Nested distribution group found but flat restriction checking enabled
Topic Last Modified: 2006-08-21
The Microsoft® Exchange Server Analyzer Tool queries the following attributes for each distribution group object in all domains found in the Active Directory® directory service to determine whether any of the groups are used to set delivery restrictions based on membership in the group:
Contains the DNs of recipients or connectors that will not accept messages from this group.
Contains the DNs of recipients or connectors that will accept messages from this group.
If the Exchange Server Analyzer finds that there are group objects that are used to set delivery restrictions, the Exchange Server Analyzer then examines those groups to determine whether they contain any nested groups.
The Exchange Server Analyzer also reads the following registry key to determine whether the RestrictionMethod registry value is present and how it is configured:
The Exchange Server Analyzer displays a warning if the following conditions are true:
Distribution group membership is used to set delivery restrictions.
There are distribution groups nested in the distribution groups that have delivery restrictions set.
The RestrictionMethod registry value is present and set to force flat restriction checking.
This warning indicates that, although the RestrictionMethod registry value is set to force flat (non-hierarchical) restriction checking, the distribution groups that have delivery restrictions set have other distribution groups embedded in them (nested). Flat restriction checking will not correctly identify the allowed or denied senders if the distribution groups contain nested distribution groups. With flat restriction checking, nested distribution groups are not expanded.
The default behaviors for the categorizer is to recursively expand distribution groups and check restrictions for each message that passes through the system.
When you send mail to a user who accepts or denies messages from a distribution group or send mail that travels through a connector that accepts or denies message from a distribution group, the message categorizer has to expand the membership of the distribution group, obtain the full list of DNs of the members, and then compare the list of DNs to the list sender’s DNs. An access operation or a deny operation occurs when a DN on both lists match. If a distribution group is nested in another distribution group, the nested distribution is also expanded.
The RestrictionMethod value determines how the categorizer will process restrictions. If you set the value of RestrictionMethod to 2, the transport components on this server that runs Exchange Server will not expand membership of distribution groups when the server checks restrictions. This configuration provides the best performance for restriction checks. Additionally, for the RestrictionMethod registry entry to take effect, all distribution groups that include users who have delivery restrictions must be flat. That is, the restricted distribution groups must not have nested distribution groups.
To address this warning, do not nest distribution groups within other distribution groups that are used for delivery restrictions when flat restriction checking is enabled.
For more information about non-hierarchal restriction checking, see Consider non-hierarchical restriction checking.
For more information about the effect of distribution group restriction on Exchange mail flow, see the following Microsoft Knowledge Base articles:
895407 "In Exchange Server 2003, message delivery to local mailboxes and to external mailboxes is slower than you expect after you configure delivery restrictions based on distribution groups" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=895407).
839949 "Troubleshooting mail transport and distribution groups in Exchange 2000 Server and in Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=839949).
812298 "Mail delivery is slow after you configure delivery restrictions that are based on a distribution list" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=812298).
For more information about the RestrictionMethod registry value, see Microsoft Knowledge Base article 895407, "In Exchange Server 2003, message delivery to local mailboxes and to external mailboxes is slower than you expect after you configure delivery restrictions based on distribution groups" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=895407).
For more information about the registry value, see Microsoft Knowledge Base article 277872, "XCON: Connector Delivery Restrictions May Not Work Correctly" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=277872).