Exchange 2007 and MS08-003 on DCs: LDAP error 5005 UNABLE_TO_PROCEED


EDIT: This post has been updated on 6/19/2008 - the Resolution section has been updated.

Issue:

Exchange support has become aware of an issue where Exchange 2007 SP1 administrators are receiving an error message in the Exchange Management Console after applying the February round of updates from Microsoft.

You may also receive an error in Exchange Management Shell when running a command that uses the -sortby option:

Get-Mailbox : Active Directory operation failed on <domain name>. This error could have been caused by user input or by the Active Directory server being unavailable. Please retry at a later time. Additional information: Additional information: The directory service encountered an unknown failure. Active directory response: 000020EF: SvcErr: DSID-020A0F27, problem 5005 (UNABLE_TO_PROCEED), data 87
.
At line:1 char:12
+ get-mailbox <<<< -ResultSize unlimited -SortBy "alias"

Systems Affected:

Exchange 2007 SP1 - Exchange Management Console and Exchange Management Shell
Exchange 2007 RTM - Exchange Management Shell only

DC running Windows 2003 SP2 + MS08-003
DC running Windows 2003 SP1 + MS08-003
DC running Windows 2008 RTM

Cause:

This issue is being caused by the change that was made with the installation of MS08-003 to prevent a malformed search from crashing LSASS on a Windows 2003 Domain controller. That same change is already implemented in Windows 2008 RTM. The change is unexpectedly catching some legitimate search cases being performed by the Exchange Management Console / Management Shell.

Mitigating Factors:

This issue will only occur if the total size of the search you are doing exceeds the size of the domain controller's temp table, you request that the search be sorted, and you request more than one page of the search be returned. By default the temp table has a maximum of 10,000 objects.

This issue will not occur at all if you have less than 10,000 recipients in your domain.

PowerShell commands will only throw this error when using the -sortby switch.

Resolution:

Microsoft has released hotfixes for this issue. You can obtain more information on the issue and the fix from the following KB articles:

Windows 2003:
LDAP queries fail for large result sets after security update MS08-003 is applied on a Windows Server 2003-based computer
http://support.microsoft.com/?id=949876

Windows 2008:
953235  MS08-035: Vulnerability in Active Directory could allow denial of service
http://support.microsoft.com/default.aspx?scid=kb;EN-US;953235

Workarounds:

Until you are ready to apply the above mentioned fixes, this issue can be worked around using one of the following methods:

Method 1: Exchange Management Console
In the Exchange Management console use the filter options to filter the maximum results to something less than 10,000. This can be done by creating a filter similar to the following:

In this method you will still get the error when you first start the console, but you will be able to use the console going forward by filtering to a smaller set of results.

Method 2: Exchange Management Console
Reduce the number of entries being returned to lower than the max page size. The default value for the max page size is 1000. Changing the "Maximum Number of Recipients to Display" to 998 will generally prevent the error from occurring. To learn more about this setting please go here.

This will prevent you from getting the error when coming into the Exchange Management Console. You may also have to use Method 1 to filter the results so that you can get the objects returned that you want to manage.

Method 3: Exchange Management Shell
You can remove the -sortby switch and use sort-object to sort the results after they are returned (e.g. get-mailbox -resultsize unlimited | sort-object -property alias).
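The following is an added example, not code from the original post: it combines the Mitigating Factors above (the 10,000-object temp table) with Method 3 into a wrapper that tries the server-side -SortBy first and falls back to Sort-Object only when the DC returns the LDAP 5005 UNABLE_TO_PROCEED failure. It assumes an Exchange 2007 Management Shell session; the function name Get-MailboxSortedSafe and its parameters are my own.

```powershell
# Added example (not part of the original post). Assumes an Exchange 2007
# Management Shell. Get-MailboxSortedSafe and its parameters are made up here.
function Get-MailboxSortedSafe {
    param(
        [string]$Property = 'Alias',
        [int]$TempTableLimit = 10000   # default DC temp-table size given in the post
    )

    # Mitigating factor: the error needs more objects than the DC temp table
    # holds, so warn the admin up front why the fallback may trigger.
    $recipientCount = (Get-Recipient -ResultSize Unlimited | Measure-Object).Count
    if ($recipientCount -ge $TempTableLimit) {
        Write-Warning ("{0} recipients >= temp table limit {1}; " +
                       "server-side -SortBy may fail with LDAP 5005.") -f
                       $recipientCount, $TempTableLimit
    }

    try {
        # Preferred path: let the DC sort. -ErrorAction Stop makes the
        # cmdlet error catchable. Assigning to a variable instead of streaming
        # matters: the failure occurs when the second page is requested, so a
        # streamed pipeline would have already emitted the first page and the
        # fallback below would then duplicate those objects.
        $sorted = @(Get-Mailbox -ResultSize Unlimited -SortBy $Property -ErrorAction Stop)
        $sorted
    }
    catch {
        # Method 3: fall back to client-side sorting only for this specific
        # LDAP failure; anything else (permissions, connectivity) is re-thrown.
        if ($_.Exception.Message -match 'UNABLE_TO_PROCEED|problem 5005') {
            Write-Warning 'DC rejected the sorted search (MS08-003 behaviour); sorting client-side.'
            Get-Mailbox -ResultSize Unlimited | Sort-Object -Property $Property
        }
        else {
            throw
        }
    }
}

# Usage:
# Get-MailboxSortedSafe -Property Alias | Select-Object Alias, Database
```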

We recommend that you DO NOT remove MS08-003 from your Domain Controllers to work around this issue. This issue only impacts the GUI and is easily worked around; no Exchange functionality is impaired by this problem.

We will update this post when we get any new information on this.

- Matthew Byrd

Comments (2)
  1. osama says:

    I did not install SP1 but I am getting this message!!

    Our organisation has 14,500 mailboxes.

    Hope they solve this issue soon.

  2. Eric Sabo says:

    Does anyone know when the patch will be out to correct this?

Comments are closed.
