EDIT: This post has been updated on 6/19/2008 - the Resolution section has been updated.
Exchange support has become aware of an issue where Exchange 2007 SP1 administrators are receiving an error message in the Exchange Management Console after applying the February round of updates from Microsoft.
You may also receive an error in Exchange Management Shell when running a command that uses the -sortby option:
Get-Mailbox : Active Directory operation failed on <domain name>. This error could have been caused by user input or by the Active Directory server being unavailable. Please retry at a later time. Additional information: Additional information: The directory service encountered an unknown failure. Active directory response: 000020EF: SvcErr: DSID-020A0F27, problem 5005 (UNABLE_TO_PROCEED), data 87
At line:1 char:12
+ get-mailbox <<<< -ResultSize unlimited -SortBy "alias"
Exchange 2007 SP1 - Exchange Management Console and Exchange Management Shell
Exchange 2007 RTM - Exchange Management Shell only
DC running Windows 2003 SP2 + MS08-003
DC running Windows 2003 SP1 + MS08-003
DC running Windows 2008 RTM
This issue is being caused by the change that was made with the installation of MS08-003 to prevent a malformed search from crashing LSASS on a Windows 2003 Domain controller. That same change is already implemented in Windows 2008 RTM. The change is unexpectedly catching some legitimate search cases being performed by the Exchange Management Console / Management Shell.
This issue will only occur if the total size of the search you are doing exceeds the size of the domain controller's temp table, you request that the search be sorted, and you request more than one page of the search be returned. By default the temp table has a maximum of 10,000 objects.
This issue will not occur at all if you have less than 10,000 recipients in your domain.
PowerShell commands will only throw this error when using the -sortby switch.
Microsoft has released hotfixes for this issue. You can obtain more information on the issue and the fix from the following KB articles:
LDAP queries fail for large result sets after security update MS08-003 is applied on a Windows Server 2003-based computer
953235 MS08-035: Vulnerability in Active Directory could allow denial of service
Until you are ready to apply the above mentioned fixes, this issue can be worked around using one of the following methods:
Method 1: Exchange Management Console
In the Exchange Management console use the filter options to filter the maximum results to something less than 10,000. This can be done by creating a filter similar to the following:
In this method you will still get the error when you first start the console but you will be able to use the console going forward by filtering to as smaller set of results.
Method 2: Exchange Management Console
Reduce the number of entries being returned to lower than the max page size. The default value for the max page size is 1000. Changing the "Maximum Number of Recipients to Display" to 998 will generally prevent the error from occurring. To learn more about this setting please go here.
This will prevent you from getting the error when coming into the Exchange Management Console. You may also have to also use Method 1 to filter the results so that you can get the objects returned that you want to manage.
Method 3: Exchange Management Shell
You can remove the -sortby switch and use sort-object to sort the results after they are returned. (eg get-mailbox -resultsize unlimited | sort-object -property alias)
We recommend that you DO NOT remove MS08-003 from your Domain Controllers to work around this issue. This issue is only impacting the GUI and is easily worked around, no Exchange functionality is impaired by this problem.
We will update this post when we get any new information on this.