Tom,

How is the external domain listed on the Enterprise Recipient Policy? (especially
the 'authoritative' checkbox).

SMTP domains being shared between multiple messaging environments gets pretty 
complicated, and Lotus and Exchange won't share a common LDAP instance for 
Sendmail to use.

I wonder why your config doesn't just have each messaging system set outgoing 
addresses and let Sendmail forward the traffic out as-is...

--James  


  

-----Original Message-----
From: "Tom Kern" <[EMAIL PROTECTED]>
To: "[email protected]" <[email protected]>
Sent: 11/23/06 5:19 PM
Subject: Re: [ActiveDir] mailNickName(OT)

Hey, thanks Brian.
I really appreciate that.

I know you can do that with the RUS and I'm sure they know, but they don't.

It could have something to do with sharing the external domain with
Exchange, Lotus, and funmail, but I'm not totally sure.



Thanks!!
Happy Thanksgiving, btw.

On 11/23/06, Brian Desmond <[EMAIL PROTECTED]> wrote:
> Hi Tom,
>
> Glad to hear you've moved on to bigger things. It only gets more fun as
> the numbers get larger. :)
>
> With regard to your email address question, you can update the recipient
> policy the RUS uses to automatically stamp everything with
> [EMAIL PROTECTED] You would set your recipient policy to include
> [EMAIL PROTECTED] to generate this for each object. Reference Q285136
> for more info.
>
> 8 People for 110K mailboxes seems like a lot to me, but that's just me.
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Thursday, November 23, 2006 9:11 AM
> To: [email protected]
> Subject: Re: [ActiveDir] mailNickName(OT)
>
> I ask because the reason mailNickName is in "firstname.lastname"
> format, is due to a dirsync process that runs once a day and reads
> that attribute to do an address rewrite.
> When a mailbox enabled user is created, the RUS stamps it with an
> "[EMAIL PROTECTED]".
> Later, the dirsync process adds "[EMAIL PROTECTED]", so
> when mail goes out, sendmail rewrites the RHS portion of the smtp
> addy.
> If mailNickName is sAMAccountName, it doesn't work.
>
>
> Sometimes during the provisioning process, the lan access guys forget
> to set this attribute to that value, so the exchange team was looking
> for a way to automatically generate the value in the correct format,
> kinda like displayName.
>
> I just started here about 2 months ago, so I'm not completely sure how
> the process works and I'm trying not to annoy everyone with too many
> questions.
>
> This is the first truly large corp I've ever worked for. Before I was
> the AD/Exchange guy for a 3500 user financial firm. Now I'm on an 8
> member Exchange team for a 110,000 user bank that you've all heard of
> and I guess I'm trying to wrap my head around how an org this size
> works...
> I'm actually kinda surprised no one on the exchange team knows how to
> script or is very knowledgeable about AD.
> Then again the AD team doesn't seem that knowledgeable about AD.
>
> They just migrated from EX 5.5 to EX2K3 when I started, so I guess
> they are trying to get up to speed with exchange.
>
> I only made the MS comment because a corp this large seems to have a
> lot of resources at MS and I saw that someone from MS did their EX2K3
> design doc.
> I'm not under the illusion that just because someone is from MS that
> they know what they are doing but I guess I have illusions about
> companies this size and that they would somehow get the better support
> from MS and other vendors.
>
> Thanks for your responses and help.
>
> On 11/22/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> > I think I see the reason that it hasn't been as big a problem as it
> > could be. The id is not yet everywhere. You will run into those
> > collisions. Statistically (note, I'm not a statistician, but I
> > sometimes play one on the internet) your numbers are just too large
> > not to. When you hook in MIIS, you'll start to see a lot of john
> > smith's and you'll have to map them and come up with rules to
> > automatically resolve those if possible. I dunno though, you may be an
> > organization that enjoys manual processes.
> >
> > Even for first.lastname for smtp addresses I'm reasonably sure there's
> > either a really strong nepotism policy in your organization or you've
> > got some *process* that allows for making those unique. I've worked in
> > much smaller shops that had such policies (sadly, no strong nepotism
> > rule, but that's another story altogether.)
> >
> > I second what joe says about not taking their word for anything. I'll
> > go so far as to qualify that and say that the best answer you should
> > get from a consultant or on-site resource is "it depends." What that
> > really means is that depending on the information available, your
> > current best practice as it was intended is to do x. I can't begin to
> > tell you how many things that started from the product teams as "the
> > product only does this" later ends up to be, "for the love of <insert
> > your favorite deity here> don't do this!!!" Think clustering and
> > you'll know what I'm talking about.
> >
> > Every bit of it depends. But Microsoft developers need more parameters
> > than "it depends" so they come up with scenarios. And they narrow
> > those down out of necessity. If you fit in that scenario, your stuff
> > is a tested scenario. If not, it's something they may have thought of
> > but didn't think enough customers would use and so didn't spend time
> > testing thoroughly - aka if it works, it was meant to do that. If it
> > does not, what the ^%$# were you thinking? Don't you read that (often
> > non-existent) documentation that explicitly says not to do that? Or
> > didn't you know that it wouldn't work like that? I mean, it's common
> > sense right?
> >
> > Anyhow, I always remember two things about consultants - without
> > common understanding, there can be no common sense (I ripped that off
> > in case you wonder) and everything should be explicitly written down.
> > When in doubt ask for the project notes and verify that the
> > information you're working off of is explicitly stated and see if you
> > can find out why. I can tell you if it's a Microsoft employee, you
> > should have no issue asking that person directly to see if they can
> > remember what the thinking was behind that and if that's still
> > considered a best practice in light of what you want to do. It's
> > entirely possible that the way the question was asked, the answer
> > makes perfect sense (within that context anyway). It's more probable
> > the question wasn't asked because nobody thought it was important to
> > ask at the time. Exchange folks rarely care about such things unless
> > they also happen to be deep in Directory Services - rare animal that
> > can do that and carry on a conversation with a non-geek ;)
> >
> > Out of curiosity, what made you ask in the first place?
> >
> >
> >
> > On 11/22/06, Tom Kern <[EMAIL PROTECTED]> wrote:
> > > The place I'm currently at is a large 110,000 + user bank.
> > > They use the hr employee id# for sAMAccountName and upn and in turn
> > > the dn.
> > > They use firstname.lastname for smtp and mailNickName and
> > > consequently legacyExchangeDN.
> > > Why, I have no idea.
> > >
> > > They had a lot of input from MS in setting up their forest/exchange
> > > ORG, so I'm not sure why it is this way.
> > >
> > > For some background, they use lotus as well as exchange and use a
> > > dirX ldap server for common address book and sendmail address
> > > rewrite.
> > > For the hour db, they use peoplesoft which they are going to sync up
> > > with AD with MIIS soon.
> > > I'm not sure what all this has to do with mailNickName format, but
> > > it may provide some background or potential trouble in the future.
> > > Thanks for all your input.
> > >
> > >
> > > On 11/22/06, Al Mulnick < [EMAIL PROTECTED]> wrote:
> > > > Other than being used for access by other protocols such as pop,
> > > > imap, and owa, last I checked it's also the value used for the
> > > > x.400 like address which is used for mail delivery internally by
> > > > Exchange. You wouldn't want that to be non-unique else you might
> > > > have to call somebody like joe to come in and help clean up :)
> > > >
> > > > I'm surprised that this company you're at has not gone to unique
> > > > values for this. I'm equally surprised they don't have other
> > > > issues with their Exchange deployment, but it's possible you
> > > > haven't gotten far enough into it yet to notice some of them.
> > > >
> > > > I've blogged about my thoughts regarding what should be globally
> > > > unique in an AD/Exchange environment. It's a long enough blog it
> > > > may even be a good candidate for an essay or possibly a sleep aid.
> > > >
> > > > If you want the details, have a read. The short answer is that you
> > > > want every user to be unique and to have a consistent and
> > > > trouble-free experience. That keeps you from being up late at
> > > > night with international customers first and your local in-country
> > > > customers the next day. Mailnickname is one of the attributes that
> > > > should be unique same as samaccountname and smtp address (some are
> > > > enforced per forest, some per domain but all should be enforced
> > > > regardless in my opinion). Since they can often feed on one
> > > > another, I maintain that samaccountname should be the user's
> > > > foundational, non-changing, never touched as long as that person
> > > > is a member of the company in good standing, network id. Exchange
> > > > relies on Active Directory and as such you're better following the
> > > > same rules.
> > > >
> > > >
> > > > Al
> > > >
> > > > On 11/22/06, joe <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > The mailnickname isn't populated in a similar way to display
> > > > > name. The common ways for mailnickname generation and its
> > > > > population are through the RUS, by CDOEXM, or by the special
> > > > > ADUC extension (and no ADUC doesn't use CDOEXM). This is unlike
> > > > > displayname which has ADUC as its common way to be populated.
> > > > > Certainly they could have done something like that but they
> > > > > didn't.
> > > > >
> > > > > Changing the format is ok, most companies don't do it but some
> > > > > do. But if there is going to be a change, change to something
> > > > > that is guaranteed to be unique in your organization. Display
> > > > > names are very often not unique; definitely not unique at scale
> > > > > which is why Al said, it don't scale.... Go to any larger
> > > > > company in the US and type in Smith, Jones, Brown, or Johnson in
> > > > > the GAL and you will likely see multiple Alan's, Andrew's,
> > > > > Amy's, Bob's, Carol's, Fred's, John's, Steve's, etc... If you
> > > > > are multi-national try Chang, Chen, Gupta, Singh, Lopez,
> > > > > Hernandez, Jannsen, Smit, Larsen, Berg, Schulz, or Schmidt.
> > > > >
> > > > > The attribute is used quite a bit in Exchange. Where all it is
> > > > > used I will let some Exchange person respond if they want, but
> > > > > look quickly at a mailbox enabled user and check how many times
> > > > > you see the value. Note that none of the other attributes that
> > > > > use mailNickname in their initial generation will change if you
> > > > > change mailnickname, you absolutely wouldn't want that or else
> > > > > it would break certain types of delivery for that user. I have
> > > > > seen some nasty issues in larger orgs that resulted in
> > > > > mailNicknames not being unique. The problems can be solved by
> > > > > mechanisms other than unique mailNicknames but unique
> > > > > mailNicknames is by far the easiest way to handle it. I have a
> > > > > tool that reports bad Exchange attribute settings in an Org and
> > > > > duplicate mailNickname is one of them that I flag as fairly high
> > > > > priority due to my experiences.
> > > > >
> > > > >   joe
> > > > >
> > > > >
> > > > > --
> > > > > O'Reilly Active Directory Third Edition -
> > > > > http://www.joeware.net/win/ad3e.htm
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > > > > Sent: Tuesday, November 21, 2006 10:07 PM
> > > > > To: [email protected]
> > > > > Subject: Re: [ActiveDir] mailNickName(OT)
> > > > >
> > > > > Well, the company I currently work for sets the mailNickName of
> > > > > all users to "firstname.lastname".
> > > > > I didn't know there was any issue with changing the format of
> > > > > that attribute.
> > > > >
> > > > > We have around 110,000 users mixed between Exchange and Lotus
> > > > > Domino and this is the format they have been using (why, I'm not
> > > > > sure, I just started here).
> > > > >
> > > > > I thought there could be a way to change the default format of
> > > > > the mailNickName attribute the same way you could change the
> > > > > format of the displayname.
> > > > >
> > > > > What issues can arise by changing the mailNickname format?
> > > > >
> > > > > I mean, what is this attribute used for exactly?
> > > > > I thought this was only used for POP3 and IMAP and maybe OWA and
> > > > > ADC.
> > > > > And I didn't think changing it could affect anything.
> > > > > Can you guys educate me, please?
> > > > >
> > > > > Thanks
> > > > >
> > > > > On 11/21/06, joe < [EMAIL PROTECTED]> wrote:
> > > > > > Not that I am aware of.
> > > > > >
> > > > > > I am with Al on this, keep it as the sAMAccountName. This
> > > > > > value, while it isn't enforced to be unique, really should be.
> > > > > > Using sAMAccountName helps with that though it still allows
> > > > > > duplicates in different domains.
> > > > > >
> > > > > >  joe
> > > > > >
> > > > > > --
> > > > > > O'Reilly Active Directory Third Edition -
> > > > > > http://www.joeware.net/win/ad3e.htm
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: [EMAIL PROTECTED]
> > > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > > > > > Sent: Tuesday, November 21, 2006 5:19 AM
> > > > > > To: activedirectory
> > > > > > Subject: [ActiveDir] mailNickName(OT)
> > > > > >
> > > > > > Is there any way to change the format of the mailNickName
> > > > > > attribute to be something other than sAMAccountName
> > > > > > automatically?
> > > > > > Is there something like a "display specifiers" change that
> > > > > > could change the format during the automatic generation of it
> > > > > > to be "firstname.lastname" or can this only be scripted?
> > > > > >
> > > > > > Thanks
> > > > > > List info   : http://www.activedir.org/List.aspx
> > > > > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > > > > List archive:
> > http://www.mail-archive.com/[email protected]/
> > > > > >
> > > > >
> > > >
> > > >
> > >
> >
> >
>
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
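
An audit for the two conditions discussed in this thread, added here as an example and not code from any poster (it is not joe's reporting tool): mailNickname values duplicated across domains, and mailbox users whose mailNickname was left equal to sAMAccountName, which the thread says breaks the Sendmail rewrite in Tom's environment. The sample records, the `Domain` label and the function name `Get-MailNicknameFinding` are constructed for illustration.

```powershell
# Constructed sample records (not from the thread). In a live forest they would
# come from a directory query such as:
#   Get-ADUser -LDAPFilter '(mailNickname=*)' -Properties mailNickname,givenName,sn
$users = @(
    [pscustomobject]@{ Domain='NA';   sAMAccountName='100234'; mailNickname='John.Smith' }
    [pscustomobject]@{ Domain='EMEA'; sAMAccountName='207781'; mailNickname='john.smith' }
    [pscustomobject]@{ Domain='NA';   sAMAccountName='100977'; mailNickname='100977' }
    [pscustomobject]@{ Domain='NA';   sAMAccountName='101310'; mailNickname='carol.lopez' }
)

function Get-MailNicknameFinding {
    param([Parameter(Mandatory)][object[]]$User)

    # Duplicates: the directory does not enforce uniqueness of mailNickname,
    # so compare case-insensitively across every domain in the input.
    $User | Group-Object { $_.mailNickname.ToLowerInvariant() } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                Finding      = 'DuplicateMailNickname'
                MailNickname = $_.Name
                Accounts     = ($_.Group | ForEach-Object {
                                   "$($_.Domain)\$($_.sAMAccountName)" }) -join ', '
            }
        }

    # Provisioning miss: nickname left at the sAMAccountName default instead of
    # the firstname.lastname value the daily dirsync rewrite reads.
    foreach ($u in $User) {
        if ($u.mailNickname -eq $u.sAMAccountName) {   # -eq ignores case
            [pscustomobject]@{
                Finding      = 'NicknameIsSamAccountName'
                MailNickname = $u.mailNickname
                Accounts     = "$($u.Domain)\$($u.sAMAccountName)"
            }
        }
    }
}

Get-MailNicknameFinding -User $users | Format-Table -AutoSize
```

With the sample data this reports one duplicate (`john.smith`, held by `NA\100234` and `EMEA\207781`) and one account, `NA\100977`, whose nickname was never set to the name format.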