Problem Between Exchange 2007 and MS08-003
MS08-003, an "important" February security bulletin designed to prevent Denial of Service attacks against Active Directory and ADAM (Active Directory Application Mode), apparently has some issues with Exchange 2007 in larger organizations.
I first heard of this from Pete Kretche, a Systems Administrator for the University of Wisconsin Green Bay, in an Exchange mailing list posting. He said:
Anyone noticed this on their Exchange 2007 server(s)?
Active Directory operation failed for <DC FQDN>. This error could have been caused by user input or by the Active Directory server being unavailable. Please retry at a later time. Additional information: The directory service encountered an unknown failure.
Active Directory response: 000020EF: SvcErr: DSID-020A0EA3, problem 5005 (UNABLE_TO_PROCEED), data 87.
It was running command 'get-recipient -ResultSize '10000' -SortBy 'DisplayName' -RecipientType 'UserMailbox''.
If so, check your DCs for the February MS08-003 security patch KB943484. This patch limits the LDAP query capability to prevent DoS attacks. Apparently MS forgot to test Exchange 2007 against this patch. The patch has gone back in for some re-work and will be made available again sometime in March with the ability to change a reg value for the number of objects returned. I'm in no way advocating removing KB943484, just sharing information to keep fellow admins from pulling out their hair like I did today.
I e-mailed a Microsoft contact and verified that this is an ongoing issue and is currently being tracked by Microsoft Product Support Services.
Based on the error message and my knowledge of Active Directory limits, I would surmise that this is not going to happen in small or medium size shops. That is, shops that have fewer than 1,000 recipients.
You bigger guys might want to check this out...
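Pete's advice above is to check each domain controller for KB943484 before chasing the Exchange error. The script below is an added example (not from the original post or the mailing list) that does that check from a domain-joined machine: it enumerates the DCs of the current domain through the .NET DirectoryServices classes and asks each one whether the hotfix is installed with Get-HotFix. It assumes PowerShell 2.0 or later and rights to query hotfix information on the DCs; the KB number is the one quoted in the post.

```powershell
# Added example: report which domain controllers in the current domain
# have KB943484 (MS08-003) installed.
# Assumptions: run from a domain-joined machine with rights to query
# hotfix information on each DC; Get-HotFix is available (PowerShell 2.0+).
$kb = 'KB943484'   # hotfix number quoted in the mailing list post

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$report = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name
    try {
        # Get-HotFix raises a terminating error when the hotfix is absent
        # or the DC cannot be reached, so treat both as "not confirmed".
        $hotfix = Get-HotFix -Id $kb -ComputerName $name -ErrorAction Stop
        $installed = $true
        $installedOn = $hotfix.InstalledOn
        $note = ''
    } catch {
        $installed = $false
        $installedOn = $null
        $note = $_.Exception.Message
    }
    [PSCustomObject]@{
        DomainController = $name
        Patch            = $kb
        Installed        = $installed
        InstalledOn      = $installedOn
        Note             = $note
    }
}

# DCs listed with Installed = True are the ones whose LDAP result limits
# changed with this patch and are candidates for the Get-Recipient failure.
$report | Sort-Object DomainController | Format-Table -AutoSize
```

Run it from an Exchange Management Shell or a normal PowerShell prompt on a member server; a DC that reports Installed = False together with a connection error in the Note column needs a second look rather than being assumed unpatched.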
Edit - later on 2008-02-26:
Pete was kind enough to forward the errors that occur. Please see the images below.
Note that the blank space on the first line of both images would contain the fully-qualified-domain-name of the domain controller that the Exchange Management Console was attached to.