On a DirSync client, when you try to perform an incremental synchronize together with an existing cookie, the Lightweight Directory Access Protocol (LDAP) Server returns the following errors messages and events.
From the Directory Services Event Log:
Log Name: Directory Service
Event ID: 1173
Task Category: Internal Processing
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
LDAP client log:
9876 04E0.1C88::02/05/18-14:47:45.8215896 [Microsoft-Windows-LDAP-Client/Debug] Message=ldap_search returned 0x35 for connection 0x1b053498: DN was DC=Contoso,DC=com. SearchScope was 0x2.
LdapErr:.DSID-0C090974,.comment:.Error.processing.control,.date0010004 = DSA_DB_EXCEPTION
0x35 = LDAP_UNWILLING_TO_PERFORM
This issue occurs because the filter that you are using for your DirSync request includes a linked value to be evaluated, and the replication update lands on a link value update. This exposes a known code defect in Windows Server 2008 R2, which was fixed in later versions of Windows.
When you encounter this issue, perform a Full Sync.
To fix this issue, upgrade the domain controllers to Windows Server 2012 R2 or a later version of Windows Server.