I've hosted domains on the Exchange 2007 Enterprise. I can see the email addresses but none of the DG appears in the Global Catalogue of that hosted domain. I've clustered mailbox server running Ex07 SP2 and the OS is Windows 2008 SP1. Ent. thanks in advance.

DG = Distribution Group ? Anil

yes sir :)

Hi, If you are using addresslist seggregation you will have to add the custom attribute for it to show in the right addresslist. /MartinExchange is a passion not just a collaboration software.

Make sure you point all your servers to the 2008 Machine. This means the GC must be with 2008 machine. Regards, Vishal Verma

I hope you have default GAL setup in your ENV. Are you able to check DG in OWA ?. what about outlook in cached mode ? Hou much time you are waiting when see DG in outlook cached mode after creation. New DG should show in OWA immedeiatly. Please respond with all check. Anil

The AD server is Windows 2003. I've no issues with Default GAL. I can't see the hosted domain DG in the Outlook but I can via OWA.

Can you download the OAB if you go to "Tools - Send / Receive - Download address book - uncheck only get updates" ? /MartinExchange is a passion not just a collaboration software.

Hi Vministrator, Any update for your issue? Suppose you are using the cach mode for outlook, so please deownload the oab follow above referred. Regards! Gavin

I tried dolwnload the Full ASddreBook and removed the checked for Cache Mode too but same result. I doubt if it has to do with any security permission and modify it using ADSIEDIT.

Are you using any addresslist segregation? Is your Outlook in online or cached mode? Does the behavior change if you switch between them? Did you confirm that it is a generel issue and not just one computer/outlook? Could you tell us more about what you mean with "Hosted domain"? /MartinExchange is a passion not just a collaboration software.

Yes this is same in all three hosted domain (three of our comapnies) except the default company where I've no problem. Are you using any addresslist segregation? Yes - everyone has their own- I've used the custom attributes and department info for each hosted domain. i can see all the user in their respective AL b ut not in the GAL. DG never shows up in anyone of these but they do showup in the Default GAL. Is your Outlook in online or cached mode? Does the behavior change if you switch between them? No Change. Did you confirm that it is a generel issue and not just one computer/outlook? Its with every hosted domain users. Could you tell us more about what you mean with "Hosted domain"? Hosted Domain- I'm hosting mulitple domains on my Exchange 2007 Ent Server. We have 8 companies but so far we are hosting 3 of them. the default comopany is detup from the day first. For those 3 companies I've created different OU and Securtity Group etc ...following the doc from Technet. Everything works fine except GAL.

Is this the guide you followed? http://technet.microsoft.com/en-us/library/bb936719(EXCHG.80).aspx If so you need a GAL per company you host, and the GAL needs to in to include all users and goups with the customattribute set for what ever you called the company. I have used the same guide and it works like a charm. One thing I don't really understand is that you write the default GAL works just fine, but according to the guide that GAL should never be used in a setup with address list segregation. /MartinExchange is a passion not just a collaboration software.

Please check the below mentioned article, White Paper: Configuring Virtual Organizations and Address List Segregation in Exchange 2007 http://technet.microsoft.com/en-us/exchange/bb936719(EXCHG.80).aspx Yes same - this is what MSFT Support asked me to follow.

As i wrote I used the same, but all companies are created the same way with taht guide. /MartinExchange is a passion not just a collaboration software.

and eoes it work perfectly for you . do you see the GAL for each individual domains while you logged in as a user for that domain?

Hi, Yes I have a GAL per company and it works perfectly. I created a script for creating DG i think, but I can follow up on that tomorrow when I am on the system again. /MartinExchange is a passion not just a collaboration software.

Hi mracket, Any update for your issue? I strongly suppose that some configuration issue with the address list segregation. Regards! Gavin

working on it today.. will update it

Hi, here is my script #This step gets a domain controller name ## $DC = "dc01.domain.local" "Using Domain Controller - $DC" ## Get company name ## "Type company name:" $CompanyName = [Console]::ReadLine() $CompanyName = $CompanyName.Trim() ## Get OU name ## "Type name for distributionslist:" $DISTLISTE = [Console]::ReadLine() $DISTLISTE = $DISTLISTE.Trim() " " ".............................................." "1 Creating Security Group for $CompanyName" ".............................................." new-distributiongroup -name "$DISTLISTE" -Type "security" -OrganizationalUnit "domain.local/customers/$CompanyName/accounts" -SamAccountName "$DISTLISTE" -domaincontroller $DC " " ".............................................." #"2 Add Security Group for $CompanyName" to "SG_All_Hosted_Groups" ".............................................." Get-distributiongroup "SG_All_Hosted_Groups" | Add-DistributionGroupMember -Member "$DISTLISTE" -domaincontroller $DC " " ".............................................." "3 Set customattribute1 for the new security group to $CompanyName" ".............................................." set-distributiongroup "$DISTLISTE" -customattribute1 "$CompanyName" -domaincontroller $DC -RequireSenderAuthenticationEnabled:$False #" " #".............................................." #"4 Add rights for $CompanyName to view address list" #".............................................." get-addresslist "$companyname AL" -domaincontroller $DC | add-adpermission -USER "$DISTLISTE" -extendedrights "Open Address list" -deny:$false -domaincontroller $DC /Martin Exchange is a passion not just a collaboration software.

