Restricting Message Sizes in Exchange Server to Low Bandwidth Sites

Exchange Server has a series of different settings for controlling the maximum message size into and around an Exchange organization, but what about when parts of your organization have a considerably lower bandwidth than other parts, for example offices with servers in rural or hard to reach locations and require satellite WAN links or ships that are at sea.

For these and other examples it has been possible to limit the message size sent and from these limited bandwidth sites since Exchange Server 2007 SP1 by setting the MaxMessageSize property in Set-AdSiteLink

Set-AdSiteLink TitanicSiteLink -MaxMessageSize 2MB

Once an email is sent to a recipient in the target site Exchange Server (as part of the Categorizer component) determines the least cost route and sends the email. If the least cost route includes the site link on which you have limited your bandwidth then the email will be returned to the sender as an NDR if it exceeds the MaxMessageSize limit. If you only have one AD Site Link to your linited bandwidth site then Exchange routing will have to use that link. If you have more than one AD Site Link make sure they are all set to the limited size to that whatever the calculated least cost route is, the size limit will be enforced.

The only problem with this is that Exchange does not have the correct permissions within the Active Directory to be able to configure this setting. Therefore if you try the above Exchange Management Shell cmdlet it will fail with the following error:

Active Directory operation failed on dc-name. This error is not retriable. Additional information: Insufficient access rights to perform the operation.

Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    + CategoryInfo          : NotSpecified: (0:Int32) [Set-AdSiteLink], ADOperationException

    + FullyQualifiedErrorId : ADC691A4,Microsoft.Exchange.Management.SystemConfigurationTasks.SetAdSiteLink

The issue comes down to the fact that the Exchange Trusted Subsystem user account does not have permissions to the delivContLength attribute on the AD site link that you are trying to change. Therefore to make this setting in Exchange you need first to set the correct permissions in AD.

To set the correct permissions open Active Directory Sites and Services (if running Windows 2008 R2 or later) or ADSIEdit if using an earlier version of Windows. Expand Sites and Services to find Sites > Inter-Site Transports and right-click the IP container and choose Properties and change to the Security tab:


In ADSIEdit connect to the Configuration well known Naming Context and expand to CN=Configuration… > CN=Sites > CN=Inter-Site Transports and right-click CN=IP. Again select Properties and change to the Security tab:


Once in the Security tab click Advanced, click Add and type Exchange Trusted Subsystem. In the Permission Entry for IP dialog that appears once you click OK select the Properties tab and then select Descendant Site Link Objects in the Apply To box:


In this dialog find the Write delivContLength permission and click Allow.

Click OK enough times to close all the dialog boxes and windows and you have now granted Exchange the permission to set the MaxMessageSize property on any (and all future) AD site links that you have or may create.



, , , ,




Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.