Exchange Server 2007 and Universal Groups

Recently, the question was asked on one of the mailing lists I frequent: why does Exchange Server 2007 make me create all my new distribution groups as universal groups?

The answer is just a little bit convoluted. And it really only applies to so-called "enterprise" customers - those with more than one or two domains in their Active Directory forest - even though it can affect even SBS (Small Business Server) customers.

In earlier releases of Exchange Server (Exchange 2000 and Exchange 2003), distribution groups could have any of the valid group scopes (domain local, global, universal).

If you want a full explanation of what those scopes mean, see KB 231273.

However, the big thing to know is that domain local groups can only have their membership evaluated by the domain controllers in the domain where they are created (or by a global catalog server for that domain). So if you create a distribution group with domain local scope, or you have a mail-enabled security group with domain local scope, you've got a problem.

Still don't see why? I told you it was convoluted.

Well, that group is going to be in the global address list. This means that e-mail can be sent to that group from anywhere in the enterprise. Let's say that the group is created in Domain-A and consists of users who have their mailboxes in that domain and are hosted on an Exchange server in Domain-A.

Now, a user in Domain-B picks the address for that group out of the global address list and sends it off to her local Exchange server, which is also in Domain-B.

Her local Exchange server cannot expand the group! And therefore Exchange will return the message to her with a non-delivery report.

That is definitely not expected behavior.

How do you get around it? Well, you can put a global catalog server for Domain-A in the Active Directory site where the Exchange server for Domain-B sits. That can get expensive, both in terms of hardware and in other resources. You can put your Exchange servers in a separate resource forest and run something like MIIS/IIFP to keep all your domains and forests in sync in terms of users and passwords and the like (which can also be expensive in terms of various resources).

Or - you can make the group a universal group. Sounds much simpler, doesn't it?

What are the downsides?

Well, you can't have a universal group until you are in at least Windows 2000 native mode (note: this is not the Exchange mode I am talking about, this is the Active Directory mode). Some large customers can't make that change. Believe it or not, there are still thousands of NT 4.0 servers in corporate networks all over the world.

Also, if you can't go to at least Windows 2003 interim domain functional level, then you can't use an Active Directory feature called LVR - Linked Value Replication with your Active Directory universal groups. Without LVR, when you replicate a group's membership, you replicate the ENTIRE MEMBERSHIP every time. So if a group has hundreds or thousands of members, this can seriously increase your replication traffic - since universal groups have their entire membership replicated to ALL global catalogs in the enterprise.

And finally, you can't go to Windows 2003 interim, or Windows 2003 native, as long as you have Windows 2000 domain controllers in your forest.

Whew.

If you want more information about domain and forest functional levels in Windows Server, what they affect and why you may or may not be able to change them, see KB 322692. However, if those changes impact you, you probably already know about them.

So, to fix the original problem (where Exchange could sometimes not expand a group to send e-mail to it), the Exchange developers had a couple of choices. They were:

1]  Make a big change to how Exchange expands groups and attempt to contact source-domain global catalogs (which may not be available!) to do that expansion, including all the overhead and delay introduced by that.

or

2]  Make mail-enabled groups be universal groups.

Well, the answer seems obvious to me. And apparently was obvious to the Exchange developers!

So, to get Exchange groups acting the way you expect, you need to be at Windows Server 2003 Domain Functional Level (DFL) and Forest Functional Level (FFL) and have all your mail-enabled groups be universal groups.

If you are a small company this is probably easy to do. If you are a large company, I encourage you to examine using PowerShell to automate the process.
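As an added example (not from the original post), here is one way to automate that process: report every mail-enabled group whose Active Directory scope is still Global or Domain Local, and convert it to Universal only when -Convert is passed. It assumes the Exchange 2007 Management Shell is loaded (for Get-DistributionGroup), that the account can write the groupType attribute, and it refuses to run in a Windows 2000 mixed-mode domain, where universal groups cannot exist.

```powershell
# Added example, not from the original post or from Microsoft.
# Finds mail-enabled groups that are not Universal and (with -Convert) changes
# their scope, preserving whether each group is a security group.
param([switch]$Convert)   # without -Convert the script only reports

# groupType bit values from the Active Directory schema
$GROUP_UNIVERSAL = 0x00000008
$GROUP_SECURITY  = 0x80000000   # sign bit: security-enabled; parsed as a signed [int]

# Universal groups require at least Windows 2000 native mode.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
if ($domain.DomainMode -eq 'Windows2000MixedDomain') {
    throw "Domain $($domain.Name) is in Windows 2000 mixed mode; raise the domain functional level first."
}

$candidates = Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.GroupType -notmatch 'Universal' }

foreach ($g in $candidates) {
    $entry = [ADSI]("LDAP://" + $g.DistinguishedName)
    $type  = [int]$entry.groupType.Value
    $scope = if ($type -band 0x2) { 'Global' } elseif ($type -band 0x4) { 'DomainLocal' } else { 'Other' }

    # AD rejects Global -> Universal when the group is nested in another Global group,
    # and DomainLocal -> Universal when the group contains another Domain Local group.
    $blocker = $null
    if ($scope -eq 'Global') {
        $blocker = @($entry.memberOf) | Where-Object { ([int]([ADSI]"LDAP://$_").groupType.Value) -band 0x2 }
    } elseif ($scope -eq 'DomainLocal') {
        $blocker = @($entry.member)   | Where-Object { ([int]([ADSI]"LDAP://$_").groupType.Value) -band 0x4 }
    }
    if ($blocker) {
        Write-Warning "$($g.Name) ($scope): blocked by nested group(s): $($blocker -join '; ')"
        continue
    }

    if (-not $Convert) { Write-Output "$($g.Name): $scope -> Universal (dry run)"; continue }

    $newType = if ($type -band $GROUP_SECURITY) { $GROUP_SECURITY -bor $GROUP_UNIVERSAL } else { $GROUP_UNIVERSAL }
    try {
        $entry.Put('groupType', $newType)
        $entry.SetInfo()
        Write-Output "$($g.Name): converted $scope -> Universal"
    } catch {
        Write-Warning "$($g.Name): conversion failed: $($_.Exception.Message)"
    }
}
```

Run it once without -Convert to review the report and the blocked nestings, then rerun with -Convert after the Windows Server 2003 functional levels from the text are in place so LVR keeps the replication cost of the larger universal groups manageable.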

Until next time...

Thanks for reading! I hope you found this interesting. If you have topics that you would like to see me cover, send me an e-mail or leave a message in the forums.

Published Thursday, February 28, 2008 3:50 PM by michael

Comments

Friday, March 07, 2008 1:22 PM by subject: exchange

# Weekend reading

Microsoft Helps Connect Apple iPhone Users to Microsoft’s Exchange Server Optimize Entourage to better

Wednesday, July 09, 2008 7:44 AM by gustavof

# re: Exchange Server 2007 and Universal Groups

I think Exchange documentation is not clear about using Windows 2003 interim mode. Could you confirm if having one forest with one domain -both set to interim mode- I could upgrade from Exchange 2003 to 2007?

Thanks.

Thursday, February 26, 2009 12:58 PM by JBarsodi

# re: Exchange Server 2007 and Universal Groups

Excellent info as always Michael, this helped me solve a problem we started noticing after we began our 2007 transition.