Troubleshooting mail transport and distribution groups in Exchange 2000 Server and in Exchange Server 2003

This article contains information about the groups that are used by Microsoft Exchange 2000 and Microsoft Exchange Server 2003 for mail distribution and access control lists (ACLs). This article also lists answers to some frequently-asked questions (FAQ) about how to troubleshoot distribution groups in Exchange 2000 and in Exchange 2003.

Overview of groups that are used by Exchange 2000 and Exchange 2003

The following groups are used by Exchange 2000 and Exchange 2003.

Domain local groups

Domain local groups have the following attributes:

• In a native-mode domain, local groups can contain user accounts, global groups, and universal groups from any domain in the forest and can also contain domain local groups from the same domain.
• In a mixed-mode domain, local groups can contain user accounts and global groups.
• You can assign permissions to local groups only for objects in the domain where the local group exists. You cannot assign permissions to network resources and public folders in other domains.
• You can convert a local group to a universal group when the local group is located in a native-mode domain if there is not another local group nested inside the local group.
• The group object is listed in the global catalog, but the group membership is not listed in the global catalog.
• Microsoft Outlook users in other domains cannot view the full membership of the global group.
• Group membership must be retrieved on demand if expansion occurs in a remote domain.

Domain global groups

Domain global groups limit membership to the local domain where the domain global group is located. Global groups permit one level of nesting. For example, you can have domain global groups that are members of a parent global group. Domain global groups have the following attributes:

• Global groups in native-mode domains can contain user accounts from the same domain and global groups from the same domain.
• Global groups in mixed-mode domains can contain user accounts from the same domain.
• You can assign permissions to global groups for all domains in the forest, regardless of the location of the global group.
• A global group in a native-mode domain can be converted to a universal group if the global group is not a member of any other global group.
• Global groups can contain only recipient objects from the same domain.
• The group object is listed in the global catalog, but the group membership is not listed in the global catalog.
• Outlook users in other domains cannot view the full membership of the global group.
• Group membership must be retrieved on demand if expansion occurs in a remote domain.

Universal distribution groups (UDG)

Universal groups behave most like Microsoft Exchange Server 5.5 distribution lists. Universal groups have the following attributes:

• Universal groups in a native-mode domain can contain user accounts from any domain, global groups from any domain, and universal groups from any domain in the forest.
• Universal groups of the security type, named universal security groups (USGs), can be used only in native-mode domains. Universal groups of the distribution type, named universal distribution groups (UDGs), can be used in mixed-mode and in native-mode domains.
• Outlook users in any domain can view full membership of the distribution group.
• Membership is not retrieved from remote domain controllers.
• Membership modifications incur replication to the global catalog servers.

Query-based distribution groups (QDG)

A query-based distribution group (QDG) is a new feature of Exchange 2003 and is only available in environments where there are only Exchange 2000 servers or only Exchange 2003 servers. A query-based distribution group runs the Lightweight Directory Access Protocol (LDAP) filter on the distribution group every time mail is sent to the distribution group. Query-based distribution groups have the following attributes:

• Query-based distribution groups can have restrictions. You can set restrictions on who can send messages to a query-based distribution group.
• Query-based distribution groups can be nested. You can nest a global group or a universal distribution group in a query-based distribution group.

The membership of the query-based distribution group is formed from an LDAP filter. The following is an example of a filter for a distribution group:

Note There are limitations to using query-based distribution groups with domain controllers that are running Microsoft Windows 2000 Service Pack 3 (SP3) or earlier.

For additional information about how to troubleshoot query-based distribution groups in Exchange 2003, click the following article number to view the article in the Microsoft Knowledge Base:

Distribution groups and global catalog servers

The type of distribution groups that you use is an important consideration. Membership of global group objects is replicated to every domain controller in a forest. However, the membership of global groups can only be visible from domain controllers or global catalogs that are located in the same domain as the group.

Only universal group memberships are replicated across all domains to all global catalog servers in the forest. Microsoft always recommends using universal distribution groups for mail distribution in a multi-domain environment.

