Problem with exchange email policy race condition.

We are having an issue with the email address policy self-resolving internal collisions by appending the number "2" to email addresses.

Basically what we do is new employees receive contacts for the GAL automatically. The user can then choose to create a user object or even get an exchange account via online self-provisioning site.

So our process deletes the contact object, then creates a user object. That user object is then mail-enabled. At that moment the email address policy kicks in and adds a few addresses ([user]@[domain], [user]@exchange.[domain], etc.).

Here is example code of how we sometimes do this manually for users that don't self-provision.

#remove contact (every step is pinned to the same DC via $script:dc)
Get-ADObject -Filter { cn -eq $user } -Server $script:dc | Remove-ADObject -Confirm:$false -Server $script:dc

#create new user object
New-ADUser -Name $user -SamAccountName $user -Enabled $true -ChangePasswordAtLogon $true -UserPrincipalName $userPrincipalName -DisplayName $User_displayname -Path $ou -GivenName $userFirstName -Surname $userLastName -AccountPassword $Private -Server $script:dc

#mail enable user object (the email address policy stamps the proxy addresses at this point)
Enable-MailUser -Identity $user -ExternalEmailAddress $externalAddress -Alias $user -DomainController $script:dc

Now the problem seems to be that even though the contact is deleted, the address is still somewhere in the system, because when the user is mail-enabled their addresses look like this: [user]2@[domain] and [user]2@exchange.[domain]. It sticks 2s on all of them.

Best guess is the policy sees the old address *somewhere* but rather than fail it just appends a 2 to avoid the collision and goes on its merry way. All the script lines run against the same DC and all the Exchange servers point to one DC.

What is causing this and how do we stop it?

February 13th, 2015 1:10am
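As an added example (not code from the thread or from the poster), here is a check that can run before Enable-MailUser: it searches the same DC for any object, live or deleted, that still carries the addresses the policy would stamp, so a collision fails loudly instead of being silently resolved with a 2. The function name, the domain values and the assumption that the policy builds [user]@[domain] are mine; $user and $script:dc are the thread's own placeholders.

```powershell
# Added example (not the poster's code). Searches one DC for any object, live or
# deleted, that still carries the SMTP addresses the policy would stamp on $User.
# Assumes the ActiveDirectory module and that the policy builds [user]@[domain].
function Find-ProxyAddressHolders {
    param(
        [Parameter(Mandatory)][string]   $User,
        [Parameter(Mandatory)][string[]] $Domains,   # e.g. 'corp.example','exchange.corp.example'
        [Parameter(Mandatory)][string]   $Server     # the DC every step of the process uses
    )
    # Escape the characters that are special in an LDAP filter (RFC 4515); backslash first.
    $safe = $User -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    foreach ($domain in $Domains) {
        $addr = "$safe@$domain"
        # proxyAddresses and mail compare case-insensitively, so 'smtp:' also matches 'SMTP:'.
        $ldap = "(|(proxyAddresses=smtp:$addr)(mail=$addr))"
        # -IncludeDeletedObjects returns tombstoned/recycled objects too. With the AD Recycle
        # Bin enabled, deleted objects keep their attributes (proxyAddresses included) until
        # the deleted-object lifetime expires; without it, most attributes are stripped.
        Get-ADObject -LDAPFilter $ldap -IncludeDeletedObjects -Server $Server `
                     -Properties proxyAddresses, mail, isDeleted, whenChanged |
            ForEach-Object {
                [pscustomobject]@{
                    Address           = "$User@$domain"
                    DistinguishedName = $_.DistinguishedName
                    ObjectClass       = $_.ObjectClass
                    IsDeleted         = [bool]$_.isDeleted
                    WhenChanged       = $_.whenChanged
                    ProxyAddresses    = ($_.proxyAddresses -join ';')
                }
            }
    }
}

# Gate the mail-enable step on the check: stop and show the holder instead of letting
# the policy append a 2. The domain names are placeholders.
$holders = Find-ProxyAddressHolders -User $user -Server $script:dc `
               -Domains @('corp.example', 'exchange.corp.example')
if ($holders) {
    $holders | Format-Table -AutoSize
    throw "Address for $user is still held by another object on $($script:dc); not mail-enabling."
}
```

If the only hits come back with IsDeleted set, the lingering holder is a deleted object on that DC, which is the case the Recycle Bin question later in the thread is asking about.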

Is there time for AD replication in between the removal of the contact object and the mail enabling of the AD user account?
February 13th, 2015 1:51am

I've put small sleeps in without help. I don't know how long it might be taking. I don't want to keep adding delays until the app appears to hang. Also this is a more recent phenomena, it used to work fine.

We did have some replication problems in the past but those were alleviated by using the -domaincontroller parameter and making sure all commands run on the same server. 

The weird thing is, if it is replication, I don't know to what. The object is indeed gone or I would get an "already exists" error when I create the user object. The server does not see any object, but the address policy still sees the addresses somewhere.

February 13th, 2015 4:41pm

Do you have the AD recycle bin enabled? I wonder if recycled AD accounts that had an email address are still "seen" by the address policy. I don't have a system I can use to check this unfortunately.
February 13th, 2015 7:24pm

No, I don't believe we do. Never heard of that feature, and it appears to be off by default.
February 17th, 2015 2:50pm
