Once a site has no Exchange 5.5 servers in it, that old "Highest Priority" policy based on legacyExchangeDN isn't needed anymore. As people decommission their 5.5 servers and move to pure Exchange ...
Updated Jul 01, 2019
Version 2.0
Blog Post
There are three parts to an LDAP query: 1) the root of the search (the top container where the search will start), 2) the scope of the search (Base, One Level, or Subtree), 3) the filter. When you can specify all three of these, you can build a query for pretty much anything. For instance, to return all users in a single OU, you just specify that OU as the search root, you set your scope to One Level (so that it only returns users in that OU and doesn't traverse subcontainers), and you set the filter to something like (objectClass=user).
Unfortunately, recipient policies do not let you specify all three of these parameters. For recipient policies, the root of the search is always the root of the domain that the RUS points to. The scope of the search is always Subtree, so it traverses every child container. The only thing you get to specify is the filter. It is impossible to distinguish between OU's based on filter alone (unless you populate an attribute on the users that will signify what OU they are in).
You may say, "but every user has a distinguishedName attribute, and that attribute shows what OU they're in." True, but you can not do substring searches on DN-valued attributes in the Active Directory. For instance, (distinguishedName=*,OU=myOU,DC=domain) is not a valid LDAP query.
So now you may say, "Well that's dumb, why doesn't Active Directory support substring searches against DN-valued attributes?" RFC 2251 in section 4.1.9 refers to X.500 for what the matching rules do. A DN-valued attribute follows the distinguishedNameMatch matching rule, defined in X.501 section 12.5.2. This matching rule does matches of whole DNs, which is what AD implements.
The reason this works for query-based DG's is that they allow you to specify the root of the search. They still don't let you specify the scope, which will always be a Subtree search.
Unfortunately, recipient policies do not let you specify all three of these parameters. For recipient policies, the root of the search is always the root of the domain that the RUS points to. The scope of the search is always Subtree, so it traverses every child container. The only thing you get to specify is the filter. It is impossible to distinguish between OU's based on filter alone (unless you populate an attribute on the users that will signify what OU they are in).
You may say, "but every user has a distinguishedName attribute, and that attribute shows what OU they're in." True, but you can not do substring searches on DN-valued attributes in the Active Directory. For instance, (distinguishedName=*,OU=myOU,DC=domain) is not a valid LDAP query.
So now you may say, "Well that's dumb, why doesn't Active Directory support substring searches against DN-valued attributes?" RFC 2251 in section 4.1.9 refers to X.500 for what the matching rules do. A DN-valued attribute follows the distinguishedNameMatch matching rule, defined in X.501 section 12.5.2. This matching rule does matches of whole DNs, which is what AD implements.
The reason this works for query-based DG's is that they allow you to specify the root of the search. They still don't let you specify the scope, which will always be a Subtree search.