The following are two examples that demonstrate the use of distribution groups:

• If you create a global group in domain A, the group object and its membership are replicated in domain A, but only the group object (and not the membership) or member attribute is replicated to domain B. The Exchange message categorizer picks a list of global catalog servers from the DsAccess component to use for expansion of the distribution group. The list of global catalog servers is retrieved from an automatic discovery or a manual hard-coding of global catalog servers.
• An Exchange server named Server1 uses a global catalog from domain A. A user on Server1 sends mail to the global group on domain A. The Exchange message categorizer on Server1 can read the membership of the group and successfully deliver the messages. However, the Exchange server named Server2 uses a global catalog from domain B. If a user on Server2 sends a message to the same group (whose object name is replicated to domain B), the Exchange message categorizer cannot read the member attribute of the group and deliver the message.

Distribution groups, the Exchange message categorizer, and expansion servers

You can use an expansion server to work around the limitation that membership in global groups is not visible outside the home domain of that global group. If you specify an expansion server, and the expansion server uses a global catalog from the home domain of the global group, mail is delivered to that global group.

Note To expand a distribution group that is used in the ACL of a connector, message delivery may fail if the global catalog that Exchange server uses to check the restrictions is a global catalog from the local domain. Microsoft strongly recommends using universal distribution groups for mail distribution in a multi-domain environment.

How the Exchange message categorizer expands a distribution list

When a message is sent to a distribution group, the Exchange message categorizer checks if the distribution group must be expanded locally or remotely. If the expansion server is set to “Any” (without the quotation marks), the sending server expands the distribution group. If the expansion server is set to a specific server, one copy of the message is sent by using SMTP to the specific expansion server for expansion.

The message categorizer of the expansion servers retrieves the list of members from the member attribute of the distribution group. To read from the global catalog, the message categorizer uses the security context of the LocalSystem account that the Simple Mail Transfer Protocol (SMTP) service runs under, and that represents the permission that the Domain\Exchange$ account has. The message categorizer retrieves the list of members and converts the distinguished names (DNs) to Relative Distinguished Names (RDNs), and then runs a batched LDAP search on the global catalog server to retrieve attributes that are required to route mail to recipients.

Distribution groups and restrictions

The following is a list of attributes that are used when you configure restrictions on objects to control whether messages can be sent or cannot be sent to a distribution group:

• The authOrig attribute. The authOrig attribute contains a list of DNs of users who have permission to send to the distribution group.
• The unauthOrig attribute. The unauthOrig attribute contains the list of DNs of users who do not have permissions to send to the distribution group.
• The dlMemRejectPerms attribute. The dlMemRejectPerms attribute contains the DNs of groups that do not have permissions to send to the distribution group.
• The dlMemSubmitPerms attribute. The dlMemSubmitPerms attribute contains the DNs of groups that have permissions to send to a specific group. When sending mail to a distribution group that has a restriction, the message categorizer has to expand the membership of the distribution group, obtain the full list of DNs of the members, and then compare the list of DNs to the list sender’s DNs. An access operation or a deny operation occurs when a DN on both lists match. If a distribution group is nested in another distribution group, the nested distribution is also expanded. If you use distribution groups on a connector, every time a message is sent by using that connector, the distribution group is expanded to retrieve the list of DNs, and the list of DNs is compared with the list of senders’ DNs to generate either an access operation or a deny operation.

Restricted distribution groups in Exchange 2003

Exchange 2003 has a new feature that permits mailbox users or distribution groups to receive e-mail messages only from authenticated users. This feature permits you to restrict inbound Internet e-mail for specific users or for distribution groups. The feature is enabled when you click to select the From authenticated users only check box in Message restrictions settings for an individual user or a distribution group.

When Exchange 2003 expands a distribution group that can only receive mail from authenticated users or can only receive mail from distribution groups that have the msExchRequireAuthToSendTo attribute set to true, the Exchange message categorizer does not permit unauthenticated mail that is sent by using SMTP to the distribution group. Mail to restricted distribution groups is accepted only if the messages are submitted by using the store driver or if the messages are authenticated by using SMTP or if the Resolve anonymous e-mail option is turned on in the SMTP virtual server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Frequently-asked questions about distribution groups in Exchange 2000 and in Exchange 2003

Q1: In what situations is mail not delivered to a global distribution group?

A1: Mail that is sent to a global distribution group is not delivered in a multi-domain environment in any one of the following situations:

• The Exchange server that expands the distribution group is using a global catalog server that is located in a domain that is different from the domain that the distribution group is located in.
• The Exchange server that expands the distribution group is using a global catalog server that does not have the member attribute of that distribution group.

Q2: What if using global groups for mail distribution is the only option in a particular environment?

