Debugging Distribution Lists
Why it is folly to run more than one Active Directory domain in a forest.
by Ben Schorr and Jim McBee
October 4, 2004
For about a year, users have been reporting to our help desk that they send messages to distribution lists and sometimes the messages never arrive. I thought it was their imagination but it just happened to me. We are running Exchange 2000. Can you guys explain this?
Kelly, Salt Lake City
Jim: Without knowing a lot more about your environment, I'm guessing that you have more than one Active Directory domain in your forest. When you create mail-enabled global or Domain Local groups, the membership attribute is only replicated to the domain controllers within the domain in which you create the group. However, Exchange 2000 and 2003 servers consult a global catalog server to enumerate mail-enabled group membership. The global catalog server could be a domain controller in any domain in the forest.
Ben: A quick-and-dirty solution for you is not available, but you do have some options. The first would be to convert all of your mail-enabled global groups to mail-enabled universal groups. The membership of universal groups is replicated to all global catalog servers. This can, however, have an adverse effect on Active Directory replication in a larger Active Directory because the membership lists on e-mail-based distribution groups are often very dynamic. However, in Windows 2003 Active Directory that is in Windows 2000 forest functional level, this is not as much of an issue due to improvements in replication.
Jim: Another option is to configure all of your mail-enabled global and Domain Local groups so that only a specific Exchange server is designated the expansion server. This is done on a group-by-group basis on the Exchange advanced property page (see Figure 1). You will need to make sure that your designated expansion server only uses global catalog servers from the domain that contains the groups it will be expanding. In a large environment that makes heavy use of mail-enabled groups, this can place quite a load on the expansion server. And, if you ever remove that server from production, you need to reassign all of the groups to a new expansion server.
Ben: In a situation where the other domain is an "empty root," it might be best to manually configure all of your servers to use only global catalog servers from their own domain. While this is a bit of a hassle up front, it will save you a lot of administration time in the long run. This is configured on the Directory Access property page of each server. Unless you have a specific reason to, configure only the Global Catalog server manually; this will allow the Exchange server to still dynamically find domain controllers and a configuration DC if necessary.
Jim: Of course, if you have multiple domains in your environment that each have mail-enabled users and groups, then you are back to either switching to all universal groups or manually designated expansion servers. Consider also the possibility of creating universal groups in which global groups in each domain are nested. Then specify the global groups to use specific expansion servers.
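The following audit script is an added example, not part of the column or any Microsoft tool. It walks every domain in the forest, finds the mail-enabled groups whose scope is not Universal (the ones whose membership stays in their home domain), and for each one compares the member count seen on a domain controller of the home domain with the count seen through a global catalog in another domain (port 3268). Groups that differ and have no expansion server assigned are flagged as at risk of silent non-delivery. It assumes the ActiveDirectory PowerShell module (RSAT), read access to groups in all domains, an Exchange-extended schema, and that the expansion server is recorded in the msExchExpansionServerName attribute; the server name gc1.root.example.com in the usage line is a placeholder.

```powershell
# Added audit script (not from the column). Assumptions: ActiveDirectory module
# available, rights to read groups in every domain, Exchange schema present,
# and msExchExpansionServerName holds the designated expansion server.
Import-Module ActiveDirectory

function Get-AtRiskMailGroups {
    param(
        # FQDN of a global catalog that lives in a domain OTHER than the one
        # holding the groups you care about, e.g. the empty-root domain's GC.
        [Parameter(Mandatory = $true)]
        [string]$ForeignGlobalCatalog
    )

    $results = @()
    foreach ($domain in (Get-ADForest).Domains) {
        # Mail-enabled groups that are Global or Domain Local: their member
        # attribute is replicated only within this domain, as the column explains.
        $groups = Get-ADGroup -Server $domain `
            -Filter { mail -like "*" -and GroupScope -ne "Universal" } `
            -Properties mail, member, msExchExpansionServerName

        foreach ($g in $groups) {
            # Membership as a DC in the group's own domain sees it.
            $homeCount = @($g.member).Count

            # The same object read through a GC in another domain (port 3268).
            # For non-universal groups this view is expected to carry no members.
            $gcCount = 0
            try {
                $viaGc = Get-ADGroup -Identity $g.DistinguishedName `
                    -Server ("{0}:3268" -f $ForeignGlobalCatalog) -Properties member
                $gcCount = @($viaGc.member).Count
            } catch {
                # Object not present on the foreign GC is treated as zero members.
                $gcCount = 0
            }

            $expansion = $g.msExchExpansionServerName
            $results += [pscustomobject]@{
                Domain             = $domain
                Group              = $g.Name
                Mail               = $g.mail
                Scope              = $g.GroupScope
                MembersInHomeDomain = $homeCount
                MembersViaForeignGC = $gcCount
                ExpansionServer    = $expansion
                # At risk: membership differs across the two views and no
                # expansion server pins expansion to the home domain.
                AtRisk             = (($homeCount -ne $gcCount) -and [string]::IsNullOrEmpty($expansion))
            }
        }
    }
    return $results
}

# Usage (placeholder GC name): list the groups that need a universal-scope
# conversion or an explicit expansion server.
Get-AtRiskMailGroups -ForeignGlobalCatalog "gc1.root.example.com" |
    Where-Object { $_.AtRisk } |
    Format-Table Domain, Group, Scope, MembersInHomeDomain, MembersViaForeignGC, ExpansionServer -AutoSize
```

The two counts give you direct evidence of the behavior the column describes: a Global group with twenty members on its home DC and zero through the foreign GC is exactly the group whose messages vanish when an Exchange server happens to expand it against that GC. Groups that come back with a non-empty ExpansionServer are already pinned; the rest are your conversion or expansion-server to-do list.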