Gal Segregation question
Hi all!

I read the whitepaper about GAL segregation (http://technet.microsoft.com/en-us/library/bb936719.aspx). GAL segregation is actually deployed in a production environment and works fine.

Now I should add a customer, following the Resource Forest model. So I set up a trust from the Exchange resource forest to the new user forest; then I created a new OU, address list (AL), distribution group etc. in the Exchange resource forest.

Unfortunately this configuration does not work correctly. When, from the user forest, I try to create a new Outlook profile, I get the "The action cannot be completed. The name cannot be matched to a name in the address list." error message.

To check if the solution can work, I installed a new Exchange organization in a resource forest model, set up GAL segregation and created a linked mailbox. In this quite new environment, the solution worked fine. So I was happy about the chance to replicate that configuration in a production environment. Unfortunately, I could not succeed in getting it working in the production environment. I double-checked the permissions, and could not find differences.

The odd thing is that, if I try to expand the external customers' AL by LDP, I can expand the AL and the GAL using both the account from the user forest and that from the Exchange resource forest. If I use a local user in the Exchange resource forest of that new customer, I can successfully create a new Outlook profile and when I log in, all is fine. Also if I uncheck the deny on the Default GAL, all is fine from the external forest too. The users have the right AL in the showInAddressBook attribute.

So, I don't think there is a permission problem, but something odd, due to the external forest. Of course, the account from the external user forest does not have a showInAddressBook attribute, and I'm starting to think it might be the problem. But why does it work fine in the quite new environment built from scratch?

Any hint appreciated.

Pacho
June 3rd, 2009 5:52pm

Hi Pacho,

Firstly, please check whether I understand the current situation correctly. You have created an Exchange Resource Forest topology and configured GAL segregation on the Exchange resource forest. Nevertheless, the error "The name cannot be matched to a name in the address list" is encountered when attempting to configure an Outlook profile by using the user alias in the user forest. You can configure the Outlook profile successfully by using the user alias in the Exchange resource forest. If I am off base, please let me know.

If I understand your problem correctly, I think that it is normal behavior. I would like to explain that a linked mailbox actually creates a disabled mailbox-enabled user object in the Exchange resource forest. Then, it grants the user in the user forest Full Access permission and Send As permission to let the user in the user forest access the mailbox and send as the email address. Nevertheless, the GAL only includes the disabled mailbox-enabled user object. Therefore, when checking the name to create the Outlook profile, we need to type the alias of the disabled mailbox-enabled user object. Otherwise, the user will not be found in the GAL. When logging on to Outlook, we can provide the user credentials of the user forest, as that user has Full Access permission to the mailbox.

Mike
June 8th, 2009 8:48am

Hi Pacho,

Any updates regarding the issue?

Mike
June 12th, 2009 9:30am

Hi Mike!

Sorry for the delay, I've spent some days on holiday. I'm back now, unfortunately... Of course, when I try to create the profile I type the mailbox alias, and I use the external account to log on. The logon succeeds, but for some odd reason it looks like the mailbox alias cannot find itself in the GAL. Please consider that I set up a staging forest from scratch (dcpromo of a new forest, user and resource forest), and everything works fine.

Thanks for the support.

Pacho
June 12th, 2009 9:53am

Hi Pacho,

Thanks for your response. I understand that you have installed a new resource forest and user forest, and the user in the user forest is able to create an Outlook profile for the mailbox on the resource forest and log on to the mailbox fine. At this time, I would like to list some possible causes of the error "The action cannot be completed. The name cannot be matched to a name in the address list":

1. Please check the showInAddressBook attribute of the mailbox user. Please ensure the Global Address List is listed in the attribute.
2. Please check the permissions of the Global Address List. By default, the Authenticated Users group has GenericRead and Open-Address-Book permission. Or, you can configure a specific user to have permissions in order to read the Global Address List.
3. On the mailbox user object, by default, the Authenticated Users group has some Read permissions. If the permissions are denied, you may encounter the error.

Mike
June 15th, 2009 6:58am

1. The showInAddressBook attribute is correctly populated.
2. The Default GAL has GenericRead and Open-Address-Book permission denied, as per the whitepaper I mentioned before.
3. The mailbox user object has the correct permissions for the Authenticated Users group.

Thanks for the support.

Pacho
June 16th, 2009 1:11pm

Hi Pacho,

Thanks for your post. Regarding point 2, I would like to explain that the mailbox-enabled user must belong to one Global Address List. Otherwise, we will encounter a problem when attempting to create the Outlook profile. In addition, the Global Address List should be accessible by using the credentials which you provide when configuring the Outlook profile. Otherwise, you will encounter a problem when creating the Outlook profile. As access to the Default Global Address List has been denied, the linked mailbox user (the disabled user in the resource forest) should belong to another Global Address List, and that Global Address List must be accessible by using the credentials of the user in the user forest.

In addition, I would like to summarize your issue to check whether I understand your current situation correctly:

1. You have Resource Forest A and User Forest B configured. How to Deploy Exchange 2007 in an Exchange Resource Forest Topology: http://technet.microsoft.com/en-us/library/aa998031.aspx
2. In addition, on the resource forest, you have GAL segregation configured according to the following article: White Paper: Configuring Virtual Organizations and Address List Segregation in Exchange 2007: http://technet.microsoft.com/en-us/library/bb936719.aspx
3. You have created a linked mailbox (MailboxA) on Resource Forest A connected to UserB in User Forest B.
4. When attempting to create a profile for MailboxA by using the credentials of UserB, an error is encountered: "The action cannot be completed. The name cannot be matched to a name in the address list".

Please let me know whether I understand the current situation correctly.

Thanks,
Mike
June 19th, 2009 6:37pm

Mike, you understand the situation correctly.

The linked mailbox has 3 values in the showInAddressBook attribute:
- the Default GAL
- a new GAL, say "Customer1 GAL"
- a new AL, say "Customer1 AL"

Even if I delete the Default GAL from showInAddressBook, the result is the same. If I try to open the Customer1 GAL (with the credentials of the user from the user forest), I succeed. The odd thing is that I can even open and browse the Default GAL, which I shouldn't, as I DENIED read + open address list to Authenticated Users.
June 22nd, 2009 3:01pm

Hi Pacho,

Thanks for your response. Yesterday, I created a lab to test your configuration locally. After some tests, I would like to share some information which I found:

1. I created a ResourceLab forest (with Exchange 2007) and a UserLab forest with a two-way trust.
2. I configured ResourceLab to deny Authenticated Users from opening the "Default GAL".
3. I created a linked mailbox (Linkuser).
4. I created a GAL (Linked GAL) on ResourceLab for the linked mailbox (Linkuser). The Linked GAL does not include any other users.
5. I am able to configure the Outlook profile with no problem by using the user credentials of the UserLab forest.
6. I created another GAL (Other GAL) on ResourceLab for other users in the ResourceLab forest to simulate another company. The Other GAL does not include Linkuser.
7. After creating the Other GAL, when attempting to create the Outlook profile again, I encounter the error "The name cannot be matched to a name in the address list" after providing the user credentials of the UserLab forest.
8. I suspect it is because we query the Other GAL instead of the Linked GAL which includes Linkuser. Therefore, I used the following command to deny userlab\linkuser from opening the Other GAL to test the issue:

Get-GlobalAddressList "Other GAL" | Add-ADPermission -User "userlab\linkuser" -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$true

9. Then, I am able to create the Outlook profile with no problem by using the "userlab\linkuser" credentials.

Therefore, please check whether the production environment has other Global Address Lists configured. If other Global Address Lists are configured, please deny the user in the user forest from opening the other Global Address Lists to test the issue. Please let me know the result.

Thanks,
Mike
June 24th, 2009 6:30pm

Mike, your test was very helpful to me. I tried to do what you said; unfortunately it still does not work. But at this point I think I need to restore my configuration to double-check your solution. I will let you know in a few days.

Thanks so much!

Pacho
June 26th, 2009 1:05pm

Mike, you rock!!

Your answer did not work for me in my production environment, but it made me think differently about permissions. I was thinking about positive permissions, when I had to think about negative permissions. I read again KB312287 about Outlook and the GAL and it was then obvious what I should have been working on. After double-checking the production environment and the working test environment, I found that the AllCustomers group did not have DENY READ permissions on the "All Global Address Lists" container. This permission fixed the problem in the test environment (restored from production).

I wish to thank you so much for your kindness and professionalism. I will then let you know if the issue is solved in the production environment too.
June 29th, 2009 10:43am

Hi Pacho,

Thanks for your response. I am glad to know that you are able to fix the issue in your lab. I think the issue occurs because the user in the user forest does not belong to any GAL in the Exchange resource forest. When you check the name by using this user's credentials (the user in the user forest), the largest Global Address List is checked, according to KB312287. If the linked mailbox in the Exchange resource forest does not belong to the largest Global Address List, the error will be received.

Please let me know whether the issue can be solved in the production environment.

Mike
July 1st, 2009 8:56am
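The permission layout the two previous posts converge on (deny on the Default GAL, deny on the "All Global Address Lists" container, an explicit allow on the customer's own GAL, and a check of the linked mailbox's address list membership), written out as an added Exchange 2007 Management Shell example. This is not code from the thread or from the whitepaper; the group name RESOURCE\AllCustomers, the GAL name "Customer1 GAL" and the alias customer1user are assumptions, and the group is assumed to be a domain local group in the resource forest that contains the customer's user-forest accounts, since the deny has to bind to the principal that actually authenticates across the trust.

```powershell
# Added example, not from the thread. Assumes the Exchange 2007 Management
# Shell in the resource forest. The three names below are assumptions;
# change them to match your organization.
$customerGroup = "RESOURCE\AllCustomers"   # domain local group holding the customer's user-forest accounts
$customerGal   = "Customer1 GAL"
$mailboxAlias  = "customer1user"           # alias of the linked mailbox

# 1. Deny the customer group read/open on the Default GAL (the whitepaper step).
Get-GlobalAddressList "Default Global Address List" |
    Add-ADPermission -User $customerGroup -AccessRights GenericRead `
        -ExtendedRights Open-Address-Book -Deny

# 2. Deny the same group on the "All Global Address Lists" container. Its DN is
#    derived from the Default GAL's DN by stripping the leading RDN.
#    A user-forest account has no showInAddressBook of its own, so Outlook falls
#    back to the largest GAL it is allowed to open (KB312287); if that is another
#    customer's GAL, the linked mailbox is not in it and the name check fails.
$defaultGal  = Get-GlobalAddressList "Default Global Address List"
$containerDn = $defaultGal.DistinguishedName -replace '^CN=[^,]+,', ''
Add-ADPermission -Identity $containerDn -User $customerGroup `
    -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny

# 3. Re-allow the group on its own GAL. Under AD ACL ordering an explicit Allow
#    on the object takes precedence over the Deny inherited from the container.
Get-GlobalAddressList $customerGal |
    Add-ADPermission -User $customerGroup -AccessRights GenericRead `
        -ExtendedRights Open-Address-Book

# 4. Verify. The linked mailbox must be a member of its customer GAL ...
Get-Mailbox $mailboxAlias | Select-Object Name, AddressListMembership

# ... and the group must carry a Deny on every GAL except that one.
Get-GlobalAddressList | ForEach-Object {
    $gal = $_
    Get-ADPermission -Identity $gal.DistinguishedName -User $customerGroup |
        Select-Object @{n = "GAL"; e = { $gal.Name }}, Deny, Inherited,
                      AccessRights, ExtendedRights
}
```

When reading the verification output, the customer's own GAL should show an explicit (non-inherited) Allow and an inherited Deny; every other GAL should show only the Deny. Test the result with Outlook from the user forest, since that is the account whose token the ACL is evaluated against, not the disabled mailbox user in the resource forest.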

Mike, sorry for the delay. We implemented the solution in the production environment and it worked. Many thanks for the decisive hint.

Pacho
July 17th, 2009 5:15pm

Hi Pacho,

You are welcome.

Mike
July 17th, 2009 5:18pm