A2: You can use global groups for mail distribution in a single domain forest or if you specify a particular server as the expansion server for every global group. A global group that has an expansion server that is set to “Any” (without the quotation marks) means that the sending Exchange server expands the global group. This configuration is likely to fail in a multi-domain environment. Additionally, you can also hard-code Exchange to use only the global catalog that has the member attribute of the distribution group.

Q3: When are expansion servers used?

A3: Use expansion servers in environments that have multiple Exchange servers and many distribution groups and nested distribution groups. If a large distribution group contains members that are homed on the same Exchange server, set the expansion server to that local server. By doing so, only one copy of the message is sent to the expansion servers.

Q4: Delivery status notifications or non-delivery reports (NDRs) are not delivered to the distribution group. Why?

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

A4: Exchange server does not send NDRs, read receipts, delivery receipts, or out-of-office messages to members of distribution groups. Delivery status notifications are sent either to the sender of the message or to the owner of the distribution group and NDRs are sent only to the owner of the distribution group. To configure Exchange server to send additional reports to the owner of the distribution group, add the following registry entry, and then set the registry entry to a value of 79: Q5: Are there possible issues that may occur if a firewall exists between Exchange servers in an organization and the firewall does not permit XEXCH50 Extended Simple Mail Transfer Protocol (ESMTP) functionality?

A5: When an Exchange server expands a distribution group, the XEXCH50 component is used to send a BIFINFO component in the message to determine certain items including as expansion servers, report configurations, and sender properties. If a firewall prevents the XEXCH50 component from transmitting the BIFINFO component, you may experience unexpected behavior when Exchange Server expands the distribution group.

Q6: Why does Exchange 2000 Server use global catalogs from outside the Active Directory site when Exchange 2000 Server expands restrictions on a connector that has restrictions that are based on distribution groups?

A6: Although the Exchange 2000 message categorizer component uses the list of global catalog servers that are obtained from the DsAccess component, the list of global catalog servers that Exchange 2000 routing uses for connector restrictions can span outside the Active Directory site.

Q7: Why do members of a distribution group sometimes receive duplicate copies of a message?

A7: If you send a message to a user and to a distribution group that the user is also a member of, two copies of the message are generated. Exchange uses the duplicate detection mechanism in the store to detect duplicate messages based on the message ID and the date in the header to remove one of the duplicate messages. However, if one of the messages is a MIME message and if the other message is a Transport Neutral Encapsulation Format (TNEF) message, Exchange may not detect the duplicate messages and both messages may be delivered to the recipient.

Q8: Why is a message that is sent to an empty distribution group not returned as undeliverable?

A8: By design, Exchange server works this way. If you want to configure Exchange server so that when a message is not delivered, a delivery report is sent to the distribution group owner, use Exchange System Manager to configure the group to use the Send delivery reports to group owner option or to use the Send delivery reports to message originator option. For more information about how to do so, see the "delivery reports" topic in Exchange Server Help.

Q9: If the Authenticated Users group is removed from the organizational unit where the distribution groups are located, why are NDRs received when messages are sent to that distribution group?

A9: If the Authenticated Users group is removed from organizational group where a distribution group is located, and the Domain\Exchange$ account does not have Read permissions to the organizational unit, the Exchange message categorizer does not have permissions to expand the distribution group and route messages to it.

Q10: What is the purpose of the setting the HKLM\System\CurrentControlSet\Services\SMTPSVC\Parameters\DynamicDlPageSize registry entry to a value of 31?

A10: The message categorizer generates paged LDAP searches when query-based distribution groups are expanded. Windows 2000 SP3-based domain controllers support only one paged search at a time. However Exchange 2000 sends more than one paged search at a time. You can configure Exchange 2000 on a Windows 2000 SP3-based computer to generate one paged search at a time if you set the DynamicDlPageSize registry entry to a value of 31.

By default, Exchange 2003 on a Windows 2000-based computer or Exchange 2003 on a Microsoft Windows Server 2003-based computer generates one paged search at a time. Windows Server2003-based domain controllers can process up to 10 paged LDAP cookies for searches.

Q11: What are some methods that can be used to troubleshoot messages that are sent to a global distribution list that is expanded in a remote domain?

A11: Using the Regtrace.exe command-line tool to trace the CAT module and look for entries that are similar to the following: For additional information about the Regtrace.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:

For more information about the role of groups and access control lists in Exchange 2000 Server, visit the following Microsoft Web site: