
We have a hybrid deployment and have run into some troubles managing mail settings from the on-prem DCs. I believe the solution is to raise the functional level of the forest to 2016, but I want to confirm before migrating.

Domain controllers run on Windows Server 2012 R2 Datacentre and the current functional level matches. We use a mail-enabled security group for all staff (staff@domain.tld). We need to restrict which internal users can send mail to all staff. Exchange admin keeps telling us to make the change on-prem. Our DCs seem to have no idea that this type of group is possible, and we can't find any way to manage the group on-prem.

Am I correct in thinking we need to raise the functional level to 2016? Is there an update we can apply to get this functionality from a forest at 2012 level, or are we out of luck?

Tried to manage a group in the usual way (AD Users and Computers), on-prem AD thinks it's a security group and NOT a distribution group - Azure AD knows it's a mail-enabled security group.

2 Answers


The functional level of the DCs is not related to your current situation.

If you migrated the emails and removed any Exchange Server from your on-premises environment, you must edit your mail-enabled security group at the Attributes tab in your local DC.

Here you can find more information about the attributes.

UPDATED

In your domain controller, you can add a user to your mail-enabled group via PowerShell:

# Authorize a sender by adding the user's distinguished name to the group's authOrig attribute
$GroupIdentity = "GROUPNAME"
$User = Get-ADUser -Filter 'Name -like "USER-NAME"'
Set-ADGroup -Identity $GroupIdentity -Add @{authOrig=$User.DistinguishedName}
# List the users who can send emails to the distribution group (the attribute is authOrig, not "authoring")
Get-ADGroup -Identity $GroupIdentity -Properties "authOrig" | ForEach-Object {$_.authOrig}

After the execution of the command, you must force a synchronization in your Azure AD Connect.

Hope this helps!

SoySolisCarlos
  • Following the link you've provided, I have been attempting the procedure under the "Delivery Management" subheading under the "Use the EAC..." heading. When I do this, I get an error telling me to make the change on-prem. The Exchange Management Shell is only included in server 2016, 2019, and 2022, so this option is currently unavailable to me. – Charles Miller Mar 02 '23 at 15:24
  • You must edit your mail-enabled security group at the attributes tab in your Local DC. The attribute name is authoring. I updated the answer with the PowerShell command. – SoySolisCarlos Mar 03 '23 at 16:49
  • My DC has no concept of a mail-enabled security group. It knows of security groups and distribution groups. We've never had an exchange server, so we don't have access to the shell that these commands need to run in, and the DC schema doesn't have the attributes that we would need to edit. I'm installing the management tools from the Exchange CU 19 installer. – Charles Miller Mar 06 '23 at 08:23
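
Putting the answer's authOrig approach together as one script (an added example, not code from the original answer): it assumes placeholder group and sender account names of your own, first checks that the Exchange schema extension defining authOrig is actually present in the forest (the sticking point in the comments above), then sets the complete allowed-sender list, reads it back, and triggers a delta sync, which assumes it is run on the Azure AD Connect server where the ADSync module lives.

```powershell
# Added example: restrict who may send to a mail-enabled group by setting the
# authOrig attribute on-prem, then pushing the change to Azure AD via AAD Connect.
# Group name and sender accounts below are placeholders; replace with your own.
Import-Module ActiveDirectory

$GroupName      = 'staff'            # placeholder: sAMAccountName of the group
$AllowedSenders = @('alice', 'bob')  # placeholder: sAMAccountNames allowed to send

# authOrig only exists once the Exchange schema extensions have been applied to
# the forest. Without it, Set-ADGroup fails and there is no attribute to edit.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -Filter 'lDAPDisplayName -eq "authOrig"'
if (-not $attr) {
    throw "authOrig is not in the schema; Exchange schema extensions were never applied to this forest."
}

# Resolve each sender to its distinguished name; authOrig is a multi-valued DN attribute.
$senderDNs = foreach ($sam in $AllowedSenders) {
    $u = Get-ADUser -Filter "sAMAccountName -eq '$sam'"
    if (-not $u) { throw "User '$sam' not found" }
    $u.DistinguishedName
}

# -Replace sets the whole list at once; the answer's -Add form appends one entry.
$group = Get-ADGroup -Identity $GroupName
Set-ADGroup -Identity $group -Replace @{ authOrig = [string[]]$senderDNs }

# Read back and verify that every intended sender is present before syncing.
$current = (Get-ADGroup -Identity $group -Properties authOrig).authOrig
$missing = $senderDNs | Where-Object { $_ -notin $current }
if ($missing) { throw "authOrig did not apply for: $($missing -join ', ')" }
$current | ForEach-Object { "Allowed sender: $_" }

# Push the change to Azure AD without waiting for the scheduled cycle.
# The ADSync module is only available on the Azure AD Connect server.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Until the sync completes, Exchange Online still evaluates the old sender list, so test the restriction after the delta cycle finishes rather than immediately.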

Couple of points.

  1. With Windows 2012 R2 domain controllers, you cannot raise the functional level straight away. You need to introduce new domain controllers which are either 2016 or 2019, and remove the 2012 R2 ones completely before the functional levels can be raised. This is something you need to plan for, as all support for Windows 2012 R2 servers is ending soon.

  2. Raising the functional level has nothing to do with your issue.

  3. If you want to restrict users from emailing this mail-enabled group, you need to make the change in Exchange Online (assuming that it is synchronized and Exchange Online sees it correctly). You can either create a transport rule or edit the properties of the group in Exchange Online (message restrictions options & stick in who can send to that group).

Hope this helps.

  • Thanks for responding! I'm aware of point 1 - we've planned a migration to Server 2022 and will decommission the 2012 R2 servers as part of this migration. I'm not convinced about point 2, because when I attempt what you've described in point 3 I get an error stating that I must make the change on-prem, and I am currently unable to do this. – Charles Miller Mar 02 '23 at 15:18