Hi, here is my script #This step gets a domain controller name ## $DC = "dc01.domain.local" "Using Domain Controller - $DC" ## Get company name ## "Type company name:" $CompanyName = [Console]::ReadLine() $CompanyName = $CompanyName.Trim() ## Get OU name ## "Type name for distributionslist:" $DISTLISTE = [Console]::ReadLine() $DISTLISTE = $DISTLISTE.Trim() " " ".............................................." "1 af 15, Creating Security Group for $CompanyName" ".............................................." new-distributiongroup -name "$DISTLISTE" -Type "security" -OrganizationalUnit "domain.local/customers/$CompanyName/accounts" -SamAccountName "$DISTLISTE" -domaincontroller $DC " " ".............................................." #"3 af 15, Add Security Group for $CompanyName" to "SG_All_Hosted_Groups" ".............................................." Get-distributiongroup "SG_All_Hosted_Groups" | Add-DistributionGroupMember -Member "$DISTLISTE" -domaincontroller $DC " " ".............................................." "4 af 15, Set customattribute1 for the new security group to $CompanyName" ".............................................." set-distributiongroup "$DISTLISTE" -customattribute1 "$CompanyName" -domaincontroller $DC -RequireSenderAuthenticationEnabled:$False #" " #".............................................." #"9 af 15, Add rights for $CompanyName to view address list" #".............................................." get-addresslist "$companyname AL" -domaincontroller $DC | add-adpermission -USER "$DISTLISTE" -extendedrights "Open Address list" -deny:$false -domaincontroller $DC /Martin Exchange is a passion not just a collaboration software. is step#2 missing?

I've just noticed that I can see the GAL for the hosted domain when I login via OWA. It shows every email id or DG created for that company, which is exaclty I wanna see in Outlook anywhere.

Sorry i just haven't changed the step markings, I use the script as shown above. Are you creating them the same way? I notice that you now write in "Outlook anywhere", so is it only from outside the company there are problems or is it also if you are inside the firewall with Outlook in online mode? /MartinExchange is a passion not just a collaboration software.

let me create a test account. The account I was checking it was outside the firewall. good point mracket.

same result even on the lan (insode firewall)

In online mode? Online mode should resemble the OWA so in theory you should see the same both places. Are you able to download the OAB? /Martin Exchange is a passion not just a collaboration software.

i've created a test account and I doubt if it is downloading the OAB for this domain. How do make sure if OAB is generated and user is able to download it?

Hi, You can update it with the cmdlet: >Update-OfflineAddressBook "Address list name" You can download it on the client by going to "Tools - send / receive - download address book - uncheck the changes only mark" /MartinExchange is a passion not just a collaboration software.

oh yes, i did it already but there is way you can see if the OAB is really created/updated on the file level.

Hi, On the CAS server you can browse down to the Exchange program folder and under the clientaccess folder you can see a folder per OAB, check the timestamp on the files in those folders. /MartinExchange is a passion not just a collaboration software.

the timestapms are from todays morning 9:12 AM. I've updated it again but does not see any change or current timestamp./

I'm testing it on my virtual server -don't want to mess up the prodcution server :)

I can see the Address List and I can see the GAL of the particular hosted domain. What I don't see when i create a new user accout it does not show up in the Address List but it does in the Global Address List. when I create the Distribution Group of any hosted domian it doesn't appear in the Global Address List. Do I need to make this Distribution Group a member of security group under that hosted domain OU?

Hi, The DG has to be a member of the defined security group created when the hosted setup was created. In my script it looks like this: Get-distributiongroup "SG_All_Hosted_Groups" | Add-DistributionGroupMember -Member "$DISTLISTE" -domaincontroller $DC As to the Addresslist not being updated it sounds like something is missing in the create user script you are using. To be of more help please post the script you are using to create users and distributionsgroups with. /MartinExchange is a passion not just a collaboration software.

orry forf the late reply. I use gui for creating new mailboxes and related stuff . I'm almost done with a new exchange serve (test environmen) with multiople hosting domain environment. I'm going to follow the MSFT document step by step and see if that solves my issue and help me to troubleshoot where did I do wrong, if I did :) I'll be able to update this post on Friday hopefully. Happy Thnaks giving day guys.

Sounds good. Keep us updated :) Like said i followed that whitepaper, and I have scripts for putting all the permissions and settings on new users and groups. I also have scripts for creating the new companies that could be hosted on the server. /MartinExchange is a passion not just a collaboration software.

Hi, Any updates? I just read your post again, and you use gui for creating mailboxes and so on. I believe that one of the things that addresslist segregation requires is the creating of users with scripts, or at least that is the easiest way since you add and remove permissions to addresslists when creating a new user and addresslist. The script i posted earliere was about the creating of an addresslist, but I have a similar one when creating a mailbox. /MartinExchange is a passion not just a collaboration software.

it looks fine in the OWA, now i'm trying to configure the Outlook, since it is on the same network as our production exchange i'm facing problem for the autodiscovery, I'm editing the host files and related stuff to replicate the configuration. I want to see if that works same as it does in OWA.

