Roll Up 6 for Exchange Server 2007 SP3

Earlier today Microsoft released Update Rollup 6 for Exchange Server 2007 SP3.

Exchange Server 2007 SP3 RU6 download: click here

Description of Update Rollup 6: click here

Important issues resolved in this rollup:

Note: If you run Forefront Security for Exchange, disable Forefront before installing the rollup and re-enable it once the update has completed.

This related article is also worth reading: here.

GAL Segregation in Exchange 2007

Note: This whole article was written with reference to the original Microsoft document; please visit that page if you need more detail.

This article provides the information you need to configure Microsoft Exchange Server 2007 with multiple address lists, so that different groups of users each have their own address list, and to secure those lists so that each group can see only its own.

Note: This is not officially supported in Exchange 2007, but it is supported by Microsoft in Exchange 2010 SP2 (address book policies), which was released yesterday. Before going with Exchange 2010 I wanted to try it with Exchange 2007 in my lab, and finally did it.

Note: Do not try this on Exchange Server 2010. If you apply these steps in an Exchange 2010 environment, significant issues may occur, and it may not be possible to resolve them.

My Setup:

Existing domain:

Domain Name:

DC : Exch-dc-01

Exchange Server 2007: Exch32-Srv-01 (all three roles installed)

New Domain:

Domain Name:

We treat the new domain as an acquired company that has no Exchange server, whereas the existing domain already has Exchange Server 2007 installed. So we will use linked mailboxes here, and then segregate the GAL for security reasons.

I created a forest trust between the two domains and I am able to create linked mailboxes, but when I log in as a user from the new domain I can also see the address lists of the existing domain, as you can see here:

Figure: Before GAL segregation

Here I logged in as the first user from the Lab01 domain, who can also see the other address lists, which our security team does not accept.

To achieve this we are going to follow the steps below:

1. Configuring a Segregated Organization

2. Adding a Segregated Company to the Environment

3. Adding a New User to the Environment

4. Post User Creation Steps


1. Configuring a Segregated Organization:

By default every user in Exchange Server 2007 can see all address lists. To separate them you must create a separate address list, GAL and offline address list per company, each with a filter that selects only that company's users, and then restrict who is allowed to open each of them.

Preparing Your Environment for Segregated Exchange:

  • Set the dsHeuristics value
  • Create an Organizational Unit to contain all segregated virtual organization OUs
  • Modify permissions on the All Address Lists container
  • Delete the default Address Lists
  • Restrict Access to the Default Global Address List
  • Restrict Access to the Offline Address Lists container
  • Create a Security Group for all Hosted Groups

Set dsHeuristics Value:

  1. Open ADSIEdit.
  2. Expand CN=Configuration.
  3. Expand CN=Services.
  4. Expand CN=Windows NT.
  5. Select CN=Directory Service.
  6. Right-click CN=Directory Service and click Properties.
  7. Select the attribute dsHeuristics.
  8. Set the value to 001.

dsHeuristics is a positional string: the third character set to 1 turns on List Object access mode, which is what allows objects to be hidden from users who lack List Contents on the parent container. If the attribute already has a value, change only the third character and leave the others as they are.

Create an Organizational Unit to contain all segregated virtual organization OUs:

  1. Start Active Directory Users and Computers.
  2. In the left pane, right-click your domain (the very top object).
  3. Click New, and select Organizational Unit.
  4. Type Companies, and click OK.

Modify permissions on the All Address Lists container:

Get-ADPermission "All Address Lists" | Where {($_.User -like 'NT AUTHORITY\Authenticated Users') -and ($_.IsInherited -eq $false)} | Remove-ADPermission

Confirm with Y to apply the change. This removes only the explicit (non-inherited) entries for Authenticated Users.

To delete the default address lists, run the following commands:

remove-addresslist “All Contacts”

remove-addresslist “All Groups”

remove-addresslist “All Rooms”

remove-addresslist “All Users”

remove-addresslist “Public Folders”


Restrict Access to the Default Global Address List:

To use the Exchange Management Shell to deny the Authenticated Users group the right to open the Default Global Address List, run the following command (Open-Address-Book is the same extended right that appears as "Open Address List" elsewhere in this article):

Get-GlobalAddressList "Default Global Address List" | Add-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$True

Restrict Access to the Offline Address Lists Container:

To use the Exchange Management Shell to remove the Authenticated Users group's right to download OABs from the Offline Address Lists container, run the commands below one by one. The CN after "Address Lists Container" is your Exchange organization name (First Organization on a default install, Exmailservice in this lab), and the DC components must match your forest.

Step 1:

$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Exmailservice,DC=com"

Step 2:

Remove-ADPermission $container -User "NT AUTHORITY\Authenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'

To verify, run:

Get-ADPermission $container -User "NT AUTHORITY\Authenticated Users"

The output should look like this:

Identity             User                 Deny  Rights

Offline Address L... NT AUTHORITY\Auth... False ms-Exch-Download-OAB

Offline Address L... NT AUTHORITY\Auth... False ListChildren

Offline Address L... NT AUTHORITY\Auth... True  ReadProperty

Create a Security Group for all Hosted Groups:

If you already created this group manually in the GUI, make sure it is a security group and not a distribution group, otherwise the Deny entries below will not apply.

Use the command below to create a new security group:

New-DistributionGroup -Name "All Hosted Groups SG" -OrganizationalUnit "" -SamAccountName "AllHostedGroupsSG" -Alias "AllHostedGroupsSG" -Type "Security"

Then deny this group read access to the Address Lists container. The Deny is inherited by every address list, GAL and OAB under the container; later, each company's own security group (a member of this group) receives an explicit Allow on its own lists, and an explicit Allow on an object takes precedence over a Deny inherited from the parent. Run:

Add-ADPermission -Identity "CN=Address Lists Container,CN=Exmailservice,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Exmailservice,DC=com" -User "All Hosted Groups SG" -AccessRights GenericRead -Deny

Then run the command below as well:

Add-ADPermission -Identity "CN=Address Lists Container,CN=Exmailservice,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Exmailservice,DC=com" -User "All Hosted Groups SG" -AccessRights ReadProperty -Properties "Open Address List" -Deny

Note: You must modify the example DN to reflect the DN of your Address Lists container. Normally only the "DC" entries (and the organization name, Exmailservice here) need to be changed if Exchange was installed with defaults.
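The preparation steps above are all permission changes that fail silently if one is skipped, so it is worth checking them before any company is added. The script below is an added example and is not code from the original post or from Microsoft; it runs from the Exchange 2007 Management Shell and assumes (not stated in the post) that the OAB container DN can be built from RootDSE plus the organization name returned by Get-OrganizationConfig.

```powershell
# Added example, not code from the original post: confirm that the "Preparing Your
# Environment" steps actually took effect. Run from the Exchange 2007 Management Shell.
# Assumed (not in the post): the OAB container DN is built from RootDSE and the
# organization name returned by Get-OrganizationConfig.

function Test-SegregationPrereqs {
    $findings  = @()
    $authUsers = "NT AUTHORITY\Authenticated Users"
    $rootDse   = [ADSI]"LDAP://RootDSE"
    $configNc  = $rootDse.psbase.Properties["configurationNamingContext"].Value

    # dsHeuristics is positional: the third character must be 1 (List Object mode)
    $ds   = [ADSI]("LDAP://CN=Directory Service,CN=Windows NT,CN=Services," + $configNc)
    $heur = [string]$ds.psbase.Properties["dsHeuristics"].Value
    if ($heur.Length -lt 3 -or $heur[2] -ne '1') {
        $findings += "dsHeuristics is '$heur' (third character must be 1)"
    }

    # No explicit Authenticated Users ACE may remain on All Address Lists
    $explicit = Get-ADPermission "All Address Lists" |
        Where-Object { $_.User -like $authUsers -and -not $_.IsInherited }
    if ($explicit) { $findings += "All Address Lists: explicit Authenticated Users ACEs still present" }

    # Default GAL must carry an explicit Deny of Open-Address-Book for Authenticated Users
    $deny = Get-GlobalAddressList "Default Global Address List" | Get-ADPermission -User $authUsers |
        Where-Object { $_.Deny -and "$($_.ExtendedRights)" -match 'Open.Address' }
    if (-not $deny) { $findings += "Default GAL: no Deny Open-Address-Book for Authenticated Users" }

    # OAB container: any remaining Allow of ms-Exch-Download-OAB lets every user fetch every OAB
    $org   = (Get-OrganizationConfig).Name
    $oabDn = "CN=Offline Address Lists,CN=Address Lists Container,CN=$org,CN=Microsoft Exchange,CN=Services,$configNc"
    $allow = Get-ADPermission $oabDn -User $authUsers |
        Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -match 'Download-OAB' }
    if ($allow) {
        foreach ($a in @($allow)) {
            $findings += "OAB container: Allow ms-Exch-Download-OAB still present (inherited=$($a.IsInherited))"
        }
    }

    # The hosted-groups group must be security-enabled or its Deny ACEs mean nothing
    $g = Get-DistributionGroup "All Hosted Groups SG" -ErrorAction SilentlyContinue
    if (-not $g) { $findings += "All Hosted Groups SG does not exist" }
    elseif ("$($g.GroupType)" -notmatch 'SecurityEnabled') { $findings += "All Hosted Groups SG is not a security group" }

    if ($findings.Count -eq 0) { "PASS: environment is prepared for segregation" } else { $findings }
}

Test-SegregationPrereqs
```

Each finding names the step to repeat. The OAB-container check reports inherited entries separately because Remove-ADPermission only strips explicit ACEs; an inherited Allow has to be dealt with on the parent container.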

2. Adding a Segregated Company to the Environment:

Create an Organizational Unit for the Company

  1. Start Active Directory Users and Computers.
  2. In the left pane, select the Companies OU.
  3. Right-click the Companies OU.
  4. Click New, and select Organizational Unit.
  5. Type Lab01, and click OK.

Figure: Create a new OU called companies

Adding a UPN Suffix:

Adding a new UPN suffix allows users of the new company to log on with a UPN that differs from the one used by the domain.

  • Start Active Directory Domains and Trusts.
  • Right-click Active Directory Domains and Trusts (not your domain name) and select Properties.
  • On the Alternative UPN Suffixes tab, type Lab01, click Add, and click OK.


Modify the upnSuffixes attribute:

By setting the upnSuffixes attribute on the company OU, you limit the domain drop-down list shown when creating new users in that OU. The list will then include only the UPN of the original domain and the new suffix added above.

  • Open ADSIEdit.
  • Expand the Domain Naming Context.
  • Right-click the company OU (Lab01 in this lab) and select Properties.
  • Select the upnSuffixes attribute and click Edit.
  • Enter the new company UPN suffix and click Add.
  • Click OK twice to close the properties dialog.

Create a Security Group for the Users:

Use PowerShell to create a security group:

New-DistributionGroup -Name "Lab01 SG" -OrganizationalUnit "Lab01" -SamAccountName "Lab01 SG" -Alias "Lab01 SG" -Type "Security"

Figure: Create a new security group for Lab01 users

Run the command below to make it a member of All Hosted Groups SG (so that it inherits that group's Deny on the Address Lists container):

Get-DistributionGroup -Name "All Hosted Groups SG" | Add-DistributionGroupMember -Member "Lab01 SG"

Figure: Making it a member of All Hosted Groups SG

Create a new accepted domain:


You must configure an accepted domain before that SMTP namespace can be used in an e-mail address policy.

MS recommends: Accepted domains are configured on computers that have the Hub Transport server role installed and on computers that have the Edge Transport server role installed. We recommend that you configure accepted domains only on the Hub Transport server role and then populate that data on the Edge Transport server by using the Edge Subscription process.

Use the command below to create the new accepted domain:

New-AcceptedDomain -Name "Lab01" -DomainName "" -DomainType Authoritative

Figure: Create a new accepted domain for the Lab01 domain

After you configure the accepted domain, you must verify that a public Domain Name System (DNS) mail 
exchange (MX) resource record for that SMTP namespace exists and that the MX resource record references 
a server name and an IP address that is associated with the Exchange organization.

Create a new email address policy:

For a recipient to receive or send e-mail messages, the recipient must have an e-mail address. E-mail address policies generate the primary and secondary e-mail addresses for your recipients (which include users, contacts, and groups) so they can receive and send e-mail.

Use the command below to create the new e-mail address policy:

New-EmailAddressPolicy -Name "Lab01" -IncludedRecipients 'AllRecipients' -ConditionalCompany "Lab01" -Priority '1' -EnabledEmailAddressTemplates ""

Figure: Using the company name to filter the objects

Figure: Results of the Lab01 domain users' e-mail addresses

Here we filter the recipients by their company name: if a user's Company attribute equals Lab01, this address policy applies to them.

As you can see in the figures above, if the company name is set to Lab01, the user's primary e-mail address will look like the one in the second picture.

Create a new address list:

Run the following command to create the Lab01 address list. The filter must use the same attribute that the GAL filter and the user stamping below use, which in this article is Company; a ConditionalCustomAttribute1 filter would only ever match users who also had CustomAttribute1 stamped:

New-AddressList -Name "Lab01 AL" -Container '\' -IncludedRecipients 'AllRecipients' -ConditionalCompany "Lab01"

Modify the permissions on the address list:

Important: Skipping this step does not let users from one company see the users of another, but it does let them see the names of the address lists of every company from within Outlook, so every segregated user would learn the names of the other segregated groups in the organization.

Run the commands below to achieve this:

Get-AddressList "Lab01 AL" | Remove-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights "open address list" -Deny:$false

Get-AddressList "Lab01 AL" | Add-ADPermission -User "Lab01 SG" -ExtendedRights "open address list"

Create a new Global Address List:


GALs define a set of rules for looking up users in a global address book—for example, by alias name, long name, group name, and so on. Use the following procedure to create a GAL for the organizational unit Lab01.

Run the following command:

New-GlobalAddressList -Name "Lab01 GAL" -RecipientFilter {(alias -ne $null -and company -eq "Lab01")}

Figure: Creating the new GAL for the Lab01 domain
Create a new offline address list:

To create an OAB that uses web-based distribution for clients running Outlook 2007, run the following command:

New-OfflineAddressBook -Name "Lab01 OAB" -Server exch32-srv-01 -AddressLists "Lab01 AL" -VirtualDirectories "exch32-srv-01\OAB (Default Web Site)"

Figure: Create a new offline address list for Lab01 users

Note: If you configure an OAB to use public folder distribution but your organization has no public folder infrastructure, you will receive a warning or error resembling the following: WARNING: Your organization does not have a public folder tree. Only Outlook 2007 or later can access offline address books from a web-based distribution point, if one is configured.

To create an OAB that also uses public folder distribution, for clients running Outlook 2003 or earlier, run the following command:

New-OfflineAddressBook -Name "Lab01 OAB" -Server exch32-srv-01 -AddressLists "Lab01 AL" -VirtualDirectories "exch32-srv-01\OAB (Default Web Site)" -PublicFolderDistributionEnabled $true

Modifying the offline address list permissions:

Use the following command to set the appropriate permissions on the Lab01 OAB. Because the Authenticated Users download right was removed from the Offline Address Lists container earlier, after this only members of the Lab01 security group can download this OAB.

Get-OfflineAddressBook "Lab01 OAB" | Add-ADPermission -User 'Lab01 SG' -ExtendedRights 'ms-Exch-Download-OAB' -Deny:$false

Figure: Modifying the offline address list permissions


3. Adding a new user into the environment:


  • Create a mailbox for the new user.

Add the user to the company security group. To use the Exchange Management Shell to add a single member to the group, run:

Get-Mailbox "second user" | Add-DistributionGroupMember -Identity "Lab01 SG"

Figure: Adding a single user into the environment

Run the following command for multiple users (every mailbox in the Lab01 OU):

Get-Mailbox -OrganizationalUnit "Lab01" | Add-DistributionGroupMember -Identity "Lab01 SG"

Modify the msExchUseOAB attribute (the mailbox's OfflineAddressBook):

Run the following command for a single user:

Set-Mailbox "second user" -OfflineAddressBook "Lab01 OAB"

Figure: Modify the msExchUseOAB attribute

Modify the msExchQueryBaseDN attribute:

This attribute scopes the user's address book queries to the company OU. To set it for a single user from the Exchange Management Shell (via ADSI), run the following, replacing DC01 with your domain controller (Exch-dc-01 in this lab):

$user = ([ADSI]"LDAP://DC01:389/CN=second user,OU=Lab01,OU=Companies,DC=exmailservice,DC=com").psbase; $user.Properties["msExchQueryBaseDN"].Value = "OU=Lab01,OU=Companies,DC=exmailservice,DC=com"; $user.CommitChanges();

Changing the msExchQueryBaseDN attribute via the GUI (ADSI Edit):

Figure: Changing the msExchQueryBaseDN attribute

Modify the specific filter attribute:

Use one of the following commands to set the attribute that identifies the users of the virtual company (Company in this article's examples). Company is a user attribute and is set with Set-User rather than Set-Mailbox; a user whose Company is not stamped silently falls out of the address list, the GAL and the e-mail address policy.

For a single user:

Set-User "second user" -Company "Lab01"

For multiple users:

Get-Mailbox -OrganizationalUnit "Lab01" | Set-User -Company "Lab01"

4. Post user creation steps:

When the user creation steps above have been completed, the following processes must be run to update the address list, GAL and OAB, and to redistribute content and re-stamp files with the appropriate permissions:

  • Update Address List
  • Update Global Address List
  • Update Offline Address Book
  • Redistribute content and re-stamp files with the new permissions

Use the commands below to update all the address lists:

Update-AddressList "Lab01 AL"
Update-GlobalAddressList "Lab01 GAL"
Update-OfflineAddressBook "Lab01 OAB"
Update-FileDistributionService "exch32-srv-01" -Type OAB
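Steps 2 to 4 above are one procedure that has to be repeated, in the same order, for every company and every user, and the isolation only holds if each permission change landed. The script below is an added example, not code from the original post or from Microsoft: it wraps the procedure in three functions, one to provision a company, one to onboard a user, and one to verify the resulting ACLs and stamping. It runs from the Exchange 2007 Management Shell after the environment-preparation steps and assumes (not stated in the post) that the company's OU already exists as OU=<Company>,OU=Companies, that the company's SMTP domain and the server hosting the OAB virtual directory are passed in, and that Open-Address-Book is the extended right shown as "Open Address List" in the article.

```powershell
# Added example, not the original post's code: provision one segregated company end to
# end, onboard a user, and verify the ACLs that do the isolation. Run from the Exchange
# 2007 Management Shell. Assumed (not in the post): OU=<Company>,OU=Companies exists,
# and SmtpDomain / Server are supplied by the caller.

$AuthUsers = "NT AUTHORITY\Authenticated Users"
$DomainNc  = ([ADSI]"LDAP://RootDSE").psbase.Properties["defaultNamingContext"].Value

function New-SegregatedCompany {
    param([string]$Company, [string]$SmtpDomain, [string]$Server)
    $sg = "$Company SG"; $al = "$Company AL"; $gal = "$Company GAL"; $oab = "$Company OAB"
    $ou = "OU=$Company,OU=Companies,$DomainNc"

    # The SG is the only principal that may open this company's lists. Nesting it in
    # All Hosted Groups SG gives it the inherited Deny on the Address Lists container.
    New-DistributionGroup -Name $sg -OrganizationalUnit $ou -SamAccountName ($Company + "SG") `
        -Alias ($Company + "SG") -Type Security | Out-Null
    Add-DistributionGroupMember -Identity "All Hosted Groups SG" -Member $sg

    # Accepted domain and address policy keyed on the Company attribute
    New-AcceptedDomain -Name $Company -DomainName $SmtpDomain -DomainType Authoritative | Out-Null
    New-EmailAddressPolicy -Name $Company -IncludedRecipients AllRecipients -ConditionalCompany $Company `
        -Priority 1 -EnabledEmailAddressTemplates "SMTP:@$SmtpDomain" | Out-Null

    # Address list with the same filter. Drop the Authenticated Users grant, then grant the SG
    # explicitly: an explicit Allow on the list beats the Deny inherited from the container.
    New-AddressList -Name $al -Container '\' -IncludedRecipients AllRecipients -ConditionalCompany $Company | Out-Null
    Get-AddressList $al | Remove-ADPermission -User $AuthUsers -AccessRights GenericRead `
        -ExtendedRights "Open-Address-Book" -Deny:$false -Confirm:$false | Out-Null
    Get-AddressList $al | Add-ADPermission -User $sg -ExtendedRights "Open-Address-Book" | Out-Null

    # GAL and OAB for the same population; only the SG may download the OAB
    New-GlobalAddressList -Name $gal -RecipientFilter "(Alias -ne `$null) -and (Company -eq '$Company')" | Out-Null
    New-OfflineAddressBook -Name $oab -Server $Server -AddressLists $al `
        -VirtualDirectories "$Server\OAB (Default Web Site)" | Out-Null
    Get-OfflineAddressBook $oab | Add-ADPermission -User $sg -ExtendedRights "ms-Exch-Download-OAB" | Out-Null

    Update-AddressList $al; Update-GlobalAddressList $gal; Update-OfflineAddressBook $oab
    Update-FileDistributionService $Server -Type OAB
}

function Add-SegregatedUser {
    param([string]$Identity, [string]$Company)
    Set-User $Identity -Company $Company                      # the attribute every filter above keys on
    Set-Mailbox $Identity -OfflineAddressBook "$Company OAB"  # msExchUseOAB
    Add-DistributionGroupMember -Identity "$Company SG" -Member $Identity
    # msExchQueryBaseDN scopes the user's address-book queries to the company OU
    $entry = ([ADSI]("LDAP://" + (Get-Mailbox $Identity).DistinguishedName)).psbase
    $entry.Properties["msExchQueryBaseDN"].Value = "OU=$Company,OU=Companies,$DomainNc"
    $entry.CommitChanges()
}

function Test-SegregatedCompany {
    param([string]$Company)
    $findings = @()
    $al = Get-AddressList "$Company AL"
    if ($al | Get-ADPermission -User $AuthUsers | Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -match 'Open.Address' }) {
        $findings += "$Company AL: Authenticated Users can still open it" }
    if (-not ($al | Get-ADPermission -User "$Company SG" | Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -match 'Open.Address' })) {
        $findings += "$Company AL: $Company SG has no Open-Address-Book right" }
    if (-not (Get-OfflineAddressBook "$Company OAB" | Get-ADPermission -User "$Company SG" |
              Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -match 'Download-OAB' })) {
        $findings += "$Company OAB: $Company SG cannot download it" }
    # Mailbox users in the company OU that are not stamped fall out of every list silently
    $unstamped = Get-User -OrganizationalUnit "OU=$Company,OU=Companies,$DomainNc" |
        Where-Object { $_.RecipientType -eq 'UserMailbox' -and $_.Company -ne $Company }
    if ($unstamped) {
        foreach ($u in @($unstamped)) { $findings += "$($u.Name): Company is '$($u.Company)', expected '$Company'" }
    }
    if ($findings.Count -eq 0) { "PASS: $Company is isolated as expected" } else { $findings }
}

# Usage for this lab (SMTP domain assumed):
#   New-SegregatedCompany -Company Lab01 -SmtpDomain lab01.example -Server exch32-srv-01
#   Add-SegregatedUser -Identity "second user" -Company Lab01
#   Test-SegregatedCompany -Company Lab01
```

Test-SegregatedCompany is the part worth keeping around: run it after every onboarding batch, because a single user added through the GUI without the Company stamp or the group membership is invisible to the lists rather than loudly broken.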

Final result:

Figure: Final result

After logging in as the second user, who belongs to the Lab01 domain, we can only see the address list of users in the same domain.

Comparison between before GAL segregation and after GAL segregation:

Figure: Comparison between before GAL segregation and after GAL segregation

As you can see, the upper part of the figure shows the address lists of the exmailservice domain, which no longer appear after our GAL segregation in the lower part.

I hope you enjoyed reading this; please give us your valuable feedback.

Language preference changes after installing "Microsoft Exchange Server 2007 Service Pack 3 Unified Messaging Language Packs" – Unified Messaging

Installing the "Microsoft Exchange Server 2007 Service Pack 3 Unified Messaging Language Packs" caused us an issue which I would like to share.

Problem:
After installing this patch, the users' language preference changed to English: whoever calls the extension hears English prompts.

After going through the basic steps, disabling and re-enabling UM in French for the user and resetting the PIN, nothing worked.

At last one of my colleagues helped get this sorted out, asking me to follow this action plan:

Action plan:

1. Log in to OWA.
2. Log into the user's mailbox.
3. Click the Options button in the top right corner.
4. Click the Regional Settings option in the right pane.
5. In the Language field, make sure it is set to the user's preferred language.
6. Make sure to click Save after changing it.
7. Log out.

Mail to certain domains does not work – Additional information

It is a known issue that mail flow to certain domains does not work if your Exchange Server 2007 meets the following conditions:

* OS: Windows Server 2008
* Exchange: Exchange 2007

I tried the following steps and ended up finding a few things:

1. Mail flow works to all domains except a few.
2. When you smart-host to that particular domain, the mail goes through.
3. When you telnet to the remote domain and drop a mail manually, the mail goes through.

This can be resolved by installing the hotfix:
Mail flow to certain domains does not work when you run Exchange Server 2007 on a Windows Server 2008-based computer

When a message is generated to a remote (problematic) domain, the server queries for the AAAA record.

Which is odd.

You can confirm this by running a Netmon trace.

So it is obvious that the mail does not go through, because the remote server does not respond to the AAAA record query.

At times installing the hotfix does not fix the problem. In that case, just create a new send connector and add the remote server's IP as a smart host for the time being.

Additional information:
This also happened to me with Exchange Server 2010.

Unable to send TLS mails to external domains – E2K7

Topology: Exchange 2007 > WatchGuard firewall > Microsoft ForeFront > Internet

The send connector is smart-hosted to Microsoft ForeFront.

Exchange 2007 uses "opportunistic TLS": if the remote host advertises STARTTLS in its EHLO response, Exchange sends over TLS, otherwise it sends in clear text.

In spite of this, the customer's Exchange server was sending non-TLS mail to remote domains that accept TLS.

–          From the Exchange server, we ran a telnet to ForeFront on port 25, and no STARTTLS verb was advertised.

–          So, as designed, Exchange would send mail only in clear text.

–          However, a telnet to ForeFront on port 25 from elsewhere did show the STARTTLS verb.

–          Thus, although ForeFront advertises STARTTLS, it is not seen when running a telnet from the Exchange server.

We suspected the WatchGuard to be running an ESMTP proxy that strips the verbs.

Though the customer confirmed that the firewall did not proxy any SMTP, we logged in to the console and found ESMTP outbound settings.

ESMTP was enabled, and 8BITMIME was the only verb checked (it was also the only verb displayed when the customer ran a telnet to ForeFront).

We checked BINARYMIME in that list, saved the firewall config, and ran a telnet to ForeFront again: now the BINARYMIME verb was displayed as well (along with 8BITMIME).

Thus it was confirmed that the firewall was indeed stripping the verbs; there is an article discussing issues with TLS and encryption caused by the WatchGuard Firebox firewall.

Resolution: The WatchGuard firewall has two options for SMTP mail, SMTP Proxy and SMTP Packet Filter. The default when mail is first set up is the SMTP Proxy. Change it to SMTP Packet Filter and that resolves the issue. Note that in packet-filter mode the firewall no longer inspects SMTP content, so any mail hygiene it was providing now has to come from the smart host.
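The diagnosis above rests on comparing the EHLO verb list seen from the Exchange server with the one seen from another host. The function below is an added example, not code from the original post: it scripts that EHLO check so the two results can be compared side by side, and optionally completes STARTTLS to show whether the handshake itself succeeds and which certificate the hop presents. It assumes (not in the post) that the smart-host name and the EHLO name are supplied by the caller, and a failed TLS handshake surfaces as an exception from AuthenticateAsClient.

```powershell
# Added example, not code from the original post: the "telnet to port 25" check done by
# hand above, scripted so it can be run from the Exchange server and from another host
# and the verb lists compared. Assumed (not in the post): Server/EhloName come from the
# caller; a failed handshake or untrusted certificate throws from AuthenticateAsClient.

function Test-EsmtpVerbs {
    param([string]$Server, [int]$Port = 25, [string]$EhloName = "probe.example", [switch]$StartTls)

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # SMTP replies span one or more lines: "250-..." continues, "250 ..." (space) ends the reply
    function Read-Reply {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
        ,$lines
    }
    function Get-Verbs {
        $writer.WriteLine("EHLO $EhloName")
        $reply = Read-Reply
        $verbs = @()
        for ($i = 1; $i -lt $reply.Count; $i++) {            # skip the "250 <hostname>" greeting line
            if ($reply[$i].Length -gt 4) { $verbs += $reply[$i].Substring(4).Split(' ')[0].ToUpper() }
        }
        ,$verbs
    }

    $banner = Read-Reply
    $result = New-Object PSObject
    $result | Add-Member NoteProperty Server $Server
    $result | Add-Member NoteProperty Banner $banner[0]
    $result | Add-Member NoteProperty Verbs (Get-Verbs)
    $result | Add-Member NoteProperty StartTlsAdvertised ($result.Verbs -contains 'STARTTLS')
    $result | Add-Member NoteProperty TlsProtocol $null
    $result | Add-Member NoteProperty TlsCertSubject $null
    $result | Add-Member NoteProperty VerbsInsideTls $null

    if ($StartTls -and $result.StartTlsAdvertised) {
        $writer.WriteLine("STARTTLS")
        if ((Read-Reply)[0] -match '^220') {
            $ssl = New-Object System.Net.Security.SslStream($stream, $false)
            $ssl.AuthenticateAsClient($Server)       # throws on handshake or certificate failure
            $result.TlsProtocol    = $ssl.SslProtocol.ToString()
            $result.TlsCertSubject = $ssl.RemoteCertificate.Subject
            # RFC 3207: the session state is reset after STARTTLS, so EHLO again inside TLS
            $reader = New-Object System.IO.StreamReader($ssl)
            $writer = New-Object System.IO.StreamWriter($ssl)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            $result.VerbsInsideTls = Get-Verbs
        }
    }
    $writer.WriteLine("QUIT"); $null = Read-Reply
    $client.Close()
    $result
}

# Run the same call from the Exchange server and from a host outside the firewall, then
# compare the Verbs property of the two results:
#   Test-EsmtpVerbs -Server forefront.example -StartTls | Format-List
```

If StartTlsAdvertised differs between the two vantage points, something in between is rewriting the EHLO response, which is exactly the symptom above; if it is advertised but AuthenticateAsClient throws, the problem is the certificate or the handshake rather than verb stripping.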

Mail flow between servers is not working – E2K7

Recently I encountered a problem where I was not able to send and receive e-mail between two sites where E2K7 is installed.

  • You get the following error:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1035
Inbound authentication failed with error LogonDenied for Receive connector Default XXXXXXXXX. The authentication mechanism is Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is

  • Enable verbose protocol logging for the receive connector on the receiving site and send a test e-mail from the other site.

If the SMTP receive log shows the authentication failing (a 535 reply; 235 is the success code), the usual causes are:

  • A time difference between the DC and the Exchange server (Kerberos tolerates only a few minutes of skew)
  • Authenticated Users missing from "Access this computer from the network" in the local security policy on the Exchange server

The fixes:

  • Synchronize the time between the DC and the Exchange server
  • Add Authenticated Users to "Access this computer from the network" under Local Security Policy
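Both causes above can be checked from the receiving server before touching anything. The script below is an added example, not code from the original post: it measures the clock offset against a domain controller with w32tm and reads the local user-rights assignment with secedit to see whether Authenticated Users (S-1-5-11) still holds the network logon right. It assumes (not in the post) that w32tm.exe and secedit.exe are present, as they are on Windows Server 2003 and 2008, and that the DC name is supplied by the caller.

```powershell
# Added example, not code from the original post: check the two causes of Event 1035
# listed above from the receiving Hub Transport server. Assumed (not in the post):
# w32tm.exe and secedit.exe are available and the DC name is passed in.

function Get-ClockOffsetSeconds {
    param([string]$Dc)
    # /dataonly prints one "HH:MM:SS, +00.0012345s" line per sample; use the last one
    $out  = & w32tm /stripchart "/computer:$Dc" /samples:3 /dataonly 2>&1
    $rows = @($out | Where-Object { "$_" -match '([+-]\d+\.\d+)s' })
    if ($rows.Count -eq 0) { throw "Could not parse w32tm output from $Dc" }
    $null = "$($rows[-1])" -match '([+-]\d+\.\d+)s'
    [double]$matches[1]
}

function Test-NetworkLogonRight {
    param([string]$Sid = "S-1-5-11")        # Authenticated Users
    $inf = Join-Path $env:TEMP "user-rights.inf"
    & secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeNetworkLogonRight' }
    Remove-Item $inf
    # secedit writes SIDs with a leading asterisk: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
    [bool]($line -and ("$line" -match ([regex]::Escape("*$Sid") + '(,|\s|$)')))
}

function Test-SmtpAuthPrereqs {
    param([string]$Dc)
    $skew = Get-ClockOffsetSeconds -Dc $Dc
    $o = New-Object PSObject
    $o | Add-Member NoteProperty ClockOffsetSeconds $skew
    $o | Add-Member NoteProperty WithinKerberosSkew ([math]::Abs($skew) -le 300)   # default MaxClockSkew is 5 minutes
    $o | Add-Member NoteProperty AuthenticatedUsersHaveNetworkLogon (Test-NetworkLogonRight)
    $o
}

# Usage on the receiving Exchange server (DC name assumed):
#   Test-SmtpAuthPrereqs -Dc exch-dc-01
```

WithinKerberosSkew false or AuthenticatedUsersHaveNetworkLogon false points straight at the matching fix above; if both are true, the GSSAPI failure is somewhere else (SPNs or the connector's permission groups) and the verbose receive log is the next place to look.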

Message rejected due to unacceptable attachments – E2K7

When a third-party application or a sender on the Internet sends a message to your organization and an Edge Transport server is the receiving server, you may get an NDR saying "Unacceptable Attachment".
The attachment sent by the application or by the Internet user may be listed in the AttachmentFilterEntry list.
But in some cases the attachment is rejected by the Attachment Filter agent even though it is not listed in AttachmentFilterEntry.
The reason is that the attachment may not be recognised (parsed) by the Attachment Filter agent. For example a ".zip" file may be rejected by the agent.
This is a known issue and, according to Microsoft, Update Rollup 5 fixes it.
* But an attachment other than .zip can also be rejected for the same reason.
1. Install the most recent update rollup.
2. Add a key to the EdgeTransport.exe.config file, under <appSettings> </appSettings>:
<add key="AllowInvalidAttachment" value="true" />
Caveat: with this key the agent delivers attachments it cannot parse instead of rejecting them, so make sure anti-malware scanning still covers those messages downstream.
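Hand-editing EdgeTransport.exe.config is easy to get wrong (a duplicate key, a typo outside appSettings, no copy of the previous file). The function below is an added example, not code from the original post: it applies the appSettings change idempotently and keeps a backup. It assumes (not in the post) the default install path, which can be overridden with -Path; the key name is the one quoted above, and the transport service still has to be restarted afterwards.

```powershell
# Added example, not code from the original post: set an appSettings key in
# EdgeTransport.exe.config idempotently, with a timestamped backup of the old file.
# Assumed (not in the post): the default Exchange 2007 install path.

function Set-EdgeTransportAppSetting {
    param([string]$Key, [string]$Value,
          [string]$Path = "C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe.config")
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)
    $app = $xml.SelectSingleNode("/configuration/appSettings")
    if ($app -eq $null) { throw "No <appSettings> element in $Path" }
    $node = $app.SelectSingleNode("add[@key='$Key']")
    if ($node -ne $null -and $node.GetAttribute("value") -eq $Value) { return $false }   # already set
    if ($node -eq $null) {
        $node = $xml.CreateElement("add")
        $node.SetAttribute("key", $Key)
        $app.AppendChild($node) | Out-Null
    }
    Copy-Item $Path ($Path + "." + (Get-Date -Format yyyyMMddHHmmss) + ".bak")   # keep the old config
    $node.SetAttribute("value", $Value)
    $xml.Save($Path)
    $true
}

# Usage; the transport service reads the file only at start-up:
#   if (Set-EdgeTransportAppSetting -Key AllowInvalidAttachment -Value true) { Restart-Service MSExchangeTransport }
```

Returning $false when the value is already in place lets the call be rerun safely from a build script without restarting the transport service for nothing.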

What you find in pipeline tracing for troubleshooting – E2K7

1. There are 11 copies of each message (a snapshot is written at each stage of the transport pipeline).
2. Message headers
Message headers are useful when e-mails are not in the proper format when sent and received by the server. Since you have 11 copies of the message, you can compare the header of one copy with another to see whether anything in the header changed.
3. Which transport agent fired at each stage
This is very useful if a message is not reaching the mailbox. If the message is not reaching the mailbox, it is obvious that one of the transport agents rejected it, and this information shows which agent did.
4. You can enable pipeline tracing for one user (a sender address) or for all users; it cannot be enabled on a per-domain basis.

POP3/IMAP4 service won't start after E2K7 SP1 update

The Microsoft Exchange IMAP4/POP3 service does not start after the installation of (or a failed attempt to install) SP1 for Exchange Server 2007. Additionally, the following events are logged in the Application log:

Event ID: 1000
Source: .NET Runtime 2.0 Error Reporting
Type: Error
Faulting application, version, stamp
481f7fea, faulting module kernel32.dll, version 5.2.3790.4062, stamp 462643a7, debug
0, fault address 0x000000000000dd10.

Event ID: 7009
Event Source: Service Control Manager
Event Type: Error
Timeout (30000 milliseconds) waiting for the Microsoft Exchange POP3 service to connect.

The following DLL files could be corrupted as a result of the unsuccessful SP1 install:

From a different (working) E2K7 SP1 environment, copy the above-mentioned files from
C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap
(this is the default location; it may differ if the customer customized the install path).

Restart the Microsoft Exchange Transport service.
Attempt to start POP3 and IMAP4; if the issue persists, reapply SP1 for Exchange Server 2007.
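Copying binaries from another server is a supply-chain decision as much as a repair, so it pays to know exactly which files differ and how before doing it. The script below is an added example, not code from the original post: it compares the PopImap folder on the broken server with the same folder on a known-good SP1 server by file version and SHA-256, so only files that really differ are replaced, and a file whose version matches but whose hash does not stands out as the corrupted one. It assumes (not in the post) the default path on both servers and a reachable admin share (C$) on the good one.

```powershell
# Added example, not code from the original post: compare the local PopImap binaries with
# a known-good server's copy before replacing anything. Assumed (not in the post): the
# default install path on both servers and a reachable admin share on the good server.

function Get-FileFingerprint {
    param([string]$File)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = [BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($File))).Replace("-", "")
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Name (Split-Path $File -Leaf)
    $o | Add-Member NoteProperty FileVersion ([System.Diagnostics.FileVersionInfo]::GetVersionInfo($File).FileVersion)
    $o | Add-Member NoteProperty Sha256 $hash
    $o
}

function Compare-PopImapBinaries {
    param([string]$GoodServer,
          [string]$Path = "C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap")
    $remote = "\\$GoodServer\" + $Path.Replace(":", '$')      # C:\... becomes \\server\C$\...
    $good = @{}
    foreach ($f in Get-ChildItem (Join-Path $remote "*") -Include *.dll,*.exe) {
        $good[$f.Name] = Get-FileFingerprint $f.FullName
    }
    foreach ($f in Get-ChildItem (Join-Path $Path "*") -Include *.dll,*.exe) {
        $local = Get-FileFingerprint $f.FullName
        $ref   = $good[$f.Name]
        if ($ref -eq $null)                              { $status = "NotOnGoodServer" }
        elseif ($ref.Sha256 -eq $local.Sha256)           { $status = "Identical" }
        elseif ($ref.FileVersion -eq $local.FileVersion) { $status = "SameVersionDifferentHash" }  # corrupt or tampered: replace
        else                                             { $status = "VersionMismatch" }           # different build level: check SP/RU first
        $o = New-Object PSObject
        $o | Add-Member NoteProperty Name $f.Name
        $o | Add-Member NoteProperty Status $status
        $o | Add-Member NoteProperty LocalVersion $local.FileVersion
        $o | Add-Member NoteProperty GoodVersion $ref.FileVersion
        $o
    }
}

# Usage (good server name assumed):
#   Compare-PopImapBinaries -GoodServer exch-good-01 | Where-Object { $_.Status -ne "Identical" } | Format-Table -AutoSize
```

SameVersionDifferentHash is the case the post describes and the only one where a straight copy is the right fix; VersionMismatch means the two servers are not at the same SP or rollup level, and copying across them would mix builds.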


I found an interesting concept somewhere on the web for reducing the spam that comes into the organization.

As we all know, the MX record plays the major role in receiving e-mail, and it is also the entry point for spam into the organization.

"Nolisting" is the practice of publishing two or more MX records and pointing the primary (lowest preference) one at an address that does not answer on port 25, i.e. "nowhere".

As the SMTP RFC requires, a genuine sending MTA tries the next MX host when the primary is unavailable or refuses the connection.

Spammers' sending software often does not bother to retry the secondary MX record, so this reduces the spam coming into your organization. Keep in mind that a primary that refuses the connection costs legitimate senders almost nothing, whereas one that silently drops packets adds a connection timeout to every inbound message.