
Namespace Mining

We host our own Exchange server.  We recently have had issues sending emails to anyone associated with a Windows Live email address.  I have been in contact with Windows Live domain support and they are reporting our IP is being tagged as a Namespace Miner.  One of the employees here does send out a mass email once a week and I can only assume that it is related to that.

What can I do to prevent the namespace mining from taking place? 

Any help or insight would be appreciated.



After implementing Exchange Server 2007, our outgoing mail is being blocked by several recipients as potential spam (i.e., The mail server IP connecting to Windows Live Hotmail has exhibited namespace mining behavior). In our case, we have configured the mail transport server to route mail directly to the internet. Our receive connector is configured to allow incoming connections from our upstream email filter.
Our external DNS, our internal AD namespace is [server]
When contacted the SMTP server responds with the internal name based on the server name (no matter what we set the FQDN name in the send connector). According to MS, this is by design. (from the documentation: If the Send connector is configured on a Hub Transport server that also has the Mailbox server role installed, any value that you specify for the FQDN field is not used. Instead, the FQDN of the server that is displayed by using the Get-ExchangeServer cmdlet is always used.)
MS tells me that I have to use the Remove-ADPermission cmdlet to remove the Ms-Exch-Send-Headers-Routing permission from the security principals that use the connector. MS doesn't specify what security principals the rights should be removed from, but they do warn that it would not be removed from internal messages.
All I want to do is make sure the SMTP box responds with the externally registered name.
Do I really have to modify the security principals? If so, what would the script look like?

Users on our exchange server 2007 cannot send email to hotmail or windows
live accounts. We get the following message. #550 SC-002 Mail rejected by Windows Live
Hotmail for policy reasons. The mail server IP connecting to Windows Live
Hotmail has exhibited namespace mining behavior. If you are not an
email/network admin please contact your E-mail/Internet Service Provider for
help. Email/network admins, please visit for email
delivery information and support ##

I need some help on how to configure our domain namespace to support Exchange 2000. I would like to keep the same internal/external namespace. Here is how I think it should be done: I would have an internal AD integrated DNS server, on the outside I would have a Win2k "primary" DNS without AD installed. Exchange 2000 would go on the "primary" DNS server on the outside. The reason for no AD on the outside box is because I need to do zone transfers to a NT 4 DNS box and it doesn't work when the outside DNS is AD integrated (NT4 doesn't support SRV or dynamic update zone files....learned this the hard way.) Will the way I propose above work? I need to hide the internal clients from the internet, but the clients must have internet access and e-mail access to the intranet/internet.

I've tried a split namespace where the internal/external namespace was different. I setup the Exchange server on the external DNS. The problem with this setup is that I had both DNS servers AD integrated. I created a "secondary" zone (which had our external namespace) pointing at the NT4 machine. This worked great for outgoing e-mail, and user-user e-mail, but I couldn't receive incoming internet e-mail. I believe it was because the Exchange server was residing technically on the "internal" namespace and the MX record was pointing to the external namespace. Exchange didn't know what to do with these e-mails coming in with the external name so it would bounce them. What I should have done was have 1 AD integrated DNS server on the inside and a "secondary" Win2k DNS server (no AD installed) on the this correct?

Please, someone verify this is how it's done...I've formatted these servers like 10 times now and I'm getting frustrated over the whole incoming internet e-mail problem.


Can somebody tell me how to config the Internet Mail Connector for a shared SMTP namespace.
I have an old organization running Exchange 5.5.
I have a new organization on a W2k server with AD running Exchange 2000. Exchange 2000 is configured to share the namespace with the old 5.5. If I sent mail from within the new organization and it can not deliver the mail it will forward it to the old organization.

Thanks in advance!

My company picked up a Zimbra server and I've been tasked with integrating the two.  I already configured it so that email delivery is successful from Zimbra (reconfigured to a secondary MTA) to Exchange (MX record).  That was the hard part I thought.

I'm now setting up a shared SMTP namespace for the two using the domain that Exchange server was already authoritative for, let's call it which is also the Active Directory domain.  I changed the default recipient policy on Exchange removing and adding office.local which of course is authoritative.  I then added a new recipient policy with the original domain and unchecked the "This Exchange Organization is responsible for all mail delivery to this address" checkbox.  So Exchange should no longer be authoritative for  I then added a connector forwarding all mail to the Zimbra server with the only Exchange server as the bridgehead.  The address space on the connector is set for Entire Organization and the "Allow messages to be relayed to these domains" is checked.  Restarted routing and smtp services, have even restarted the server.

