Nested distribution group found in delivery restrictions

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2006-08-21

The Microsoft® Exchange Server Analyzer Tool queries the following attributes for each distribution group object in all domains found in the Active Directory® directory service to determine whether any of the groups are used to set delivery restrictions based on membership in the group:

dLMemRejectPermsBL

Contains the DNs of recipients or connectors that will not accept messages from this group.

dLMemSubmitPermsBL

Contains the DNs of recipients or connectors that will accept messages from this group.

If the Exchange Server Analyzer finds that there are group objects that are used to set delivery restrictions, the Exchange Server Analyzer examines those groups to determine whether they contain any nested groups.

The Exchange Server Analyzer also reads the following registry key to determine whether the RestrictionMethod registry value is present and how it is configured:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransport\Parameters\RestrictionMethod

The Exchange Server Analyzer displays a warning if the following conditions are true:

  • Distribution Group membership is used to set delivery restrictions.

  • There are distribution groups nested in the distribution groups that have delivery restrictions set.

  • The RestrictionMethod registry value is present and not set to force flat restriction checking.

This error indicates that delivery restrictions based on distribution group membership may significantly affect Exchange mail flow performance.

The default behavior of the categorizer is to recursively expand distribution groups and check restrictions for each message that passes through the system.

When you send mail to a user who accepts or denies messages from a distribution group, or send mail that travels through a connector that accepts or denies messages from a distribution group, the message categorizer has to expand the membership of the distribution group, obtain the full list of DNs of the members, and then compare the list of DNs to the list of the sender's DNs. An access operation or a deny operation occurs when a DN on both lists matches. If a distribution group is nested in another distribution group, the nested distribution group is also expanded.

The RestrictionMethod value determines how the categorizer will process restrictions. If you set the value of RestrictionMethod to 2, the transport components on this server that runs Exchange Server will not expand membership of distribution groups when the server checks restrictions. This configuration provides the best performance for restriction checks. Additionally, for the RestrictionMethod registry entry to take effect, all distribution groups that include users who have delivery restrictions must be flat. That is, the restricted distribution groups must not have nested distribution groups. The expansion logic will not work if the restricted distribution groups are nested.

For distribution groups that are used in connector restrictions, it is recommended that you set the RestrictionMethod registry entry value on a connector bridgehead server that has no mailboxes. For Active Directory user restrictions, if the restricted distribution groups have expansion servers, we recommend that you create the RestrictionMethod registry entry on the expansion servers.

To address this error:

  • Examine those users who have distribution group delivery restrictions set and remove unnecessary restrictions.

  • Configure individual mailboxes and not distribution groups for delivery restrictions as referenced in Microsoft Knowledge Base article 812298, "Mail delivery is slow after you configure delivery restrictions that are based on a distribution list" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=812298).

  • For servers that run Microsoft Exchange Server 2003 Service Pack 2 (SP2) or a later version, consider implementing non-hierarchical restriction checking. For servers that run Exchange versions earlier than Exchange 2003 SP2, consider upgrading to Exchange 2003 SP2.

Important

This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.

To create the RestrictionMethod registry entry and set its value to 2

  1. Open a registry editor, such as Regedit.exe or Regedt32.exe.

  2. Navigate to: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\Parameters

  3. In the left pane, click Parameters.

  4. On the Edit menu, point to New, and then click DWORD Value.

  5. Type RestrictionMethod, and then press ENTER to name the new registry entry.

  6. Right-click RestrictionMethod and then click Modify.

  7. Type 2, and then press ENTER.

  8. Close the registry editor.
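The same change can be scripted together with the flatness requirement described earlier. The following PowerShell is an added example, not part of the original article or of the Exchange Server Analyzer: it lists restricted groups that still contain nested groups and creates RestrictionMethod with the value 2 only when none are found. It assumes an elevated session on a domain-joined Exchange server and searches the current domain only (the Analyzer checks all domains); the variable names are illustrative.

```powershell
# Added example: verify restricted groups are flat, then set RestrictionMethod = 2.
# Assumption: elevated PowerShell on the Exchange server, current domain only.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\Parameters'

# Escape characters that are special inside an LDAP search filter (backslash first).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Groups whose membership is referenced by a delivery restriction.
$restricted = [adsisearcher]'(&(objectClass=group)(|(dLMemRejectPermsBL=*)(dLMemSubmitPermsBL=*)))'
$restricted.PageSize = 500
[void]$restricted.PropertiesToLoad.Add('distinguishedName')

$nested = foreach ($group in $restricted.FindAll()) {
    $groupDn = [string]$group.Properties['distinguishedname'][0]

    # A direct member that is itself a group means the restricted group is not flat.
    $inner = [adsisearcher]"(&(objectClass=group)(memberOf=$(ConvertTo-LdapFilterValue $groupDn)))"
    $inner.PageSize = 500
    [void]$inner.PropertiesToLoad.Add('distinguishedName')

    foreach ($child in $inner.FindAll()) {
        [pscustomobject]@{
            RestrictedGroup = $groupDn
            NestedGroup     = [string]$child.Properties['distinguishedname'][0]
        }
    }
}

# Current registry setting; $null when the value does not exist.
$current = (Get-ItemProperty -Path $regPath -Name RestrictionMethod -ErrorAction SilentlyContinue).RestrictionMethod

if ($nested) {
    Write-Warning 'Restricted groups contain nested groups. Flatten them before setting RestrictionMethod to 2.'
    $nested | Format-Table -AutoSize
}
elseif ($current -eq 2) {
    'RestrictionMethod is already set to 2.'
}
else {
    New-ItemProperty -Path $regPath -Name RestrictionMethod -PropertyType DWord -Value 2 -Force | Out-Null
    "RestrictionMethod set to 2 (previous value: $(if ($null -eq $current) { 'not present' } else { $current }))."
}
```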

Before you edit the registry, and for information about how to edit the registry, see Microsoft Knowledge Base article 256986, "Description of the Microsoft Windows registry" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=256986).

For More Information

For more information about non-hierarchical restriction checking, see "Consider non-hierarchical restriction checking."

For more information about the effect of distribution group restriction on Exchange mail flow, see the following Microsoft Knowledge Base articles:

For more information about the RestrictionMethod registry value, see Microsoft Knowledge Base article 895407, "In Exchange Server 2003, message delivery to local mailboxes and to external mailboxes is slower than you expect after you configure delivery restrictions based on distribution groups" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=895407).

For more information about the registry value, see Microsoft Knowledge Base article 277872, "XCON: Connector Delivery Restrictions May Not Work Correctly" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=277872).