When sending e-mail messages to a mail-enabled public folder that has been replicated from old Exchange Server 2000/2003/2007 to an Exchange Server 2010 environment, mails are rejected with NDR.

  • General discussion

  • Hi, I would like to share with you an issue that I’ve solved regarding mail-enabled PFs that were migrated from Exchange 2000/2003/2007 to 2010. I’ve searched and contacted my MVP leader; there’s no official KB regarding this issue right now, so I’m posting here in order to share it with others.

    Note: There are article(s) that talk about PF replication from Exch2000/2003/2007 to 2010; this is the same issue as well.



    E-mail messages that have been sent to a mail-enabled public folder in an Exchange Server 2010 environment are rejected with the following NDR:

    “#< #5.2.0 smtp;554 5.2.0 STOREDRV.Deliver.Exception:ObjectNotFoundException; Failed to process message due to a permanent exception with message The Active Directory user wasn’t found. ObjectNotFoundException: The Active Directory user wasn’t found.> #SMTP#”

    Sometimes Exchange Server 2010 also logs Event ID 1020 in the Event Viewer with this information:

    “Log Name: Application

    Source: MSExchange Store Driver

    Event ID: 1020

    Level: Error



    The store driver couldn’t deliver the public folder replication message "Hierarchy (" because the following error occurred: The Active Directory user wasn't found.”



    In an environment where Microsoft Exchange Server 2000 or Microsoft Exchange Server 2003 previously existed, and all those servers have been removed, there is a chance that an Administrative Group (First Administrative Group or another custom Administrative Group) remains with a Servers container, but no servers inside it.


    During replication, when the Exchange 2010 Store Driver sees the empty Servers container in Active Directory, it's expecting a System Attendant object inside the container and when it is not found the error occurs.



    To work around the issue, delete the empty Servers container. This can't be done through Exchange System Manager. Use the ADSI Edit tool to remove it using the following steps:


    Warning: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2003 Server, Microsoft Windows Server 2008, Microsoft Exchange 2010 Server or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.


    1.       Start the ADSI Edit MMC Snap-in. Click Start, then Run, and type adsiedit.msc, and then click OK.

    2.       Connect & Expand the Configuration Container [], and then expand CN=Configuration,DC=DNSDomainName,DC=com.

    3.       Expand CN=Services, and then CN=Microsoft Exchange, and then expand CN=YourOrganizationName.

    4.       You will see an empty Administrative Group. Expand the CN=YourAdministrativeGroupName.

    5.       Expand CN=Servers.

    6.       Verify there are no server objects listed under the CN=Servers container.

    7.       Right click on the empty CN=Servers container and choose Delete.

    8.       Verify the modification, and try sending the e-mail to the mail-enabled public folder again.


    Applies to

    Exchange Server 2010, Standard Edition

    Exchange Server 2010, Enterprise Edition

    Netanel Ben-Shushan, MCSA/E, MCTS, MCITP, Windows Expert-IT Pro MVP. IT Consultant & Trainer
    Wednesday, May 11, 2011 5:00 PM
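
A read-only way to carry out the check in steps 2 to 6 of the post above across every Administrative Group at once, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the Configuration partition; the function name Get-EmptyExchangeServersContainer and its -Server parameter are hypothetical names chosen here.

```powershell
# Added example: read-only audit, makes no changes to Active Directory.
Import-Module ActiveDirectory

function Get-EmptyExchangeServersContainer {
    [CmdletBinding()]
    param(
        # Optional domain controller to query (hypothetical parameter name);
        # when omitted, the AD module picks a DC itself.
        [string]$Server
    )

    $common = @{}
    if ($Server) { $common.Server = $Server }

    # CN=Configuration,DC=... is forest-wide, so one query covers all domains.
    $configNC     = (Get-ADRootDSE @common).configurationNamingContext
    $exchangeRoot = "CN=Microsoft Exchange,CN=Services,$configNC"

    # Every Administrative Group under the Exchange organization.
    $adminGroups = Get-ADObject @common -SearchBase $exchangeRoot `
        -SearchScope Subtree -LDAPFilter '(objectClass=msExchAdminGroup)'

    foreach ($ag in $adminGroups) {
        # The CN=Servers container directly beneath this group, if present.
        $containers = Get-ADObject @common -SearchBase $ag.DistinguishedName `
            -SearchScope OneLevel -LDAPFilter '(cn=Servers)'

        foreach ($c in $containers) {
            # Count direct children; zero means the container is empty.
            $children = @(Get-ADObject @common -SearchBase $c.DistinguishedName `
                -SearchScope OneLevel -Filter *)

            [pscustomobject]@{
                AdministrativeGroup = $ag.Name
                ServersContainerDN  = $c.DistinguishedName
                ChildCount          = $children.Count
                IsEmpty             = ($children.Count -eq 0)
            }
        }
    }
}

# List empty containers first so they stand out.
Get-EmptyExchangeServersContainer |
    Sort-Object IsEmpty -Descending |
    Format-Table -AutoSize -Wrap
```

Containers reported with IsEmpty = True are the candidates for step 7; the administrative group that holds the Exchange 2010 servers should show them as children and is not one of them.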

All replies

  • Thanks for sharing the knowledge, Netanel. It would definitely help others who get the same issue.

    Additional Information:

    Public Folder Replication Fails Due To Empty Legacy Administrative Group

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, May 12, 2011 2:43 AM
  • Thank you for posting; this fixed the issue and we are back in business.

    Thanks again, Alex Samol

    Alex Samol

    Wednesday, June 6, 2012 7:18 PM
  • I have just renamed (Rename would be easier than AD Restore) the entry CN=First Administrative Group to CN=First Administrative Group OLD and from now on everything works fine! All mails are successfully sent to mail enabled public folders!

    Thank you for your posting!

    Thursday, October 4, 2012 9:23 AM
  • Thanks for the detailed information, solved the problem for me after a 2003 -> 2010 migration.
    Tuesday, September 10, 2013 11:56 AM
  • Perhaps not a KB article describing a failed delivery of e-mail, but there's a KB article describing the empty Servers container:

    HP has an article that describes it, though:

    --- Rich Matheisen MCSE&I, Exchange MVP

    Tuesday, September 10, 2013 7:06 PM
  • Thanks, solved problem in Exchange 2010 to Exchange 2013 migration.
    I needed to clean AD of Exchange 2003 entries and I hadn't deleted the CN=Servers containers.

    Thursday, October 24, 2013 9:45 AM
  • I am doing an Exchange 2003 to 2010 migration.  I have this same error and I cannot get the public folders to replicate.  My issue is that I still have the 2003 Exchange server running.  However, my servers are in a child domain of a forest and some of the Administrative Groups in the forest do have empty server containers.

    I am trying to find out if these other empty server containers are the cause of my replication and mail-enabled public folder NDR errors.  Can anyone point me at a document on this?


    Monday, January 6, 2014 7:49 PM
  • Awesome! Resolved my issue as well. Thanks for this! 
    Friday, January 10, 2014 9:38 AM
  • There is no good reason to retain an empty "Servers" container. It doesn't matter what domain they're in because the Configuration naming context of the AD is replicated to every DC in the forest (which is why you can't have more than one Exchange organization in a forest). 

    Remove them.

    --- Rich Matheisen MCSE&I, Exchange MVP

    Saturday, January 11, 2014 4:55 PM
  • Got a quick question.. if I am running a dedicated Exchange 2010 environment then is there any actual need for me to have the "CN=First Administrative Group" container? 

    Reason I ask is that previous admins look to have "ripped" out the Exchange 2003 server without properly decommissioning it. I am on a clean up operation and Exchange BPA keeps complaining about the Routing Group and other things it finds on the scan relating to Exchange 2003. I would really like to remove the entire container for "CN=First Administrative Group" as I no longer have any Exchange 2003 servers..

    Everywhere I read says just delete the "CN=Servers" container but question is why not the whole lot...?

    Saturday, January 11, 2014 5:31 PM
  • This solved my problem too. Thanks a lot!

    I had this issue after migrating Active Directory from 2008R2 to 2012R2.

    Monday, May 5, 2014 6:46 AM
  • Thanks for writing this fix up, it worked for my problem too!
    Saturday, May 10, 2014 10:23 PM

    I am trying to follow this but having some issues.

    I see 3 objects in the Servers container.  Am I at the correct location?

    What to do?

    • Edited by Vax4444 Wednesday, May 14, 2014 3:43 PM
    Wednesday, May 14, 2014 3:24 PM
  • I have an Exchange 2003 server that will be decommissioned. However, after replicating my public folder servers to Exchange 2010 I faced the exact issue described above.

    The CN=Servers container is not empty. I find all my Exchange 2010 servers there. Has this been observed by anyone else?

    <I am using ADSIedit in Exchange 2003>

    Please suggest?

    Monday, October 13, 2014 9:10 AM
  • Sounds like you are looking in the wrong Administrative Group container which is why you are seeing your Exchange 2010 servers in there.

    When you install Exchange 2003 only you will see a container named by default as "CN=First Administrative Group" container. But this could be named anything if you changed the Organization Name on the installation when you installed the first Exchange 2003 server into the domain/forest. 

    You will notice that when you install Exchange 2010 part of the AD setup is to create a new configuration container and is named by default "CN=First Administrative Group (FYDIBOHF23SPDLT)".

    So it sounds like you are not looking in the right location within ADSIEdit. 

    You may find the following article also helpful for this issue which is the same resolution:

    I recommend though that you ensure your Exchange 2003 servers are fully uninstalled or no longer present in your environment before you go deleting the Servers container. The following Microsoft article will help with this:

    Monday, October 13, 2014 8:27 PM
  • Bless you! And all who sail in you! :)
    Thursday, November 13, 2014 3:59 PM
  • Excellent Article, fixed our issue.

    Thanks for posting


    Thursday, November 20, 2014 3:18 PM
  • Thanks, you're the best... working very well afterwards!
    Monday, May 11, 2015 2:16 PM
  • Thank you very much.
    Thursday, February 11, 2016 4:19 PM
  • I just have to say it...

    "You're the real MVP"

    Thanks, regards, tim

    Thursday, August 11, 2016 11:27 AM