The problem is that when I am sending email from Exchange to the other server which should go via the connector, it never attempts to send to the remote server as seen through Message Tracking, just automatically NDRs with a 5.1.1.  It's not a problem with the other server as if I set the SMTP connector to forward all unresolved recipients to that server, the mail gets delivered.  If I was ignorant I'd leave it that way but real unresolved recipients start looping between servers.

Any idea what I'm missing?  I've deleted and created the connector a couple times with reboots.  I thought this was the easy part.  :(

I have a question and it is this...
If I have set up my DNS namespace using .local, what changes must I make to my dns server/exchange server to enable me to pickup email for my registered .com domain name?
I have asked my ISP to associate an MX record to my firewalls public IP address, and I have configured port forwarding (25) to the 2003 exchange server on my internal domain.
Thanks in advance.

I've been reading sharing namespace articles on this and Microsoft's website.... some of the examples talk about mergers, 2 domains, namespaces etc..etc... Here's my scenario below,  please reply with holes in my logic or "sounds about right"...thanks

I have taken over an AD domain/network,   everything is a MESS.  Old servers, messy AD, permissions, login scripts, etc..etc..    To let you know how bad it was,  every user had local admin rights on both citrix servers....Since we are only 70 users, it seems easier to build a new network, domain etc..etc..  Timing is perfect since our data center is forcing us to move to a new location in April.  I would like to start building the new domain,  at the new data center now, and migrate users 5-10 at a time or more once all the kinks are worked out.   I'm starting fresh with a new domain  AD called,  new exchange server but i'd like to use the same email namespace "".   I will have a T1 line and VPN tunnel to connect the domains and use the same subnet  here's what i understand.... I make our existing exchange 2000 server non-authoritative for  Setup a connector to forward unresolved email addresses to our new email server on the new domain which will be authoritative for  Our external mail routing will be handled by,   ....    I will test this of course,  but if I delete a user in AD, john smith,  and bill smith wants to email him,   the current exchange 2000 server will not be able to resolve john smith's email address ( since he's not in AD) and forward to the new exchange server ( 2003 server)...?    would it be better to just disable the account in AD instead of deleting?  

Please shoot holes in this theory,   i have just started researching this,  feel free to shoot me some links and go back to the drawing board comments, thanks!

I have a client with a 2 location setup running Exchange 2003. They want to install 2010 asap. However, the namespace planning is getting a bit complicated and I want to make sure I've got the right settings. They have a location in the US and UK. They also have a location in Singapore, but they are looking to move those mailboxes to the UK site. There are different SMTP addresses for each site and different OWA names too. For example, they have,, They would like to keep these names as their users have ActiveSync enabled and are used to these names. I have read Henrik Walther's article over and over again, but I still have some questions. I think that article assumes there is one SMTP namespace because he references 1 autodiscover name. But, in this case, I have three SMTP namespaces to work with. If Autodiscover is going to work for ActiveSync, Outlook Anywhere, then I would need to have an external Autodiscover namespace for each SMTP address. I guess you could use CNAME records, but that seems messy. Then he points out that:

"Then why not use a different certificate for each datacenter where the certificate principal name in the EU datacenter is and in the US datacenter? Wouldn’t this fix the Outlook connectivity problem that occurs during cross-site *overs and site failovers? Nope unfortunately it won’t, well at least not for all Outlook client versions."

Well, everyone is using Outlook 2010, so does this mean that I can use two SSL certs with different cert principal names?

This is what I have so far for each datacenter and I need help confirming that this will work. Because of the different SMTP namespaces, I think the behavior will be almost like an Active/Passive setup in which different names will be used. The .local addresses are in there to comply with their internal AD name. They are not in a position to allow the external DNS zones internally yet.

US Side

UK Side

Internally, will be the internal name for the US Exchange Web Services and will be the internal name for UK Exchange Web Services. The CAS Arrays will be and Those names don't need to be on the SSL cert.

Am I on the right track or no? Freakin' complicated!

I have been asked to create a new DAG and also make sure all Outlook Clients will be configured to use COLO as the primary site going forward. All outlook clients are configured with the CAS server internal FQDN from HQ and I need to force them to change to server FQDN in COLO or CAS array FQDN in COLO if I am able to do so. Also external namespaces need to point to COLO site as well.

Here is a description of my current environment.

