This article provides the information you need to configure Microsoft Exchange Server 2007 with multiple address lists, so that different groups of users each have their own address list, and to secure those address lists so that each group can see only its own list.
Note: This is officially not supported in Exchange 2007, but it is supported by Microsoft in Exchange 2010 SP2, which was released yesterday. Before going with Exchange 2010 I wanted to try it with Exchange 2007 in my lab, and finally did it.
Note: Please do not try this in Exchange Server 2010. If you try to apply these steps in an Exchange 2010 environment, significant issues may occur, and it may not be possible to resolve them.
Domain Name: Exmailservice.com
DC : Exch-dc-01
Exchange server 2007: Exch32-Srv-01 (all three roles installed)
Domain Name: Lab01.com
Here we assume that the Exmailservice.com domain has acquired Lab01.com. Lab01.com has no Exchange server, whereas Exmailservice.com already has Exchange Server 2007 installed. So we are going to use the linked mailbox concept here and then segregate the GAL for security reasons.
I've created a forest trust between the two domains and I'm able to create linked mailboxes, but when I logged in as a Lab01.com user, that user was also able to see the address lists of the Exmailservice.com domain, as you can see here:
Here I logged in using the Lab01 domain user (first user), who is also able to see the Exmailservice.com address lists, which is not recommended by our security team.
To achieve this we are going to follow the steps below:
1. Configuring a Segregated Organization
2. Adding a Segregated Company to the Environment
3. Adding a New User to the Environment
4. Post User Creation Steps
1. Configuring a Segregated Organization:
By default, users in Exchange Server 2007 can see all the address lists. You must create separate address lists, a GAL and an offline address list, and use filters to assign each of them to the appropriate users.
Preparing Your Environment for Segregated Exchange:
Set the dsHeuristics value
Create an Organizational Unit to contain all segregated virtual organization OUs
Modify permissions on the All Address Lists container
Delete the default Address Lists
Restrict Access to the Default Global Address List
Restrict Access to the Offline Address Lists container
Create a Security Group for all Hosted Groups
Set dsHeuristics Value:
Expand CN=Windows NT.
Select CN=Directory Service.
Right click CN=Directory Service and click Properties.
Select the attribute dsHeuristics.
Set value to 001
Create an Organizational Unit to contain all segregated virtual organization OUs:
Start Active Directory Users and Computers.
In the left pane, right-click your domain (the very top object).
Click New, and select Organizational Unit.
Type Companies, and click OK.
Modify permissions on the All Address Lists container:
Delete the default Address Lists:
To delete the default address lists, use the commands below:
Remove-AddressList "All Contacts"
Remove-AddressList "All Groups"
Remove-AddressList "All Rooms"
Remove-AddressList "All Users"
Remove-AddressList "Public Folders"
Restrict Access to the Default Global Address List:
To use the Exchange Management Shell to modify the security permissions on the Default Global Address List for the Authenticated Users group, run the following command:
Get-GlobalAddressList "Default Global Address List" | Add-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$True
Restrict Access to the Offline Address Lists Container:
To use the Exchange Management Shell to modify the security permissions on the Offline Address Lists container for the Authenticated Users group, first store the container DN in a variable and then remove the download right:
$oabContainer = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft
Remove-ADPermission $oabContainer -User "NT AUTHORITY\Authenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'
To verify this you can run this command:
Get-ADPermission $oabContainer -user "authenticated users"
The output should be like this:
Identity              User                    Deny    Rights
Offline Address L…    NT AUTHORITY\Auth…      False   ms-Exch-Download-OAB
Offline Address L…    NT AUTHORITY\Auth…      False   ListChildren
Offline Address L…    NT AUTHORITY\Auth…      True    ReadProperty
Create a Security Group for all Hosted Groups:
If you have already created this group manually using the GUI, please make sure it is a Security group.
Use the command below to create a new security group:
New-DistributionGroup -Name "All Hosted Groups SG" -OrganizationalUnit "Exmailservice.com/Companies" -SamAccountName "AllHostedGroupsSG" -Alias "AllHostedGroupsSG" -Type "Security"
To take away this group's default read access on the Address Lists container (the command adds a Deny entry), run the command below:
Add-ADPermission -Identity "CN=Address Lists Container,CN=Exmailservice,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Exmailservice,DC=com" -User "All Hosted Groups SG" -AccessRights GenericRead -Deny
Note: You must modify the example DN to reflect the DN of your Address Lists container. Normally only the "DC" entries need to be modified if Exchange was installed with the default organization name.
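The dsHeuristics step above gives only the value 001 and no command. As an added example (not from the original post), the Exchange Management Shell snippet below sets that attribute and then checks the Deny entry created on the Default Global Address List. It assumes an account with write access to the Configuration partition; the [ADSI] path used is the standard location of the Directory Service object. dsHeuristics is a positional string and the third character is the one that enables List Object mode (what 001 means), so the function changes only that character instead of overwriting the whole string, which would silently discard any other heuristics already set in the forest.

```powershell
# Added example, not part of the original post. Assumes an account that can write to
# the Configuration naming context and that the Exchange Management Shell is loaded.

function Set-DsHeuristicsListObject {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.configurationNamingContext
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    $current = [string]$dsObject.dsHeuristics
    if ([string]::IsNullOrEmpty($current)) { $current = "" }
    # Unset positions count as "0"; pad so that position 3 exists.
    $current = $current.PadRight(3, '0')

    if ($current[2] -eq '1') {
        Write-Host "List Object mode already enabled (dsHeuristics = $current)"
        return $current
    }
    # Change only the third character; everything else in the string is preserved.
    $new = $current.Substring(0, 2) + '1' + $current.Substring(3)
    $dsObject.Put("dsHeuristics", $new)
    $dsObject.SetInfo()
    Write-Host "dsHeuristics changed from '$current' to '$new'"
    return $new
}

# Checks that Authenticated Users really carry a Deny for Open-Address-Book on the
# Default GAL (the entry the Add-ADPermission step above creates).
function Test-GalDenyForAuthenticatedUsers {
    $entries = Get-GlobalAddressList "Default Global Address List" |
        Get-ADPermission -User "NT AUTHORITY\Authenticated Users"
    $deny = $entries | Where-Object {
        $_.Deny -and ("$($_.ExtendedRights)" -like "*Open-Address-Book*")
    }
    if ($deny) {
        Write-Host "OK: Authenticated Users are denied Open-Address-Book on the Default GAL"
        return $true
    }
    Write-Host "MISSING: no Deny entry found; Lab01 users will still see the default GAL"
    return $false
}

Set-DsHeuristicsListObject
Test-GalDenyForAuthenticatedUsers
```

Run Test-GalDenyForAuthenticatedUsers again after the Update-GlobalAddressList step at the end; a missing Deny is the usual reason a segregated user still sees the full GAL in Outlook.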
2. Adding a Segregated Company to the Environment:
Create an Organizational Unit for the Company
Start Active Directory Users and Computers.
In the left pane, select the Companies OU.
Right-click the Companies OU.
Click New, and select Organizational Unit.
Type Lab01, and click OK.
Adding a UPN Suffix:
Adding a new UPN suffix allows users of the new company to log on with a different UPN address from the one used in the domain.
Start Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts (not your domain name) and select Properties.
On the Alternative UPN Suffixes tab, type Lab01, click Add, and click OK.
Modify the UPN Suffix attribute:
By modifying the upnSuffix attribute, you limit the domain dropdown list when creating new users in Active Directory. The list will only include the UPN of the original domain and the new suffix added below.
Expand the Domain Naming Context.
Right click the OU and select Properties.
Select the upnSuffixes attribute and click Edit.
Enter the new company UPN suffix and click Add (Example: Lab01.com).
Click OK two times to close out of the properties.
Configure an accepted domain:
You must configure an accepted domain before that SMTP namespace can be used in an e-mail address policy.
MS recommends: Accepted domains are configured on computers that have the Hub Transport server role installed and on computers that have the Edge Transport server role installed. We recommend that you configure accepted domains only on the Hub Transport server role and then populate that data on the Edge Transport server by using the Edge Subscription process.
After you configure the accepted domain, you must verify that a public Domain Name System (DNS) mail exchange (MX) resource record for that SMTP namespace exists and that the MX resource record references a server name and an IP address that is associated with the Exchange organization.
Create a new e-mail address policy:
For a recipient to receive or send e-mail messages, the recipient must have an e-mail address. E-mail address policies generate the primary and secondary e-mail addresses for your recipients (which include users, contacts, and groups) so they can receive and send e-mail.
Use the command below to create the new e-mail address policy:
Here we are filtering the recipients by their company name. In this scenario, if a user's company name is equal to Lab01, this address policy applies to them.
As you can see in the figures above, if the company name is set to Lab01, their primary e-mail address will look like the one in the second picture.
Create a new address list:
Run the following command to create Lab01 address list:
New-AddressList -Name "Lab01 AL" -Container "\" -IncludedRecipients AllRecipients -ConditionalCompany "Lab01"
Modify the permissions on the address list:
Important: While failure to perform this step will not allow users from one company to see the users of another company, it will allow them to see the names of the address book entries for every company from within Outlook. This will mean that all segregated users will be aware of the names of the other segregated groups in the organization.
Run below commands to achieve this:
Get-AddressList "Lab01 AL" | Remove-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights "open address list" -Deny:$false
Get-AddressList "Lab01 AL" | Add-ADPermission -User "Lab01 SG" -ExtendedRights "open address list"
Create a new Global Address List:
GALs define a set of rules for looking up users in a global address book, for example by alias name, long name, group name, and so on. Use the following procedure to create a GAL for the organizational unit Lab01.
Create a new offline address list for Lab01 users:
To create an OAB that uses Web-based distribution for clients running Outlook 2007, run the following command:
New-OfflineAddressBook -Name "Lab01 OAB" -Server exch32-srv-01 -AddressLists "Lab01 AL" -VirtualDirectories "exch32-srv-01\OAB (Default Web Site)"
Note: If you configure OABs to use public folder distribution, but your organization does not have any public folder infrastructure, you will receive a warning or an error resembling the following: WARNING: Your organization does not have a public folder tree. Only Outlook 2007 or later can access offline address books from a web-based distribution point, if one is configured.
To create an OAB that uses public folder distribution for clients running Outlook 2003 or earlier, run the following command instead:
New-OfflineAddressBook -Name "Lab01 OAB" -Server exch32-srv-01 -AddressLists "Lab01 AL" -VirtualDirectories "exch32-srv-01\OAB (Default Web Site)" -PublicFolderDistributionEnabled $true
Modifying the offline address list permission:
Use the following procedure to set the appropriate permissions on the Lab01 OAB. After you perform this procedure, only users who are members of the Lab01 security group will be able to access the offline address list.
Get-OfflineAddressBook "Lab01 OAB" | Add-ADPermission -User 'Lab01 SG' -ExtendedRights 'ms-Exch-Download-OAB' -Deny:$false
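Several commands in this step (the accepted domain, the e-mail address policy, the "Lab01 SG" group that the permission commands reference, and the "Lab01 GAL" that the update step later refreshes) are only described or shown in screenshots. The following is an added example, not the original post's commands, that runs them with the Exchange 2007 cmdlets. The accepted-domain and policy names, the lab01.com SMTP namespace, and the nesting of "Lab01 SG" inside "All Hosted Groups SG" are assumptions for this lab; every filter uses the Company attribute, as the post does.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell on
# the Hub Transport server after the Lab01 OU exists under Companies.
$company    = "Lab01"
$smtpDomain = "lab01.com"          # assumed SMTP namespace for the Lab01 company

# 1. Accepted domain, so the namespace can be used in an e-mail address policy.
New-AcceptedDomain -Name "$company Accepted Domain" -DomainName $smtpDomain -DomainType Authoritative

# 2. Security group that the address list and OAB permissions are granted to.
#    Assumption: each company group is nested in "All Hosted Groups SG", which carries the
#    Deny on the Address Lists container, while the explicit Allow on the company's own
#    list (set above) still lets members open that one list.
New-DistributionGroup -Name "$company SG" -OrganizationalUnit "Exmailservice.com/Companies/$company" `
    -SamAccountName "${company}SG" -Alias "${company}SG" -Type Security
Add-DistributionGroupMember -Identity "All Hosted Groups SG" -Member "$company SG"

# 3. E-mail address policy keyed on the Company attribute; users stamped with
#    Company = Lab01 get a primary address in the new namespace.
New-EmailAddressPolicy -Name "$company EAP" -IncludedRecipients MailboxUsers `
    -ConditionalCompany $company -EnabledPrimarySMTPAddressTemplate "@$smtpDomain" -Priority 1
Update-EmailAddressPolicy "$company EAP"

# 4. Global Address List with the same filter, then the same deny/allow pattern the post
#    applies to the Default GAL and to the address list.
New-GlobalAddressList -Name "$company GAL" -IncludedRecipients MailboxUsers -ConditionalCompany $company
Get-GlobalAddressList "$company GAL" | Add-ADPermission -User "Authenticated Users" `
    -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$True
Get-GlobalAddressList "$company GAL" | Add-ADPermission -User "$company SG" `
    -AccessRights GenericRead -ExtendedRights Open-Address-Book

# Quick check of what was created for this company.
Get-AcceptedDomain | Where-Object { $_.DomainName -eq $smtpDomain } | Format-List Name, DomainType
Get-GlobalAddressList "$company GAL" | Format-List Name, RecipientFilter
```

The Deny for Authenticated Users on the new GAL matters as much as the Allow: without it every mailbox user in the forest can browse the Lab01 GAL, even though the Default GAL was already locked down.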
3. Adding a new user to the environment:
Create a mailbox for the new user.
To use the Exchange Management Shell to add a single member to a distribution group:
Modify the specific filter attribute:
Use one of the following commands to modify the attribute that is used to identify the user(s) of the virtual company (Company in this document's examples).
For a single user:
Set-Mailbox "seconduser" -Company "Lab01"
For multiple users:
Get-Mailbox -OrganizationalUnit "Lab01" | Set-Mailbox -Company "Lab01"
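The mailbox creation and group membership commands for this step are not shown above. As an added example (not the original post's commands), the snippet below creates the linked mailbox for the Lab01.com user, adds it to the company security group, stamps the Company attribute, and then previews which mailboxes the Company filter will pick up before the address lists are updated in step 4. The Lab01 domain controller name, the mailbox database path and the "seconduser" account are assumptions for this lab.

```powershell
# Added example, not part of the original post. Assumes the forest trust is in place and
# that $linkedCred is a Lab01 account allowed to read the Lab01.com directory.
$user       = "seconduser"
$company    = "Lab01"
$linkedCred = Get-Credential          # enter LAB01\<account> and its password

# Linked mailbox: the mailbox lives in Exmailservice.com, the logon account in Lab01.com.
New-Mailbox -Name $user -Alias $user -UserPrincipalName "$user@lab01.com" `
    -OrganizationalUnit "Exmailservice.com/Companies/$company" `
    -Database "Exch32-Srv-01\First Storage Group\Mailbox Database" `
    -LinkedDomainController "lab01-dc-01.lab01.com" `
    -LinkedMasterAccount "LAB01\$user" -LinkedCredential $linkedCred

# Membership of the company group is what grants Open-Address-Book and OAB download.
Add-DistributionGroupMember -Identity "$company SG" -Member $user

# The Company attribute drives the address list, GAL and address policy filters.
Set-Mailbox $user -Company $company

# Preview: mailboxes the filter will include, and current members of the group.
Get-Mailbox -Filter "Company -eq '$company'" | Format-Table Name, Company, PrimarySmtpAddress
Get-DistributionGroupMember "$company SG" | Format-Table Name, RecipientType
```

A mailbox that appears in the first table but not in the second will receive the Lab01 addresses and land in the Lab01 lists, yet its user will be unable to open them in Outlook; that mismatch is the usual cause of "empty address book" reports after segregation.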
4. Post user creation steps:
When the user creation steps above have been taken, the following processes must be run to update the Address List, GAL and OAB, and to redistribute content and re-stamp files with the appropriate permissions:
· Update Address List
· Update Global Address List
· Update Offline Address Book
· Redistribute content and re-stamp files with new permissions
Use the commands below to update all the address lists:
Update-AddressList "Lab01 AL"
Update-GlobalAddressList "Lab01 GAL"
Update-OfflineAddressBook "Lab01 OAB"
Update-FileDistributionService "exch32-srv-01" -Type OAB
After logging in as the second user, who is part of the Lab01 domain, we can only see the address list of users who are part of the same (Lab01.com) domain.
Comparison between before GAL segregation and after GAL segregation:
As you can see, the top part of the figure shows the address list of the Exmailservice domain, which is no longer shown after our GAL segregation in the bottom part of the figure.
I hope you enjoyed reading this; please give us your valuable feedback.
Installation of "Microsoft Exchange Server 2007 Service Pack 3 Unified Messaging Language Packs" caused us an issue which I would like to share.
After installing this patch, the user's language preference changed to English. Whoever calls the extension hears English.
After going through the basic steps, such as disabling and re-enabling UM in French for the user and resetting the PIN, nothing worked.
At last, one of my colleagues helped to get this sorted out, asking me to follow this action plan:
1. Log in to OWA.
2. Log into their mailbox.
3. Click the Options button in the top right corner.
4. Click the Regional Settings option in the right pane.
5. In the Language field, have them make sure it is set to their preferred language.
6. Make sure they hit the Save button after they have changed it.
7. Log out.
It is a known issue that mail flow to certain domains does not work if your Exchange Server 2007 satisfies the following conditions:
* OS: Windows Server 2008
* Exchange: Exchange 2007
I tried the following steps and ended up finding a few things:
1. Mail flow works to all domains except a few.
2. When you smart host to that particular domain, the mail goes through.
3. When you telnet and drop a mail to the remote domain, the mail goes through.
This can be resolved by installing the hotfix:
Mail flow to certain domains does not work when you run Exchange Server 2007 on a Windows Server 2008-based computer
Reason: When a mail is generated to a remote domain (the problematic domain), the server queries for the AAAA record, which is odd.
You can test this by running a Netmon trace.
So it is obvious that the mail will not go through, because the remote server does not respond to the AAAA record query.
At times installing the hotfix won't fix the problem. In that case, just create a new send connector and add the remote server IP as a smart host for the time being.
This also happened to me with Exchange Server 2010 as well.
Resolution: The Watchguard firewall has two options for SMTP mail: SMTP Proxy and SMTP Packet Filter. The default choice, when a user first sets up mail, is the SMTP Proxy. Change to SMTP Packet Filter, and that should resolve the issue.
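As an added example (not from the original post), the commands below reproduce the AAAA lookup the server makes, so you can see whether the remote side answers it at all, and then build the temporary send connector the post suggests, routing only that one domain through a smart host. The remote domain, its MX host and the smart host IP are constructed placeholders.

```powershell
# Added example, not part of the original post. Placeholder names; substitute the
# problematic domain and the IP of its mail server.
$remoteDomain = "remote.example"
$remoteMx     = "mail.remote.example"
$smartHostIp  = "192.0.2.25"

# 1. Reproduce the lookups outside Exchange. A server that never answers the AAAA
#    query (a timeout, rather than a clean "no record" reply) is the symptom described.
nslookup -type=MX   $remoteDomain
nslookup -type=AAAA $remoteMx

# 2. Temporary workaround: a dedicated send connector for this one address space.
#    DNS routing must be switched off when a smart host is used, and the cost of 1
#    makes this connector win over the general Internet connector for this domain only.
New-SendConnector -Name "Workaround - $remoteDomain" -Usage Custom `
    -AddressSpaces "SMTP:$remoteDomain;1" `
    -SmartHosts $smartHostIp -SmartHostAuthMechanism None -DNSRoutingEnabled $false `
    -SourceTransportServers "Exch32-Srv-01"

# 3. Check the connector is scoped as intended before sending a test message.
Get-SendConnector "Workaround - $remoteDomain" | Format-List Name, AddressSpaces, SmartHosts, DNSRoutingEnabled
```

Keep the address space limited to the affected domain; a smart-host connector with a broad address space silently moves all outbound mail off DNS routing and is easy to forget once the hotfix is applied.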
Recently I encountered a problem where I was not able to send and receive e-mails between two sites where E2K7 is installed.
You would get the following error:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1035
Inbound authentication failed with error LogonDenied for Receive connector Default XXXXXXXXX. The authentication mechanism is Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is
Enable verbose logging for the receive connector on the receiving site and send a test e-mail from the other site.
If the SMTP-Receive log shows "235 Authentication failed", the possible causes are:
1. A time difference between the DC and the Exchange server.
2. Authenticated Users is not listed in the local security group on the Exchange server.
Resolutions:
1. Synchronize the time between the DC and the Exchange server.
2. Add Authenticated Users to "Access this computer from the network" under the local security policy.
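As an added example (not from the original post), the commands below carry out the diagnosis described above on the receiving Hub Transport server: turn on verbose protocol logging for the receive connector, pull the authentication lines out of the newest log after the test message, and check the two causes listed (clock skew against the DC, and the "Access this computer from the network" right). The connector and server names are assumptions for this lab.

```powershell
# Added example, not part of the original post. Run on the receiving Hub Transport server.
$server    = "Exch32-Srv-01"
$connector = "$server\Default $server"          # assumed receive connector name
$dc        = "exch-dc-01.exmailservice.com"     # assumed domain controller

# 1. Verbose protocol logging on the receive connector, then send the test e-mail from
#    the other site.
Set-ReceiveConnector $connector -ProtocolLoggingLevel Verbose
$logPath = (Get-TransportServer $server).ReceiveProtocolLogPath

# 2. Authentication exchange from the most recent receive log.
Get-ChildItem $logPath -Filter *.log | Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 | Get-Content |
    Select-String -Pattern "AUTH|LogonDenied|235 |535 "

# 3. Cause 1: clock skew. Kerberos (the Gssapi mechanism in the event) rejects tickets
#    when the offset exceeds the default tolerance of 5 minutes.
w32tm /stripchart /computer:$dc /samples:3 /dataonly

# 4. Cause 2: the "Access this computer from the network" right. SeNetworkLogonRight must
#    include S-1-5-11 (Authenticated Users).
$secpol = Join-Path $env:TEMP "secpol.inf"
secedit /export /cfg $secpol | Out-Null
Select-String -Path $secpol -Pattern "SeNetworkLogonRight"
Remove-Item $secpol

# 5. Verbose logging records every SMTP session in full; switch it back off afterwards.
Set-ReceiveConnector $connector -ProtocolLoggingLevel None
```

If the w32tm offset is outside a few seconds, fix the time source before touching the security policy; a skew of more than 5 minutes produces exactly the LogonDenied shown in the event even when the user right is correct.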
When a third-party application, or mail from the Internet, sends a message to your organisation and an Edge Transport server is the receiving server, you may get an NDR saying "Unacceptable Attachment".
The attachment sent by the application or by users on the Internet may be listed in the AttachmentFilterEntry list.
But in some cases the attachment gets rejected by the Attachment Filter Agent even though it is not listed in the AttachmentFilterEntry list.
The reason is that the attachment may not be recognised by the Attachment Filter Agent. For example, a ".zip" file may get rejected by the Attachment Filter Agent.
This is a known issue and Update Rollup 5 will fix it, as per Microsoft.
* But even an attachment other than .zip can be rejected for the same reason.
1. Install the most recent rollup update.
2. Add a key to the EdgeTransport.exe.config file, under <appSettings> </appSettings>.
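Before changing the agent's configuration it helps to know whether the rejected attachment actually matched one of the configured entries or was caught by content inspection, which is the case the post describes. As an added example (not from the original post), the function below, run on the Edge Transport server, prints the agent's action and reject text and then checks a list of file names against the FileName entries. The sample file names are constructed.

```powershell
# Added example, not part of the original post. Run on the Edge Transport server.
function Test-AttachmentFilterMatch {
    param([string[]]$FileNames)

    $config  = Get-AttachmentFilterListConfig
    $entries = Get-AttachmentFilterEntry
    Write-Host ("Agent action: {0}; reject response: {1}" -f $config.Action, $config.RejectResponse)

    foreach ($file in $FileNames) {
        # Each entry's Identity is "FileName:<pattern>" or "ContentType:<mime type>".
        $matched = $entries | Where-Object {
            $id  = $_.Identity.ToString()
            $sep = $id.IndexOf(':')
            ($id.Substring(0, $sep) -eq "FileName") -and ($file -like $id.Substring($sep + 1))
        }
        if ($matched) {
            Write-Host ("{0}: matches explicit entry {1}" -f $file, @($matched)[0].Identity)
        } else {
            Write-Host ("{0}: no FileName entry matches; a rejection of this file came from content inspection" -f $file)
        }
    }
}

# Constructed sample: an archive, an executable and a plain text file.
Test-AttachmentFilterMatch "report.zip", "setup.exe", "notes.txt"
```

A file reported as "no FileName entry matches" that is still rejected is the situation covered by the rollup and the config key above; a file that matches an explicit entry is blocked by policy, and the sender should not expect the fix to change that.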
The message header is useful when e-mails are not in the proper format when sent and received from the server. Since you have 11 copies of the message, you can compare the message header with another copy to see whether there is any change in the message header.
3. Which Transport Agent fired at each stage
This is very useful if the message is not reaching the mailbox. If the message is not reaching the mailbox, it is obvious that one of the Transport Agents rejected the mail. This information helps us find out which agent rejected the e-mail.
4. You can enable pipeline tracing for one user or for all users. It cannot be enabled on a per-domain basis.
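As an added example (not from the original post), the commands below enable pipeline tracing for one sender, list the snapshot files written for a test message, and count the header lines in each snapshot so that the stage at which the headers changed stands out. The server name and the test sender address are assumptions for this lab.

```powershell
# Added example, not part of the original post. Pipeline tracing writes complete copies of
# matching messages to disk, so scope it to one sender and turn it off when done.
$server = "Exch32-Srv-01"
$sender = "seconduser@lab01.com"     # constructed test sender
$path   = (Get-TransportServer $server).PipelineTracingPath

Set-TransportServer $server -PipelineTracingSenderAddress $sender -PipelineTracingEnabled $true
# ... send one test message from $sender, then inspect the snapshots:

function Get-SnapshotHeaderCount {
    param([string]$File)
    $count = 0
    foreach ($line in Get-Content $File) {
        if ($line -eq "") { break }                 # blank line ends the header block
        if ($line -match '^[A-Za-z0-9-]+:') { $count++ }
    }
    return $count
}

# One folder per message under MessageSnapshots; each snapshot file is named after the
# pipeline event and the agent that ran, which is how "which agent fired" is recovered.
$snapshots = Get-ChildItem (Join-Path $path "MessageSnapshots") -Recurse -Filter *.eml |
    Sort-Object FullName
foreach ($s in $snapshots) {
    "{0,-55} {1,8} bytes  {2,3} header lines" -f $s.Name, $s.Length, (Get-SnapshotHeaderCount $s.FullName)
}

Set-TransportServer $server -PipelineTracingEnabled $false
```

A jump in the header count or size between two consecutive snapshots points at the agent named in the later file; a message folder whose last snapshot is an early event is one that an agent rejected at that stage.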
From a different (working) E2K7 SP1 environment, we could copy the above-mentioned files from "C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap" (this is the default location; it could also be a different location if the customer has customized it).
Restart Microsoft Exchange Transport.
Attempt to start POP3 and IMAP4; if the issue persists, reapply SP1 for Exchange Server 2007.