Professional Documents
Culture Documents
The following figure shows the Exchange Server 2003 core services, but there are more
Exchange related services like:
Please note:
The Microsoft Exchange Quota Service, the Microsoft Identity Integration Server and the
Microsoft iSCSI Initiator Service in Figure 1 are not Exchange related.
Service dependencies
Most of the Exchange services have dependencies from other Exchange services. We are
talking here about other services that depend on this specific service and about other
services from which this service is dependent. You can see the dependencies in the
properties of the specific service or in the Registry under
HKEY_LOCAL_MACHINESystemCurrentControlSet\Services\Servicename.
The following figure shows the Dependencies of the Microsoft Exchange System
Attendant Service, one of the Exchange Server core services. The Microsoft Exchange
System Attendant Services depends on the Services shown in Figure 2 and two other
services – Microsoft Exchange Information Store and Microsoft Exchange MTA Stacks.
As you can see in Figure 3, Exchange uses some IIS Application pools and messaging
services like SMTPSVC and IMAPSVC under control of INETINFO.EXE. All services
are controlled by HTTP.SYS, a kernel Mode component which is new for IIS 6.0.
Figure 3: Web Services in Exchange Server 2003 (Source: Microsoft)
As you can see in Figure 4 there are several dependencies between Exchange Services
and Windows Services. As an example, the Microsoft Exchange System Attendant
depends on several Windows Services but also some Exchange Services are dependant on
the Exchange System Attendant Service.
EXIFS
The Exchange Server 2003 installable file system is a kernel-mode driver, implemented
in ExIFS.sys, which IIS can use to read and write items from and to Exchange databases.
The ExIFS file system driver communicates with the Exchange Server store. This is
accomplished through a store extension (ExWin32.Dll) and a user-mode wrapper
(Ifsproxy.dll). The Exchange Server store uses ESE to access the Exchange Database
(ESE and STM files).
Please note:
ExIFS is the only kernel-mode component in Exchange Server 2003.
Figure 6: ExIFS in Exchange 2003 (Source: Microsoft)
System Attendant
The Microsoft Exchange Server System Attendant is the Exchange Server core service
which controls several other Exchange services. These components are:
DSProxy
The Directory Service Proxy (DSProxy) is the Exchange Server 2003 component that
provides an address book service to Microsoft Outlook clients. DSProxy is implemented
in DSProxy.dll. DSProxy has two functions:
DSProxy provides both proxy and referral services. MAPI clients running Outlook 2002
Service Release 1 and earlier versions use the proxy functionality because these clients
were designed to use Exchange Server as its Directory Service. This was true for
Microsoft Exchange Server from 4.0 to 5.5 but beginning with Exchange Server 2000,
Microsoft Active Directory takes the part of the Exchange Directory services. Therefore,
DSProxy emulates a directory service, so that earlier clients can function.
Exchange Server 2003 server forwards the requests to Active Directory.
Later versions of Outlook, such as Outlook 2000 with SR-2 and Outlook 2002/2003, are
designed with the assumption that Exchange Server 2003 does not have its own directory
service. After DSProxy refers one of these later clients to a global catalog server, the
client communicates directly with Active Directory.
DSProxy obtains its list of working global catalog servers from DSAccess. DSAccess
handles only LDAP queries. However, DSProxy fully relies on DSAccess to provide
global catalog failover support.
DSProxy Operations
DSProxy performs the following operations:
It collects a list of working global catalog Servers from DSAccess and selects only global
catalog Servers that are in the Server's local Active Directory site.
It proxies MAPI queries from earlier Outlook clients to the remaining global catalog
Servers. The mechanism used to direct Outlook clients to one of the remaining global
catalog Servers is a round robin mechanism.
DSProxy initially runs single threaded and can support up to 512 client connections.
DSProxy automatically creates an additional thread for every 512 client connections.
Unlike DSAccess, DSProxy has no caching mechanism. Every MAPI query processed
through DSProxy is sent to a Global Catalog Server.
DSAccess
Exchange 2003 services access information that is stored in Active Directory and write
information to Active Directory. If this communication occurred directly between each
service and Active Directory, Exchange 2003 could overwhelm an Active Directory
domain controller with communication requests. DSAccess is the component which
controls the interaction between Exchange requests and Active Directory.
