I was escalated a call today from one of my team members whom had found a user whom had left the company and then rejoined. Due to our Mailbox retention policy we still had the old mailbox within the store (with the AD Account Disabled and hidden from the Global Address List) – therefore their account had been re-enabled, unhidden and after the usual period of replication the mailbox sprang to life in the store.
You may well be forgiven for thinking “well that’s nice – fine and dandy what’s your point?” but an issue manifested itself whereby the user did not appear in the Global Address List – therefore the user could not logon to Outlook nor OWA.
My team member had checked the usual things (e.g. that the Hide from Address lists check box had been unchecked and that Replication had taken place) however the user still would not appear in the GAL.
I had a little think and arrived at the conclusion that the only possible answer must lie within the RUS.
Why would I suspect the RUS?
Well the odd thing is that it kind of came to me, essentially we are currently running a Co-Existence (Exchange 2003 / 2007) environment (yes… still… I know its a pain in the arse – but they will not give me the time to complete this migration in work time therefore it is happening during the off hours).
Additionally the user mailbox concerned was still resident within the Exchange 2003 clusters – therefore still under the remit of the Exchange 2003 RUS.
Before I go on I would like to explain a little about the RUS within and “Interop” or “Co-Existence” environment with Exchange 2007.
In the old days RUS was used to find and configure recipients.
Recipients (contacts, DL’s and Mailboxes) created within the Exchange enabled Active Directory Users and Computers are referred to as “partially provisioned” – essentially they have a few properties set by ADUC – however the other key properties are retrospectively and asynchronously completed via the RUS.
Within an Co-Existence model – Exchange 2003 based recipients will have the following properties configured by the RUS:
- Sets the proxyAddresses attribute for users based on recipient policies. It may not set it if the proxyAddresses attribute has been manually added
- Sets other mail attributes, such as textEncodedORAddress and mail
- Sets the showInAddressBook attribute based on the address lists that are present
- Sets the homeMDB, homeMTA, and msExchHomeServerName attributes
- Sets the msExchMailboxGuid attribute
- Sets the legacyExchangeDN attribute
- Sets the displayName attribute to the value of the mailNickname
- Groups that have the hideDLMembership set to true the RUS provisions some special access control entries on the group to restrict viewing the membership
- Configures an ACL on the “cn=Microsoft Exchange System Objects container within the configuration partition in AD to show delegated admin rights that are configured by the Exchange Delegate Wizard
- Maintains the members of the Exchange Enterprise Servers group
However for pure Exchange Exchange 2007 recipients most of the above has been dispensed with – essentially recipients are fully configured when the are created via the EMC or the EMS.
That being said the same logic which defines the above properties still exists in Exchange 2007 but is contained within the cmdlets that create the recipients.
Right back to the film – why I think that my Mailbox user was not showing due to the RUS
As I mentioned above I had a gut feeling that my problem was linked to the RUS – upon reviewing the Event Logs on the Exchange 2003 server which is responsible for hosting the RUS I found the following – interesting – events;
The key point of note in the above entry is “showInAddressBook” and correlating that with the native RUS activity of “showInAddressBook” essentially the MSExchangeAL (Part of the RUS) was reporting that it did not have the correct permissions when trying to update the “showInAddressBook” property within Active Directory (this would explain why the tickbox was un-ticked – but nothing was happening) another major clue was contained within a separate entry in the Event Log:
This suggested to me that the account that we were having problems with was not inheriting the default permissions that it should from the Directory Hierarchy.
In order to troubleshoot this I opened up ADUC and changed the view to “Advanced Features” (Open ADUC -> View -> Advanced Features) and then choose the “Security” tab and clicked on “Advanced” button which revealed the following:
As you can see on the above example the user concerned does not have the “Allow inheritable permissions from the parent to propagate to this object and all child objects…” check box set.
I checked the box above, allowed for both Directory Replication and indeed the RUS processes to run and the user then appeared in the Global Address List.
Interestingly enough not having the above check box can also cause problems for Exchange 2003 accounts that are then moved to Exchange 2007 when accessing OWA 2007.
I am not at this stage sure as to why the above might cause problems within an Interop environment (if anyone from the Exchange team is reading this and can shed some light on the situation that would be great) – but – I have also developed two scripts where script 1 will cycle through your AD environment and locate all accounts which suffer from the above and produce a report of all the account effected by the issue and the second script will take the output of the first script and fix the problem – both of which are downloadable from here:
Check for Accounts not inheriting permissions [1KB]
Fix for Accounts not inheriting permissions [1KB]
The default location for the report from script 1 (which is the input file for script 2) is placed in C:\Report.txt – in order to use the scripts download them to your Exchange server and then double click on them – each script will tell you when they are completed.
Note: If you intend to use the Fix Script you will have to of run the Check script
I hope that you find the above useful.
Hi Andy
I’ve seen this a few times – the issue with unticking the inhertited permissions is that it removes the “Exchange Servers” legacy group from the account and so the servers themselves can’t read the account info – hence no OWA or updates.
When you retick the box that group gets added back et voila.
You may want to check the “exact” differences by ubchecking and rechecking the box but essentially its rmeoving teh exchange legacy groups that does it.
HTH
Phil
By: Philip Flint on August 6, 2008
at 12:37 pm
Hi Andy !
your blog is great , love it.
i’ve encountered this serveral times now with implementations of exchange 2007 , same as you i do not know the nature of this..
with powergui , dmitry has some nice powershell cmdlets to solve this , and we know we love that
http://dmitrysotnikov.wordpress.com/2008/06/04/find-and-fix-broken-inheritance/
check it out.
By: ilantz on August 7, 2008
at 9:05 pm
LOL – Indeed – I am a fan of Dmitry’s stuff (and I love PowerGUI) – I have to admit when I blogged about this I thought that it was a unique situation, I was wrong – if anyone has updates where this occurs please keep em comin – the more the better – so it helps us all out.
By: Andy Grogan on August 7, 2008
at 9:25 pm
[...] The Recipient Update Service and Exchange 2007 – it broke a bit (Event IDs 8270 & 8315)… [...]
By: Weekend reading - subject: exchange on August 8, 2008
at 4:47 pm
[...] ran into a RUS problem that was similar to the problem posted by Andy at http://telnetport25.wordpress.com/ Fortunately for me, Andy had just posted his problem and solution less than a day before I ran [...]
By: Configuring Exchange 2007 « My Experiences with Exchange 2007 on August 12, 2008
at 1:56 am