Understanding DSAccess
Hi Readers,
It’s been a long time since I posted any article. I decided to say... “I’m back”.
To encourage myself, I’m starting my second session of technical blogs with some basic topics. I would say this article on DSAccess can be considered anything between Level 100 and Level 200. Here are the topics we are going to discuss on DSAccess:
Topic 1: Understanding DSAccess.
Topic 2: How DSAccess works?
Topic 3: Troubleshooting DSAccess.
TOPIC 1: UNDERSTANDING DSACCESS:
Directory Service Access (DSAccess) is a core component of Exchange 2000 Server and Exchange Server 2003.
Exchange needs access to Active Directory for a variety of reasons. Exchange stores the following in the configuration naming context of Active Directory:
-- Server parameters
-- Mailbox parameters
-- Public folder parameters
-- Public folder hierarchy and much more
Exchange and Outlook need access to global catalog servers to obtain the GAL and to expand group memberships for mail-enabled groups.
DSAccess detects domain controllers and global catalog servers. DSAccess updates the list of valid directory servers that Exchange components can use.
DSAccess has the task of finding DCs and GCs suitable for use by Exchange. DSAccess selects up to 10 domain controllers and 10 global catalog servers and puts them in a local DSAccess profile.
[Diagram: Local Domain | Config DC | Remote Domain]

Exchange server looks for DCs and GCs in the local domain before searching for them in the remote domain. It also selects one domain controller to use as the configuration server. This avoids replication latency issues.
Configuration domain controller: This is the single, high-performance DC used as the reference point for AD configuration information. This DC is used for up to 8 hours before DSAccess chooses another random server.
DSAccess implements a directory access cache that stores recently accessed information for a configurable length of time. This reduces the number of queries made to global catalog servers.
TOPIC 2: HOW DSACCESS WORKS:
-- DSAccess runs under the Mad.exe service.
-- DSAccess is implemented as the Dsaccess.dll file.
-- DSAccess detects domain controllers and global catalog servers and performs auto discovery for AD topology.
-- DSAccess updates the list of valid directory servers that Exchange components can use.
-- DSAccess caches information to reduce lightweight directory access protocol (LDAP) requests.
-- DSAccess provides a dynamic update for the list of domain controllers on a regular interval.
-- DSAccess uses DNS to locate domain controllers and global catalog servers.
DSAccess performs a series of tests to determine the suitability of a domain controller or a global catalog server:
1. Reachability: The server must respond to an LDAP bind request on
---> TCP port 389 for DCs.
---> TCP port 3268 for GCs.
2. FLAG tests: DSAccess checks "RootDSE" on the DC to verify that the "isSynchronized" attribute shows true. It checks the "RootDSE" on the GC to verify that the "isGlobalCatalogReady" attribute shows true.
NOTE: This can be seen using LDP or nltest
3. Server functional test: DSAccess makes an RPC connection to the Netlogon service at the DC and checks
---> Available disk space
---> Time Synchronization
---> Server participation in replication
4. The version of the server: Exchange 2003 server requires that all domain controllers used by DSAccess run at least Windows 2000 with SP3.
5. Manage Auditing and Security Logs permissions: DSAccess looks to see if the Exchange Enterprise Servers group in ADUC has Manage Auditing and Security Logs permissions on the DC. This is the case if domainprep has been run.
NOTE: This can be seen by running policytest.exe.
6. Things like DNS priority and weight, residential site, domain preparation, synchronization, initialization, etc. are also involved in the series of tests for discovering a DSAccess topology.
TOPIC 3: TROUBLESHOOTING DSACCESS
Processes that have DSAccess loaded:
-- Mad.exe (MSExchangeSA)
-- Emsmta.exe (MSExchangeMTA)
-- Store.exe (MSExchangeIS)
-- Winmgmt.exe (WinMgmt)
-- Inetinfo.exe (Several Services within)
-- Exmgmt.exe (MSExchangeMGMT)
Components that depend on DSAccess:
-- Exchange Metabase Update (DS2MB)
-- Exchange Routing (RESVC)
-- SMTP Categorizer
-- DSProxy
-- Exchange Information Store
-- WebDav
-- Message transfer agent (MTA)
-- Instant Messenger
DSAccess Failure
Hard Failure:
-- When a server is taken offline
-- Consistently unresponsive
-- Catastrophic failures
Soft Failure:
-- Not responding to requests in a timely fashion
DSAccess handles soft failures efficiently with built-in failover functionality.
Troubleshooting is required when DSAccess suffers a hard failure.
Complete functionality of the DSAccess tab is only available when you use an Exchange 2000 server with SP2.
STEPS to perform:
Step 1: Increase diagnostics logging
Server properties --> MSExchangeDSAccess
Look for DSAccess topology discovery errors: Event ID: 2080
Events 2120 and 2105 are generally DNS issues; this can be made out from the description.
Always look for Event ID: 2080
Event Type: Information
Event Source: MSExchangeDSAccess
Event Category: Topology
Event ID: 2080
Computer: AshwinPC1
Description:
Process MAD.EXE (PID=1808). DSAccess has discovered the following servers with the following characteristics:
(Server name | Roles | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC1.ashwindomainorg.com CDG 7 7 1 0 0 1 7 1
DC2.ashwindomainorg.com CDG 7 7 1 0 1 1 7 1
DC3.ashwindomainorg.com CDG 7 7 1 0 1 1 7 1
Out-of-site:
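As an added example (not from the original post or from Microsoft), the following Python code parses the description text of the event 2080 shown above and lists which of the Topic 2 suitability checks each server fails. It assumes the Reachability, Synchronized and Netlogon columns are per-role bitmasks (1 = GC, 2 = DC, 4 = configuration DC) as described in KB 316300; the function names are hypothetical and the sample text is constructed from the event above.

```python
import re

# Column order as printed in the event 2080 header on this page.
COLUMNS = ["roles", "reachability", "synchronized", "gc_capable", "pdc",
           "sacl_right", "critical_data", "netlogon", "os_version"]
# Assumption (per KB 316300): role letter -> bit in the per-role mask columns.
ROLE_BITS = {"G": 0x1, "D": 0x2, "C": 0x4}

# Constructed sample: server rows copied from the event description above.
SAMPLE_2080 = """\
In-site:
DC1.ashwindomainorg.com CDG 7 7 1 0 0 1 7 1
DC2.ashwindomainorg.com CDG 7 7 1 0 1 1 7 1
DC3.ashwindomainorg.com CDG 7 7 1 0 1 1 7 1
Out-of-site:
"""
ROW = re.compile(r"^(\S+)\s+([CDG-]{1,3})((?:\s+\d+){8})\s*$")

def parse_2080(description):
    """Return one dict per server row, tagged with its site section."""
    servers, section = [], None
    for line in description.splitlines():
        line = line.strip()
        if line.lower() in ("in-site:", "out-of-site:"):
            section = line.rstrip(":").lower()
            continue
        m = ROW.match(line)
        if not m:
            continue  # column header, blank or unrelated line
        values = [m.group(2)] + [int(v) for v in m.group(3).split()]
        servers.append({"server": m.group(1), "section": section,
                        **dict(zip(COLUMNS, values))})
    return servers

def problems(row):
    """Names of the columns that show a failed check for this server."""
    want = sum(bit for role, bit in ROLE_BITS.items() if role in row["roles"])
    found = [m for m in ("reachability", "synchronized", "netlogon") if row[m] & want != want]
    if "G" in row["roles"] and not row["gc_capable"]:
        found.append("gc_capable")
    found += [f for f in ("sacl_right", "critical_data", "os_version") if not row[f]]
    return found

def triage(description):
    return {r["server"]: problems(r) for r in parse_2080(description)}

if __name__ == "__main__":
    for server, issues in triage(SAMPLE_2080).items():
        print(server, "OK" if not issues else "FAILED: " + ", ".join(issues))
```

On the sample, only DC1 is flagged, for the SACL right column, which is the condition Step 2 checks with Policytest.exe.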

Step 2: SACL right for the configuration naming context. Run Policytest.exe. Ensure that the Exchange Enterprise servers group has Manage Auditing and Security logs permissions.
Step 3: Examine the health of the Active Directory servers:
-- Ping by FQDN
-- Use LDP, GC response.
-- Check if the DC knows its site by running nltest /dsgetsite and nltest /dsgetdc:<domainname>
-- Check the CPU Utilization
-- RAM usage
-- Check for Network bandwidth.
-- Clocks should be synchronized between DCs (within 60 seconds)
-- Check for Netlogon events
-- Run DCDIAG or NETDIAG. Look for DNS errors.
-- Use Perfmon to troubleshoot DSAccess
MSExchangeDSAccess Processes
-- LDAP Search Time
-- LDAP Read Time
DSADiag and DSCFlush: These were the tools used to determine and discover the DSAccess topology in Exchange 2000. These tools are no longer supported in Exchange 2003.
If DSAccess still fails after performing all the above steps, we can take a regtrace and dispatch it to the appropriate team to interpret the output.
A few relevant KB articles on DSAccess:
Event ID 2080 from MSExchangeDSAccess
http://support.microsoft.com/kb/316300/en-us
The "Exchange Server 2003 Performance and Scalability Guide" is available
http://support.microsoft.com/kb/867706/en-us
TechNet Support WebCast: Understanding and troubleshooting DSAccess for Exchange Server 2003.
http://support.microsoft.com/default.aspx?kbid=910999
Regards,
Ashwin Kumar.


Hi,
Very good Exchange support site. Please add me to this blog.
Nice & useful article,
Thank you very much
Nice & useful, thank you!