• System Attendant
• Message Transfer Agent (MTA)
• Microsoft Exchange Information Store
• Exchange Management Service
• Internet Information Services (IIS)
• Windows Management Instrumentation (WMI)
DSAccess discovers the Active Directory topology, detects domain controllers and
Global Catalog servers, and maintains a list of valid directory servers that are suitable for
use by Exchange components. In addition, DSAccess maintains a cache that is used to
minimize the load on Active Directory by reducing the number of Lightweight Directory
Access Protocol (LDAP) requests that individual components send to Active Directory
servers. The DSAccess Cache is configurable through several Registry Keys.
The metabase update is a subprocess that is launched when the System Attendant is
started. The operation of SMTP, POP3, IMAP4, Outlook Web Access and OMA are all
dependent on the replication by DS2MB. DS2MB registers with the config domain
controller after startup, enabling the config domain controller to notify DS2MB of any
changes that are made to the Exchange configuration. This notification occurs within 15
seconds of the change.
The executable file of the Microsoft Exchange MTA Stacks service is EMSMTA.exe,
which is located in the \Program Files\Exchsrvr\bin directory. This service depends on
System Attendant and maintains its own specific message queues outside the Exchange
store in the \Program Files\Exchsrvr\Mtadata directory.
• WWW service
• FTP service
• SMTP service
• POP3 service
• IMAP4 service
• NNTP service
The IIS Admin service also provides access to the IIS configuration information to other
applications, such as to the metabase update service, which is an internal component of
System Attendant.
The IIS Admin service depends on the Remote Procedure Call (RPC) service and
Security Accounts Manager (SAM) service.
Conclusion
In this article I have tried to give you some helpful information about the Exchange
Server core services and how they work together. This article can’t give you all
the information about the “Big Picture” from Exchange Server and all its components.
There are quite more dependencies and Services in Exchange Server 2003 and the
dependency from Exchange Server 2003 on Windows Server Active Directory and DNS
(Domain Name System) which I don’t explain in my article.
These security groups are used to perform administrative functions when the Exchange
team members are different from the Windows team member – which is normal in larger
enterprises – but later.
The Exchange 2003 Server CD contains two Setup Switches to accomplish these tasks:
• ForestPrep and
• DomainPrep.
When you use the /ForestPrep option, the Exchange Setup program extends the Active
Directory schema to add Exchange-specific classes and attributes.
ForestPrep also creates the container object for the Exchange 2003 organization in the
domain naming context of Active Directory, and it assigns, to the account that you
specify, Exchange Full Administrative permissions to the organization object.
This account now has the authority to install and manage Exchange 2003 throughout the
forest, along with the authority to assign other administrators Exchange Full
Administrative permissions after the first Exchange server is installed.
Requirements
For organizations that don’t have a structure like this stated, ForestPrep and DomainPrep
separates the Exchange 2003 setup tasks that require high-level network permissions
from those that do not.
For example, Windows 2003 administrators with EnterpriseAdmin and SchemaAdmin
permissions run ForestPrep, during which they designate an account as the Exchange
2003 administrator. This Exchange administrator will have enough rights (after both
utilities are run) to perform the actual Exchange 2003 installation.
Note:
If the user who installs Exchange is a member of the EnterpriseAdmin and
SchemaAdmin groups, Forestprep and Domainprep will be automatically executed.
Most deployment scenarios require you to run ForestPrep for successful Exchange 2003
installation. As a general formula keep in mind that when the administrator doesn’t have
EnterpriseAdmin and SchemaAdmin permissions, you must run ForestPrep.
When you install Exchange 2003 in a child domain, you must first run ForestPrep in the
parent domain. If you don’t do this, Setup will prompt you to do so when you attempt to
install in the child domain.
ForestPrep in detail
ForestPrep performs all Exchange 2003 setup tasks that require EnterpriseAdmin and
SchemaAdmin permissions, as it makes changes in the configuration naming container in
Active Directory. ForestPrep extends your Active Directory schema to include Exchange-
specific information. ForestPrep also creates objects in Active Directory and gives
permissions on those objects to the account designated as the Exchange 2003
administrator. This administrator will have enough permission to install the first
Exchange 2003 server in your organization.
ForestPrep also creates the Exchange organization name and object in Active Directory.
New in Exchange 2003 Forestprep is the creation of a placeholder Organization object.