Hi, I think you need to set the msExchQueryBaseDN as well, I am doing that in my script according to the whitepaper. /MartinExchange is a passion not just a collaboration software.

Yes I did that ;)

And you also remember to add the user to the security group that is a member of the SG_All_Hosted_Groups? /MartinExchange is a passion not just a collaboration software.

this script is very complicated for me. can you replace the domain with a domain name CONTOSO.LOCAL? There are three hosted domains, NEWYORK.COM, CONNECTICUT.COM,BOSTON.COM and each will have Distribution Group name ITSTAFF.

new-distributiongroup -name "$ITSTAFF" -Type "security" -OrganizationalUnit "contoso.local/NewYork.COM/$CompanyName/accounts" -SamAccountName "$ITSTAFF" -domaincontroller $Contoso What company name and account do i need to type here?

Hi, According to my script translated to your setup Dist_Network.com distribution should should be a member of SG_All_Hosted_Groups Dist_Connecticut.com distribution should should be a member of SG_All_Hosted_Groups Dist_Boston.com distribution should should be a member of SG_All_Hosted_Groups /MartinExchange is a passion not just a collaboration software.

new-distributiongroup -name "$ITSTAFF" -Type "security" -OrganizationalUnit "contoso.local/NewYork.COM/$CompanyName/accounts" -SamAccountName "$ITSTAFF" -domaincontroller $Contoso What company name and account do i need to type here? The company name is the OU that the hosted domain is located under. The $ITSTAFF should be a unique name for each hosted domain, so it could be SG_Network_ITStaff and SG_Boston_ITStaffExchange is a passion not just a collaboration software.

the company itself is NewYork.com which has only one OU which is a User OU. When I run the above cmdlet it comes up with error.

Hi, When you use addresslist segregation you should really have all the companies on the same level/design. There is not one company that has more rights or a different deisgn since the basic idea is to create everything to be the same for each company you host. When you created the Lab environment you talked about earliere, did you then follow the whitepaper all the way through? /MartinExchange is a passion not just a collaboration software.

My prodcution server uis setup as the document. I'm following the document in my lab step by step. as far as the cmdlet is concerned when I try to pass the value to the variable doesn't work but simple cmdlet work this way [PS] C:\>new-distributiongroup -name "ITSTAFF" -Type "security" -OrganizationalUnit "contoso.local/Hosting/Florida.com" -SamAccountName "ITSTAFF" -domaincontroller $contoso will keep u updated.

update here I'm following this doc step by step now. I got stuck at one of the step before that every step went fine. Restrict Access to the Default Global Address List Get-GlobalAddressList "Default Global Address List" | Add-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$True it throws this error [PS] C:\>Get-GlobalAddressList "Default Global Address List" | Add-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights Open-Addre ss-Book -Deny:$True Get-GlobalAddressList : The operation could not be performed because object 'De fault Global Address List' could not be found on domain controller 'EAI-HYPERV- 01.CONTOSO.LOCAL'. At line:1 char:22 + Get-GlobalAddressList <<<< "Default Global Address List" | Add-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights Open-Addr ess-Book -Deny:$True ----------------- This Test Server name is EAI-HYPERV-01.CONTOSO.LOCAL Organization name is Connecticut

this command runs fine $galContainer = "CN=All Global Address Lists,CN=Address Lists Container,CN=<CONNECTICUT>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DClocal" It runs fine but doens't show any result after that when i run this command Get-ADPermission $galContainer -user "authenticated users" Note: The output should resemble this: Identity User Deny Rights \Global Address List NT AUTHORITY\Authenticated Users True Open-Address-Book \Global Address List NT AUTHORITY\Authenticated Users True ReadProperty \\Global Address List NT AUTHORITY\Authenticated Users True ListObject, GenericExecute it says there is no global addresslist [PS] C:\>Get-ADPermission $galContainer -user "authenticated users" Get-ADPermission : The operation could not be performed because object 'CN=All Global Address Lists,CN=Address Lists Container,CN=<connecticut>,CN=Microsoft E xchange,CN=Services,CN=Configuration,DC=contoso,DC=local' could not be found on domain controller 'EAI-HYPERV-01.CONTOSO.LOCAL'. At line:1 char:17 + Get-ADPermission <<<< $galContainer -user "authenticated users"

I figured out. I was typing the Organization name with <>

Thanks to all who contributed theie time here. Mike I'ce got your blog address from your profile. I'll mention your effort and a blog address on my blog in the coming. Don't forget to check my blog for this update http://adnanrafik.com/blog

Glad you got it fixed and glad to be of assistance :) /MartinExchange is a passion not just a collaboration software.

Hi Guys, i've created a new post to " how to setup the Public Fodler for these virtual domains? thanks in advance.