Exchange 2007 and MS08-003 on DCs: LDAP error 5005 UNABLE-TO-PROCEED


Exchange support has become aware of an issue where Exchange 2007 SP1 administrators are receiving an error message in the Exchange Management Console after applying the February round of updates from Microsoft.

You may also receive an error in Exchange Management Shell when running a command that uses the -sortby option:

Get-Mailbox: Active Directory operation failed on <domain name>. This error could have been caused by user input or by the Active Directory server being unavailable. Please retry at a later time. Additional information: Additional information: The directory service encountered an unknown failure. Active directory response: 000020EF: SvcErr: DSID-020A0F27, problem 5005 (UNABLE_TO_PROCEED), data 87
.
At line:1 char:12
+ get-mailbox <<<< -ResultSize unlimited -SortBy "alias".

Systems Affected:

Exchange 2007 SP1 - Exchange Management Console and Exchange Management Shell
Exchange 2007 RTM - Exchange Management Shell only

DC running Windows 2003 SP2 + MS08-003
DC running Windows 2003 SP1 + MS08-003
DC running Windows 2008 RTM

Cause: This issue is caused by a change made by the installation of MS08-003 to prevent a malformed search from crashing LSASS on a Windows 2003 domain controller. The same change is already implemented in Windows 2008 RTM. The change unexpectedly catches some legitimate searches performed by the Exchange Management Console and the Exchange Management Shell.
