Consider the following scenario:
In this scenario, you receive the following error:
The action 'Set-DistributionGroup', 'ModerationEnabled', can’t be performed on the object 'Office365' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.
The issue occurs because Exchange schema extension on-premise AD server is required if you activate DirSync service and no Exchange server is installed in your on-premises organization.
To resolve the issue, install Exchange schema extension on-premise AD server, and then edit/sync “authOrig” attribute which is a list of senders that are allowed to send to the distribution group. To do this, follow the steps below:
1) Obtain the Exchange Server 2010 DVD
2) Copy to or place the DVD in the Schema Master or Member Server of the Forest Root Domain.
3) Login as an account with the appropriate rights
4) Run the following Schema Update commands in the Forest Root Domain
a. It is highly recommend this be run from the Schema Master DC directly.b.
Using the Exchange 2010 DVD run the following commands in the order specified in the following table. Force replication in between each command.
Schema and Enterprise Admin
c. Check the following log to verify there were no errors.
d. Force replication, and verify updates are successful.
5) Create the DL in the local Active Directory
6) If you have Exchange installed, assign the permissions to the DL.
7) If you do not have Exchange installed, but do have the schema extensions, you will need the following attributes configured (all visible via ADSIEdit):
a. authOrig: List of senders that are allowed to send to the DL (This attribute is your requirement)
b. unAuthOrig: List of senders to BLOCK from sending to the DL
c. dlMemRejectPerms: Used in place of unAuthOrig when using SG’s to indicate senders to reject
d. dlMemSubmitPerms: Used in place of authOrig when using SG’s to indicates senders to approve
e. msExchRequireAuthToSendTo: Used to limit senders to only Authenticated users (internal) to be able to send to this DL.
NOTE: You will need to specify the DN of the objects added to these fields.
8) You should be able to use Contacts to allow senders from external to send to the DL, but will be prevented if msExchRequireAuthToSendTo is set to True.
9) Perform force directory synchronization.
Synchronize your directories
Office 365 Exchange Online post deployment