Sunday, February 24, 2013

Fixing IMCEAEX NDRs - Missing X500 Addresses

My Lyrical Inspiration

IMCEA and me tell each other NDR tales
Stare at the
rejected mai
rejected by you. Ah, no, no, she's rejected by me."
Frowning in the transport
Coming through in
When everybody
bounces you, you will never be delivered

Imagine the following scenarios

  • A user complains about something weird going on with their mailbox
    • Admin disconnects that mailbox and creates a new mailbox for the user
    • User complains that they are not receiving emails from internal users
    • User can receive emails from external senders
    • Other users complain they can’t send email to the user
    • Emailing the user from OWA works
    • Emailing the user from Outlook works when selecting them from the Address Book
  • You migrate from Exchange 2003/2007 to Exchange 2010
    • The mailbox move fails
    • A new mailbox is created and the previous mailbox imported via PST
    • Same complaints as above
  •  Provisioning software “accidently” disables the user
    • The software “fixes” the issue by adding a new mailbox to the account
    • User complains they are missing their email
    • User complains that they are not receiving emails from internal users
    • Users report receiving NDRs like the example below

Delivery has failed to these recipients or groups:
Han Solo
The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.

Diagnostic information for administrators:
Generating server:
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

The scenarios are pretty similar except the timeframe. All stem from Outlook caching the LegacyExchangeDN for the user and not being able to find that in the Exchange system. The fix is to add the LegacyExchangeDN as an X500 address as a Proxy Address to the user’s mailbox. The real issue is that we are usually reactive on this and wait until a user reports the problem and sends us a NDR. Even then, we still have to convert the mumbo-jumbo that the NDR says into a valid X500 address. I don’t like being reactive or waiting for users to open tickets with this issue. I figured out that I can find this information in the Message Tracking Logs in Exchange with the EventID of FAIL. This isn’t the only information that can be gleaned from the FAIL events, but that’s a story for another day.

The basics of my script

  •  Search message tracking logs for X days for all FAIL events that have a recipient that matches IMCEAEX (See the example above)
  •  Convert the IMCEAEX address to a valid X500 address (strip out the junk)
  • Filter out the duplicates leaving only unique instances
  • Determine the potential user name from the X500 address and search for an existing mailbox.  
  • Add the X500 address to the user’s mailbox.

Here’s the script - Download 

Example Usage

  • AutoHeal
    • Attempt to fix the invalid accounts by adding the missing X500 address as a Proxy Address
  • Days
    • Number of days to search in the logs. Default is 1
  •  Servers
  • Filter the list of server(s) to use. Defaults to all Transport servers.

Find-X500Failures -days 1 -AutoHeal
Script Output

Searching for messages sent after: 02/22/2013
Found 90 Unique user(s)

Name              Alias              Status                              
----              -----              ------                              
Johnny B Good     Johnny.B.Good      Updated                             
Eddie Du Little   Eddie.Du.Little    Updated


  1. Great script! Thanks! But it easily misses the associated user, so what could be added that when it cannot find the user it would allow an entry box to hand-enter the answer - otherwise keep automation??

  2. Unable to download the script :(

  3. Changed $start Date format to dd/MM/yyyy to make work in uk.

    Get-MessageTrackingLog : Cannot bind parameter 'Start'. Cannot convert value "11/25/2016" to type "System.DateTime"

    Could you amend to also show groups with invalid addresses?

    thank you