Microsoft KB Archive/818190



An LDAP filter error causes the Exchange Recipient Update Service not to stamp newly created users

Article ID: 818190

Article Last Modified on 10/25/2007



APPLIES TO

  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition



This article is a consolidation of the following previously available articles: 818190 and 888827.

SYMPTOMS

A Lightweight Directory Access Protocol (LDAP) filter error causes the Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 Recipient Update Service not to stamp newly created users with e-mail addresses. Therefore, new users cannot access their Exchange mailboxes. Additionally, they cannot send and receive e-mail messages. One or more of the events that are listed in the "More Information" section may appear in the event logs.

CAUSE

LDAP queries are used in filter rules to specify the recipient membership of address lists and recipient policies. A malformed filter can cause the Recipient Update Service not to process the recipient membership policy. As a result, the attributes of new user accounts are not updated as expected, and new users cannot access their Exchange mailboxes or send and receive e-mail messages.

RESOLUTION

To resolve this problem, correct or remove the LDAP query that is failing. The "More Information" section contains lists of events to help you locate the incorrect filter.

For additional information about how to manage address lists in Exchange 2000, see the Exchange 2000 Recipient Management guide. To obtain this guide, visit the following Microsoft Web site:

MORE INFORMATION

The event logs can help you locate the problem filter. When the filter error occurs, the following events may be logged in the Application event log on the Exchange computer:

MSExchangeAL Event ID 8011

Event Type: Information
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8011
Computer: ExchangeServerName
Description: Searching directory distinguished name at base '<GUID=GUID>' using filter '(|(objectCategory=user)(objectCategory=group))(|(extensionAttribute8=*attributeValue*)(mailNickname=*user*)))' and requesting attributes ObjectClass; ReplPropertyMetaData.

Note The following LDAP query, which appears in the preceding event description, is not valid:


(|(extensionAttribute8=*attributeValue*)((mailNickname=*user)))


In this particular case, the correct filter is:

(|(extensionAttribute8=*attributeValue*)(mailNickname=*user))


The incorrect filter contains an extra pair of parentheses around "(mailNickname=*user)".
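
The parenthesis error described above can be caught before a filter is saved to an address list or recipient policy. The following Python sketch is an added example, not part of the original Microsoft article: the function names are hypothetical, it checks syntax only, and it assumes that whitespace between filter components is acceptable, as in the 8020 event filter quoted in this article.

```python
import re

# attribute, then =, ~=, >= or <= (":=" is covered by ':'), then a value without raw parentheses
ITEM = re.compile(r"[A-Za-z][\w.;:-]*\s*(?:=|~=|>=|<=)[^()]*")
EVENT_FILTER = re.compile(r"using filter '([^']*)'")
BAD = "(|(extensionAttribute8=*attributeValue*)((mailNickname=*user)))"  # from this article
GOOD = "(|(extensionAttribute8=*attributeValue*)(mailNickname=*user))"   # from this article

def _ws(s, i):  # assumption: whitespace between components is tolerated
    while i < len(s) and s[i].isspace():
        i += 1
    return i

def _parse(s, i):
    """Parse one '(' ... ')' filter starting at s[i]; return the index after it."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i = _ws(s, i + 1)
    op = s[i:i + 1]
    if op in ("&", "|"):                      # and / or: one or more nested filters
        i, count = _ws(s, i + 1), 0
        while s[i:i + 1] == "(":
            i, count = _ws(s, _parse(s, i)), count + 1
        if count == 0:
            raise ValueError(f"'{op}' has no operands at offset {i}")
    elif op == "!":                           # not: exactly one nested filter
        i = _ws(s, _parse(s, _ws(s, i + 1)))
    else:                                     # simple item such as mailNickname=*user
        m = ITEM.match(s, i)
        if not m:
            raise ValueError(f"expected attribute=value at offset {i}")
        i = m.end()
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def check_filter(text):
    """Return None for a well-formed filter, else a description of the first error."""
    s = text.strip()
    try:
        end = _parse(s, 0)
    except ValueError as exc:
        return str(exc)
    return None if end == len(s) else f"unexpected text after filter at offset {end}"

def check_event(description):
    """Extract the filter from an MSExchangeAL event description and check it."""
    m = EVENT_FILTER.search(description)
    return check_filter(m.group(1)) if m else "no filter found in description"
```

Calling `check_filter(BAD)` reports the offset of the stray opening parenthesis, and `check_event` accepts the Description text of an 8011 or 8020 event copied from the Application event log.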




The following two events indicate that the filter in the preceding MSExchangeAL 8011 event is incorrect:

MSExchangeAL Event ID 8018

Event Type: Information
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8018
Computer: ExchangeServerName
Description: Abandoning request '54415' on directory distinguished name. DC=domain,DC=domain name,DC=com.


MSExchangeAL Event ID 8007

Event Type: Information
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8007
Computer: ExchangeServerName
Description: Closing LDAP session to directory distinguished name . DC=domain,DC=example,DC=com.



The following events may also appear in the Application Event Log of the Exchange computer:

MSExchangeAL Event ID 8020

Event Type: Information
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8020
Computer: ExchangeServerName
Description: LDAP Search of directory computername.example.com at base 'distinguished name' using filter '(& (mailnickname=*) (| (objectCategory=publicFolder) ))' was unsuccessful. Directory returned the LDAP error:[0x51] Server Down.


MSExchangeAL Event ID 8025

Event Type: Warning
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8025
Description: LDAP Get Next Page call on directory Files.Example.com for pagesize 20, was unsuccessful with error:[0x57] Filter error.

Note The hexadecimal error 0x57 maps to the LDAP error 87. The LDAP error 87 corresponds to the LDAP_FILTER_ERROR error.

If LDAP Interface Events diagnostics logging is set to at least "2" for the NTDS service on the Domain Controller used to process the Recipient Update Service requests, either of the following events may appear in its Directory Service Event Log.

NTDS LDAP Event ID 1216

Event Type: Warning
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1216
Computer: DomainControllerName
Description: Internal event: An LDAP client connection was closed because of an error.
Client ID: 22857
Additional Data
Error value: 87


NTDS LDAP Event ID 1216

Event Type: Warning
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1216
Computer: DomainControllerName
Description: The LDAP server closed a socket to a client because of an error condition, 87. (Internal ID c0603b2::30549).

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry


The LDAP Interface Events diagnostics logging is specified at the following registry location:

HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics


For additional information on Windows Server diagnostics logging, click the following article number to view the article in the Microsoft Knowledge Base:

314980 How to configure Active Directory diagnostic event logging in Windows Server


