Topic Last Modified: 2006-08-21
The Microsoft® Exchange Server Analyzer Tool queries the following attributes for each Simple Mail Transfer Protocol (SMTP) connector object (msExchRoutingSMTPConnector) detected in the Active Directory® directory service to determine whether delivery restrictions are set based on distribution group membership.
Contains the domain names (DNs) of a distribution list (DL) whose members may not send to through this SMTP connector.
Contains the DNs of a distribution list (DL) whose members may send through this SMTP connector.
If the Exchange Server Analyzer finds SMTP connectors that have delivery restrictions based on distribution group membership, the Exchange Server Analyzer then queries the msExchSourceBridgeheadServersDN attribute of the detected SMTP connectors to determine whether the server being analyzed is set as a bridgehead server for any of those connectors.
Finally, the Exchange Server Analyzer reads the following registry key to determine whether the CheckConnectorRestrictions registry value is present and configured:
The Exchange Server Analyzer displays a warning if the following conditions are true:
- An SMTP connector is used to restrict delivery based on
distribution group membership.
- The Exchange server being analyzed is designated as the
bridgehead server for that SMTP connector and is tasked with the
distribution group expansion.
- The CheckConnectorRestrictions key is present, set to 1,
and therefore enabled.
The default behaviors for the categorizer is to recursively expand distribution groups and check restrictions for each message that passes through the system.
When you send mail by using a connector that accepts or denies messages from a distribution group, the message categorizer has to expand the membership of the distribution group, obtain the full list of DNs of the members, and then compare the list of DNs to the list sender’s DNs. An access operation or a deny operation occurs when a DN on both lists match. If a distribution group is nested in another distribution group, the nested distribution is also expanded.
The designated bridgehead is the server tasked with the expansion of distribution group membership.
Restriction checking is controlled by the CheckConnectorRestrictions registry value that must be set on the Exchange bridgehead server that is the source for the connector that is being checked. If you specify a restriction but do not create the CheckConnectorRestrictions registry value, the restriction is not checked.
By default, connector restriction checking is turned off. System performance is significantly affected if distribution groups are expanded and restrictions are checked for each message that passes through the system.
This warning indicates that the delivery restrictions based on distribution group membership may cause messages destined for the bridgehead to queue as the categorizer checks the restrictions.
To address this warning:
- Design a dedicated routing group for connector restrictions and
configure it to a local routing group as referenced in Microsoft
Knowledge Base article 329171, "XADM: Mail Delivery Is Slow if
Recipients Are Configured with Delivery Restrictions Based on Group
- Use a dedicated and more robust global catalog server as the
designated bridgehead server for the connector.
- Configure individual mailboxes and not distribution groups for
delivery restrictions as referenced in Microsoft Knowledge Base
article 812298, "Mail delivery is slow after you configure delivery
restrictions that are based on a distribution list" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=812298)
- Consider implementing SMTP Sender Filtering.
- For servers that run Microsoft Exchange Server 2003
Service Pack 2 (SP2) or a later version, consider implementing
non-hierarchal restriction checking. For servers that run Exchange
versions earlier than Exchange 2003 SP2, consider upgrading to
Exchange 2003 SP2.
For More Information
For more information about non-hierarchal restriction checking, see Consider non-hierarchical restriction checking.
For more information about SMTP Sender Filtering, see "How to Enable Sender Filtering" in the Administration Guide for Exchange Server 2003 (http://go.microsoft.com/fwlink/?LinkId=71832).
For more information about the effect of distribution group restriction on Exchange mail flow, see the following Microsoft Knowledge Base articles:
- 329171 "XADM: Mail Delivery Is Slow if Recipients Are
Configured with Delivery Restrictions Based on Group Membership"
- 895407 "In Exchange Server 2003, message delivery to local
mailboxes and to external mailboxes is slower than you expect after
you configure delivery restrictions based on distribution groups"
- 839949 "Troubleshooting mail transport and distribution groups
in Exchange 2000 Server and in Exchange Server 2003"