Rollback steps needed for 2003 GAL segregation (issued during upgrade to Exchange 2010)

  • Question

  • Hi,

    It appears that my inherited Exchange 2003 Enterprise edition (2 node active/passive cluster) has had GAL segregation configured.  The environment was healthy while I introduced 2 Exchange 2010 servers into the environment.  The original server was a standalone cluster acting as back/front end.  The two new servers were installed on separate 20-08 R23 servers with mailbox/hub/CAS roles enabled (the reason for two is DAG).  The environment was prepared per MS instructions (schema extended etc etc etc).  No errors and all went super smoothly.  No issues during first few days of coexistence (nothing was done on new Exchange 2010). Free\Busy synchronized - all good.  1 mailbox migrated - All good.  Then I had to do some changes on the GAL and soon I discovered that some users were not seeing all aliases in Default GAL.

    When accessing Default GAL in Exchange 2003 System manager I receive a warning - Exchange System Manager version 8.0.30535 or greater is required to edit this object.  When I display PREVIEW I see everyone.

    When I view GAL from the Outlook client I am missing some users

    When I apply ALL USERS Address List in Exchange 2010 I get approximately 12 errors like this:

    Failed to update recipient "xxxxxxxxxxxxxx.com/yyyyyy/Michael C. zzzzzzzz". The following exception occurred: Active Directory operation failed on BOC-LYN-DC2.xxxxxxxxxxxxxx.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
    Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    When searching the Internet for the possibilities I ran into Exchange 2003 address list segregation and confirmed with the owner of the server such functionality was desired and implemented (each division of the company only saw address book of its members and nobody else)

    I found articles explaining that such a setting can cause issues after Exchange 2010 is introduced into the organization - http://blogs.msdn.com/b/dgoldman/archive/2010/05/10/critical-update-exchange-2010-address-list-segregation-and-current-support-stances.aspx

    This article lists steps to be performed to fix this issue:

    1. Keep your Exchange 2010 servers intact.
    2. You will need to reset the ACL's on the default global address list. This means you will need to reapply the 'Read' and 'Open Address List' for the Authenticated Users group.
    3. You will need to open up powershell and run the following command "update-globaladdresslist"
    4. Run Get-Mailbox | set-mailbox -ApplyMandatoryAttributes


    Step 2.  I performed it from E2003 System Manager as Global Address List is not to be found on Exchange 2010 (I only have: All Contacts, All Groups, All Users, All Rooms, and Public Folders).  Is it OK despite the fact I received a warning - Exchange System Manager version 8.0.30535 or greater is required to edit this object?


    Step 3.  Am I to do it from Exchange 2003 system?  I do not seem to have Powershell on it.  When running this command from Powershell on Exchange 2010 I receive an additional prompt:

    [PS] C:\Users\gsi_adm\Desktop>update-globaladdresslist

    cmdlet Update-GlobalAddressList at command pipeline position 1
    Supply values for the following parameters:

    I am not sure how to proceed

    step 4 - again am I supposed to run it on Exchange 2010 system and for each mailbox I receive an error when applying the All Users address list?


    Will the above steps (1-4) entirely fix the issue?


    Many thanks!!!

    Sunday, October 9, 2011 2:47 AM
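The steps quoted in the question, written out for the Exchange Management Shell on an Exchange 2010 server. This is an added example, not part of the original thread or the linked article. It assumes the GAL still has its default name, `Default Global Address List`; the ACL check is read-only and step 4 is previewed with `-WhatIf`.

```powershell
# Added example. Assumption: the default GAL has not been renamed.
$galName = 'Default Global Address List'

# Step 2 (verification only): show the ACEs set directly on the default GAL,
# so you can confirm what the permission reset in System Manager actually left.
$gal = Get-GlobalAddressList -Identity $galName
$acl = Get-ADPermission -Identity $gal.DistinguishedName

$acl | Where-Object { -not $_.IsInherited } |
    Sort-Object User |
    Format-Table User, Deny, AccessRights, ExtendedRights -AutoSize

# Look specifically for allow entries granted to Authenticated Users.
$authUsers = $acl | Where-Object {
    $_.User.ToString() -like '*Authenticated Users' -and -not $_.Deny
}
if (-not $authUsers) {
    Write-Warning "No allow ACE for Authenticated Users on '$galName'."
} else {
    $authUsers | Format-List User, AccessRights, ExtendedRights, IsInherited
}

# Step 3: Update-GlobalAddressList needs to be told which GAL to update.
# The prompt shown in the question is the cmdlet asking for -Identity.
Update-GlobalAddressList -Identity $galName

# Step 4: the Set-Mailbox switch in Exchange 2010 is -ApplyMandatoryProperties.
# -WhatIf lists the mailboxes that would be touched without changing them;
# remove it only after reviewing that list.
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -ApplyMandatoryProperties -WhatIf
```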


  • Hi Martin,


    GAL segregation in an Exchange 2010 system is not supported, based on my research.


    Just for your information, if it is a pure Exchange 2003 environment, I would remove the additional GAL and then run setup /DomainPrep and Setup /Forestprep to revert back the GAL segregation.


    However, in the current situation, I’d suggest you contact Microsoft Advisory Services for further help. Microsoft Advisory Services provides consultative assistance for design, development and deployment issues. For specific information about the types of Advisory Services available, visit the <http://support.microsoft.com/gp/advisoryservice> web page.

    For more information about Microsoft Customer Support Service (CSS), please refer to: http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS.


    Your understanding is greatly appreciated, and I hope the issue can be fixed soon!

    • Proposed as answer by Fiona_Liao Tuesday, October 11, 2011 8:46 AM
    • Marked as answer by Fiona_Liao Friday, October 14, 2011 9:00 AM
    Tuesday, October 11, 2011 1:57 AM