You cannot create an Exchange mailbox by using Active Directory Users and Computers after you install the September 2003 Exchange 2000 Server Post-Service Pack 3 Rollup (831605)



The information in this article applies to:

  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Exchange 2000 Server

SYMPTOMS

After you install the September 2003 Exchange 2000 Server Post-Service Pack 3 Rollup package, when you try to create a new user together with an Exchange mailbox by using Active Directory Users and Computers, the mailbox is not created, and you experience all the following symptoms:
  • When you create the new user by using Active Directory Users and Computers, and you click to select the Create an Exchange mailbox check box, NewObject appears in the Alias box instead of the user's alias that you expect.
  • When you type the correct alias in the Alias box and then finish the steps to create the new user, the user is created successfully, but the mailbox is not created.
  • If you view the new user's attributes, you see that the mailNickname attribute is not set.
  • You do not receive an error message, and no error events appear in the application log in Event Viewer when this issue occurs.
  • If you right-click the new user, click Exchange Tasks, and then follow the steps to create an Exchange mailbox, the mailbox is created successfully.
For additional information about the September 2003 Exchange 2000 Server Post-Service Pack 3 Rollup, click the following article number to view the article in the Microsoft Knowledge Base:

824282 September 2003 Exchange 2000 Server Post-Service Pack 3 Rollup

CAUSE

This issue occurs if you have the Check Point Next Generation firewall program installed in your Active Directory directory services forest.

When you use Active Directory Users and Computers to create a new user together with an Exchange mailbox, Active Directory is queried to enumerate the object classes in the schema. One of the queries that Exchange performs has the following Lightweight Directory Access Protocol (LDAP) filter:

(|(adminDisplayName=user)(lDAPDisplayName=user))

When Next Generation firewall is installed, it adds a new schema class of fw1person together with a new object class to the schema. This object class has an adminDisplayName property set to user. Therefore, when Exchange 2000 queries Active Directory during the mailbox creation process, two objects are returned instead of one object as Exchange 2000 expects. Because of this behavior, the mailbox is not created successfully. If you run a similar query by using the Ldp.exe command, two objects that are similar to the following objects are returned:

CN=fw1person,CN=Schema,CN=Configuration,DC=example,DC=com

CN=User,CN=Configuration,DC=example,DC=com
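
The following added example (not part of the original Microsoft article) emulates the query above against an LDIF-style list of classSchema objects and reports every name that resolves to more than one class, which is the condition that breaks mailbox creation. The sample entries and the function names parse_ldif, match_name and find_collisions are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: LDIF-style export of three classSchema objects,
# modelled on the situation this article describes.
SAMPLE_LDIF = """\
dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
adminDisplayName: User
lDAPDisplayName: user

dn: CN=fw1person,CN=Schema,CN=Configuration,DC=example,DC=com
adminDisplayName: user
lDAPDisplayName: fw1person

dn: CN=Contact,CN=Schema,CN=Configuration,DC=example,DC=com
adminDisplayName: Contact
lDAPDisplayName: contact
"""

NAME_ATTRS = ("admindisplayname", "ldapdisplayname")

def parse_ldif(text):
    """Parse simple 'attr: value' records (no base64 values, no folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()] = value.strip()
        entries.append(entry)
    return entries

def match_name(entries, name):
    """Emulate (|(adminDisplayName=name)(lDAPDisplayName=name)), ignoring case."""
    name = name.lower()
    return [e["dn"] for e in entries
            if any(e.get(a, "").lower() == name for a in NAME_ATTRS)]

def find_collisions(entries):
    """Return {name: [dn, ...]} for names the OR filter resolves to 2+ classes."""
    by_name = defaultdict(set)
    for e in entries:
        for a in NAME_ATTRS:
            if e.get(a):
                by_name[e[a].lower()].add(e["dn"])
    return {n: sorted(dns) for n, dns in by_name.items() if len(dns) > 1}

if __name__ == "__main__":
    schema = parse_ldif(SAMPLE_LDIF)
    print(match_name(schema, "user"))   # two DNs where one is expected
    print(find_collisions(schema))      # every ambiguous name in the sample
```

Running the same check over the sample after the adminDisplayName of fw1person is changed to fw1person reports no collisions.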

RESOLUTION

To resolve this issue, configure the schema to permit modifications, and then modify the adminDisplayName property of the fw1person object in the Active Directory schema. To do this, follow these steps.

Warning: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  1. Configure the schema to permit modification. For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

    261231 XADM: Unable to Update the Schema on the Schema Owner

  2. Start the ADSI Edit snap-in. To do this, click Start, click Run, type adsiedit.msc in the Open box, and then click OK.

    Note: ADSI Edit is included with the Microsoft Windows 2000 Support Tools. For additional information about how to install the Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:

    301423 How to Install the Windows 2000 Support Tools

  3. Expand Schema [servername.example.com] (where servername is the name of your domain controller, and where example.com is the name of your domain), and then click CN=Schema,CN=Configuration,DC=example,DC=com.
  4. In the right pane, right-click CN=fw1person, and then click Properties.
  5. In the Select which properties to view list, click Both.
  6. In the Select a property to view list, click adminDisplayName.
  7. In the Edit Attribute box, type fw1person, and then click Set.
  8. Click OK, and then exit ADSI Edit.
After you modify the adminDisplayName property, you can successfully create an Exchange mailbox for a new user by using Active Directory Users and Computers.

MORE INFORMATION

For additional information about an issue that may occur when the Check Point Next Generation firewall program is installed, click the following article number to view the article in the Microsoft Knowledge Base:

322944 XADM: "0XC0072038 (8248): The Result Set Is Too Large" Error Message When You Run Setup with /domainprep Switch



The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Modification Type: Major
Last Reviewed: 12/9/2003
Keywords: kbFirewall kbprb KB831605 kbAudITPRO