War On Errors
Article ID: 31460
Last Reviewed: 6/29/2012 12:41:17 PM

Global Address list is empty after Exchange 2010 SP1 installation when configured for address list segregation

Problem

After installing Microsoft Exchange 2010 SP1 in an environment where address list segregation was configured using WebsitePanel, your users see an empty Global Address List (GAL) in Outlook and OWA.


Resolution

This is caused by changes in Microsoft Exchange Server 2010 SP1: OWA and Outlook now rely on the ACLs on the address list objects in Active Directory to decide which address lists a user may see. Before SP1, OWA required the msExchQueryBaseDN attribute on the user object to be set in order to display the correct address list. After SP1, OWA no longer reads this attribute, and any value left in it causes the Global Address List in Outlook clients to be empty. There is currently no complete fix, but following the steps below restores the GAL for existing users.



Note: As of WebsitePanel 1.0.2, organizations and users created with WebsitePanel still get msExchQueryBaseDN set, so the attribute must be cleared after each creation. Alternatively you can recompile the WebsitePanel provider DLL so that it no longer sets the attribute; instructions are at the bottom of this page.



The WebsitePanel Exchange integration setup document gives guidance on setting permissions on the "All Address Lists" DN and its sub-containers in order to enable address list segregation. That guidance no longer works after SP1 and must be ignored completely in a new implementation. If you are upgrading from a pre-SP1 version of Exchange, revert the security settings as follows:



Re-enable "Include inheritable permissions from this object's parent" on the "All Address Lists" DN.

You then need to create two rules on each of the following containers under the "Address Lists Container" (also make sure "Include inheritable permissions from this object's parent" is checked on each of them):



All Contacts

All Groups

All Rooms

All Users

Public Folders

All Global Address Lists

Offline Address Lists



1. An Allow rule for Authenticated Users granting the "Open Address List" extended right, applied to this object only (not inherited).

2. An Allow rule for Authenticated Users granting "List Contents", "Read All Properties" and "Read Permissions", applied to this object only (not inherited).
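The two rules above, applied to every container in the list with inheritance re-enabled, as a PowerShell script. This is an added example and not code from the original article or from WebsitePanel. It assumes the default Exchange container layout under CN=Microsoft Exchange,CN=Services in the Configuration partition, a placeholder organization name ($OrgName, replace it with yours), and an account that has WriteDacl on the containers. Without -Apply it only reports the explicit ACEs for Authenticated Users, which is also a useful check after doing the steps by hand in ADSI Edit.

```powershell
# Added example, not part of the original article or of WebsitePanel.
# Applies the two Allow rules for Authenticated Users to each address list
# container and re-enables inheritance from the parent. Assumptions: default
# Exchange container layout, $OrgName is your Exchange organization name, the
# caller has WriteDacl on the containers.
param(
    [string]$OrgName = "First Organization",   # assumption: replace with your org name
    [switch]$Apply                              # without -Apply nothing is changed, only reported
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$alcDN    = "CN=Address Lists Container,CN=$OrgName,CN=Microsoft Exchange,CN=Services,$configNC"

# Resolve the "Open Address List" extended right by its display name rather
# than hard-coding the rightsGuid.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Extended-Rights,$configNC")
$searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=Open Address List))"
[void]$searcher.PropertiesToLoad.Add("rightsGuid")
$hit = $searcher.FindOne()
if (-not $hit) { throw "Extended right 'Open Address List' not found under $configNC" }
$openAddressList = [Guid]$hit.Properties["rightsguid"][0]

# The containers named in the article: five under All Address Lists and two
# directly under the Address Lists Container (assumed default layout).
$targets = @(
    "CN=All Contacts,CN=All Address Lists,$alcDN",
    "CN=All Groups,CN=All Address Lists,$alcDN",
    "CN=All Rooms,CN=All Address Lists,$alcDN",
    "CN=All Users,CN=All Address Lists,$alcDN",
    "CN=Public Folders,CN=All Address Lists,$alcDN",
    "CN=All Global Address Lists,$alcDN",
    "CN=Offline Address Lists,$alcDN"
)

$authUsers = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")  # Authenticated Users
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$thisObj   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # "this object only"
$rights    = [System.DirectoryServices.ActiveDirectoryRights]

foreach ($dn in $targets) {
    $entry = [ADSI]"LDAP://$dn"
    $sec   = $entry.ObjectSecurity

    # Rule 1: Allow "Open Address List" (extended right), not inherited.
    $openRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $authUsers, $rights::ExtendedRight, $allow, $openAddressList, $thisObj)
    # Rule 2: Allow List Contents + Read All Properties + Read Permissions, not inherited.
    $readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $authUsers, ($rights::ListChildren -bor $rights::ReadProperty -bor $rights::ReadControl), $allow, $thisObj)

    if ($Apply) {
        $sec.SetAccessRuleProtection($false, $true)   # "Include inheritable permissions from this object's parent"
        $sec.AddAccessRule($openRule)
        $sec.AddAccessRule($readRule)
        $entry.CommitChanges()
        "Updated $dn"
    }

    # Report the explicit (non-inherited) ACEs for Authenticated Users so the
    # result can be compared with the two rules in the article.
    $sec = ([ADSI]"LDAP://$dn").ObjectSecurity
    "{0}`n  inherits from parent: {1}" -f $dn, (-not $sec.AreAccessRulesProtected)
    $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $authUsers } |
        ForEach-Object { "  {0,-5} {1} objectType={2}" -f $_.AccessControlType, $_.ActiveDirectoryRights, $_.ObjectType }
}
```

Run it once without -Apply to see the current state, then with -Apply from an account that can write the DACL; the report at the end should show, for each container, one Allow ExtendedRight entry with the "Open Address List" GUID and one Allow entry with ListChildren, ReadProperty and ReadControl, plus "inherits from parent: True".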







Next you need to enable List Object mode in Active Directory by setting dsHeuristics. Using ADSI Edit, connect to the Configuration naming context and open the properties of:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration

Set the dsHeuristics attribute to 001. The third character of dsHeuristics (fDoListObject) is the one that enables List Object mode; if the attribute already has a value, change only that character and leave the others as they are, because the remaining positions control unrelated behaviour. The attribute lives in the Configuration partition, so the change applies to every domain in the forest.

With List Object mode enabled, the rules on the Address Lists Container can be changed so that a user sees only the address lists they have permission to open, without also being allowed to list the contents of the parent container. The following rules need to be changed:



1. The non-inherited rule on the "Address Lists Container" needs to be changed from "List Contents" to "List Object".

2. The non-inherited rule on "All Address Lists" needs to be changed from "List Contents" to "List Object".
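The dsHeuristics change and the two List Contents to List Object conversions, scripted so that only the third character of dsHeuristics is touched. This is an added example, not code from the original article or from WebsitePanel. It assumes the default Exchange container layout, a placeholder organization name ($OrgName), and that the non-inherited rules to convert belong to Authenticated Users (the article does not name the principal). Without -Apply it prints what it would change.

```powershell
# Added example, not part of the original article or of WebsitePanel.
# Step 1: enable List Object mode by setting the third character of
#         dsHeuristics (fDoListObject) to 1 while preserving the rest.
# Step 2: on the two containers named in the article, rewrite the explicit
#         (non-inherited) Authenticated Users ACEs from List Contents to
#         List Object, keeping every other bit of the ACE unchanged.
# Assumptions: default Exchange container layout, $OrgName is your
# organization name, the rules to convert belong to Authenticated Users.
param(
    [string]$OrgName = "First Organization",   # assumption: replace with your org name
    [switch]$Apply                              # dry run unless -Apply is given
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext

# --- Step 1: dsHeuristics ---------------------------------------------------
$dsEntry = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$current = [string]$dsEntry.dsHeuristics              # "" when never set
# Pad to three characters, then set position 3 only; any longer existing value
# (including its mandatory check digits at positions 10, 20, ...) is kept as-is.
$chars    = $current.PadRight(3, [char]'0').ToCharArray()
$chars[2] = [char]'1'
$wanted   = -join $chars
"dsHeuristics: current='$current' wanted='$wanted'"
if ($Apply -and $wanted -ne $current) {
    $dsEntry.Put("dsHeuristics", $wanted)
    $dsEntry.SetInfo()
    "dsHeuristics updated"
}

# --- Step 2: List Contents -> List Object -------------------------------------
$alcDN      = "CN=Address Lists Container,CN=$OrgName,CN=Microsoft Exchange,CN=Services,$configNC"
$targets    = @($alcDN, "CN=All Address Lists,$alcDN")
$authUsers  = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
$listChild  = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren   # "List Contents"
$listObject = [int][System.DirectoryServices.ActiveDirectoryRights]::ListObject     # "List Object"

foreach ($dn in $targets) {
    $entry = [ADSI]"LDAP://$dn"
    $sec   = $entry.ObjectSecurity
    # explicit ACEs only ($true, $false): inherited ones come from the parent and are not ours to edit here
    $rules = $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $authUsers -and (([int]$_.ActiveDirectoryRights) -band $listChild) }

    foreach ($rule in $rules) {
        $newRights = [System.DirectoryServices.ActiveDirectoryRights](((([int]$rule.ActiveDirectoryRights) -bxor $listChild) -bor $listObject))
        "{0}`n  {1} -> {2}" -f $dn, $rule.ActiveDirectoryRights, $newRights
        if ($Apply) {
            # Same identity, type, object GUIDs and inheritance; only the rights mask changes.
            $replacement = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $rule.IdentityReference, $newRights, $rule.AccessControlType,
                $rule.ObjectType, $rule.InheritanceType, $rule.InheritedObjectType)
            $sec.RemoveAccessRuleSpecific($rule)
            $sec.AddAccessRule($replacement)
        }
    }
    if ($Apply) { $entry.CommitChanges(); "Updated $dn" }
}
```

Because dsHeuristics is forest-wide, read the "current" value in the dry-run output before applying: a non-empty value means some other feature has already been enabled in that string and must survive the change.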







To prevent clients from getting an "Invalid Bookmark" error when they click the "All Address Lists" entry in the Outlook address book, add a rule for Authenticated Users granting the "Open Address List" permission on the "All Address Lists" DN, applied to that object only, as shown above. This is not a default rule.



Once this is complete the address list permissions are set correctly and you are ready for the last step, the one that restores the GAL (and the part that still has no permanent fix). Using ADSI Edit, connect to the Default Naming Context and browse to the DN where your users are located. Right-click a user and open Properties. Find the msExchQueryBaseDN attribute and clear it. Before SP1 this attribute told OWA which address list to use; after SP1 it is no longer honoured and is the root cause of the blank GAL. All of the steps above are still required because the original WebsitePanel documentation did not apply these permissions according to Microsoft's guidance.



Once cleared, your users should see the proper GAL in both OWA and Outlook.

The following Exchange Management Shell command clears the attribute for all existing mailboxes in one pass. Any users created afterwards by WebsitePanel will have it set again until the provider is fixed (see below). Run it at your own risk.



Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $dn  = "LDAP://" + $_.DistinguishedName
    $obj = [ADSI]$dn
    $obj.PutEx(1, "msExchQueryBaseDN", 0)   # 1 = ADS_PROPERTY_CLEAR: remove all values of the attribute
    $obj.SetInfo()
}
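An audit-and-clear variant using the ActiveDirectory module, added here as an example and not part of the original article or of WebsitePanel. It lists every user object that still carries msExchQueryBaseDN (for instance users created by WebsitePanel after the one-off cleanup above), and clears the attribute only when run with -Apply; the optional $SearchBase parameter, an assumption of this example, limits the search to one OU. It assumes the RSAT ActiveDirectory module is installed and the caller can write to the user objects.

```powershell
# Added example, not part of the original article or of WebsitePanel.
# Reports, and with -Apply clears, msExchQueryBaseDN on all users that still
# have it set. Assumptions: ActiveDirectory module available, write access to
# the users; $SearchBase is an optional OU DN (assumption of this example).
param(
    [string]$SearchBase = $null,
    [switch]$Apply
)
Import-Module ActiveDirectory

$query = @{
    LDAPFilter = "(&(objectCategory=person)(msExchQueryBaseDN=*))"
    Properties = "msExchQueryBaseDN"
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$stale = @(Get-ADUser @query)
"{0} user(s) still have msExchQueryBaseDN set" -f $stale.Count
$stale | Select-Object SamAccountName, msExchQueryBaseDN | Format-Table -AutoSize

if ($stale.Count -gt 0) {
    if ($Apply) {
        $stale | Set-ADUser -Clear msExchQueryBaseDN
        "Cleared msExchQueryBaseDN on {0} user(s)" -f $stale.Count
    } else {
        # Dry run: Set-ADUser -WhatIf shows each object it would modify.
        $stale | Set-ADUser -Clear msExchQueryBaseDN -WhatIf
    }
}
```

Until the WebsitePanel provider is rebuilt, this can be run periodically (for example as a scheduled task with -Apply) so that users provisioned in the meantime do not end up with an empty GAL.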



To stop WebsitePanel from setting the attribute on new users, download the WebsitePanel source and modify it so that it no longer does so. This is done at your own risk.



1. Download the source code of the latest version from sourceforge.net (http://websitepanel.svn.sourceforge.net/viewvc/websitepanel/WebsitePanel/Releases/1.0.2/?view=tar) and extract it to a project folder.

2. Locate the "\1.0.2\Sources\WebsitePanel.Server.sln" solution file in the project folder and open it in Visual Studio 2010.

3. Locate the "Exchange2007.cs" source file in the "WebsitePanel.Providers.HostedSolution" project.

4. Remove or comment out the following statement at lines #1818 and #1930:

SetADObjectPropertyValue(mailbox, "msExchQueryBaseDN", globalAddressListDN);

5. Rebuild the "WebsitePanel.Providers.HostedSolution" project.

6. Locate the recompiled "WebsitePanel.Providers.HostedSolution.dll" in the "\1.0.2\Sources\WebsitePanel.Server\bin" folder and copy it to the "c:\WebsitePanel\Server\bin" folder on all Exchange servers, replacing the existing DLL (keep a backup of the original so you can roll back).




