Skip to main content

Upgrading Dynamic Distribution Groups

Dynamic distribution groups These are distribution groups for which membership is based on specific recipient filters rather than a defined set of recipients. Dynamic distribution groups were called query-based distribution groups in Exchange 2003.

Source: Microsoft Exchange TechNet library

If you created query-based Distribution Group in Exchange 2003 it was filtered by using LDAP query language. Exchange 2007 is using OPATH as query language which is simpler to use than LDAP. During transition from Exchange 2003 to Exchange 2007, now called dynamic distribution groups, are not automatically converted to OPATH query-language. Query-based distribution groups work but if you want to see members from Exchange Management Shell or do something else with the group within Exchange 2007, you simply can't or the use is limited.

So, you need to convert LDAP query language to OPATH. When creating new Dynamic Distribution Group in Exchange 2007, there are some conditions (filters) you can choose from. But as you will see there are only few.


For example, if you have a query based distribution group that uses City as a filter point, then, if you check your conditions options, you will see that City is not included in the GUI. You can still use Exchange Management Shell though. To query users for dynamic distribution group that have City attribute assigned, you need to enter the opath query through Exchange Management Shell.

To change existing Dynamic Distribution Group which uses LDAP filter to use OPATH filter you use:

Set-DynamicDistributionGroup -Identity "GROUPNAME" -RecipientFilter {(Alias -ne $null -and City -like 'Ljubljana') -and -not(Name -like 'SystemMailbox{*') -and -not(Name -like 'CAS_{*')}

In this case all the users that have Ljubljana as the City attribute will be members of this Dynamic Distribution Group.

Lists of Active Directory group attributes can be found on Microsoft's web site for different operating systems but I suggest that you try the name as it is written in AD properties. For example, City in LDAP is l (L in small letters) but in OPATH you just write City (see example).

Comments

  1. Were are running Exchange 2007...We have created two new Dynamic Distribution groups, but they are only visible and functional for DOmain Admins. When the staff opens their Address book > All Groups, there appears blank lines where the groups should be displayed. It's like they are there but not accessible. Is there something in AD (running WIndows Server 2003) that we need to change?

    ReplyDelete
  2. Out of the head, I would think of something like Inherited permissions problem. It looks like default settings are somehow changed. Unchecked permission inheritance on user object can sometimes have unusual consequences.

    ReplyDelete
  3. Thank you, this was a great help.

    ReplyDelete

Post a Comment

Popular posts from this blog

Netscaler vs Exchange 2019 "time out during ssl handshake stage

If you are using Citrix Netscaler as load balancer in front of Exchange 2019 server you must know this: Microsoft Exchange 2019 is secured by default and allows only TLS 1.2. Therefore default schannel settings are as follows (using IISCrypto tool from Nartac Software): While Citrix Netscaler offers following Cipher Suites: TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 TLS_DH_anon_WITH_DES_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_256_CBC_SHA TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA Now, you will fi

Reason: [{LED=250 2.1.5 RESOLVER.GRP.Expanded; distribution list expanded};{MSG=};{FQDN=};{IP=};{LRT=}]

 If you got this error checking the mail flow for a distribution group, it means the distribution group is closed and only internal senders can send e-mail to this group. When outside user sends e-mail to this group you get  Reason: [{LED=250 2.1.5 RESOLVER.GRP.Expanded; distribution list expanded};{MSG=};{FQDN=};{IP=};{LRT=}] Set Delivery for this group to internal and external users and your problem will be solved. 

Ports that need to be open on Firewall for Edge Transport servers

Ports that need to be open on firewall for Edge Server subscription with Hub Server to function properly: For Inbound traffic: SMTP - TCP port 25 (from Internet) SMTP - TCP port 25 (from Edge server to Hub server on internal network) For Outbound traffic: SMTP - TCP/UDP port 25 (from Edge to Internet) SMTP - TCP/UDP port 25 (from Hub to Edge server) LDAP for EdgeSync - TCP port 50389 (from Hub to Edge server) Secure LDAP for EdgeSync - TCP port 50636 (from Hub to Edge server) Since Edge server needs to communicate with Hub server it is important that it can resolve Hub transport servers by FQDN and Hub transport servers must be able to resolve Edge servers by its FQDNs. To accomplish this you need to either open 53 (DNS) port and configure internal network adapter to use internal DNS but as a security precaution I would suggest to enter DNS records for Edge servers on local DNS manually and to fill hosts file on Edge servers with FQDNs for Hub transport servers.