012 R2 domain @ 2008 DFL/FFL with Exchange 2013.

When we disable a user in AD, email does not bounce and I would expect it to.  I think it's because we are at 2008 DFL/FFL.  To test this, I logged into another domain I manage that is 2012 R2 DFL/FFL and tested.  When I disable users there, the mail bounces.

In my 2008 DFL/FFL I have to manually disable the mailbox before mail bounces.  

So, my question is, is something broken?  In a 2008 DFL/FFL domain with Exchange 2013, should mail bounce when a user is disabled in AD?  Must I manually disable the mailbox as well?  Why?  This seems counterintuitive, as I clearly recall that disabling a user in AD killed access to everything in earlier versions of Windows.




I was under the impression that this behaviour changed back in Exchange 2003 and hadn't spotted anything about 2013 reverting back to generating an NDR for disabled user accounts.
Amit KumarCommented:

By default, if you disable an account in AD, mail will not bounce until you also disable the mailbox. This happens in almost all Exchange versions.

This is also as expected, because sometimes we have users from the Legal/Marketing/Sales departments who leave the company but still have transactions in progress, so vendors can still send e-mail to the old employee. In this case we usually disable the account in AD so that no one can access his/her mailbox (for authenticity purposes), but we configure mail forwarding to his/her superior or to the new joiner.

When we are sure that no more transactions are being made to the old employee, then we disable the mailbox.
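An audit for exactly the state Amit describes (AD account disabled, mailbox still live and receiving mail), as an added example that is not from the thread; it assumes the Exchange Management Shell and the standard Get-Mailbox and Get-User properties, and it only reports, changing nothing.

```powershell
# Added example, not from the thread: list mailboxes whose AD account is
# disabled but which are still mailbox-enabled (so still accepting mail),
# and flag those with no forwarding configured for review.
# Assumption: Get-Mailbox exposes AccountDisabled, ForwardingAddress and
# ForwardingSmtpAddress, and Get-User exposes UserAccountControl, as on
# Exchange 2010/2013.

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Only mailboxes whose linked AD account is disabled are interesting
    if (-not $mbx.AccountDisabled) { continue }

    $hasForwarding = ($null -ne $mbx.ForwardingAddress) -or
                     ($null -ne $mbx.ForwardingSmtpAddress)

    # Cross-check the account state directly from AD in case the
    # Exchange-side attribute is stale
    $adUser     = Get-User -Identity $mbx.Identity
    $adDisabled = [string]$adUser.UserAccountControl -match 'AccountDisabled'

    [PSCustomObject]@{
        DisplayName       = $mbx.DisplayName
        PrimarySmtp       = $mbx.PrimarySmtpAddress
        AdAccountDisabled = $adDisabled
        MailboxEnabled    = $true   # it was returned by Get-Mailbox
        Forwarding        = $hasForwarding
        ForwardTo         = if ($mbx.ForwardingAddress) { $mbx.ForwardingAddress }
                            else { $mbx.ForwardingSmtpAddress }
        Recommendation    = if ($hasForwarding) { 'Keep: intentional forwarding' }
                            else { 'Review: live mailbox on disabled account' }
    }
}

# Show the ones needing a decision first
$report | Sort-Object Recommendation, DisplayName | Format-Table -AutoSize

# Keep a record for the change ticket
$report | Export-Csv -Path .\disabled-accounts-live-mailboxes.csv -NoTypeInformation
```

Mailboxes flagged "Review" are the ones where a disabled user can still receive mail with nobody reading it; the usual fix is either Set-Mailbox with a forwarding address or Disable-Mailbox, as the thread discusses.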

crp0499CEOAuthor Commented:
I'm sorry to be a pain, but I have a domain that is 2012 R2 and Exchange 2013.  When I disable the user in AD, mail bounces immediately without having to interact with Exchange.

In the domain that is the subject of this post, that does not happen.

That "difference" has me confused.  In all previous domains I have managed with, say, 2008 and Exchange 2010, disabling the AD account also bounces the mail.
Amit KumarCommented:
No, it can't be true, as I have Exchange 2010 with 2008 R2 and we have a lot of accounts disabled, but the mailboxes are live and mails are not bouncing back.

Do one thing: when you disable an AD account in the Windows 2012 R2 domain with Exchange 2013, try to check whether the mailbox still exists.

You can use the EAC or try the command below:

Get-Mailbox -Identity UserName | Format-Table Name,SamAccountName,PrimarySmtpAddress
For the domain that you get the NDR messages for, are there any transport rules set up?
Could you maybe post the exact NDR message you are getting?
crp0499CEOAuthor Commented:
I understand your wonder.  I'm wondering too.  In domain one, when I disable the user in AD, mail bounces immediately, but the user still shows in the GAL.  My NDR says the user does not exist.

In domain two, when I disable the user, the mail does not bounce.  It's really got me baffled.
crp0499CEOAuthor Commented:
Camy, no transport rules.  The NDR says the user does not exist, for the domain that is working properly.
Amit KumarCommented:
If the NDR says the user does not exist, that means you are disabling the mailbox, not the account in AD. Please explain the steps you take to disable the account in Windows 2012 + Exchange 2013.
crp0499CEOAuthor Commented:
Amit, that's my point: I am ONLY going into AD, right-clicking the user and disabling the account.  I am not disabling the mailbox.

That works as expected in my test domain.

In my real domain, when I disable the user, the mail does not bounce.  To me, that is wrong and that is what I'm trying to figure out.
Until you figure it out, it might also be worth considering why it works as you expect in the test domain, given our expectation that it's actually the real domain that is "working correctly". This might help you understand what is going on so you can configure the real domain as you wish.
crp0499CEOAuthor Commented:
Well, in my idle time, I hit two more domains that I manage and it works the same there.  Disabling a user in AD bounces the email.

I mean if you think about it, that's how it should work and that's the only way I've ever seen it work.  To think that I can have a mailbox attached to a disabled user still receive email is just crazy.  This really has me stumped.

I guess to spin it the other way, to think that I have to go to two places to kill a user is just nuts.
Amit KumarCommented:
Before anything else, just to be clear: if the account is disabled in AD and the mailbox is live, then mail won't get bounced. This is how Exchange works.
crp0499CEOAuthor Commented:
Amit, I completely understand what you are saying, hence my post.  

I have logged into three domains I manage...all running 2012 R2 and Exchange 2013 and when I disable a user in AD, mail bounces.

I am onsite with a 2012 R2 domain and Exchange 2013 and when I disable a user, mail does not bounce.  The ONLY difference is all three domains working as they should are all 2012 R2 DFL/FFL.  The one domain NOT working right is 2008 DFL/FFL.

I'm thinking that's the difference.
Amit KumarCommented:
Can you explain more about DFL/FFL?
crp0499CEOAuthor Commented:
Domain Functional Level and Forest Functional Level

In the domains where the DFL and FFL are 2012 R2, disabling a user in AD causes mail to bounce.  Verified on three diff domains.

In the domain where DFL and FFL is 2008 only, this is not the case.  I have to disable in both places.
Amit mentioned this above, but what do the mailboxes look like in Exchange after you disabled the user account? Visible? Disconnected?
Maybe I'm just showing my ignorance of 2012 compared to earlier versions, but I think I'm a bit stumped!

I know you said the only difference was the DFL/FFL, but is Exchange patched to the same level on the domains too?
crp0499CEOAuthor Commented:
Patch levels might be off by a bit, but pretty close.

In all four domains, the mailboxes show enabled.

The site I am at right now, the one that's not working like I think it should, the mailbox shows enabled, but the user is disabled in AD and mail does not bounce.

In the other three sites, the user is disabled, the mailbox is enabled, but mail bounces.   The NDR says the user does not exist, which is correct and what I expect.  If the user is disabled in AD, then the user should not get mail or access to any other AD-related resources.  This is how it works in every domain I've ever set up.

Now I arrive here today to this domain, which I did not set up, and I can send mail to any disabled user and I get no bounce.  That's just crazy.  I'm going to up the DFL/FFL here and see if that makes a difference.
crp0499CEOAuthor Commented:
OK, mystery solved.  I bumped up the domain functional level and forest functional level, and now when I disable a user in AD, the mail bounces immediately without me having to do anything to the mailbox.

thanks for the sounding board guys.  I'll split the points.

Glad you got to the bottom of it, and I'll keep that in mind for the future.
I suspect I might Google this another couple of times to see if I can find any more information on it!
crp0499CEOAuthor Commented:
Camy - yes!  It's VERY confusing for me, as EVERYONE on the planet tells me that's not right.  Everyone says I have to disable in two places, both AD and the mailbox, so I'm really freaking out, but at least I'm getting consistent performance across the board.
crp0499CEOAuthor Commented:
Once the DFL and FFL were raised to 2012 R2, disabling a user account in AD caused the mail to bounce as expected.