We currently have a 2 node DAG replicating across 2 AD sites. HQ is currently our Primary site, and COLO is currently our Secondary site. I have been asked to move all of our Exchange Services to the COLO AD site and make that our new Primary site. We are currently running Exchange 2010 SP1 RU6 and the rest of our Topology is set up identical in both sites including an Edge Transport server and a HUB/CAS server as well.
I’ve already created a new DAG with 3 nodes. 2 nodes exist in the COLO (one is Lagged 14 days), and the other node exists in HQ. We currently have different namespaces set up on both CAS servers and each is internet facing with OWA access enabled on both. The only service we have configured to proxy besides IMAP is Activesync since our MDM solution cannot handle the 451 redirect correctly.
I plan on moving all mailboxes to the new DAG soon, but need to make sure I correctly change the DNS entries so the current URLs and, etc. will point to the COLO CAS server instead of the current HQ CAS server.
Also, we do not have a Client Access Array Object in place and I would really like to implement one during this time as well. I plan on migrating every mailbox to the new DAG since the new MB servers are partitioned the way we want them, and built for growth. I know if we are running sp2 ru3 then clients will be prompted to close and reopen outlook to reflect the new CAS (RPC endpoint) server, but sp2 ru3 also has an issue with local move requests behaving incorrectly when a mailbox move is completing. That will leave users disconnected for long periods of time while the local move request fails at cleaning up the old mailbox 6 times.

Currently when I move mailboxes, Clients are still connecting to HQ CAS along with COLO CAS at the same time when I check connection status. From reading all the conflicting technet articles, the only way to force clients to stop using the old CAS server is to shut it down or change the DNS of the internal IP address so the Outlook client will have to look for the other CAS server.

I need some assistance in planning this move. We currently have over 2500 users and are growing rapidly every week. What do you recommend? After reading this post back to myself, I realize I didn't do a great job at describing our environment. If I need to create a diagram to better explain my situation, just let me know. Also, I would be more than happy to export any logs that would help explain things a bit simpler.

Thank you for taking the time to read this. Any advice is much appreciated.


Pre-deployment analyzer report pointing to informational item "NetBios and DNS domain name mismatch". It's informational, not critical or warning. We have Scenario3 as described here

Everything seems to work well.
Q: Our servers can all reach each other, do we still need to follow the steps for a disjoint namespace? Creating a GPO to enable DNS suffix search and modifying the msDS-AllowedDNSSuffixes



I'm having trouble after migrating a primary dns zone to active directory

Before: private namespace is mycompany.local
DC1 - W2K SP4 - DNS (primary) - DHCP - all FSMO roles
DC2 - W2K SP4 - DNS (secondary) - DHCP (different scope from DC1)
No errors in DNS eventlog.

--> I upgraded mycompany.local zone to active directory integrated to get
benefits of multimaster replication:
everything went fine on DC1, so I had a fresh copy of text dns file
transformed into systemMicrosoftDNSmycompany.local branch of AD.
--> I forced AD replication in AD Sites And Services to DC2.
Still good, but DNS on DC2 was still saying "secondary" as its own
description after 1h.

--> I ended up to change secondary zone to active dir integrated on 2nd DC
(I know, this is nonsense), and DNS Mgmt Tool prompted "a zone
mycompany.local already exist in AD, what you want to do: delete zone in AD
and populate with source or take existing": I opted for the second choice.

Panic: zone mycompany.local disappeared from DC2; after restarting DNS on
DC1, even the first one was gone(!)
Panic2: what can I do?
I restored text file and create zone as before (primary on DC1 and secondary
on DC2).

0) everything works fine (DHCP, name resolution, recursion, forwarding, etc.)
1) records still exist in AD;
2) I rebooted DC2 and once again zone mycompany.local was gone; I recreated
the zone as secondary and "transfer from master" works;
3) I'm scared of rebooting DC1.

After all, can I still make a clean reliable DDNS implementation of
mycompany.local in both servers?
AD Integrated would be preferred. Article Q294328 was not so clear to me.
I Need help.
Thank you in advance

We wanted to gradually migrate our existing Exchange2K org to a new
Tree-Domain-Org. Is there a way both our old and new setups can share our
namespace so that an email addressed to addressed to
will find its way to the correct server in either Tree?

I have sbs 2003 premium and NOT using ISA

I am trying to connect a user's outlook through RPC over HTTP, but the
configuration for proxy, and exchange name has the .local namespace which
isn't routable through internet. At least i am thinking this is where my
problem is at. Does anyone have a way that I can hit the server w/ just the
IP or a better solution?

