Consider non-hierarchical restriction checking

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2005-11-18

The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the value of the serialNumber attribute for each Exchange Server object in the directory. If the Exchange Server Analyzer finds that the value for the serialNumber attribute for an Exchange Server 2003 server object contains Service Pack 2 in its string value, the Exchange Server Analyzer then reads the following registry key to determine whether the CheckConnectorRestrictions registry value is present and configured:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Resvc\Parameters

This condition indicates that the server checks sending and receiving restrictions before letting a message to be processed.

If the Exchange Server Analyzer finds that the value for CheckConnectorRestrictions is present, set to 1, and therefore enabled, the Exchange Server Analyzer also reads the HKLM\System\CurrentControlSet\Services\MSExchangeTransport\Parameters\RestrictionMethod registry key to determine whether the RestrictionMethod registry value is present and how it is configured.

If the Exchange Server Analyzer finds that the RestrictionMethod registry value is missing or set to a value other than 2, the Exchange Server Analyzer displays a best practice message.

In summary, the Exchange Server Analyzer displays a best practice message if the following conditions are true:

• The Exchange Server 2003 server has SP2 installed.

• The CheckConnectorRestrictions registry value from HKLM\System\CurrentControlSet\Services\Resvc\Parameters is configured to use a distribution list-based restriction to a connector on the local computer.

• The RestrictionMethod registry value from HKLM\System\CurrentControlSet\Services\MSExchangeTransport\Parameters\RestrictionMethod is missing or set to a value other than 2.

The RestrictionMethod value determines how the categorizer will process restrictions. The default behavior for the categorizer is to recursively expand distribution groups and check restrictions for each message that passes through the system. This default categorizer behavior can significantly affect performance and is not a best practice.

If you set the value of RestrictionMethod to 2, the transport components on this Exchange server will not expand membership of distribution groups when the server checks restrictions. This configuration provides the best performance for restriction checks. Additionally, for the RestrictionMethod registry entry to take effect, all distribution groups that include users who have delivery restrictions must be flat. That is, the restricted distribution groups must not have nested distribution groups. The expansion logic will not work if the restricted distribution groups are nested.

For distribution groups that are used in connector restrictions, it is recommended that you set the RestrictionMethod registry entry value on a connector bridgehead server that has no mailboxes. For Active Directory user restrictions, if the restricted distribution groups have expansion servers, we recommend that you create the RestrictionMethod registry entry on the expansion servers.

Important

This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.

To create the RestrictionMethod registry entry and set its value of 2

1. Open a registry editor, such as Regedit.exe or Regedt32.exe.

2. Navigate to: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\Parameters

3. In the left pane, click Parameters.

4. On the Edit menu, point to New, and then click DWORD Value.

5. Type RestrictionMethod, and then press ENTER to name the new registry entry.

6. Right-click RestrictionMethod, and then click Modify.

7. Type 2, and then press ENTER.

8. Quit Registry Editor.

Before you edit the registry, and for information about how to edit the registry, see Microsoft Knowledge Base article 256986, "Description of the Microsoft Windows registry" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=256986).

For more information about the RestrictionMethod registry value, see Microsoft Knowledge Base article 895407, "In Exchange Server 2003, message delivery to local mailboxes and to external mailboxes is slower than you expect after you configure delivery restrictions based on distribution groups" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=895407).

For more information about the registry value, see Microsoft Knowledge Base article 277872, "XCON: Connector Delivery Restrictions May Not Work Correctly" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=277872).