Microsoft KB Archive/297801



Troubleshooting Check Name errors

Article ID: 297801

Article Last Modified on 12/3/2007



APPLIES TO

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition



This article was previously published under Q297801

SUMMARY

This article describes typical troubleshooting steps that you can use to determine the reason for the following client error message:

The name could not be resolved. The name could not be matched to a name in the address list.

Note This article assumes that you are familiar with Ldp.exe.

MORE INFORMATION

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

To troubleshoot this issue, follow these steps.

Note In this procedure, the "user account" is the Active Directory user account whose name cannot be resolved, the "administrator account" is any account in the Domain admins group, and "user" refers to the user whose account you are logged on as.

  1. Verify that the Active Directory account that you use either to create the client profile or to log on to the mailbox has been mailbox-enabled.

    Verify that the account that you use to log on to the workstation or the account for which you enter credentials in the Outlook Enter password dialog box is mailbox-enabled. If this account is not mailbox-enabled, the account cannot check names.

    To make this account mailbox-enabled, start the Active Directory Users and Computers snap-in, right-click the user account, click Exchange Tasks, and then click Create mailbox.
  2. Verify that the user can use the Active Directory account to view sibling objects in the Users container (or in the Active Directory organizational unit that contains the user account). To do so:
    1. Start Ldp.exe, and then type the user credentials of the account that is not resolving to bind to port 389 of a domain controller (type the user credentials in the following format: domain/user/password).
    2. Find the user in the User container or its parent organizational unit.

    The user must be able to find themselves in their organizational unit while they are bound to the domain controller with their credentials. If Ldp.exe reports that there are "no children" in the organizational unit, the computer may not have the appropriate permissions.

    To resolve this issue:

    1. Start the Active Directory Users and Computers snap-in, click View, and then make sure that Advanced Features is checked.
    2. Right-click Users, click the Security tab, and then click the Authenticated Users group.
    3. Verify that Read permissions are assigned to either the Users container or to the organizational unit where the accounts are located.
  3. Verify that the user account has been stamped by the Recipient Update Service after you mailbox-enable the user account. To do so, start Ldp.exe, use the user credentials to bind, and then verify that the following attributes have been populated to the account:
    • showInAddressBook
    • textEncodedORAddress
    • msExchUserAccountControl
    • msExchALObjectVersion
    • msExchPoliciesIncluded
    If these attributes are populated, the Recipient Update Service has stamped this user account. If these attributes have not been populated, troubleshoot the Recipient Update Service and the recipient policies to determine why the attributes have not been stamped.
  4. Verify that the user can see both the Global Address List objects that are listed in the showInAddressBook attribute and the members of the Global Address List using Ldp.exe. To do so:
    1. Open the showInAddressBook attribute for the user (see step 3), copy the distinguished name values for the Global Address List objects, and then paste these values to a Microsoft Notepad file.
    2. Start Ldp.exe, and then use the user credentials of the account that is not resolving to bind to port 389 of a domain controller.
    3. On the View menu, click Tree.
    4. Paste the distinguished name of one of the Global Address List objects in the Base Dn box.
    5. Double-click the Global Address List object that is displayed.

      The user should be able to see themselves as child objects.

    If Ldp.exe reports that there are "no children," the Global Address List object may not have the appropriate permissions. A user must be able to see at least one Global Address List object and its members. To resolve this issue, start Exchange System Manager, and then make sure that the user has permissions to view the Global Address List object's members. Make sure that the Authenticated Users group has List Content permissions.

    Note If you enter an incorrect distinguished name, Ldp.exe reports that there are "no children." Make sure that you enter the correct distinguished name.
  5. Verify that the user can see themselves and their attributes in the global catalog. To do so, start Ldp.exe, and then use the user's credentials to bind to the global catalog on port 3268. If the user or the following attributes are not visible, you may be experiencing a replication latency or a property promotion problem.
    • mail
    • proxyAddresses
    • showInAddressBook

    For more information about replication latency or property promotion problems, click the following article number to view the article in the Microsoft Knowledge Base:

    248717 How to modify attributes that replicate to the Global Catalog

  6. Log on as an administrator, and then verify that there are no duplicates in the addressBookRoots attribute of the Microsoft Exchange object under Domain,cn=Configuration,cn=Services.

    You cannot specify both a parent container and a child of that parent as an address book root. For example, if you enter All Address Lists as an address book root, it has to be the only address book root. All your other address lists are listed under All Address Lists; if you enter both the parent object and child objects that exist under this parent object, you enter the child objects more than once. When you do so, Check Names and all other Global Address List and NSPI operations do not succeed.
  7. Verify that Microsoft Exchange Server 5.5 is not installed on the global catalog server.
  8. If the user who is checking names is an administrator who is checking names for another user, confirm that the administrator account that is being used is mailbox-enabled.

    The administrator account and the user that is being checked must be members of a common Global Address List. (The showInAddressBook attribute for both users must contain one common Global Address List object.) In addition, the common Global Address List object must be the administrator's Global Address List.
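
The checks in steps 3 and 5 can also be scripted. The following is an added example, not part of the original article: it binds with the affected user's own credentials to a domain controller on port 389 and to a global catalog on port 3268 and reports which of the listed attributes that user cannot read. The host names, the search base, the account name jdoe and the function name Test-RecipientAttributes are assumptions.

```powershell
# Added example; not part of the KB article. Host names, the search base, the
# account name and the function name are hypothetical placeholders.
function Test-RecipientAttributes {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port,         # 389 = domain controller, 3268 = global catalog
        [Parameter(Mandatory)] [string] $SearchBase,   # for example DC=example,DC=com
        # Restrict the name to characters that cannot alter the LDAP filter.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._ -]+$')] [string] $SamAccountName,
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential,
        [Parameter(Mandatory)] [string[]] $Attributes
    )
    # Bind as the affected user, the same way the article binds with Ldp.exe.
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://${Server}:${Port}/${SearchBase}",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    try {
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
        foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
        $hit = $searcher.FindOne()   # $null when the bound user cannot see the object
        $missing = if ($hit) {
            @($Attributes | Where-Object { -not $hit.Properties.Contains($_) })
        } else { $Attributes }
        [pscustomobject]@{
            Endpoint = "${Server}:${Port}"
            Visible  = [bool]$hit
            Missing  = $missing -join ', '
        }
    } finally {
        $searcher.Dispose(); $root.Dispose()
    }
}

$cred  = Get-Credential   # enter the account whose name does not resolve
$step3 = 'showInAddressBook', 'textEncodedORAddress', 'msExchUserAccountControl',
         'msExchALObjectVersion', 'msExchPoliciesIncluded'
$step5 = 'mail', 'proxyAddresses', 'showInAddressBook'
Test-RecipientAttributes -Server 'dc01.example.com' -Port 389 -SearchBase 'DC=example,DC=com' `
    -SamAccountName 'jdoe' -Credential $cred -Attributes $step3
Test-RecipientAttributes -Server 'gc01.example.com' -Port 3268 -SearchBase 'DC=example,DC=com' `
    -SamAccountName 'jdoe' -Credential $cred -Attributes $step5
```

An empty Missing column on port 389 together with missing values on port 3268 points at the replication latency or property promotion problem that step 5 describes.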

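The rule in step 6 (no duplicates, and no address book root that is a child of another listed root) can be checked mechanically once the addressBookRoots values have been copied out of Ldp.exe. The following is an added example, not part of the original article; the function name Find-AddressBookRootOverlap and the sample distinguished names are constructed, and the values are assumed to be in the form the directory returns them, with no padding around the component separators.

```powershell
# Added example; not part of the KB article. The function name and the sample
# distinguished names below are constructed for illustration.
function Find-AddressBookRootOverlap {
    param([Parameter(Mandatory)] [string[]] $Roots)
    # Distinguished names compare case-insensitively, so normalise case once.
    $norm = @($Roots | ForEach-Object { $_.Trim().ToLowerInvariant() })
    for ($i = 0; $i -lt $norm.Count; $i++) {
        for ($j = 0; $j -lt $norm.Count; $j++) {
            if ($i -eq $j) { continue }
            $parent = $norm[$i]; $child = $norm[$j]
            if ($child -eq $parent) {
                # Report each duplicate pair once.
                if ($i -lt $j) {
                    [pscustomobject]@{ Problem = 'Duplicate'; Entry = $Roots[$j]; ConflictsWith = $Roots[$i] }
                }
                continue
            }
            if (-not $child.EndsWith(",$parent", [System.StringComparison]::Ordinal)) { continue }
            # A comma preceded by an odd number of backslashes is part of a
            # value, not a component separator, so it is not a real parent match.
            $head = $child.Substring(0, $child.Length - $parent.Length - 1)
            $escaped = ($head -match '(\\+)$') -and ($Matches[1].Length % 2 -eq 1)
            if (-not $escaped) {
                [pscustomobject]@{ Problem = 'ChildOfListedRoot'; Entry = $Roots[$j]; ConflictsWith = $Roots[$i] }
            }
        }
    }
}

# Constructed sample values: the third entry sits under the first one.
$base = 'CN=Address Lists Container,CN=Example Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'
$sample = @(
    "CN=All Address Lists,$base",
    "CN=All Global Address Lists,$base",
    "CN=Sales,CN=All Address Lists,$base"
)
Find-AddressBookRootOverlap -Roots $sample | Format-List
```

With the sample values the function reports one ChildOfListedRoot finding for the Sales entry, which is the kind of entry step 6 says to look for.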

For more information about name resolution errors, click the following article numbers to view the articles in the Microsoft Knowledge Base:

309622 Clients cannot browse the global address list after you apply the Q299687 Windows 2000 security hotfix


251812 Cannot create MAPI profile in Outlook 2000, Japanese version


927612 You are repeatedly prompted to enter your credentials when you try to connect to an Exchange 2003 mailbox by using Outlook 2007



Additional query words: reviewdocid XADM checkname

Keywords: kbinfo KB297801