CRITICAL UPDATE - Exchange 2010 Address List Segregation and Current Support Stances
Back on Wednesday, January 06, 2010 I published the following blog: Exchange 2010 Address List Segregation – Update. In this blog I made the following statement: "I think you will be happy to know that I am towards the end of wrapping up the Exchange 2010 Address List Segregation white paper. I will post another update as soon as we are finished with the editing and when it will be posted." After working with development we agreed to post this blog to state a few things:
- We all know and agree that many customers are looking for this whitepaper to be completed. This *IS* a top priority for us, however this is going to take some time to complete.
- There is *NO* guarantee that the whitepaper will be completed by the release of SP1 for Exchange 2010 which is targeted for the 2nd half of the 2010 calendar year.
I need to mention the support stances here.
- There is *NO* support for Exchange 2003 address list segregation.
- There is *NO* supported upgrade path from Exchange 2003 address list segregation to anything.
- If you have a mixed organization (Exchange 2003 and Exchange 2007) you must have everything on Exchange 2007 for you to be in a supported configuration. For more information on this please see this blog: http://blogs.msdn.com/dgoldman/archive/2008/02/17/exchange-2007-address-list-segregation-document-updates.aspx This blog clearly defines the support stance and what needs to be done to migrate.
- There *IS* support for a native organization using Exchange 2007 and address list segregation if you have followed the Exchange 2007 address list segregation whitepaper.
- There is *NO* supported upgrade path from Exchange 2007 using Address List Segregation to Exchange 2010 using Address List Segregation.
- There is *NO* support at this current time for Exchange 2010 using Address List Segregation until the whitepaper has been approved and published to the web.
- If you are using the 2007 address list segregation whitepaper to host customers and you run into a problem, you will be told that you are using an unsupported configuration. At this point you will need to remove the address list segregation in order to receive support. This is documented in the 2007 Address List Segregation whitepaper: http://technet.microsoft.com/en-us/exchange/bb936719(EXCHG.80).aspx#Unsupp
“It is also important to understand that any attempt to use this whitepaper to configure Exchange 2007 for a commercial "hosting" solution is not supported. This whitepaper is not a replacement for the Microsoft HMC (Hosting and Collaboration) software. The information that is provided in this whitepaper is meant for internal segregation use only.”
If you are planning on using Exchange 2010 and you currently have Exchange 2007 using Address List segregation *YOU MUST* remove all address list segregation from your organization to avoid running into the bug that we are currently working on at this time. PLEASE HEED THIS WARNING!!
In order to revert your organization back to the default Exchange installation permission set you can follow these blogs: http://blogs.msdn.com/dgoldman/archive/2007/05/16/missing-permissions-on-the-address-lists-container-breaks-the-oab-generation-process.aspx and http://blogs.msdn.com/dgoldman/archive/2008/04/03/how-to-prepare-your-organization-for-exchange-2007-address-list-segregation.aspx
I mentioned that I would speak about the nature of this problem. Due to the architectural changes in Exchange 2010, Address Book queries are performed differently than in prior versions of Exchange. I am not going to explain this in full, however you can view this blog for those new component changes: http://blogs.msdn.com/dgoldman/archive/2010/03/15/exchange-2010-address-list-segregation-update.aspx
The problem that I ran into was that if you already had the deny permission set on the default global address list from using the 2007 Address List segregation white paper and you have installed Exchange 2010, the Exchange server will not have the ability to read the default global address list. At this point the default global address list object would be removed from all of the objects' showInAddressList attribute. Here is what happens once this occurs:
- Users will start missing from the default global address list
- Users in their respective companies will no longer show up in that company's global address list
- Users can show up in another company's global address list
- Outlook users crash upon logging in to their mailbox
Your only option to fix this:
- Keep your Exchange 2010 servers intact.
- You will need to reset the ACLs on the default global address list. This means you will need to reapply the 'Read' and 'Open Address List' permissions for the Authenticated Users group.
- You will need to open up PowerShell and run the following command "Update-GlobalAddressList"
- Run Get-Mailbox | Set-Mailbox -ApplyMandatoryProperties
WARNING: In the event that this does not fix it for any objects in your organization this becomes a manual fix from here. You will need to look up the object that is still having a problem using ADSIEdit.msc and look at the showInAddressList attribute. You will need to add the legacyExchangeDN for the default global address list and this will fix the problem for that object.
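The recovery steps above, written out as an Exchange Management Shell sequence. This is an added example, not part of the original post or the Product Group's guidance; it goes slightly beyond the listed steps by first reporting leftover Deny ACEs and by counting GAL members afterwards. It assumes the GAL still has its default name and that 'Open-Address-Book' is the extended-right name behind the "Open Address List" permission.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2010
# server with organization-level rights.
# Assumptions: default GAL name; 'Open-Address-Book' is the extended right
# shown in the UI as "Open Address List".
$gal = Get-GlobalAddressList -Identity 'Default Global Address List'
$dn  = $gal.DistinguishedName

# Audit first: explicit Deny ACEs left over from address list segregation.
# A Deny entry overrides any Allow that is reapplied below, so review these.
$deny = @(Get-ADPermission -Identity $dn |
    Where-Object { $_.Deny -and -not $_.IsInherited })
$deny | Format-Table User, AccessRights, ExtendedRights -AutoSize
if ($deny.Count -gt 0) {
    Write-Warning "$($deny.Count) explicit Deny ACE(s) remain on $dn"
}

# Reapply 'Read' and 'Open Address List' for Authenticated Users.
Add-ADPermission -Identity $dn -User 'NT AUTHORITY\Authenticated Users' `
    -AccessRights GenericRead -ExtendedRights 'Open-Address-Book'

# Recalculate membership of the default global address list.
Update-GlobalAddressList -Identity $dn

# Re-stamp mandatory properties on every mailbox.
# -ApplyMandatoryProperties is the Set-Mailbox switch name.
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -ApplyMandatoryProperties

# Verify: compare mailboxes stamped with the default GAL against all mailboxes.
# Any shortfall points at objects that need the manual fix.
$total   = @(Get-Mailbox -ResultSize Unlimited).Count
$stamped = @(Get-Recipient -ResultSize Unlimited -RecipientType UserMailbox `
    -Filter "AddressListMembership -eq '$dn'").Count
"{0} of {1} mailboxes are members of the default GAL" -f $stamped, $total
```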
NOTICE: This blog has been approved by the Microsoft Exchange Product Group.