Recipients Lists
In this post I will describe how recipient lists, such as address lists and distribution lists, behave in Exchange Server 2007, what to do with existing lists from Exchange Server 2003, and offer some advice on issues you may experience.
Distribution Lists Types
Most of the distribution list types available in Exchange Server 2007 will be familiar if you have worked with Exchange Server 2003, as we can see below:
- Universal Distribution Group: This is the primary type of distribution group you will use for sending messages to large groups of recipients. You cannot assign permissions to this type of group.
- Universal Security Group: You can use this type of group both to assign a group of recipients access permissions to resources in Active Directory and to send messages to all the recipients in the group.
- Non Universal Group: These are groups created in Exchange Server 2003. You will have limited access to them. You should change the scope of the group or create a new one with universal scope so they can become a universal group.
- Dynamic Distribution Group: This type of group doesn't have a static list of recipients. It uses recipient filters to generate its membership when a message is sent to the group. Every time you send a message to this group, Exchange queries Active Directory. These groups are useful but should be used carefully: every time a message is sent to one of them you should expect increased processor/disk/network activity.
Automatic Group Conversion
By definition, universal distribution groups and universal security groups are groups of recipients that are created to expedite the mass sending of e-mail messages and other information. However, unlike universal distribution groups, universal security groups can also be used to assign permissions. In Exchange, only the Active Directory objects that have security principals can be used to grant permission to a public folder or to a mailbox folder. However, it is possible for an Outlook user to use a universal distribution group to grant permission to a public folder or to a mailbox folder. In this case, the universal distribution group is automatically converted to a universal security group by the Information Store service. This is the default behavior in Exchange Server 2007. It can potentially grow the users' security tokens.
It is possible to modify this behavior to prevent the automatic conversion of universal distribution groups to universal security groups. The msExchDisableUDGConversion attribute of your Exchange Organization object in Active Directory controls how the Information Store service responds to requests for conversion of universal distribution groups to universal security groups. The following are the acceptable values for the msExchDisableUDGConversion attribute, which you can edit with the ADSI Edit tool:
- 0: Universal distribution groups are automatically converted to universal security groups when they are used to grant permissions to public folders or mailbox folders.
- 1: Outlook cannot request the conversion. However, Exchange system processes can still convert a universal distribution group to a universal security group (e.g. Exchange upgrade).
- 2: Automatic conversions do not occur.
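To see which of these values is in effect before changing anything, the attribute can be read without opening ADSI Edit. The following is an added example, not code from the original post; it assumes the Exchange Organization object sits directly under CN=Microsoft Exchange,CN=Services in the configuration partition with object class msExchOrganizationContainer, and it treats an unset attribute as the default behaviour (0) described above.

```powershell
# Added example: read-only check of msExchDisableUDGConversion on the
# Exchange Organization object. Needs read access to the configuration partition.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
$searcher.SearchScope = "OneLevel"
$searcher.Filter      = "(objectClass=msExchOrganizationContainer)"
[void]$searcher.PropertiesToLoad.Add("name")
[void]$searcher.PropertiesToLoad.Add("msExchDisableUDGConversion")

# Meanings exactly as listed in this post.
$meaning = @{
    0 = "UDGs are converted automatically when used to grant folder permissions"
    1 = "Outlook cannot request conversion; Exchange system processes still can"
    2 = "Automatic conversions do not occur"
}

foreach ($org in $searcher.FindAll()) {
    $props = $org.Properties   # keys in a search result are lower-case
    if ($props.Contains("msexchdisableudgconversion")) {
        $value = [int]$props["msexchdisableudgconversion"][0]
        $state = "set"
    } else {
        # Assumption: an unset attribute means the default behaviour (0).
        $value = 0
        $state = "not set"
    }
    if ($meaning.ContainsKey($value)) { $text = $meaning[$value] }
    else { $text = "value not listed in this post" }

    "{0}: msExchDisableUDGConversion = {1} ({2}): {3}" -f `
        $props["name"][0], $value, $state, $text
}
```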
Exchange Server 2003 Coexistence
The Dynamic Distribution Groups created in Exchange Server 2003 won't be displayed in the management console. This is because Exchange Server 2003 uses an LDAP filter for them while Exchange Server 2007 uses an OPATH filter. To find which dynamic distribution groups need an upgrade, run the Exchange Management Shell cmdlet Get-DynamicDistributionGroup | Format-List Name,*RecipientFilter*,ExchangeVersion and look for these properties:
- LDAPRecipientFilter: Populated but RecipientFilter is empty (Exchange Server 2003 doesn't populate RecipientFilter);
- RecipientFilterType: Legacy;
- ExchangeVersion: 0.0 (6.5.6500.0)
In order to solve this issue you have to set the RecipientFilter property by using the cmdlet Set-DynamicDistributionGroup -RecipientFilter {... } -ForceUpgrade:$true (the parameter -ForceUpgrade will disable the compatibility notification). After the upgrade you will be able to manage the Dynamic Distribution Groups using only the Exchange Management Console.
Distribution Lists with Global or Domain Local scope cannot be created in Exchange Server 2007. Preexisting mail-enabled non-universal groups will be kept but you will have limited management capabilities. Using mail-enabled non-universal distribution groups may lead to unpredictable membership expansion. This is due to the way group membership is replicated across Global Catalogs in multi-domain environments. In order to have full compatibility you should change the scope of the group or create a new one with universal scope.
Distribution Lists Common Issues
Two common issues that you may experience are that mail sent to a distribution list from an e-mail address external to your organization is not delivered, or that you can't see the distribution list at all in the Exchange Management Console.
On the first issue, this behaviour generally occurs if the option "Require that all senders are authenticated" is enabled in the distribution list properties, under Mail Flow Settings, Message Delivery Restrictions. This flag refuses all mail from non-authenticated senders. The issue can be easily tested by using a telnet session or Outlook Express to send a message over a non-authenticated SMTP session. It can be solved from the Exchange Management Console as described above or through the Exchange Management Shell cmdlet Set-DistributionGroup -RequireSenderAuthenticationEnabled $false.
The second issue occurs if the group scope is Global or Domain Local. It can be easily checked using Active Directory Users and Computers. It can be solved by changing the group scope to Universal or by creating a new group with Universal scope.
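Both issues can be checked for every group in one pass from the Exchange Management Shell. This is an added example, not part of the original post; it only reads data, and it assumes that Get-DistributionGroup returns non-universal groups with the RecipientTypeDetails value MailNonUniversalGroup. The last listing is the reverse view of the first issue: the groups that currently accept mail from unauthenticated senders.

```powershell
# Added example (read-only): report on the two distribution list issues above.
function Get-DistributionGroupIssueReport {
    Get-DistributionGroup -ResultSize Unlimited |
        Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails,
            # Issue 1: mail from non-authenticated senders is refused.
            @{ Name = 'RejectsUnauthenticated'
               Expression = { $_.RequireSenderAuthenticationEnabled } },
            # Issue 2: Global or Domain Local scope (assumed type value).
            @{ Name = 'NonUniversalScope'
               Expression = { $_.RecipientTypeDetails -eq 'MailNonUniversalGroup' } },
            # Security-enabled universal groups can also carry permissions.
            @{ Name = 'UniversalSecurityGroup'
               Expression = { $_.RecipientTypeDetails -eq 'MailUniversalSecurityGroup' } }
}

$report = @(Get-DistributionGroupIssueReport)

Write-Host "Groups that refuse unauthenticated (external) senders:"
$report | Where-Object { $_.RejectsUnauthenticated } |
    Sort-Object Name | Format-Table Name, PrimarySmtpAddress -AutoSize

Write-Host "Groups with Global or Domain Local scope (change to Universal):"
$report | Where-Object { $_.NonUniversalScope } |
    Sort-Object Name | Format-Table Name, RecipientTypeDetails -AutoSize

Write-Host "Groups that accept mail from unauthenticated senders:"
$report | Where-Object { -not $_.RejectsUnauthenticated } |
    Sort-Object Name |
    Format-Table Name, PrimarySmtpAddress, UniversalSecurityGroup -AutoSize
```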
Address Lists Types
An address list is a collection of recipients and other Active Directory objects. Each address list can contain one or more types of objects (e.g. users, contacts, groups, public folders, conference rooms and other resources). You can use address lists to organize recipients and resources, making it easier to find the recipients and resources you want. Address lists are updated dynamically. Therefore, when new recipients are added to your organization, they are automatically added to the appropriate address lists. Address lists reside in Active Directory, so mobile users who are disconnected from the network are also disconnected from these server-side address lists. However, you can create Offline Address Books for users who are disconnected from the network. These can be downloaded to a user's hard disk drive. Frequently, to conserve resources, Offline Address Books are subsets of the information in the actual address lists that reside on your servers.
When users want to use their client application to find recipient information, they can select from available address lists. Several address lists, such as the Global Address List, are created by default. Exchange Server 2007 contains the following default address lists, which are then automatically populated with new users, contacts, groups, or rooms as they are added to your organization:
- Global Address List: This address list contains all recipients in the organization. During setup, Exchange creates various default address lists. The most familiar address list is the Global Address List. By default, it contains all recipients in an Exchange Organization. In other words, any mailbox-enabled or mail-enabled object in an Active Directory forest that has Exchange installed is listed here. For ease of use, it is organized by name, not by e-mail address.
- All Contacts: This address list contains all contacts in your organization. Contacts are those recipients who have an external e-mail address. If you want a contact's information to be available to all users in your organization, you must include the contact in the GAL.
- All Groups: This address list contains all mail-enabled groups in your organization. A mail-enabled group is a group of recipients created to expedite the mass e-mailing of messages and other information. When an e-mail message is sent to a mail-enabled group, all members of that group receive a copy of the message.
- All Rooms: This address list contains all resources that have been designated as a room in your organization. Rooms are resources in your organization that can be scheduled by sending a meeting request from a client application. The user account that is associated with a room is disabled.
- All Users: This address list contains all mail-enabled and mailbox-enabled users in your organization, including equipment mailboxes. A mail-enabled user represents a user outside your Exchange Organization with an external e-mail address. All messages sent to mail-enabled users are routed to this external e-mail address. A mail-enabled user is similar to a contact, except that a mail-enabled user has Active Directory logon credentials and can access resources. A mailbox-enabled user, as mentioned before, has a mailbox in your Exchange Organization and, obviously, Active Directory credentials. Last but not least, Equipment Mailboxes work like Rooms but relate to video or audio equipment you may want to reserve, and so they also have a disabled Active Directory user.
- Public Folders: This address list contains all mail-enabled public folders in your organization. Access permissions determine who can view and use the folders. Public folders are stored on computers running Exchange.
Populating Address Lists
Address lists are no longer dependent on the Recipient Update Service. In earlier versions of Exchange, the Recipient Update Service (a component within the System Attendant service) updated the address lists and e-mail addresses in Active Directory. In Exchange Server 2007, changes to e-mail addresses and address lists are applied directly to Active Directory. As a result, when changes are made to address lists, you can immediately see the changes in Active Directory Users and Computers without having to wait for the Recipient Update Service to perform the update.
In Exchange Server 2003 and Exchange Server 2000, the graphical user interface for filtering address lists was complex, containing nested lists that had hundreds of properties. In Exchange Server 2007, the most common filters are defined as precanned filters, which contain a simple and intuitive filter control.
Besides the predefined filters, there were some improvements to customized ones too. For the few administrators whose filtering requirements are not met by precanned filters, you can create custom filters that are defined by using the OPATH filter syntax in the Exchange Management Shell. OPATH is a querying language designed to query object data sources.
Exchange Server 2007 allows you to filter the results of a command by using the recipient type. For example, the Get-User, Get-Recipient, Get-Mailbox, Get-MailUser, Get-Contact, Get-MailContact, Get-Group, Get-DistributionGroup, and Get-DynamicDistributionGroup Exchange Management Shell cmdlets have a -Filter parameter with which you can specify the users or groups to retrieve with the command. When combined with the Set-AddressList or New-AddressList cmdlets, you can specify a set of users or groups to retrieve by using a filter string. This type of filter does not modify any configuration or attributes of objects. It only modifies the set of objects that the command returns.
As said before, any change is applied directly and immediately. However, if you want to apply changes outside working hours, Exchange Server 2007 can schedule the application of address lists for a later time. You can specify when changes to the address list should be applied. You can also specify the amount of time that the tasks should run. If you prefer to do it using the Exchange Management Shell, you can use the Update-AddressList cmdlet to schedule the update or simply apply it with immediate effect.
Address Lists Common Issues
Two common issues that you may experience are that you are unable to edit an address list's properties, or that changes you have made to an address list don't show up when you view it.
On the first issue if address lists have been created using Exchange Server 2003 they must be upgraded in order to be able to modify them using Exchange Management Console. This is due to the fact that Exchange Server 2007 uses OPATH filters based on the Exchange Management Shell instead of using LDAP filters as in Exchange Server 2003. In order to have a list of the address lists which should be upgraded you may use Get-AddressList | Format-List Name,*RecipientFilter*,ExchangeVersion or Get-GlobalAddressList | Format-List Name,*RecipientFilter*,ExchangeVersion Exchange Management Shell cmdlets. If one of the below conditions occurs you will have to upgrade the Address Lists:
- LDAPRecipientFilter: Populated but RecipientFilter is empty (Exchange Server 2003 doesn't populate RecipientFilter);
- RecipientFilterType: Legacy;
- ExchangeVersion: 0.0 (6.5.6500.0)
At least three of the basic Address Lists can be corrected using precanned filters:
- Set-AddressList "All Users" -IncludedRecipients MailboxUsers
- Set-AddressList "All Groups" -IncludedRecipients MailGroups
- Set-AddressList "All Contacts" -IncludedRecipients MailContacts
Others may need custom filters (Public Folders and Global Address List):
- Set-AddressList "Public Folders" -RecipientFilter { RecipientType -eq 'PublicFolder' }
- Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}
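The three legacy conditions are the same for dynamic distribution groups (see Exchange Server 2003 Coexistence above) and for address lists, so one read-only inventory can cover all of them before any filter is rewritten. This is an added example, not code from the original post; the function name is hypothetical and the test on ExchangeVersion assumes the property renders as text starting with "0.0", as shown in the lists above.

```powershell
# Added example (read-only): list every object that still carries an
# Exchange Server 2003 LDAP filter and needs its RecipientFilter set.
function Get-LegacyFilterObject {   # hypothetical helper name
    $sources = @(
        @{ Kind  = 'DynamicDistributionGroup'
           Query = { Get-DynamicDistributionGroup -ResultSize Unlimited } },
        @{ Kind  = 'AddressList'
           Query = { Get-AddressList } },
        @{ Kind  = 'GlobalAddressList'
           Query = { Get-GlobalAddressList } }
    )
    foreach ($source in $sources) {
        $kind = $source.Kind
        & $source.Query |
            Where-Object {
                # Any one of the three conditions marks the object as legacy.
                ($_.RecipientFilterType -eq 'Legacy') -or
                ($_.LDAPRecipientFilter -and -not $_.RecipientFilter) -or
                ("$($_.ExchangeVersion)" -like '0.0*')
            } |
            Select-Object @{ Name = 'Kind'; Expression = { $kind } },
                Name, RecipientFilterType, ExchangeVersion, LDAPRecipientFilter
    }
}

# Keep the old LDAP filter text in view: it is the reference for writing
# the equivalent precanned or OPATH filter during the upgrade.
Get-LegacyFilterObject | Sort-Object Kind, Name | Format-List
```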
On the second issue, since Exchange Server 2007 has no Recipient Update Service, the address lists must be updated manually if you experience the described issue, using the Exchange Management Console or the Exchange Management Shell cmdlet Update-AddressList. If that still doesn't work, you can troubleshoot issues related to the Recipient Update Service API by enabling its diagnostic logging with the cmdlets Get-EventLogLevel MSExchangeAL and Set-EventLogLevel.