New-EmailAddressPolicy fails on accepted domain, but the domain does exist.

  • Question

  • Hey, everyone. I hope you can help with this, because I'm a bit stumped.

    I'm working at a college, running Exchange 2010 SP1 RU2 and we have some students in a separate AD domain, in the same forest as the faculty and staff. Faculty and staff have an email address policy of %g_%s@college.edu. We're trying to get our students - (who have AD accounts, but not mailboxes; they're MailUsers that are hosted in the cloud) to have an address policy of %g_%s@student.college.edu.

    When I try to run the New-EmailAddressPolicy cmdlet, I keep running into an error where Exchange says that it references a domain that isn't listed as an accepted domain. However, it very much IS in the list of accepted domains.

    For your reference, here's the actual output from the screen that I'm seeing. I've tried doing it through the EMC as well, but nothing doing there, either.

    Anyone have any insight into this? It's important, because as student users are modified, they're being restamped with the default @college.edu address, instead of the @student.college.edu address.

    Thanks for any help!

     

    [PS] C:\Windows\system32>new-EmailAddressPolicy -Name 'Students' -RecipientContainer 'student.college.edu' -IncludedRecipients 'MailUsers' -Priority 'Lowest' -EnabledEmailAddressTemplates 'SMTP:%g_%s@student.college.edu' -domaincontroller rootdc.college.edu
    The SMTP address template 'SMTP:%g_%s@student.college.edu' is invalid because it references a domain that isn't configured
    as an accepted domain for your organization.
      + CategoryInfo     : InvalidData: (SMTP:%g_%s@student.college.edu:SmtpProxyAddressTemplate) [New-EmailAddressPolicy], ArgumentException
      + FullyQualifiedErrorId : 7859297B,Microsoft.Exchange.Management.SystemConfigurationTasks.NewEmailAddressPolicy
    
    [PS] C:\Windows\system32>Get-AcceptedDomain
    
    Name              DomainName           DomainType          Default
    ----              ----------           ----------          -------
    college.edu          college.edu          Authoritative        True
    Student            student.college.edu      ExternalRelay        False
    
    
    [PS] C:\Windows\system32>
    

    Tuesday, April 5, 2011 1:07 PM

Answers

  •  because as student users are modified, they're being restamped with the default @college.edu address, instead of the @student.college.edu address.

    Hi Steve,

    What are the students' email addresses before modifying?

    If they have already been stamped with @student.college.edu, how about clearing "Automatically update e-mail addresses based on e-mail address policy"?

    Frank Wang

    TechNet Subscriber Support in forum

    • Marked as answer by emma.yoyo Wednesday, April 13, 2011 2:40 AM
    Thursday, April 7, 2011 2:48 AM

All replies

  • It's failing because you have set the domain as an external relay domain. All an external relay domain does is allow Exchange to accept email for a domain, before handing off to another non-Exchange server. If you want to use that domain for internal users as well, then that setting will have to be changed.

    Simon.


    Simon Butler, Exchange MVP
    Tuesday, April 5, 2011 2:46 PM
  • I actually don't want to do so at all.

    The use case is fairly simple. We have lots of users that have their mail hosted off-site. They need AD accounts, and we want them in the GAL. However, they keep getting re-assigned the wrong address (the @college.edu) address.

    What I want to do is be able to have an address policy apply to these users such that they are provisioned with the correct address, which is external. (The @student.college.edu) address.

    Is there a better way to do this? It's 35,000 accounts, so I can't have anything that is done per-user.

    Thanks!

    Tuesday, April 5, 2011 3:01 PM
  • When these mail enabled users were created, were they set with the external email address:

    Enable-MailUser -Identity User -ExternalEmailAddress user@external.example.com

    If so, then the behaviour you are seeing is correct and cannot be changed. For a mail enabled user to work, they will need to have two email addresses, an internal one and the external one. They must be different. It would appear that you are trying to set both the internal and external address to be the same.

    Simon.

     


    Simon Butler, Exchange MVP
    Tuesday, April 5, 2011 3:32 PM
  • Thanks for the replies...

    So you're telling me that I have to have an internal address, even when there's no business case for that whatsoever?

    These users have their mail hosted (by Microsoft) at the Live@EDU hosting program. We're running this via ILM exactly as Microsoft has prescribed (and in fact, set up.) We don't want these users to receive mail with the @college.edu address, only the @student.college.edu address.

    They're in a separate domain entirely, if that makes any difference.

    Essentially, what we want is a security principal (AD account) that has an associated external address that has no internal address at all.

    Message flow is working fine, it's just that the address policy keeps re-writing the attributes.

    Thoughts?

    Tuesday, April 5, 2011 3:43 PM
  • It is a technical requirement. For the object to be in the domain, it needs to have an internal SMTP email address so that email can be routed to it by Exchange. Contacts do the same thing - they will have an external and an internal address.

    When I am designing environments from scratch that would have this requirement, I would usually recommend the use of a dummy domain across all mail enabled objects - like "example.local". The email address policies are then adjusted so that the Internet addresses only go to those with mailboxes.

    This may be something that you should look at doing if you want to remove the domain from the non mailbox users, but test it first in a lab platform.

    The bottom line is that you must have something internal and something external. If your environment is set up with only one domain in the accepted domain list then all mail enabled objects will have the same domain for their internal address.

    Simon.

     


    Simon Butler, Exchange MVP
    Tuesday, April 5, 2011 4:02 PM
  • Hi Steve,

    Any updates?


    Friday, April 8, 2011 7:59 AM
  • Hi Steve,

    Any updates?



    Hi, Frank:

    Sorry for not responding yesterday. I was out sick.

    Anyways, that's kind of what I was thinking, my only concern is that there are about 34,000 of them, and once I take that off, I can't ever put it back, because then it immediately gives them an @college.edu address.

    Currently, they all have @student.college.edu addresses, and that doesn't seem to get changed unless we modify the account in some way (such as a name change or other administrative event.) In those cases, then the account is re-stamped. What's interesting, is that if I just go in and create a new MailUser with an external address from scratch in the EMC, it only has that one external address. Modify it, and WHAM, there's another @college.edu address.

    It seems like this should be simple: lots of organizations want external entities in the GAL that don't (and should not) get internal addresses.

    Do you think clearing that flag is the only way to accomplish this? It's a lot of accounts, so I was thinking of doing a "get-mailuser | set-mailuser -emailaddresspolicyenabled $false"

    Thanks!

    Friday, April 8, 2011 12:33 PM
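
A scoped version of the bulk change discussed in the last post, as an added example that is not from any poster in the thread: it records the current state, lists student MailUsers already restamped with an @college.edu address, and previews clearing the policy flag. It assumes all student MailUsers sit under the student.college.edu container named in the question; the report path is a placeholder.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010).
# Values marked "assumption" are not from the thread.

# Students are in a separate AD domain of the same forest, so search the whole forest.
Set-ADServerSettings -ViewEntireForest $true

$studentScope = 'student.college.edu'                 # recipient container used in the question
$staffSuffix  = '@college.edu'                        # suffix stamped by the default policy
$reportPath   = '.\student-mailusers-before.csv'      # assumption: any writable path

# Get-MailUser stops at 1000 objects unless ResultSize is raised,
# which matters with roughly 34,000 accounts.
$students = Get-MailUser -OrganizationalUnit $studentScope -ResultSize Unlimited

# Record the current state so the change can be reviewed later.
$students |
    Select-Object DistinguishedName, PrimarySmtpAddress, ExternalEmailAddress,
        EmailAddressPolicyEnabled,
        @{ Name = 'EmailAddresses'; Expression = { $_.EmailAddresses -join ';' } } |
    Export-Csv -Path $reportPath -NoTypeInformation

# Accounts that already carry an address ending in @college.edu.
# "*@college.edu" does not match "@student.college.edu".
$restamped = @($students | Where-Object {
    $_.EmailAddresses | Where-Object { "$_" -like "smtp:*$staffSuffix" }
})

# Accounts the policy would still rewrite on their next modification.
$policyOn = @($students | Where-Object { $_.EmailAddressPolicyEnabled })

'{0} student MailUsers found' -f @($students).Count
'{0} already have a {1} proxy address' -f $restamped.Count, $staffSuffix
'{0} still have EmailAddressPolicyEnabled set' -f $policyOn.Count

# Preview only: -WhatIf prints what would change without writing to AD.
# Remove -WhatIf after checking the counts and the CSV.
$policyOn | Set-MailUser -EmailAddressPolicyEnabled $false -WhatIf
```

Clearing the flag does not remove an @college.edu proxy address that has already been stamped; the `$restamped` list shows which accounts would need that cleaned up separately.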