crp0499 (United States) asked:
Exchange, GAL, AD, disabled users, several questions

Our environment is Windows Server 2012 R2 domain @ 2008 DFL/FFL with Exchange 2013.

When we disable a user in AD, email does not bounce and I would expect it to.  I think it's because we are at 2008 DFL/FFL.  To test this, I logged into another domain I manage that is 2012 R2 DFL/FFL and tested.  When I disable users there, the mail bounces.

In my 2008 DFL/FFL I have to manually disable the mailbox before mail bounces.  

So, my question is, is something broken?  In a 2008 DFL/FFL domain with Exchange 2013, should mail bounce when a user is disabled in AD?  Must I manually disable the mailbox as well?  Why?  This seems counterintuitive, as I clearly recall that disabling a user in AD killed access to everything in earlier versions of Windows.

Thoughts?

Thanks

Cliff
SOLUTION (Camy, United Kingdom)

SOLUTION
crp0499 (ASKER):
I'm sorry to be a pain, but I have a domain that is 2012 R2 and Exchange 2013.  When I disable the user in AD, mail bounces immediately without having to interact with Exchange.

In the domain that is the subject of this post, that does not happen.

That "difference" has me confused.  In all previous domains I have managed, with say 2008 and Exchange 2010, disabling the AD account also bounces the mail.

No, that can't be true. I have Exchange 2010 with 2008 R2 and we have a lot of accounts disabled, but the mailboxes are live and mail is not bouncing back.

Do one thing: when you disable the AD account in the Windows 2012 R2 domain with Exchange 2013, check whether the mailbox still exists.

You can use the EAC or try the command below:

Get-Mailbox -Identity UserName | Format-Table Name,SamAccountName,PrimarySmtpAddress
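The check suggested above only tells you whether a mailbox object exists. What a practitioner chasing this symptom actually wants to see side by side is the AD account state, the Exchange mailbox state, and what transport did with mail addressed to that user. The following script is an added example written for this page, not code posted in the thread; it is meant to be run from the Exchange Management Shell on an Exchange 2013 server with the ActiveDirectory RSAT module installed. The parameter names, the placeholder sender address and the lookback window are assumptions.

```powershell
# Added example (not from the thread): compare the AD account state with the Exchange
# mailbox state for one user, then show what transport did with recent mail to that user.
# Run in the Exchange Management Shell; requires the ActiveDirectory RSAT module.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$LookbackMinutes = 60     # assumption: how far back to search the tracking logs
)
Import-Module ActiveDirectory

# 1. AD side: is the account disabled? msExchUserAccountControl is the Exchange schema
#    attribute that normally mirrors the account-disabled bit (2 = disabled, 0 = enabled).
$adUser = Get-ADUser -Identity $SamAccountName -Properties Enabled, msExchUserAccountControl, mail

# 2. Exchange side: does the mailbox still exist, and is it connected to the account?
$mbx   = Get-Mailbox -Identity $SamAccountName -ErrorAction SilentlyContinue
$stats = $null
if ($mbx) { $stats = Get-MailboxStatistics -Identity $mbx.Identity -ErrorAction SilentlyContinue }

$addr = if ($mbx) { $mbx.PrimarySmtpAddress.ToString() } else { $adUser.mail }

[pscustomobject]@{
    SamAccountName           = $adUser.SamAccountName
    ADEnabled                = $adUser.Enabled
    msExchUserAccountControl = $adUser.msExchUserAccountControl
    MailboxExists            = [bool]$mbx
    PrimarySmtpAddress       = $addr
    RecipientTypeDetails     = if ($mbx)   { $mbx.RecipientTypeDetails } else { $null }
    Disconnected             = if ($stats) { $null -ne $stats.DisconnectDate } else { $null }
    DisconnectReason         = if ($stats) { $stats.DisconnectReason } else { $null }
} | Format-List

# 3. Transport side: what happened to mail sent to this recipient recently?
#    EventId DELIVER = it reached the mailbox; FAIL = an NDR was generated (the "bounce").
Get-TransportService |
    Get-MessageTrackingLog -Recipients $addr -Start (Get-Date).AddMinutes(-$LookbackMinutes) |
    Where-Object { $_.EventId -in 'RECEIVE', 'DELIVER', 'FAIL' } |
    Select-Object Timestamp, EventId, Sender, RecipientStatus, MessageSubject |
    Sort-Object Timestamp |
    Format-Table -AutoSize
```

Run it once against a disabled user in the domain that bounces and once in the domain that does not, send a test message in between, and compare the three sections. If both domains show ADEnabled = False and MailboxExists = True but only one logs a FAIL event, the difference is in how Exchange evaluates the recipient, not in whether the mailbox was removed.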
For the domain that you get the NDR messages for, are there any transport rules set up?
Could you maybe post the exact NDR message you are getting?

crp0499 (ASKER):
I understand your wonder.  I'm wondering too.  In domain one, when I disable the user in AD, mail bounces immediately, but the user still shows in the GAL.  My NDR says the user does not exist.

In domain two, when I disable the user, the mail does not bounce.  It's really got me baffled.
crp0499 (ASKER):

Camy, no transport rules.  The NDR says the user does not exist for the domain that is working properly.

If the NDR says the user does not exist, that means you are disabling the mailbox, not the account in AD. Please explain the steps you follow to disable the account in Windows 2012 + Exchange 2013.

crp0499 (ASKER):

Amit, that's my point: I am ONLY going into AD, right-clicking the user and disabling the account.  I am not disabling the mailbox.

That works as expected in my test domain.

In my real domain, when I disable the user, the mail does not bounce.  To me, that is wrong and that is what I'm trying to figure out.
Until you figure it out, it might also be worth considering why it works as you expect in the test domain, given our expectation that it's actually the real domain that is "working correctly". This might help understand what is going on so you can configure the real domain as you wish.

crp0499 (ASKER):
Well, in my idle time, I hit two more domains that I manage and it works the same there.  Disabling a user in AD, bounces the email.  

I mean if you think about it, that's how it should work and that's the only way I've ever seen it work.  To think that I can have a mailbox attached to a disabled user still receive email is just crazy.  This really has me stumped.

I guess to spin it the other way, to think that I have to go to two places to kill a user is just nuts.
Before anything else, just to be clear: if the account is disabled in AD and the mailbox is live, then mail won't get bounced. This is how Exchange works.

crp0499 (ASKER):
Amit, I completely understand what you are saying, hence my post.  

I have logged into three domains I manage...all running 2012 R2 and Exchange 2013 and when I disable a user in AD, mail bounces.

I am onsite with a 2012 R2 domain and Exchange 2013 and when I disable a user, mail does not bounce.  The ONLY difference is that all three domains working as they should are at 2012 R2 DFL/FFL.  The one domain NOT working right is at 2008 DFL/FFL.

I'm thinking that's the difference.

Can you explain more about DFL/FFL?

crp0499 (ASKER):
Domain Functional Level and Forest Functional Level

In the domains where the DFL and FFL are 2012 R2, disabling a user in AD causes mail to bounce.  Verified on three diff domains.

In the domain where DFL and FFL is 2008 only, this is not the case.  I have to disable in both places.
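Since the functional level is the one variable the asker has isolated, the first thing to establish on the non-bouncing domain is what the levels actually are and whether they can be raised at all. The script below is an added example for this page, not code from the thread; it assumes the ActiveDirectory RSAT module and an account with Domain Admin and Enterprise Admin rights. It only reports and previews (`-WhatIf`); the thread reports that raising the levels changed the NDR behaviour but does not explain why, so the script makes no claim about the mechanism.

```powershell
# Added example (not from the thread): report the domain and forest functional levels,
# confirm every DC can support the Windows2012R2 level, then preview the raise with -WhatIf.
# Raising a functional level is planned as a one-way change: take a system-state backup of
# a DC and confirm with the Exchange/AD owners before removing -WhatIf.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain {0}: DomainMode = {1}" -f $domain.DNSRoot, $domain.DomainMode
"Forest {0}: ForestMode = {1}" -f $forest.Name, $forest.ForestMode

# Every DC in every domain of the forest must run Windows Server 2012 R2 (NT 6.3) or later
# before the forest can be raised to Windows2012R2Forest.
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$dcs | Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion | Format-Table -AutoSize

# OperatingSystemVersion looks like "6.3 (9600)"; keep only the major.minor part for comparison.
$tooOld = $dcs | Where-Object {
    [version]($_.OperatingSystemVersion.Split(' ')[0]) -lt [version]'6.3'
}
if ($tooOld) {
    "Cannot raise to Windows Server 2012 R2 level; these DCs are too old:"
    $tooOld | Select-Object HostName, Domain, OperatingSystem | Format-Table -AutoSize
    return
}

# Preview only. Raise the domain first; the forest level requires every domain in the
# forest to already be at that level.
Set-ADDomainMode -Identity $domain -DomainMode Windows2012R2Domain -WhatIf
Set-ADForestMode -Identity $forest -ForestMode Windows2012R2Forest -WhatIf
```

After the change, rerun `Get-ADDomain` and `Get-ADForest` and allow replication to complete before retesting mail to a disabled user; a test sent before every DC has the new level can produce a result that does not reflect the final state.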
Amit mentioned this, but what do the mailboxes look like in Exchange after you disabled the user account? Visible? Disconnected?
Maybe I'm just showing my ignorance of 2012 compared to earlier versions, but I think I'm a bit stumped!

I know you said the only difference was the DFL/FFL, but is Exchange patched to the same level on the domains too?

crp0499 (ASKER):
Patch levels might be off by a bit, but pretty close.

In all four domains, the mailboxes show enabled.  

The site I am at right now, the one that's not working like I think it should, the mailbox shows enabled, but the user is disabled in AD and mail does not bounce.

In the other three sites, the user is disabled, the mailbox is enabled, but mail bounces.   The NDR says the user does not exist, which is correct and what I expect.  If the user is disabled in AD, then the user should not get mail or access to any other AD-related resources.  This is how it works in every domain I've ever set up.  

Now I arrive here today to this domain, which I did not set up, and I can send mail to any disabled user and I get no bounce.  That's just crazy.  I'm going to up the DFL/FFL here and see if that makes a difference.
ASKER CERTIFIED SOLUTION

Glad you got to the bottom of it, and I'll keep that in mind for the future.
I suspect I might Google this another couple of times to see if I can find any more information on it!

crp0499 (ASKER):
Camy - yes!  It's VERY confusing for me as EVERYONE on the planet tells me that's not right.  Everyone says I have to disable in two places, both AD and the mailbox so I'm really freaking out, but at least I'm getting consistent performance across the board.
crp0499 (ASKER):
Once the DFL and FFL were raised to 2012 R2, disabling a user account in AD caused the mail to bounce as expected.