How to Fix Legacy GAL Segmentation Issues in Exchange 2010

I’m working for a customer who is migrating from Exchange 2003 to Exchange 2010.  The customer used “old school” GAL segmentation to create different address lists and Default Global Address Lists (GALs) for some users.  Prior to Exchange 2010 SP2, this was done by configuring ACL permissions on Address Lists using ADSI Edit.  Not only was this fairly complex, it was also not officially supported by Microsoft.  There was still a genuine business need for GAL segmentation and a number of companies did it anyway.
Exchange 2010 SP2 introduces GAL segmentation using Address Book Policies (Thanks, Greg Taylor!).  This is the only form of GAL segmentation that is supported by Microsoft.  The trouble is that only Exchange 2010 mailboxes can benefit from it.  If you're migrating from a previous version to 2010, the legacy mailbox users won't see it.  In the case of my customer, that means ripping out all the legacy ACLs first and configuring Address Book Policies later.

I ran into some strange issues when I reset the ACL permissions, so I want to explain what I did and how I did it to overcome these issues.
The organization had a very elaborate set of permissions on their address lists.  They had 8 separate All Users address lists and 5 separate Default Global Address Lists.  With many child domains, it made it difficult to determine which permissions were applied and which were inherited at all the different levels.  I decided to use ADSI Edit to delete all the address lists and GALs and recreate them on the Exchange 2003 side.  Here’s how I did this:
  • Open ADSI Edit and navigate to CN=All Address Lists,CN=Address Lists Container,CN=[OrgName],CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=[domain],DC=[com]
  • Delete all the address lists in this container (All Contacts, All Groups, All Users, etc.) except All Rooms.  All Rooms is an Exchange 2010 address list and does not need to be recreated.
  • Navigate to CN=All Global Address Lists,CN=Address Lists Container,CN=[OrgName],CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=[domain],DC=[com]
  • Delete all the Global Address Lists, including the Default Global Address List.

Now recreate the address lists and Default Global Address List in Exchange 2003.  I did it this way to ensure that current 2003 mailboxes can use the new lists.
Once the address lists have been created and replicated throughout the domain, you can upgrade them to Exchange 2010 versions using OPath and you should be good to go.
However, if your organization used ACLs for Exchange 2003 GAL segmentation, there's a very good chance that OWA was segmented as well.  OWA GAL segmentation is done in an entirely different way, and if you don't undo those changes, Exchange 2010 users will not see the Default Global Address List or the All * lists in Outlook.

OWA GAL segmentation is done by configuring the msExchQueryBaseDN attribute on the user object in AD.  Normally this attribute is empty (Null).  For GAL segmentation in OWA, msExchQueryBaseDN is set to the distinguishedName of the OU to which you want the GAL scoped.

Simply clear the msExchQueryBaseDN value for the user, wait for it to replicate, and the address lists will show up for online (non-cached mode) users.  The user doesn't even need to close Outlook.

Cached mode users will need to download the new OAB to see the address lists.  This will happen automatically within 24 hours, or the user can download the OAB manually in Outlook.  You’ll need to either let the OAB update automatically at 4am or update it manually with the Update-GlobalAddressList cmdlet first.
Here's an EMS one-liner that will clear msExchQueryBaseDN for all users in the organization:

# -ResultSize Unlimited is required; without it Get-Mailbox returns only the first 1000 mailboxes
Get-Mailbox -ResultSize Unlimited | ForEach-Object { $dn = "LDAP://" + $_.DistinguishedName; $obj = [ADSI]$dn; $obj.msExchQueryBaseDN.Clear(); $obj.SetInfo() }
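Before wiping the attribute across the whole organization, it's worth knowing which users were scoped and to which OU. The script below is an added example (not from the original post): it reports every mailbox with msExchQueryBaseDN populated, saves the old values to a CSV, and clears the attribute only when -Clear is passed. The report path is an assumed default.

```powershell
# Added example, not from the original post. Reports every mailbox whose
# msExchQueryBaseDN is populated (and the OU it is scoped to), saves the
# old values, and clears the attribute only when -Clear is specified.
# Run from the Exchange Management Shell. The $ReportPath default is an assumed location.
param(
    [string]$ReportPath = "C:\Temp\QueryBaseDN-Report.csv",   # assumed path
    [switch]$Clear                                            # omit to report only
)

# -ResultSize Unlimited: Get-Mailbox otherwise stops at 1000 mailboxes
$scoped = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $obj   = [ADSI]("LDAP://" + $_.DistinguishedName)
    $value = $obj.msExchQueryBaseDN.Value
    if ($value) {
        # New-Object rather than [PSCustomObject] so this runs in PowerShell 2.0 (Exchange 2010 EMS)
        New-Object PSObject -Property @{
            Alias             = $_.Alias
            ExchangeVersion   = [string]$_.ExchangeVersion
            QueryBaseDN       = [string]$value
            DistinguishedName = $_.DistinguishedName
        }
    }
}

if (-not $scoped) {
    Write-Host "No mailboxes have msExchQueryBaseDN set; nothing to do."
    return
}

# How many users are scoped to each OU
$scoped | Group-Object QueryBaseDN | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Keep the old values so a scope can be restored if needed
$scoped | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Saved $(@($scoped).Count) entries to $ReportPath"

if ($Clear) {
    foreach ($entry in $scoped) {
        $obj = [ADSI]("LDAP://" + $entry.DistinguishedName)
        $obj.msExchQueryBaseDN.Clear()
        $obj.SetInfo()
        Write-Host "Cleared msExchQueryBaseDN on $($entry.Alias)"
    }
}
```

Run it once without -Clear to see how the scoping was laid out, then again after replication to confirm no mailbox still carries the attribute.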