E2k10: Can't display a Recipient Scope with more than 1,000 objects returned

We ran into an interesting problem in Exchange 2007 Service Pack 1 where certain kinds of LDAP queries were rejected by Windows 2008 domain controllers. Exchange was changing the BaseDN attribute on successive searches, but Win2k8 is a bit more restrictive about what it allows through LDAP, so those successive queries would fail.

You'd see an error message like this:

Get-Recipient : Active Directory operation failed on <Windows Server 2008 domain controller name>. Additional information: Active Directory rejected paged search cookie because a cookie handle was discarded by a domain controller or a different LDAP connection was used on subsequent page retrieval. Restart paged search

This was patched out in E2k7 Sp1 Ru9 and is covered by https://support.microsoft.com/kb/961551.


You can wind up with a similar error in Exchange 2010 when you're using Windows 2008 R2 Domain Controllers. If you're using the Exchange Management Console and attempt to list recipients when you have a scope configured that returns more than 1,000 objects, you'll get an error like this:

Active Directory operation failed on <Win2k8 DC name>. Additional information: Active Directory rejected paged search cookie because a cookie handle was discarded by a Domain Controller or a different LDAP connection was used on subsequent page retrieval. Paged search needs to be restarted and will succeed.

Additional information: The parameter is incorrect.

Active directory response: 00000057: LdapErr: DSID-0c090753, comment: Error processing control, data 0, v1db1. It was running the command "Get-Recipient -PropertySet ConsoleLargeSet -ResultSize '5000' -SortBy DisplayName -RecipientType 'UserMailbox'".


Parsing the cmdlet above, you can see that the result size has already been bumped to 5,000 objects, so we're not hitting the traditional 1k limit on LDAP searches. The actual problem is with the Win2k8 R2 DCs you're using. When certain properties are passed to those DCs via LDAP, and the query generates more than one page of responses, the DCs fail to respond as expected.

This problem is fixed by a Windows-side hotfix applied to the domain controllers. You can find it at https://support.microsoft.com/default.aspx?scid=kb;EN-US;2468316.
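Since the fix lives on the domain controllers rather than on the Exchange servers, the practical check is to inventory every DC for its OS version and for the KB above. The script below is an added example, not from the original post; it assumes Windows PowerShell 2.0, WMI (RPC) access to each DC, and an account allowed to query installed updates remotely.

```powershell
# Added example (not from the original post): list every domain controller in
# the current domain, report its OS version, and flag Windows Server 2008 R2
# DCs that do not have the KB2468316 hotfix from the article installed.
# Assumes WMI/RPC access to each DC and rights to read Win32_QuickFixEngineering.
$hotfixId = 'KB2468316'
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$report = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $name -ErrorAction Stop

        # Get-HotFix reads Win32_QuickFixEngineering; a missing KB produces a
        # non-terminating error and no object, so $fix stays $null.
        $fix = Get-HotFix -Id $hotfixId -ComputerName $name -ErrorAction SilentlyContinue

        New-Object PSObject -Property @{
            DomainController = $name
            OSCaption        = $os.Caption
            OSVersion        = $os.Version                 # 6.1.* = Windows Server 2008 R2
            HotfixInstalled  = [bool]$fix
            # Only 2008 R2 DCs without the fix can return the paged-search cookie error
            NeedsHotfix      = ($os.Version -like '6.1.*') -and -not $fix
        }
    }
    catch {
        Write-Warning "Could not query $name : $($_.Exception.Message)"
    }
}

$report | Sort-Object NeedsHotfix -Descending |
    Format-Table DomainController, OSCaption, OSVersion, HotfixInstalled, NeedsHotfix -AutoSize
```

Any DC listed with NeedsHotfix set to True is one that an EMC recipient listing with a scope over 1,000 objects can land on and fail against.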