You receive a “The server was unable to decode a search request filter” error message when you run an LDAP query that uses the extensibleMatch search filter in Windows Server 2003 and Windows 2000 Server

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
When you perform an LDAP search that uses the extensibleMatch search filter to search the Active Directory objects of a Microsoft Windows Server 2003 or Windows 2000 Server-based computer, you may receive the following error message:
The server was unable to decode a search request filter.
CAUSE
This problem occurs when Active Directory processes an LDAP search request that does not explicitly specify the dnAttributes of the extensibleMatch filter. If you use the default value in the dnAttributes field, you do not have to explicitly specify the dnAttributes value in the search request. The default value for the dnAttributes field is set as FALSE. Active Directory omits the dnAttributes field when processing an LDAP search request if the dnAttributes field is not specified explicitly.
RESOLUTION

Windows Server 2003 hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

No prerequisites are required.

Restart Requirement

You do not have to restart your computer after you apply this hotfix.

Hotfix Replacement Information

This hotfix does not replace any other hotfixes.

File Information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows Server 2003, 32-Bit editions
   Date         Time   Version             Size  File name   ---------------------------------------------------------   11-Aug-2004  00:34  5.2.3790.198   1,531,904  Ntdsa.dll           11-Aug-2004  00:34  5.2.3790.196      32,768  Ntdsatq.dll         05-Aug-2004  18:26  5.2.3790.197      59,392  Ws03res.dll
Windows Server 2003, 64-Bit editions
   Date         Time   Version             Size  File name     Platform   --------------------------------------------------------------------   10-Aug-2004  11:37  5.2.3790.198   4,055,552  Ntdsa.dll     IA-64   10-Aug-2004  11:37  5.2.3790.196      82,432  Ntdsatq.dll   IA-64   05-Aug-2004  05:57  5.2.3790.197      58,880  Ws03res.dll   IA-64   05-Aug-2004  05:56  5.2.3790.197      59,392  Wws03res.dll  x86

Windows 2000 hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

This hotfix requires Windows 2000 Service Pack 4 (SP4).

Restart Requirement

You have to restart the DNS Server service after you apply this hotfix.

Hotfix Replacement Information

This hotfix does not replace any other hotfixes.

File Information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version             Size  File name   ----------------------------------------------------------   24-Mar-2004  02:17  5.0.2195.6876    388,368  Advapi32.dll        24-Mar-2004  02:17  5.0.2195.6866     69,904  Browser.dll         24-Mar-2004  02:17  5.0.2195.6824    134,928  Dnsapi.dll          24-Mar-2004  02:17  5.0.2195.6876     92,432  Dnsrslvr.dll        24-Mar-2004  02:17  5.0.2195.6883     47,888  Eventlog.dll        24-Mar-2004  02:17  5.0.2195.6890    143,632  Kdcsvc.dll          11-Mar-2004  02:37  5.0.2195.6903    210,192  Kerberos.dll        21-Sep-2003  00:32  5.0.2195.6824     71,888  Ksecdd.sys   11-Mar-2004  02:37  5.0.2195.6902    520,976  Lsasrv.dll          25-Feb-2004  23:59  5.0.2195.6902     33,552  Lsass.exe           19-Jun-2003  20:05  5.0.2195.6680    117,520  Msv1_0.dll          24-Mar-2004  02:17  5.0.2195.6897    312,592  Netapi32.dll        19-Jun-2003  20:05  5.0.2195.6695    371,984  Netlogon.dll        11-Aug-2004  00:21  5.0.2195.6967    933,648  Ntdsa.dll           24-Mar-2004  02:17  5.0.2195.6897    388,368  Samsrv.dll          24-Mar-2004  02:17  5.0.2195.6893    111,376  Scecli.dll          24-Mar-2004  02:17  5.0.2195.6903    253,200  Scesrv.dll          04-Jun-2004  23:13  5.0.2195.6935  5,887,488  Sp3res.dll          24-Mar-2004  02:17  5.0.2195.6824     50,960  W32time.dll         21-Sep-2003  00:32  5.0.2195.6824     57,104  W32tm.exe
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
The extensibleMatch search filter is a new search filter that is included in LDAP version 3. The extensibleMatch search filter uses four fields. Two of the fields are optional and one field is a BOOLEAN field that has a default value. The extensibleMatch search filter fields are defined as follows:
  • type - An optional field that is used to specify an attribute.
  • matchingRule - An optional field that is used to specify a matching rule.
  • matchValue - A field that is used to specify the value that is to be searched.
  • dnAttributes - A BOOLEAN field that returns the status of an LDAP search. If the LDAP search is successful, the dnAttributes field returns TRUE. If the LDAP search fails, the dnAttributes field returns FALSE. The default value for this field is set as FALSE.

For example, consider the following text string:
:dn:2.4.6.8.10:=Sample Entry
In this sample, :dn is the attribute name, 2.4.6.8.10 is the matching rule, and Sample Entry is the name of the value that is to be searched in Active Directory.

For additional information about LDAP search filters, see the following Computer Science and Engineering (CSE) Web site:
http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc2254.html
For additional information about how hotfix packages are named, click the following article number to view the article in the Microsoft Knowledge Base:
816915 New file naming schema for Microsoft Windows software update packages
For additional information about the standard terminology that is used to describe Microsoft software updates, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Properties

Article ID: 872957 - Last Review: 01/16/2015 01:35:05 - Revision: 1.10

  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • kbnosurvey kbarchive kbautohotfix kbqfe kbhotfixserver kbwinserv2003presp1fix KB872957
Feedback