Exchange Server - Admin Groups, Recipient Policies & X400 Addresses?

Asked By Paul Hutchings

15-Jun-08 10:54 AM

I've just completed taking a two site exchange organization from mixed
mode to native mode.

I now have two Administrative Groups:

SiteA
SiteB

If I look at my Recipient Policies I see I have:

A default policy, with a filter of "(mailnickname=*)" which sets smtp to
@ourdomain.com and X400 to "c=GB;a= ;p=OURORGNAME;o=SITEA"

A "SITEA" policy, with a filter of
sets smtp to @ourdomain.com and X400 to "c=GB;a= ;p=OURORGNAME;o=SITEA"

A "SITEB" policy with a filter of
sets smtp to @ourdomain.com and X400 to "c=GB;a= ;p=OURORGNAME;o=SITEB".

I'm unclear which I actually still need, obviously we have a shared smtp
namespace, but the X400 stuff is a bit beyond me tbh.

Also having got rid of the ADC and all 5.5 servers, do I still need the
Exchange 5.5 Service Account, and if not, is there a recommended
procedure to lose it?

Thanks in advance,
Paul

15-Jun-08 02:14 PM

You "ned" only the Default policy, in this case -- unless you're using
an X400 connector and need to distinguish between the two locations.

There's no "Exchange service account" needed to run Exchange 2000,
2003, or 2007. However, before you do anything with that account you
should verify that 1) it wasn't the account used to install Exchange,
and 2) that you haven't used the account somewhere else to do things.

The account used to install Exchange is probably a member of some
priviledged groups, it's also got the "Exchange organization
administrator" role in E2K7. Make sure you have a very good idea of
what the account was used for, and that you have some other way of
controlling the Exchange 2007 organization (i.e. delegate some other
account the "exchange organization administrator" role).

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com

15-Jun-08 02:57 PM

In article <ijma549mb35jvb7uf8ej0sbbvdptsi4fiv@4ax.com>,


We're not using any sort of X400 connector.

So, even though I physically have 2 sites/administrative groups, I can
give objects in each an X400 address that relates to SiteA?


Sorry but recipient policies are one element of Exchange 2003 that I've
never felt comfortable with as I always have this nightmare that one
wrong click and "bang" all your smtp addresses get stripped off or
something horrible!

15-Jun-08 03:41 PM

The need to have a unique "o" attribute went away when you stopped
using the Exchange 5.5 MTA (which may have been using the X400
transport). SMTP uses, well, a SMTP address. The mail- and
mailbox-enabled objects in the directory are resolved using the
legacyExchangeDN property value.


Even if you mistakenly removed a policy the addresses already assigned
would remain assigned.

In a simple Exchange organization there's not usually a need for ore
than one (the Default) or two (a policy that might assign addresses in
a DNS domain name different to the one used by the AD).

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com

15-Jun-08 03:58 PM

In article <3qra54lupbnkjavpc5372rh4ieee6d7n1l@4ax.com>,


Presumable I do *have* to have an "o" attribute?

I can't simply have ""c=GB;a= ;p=OURORGNAME" in the default policy?

If not, does the "o" value have to bear any relevance to my existing
exchange config or could I simlply use ""c=GB;a=
;p=OURORGNAME;o=Exchange" for example?

I guess I'm trying to understand the importance of the X400 attribute
values, beyond the fact that they have to be set to something.

15-Jun-08 05:12 PM

No, you can't omit it. :-)

It's part of the hierarchical structure of the X400 address.


No, it doesn't. The "o" simply the organizational unit value (c =
country, a = administrative management domain [ADMD], p = private
management domain [PRMD], o = organizational unit). It has
significance within the PRMD, but nowhere else.

You can use anything you like, but it's a lot easier to just ignore
it. Think of it like your appendix. Of what use is it? Do you care?


The X400 addresses have been in Exchange since dirt was white. They
have significance only in the X400 addressing scheme, which you left
behind when you stopped using the MTA to move messags between sites.
If you ever have need to use X400 for some reason you can always
create the necessary Email Address Policies (E2K7) or Recipient
Policies (E2K and E2K3) to assign them and then simply "apply" the
policies.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com

16-Jun-08 01:28 PM

In article <mg0b541qgqd6mhrhmc53f68kjqtuekm7g3@4ax.com>,


Thanks Rich, your explanation makes sense, it was just the concept that
people in Site B could have X400 addresses with Site A referenced in
them, but as you say it's a legacy thing so that makes much more sense
now.

cheers,
Paul

17-Jun-08 12:15 AM

Great explanation... I was going to add in that I spoke to a Microsoft
exchange tech awhile back for something else and he was helping me
tune up our exchange system.  He said, "whatever you do, NEVER, EVER,
remove the x400 stuff on a person's account or in your policies.
*think Egon's face when they were shutting down the containment
system* :)