Is There a replication delay between Exchange 2010 and Active Directory?
If I change group membership of a user in Active Directory then force replication between DCs, sometimes it's still another 30 minutes or so before the change shows any effect on the Exchange server. Does Exchange maintain a copy of the Active Directory database? If so, is there some way to force replication?

Edit: Here's the reason I ask. One of my desktop support people called me and said he was able to Send As another user. I checked the permissions on the Exchange server, and he didn't have any permissions through the server. He said the other user hadn't delegated any permissions to him. I opened Outlook on another computer under a test user account and tried to do a Send As from that user. I was very surprised when the email went through. I tried to Send As a few other users, and two more went through before one failed. The permissions list on these user accounts is pretty long, so rather than stare and compare, I decided to remove groups from my test user to see which group might be giving it Send As rights. I removed all IT-related groups and forced replication between all of the DCs in the same site as the Exchange servers and at my site. I could still Send As. I removed all groups except for Domain Users and forced replication again. After confirming that replication had occurred and that my test user was logged into the local computer with no group memberships except Domain Users and the local computer's Users group, I could still Send As this other user! Very big problem. I worked on another problem for a bit and came back and tried it again. This time I wasn't able to Send As anything but my test user. Removing those groups from my test user actually did remove my Send As permissions, but there was a delay between when I made the change and forced replication between DCs and when the Exchange server picked up on the change, which implies that there is some kind of replication going on between Exchange and the DC that doesn't appear in AD Sites and Services.
June 13th, 2011 5:12pm
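The poster's situation, a Send As right that shows up for a user who has no explicit grant, is easiest to untangle by listing the explicit Send As entries on the target mailbox and expanding any group trustees so that a membership change can be checked directly. The script below is an added example, not code from the thread; it assumes the Exchange 2010 Management Shell with the ActiveDirectory module (RSAT) available, and `real.user` and `DC01.corp.example` are placeholder names.

```powershell
# Added example: list explicit Send As trustees on a mailbox and expand group
# trustees to the users who effectively hold the right.
# Assumes Exchange 2010 Management Shell + ActiveDirectory module (RSAT).
# Placeholder names: the mailbox and the DC to query.
Import-Module ActiveDirectory

$Mailbox = 'real.user'
$Dc      = 'DC01.corp.example'   # query the DC the Exchange servers are bound to

# Explicit (non-inherited, non-deny) ACEs that carry the Send-As extended right.
$sendAsAces = Get-ADPermission -Identity $Mailbox -DomainController $Dc |
    Where-Object {
        ($_.ExtendedRights -like '*Send-As*') -and
        (-not $_.IsInherited) -and
        (-not $_.Deny)
    }

foreach ($ace in $sendAsAces) {
    # $ace.User renders as "DOMAIN\name"; keep only the account name.
    $name = ($ace.User.ToString() -split '\\')[-1]
    $obj  = Get-ADObject -Filter { SamAccountName -eq $name } -Server $Dc -Properties objectClass

    if ($obj -and $obj.objectClass -eq 'group') {
        # Recursive expansion surfaces nested members who inherit the right.
        $members = Get-ADGroupMember -Identity $name -Recursive -Server $Dc |
            Select-Object -ExpandProperty SamAccountName
        New-Object PSObject -Property @{
            Trustee        = $ace.User.ToString()
            Type           = 'group'
            EffectiveUsers = ($members -join ', ')
        }
    }
    else {
        New-Object PSObject -Property @{
            Trustee        = $ace.User.ToString()
            Type           = 'user'
            EffectiveUsers = $name
        }
    }
}
```

Running this against the same DC before and after a group change shows whether AD itself already reflects the change; if AD does and Outlook still behaves as before, the remaining delay is on the Exchange side rather than in DC replication.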

Exchange does not store any AD database replica. It accesses AD using the Exchange AD Topology service. All the Exchange information like address lists, email policies etc. is stored in AD. By default Exchange Server connects to the default AD server in the same site and pulls the information.

1. To solve your issue, make sure Exchange is connecting to the right AD server in the site. Type the get-exchangeserver command to find out the domain controller, and use set-exchangeserver to manually specify the AD DC. http://technet.microsoft.com/en-us/library/aa998561.aspx

Thanks, Uday Kiran, Senior Consultant, Cyquent Technology Consultants, Dubai. Please mark as answer if it helps you.
June 13th, 2011 6:36pm
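The check this answer describes, discovering which DC and GC each Exchange server is actually reading from, pushing AD replication, and then confirming the group change is visible on exactly those DCs, can be scripted as below. This is an added example, not part of the thread or of Microsoft's documentation; it assumes the Exchange 2010 Management Shell, the ActiveDirectory module and `repadmin` on the box, and `IT-HelpDesk`, `test.user`, `EX01` and `DC01.corp.example` are placeholders.

```powershell
# Added example: find the DCs each Exchange 2010 server uses, push AD
# replication, and verify a group membership change on those DCs.
# Assumes Exchange Management Shell + ActiveDirectory module + repadmin.
Import-Module ActiveDirectory

$Group = 'IT-HelpDesk'   # placeholder: the group whose membership was changed
$User  = 'test.user'     # placeholder: the account added to / removed from it

# -Status populates CurrentDomainControllers / CurrentGlobalCatalogs.
$servers = Get-ExchangeServer -Status
$servers | Format-Table Name, ServerRole, CurrentDomainControllers,
    CurrentGlobalCatalogs, CurrentConfigDomainController -AutoSize

# Push replication: all partitions (/A), identify by DN (/d), cross-site (/e), push (/P).
repadmin /syncall /AdeP | Out-Null

# Ask each DC that Exchange is bound to whether it already sees the change.
$dcs = $servers | ForEach-Object { $_.CurrentDomainControllers } |
    ForEach-Object { $_.ToString() } | Select-Object -Unique
foreach ($dc in $dcs) {
    $isMember = [bool](Get-ADGroupMember -Identity $Group -Server $dc |
        Where-Object { $_.SamAccountName -eq $User })
    '{0}: {1} member of {2} = {3}' -f $dc, $User, $Group, $isMember
}

# Optional: pin a server to a specific DC/GC so edits and reads hit the same DC.
# A static binding does not fail over, so clear it again afterwards with
# -StaticDomainControllers $null -StaticGlobalCatalogs $null.
# Set-ExchangeServer -Identity 'EX01' `
#     -StaticDomainControllers 'DC01.corp.example' `
#     -StaticGlobalCatalogs    'DC01.corp.example'
```

If every bound DC already reports the expected membership and the Send As behaviour in Outlook still lags, DC replication is not what is holding the change back.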

Thanks, Uday. I didn't think that Exchange stored a copy of the AD database, but I can't think of any other explanation for what's going on. My test account (call it test.user) was a member of several IT groups about 2 hrs ago. I removed it from those groups and was still able to Send As another user (call it real.user) for at least 30-40 minutes after that. (Replication interval for servers within this site is 15 minutes.) Around 9:20 pm, the change in group membership finally caught up with test.user, and I was no longer able to Send As real.user. Then I used get-exchangeserver to see what DC my Mailbox and CAS servers are connected to and then made sure that I was using that server to edit accounts. I added all the IT groups back to test.user, waited about 3 minutes and tried to send a message as real.user. No good. It still says I don't have permission to send as that user. It's been 15 minutes now and I still can't send the message.
June 13th, 2011 10:35pm

It seems to take somewhere between 30 and 60 minutes for a group membership change in AD to take effect on mailbox access in Exchange 2010.
June 14th, 2011 4:25pm

Hi, the Send As permission isn't granted until after replication has occurred. Replication times depend on your Exchange and network configuration. To grant the permission immediately, stop and then restart the Microsoft Exchange Information Store service. http://technet.microsoft.com/en-us/library/bb676368.aspx

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 14th, 2011 11:24pm

I would say replication time between the servers totally depends on the kind of network infrastructure you have, no matter whether they are Exchange, AD or any other servers. If you are running on an optical fiber network, things will be lightning fast compared to a CAT5 or CAT6 network. Cheers, Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com
June 14th, 2011 11:52pm

The 4 Exchange servers are in a single site with 2 DCs and it is 100% fiber.
June 16th, 2011 11:53am

You are probably being caught out by cached information. Exchange caches a lot of permissions etc., and that cache is only flushed every 120 minutes by default. You can force it to flush by restarting the Information Store. It is not recommended to reduce that cache time as it can cause significant performance issues. However, if you grant a permission to a group and then change the membership of the group (i.e. you don't change the actual permission list), then that change usually takes effect quicker, because Exchange has cached that the group has permission but appears to do a live lookup of the group membership. Group membership changes are subject to Active Directory replication though, which is outside of the control of Exchange. Simon. Simon Butler, Exchange MVP. Blog | Exchange Resources | In the UK? Hire Me.
June 16th, 2011 12:22pm
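The cache this answer and the earlier one describe lives in the Information Store, and the supported way to flush it is the store restart both answers mention. The script below, an added example that is not from the thread, reads the store's mailbox-cache lifetime override if one has been configured, restarts the store, and waits for the server's databases to remount before the permission is retested. The registry key and value name are assumed from Microsoft's Exchange 2007/2010 documentation (a DWORD in minutes, defaulting to 120 when absent), and the script is meant to be run on the Mailbox server hosting the affected mailbox.

```powershell
# Added example: inspect the Information Store mailbox-cache lifetime and flush
# the cache by restarting the store on this Mailbox server.
# Assumed from Microsoft docs: DWORD "Mailbox Cache Age Limit" (minutes),
# default 120 when the value is absent. Restarting MSExchangeIS dismounts every
# database on the server (and triggers failover in a DAG), so schedule it.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
$name = 'Mailbox Cache Age Limit'

$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties[$name]) {
    $limit = [int]$props.$name
    "Configured override: $limit minutes"
}
else {
    $limit = 120
    "No override set; default of $limit minutes applies"
}

# Flush the cache. -Force also restarts services that depend on the store.
$server = $env:COMPUTERNAME
Restart-Service -Name MSExchangeIS -Force

# Wait until every database on this server is mounted again before retesting.
do {
    Start-Sleep -Seconds 10
    $dismounted = Get-MailboxDatabase -Server $server -Status |
        Where-Object { -not $_.Mounted }
    if ($dismounted) {
        'Waiting on: ' + (($dismounted | ForEach-Object { $_.Name }) -join ', ')
    }
} while ($dismounted)

'All databases mounted; cached permissions have been discarded.'
```

Reading the value before deciding anything matters because, as the answer says, lowering the lifetime trades the delay for extra AD lookups on every mailbox access; the restart clears the cache once without changing that trade-off.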

It's really only the group membership that seems to be a problem. Without changing any permissions for the group or user, if I add (or remove) the user to the group, the user's effective permissions to mailboxes in Exchange don't seem to change for about an hour.
June 16th, 2011 12:58pm

I'm wondering if there might be something cached in IIS. All of my Outlook clients are using Outlook anywhere via https on both slow and fast network connections.
June 16th, 2011 12:59pm

Did you ever find a solution to this issue? I've noticed that Exchange has started taking up to 4 days to replicate new groups or changes to people's details (title etc.). I've been searching online KBs etc. for hours but haven't found anything useful.
May 22nd, 2012 12:24am

Check if they are in Outlook cached mode; cached mode has a tendency to not reflect changes timely or at all. James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 22nd, 2012 11:19am