Problem or error: the server could not be found.

Doing the same configuration internally works fine with RPC over HTTP [but
it recognizes the .local namespace]

Is it possible to span 2 domains with a single smtp namespace?

I expect the answer is categorically "no" but, let me explain.

Due to a recent formation into a group structure we are decommissioning two
single forest, single domain networks into a single forest with three
domains. I won’t bore you with the details.

We have built a forest in parallel to the existing ones to accommodate our
needs, but the issues we have come down to dns.

We need to transfer our smtp address from old domain to the new one, but
this automatically conflicts.

We can remove the old exchange server and transfer mx records to point to
the new server and use exmerge to rebuild the mailboxes. This would be the
simplest way but most disruptive as it is the “Big Bang” approach.

Ideally we would like Exchange to span both domains, similar to a load
balancing scenario. This way we can slowly migrate users between domains,
but it would require a bridgehead server to pass e-mail to a second exchange
server on another domain with the same smtp namespace.

Is it possible to set up a connector or a relay to send to a second server
if the mailbox is not homed in the local domain?

I need to receive mail on a exch2003 server from a exch2000 server in another
forest but connected to our network. The other exch server is hosting the
mail for our whole organization. I would like to use the same smtp
namespace. I don't really care about syncing the gal. I have been doing a
little research and was thinking that procedure in article 321721 would do it
for me, even though this article explains the sharing of smtp address spaces
to a foreign mail system. Would this setup work for me also. I also would
like to create the addresses for the exch2000 mail recipients in our address
book so our users wouldn't have to type in the whole address each time. Same
for them also.


I have configured a shared namespace between one Exchange 2000 and one
Exchange 2003 server, according to KB articles 319759 and 321721.

The public MX points at the 2003 server, which should then forward
unresolved recipients over the newly created connector to the Exchange 2000
server. However when I try to send mail to a recipient that exists on the
2000 box, I get the following NDR:

Your message did not reach some or all of the intended recipients.

Subject: test
Sent: 29/8/2005 12:17 PM

The following recipient(s) could not be reached: on 29/8/2005 12:18 PM
There was a SMTP communication problem with the recipient's
email server. Please contact your system administrator.

I have two different exchange organizations with the same smtp namespace
(example.., One org is Ex2k and I'm migrating the users in
phases over to the new org Ex2k3. All emails inbound and outbound route
through the Ex2k org. I have IIFP installed for GAL synch. I have an smtp
connector between both orgs. I also have "This exchange is responsible for
mail delivery" unchecked for both org's default policy.

I get an error message: A configuration error in the e-mail system caused
the message to bounce between two servers or to be forwarded between two
Contact your administrator.

I need to have all mail routed through the Ex2k org, and migrated users need
to send and receive email between the 2 orgs with their email



As an MCSE (2003) and MCSA:Messaging, I like to think I know all I should about Exchange, but this time I need to scream for help!!

I'm a network admin for part of a larger group of companies.

We accept mail for the group smtp namespace (let's call it to our Exchange 2003 Organisation, then forward to the individual companies within the groups, who all have their own unfederated AD Forests/Exchange Organisations. This is done using either DNS SMTP connectors, or direct SMTP connectors.

The receiving servers send as "", but receive using their old company namespace.

The issue we are suffering is that when an e-mail is sent to a list of people "", and those people work for different companies within the group, the following process takes place :

1. We accept the mail
2. We forward the mail to each server containing recipients
3. The receiving servers place the mail in the mailbox of the recipient, then forward to the rest of the recipients
4. These mails come to us for distribution
5. etc until the loop times out and NDRs are issued...

Although the message has been received by the individual recipients, the sender still receives the NDR and bleats!

Is there any way we can expand the recipient list using Exchange, and only forward one copy of each mail to each recipient, so that the receiving server simply places the mail in the recipients mailbox and doesn't try forwarding on?

These mail servers cannot be set as responsible for the namespace or they wouldn't be able to send mail to other users in the group.

Many thanks in advance!!

Environment: Exchange 2010 deployment planning

What do we do from a certificate stand point if we do not own our internal namespace? If we do not own our internal namespace would it be possible for me to provide exchange services (i.e. OWA, Outlook Anywhere, ActiveSync, AutoDiscover, etc) to my internal and external clients. If I have an SSL certificate with only my external namespace listed in the certificate (, and I change my Internal URL for the exchange services (virtual directories) that I want to offer to the URL of my external namespace? Would users be able to access these services internally? Would I run into any issues, if so please give me details.

