Bridgehead server to check distribution group delivery restrictions for RGC

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2006-09-18

The Microsoft® Exchange Server Analyzer Tool queries the following attributes for each routing group connector object (msExchRoutingGroupConnector) detected in the Active Directory® directory service to determine whether delivery restrictions are set based on distribution group membership.

dLMemRejectPerms

Contains the domain names (DNs) of a distribution list (DL) whose members may not send through this routing group connector.

dLMemSubmitPerms

Contains the DNs of a distribution list (DL) whose members may send through this routing group connector.

If the Exchange Server Analyzer finds routing group connectors that have delivery restrictions based on distribution group membership, the Exchange Server Analyzer queries the msExchSourceBridgeheadServersDN attribute of the detected routing group connectors to determine whether the server being analyzed is set as a bridgehead server for any of those connectors.

Finally, the Exchange Server Analyzer reads the following registry key to determine whether the CheckConnectorRestrictions registry value is present and configured:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Resvc\Parameters

The Exchange Server Analyzer displays a warning if the following conditions are true:

  • A routing group connector is used to restrict delivery based on distribution group membership.

  • The Exchange server being analyzed is designated as the bridgehead server for that routing group connector and is tasked with the distribution group expansion.

  • The CheckConnectorRestrictions key is present, set to 1, and therefore enabled.

The default behaviors for the categorizer is to recursively expand distribution groups and check restrictions for each message that passes through the system.

When you create a routing group, you designate a group of servers that can communicate directly with each other. For servers in different routing groups to communicate with each other, you must connect the routing groups.

The preferred connection method is a routing group connector because this connector is designed and intended specifically for connecting routing groups.

Servers that can send mail over a routing group connector are bridgehead servers. A bridgehead server is a combination of a Simple Mail Transfer Protocol (SMTP) virtual server and an Exchange server that is responsible for delivering all messages through a connector.

When you create a routing group connector, you can choose to keep all the servers as bridgehead servers for that connector or else specify that only a selected set of servers act as bridgehead servers for that connector. The designated bridgeheads are the servers that are tasked with the expansion of distribution group membership.

When you send mail by using routing group connectors that have delivery restrictions set based on distribution group membership, the message categorizer has to expand the membership of the distribution group, obtain the full list of DNs of the members, and then compare the list of DNs to the list sender’s DNs. An access operation or a deny operation occurs when a DN on both lists match. If a distribution group is nested in another distribution group, the nested distribution is also expanded.

This warning indicates that the delivery restrictions based on distribution group membership may cause messages destined for the bridgehead to queue as the categorizer checks the restrictions.

To address this warning:

  • Configure the routing group connector to a local routing group as referenced in Microsoft Knowledge Base article 329171, "XADM: Mail Delivery Is Slow if Recipients Are Configured with Delivery Restrictions Based on Group Membership" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=329171).

  • Use a dedicated and more robust global catalog server as the designated bridgehead server for the connector.

  • Configure individual mailboxes and not distribution groups for delivery restrictions as referenced in Microsoft Knowledge Base article 812298, "Mail delivery is slow after you configure delivery restrictions that are based on a distribution list" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=812298).

  • Consider implementing SMTP Sender Filtering.

  • For servers that run Microsoft Exchange Server 2003 Service Pack 2 (SP2) or a later version, consider implementing non-hierarchal restriction checking. For servers that run Exchange versions earlier than Exchange 2003 SP2, consider upgrading to Exchange 2003 SP2.

For More Information

For more information about non-hierarchal restriction checking, see Consider non-hierarchical restriction checking.

For more information about SMTP Sender Filtering, see "How to Enable Sender Filtering" in the Administration Guide for Exchange Server 2003 (https://go.microsoft.com/fwlink/?LinkId=71832).

For more information about the effect of distribution group restriction on Exchange mail flow, see the following Microsoft Knowledge Base articles: