Detecting LDAP filters that could cause Exchange 2007 setup problems


Some customers have experienced a problem where the following error is generated when installing the Mailbox role on an Exchange 2007 server (typically the first Exchange 2007 Mailbox server in the org):

Exchange server address list service failed to respond

You might also see events logged in the Application log of the server. For full symptom details, please see KB 935636.

The above error is usually caused by setup failing to parse an LDAP filter properly. We're aware of two types of LDAP filters that cause this problem (if you have seen other filters cause it, please let us know!).

The first is a filter where an attribute name is immediately preceded by a logical operator:

(&attribute=value)

Although Active Directory itself has no problem ignoring the unnecessary '&', Exchange 2007 setup doesn't like this at all.

The other type of filter that causes the problem is a DN-valued attribute containing parentheses in the value:

(homeMDB=CN=Mailbox Store (SERVER1),CN=First Storage Group,CN=...)

The parentheses surrounding the server name in the value confuse setup, causing the same behavior.

Fortunately, these problems are easy to fix. For the first, you can simply remove the unnecessary '&' character from the filter by using ADSI Edit to change the purportedSearch attribute on the policy. For the second, you can rename the store in Exchange System Manager so that it no longer contains parentheses, and then change the filter to reflect the new name.

To help identify problem filters, I've written a little script that will check the filters on all address lists and recipient policies for these two problems. You can run this on any machine in the forest where PowerShell has been installed. There's no need to install any Exchange components, as it doesn't rely on them at all, so you can run this before you even start deploying Exchange 2007.

Please note: this script is not officially supported by Microsoft Support Services.

The script takes no parameters. Just change into the folder where you've put the script and run it:

PS C:\Users\administrator\Desktop> .\CheckFilters

The script is not signed, so you may need to adjust your execution policy using Set-ExecutionPolicy in order to allow it to run. The output will look like this:

Evaluating: Default Policy
Filter is good.
Evaluating: Test Policy
Filter is good.
Evaluating: Default Global Address List
Filter is good.

If it finds a problem filter, it will tell you what problems it found on that filter:

Evaluating: Lab2 Mailboxes
Warning: a homeMDB value contains parentheses.
Warning: an attribute name is immediately preceded by a logical operator.
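The two checks described above can be sketched in a few lines of PowerShell. This is an added example, not the CheckFilters script from this post: the function name Test-LdapFilter and the sample filters are constructed for illustration, it works on filter strings rather than querying Active Directory, and it assumes '|' and '!' should be treated the same way as the '&' shown earlier.

```powershell
# Added example, not the CheckFilters script from this post.
# Test-LdapFilter and the sample filters are constructed for illustration.
function Test-LdapFilter {
    param([string]$Filter)
    $warnings = @()

    # Check for a homeMDB value that contains parentheses. The value ends at
    # the first ')' that does not close a '(' opened inside the value itself.
    $marker = 'homeMDB='
    $found = $false
    $pos = $Filter.IndexOf($marker, [StringComparison]::OrdinalIgnoreCase)
    while ($pos -ge 0 -and -not $found) {
        $i = $pos + $marker.Length
        $depth = 0
        while ($i -lt $Filter.Length) {
            $c = $Filter[$i]
            if ($c -eq '(') { $found = $true; $depth++ }
            elseif ($c -eq ')') {
                if ($depth -eq 0) { break }   # end of this filter item
                $depth--
            }
            $i++
        }
        $pos = $Filter.IndexOf($marker, $i, [StringComparison]::OrdinalIgnoreCase)
    }
    if ($found) { $warnings += 'a homeMDB value contains parentheses.' }

    # Check for "(&attribute=value)": an operator followed directly by an
    # attribute name instead of an opening parenthesis.
    if ($Filter -match '\(\s*[&|!]\s*[A-Za-z]') {
        $warnings += 'an attribute name is immediately preceded by a logical operator.'
    }
    return $warnings
}

# Constructed sample filters (name, filter string).
$samples = @(
    @('Sample good filter', '(&(objectClass=user)(homeMDB=CN=Mailbox Store,CN=First Storage Group,CN=...))'),
    @('Sample bad filter', '(&homeMDB=CN=Mailbox Store (SERVER1),CN=First Storage Group,CN=...)')
)
foreach ($s in $samples) {
    "Evaluating: $($s[0])"
    $w = @(Test-LdapFilter $s[1])
    if ($w.Count -eq 0) { 'Filter is good.' } else { $w | ForEach-Object { "Warning: $_" } }
}
```

In a real forest the strings to test would be the purportedSearch values of the address lists and recipient policies.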

Hopefully this script will make it easier to identify the problem filters when setup fails, and since it can also be used to check for these problems ahead of time, you can get your filters fixed before you ever run setup, avoiding the problem entirely!

To download the script itself, please go here.

- Bill Long


Comments (3)
  1. Matt says:

    You use the homeMDB value in your example. How do you reconcile that with the fact that E2007 requires you to use an Administration Group name of “Exchange Administrative Group (FYDIBOHF23SPDLT)” which, obviously, contains parentheses?

  2. schmihe1 says:

    hmm,

    ok, if a storage group has a carp name, containing parentheses, we can change it

    but this other case you mention, is it possible to remove the "&" sign from the filter without causing problems in the Exchange 2003 environment ?

    Maybe correcting an LDAP filter is even better than let a wrong sign in ?

    But who is adding this wrong character ? assume Exchange 2003 himself right ?

    (obviously a bug then ?)

  3. bday says:

    Ouch, we’ve got 200 mail stores with parentheses in the names. Time to check the address list filters…. :)
