It all starts with the error: Unhandled Exception “Multiple objects with legacy DN ADCDisabledMail were found.”

Normally these are leftovers from the Exchange 5.5 Active Directory Connector and probably part of an old migration effort. If left unresolved, the issue can cause LDAP lookup and other performance problems, and can also result in rapid log file growth, queues building from time to time, etc. Microsoft’s recommendation is to clear the legacyExchangeDN attribute when it has the value “ADCDisabledMail”, so long as there are no Active Directory Connectors touching the Exchange organization.

Tool Set required:

  • ADModify.NET Tool.
  • Active Directory Users and Computers.
  • ADSIEdit.

LegacyExchangeDN Cleaning Procedure:

Before modifying any LegacyExchangeDN values, you must first validate that you are using the correct LDAP query to target the affected set of users. To do this, open ‘Active Directory Users and Computers’ and create a custom search query for locating the users with LegacyExchangeDN set to ADCDisabledMail.

  • LDAP Query string: (&(objectClass=user)(objectCategory=person)(legacyExchangeDN=ADCDisabledMail))
  • Open Active Directory Users and Computers and run the query to discover which objects are returned by the query string. To execute the LDAP query:
  • ADUC > Saved Queries > New > Query
  • Enter a name for the query (e.g. ADCDisabledMail).
  • Click the “Define Query” button.
  • Next select Find > Custom Search > Advanced tab, and paste the LDAP query string into the text box:
  • (&(objectClass=user)(objectCategory=person)(legacyExchangeDN=ADCDisabledMail))
  • Click “OK”, then “OK” again.
  • View the results of the query.
  • To verify the objects meet the criteria of the LDAP query, open ADSIEdit and verify that the “LegacyExchangeDN” attribute value matches the “ADCDisabledMail” value.
  1. Download and extract ADModify.NET to a designated server to execute. (This can be any domain member machine with the correct .NET Framework version.)
  2. Open ADModify.exe and select the “Modify Attributes” option.
  3. On the next screen select the correct options:
     1. Domain List – select the domain.
     2. Domain Controller – select an available DC.
     3. Show Only – Users, Contacts.
     4. Domain Tree List – Advanced Features, Show Containers Only.
  4. Click the green arrow to display the Active Directory tree within the left pane.
  5. Click on the domain and select the “Traverse Subcontainers (SubTree Search)” check box.
  6. Click the “Custom LDAP Query” button and paste the query given below. Once it is pasted in the text box, click OK.
     (&(objectClass=user)(objectCategory=person)(legacyExchangeDN=ADCDisabledMail))
  7. Click the “Add To List” button. When you receive the “Enumerate entire domain warning…” prompt, select OK.
  8. Verify that the accounts returned by the query in Active Directory Users and Computers match what is displayed in the Results pane (right pane).
  9. Select all of the results; this will highlight every object in the right pane.
  10. Click the “Next” button to proceed to the attribute modification window.
  11. On the attribute screen select the “Custom” tab. The custom tab is where we define the attribute to modify and the value to set it to.
  12. Select the “Make a Custom modification” check box and enter the following values:
     1. Attribute Name – legacyExchangeDN
     2. Attribute Value – null (type null, without quotes)
  13. Click the “GO” button and verify that there were no failures.
  14. IMPORTANT: Be sure to save and log the Output/Log file produced by the ADModify process just executed. This file (.xml) will be located in the same directory that ADModify.exe was run from. It is used by the Rollback function of ADModify in the event that you need to roll back the changes executed during this run. The file can be saved and the rollback executed at any time.
  15. Next, verify that the legacyExchangeDN attribute value of “ADCDisabledMail” has been removed from all objects. To do this, open Active Directory Users and Computers and re-run the LDAP query used to target the users. No results should be displayed; if no results are returned, the attribute modification was successful.
  16. NOTE: If results are displayed, either allow ample time for AD replication to complete or make sure to target the same Domain Controller within ADUC that you did for ADModify.
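
For shops that would rather script the same enumerate / back up / clear / verify sequence than click through ADModify, here is an added PowerShell example (not from the original post and not part of ADModify) using the ActiveDirectory module; the DC name and the rollback path are placeholders, and the cmdlets run with -WhatIf until you remove it.

```powershell
# Added example: legacyExchangeDN=ADCDisabledMail cleanup with the ActiveDirectory
# module (RSAT) instead of ADModify.NET. Assumes the account can write
# legacyExchangeDN. $Server and $Rollback are placeholders for your environment.
Import-Module ActiveDirectory

$Server   = 'DC01.contoso.local'   # pin one DC so the verification step hits the same replica
$Filter   = '(&(objectClass=user)(objectCategory=person)(legacyExchangeDN=ADCDisabledMail))'
$Rollback = "$env:TEMP\legacyExchangeDN-rollback-$(Get-Date -Format yyyyMMdd-HHmmss).csv"

# 1. Enumerate with the exact LDAP query used in ADUC, and review before touching anything.
$targets = @(Get-ADUser -Server $Server -LDAPFilter $Filter -Properties legacyExchangeDN)
"Found $($targets.Count) object(s) with legacyExchangeDN=ADCDisabledMail"
$targets | Select-Object DistinguishedName, legacyExchangeDN | Format-Table -AutoSize

# 2. Write the rollback data first (the equivalent of ADModify's XML log).
$targets | Select-Object DistinguishedName, legacyExchangeDN |
    Export-Csv -Path $Rollback -NoTypeInformation
"Rollback data saved to $Rollback"

# 3. Clear the attribute. -WhatIf only reports what would change; remove it to apply.
foreach ($u in $targets) {
    Set-ADUser -Server $Server -Identity $u -Clear legacyExchangeDN -WhatIf
}

# 4. Verify against the SAME DC so replication lag does not hide stragglers.
$remaining = @(Get-ADUser -Server $Server -LDAPFilter $Filter)
if ($remaining.Count -eq 0) {
    'Verification passed: the query returned 0 results.'
} else {
    "Verification: $($remaining.Count) object(s) still match; wait for replication or re-run."
}

# Rollback (only if needed): restore the saved values from the CSV.
# Import-Csv $Rollback | ForEach-Object {
#     Set-ADUser -Server $Server -Identity $_.DistinguishedName `
#         -Replace @{ legacyExchangeDN = $_.legacyExchangeDN }
# }
```

As in the ADModify walkthrough, do a small batch first and re-run the query before clearing the rest.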

This is how we did it.

  • Logged on to an Exchange 2007 server in the domain.
  • Ran the LDAP query.
  • Verified that the users returned by the query had a “LegacyExchangeDN” attribute value matching “ADCDisabledMail” using ADSIEdit.
  • Logged on to an Exchange 2007 Hub Transport server and ran ADModify.
  • Verified that the list presented by ADModify matched the AD query.
  • Selected a couple of users and executed the (custom) attribute modification.
  • Verified using ADSIEdit (LegacyExchangeDN no longer set) and AD (query returned fewer users).
  • Repeated the steps again for the remaining users.
  • Verified using ADSIEdit and the AD query. The query returned 0 results this time.
  • Saved the XML file.

Recovery Plan:

Roll back the changes using the Rollback function of ADModify. Save the Output/Log file produced by the ADModify process; the rollback can be executed at any time.

I’ll caution that because ADModify is so easy to use – it’s also very easy to shoot one’s toes off – make sure to take care when aiming (usage courtesy: Brock).

–Thanks, Jinesh.