
An LDAP filter error causes the Exchange Recipient Update Service not to stamp newly created users



Symptoms

A Lightweight Directory Access Protocol (LDAP) filter error causes the Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 Recipient Update Service not to stamp newly created users with e-mail addresses. Therefore, new users cannot access their Exchange mailboxes. Additionally, they cannot send and receive e-mail messages. One or more of the events that are listed in the "More Information" section may appear in the event logs.



Cause

LDAP queries are used in filter rules to specify the recipient membership of address lists and recipient policies. A malformed filter can cause the Recipient Update Service not to process the recipient membership policy. As a result, new user account attributes are not updated as expected, and new users cannot access their Exchange mailboxes or send and receive e-mail messages.



Resolution

To resolve this problem, correct or remove the LDAP query that is failing. The "More Information" section contains lists of events to help you locate the incorrect filter.

For additional information about how to manage address lists in Exchange 2000, see the Exchange 2000 Recipient Management guide. To obtain this guide, visit the following Microsoft Web site:



More information

The event logs can help you locate the problem filter. When the filter error occurs, the following events may be logged in the Application event log on the Exchange computer:

MSExchangeAL Event ID 8011

Event Type: Information
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8011
Computer: ExchangeServerName
Description: Searching directory distinguished name at base '<GUID=GUID>' using filter '(|(objectCategory=user)(objectCategory=group))(|(extensionAttribute8=*attributeValue*)(mailNickname=*user*)))' and requesting attributes ObjectClass; ReplPropertyMetaData.

Note: The following LDAP query, which appears in the event description that was discussed earlier, is not valid:
(|(extensionAttribute8=*attributeValue*)((mailNickname=*user)))
In this particular case, the correct filter is:
(|(extensionAttribute8=*attributeValue*)(mailNickname=*user))
The incorrect filter contains an extra pair of parentheses around "(mailNickname=*user)".
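
The parenthesis error described in the note above can be caught before a filter is saved to an address list or recipient policy. The following Python sketch is an added example, not part of the original article or of any Microsoft tool: it checks a filter against a strict subset of the RFC 4515 grammar and reports the offset of the first error. The function names and the sample event description are constructed for illustration.

```python
import re
# Loose RFC 4515 subset: attribute, optional ~ < > before '=', value without raw parentheses.
_ITEM = re.compile(r"[A-Za-z0-9;.:\-]+[~<>]?=[^()]*")

class FilterError(ValueError):
    """Raised at the first point where the filter stops matching the grammar."""

def _parse(f, i):
    """Parse one parenthesized filter starting at f[i]; return the offset just past it."""
    if i >= len(f) or f[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, i, operands = f[i], i + 1, 0
        while i < len(f) and f[i] == "(":
            i = _parse(f, i)
            operands += 1
        if operands == 0 or (op == "!" and operands != 1):
            raise FilterError(f"'{op}' has {operands} operand(s), offset {i}")
    else:
        m = _ITEM.match(f, i)  # a bare '(' here is the extra-parentheses case
        if not m:
            raise FilterError(f"expected attribute=value at offset {i}")
        i = m.end()
    if i >= len(f) or f[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1

def validate_filter(f):
    """Return None when f is well formed, otherwise a message naming the offset."""
    try:
        end = _parse(f, 0)
    except FilterError as e:
        return str(e)
    return None if end == len(f) else f"unexpected text at offset {end}"

def filter_from_event(description):
    """Pull the quoted filter out of an MSExchangeAL 8011 or 8020 description."""
    m = re.search(r"using filter '(.*?)'", description)
    return m.group(1) if m else None

BAD = "(|(extensionAttribute8=*attributeValue*)((mailNickname=*user)))"  # from the article
GOOD = "(|(extensionAttribute8=*attributeValue*)(mailNickname=*user))"   # from the article
# Constructed description in the shape of the 8011 event text.
EVENT = f"Searching directory dc01 at base 'DC=example,DC=com' using filter '{BAD}' and requesting attributes ObjectClass."

if __name__ == "__main__":
    for name, flt in (("bad", BAD), ("good", GOOD), ("event", filter_from_event(EVENT))):
        print(name, "->", validate_filter(flt) or "well formed")
```

The check does not allow whitespace between components, so a filter written with spaces, like the one in the event 8020 example, is reported as malformed by this script.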


The following two events indicate that the filter in the previous MSExchangeAL 8011 event is incorrect:

MSExchangeAL Event ID 8018

Event Type: Information
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8018
Computer: ExchangeServerName
Description: Abandoning request '54415' on directory distinguished name. DC=domain,DC=domain name,DC=com.


MSExchangeAL Event ID 8007

Event Type: Information
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8007
Computer: ExchangeServerName
Description: Closing LDAP session to directory distinguished name . DC=domain,DC=example,DC=com.



The following events may also appear in the Application Event Log of the Exchange computer:

MSExchangeAL Event ID 8020

Event Type: Information
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8020
Computer: ExchangeServerName
Description: LDAP Search of directory computername.example.com at base 'distinguished name' using filter '(& (mailnickname=*) (| (objectCategory=publicFolder) ))' was unsuccessful. Directory returned the LDAP error:[0x51] Server Down.


MSExchangeAL Event ID 8025

Event Type: Warning
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8025
Description: LDAP Get Next Page call on directory Files.Example.com for pagesize 20, was unsuccessful with error:[0x57] Filter error.

Note: The hexadecimal error 0x57 maps to LDAP error 87, which corresponds to the LDAP_FILTER_ERROR error.

If LDAP Interface Events diagnostics logging is set to at least "2" for the NTDS service on the Domain Controller used to process the Recipient Update Service requests, either of the following events may appear in its Directory Service Event Log.

NTDS LDAP Event ID 1216

Event Type: Warning
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1216
Computer: DomainControllerName
Description: Internal event: An LDAP client connection was closed because of an error.
Client ID: 22857
Additional Data
Error value: 87


NTDS LDAP Event ID 1216

Event Type: Warning
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1216
Computer: DomainControllerName
Description: The LDAP server closed a socket to a client because of an error condition, 87. (Internal ID c0603b2::30549).

Important: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
The LDAP Interface Events diagnostics logging is specified at the following registry location:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics
For additional information on Windows Server diagnostics logging, click the following article number to view the article in the Microsoft Knowledge Base:
314980 How to configure Active Directory diagnostic event logging in Windows Server



Keywords: KB818190, kbbug, kbnofix, kbenv


Article Info
Article ID : 818190
Revision : 6
Created on : 10/25/2007
Published on : 10/25/2007