-
Title
Users not mail-enabled or Mailbox-enabled because of DSA/Exchange LDAP Filter Issues -
Description
While trying to Mail Enable users using Directory Synchronization, you receive an error:
Common AcAdSwitches Error 0xe1000023. LDAP filter error
-
Cause
This Error has nothing to do with using an LDAP filter used within the Synchronization scope of the DSA for bringing users into scope.
This Error is referring to the LDAP Filter used in the Exchange Organizations involved in the Migration Project. When mail enabling objects DSA is examining all the address books in source and in target domains, when DSA comes across an address book (or e-mail policy) with an invalid filter then it will fail. This Filter may be functional within the Exchange Organization but the DSA has issue with the syntax of the Filter.
Several other KB articles describe different issues with the Filters including double asterix, double round brackets etc. These issues should be rectified in previous Hotfixes for the product.
-
Resolution
In newer releases of the product the error may be thrown if the Exchange Organization still has reference to old decommissioned Exchange servers in the Directory. The LDAP error in the DSA log should refer to the servers it is finding the problematic Filter on.
In a recent case the customer had decommissioned the server but it was still present in the Directory. Once they had removed the entries, DSA could proceed and Mail Enable users.
Attached to this KB are two screenshots of the location of this filter in Exchange 2003 and Exchange 2007\2010