Segregated GAL problem - This e-mail message cannot be delivered to USER because the e-mail address is no longer valid

  • Question

  • I am using websitepanel to automatically create the hosted organizations, however when I try to send email between them using Outlook 2010 I get a warning:

    This e-mail message cannot be delivered to USER because the e-mail address is no longer valid

    However, emails are delivered without a problem.

    Here is the setting from - Organization configuration / Accepted domains / userdomain Properties - Authoritative Domain

    I have not made any other modifications to the WSP installation or recommendations.

    I believe that this problem relates to a GAL segregation issue.

    Can other users check if they are also getting this?

    Thanks jk

     


    jason kinsella
    • Moved by Inesa Fain Monday, November 8, 2010 8:02 PM (From:WebsitePanel - Support)
    Monday, November 1, 2010 4:18 AM

All replies

  • Yes --> http://social.msdn.microsoft.com/Forums/en-US/wspdiscuss/thread/273dbdf7-6370-4b70-848d-14032a686a7d

    In addition, Outlook2010 shows the legacyExchangeDN in the (what's it called ??) "people-pane" as well as when hovering over the name in the address bar.

    I reproduced in a (new!) lab environment with Outlook in online mode, meaning it's not an address-book, .nk file or sync issue.

     

    Another edit: I also attempted to get some assistance from PSS, but they declined, stating GAL segregation is unsupported in Ex2k10
    (hence this question -> http://social.msdn.microsoft.com/Forums/en-US/wspsupport/thread/4d5ae540-8936-43a3-9f30-9a448c33ae22)

    If anyone from the WSP team has an idea, that would be much appreciated !!

     

    • Edited by MarcusB Thursday, November 4, 2010 8:32 PM more info
    Thursday, November 4, 2010 8:16 PM
  • Hi,

     

    http://social.msdn.microsoft.com/Forums/en-US/wspentsupport/thread/ed6b1ce0-0e7e-4fe2-9541-cf728ac9f2d2  

     

    I would like to ask you to test / disable such rule on Outlook client level first (check / confirm).

     

    You know... it just can be helpful for other WSP users.

     

    Thank you in advance.


    Best regards, Dmitry Fitsner Support@ExpertServices.us | WebsitePanel Installations, Support & Consulting | Enterprise Solutions Planning & Deployment & Support
    Monday, November 8, 2010 11:37 PM
    Answerer
  • Hello Dmitry,

    thx for getting involved.

    Not sure I understand what you're asking - I assume you mean disabling Mailtips in Outlook (?). If that's what you're asking, then yes, that of course takes care of the Mailtips message, but not the display of the LegacyExchangeDN.

    Thx - Marcus.

     

    Tuesday, November 9, 2010 12:40 AM
  • Hi Marcus,

    You are right (just for test)! 

    What exact Exchange 2010 version do you use? Is it SP1 (without "hosting" switch)?

    Is it possible for your side to just provide/send (e-mail below) me with full step by step description - how/where to reproduce (***screenshots appreciated).

    It would be interesting to investigate / reproduce such issue.

    I'm sure... it can be helpful.

    Thanks in advance!


    Best regards, Dmitry Fitsner
    Tuesday, November 9, 2010 2:51 AM
    Answerer
  • Hi Marcus, Dmitry,

    I'm running Exchange 2010 (not SP1 / no hosting switch) and I've had a number of clients notice this too and have even had them make contact with me wondering if I'd changed my email address because suddenly it's showing as an invalid address in the presence bar/indicator at the top of new emails.

    We also run hosted PBX and VoIP, and for security and privacy reasons, the presence/state of extensions outside an organisation's PBX cannot be monitored, so I had assumed it may have been normal for a multi-tenant environment to know that my address was on the Exchange server but could not be monitored from a presence perspective because of segregated GALs.

    However, if this is a bug, or is something that is fixable, I'd much appreciate knowing how to fix it.

    I'll send you some screenshots via email.

    Kerry

    Tuesday, November 9, 2010 12:06 PM
  • Hi Dmitry,

    same as Kerry: Ex2010 RTM, WSP 1.0.2 in Lab environment (1.0.1 in production environment).

    Steps to reproduce? It might be easier just to show you - as I said, I reproduced in a lab environment - I have no problem giving you access to it.

    M.

    Tuesday, November 9, 2010 5:36 PM
  • Hi Marcus,

    Already trying to reproduce. Thanks.


    Best regards, Dmitry Fitsner Support@ExpertServices.us | WebsitePanel Installations, Support & Consulting | Enterprise Solutions Planning & Deployment & Support
    Tuesday, November 9, 2010 11:44 PM
    Answerer
  • Hi Marcus,

     

    Do you have the same contact e-mail address in the Personal Address Book (as in OAB)?

     

    Can you reproduce it using another machine/Outlook 2010 client?

     

    A lot of WSP users suppose, that problem somehow connected  to a GAL segregation issue… Most probably they are right, but we all just can’t confirm 100% / additional investigation/testing required!

     

    Ok…So… you can try to add some permissions (as shown below) / check. If unhelpful, roll back the changes.

     

    ***Please note, that ExpertServices didn’t test such configuration on Exchange 2010 (it was tested on Exchange 2010 SP1 / without “hosting” switch only + additional configuration steps) - right now... SP1 unsupported configuration.

     

    So, any changes on your own risk.

     

    I would like to recommend you to test on LAB environment only!

     

    Test scenario:

     

    Before… ensure, that you’ve done according to http://help.dotnetpanel.com/DotNetPanel%20Hosted%20Exchange%20Solution/DNP%20Hosted%20Exchange%20Solution%20Pre-Deployment%20Tasks.aspx (Modifying Address Lists Containers)

     

    LIKE:

     

    ***Disable permissions inheritance (uncheck "Include inheritable permissions from this object's parent" in Security > Advanced tab) for CN= All Address Lists, CN=All Global Address Lists and CN= Offline Address Lists containers. – Suppose… already done.

     

    So… Open ADSI Edit.

     

    Connect to Configuration naming context. Navigate CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration.

     

    Right-click -> Properties -> Attribute Editor. Set the property  dsHeuristics to 001 (default value is <not set>).

     

    Restart ADSI console (close/open).

     

    ***For the following containers  All Address Lists, All Global Address Lists, Offline Address Lists make the following:

     

    Add “authenticated users” and grant permission “List objects” and set “Apply to” to “This object only”.

     

    Check outlook client (if it’s possible, restart Outlook / Exchange server box). Make sure, you can’t see another HO information.

     

     

     

    ***We can just suppose, that a lot of Hosting Providers are just disabling the MailTip http://technet.microsoft.com/en-us/library/dd638109(EXCHG.140).aspx :-)

    Set-OrganizationConfig -MailTipsAllTipsEnabled $false

    Outlook 2010 client would not be able to retrieve MailTips: “mailtips could not be retrieved”

    Let’s check settings:

    Get-OrganizationConfig | fl *mailtips*

    MailTipsExternalRecipientsTipsEnabled : False
    MailTipsLargeAudienceThreshold        : 25
    MailTipsMailboxSourcedTipsEnabled     : True
    MailTipsGroupMetricsEnabled           : True
    MailTipsAllTipsEnabled                : False

    Another way is to disable (change to >>> do not display MailTip) under the Outlook client configuration settings.

    Outlook > File > Options > Mail > MailTips

    Please let me know about the results.

     

    Thanks.


    Best regards, Dmitry Fitsner Support@ExpertServices.us | WebsitePanel Installations, Support & Consulting | Enterprise Solutions Planning & Deployment & Support
    Wednesday, November 10, 2010 12:53 AM
    Answerer
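A read-only audit of the settings the post above walks through (dsHeuristics and the permissions on the three address-list containers), added here as an example; it is not part of the original thread or of WebsitePanel. It assumes the ActiveDirectory PowerShell module and read access to the Configuration naming context; the CSV file name is a placeholder.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. dsHeuristics: "List Object" mode is on when the third character is 1.
#    Without it, a "List objects" ACE has no effect on what users can enumerate.
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$heur = (Get-ADObject -Identity $dsDn -Properties dSHeuristics).dSHeuristics
$listObjectMode = [bool]($heur -and $heur.Length -ge 3 -and $heur[2] -eq '1')
"dsHeuristics = '{0}'   List Object mode enabled: {1}" -f $heur, $listObjectMode

# 2. Find the three containers by name instead of hard-coding the
#    Exchange organization name, which differs per deployment.
$names  = 'All Address Lists', 'All Global Address Lists', 'Offline Address Lists'
$filter = '(|' + (($names | ForEach-Object { "(cn=$_)" }) -join '') + ')'
$containers = Get-ADObject -LDAPFilter $filter `
    -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC"

# Principals that reach every tenant; an ACE for one of these that also
# applies to descendants is what defeats address list segregation.
$broad = 'Authenticated Users', 'Everyone', 'ANONYMOUS LOGON'

$report = foreach ($c in $containers) {
    $acl = Get-Acl -Path ("AD:\" + $c.DistinguishedName)
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        New-Object PSObject -Property @{
            Container          = $c.Name
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Identity           = $who
            Type               = $ace.AccessControlType
            # ListObject = "List objects", ListChildren = "List contents" in the GUI
            Rights             = $ace.ActiveDirectoryRights
            AppliesTo          = $ace.InheritanceType   # None = "This object only"
            Inherited          = $ace.IsInherited
            BroadPrincipal     = [bool]($broad | Where-Object { $who -like "*$_" })
        }
    }
}

$cols = 'Container','InheritanceBlocked','Identity','Type','Rights',
        'AppliesTo','Inherited','BroadPrincipal'

# Review these first: ACEs held by tenant-spanning principals.
$report | Where-Object { $_.BroadPrincipal } |
    Select-Object $cols | Sort-Object Container, Identity | Format-Table -AutoSize

# Full DACL dump, suitable for Compare-Object against another lab's export.
$report | Select-Object $cols |
    Export-Csv -Path .\addresslist-dacl.csv -NoTypeInformation
```

Running it before and after each ADSI Edit change gives a record to roll back to and a file that can be diffed between two environments that behave differently.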
  • Hi Dmitry,

    Do you have the same contact e-mail address in the Personal Address Book (as in OAB)?

    No - "clean" setup for testing.

    Can you reproduce it using another machine/Outlook 2010 client?

    Yes - in both cached and online mode.

    ***Please note, that ExpertServices didn’t test such configuration on Exchange 2010 (it was tested on Exchange 2010 SP1 / without “hosting” switch only + additional configuration steps) - right now... SP1 unsupported configuration.

    As I mentioned, my lab environment is Ex2010 RTM - don't know if that's relevant or not.

    Before… ensure, that you’ve done according to http://help.dotnetpanel.com/DotNetPanel%20Hosted%20Exchange%20Solution/DNP%20Hosted%20Exchange%20Solution%20Pre-Deployment%20Tasks.aspx (Modifying Address Lists Containers)

     

    Double- and triple checked. All according to available documentation.

    Please let me know about the results.

    No difference. As I mentioned before, disabling Mailtips (either client or server side) of course takes care of the "no longer valid" message, but the LegacyExchangeDN is still being displayed.

    I should probably say that *my* priority is fixing the display of the legacyExchangeDN. I can live without MailTips, if push comes to shove. Turning off functionality is not cool, but most clients are not aware of MailTips, how they work and what they do anyway.
    That doesn't mean that I'm not interested in a fix, of course :)

    The display of the legacyExchangeDN is a no-go though. No one else is seeing this behaviour?

    M.

     

    Wednesday, November 10, 2010 5:59 PM
  • My Outlook client doesn’t show the legacyExchangeDN attribute (just can't reproduce).

     

    I don’t think, that legacyExchangeDN problem is somehow connected to MailTips issue, but probably connected to environment settings.

     

    My recommendations (test scenario) were connected to MailTips issue***

     

    So, I would appreciate it if someone tested it on a LAB environment (***without legacyExchangeDN issue). It should be checked at least twice (on two different LAB environments)

    So... we will be able to search another solution ;-)

    Marcus,

    Did you try (please see below)?

    >>>Open ADSI Edit.

     

    Connect to Configuration naming context. Navigate CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration.

     

    Right-click -> Properties -> Attribute Editor. Set the property  dsHeuristics to 001 (default value is <not set>).

     

    Restart ADSI console (close/open).

     

    ***For the following containers  All Address Lists, All Global Address Lists, Offline Address Lists make the following:

     

    Add “authenticated users” and grant permission “List objects” and set “Apply to” to “This object only”.

     

    Check outlook client (if it’s possible, restart Outlook / Exchange server box). Make sure, you can’t see another HO information.


    Best regards, Dmitry Fitsner Support@ExpertServices.us | WebsitePanel Installations, Support & Consulting | Enterprise Solutions Planning & Deployment & Support
    Wednesday, November 10, 2010 6:31 PM
    Answerer
  • I'm also having the exact same issue.

    Not sure if there can be some rule to force all contacts to use email address instead of Alias or legacyExchangeDN. Having contacts show up as Alias or legacyExchangeDN is absolutely useless.

    Hope there is a solution soon.

    Thanks!

    Cole

    Wednesday, November 10, 2010 6:37 PM
  • Today I setup a new PC with Outlook 2010 and setup my profile again and can not email people which are in my personal contacts but are part of other organizations we host. I have changed nothing in the configuration. Any updates would be greatly appreciated.

    Thanks, Cole

    Friday, November 12, 2010 4:22 AM
  • Hi Cole,

     

    Did you try to set/change (please see below)?

     

    For the following containers  All Address Lists, All Global Address Lists, Offline Address Lists make the following:

    · Right-click -> Properties -> Security -> Advanced button. Uncheck “Include inheritable permission from this object’s parent” and copy existing permissions.

    · Remove all permission for the following accounts “anonymous logon”, “everyone” and “authenticated users”

    · Add “authenticated users” and grant permission “List objects” and set “Apply to” to “This object only”

     

    Thanks.

     

     


    Best regards, Dmitry Fitsner Support@ExpertServices.us | WebsitePanel Installations, Support & Consulting | Enterprise Solutions Planning & Deployment & Support
    Tuesday, November 16, 2010 12:51 AM
    Answerer
  • Hi Dmitry,

    The 'List Objects' does not appear to be available. Do I need to set the dsHeuristics to 001 before this will show up? Setting the dsHeuristics property was not in the original setup notes for Exchange, is this something new that needs to be done for Exchange 2010 RTM and WebsitePanel?

    Also, I should mention the reason I couldn't email the user from within my own organization is he deleted his mailbox and then recreated it and the internal Alias email address was not setup.

    That said, I'm hoping these permissions issues can solve the email resolutions issues. Once I hear back from you, I will add the permissions.

    Thanks in advance,

    Cole

    Tuesday, November 16, 2010 4:13 AM
  • Hi Cole,

    I would appreciate it if you test it on a LAB environment first (recommended).

    ***There is no working solution yet. We are just trying to check / confirm (all settings on your own risk).

    Please keep me informed.

    Thank you for your understanding.


    Best regards, Dmitry Fitsner Support@ExpertServices.us | WebsitePanel Installations, Support & Consulting | Enterprise Solutions Planning & Deployment & Support
    Tuesday, November 16, 2010 9:47 PM
    Answerer
  • Hi Dmitry,

    I enabled the settings as listed above and did various testing over the last few hours and nothing has changed. I even tried creating a new organization and several new Exchange accounts but the same issues are still there.

    Upon reading more about the dsHeuristics attribute it would seem setting this property to 001 would actually hide more properties.

    To me it seems like all users need to be able to resolve the Exchange Legacy DN property against the GAL to get the email addresses but are not able to because of permissions. I think the GAL needs some extra permission which will allow OWA and Outlook to resolve without showing the whole GAL.

    Also disabling Mailtips has had no effect on existing outlook accounts.

    Hoping to find a solution soon.

    Thanks Cole

    Wednesday, November 17, 2010 6:02 AM
  • Likewise Dmitry.

    I've changed all necessary permissions via ADSI Edit and there's no change to how MailTips presents the "invalid" email addresses.

    I've since rolled all permissions back to how they were previously.

    Also, disabling MailTips ends up delivering a different ongoing error .. something like "MailTips Could Not be Accessed" (not a direct quote, only from memory).

    I would rather have the occasional "invalid email address" error when mailing someone on the Exchange Server who's outside my OU than to have a MailTips error on every single email, so it was rolled back too.

    So essentially, I'm back at square one. Here's hoping we can find an answer to this issue because it causes confusion and concern for some customers.

    Kerry

    Friday, November 19, 2010 11:23 AM
  • Hi,

    We’ve investigated/discussed with some of our customers and you know… we are just unable to reproduce both issues on clean Exchange 2010 SP1 deployment (sure… changing ADSI permissions / without hosting switch).

    However… still able to reproduce on any Exchange production environment updated to SP1.

    Just need to understand differences… and most probably we’ll find solution.

    So... right now, additional investigation time required.

    Thanks.


    Best regards, Dmitry Fitsner Support@ExpertServices.us | WebsitePanel Installations, Support & Consulting | Enterprise Solutions Planning & Deployment & Support
    Tuesday, November 23, 2010 9:38 PM
    Answerer
  • Thanks Dmitry, but please remember, most of the hosters in this thread are not using Exchange 2010 SP1. We're simply using the original release of Exchange 2010, and in my case, I'm still using DNP, not WSP.

    Kerry

    Tuesday, November 23, 2010 9:56 PM
  • Thank you for your reply.

    I know. Just trying to test any possible solutions.

    Thanks.


    Best regards, Dmitry Fitsner Support@ExpertServices.us | WebsitePanel Installations, Support & Consulting | Enterprise Solutions Planning & Deployment & Support. Website: expertservices.us
    Monday, November 29, 2010 6:08 PM
    Answerer
  • Hi Dmitry,

    any news? Anything I can do to help/test ?

    Btw: Outlook 2007 displays the legacyExchangeDN as well (for members of "foreign" orgs).

    Thx - Marcus.

    Monday, December 20, 2010 9:05 PM
  • Hi Marcus,

    Hmm.. unfortunately... the one right way how to resolve is to update to SP1 (sure, you can update to SP1, but on your own risk, I'm still testing).

    As I noted before... everything is working fine on clean Exchange SP1 deployment (without hosting switch).

    Thanks.


    Best regards, Dmitry Fitsner Support@ExpertServices.us | WebsitePanel Installations, Support & Consulting | Enterprise Solutions Planning & Deployment & Support. Website: ExpertServices.us
    Tuesday, December 21, 2010 9:07 PM
    Answerer
  • I did some testing in my lab environment:

    Guess what: legacyExchangeDN problem gone !

    • created additional users in both orgs and verified Outlook and OWA functionality (GALs, ALs etc)

    I did not test/verify: Outlook Anywhere functionality

    Can someone verify these results in their lab or test environment ?

    Also: if someone has an Exchange RTM test environment already set up, it'd be interesting to see if the solution is the AD hack only, or if it's a combination of Ex SP1 and the AD hack (my lab environment is running out of disk space so I couldn't do any VM snapshots - meaning I'd have to do a complete reinstall to test this :( ).

    Thx - Marcus.

     

    • Edited by MarcusB Saturday, January 1, 2011 9:55 PM content corrected - see below
    Thursday, December 30, 2010 11:13 PM
  • Hi Marcus,

    In your 6th step you say you installed Exchange 2010 RTM, did you mean you installed Exchange 2010 SP1? If not, what was the difference between Step 2 "installed Exchange 2010 RTM (typical, with 2003 support)" and Step 6 "installed Exchange 2010 RTM"?

    I have several lab environments setup and I would like to test this ASAP if you can clarify what I need to do.

    Thanks in advance!

    Cole 

    Saturday, January 1, 2011 8:49 PM
  • Hey Cole,

    sorry - my bad (typo).

    Step 2 is "Installed Ex2010 RTM" (i.e. no service pack)
    Step 6 should be "Installed Ex2010 SP1"

    Again, sorry 'bout that ...

     

    Saturday, January 1, 2011 9:54 PM
  • Hey Marcus,

    I implemented Omar's AD permissions on an Exchange 2010 RTM installation and was able to get the LegacyExchangeDN to resolve to the proper addresses. I tested using Outlook 2010 via Outlook Anywhere.

    I then installed SP1 to see if all stayed the same and it did.

    I did notice that there were some issues in OWA where if I tried to add the sender to my contacts I get the error "No match was found for one or more people or addresses. This may be because the people or addresses no longer exists." and if I click on the properties of the sender I get an access denied error.

    I also noticed that I can see all organization address lists in Outlook 2010 but could only see the users in mine. If I tried to access the other organization address lists I received the error 'The Bookmark is invalid'. I then checked the 'All Users' address book and every organization's users are showing up in there including the administrator user and Discovery Search Mailbox.

    I also noticed that if scheduling an meeting you are able to see the other users free/busy time. Perhaps not a big deal to some but something I noticed.

    Lastly, I tried to download the offline address book and received an error. This could be related to something else.

    Are you seeing any of the above issues with your lab environment?

    Thanks Cole

     

    Sunday, January 2, 2011 3:01 AM
  • I managed to fix a couple of the issues:

    The issue where I can see all organization address lists in Outlook 2010 was fixed by removing the 'Authenticated Users' security group which has the 'List Contents' permissions, not inherited which is applied to 'This object and all descendant objects' on the 'Address Lists Container' using the ADSI tool.

    Also, the OAB was fixed as I needed to generate the OABs for the organizations.

    Also, the new users were being created with the ExchQueryBaseDN but this was fixed by implementing the App Key setting described in http://social.msdn.microsoft.com/Forums/en-US/wspentsupport/thread/f4db8636-a3a3-4c1c-93dd-82390f9d1d8f

    So the only really important thing left would be to get OWA to show the correct address when double clicked as opposed to the "Access Denied" error.

    I have not tested in Outlook 2007 using Outlook Anywhere yet.

    Cheers, Cole

    Sunday, January 2, 2011 9:06 PM
  • Confirmed this also works in Outlook 2007 with Outlook Anywhere.
    Monday, January 3, 2011 2:46 AM
  • Just noticed that I can not delete/move any emails from in OWA since SP1 was installed. I checked the most common causes of the issue and none of the resolutions seem to apply to my configuration.
    Tuesday, January 4, 2011 2:19 AM
  • Hi Cole,

    Not good. You and I are getting inconsistent results.

    I did notice that there were some issues in OWA where if I tried to add the sender to my contacts I get the error "No match was found for one or more people or addresses. This may be because the people or addresses no longer exists." and if I click on the properties of the sender I get an access denied error.
    Confirmed.
    I also noticed that I can see all organization address lists in Outlook 2010 but could only see the users in mine. If I tried to access the other organization address lists I received the error 'The Bookmark is invalid'. I then checked the 'All Users' address book and every organization's users are showing up in there including the administrator user and Discovery Search Mailbox.
    Confirmed.
    I also noticed that if scheduling an meeting you are able to see the other users free/busy time.
    Confirmed.
    Just noticed that I can not delete/move any emails from in OWA since SP1 was installed. I checked the most common causes of the issue and none of the resolutions seem to apply to my configuration.
    Nope - works fine here. Both delete and shift-delete as well as move.
    The issue where I can see all organization address lists in Outlook 2010 was fixed by removing the 'Authenticated Users' security group which has the 'List Contents' permissions, not inherited which is applied to 'This object and all descendant objects' on the 'Address Lists Container' using the ADSI tool.

    that DACL doesn't exist in my environment (??).

    More headscratching: I was messing around with some other entries and all of a sudden the free/busy info was hidden on the "foreign" users. I retraced my steps (to figure out which permission caused this) and un-did the edits, but the free/busy info is still gone. I know, sounds weird, but I'm positive I reverted everything back.

    Would it be too much to ask if I sent you a list with all the DACLs in my lab and if you could compare them to your environment?

    Thx - M.

     

    Tuesday, January 4, 2011 11:06 PM
  • I managed to fix the issue with OWA where I could not delete the emails. I had previously removed the loopback binding on the default website which I believe was causing the issue. I actually recreated the environment again and did not remove them and everything worked correctly after SP1 update.

    Sure, send them over to support AT vdatasystems.com and I will do a comparison. I'm very curious to know what the change is to hide the Free/Busy info too.

    Cheers, Cole

    Wednesday, January 5, 2011 2:13 AM
  • Kindly check this site http://forums.msexchange.org/m_1800542177/mpage_1/key_/tm.htm#1800542177

    There are nice solutions there; I tested it.


    Mohamed Abd Elhamid Abd Elaziz Microsoft System Administrator My blog: http://Mabdelhamid.wordpress.com/

    • Proposed as answer by M.Abdelhamid Sunday, November 11, 2012 6:06 AM
    Sunday, November 11, 2012 6:06 AM