Creating a new mailbox in Exchange 2007 with the new-mailbox cmdlet fails with Address List Service not Available

When creating mailboxes in Exchange 2007, the mailbox APIs must have access to a domain controller in order to apply recipient policies for stamping purposes. Under certain conditions, creating a new mailbox with the Exchange 2007 ESM or with the new-mailbox PowerShell cmdlet will fail with the following error:

Event ID: 8325
Event Category: Address List Synchronization
Event Source: MSExchangeAL
Event Type: Error
Date: 5/1/2007
Time: 1:52:04 PM
Description: The service can't work properly because Email Address Policy 'CN=XXXX,CN=Recipient Policies,CN=Corp,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=OAB,DC=com' has an invalid filter rule (PurportedSearch). The error is 'Invalid token.'. Use the Exchange Management Console to correct this problem. New users, contacts, and groups won't be fully provisioned until this is fixed.

If you are running setup for the first time you might also see this error:

Event ID: 1002
Event Category: Microsoft Exchange Setup
Event Source: MSExchangeSetup
Event Type: Error
Date: 5/1/2007
Time: 1:46:43 PM
Description: Exchange Server component Mailbox Role failed. Error: The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error.

You might also see the following text in your ExchangeSetupLog file:

[11/10/2007 2:21:49 PM] [2] Applying RUS policy to the given recipient "MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e" with the home domain controller "COMPUTERNAME.domain.com".

[11/10/2007 2:21:49 PM] [2] [ERROR] The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error.

[11/10/2007 2:21:49 PM] [1] Exception : Microsoft.Exchange.Configuration.MonadDataProvider.MonadDataAdapterInvocationException: The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error. It was running command '$error.Clear(); $count=0; $ExchangeServers = Get-ExchangeServer -DomainController $RoleDomainController; foreach($server in $ExchangeServers) { if(($server.AdminDisplayVersion.Build -gt 641) -and ($server.IsMailboxServer -eq $true)) { $count++; } } if( $count -eq 1) { Set-OrganizationConfig -DomainController $RoleDomainController; }'. ---> Microsoft.Exchange.Data.Directory.RusServerUnavailableException: The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error.
at Microsoft.Exchange.Data.Directory.Recipient.RecipientUpdateService.LocateServer()
at Microsoft.Exchange.Configuration.Tasks.RecipientTaskHelper.ApplyRusPolicy(ADSystemConfigurationSession configurationSession, ADRecipientSession recipientSession, ADRecipient recipient, Fqdn domainController, String serverName, TaskVerboseLoggingDelegate logHandler, TaskWarningLoggingDelegate writeWarning)
at Microsoft.Exchange.Configuration.Tasks.RecipientTaskHelper.ApplyRusPolicy(ADSystemConfigurationSession configurationSession, ADRecipientSession recipientSession, ADRecipient recipient, Fqdn domainController, String serverName, TaskVerboseLoggingDelegate logHandler, TaskErrorLoggingDelegate writeError, TaskErrorLoggingDelegate throwTerminatingError, TaskWarningLoggingDelegate writeWarning)

--- End of inner exception stack trace ---

at Microsoft.Exchange.Configuration.MonadDataProvider.MonadCommand.ClosePipeline(MonadAsyncResult asyncResult)
at Microsoft.Exchange.Configuration.MonadDataProvider.MonadCommand.EndExecute(MonadAsyncResult asyncResult)
at Microsoft.Exchange.Management.Deployment.ComponentInfoBasedTask.ExecuteScript(String script, Boolean handleError, Int32 subSteps, LocalizedString statusDescription)
at Microsoft.Exchange.Management.Deployment.ComponentInfoBasedTask.GenerateAndExecuteTaskScript(InstallationCircumstances installationCircumstance)

[11/10/2007 2:21:49 PM] [1] [WARNING] An unexpected error has occurred and a Watson dump is being generated: The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error. It was running command '$error.Clear(); $count=0;
$ExchangeServers = Get-ExchangeServer -DomainController $RoleDomainController; foreach($server in $ExchangeServers) { if($server.AdminDisplayVersion.Build -gt 641) -and ($server.IsMailboxServer -eq $true)) { $count++; } } if( $count -eq 1) { Set-OrganizationConfig -DomainController $RoleDomainController; }'.

[5/18/2007 2:21:49 PM] [1] [ERROR] The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error. It was running command '$error.Clear(); $count=0; $ExchangeServers = Get-ExchangeServer -DomainController $RoleDomainController; foreach($server in $ExchangeServers) { if(($server.AdminDisplayVersion.Build -gt 641) -and ($server.IsMailboxServer -eq $true)) { $count++; } } if( $count -eq 1) { Set-OrganizationConfig -DomainController $RoleDomainController; }'.

[11/10/2007 2:28:29 PM] [0] End of Setup

There are 6 causes for this error at this time:

1. The CN=Public Folders object is missing under CN=All Address Lists in the Active Directory directory service.

2. The 'Allow inheritable permissions from the parent to propagate to this object and all child objects' check box is *not selected* on the CN=All Address Lists object and on the CN=Public Folders object. This check box must be selected on both objects.

3. You are using an invalid LDAP search filter on your address list. LDAP queries are used in filter rules to specify the recipient membership of address lists and recipient policies. A malformed filter can cause the Recipient Update Service (in Exchange 2003) or the RUS APIs (in Exchange 2007) not to process the email or recipient policy. This will prevent new mailboxes from being created in Exchange 2007, and your user account attributes will not be updated as expected.

How to fix cause 3: If you are using Exchange 2003 and you are trying to find users by groups, you should be using the custom attributes that are available on the user object. By default, if you use the Exchange Query Builder to create a filter for your Address List, Global Address List or Email policy, it will look something like this:

(&(&(objectCategory=contact)(extensionAttribute1=fd)(&(&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) )))(objectCategory=user)(extensionAttribute1=fd)))))

NOTE: extensionAttribute1 is what is on the Exchange 2003 side. On Exchange 2007 this maps to the CustomAttribute attribute.

From there, the correct way to create the LDAP filter for an Address List is to do the following:

  1. Right click your address list
  2. Select the 'Advanced Tab' on the "Find Exchange Recipients Tab"
  3. Select 'Field'
  4. Select 'User'
  5. Select 'Custom Attribute #'
  6. Change the 'Condition' to: Is (exactly)
  7. Add your value.

Once you have created your filter the way I listed above you will have something that looks like this:  (&(objectCategory=group)(extensionAttribute1=YourCustomAttribute1-10))

The Windows Query Engine has a limitation when you try to add groups with an 'OR': it will break the filter. If you also want to add contacts and groups to your filter, you will need to modify it by hand as below.

(|(&(objectCategory=user)(extensionAttribute1=YourCustomAttribute1-10))(&(objectCategory=group)(extensionAttribute1=YourCustomAttribute1-10))(&(objectCategory=contact)(extensionAttribute1=YourCustomAttribute1-10)))

1. Apply this filter to the All Address List of your choice: (&(&(|(&(objectCategory=user)(extensionAttribute1=YourCustomAttribute1-10))(&(objectCategory=group)(extensionAttribute1=YourCustomAttribute1-10))(&(objectCategory=contact)(extensionAttribute1=YourCustomAttribute1-10)))))
2. Apply this filter to the Global Address List of your choice: (&(&(|(&(objectCategory=user)(extensionAttribute1=YourCustomAttribute1-10))(&(objectCategory=group)(extensionAttribute1=YourCustomAttribute1-10))(&(objectCategory=contact)(extensionAttribute1=YourCustomAttribute1-10)))))
3. Go to your Email policy in the Exchange 2003 ESM, pull up the Recipient filter and change that filter to the same one as above.

NOTE: The Email Policy custom search is linked to the PurportedSearch attribute on the Email Policy. This is what Exchange 2007 is looking for when it tries to stamp a user.

4. Replicate the change to your domain controllers.
5. Mailboxes can now be created!

4. You modified an attribute of an address list with an invalid value such as NOT SET. When Active Directory resets an attribute value, it is set back to <Not Set>. In the cases where we have seen this, the object in question was the Default Global Address List.

5. The virtual server name is missing from Active Directory. If this is the case, you will see the following event ID in the application log:

Event ID : 9317
Raw Event ID : 9317
Record Nr. : 4178596
Category : General
Source : MSExchangeSA
Type : Error
Generated : 3/12/2008 12:08:47 AM
Written : 3/12/2008 12:08:47 AM
Machine : ExchangeCluster-Node1
Message : Failed to register Service Principal Name for exchangeRFR; error code was c10379bc.

6. The System Attendant service has not started. Sometimes there can be a dependency problem, and the System Attendant will not start even though your other Exchange services have.

7. Check to make sure that TCP Chimney functionality has been disabled. For more information on what the Scalable Networking Pack is, see https://www.microsoft.com/whdc/device/network/TCP_Chimney.mspx and https://msexchangeteam.com/archive/2007/07/18/446400.aspx.

You can disable TCP Chimney in one of two ways:

To disable TCP Chimney, navigate to the following registry key and set the value to 0. Note: You have to reboot the server after this registry change.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableTCPChimney"=dword:00000000

Or you can use the netsh command, which I prefer because it does not require a reboot:

Netsh int ip set chimney DISABLED

If that does not help with the situation, you could also try disabling the following offloading keys under the same registry hive to turn off the RSS features.

"EnableTCPA"=dword:00000000
"EnableRSS"=dword:00000000
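As an added example (not code from the original post), here is a read-only audit you can run in the Exchange 2007 Management Shell to check causes 1, 2 and 3 above before you touch anything: whether CN=Public Folders exists under CN=All Address Lists, whether permission inheritance is blocked on either object, and whether every LDAP recipient filter still parses on a domain controller. The use of (Get-OrganizationConfig).DistinguishedName and the CN=Address Lists Container path under the organization object are assumptions.

```powershell
# Added example, not from the original post: a read-only pre-flight audit for
# causes 1, 2 and 3 above, run from the Exchange 2007 Management Shell. It assumes
# Get-OrganizationConfig exposes the organization's DistinguishedName and that the
# shell runs as an account that can read the Configuration naming context.

function Test-LdapFilter([string]$Filter) {
    # Let a domain controller parse the filter; a malformed one throws here,
    # which is what the address list service reports as 'Invalid token.'
    try {
        $s = New-Object System.DirectoryServices.DirectorySearcher
        $s.Filter = $Filter
        $s.SizeLimit = 1
        [void]$s.FindOne()
        return $true
    } catch {
        return $false
    }
}

$orgDn  = (Get-OrganizationConfig).DistinguishedName
$allAls = "CN=All Address Lists,CN=Address Lists Container,$orgDn"
$pfAl   = "CN=Public Folders,$allAls"

# Cause 1: the Public Folders address list object must exist.
if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$pfAl")) {
    "MISSING     $pfAl"
}

# Cause 2: permission inheritance must not be blocked on either object.
foreach ($dn in @($allAls, $pfAl)) {
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        $entry = [ADSI]"LDAP://$dn"
        if ($entry.ObjectSecurity.AreAccessRulesProtected) {
            "NO-INHERIT  $dn  (re-enable 'Allow inheritable permissions')"
        }
    }
}

# Cause 3: every LDAP filter the RUS code path evaluates must parse. Email
# address policies (PurportedSearch), address lists and the GAL each carry one.
$all = @(Get-EmailAddressPolicy) + @(Get-AddressList) + @(Get-GlobalAddressList)
foreach ($o in $all) {
    $ldap = $o.LdapRecipientFilter
    if ([string]::IsNullOrEmpty($ldap)) { continue }    # nothing to evaluate
    if (Test-LdapFilter $ldap) { "OK          $($o.Name)" }
    else { "BROKEN      $($o.Name)  $ldap" }
}
```

A BROKEN line names the object whose filter a domain controller refuses to parse, which is the filter to fix in the console; the script changes nothing itself.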

Exchange 2007 uses OPATH filters instead of LDAP filters. For more information on OPATH you can see this blog: https://msexchangeteam.com/archive/2007/01/10/432143.aspx

Dave