As far as autodiscover is concerned I will probably use the SRV record method eliminating the need for the autodiscover name to be in the external cert.

Thanks in advance

Hi All.  I recently reconfigured an SMTP name space previously only used by Exchange 2003 so that I could integrate a 3rd party mail server (Zimbra).  I followed the documentation here.  My address space of in the default recipient policy became domain.local.

The way I understand this to work is that Exchange checks the destination address  and if an Exchange mailbox exists, delivers it there, and if not, forwards it to the other mail environment.  This appears to work just fine although I don't like the idea of possible spam and mistyped addresses getting forwarded to the 3rd party system to NDR.

However, I had a problem with RightFax 9.x.  In order to send a fax, a user types the recipient as [FAX:Jane Doe@555-1212].  The problem is that when these are sent in the system, the recipient address becomes IMCEAFAX-Jane which are not valid mailboxes.  They never get routed through the Rightfax connector and eventually NDR with the looping 4.4.6.  According to message tracking, it seems like the Exchange org realizes it's a fax and sends it to the Exchange server with the RightFax connector which then sends it to the bridgehead server in the new shared namespace connector which forwards it to the 3rd party which sends it back and it loops like this over and over until the 15 hop count is reached.

Now I am assuming that what is happening here is that initially it's recognized as a fax and forwarded to the server where the RightFax connector is but once there, the Exchange categorizer evaluates its "rules" and determines that the shared name space connector takes priority and re-routes it that direction.  It's as if the shared name space connector has a priority of 1 and the Rightfax connector has a priority of 2 although it doesn't appear you can set this?

Any ideas?  I had to completely delete the new connector in order to allow the faxes to get routed properly again until I can find a course of action for this issue.

One of our associate offices is running Exchange 2003 server and has the domain (in line with our corporate standards). They are going to open another office that's not going to be connected via a WAN and want to set-up a new namespace for the new office. I'm not currently running Ex2003 (will be soon, though), so I want to check something with the experts!

Rather than using a different namespace, I want to get them to configure a SMTP connector between the existing Exchange system and that of the new office (which I believe will also be running Exchange) and then un-check the box for the domain on the existing system for "'This Exchange Organisation is responsible for all mail delivery to this address". As I understand it, mail received which is not destined for someone on the local Exchange org will then be relayed to the new office.

I'm assuming that the new office can then be configured to relay to a smart host (the existing office) for sending, so that the current addressing format is preserved.

Does this make sense? My only concern at the moment is what happens to NDRs.



I have setup cross forest free busy for two forests using unique smtp namespaces, which works fine. Users are able to open the mail enabled forest contact from the GAL and can see the detailed freebusy calendar information.

I now need to share the smtp namespace. I understand that I can set this as a secondary namespace and use address rewriting on an edge transport, but we have no edge server and no plans to add one yet.

I have added a local autodiscover xml file with redirection on a client on forest A to point to forest b and this creates a successful 'test-email autoconfiguration' test. However opening the calendar information fails with 'the recipient server could not be contacted'

Does anyone have any ideas? I've toyed with the idea it's a certificate configuration error, but I'm not sure?

The certificate is signed by an internal cert auth
The forests are trusted and galsync is working fine.

Many thanks for anyone's help in this.


I'm configuring Exchange 2007 (SBS 2008) and could do with some clarification on setting up a shared namespace.

I have my own domain and am also part of another, , that is shared with another company. is hosted on my server and by an ISP. My default email address is rather than (for historical reasons).

I've set Exchange to be authoritative for but am unsure whether to set as an internal or external relay. I have some mailboxes on my server and there are some at the ISP but the users of the ISP held mailboxes don't have, or require, access to my server. If I set it as an external relay then the domain isn't listed as an acceptable domain in the Email Address Policy wizard and if I add the domain address manually the wizard fails with an error stating that the domain is not an accepted domain (so an accepted domain isn't necessarily accepted!).

The next area of confusion for me is to whether the Send Connector for the shared domain should be specified as Custom, Internal or Internet. Email from internal addresses to external addresses will be sent via the ISP's smarthost so I'm guessing that I should specify Internet but, having looked through the settings for each type, does it actually matter which type I choose as all of them can be configured to use a smarthost?

Many thanks in anticipation for any assistance provided.

Jerry Cope
