Exchange 2007 objects are not stamped with ShowInAddressBook and never end up in the GAL after a gal sync

When mailbox enabled objects are created they go through a stamping process to mail enable them. In Exchange 2003 the RUS (Recipient Update Service) is responsible for doing this. One of the main tasks of the Recipient Update Service is to populate the ShowInAddressBook attribute for objects in Active Directory. All mail-enabled objects have this attribute, including users, contacts, groups, public-folders and any other object in Active Directory that supports showInAddressBook attribute and has a mailNickname attribute.

Every time that a user, a group, or any object is added or modified in Active Directory, the Recipient Update Service picks up that object, determines which of the available address lists it belongs to, and adds that address list to the showInAddressBook attribute of the object. One exception for this is if the mailbox is hidden. In that case, the msExchHideFromAddressLists attribute is set to TRUE, so the Recipient Update Service will not stamp any address lists, and will remove any that are already present on the attribute.

The showInAddressBook attribute has two purposes.

1. To let people see the entry listed in the address list by means of Messaging Application Programming Interface (MAPI) client, such as Microsoft Outlook.
2. It allows users to "resolve a name" on a MAPI client.

Address Lists

By default, there are several address lists configured in Microsoft Exchange 2003 Server and Exchange Server 2007. The most important is the Default Global Address. Exchange 2003 and Exchange 2007 allow you to have several global address lists, and several other address lists with a much richer definition than earlier versions of Exchange Server. For example, you can create an address list called "Top Executives" that searches for entries that have "VP," "President," "CEO," or "Director" in the title.

By default, Exchange 2003 and Exchange 2007 provide the following address lists, plus the default global address list:

  • All Contacts
  • All Groups
  • All Rooms (Added in Exchange 2007)
  • All Users
  • Public Folders

How Exchange Uses the ShowInAddressBook Attribute to Resolve Names

To set up Microsoft Outlook to access an Exchange mailbox, you must create a profile for that mailbox. When you configure the Microsoft Exchange Server service in the profile, one of the steps is to enter your Exchange server name, and your mailbox alias.

When you click the Check Name button, Outlook attempts to resolve the alias to a mailbox on the Exchange server. Outlook uses MAPI to contact the Exchange server that you specify and queries to see if there is an entry that matches the alias that you entered. The server then searches for any mail-enabled objects that belong to at least one address list and that also match the alias. After the name has been resolved, the client is ready to log on. If a user does not have any address lists in the showInAddressBook attribute, it does not belong to any address list. Therefore, that user will not be able to resolve their alias to a mailbox.

This behavior occurs if the mailbox is hidden, which causes the msExchHideFromAddressLists attribute to be set to TRUE. In this case, you cannot resolve the name, and therefore, cannot create a profile in Outlook. To be able to access this mailbox, you need to unhide this object, create the profile, and then hide it again.

How To Fix (If you are running Exchange 2003)

1. Save out and clear your Windows Application Log.
2. Turn up diagnostic logging for MSExchangeSA\Proxy Generation.
3. In the ESM (Exchange System Manager) navigate to Organization | Recipients | Recipient Update Service container.
4. Right click the Recipient Update Service (Domain).
5. Select ‘Update Now’.

NOTE: If you select rebuild it will force a full rebuild and it can take a long time, in some cases hours.

6. Check the Application Log for errors. At this point if the RUS ran, the users should be stamped. Other things to look when troubleshooting this on Exchange 2003 are as follows:

  • The schedule of the RUS and what it is set to
  • Is the Update Interval set to never run?
  • Is the RUS pointing to a domain controller in another site (which then replication has to take affect)?
  • Is the RUS pointing to a domain controller that is offline or no long in existence?

Changes in Exchange 2007 (The RUS (Recipient Update Service) has been removed!)

One change in Exchange 2007 is that we removed RUS and it no longer exists in the Exchange 2007 product. If you are using a different process to create the objects (Quest, MIIS, etc) we do *NOT* stamp these attributes There are three new commands that you can run via the Microsoft Exchange Management Shell to achieve this:

  • Get-EmailAddressPolicy – This cmdlet is used to return all of the attributes on a policy or a set of policies.
  • Update-EmailAddressPolicy – This cmdlet is used to apply an e-mail address policy to all recipients.
  • Set-Mailbox–ApplyMandatoryProperties – This cmdlet is used to modify the settings of an existing mailbox. You can use this cmdlet for one mailbox at a time!

Once you run the cmdlets to stamp the objects you should then see them in the GAL and you can rebuild your Offline Address List.

How to Fix (If you are running Exchange 2007)

1. Open the EMS (Exchange Management Shell)
2. Run the following cmdlet: Get-EmailAddressPolicy

Note: You will see the following output:

[PS] c:\Get-EmailAddressPolicy

Name                       Priority                           RecipientFilter
Default Policy            Lowest

3. Run the following cmdlet: Update-EmailAddressPolicy –Identity “Your Policy Name Here”
4. Run the following cmdlet: Set-Mailbox–ApplyMandatoryProperties –Identity YourUserName

Once you run the following command in verbose mode you will see the following output for verification:

[PS] C:\>Set-Mailbox -ApplyMandatoryProperties -Identity ShowInAddressBookUser -V
VERBOSE: Set-Mailbox : Beginning processing.
VERBOSE: Set-Mailbox : Administrator Active Directory session settings are: View Entire Forest:
'False', Default Scope: 'OABWorld.local', Configuration Domain Controller: 'GC01.OABWorld.local',
VERBOSE: Set-Mailbox : Searching objects "ShowInAddressBookUser" of type "ADUser" under the root "$null".
VERBOSE: Set-Mailbox : Previous operation run on domain controller 'GC01.OABWorld.local'.
VERBOSE: Set-Mailbox : Processing object "OABWorld.local/Users/showInAddressBook".
VERBOSE: Setting mailbox "ShowInAddressBookUser".
VERBOSE: Set-Mailbox : Applying RUS policy to the given recipient"OABWorld.local/Users/showInAddressBook" with the home domain controller "$null".
VERBOSE: Set-Mailbox : The RUS server that will apply policies on the specified recipient is "e2k7.OABWorld.local".
VERBOSE: Set-Mailbox : The properties changed are: "{ AddressListMembership={ '\All Users','\Default Global Address List', '\My Custom Global Address List' }, EmailAddresses={ 'X400:C=US;A=;P=OABWorld;O=Exchange;S=showInAddressBook;', 'SMTP:showInAddressBook@OABWorld.local' },WindowsEmailAddress='showInAddressBook@OABWorld.local',
<OriginalWindowsEmailAddress='showInAddressBook@OABWorld.local'> }".
VERBOSE: Set-Mailbox : Saving object "OABWorld.local/Users/showInAddressBook" of type "ADUser" and state "Changed".
VERBOSE: Set-Mailbox : Previous operation run on domain controller 'GC01.OABWorld.local'.
VERBOSE: Set-Mailbox : Ending processing.

NOTE: You can run the following command to run this against all of your users:Get-User | Set-Mailbox -ApplyMandatoryProperties

This is a must read!!! For more information on the -ApplyMandatoryProperties switch and why this even exists, please read Evan Dodds blog post: https://blogs.technet.com/evand/archive/2007/02/28/applymandatoryproperties.aspx 

Dave