Setup will create a “temporary” organization with a hard-coded name. (That name is a
GUID: “{335A1087-5131-4D45-BE3E-3C6C7F76F5EC}”.) Setup can delegate the first
Exchange administrator on this object; create the Exchange configuration underneath it,
and so on. Later, when setup is run to install the first server in the organization – by
someone who is an Exchange administrator – setup can rename the existing placeholder
object, either to a user-specified name or to match the name of an Exchange 5.5
organization. The final naming is decided by the answer to the “Installation Type” screen.
You need to run ForestPrep only once per Windows 2003 forest.
Be sure to type the command exactly as in Figure1 because a wrong typed command will
start a normal Exchange setup without the /Forestprep option.
Figure 1: SETUP /FORESTPREP
Important
After ForestPrep and DomainPrep are run, the designated Exchange administrator has
only enough permission to install Exchange. By default, this account is not able to create
accounts or give users mailboxes unless this account is also a member of the Account
Operators group.
You can grant administrators permissions to create and administer Windows accounts
within your Exchange organization by making them Account Operators or by using the
following two methods. Both methods use the Active Directory Users and Computers
snap-in. The first is to run the Windows 2003 Delegation of Control Wizard and grant
your Exchange administrator control of the Users container. The second is to create a
new group specifically for Exchange users within the Users container and grant the
Exchange administrator full control of that new group.
You need to gather the following information before running this utility. ForestPrep
prompts for different information depending on whether you are installing a new
Exchange 2003 organization or joining an existing Exchange 5.5 organization.
New Installation
For a new installation of Exchange 2003 Server, the network administrator needs to have
the following information before running ForestPrep:
Note:
Once Exchange is installed, this person or group is able to create other Exchange
administrators by using the Exchange Administration Delegation Wizard.
You should run ForestPrep before installing your first Exchange 2003 server—regardless
of your organization’s topology. However, there are some scenarios (such as in a small
business) in which ForestPrep might not be required.
ForestPrep and DomainPrep both run automatically during Setup, but only if the
Exchange administrator account is a member of the SchemaAdmin and EnterpriseAdmin
groups and if the first Exchange 2003 server installation takes place in the same domain
as the Schema Master.
When this is the case, you do not need to manually execute either utility. By default, the
account with which you have logged on becomes the designated Exchange 2003
administrator.
After you run ForestPrep, be sure to allow enough time for the schema extensions to
replicate throughout all the domains and sub-domains in your organization. Depending on
the geography of your organization and the speed of your network connections between
Windows 2003 sites or domains, this could take some time. You should run DomainPrep
only after you’re sure that the Exchange-specific information has been replicated across
your organization.
DomainPrep in detail
The DomainPrep utility performs the Exchange setup tasks that require DomainAdmin
permissions; it should be run by a member of the DomainAdmin group. You need to run
DomainPrep once in each domain that contains an Exchange 2003 server and in any
domain that hosts Exchange users. These are domains without Exchange servers but with
mail enabled users. Domainprep is necessary for the recipient update service (RUS) and
to create the groups and permissions necessary for Exchange servers to read and modify
user attributes.
DomainPrep creates two new domain groups: Exchange Domain Servers (a Windows
2003 global security group) and Exchange Enterprise Servers (a Windows 2003 domain
local security group).
DomainPrep also creates the Public Folder proxy container in Active Directory. While
ForestPrep works in the forest-wide configuration naming container, the Public Folder
object (a Microsoft Exchange System Object) exists outside this container (this is the
reason why you can’t see public folders with ADSIEDIT, LDP or other LDAP tools).
DomainPrep creates this object on a per-domain basis, under the domain container.
The Exchange Domain Servers global security group contains the computer accounts of
all Exchange servers in the domain. Though it is created by DomainPrep, the Exchange
Domain Servers group is not populated until the actual installation of Exchange 2003.
The Exchange Domain Servers group is necessary for the Recipient Update Service,
which is needed in every domain of your Exchange organization. This includes user
domains, which do not contain Exchange servers but do have mail-enabled users.
Recipient Update Service is used by Exchange to generate and update default and
customized address lists and to process changes made to recipient policies.
The Exchange Enterprise Servers group (a domain local group type) contains every
Exchange Domain Servers group (a domain local group type) in your organization. In
other words, every domain with an Exchange server, along with every domain in which
DomainPrep has been run and that has an active Recipient Update Service, belongs to the
Exchange Enterprise Servers group.
This group is populated immediately when DomainPrep adds the Exchange Domain
Servers group from the current domain to it. Recipient Update Service adds the Exchange
Domain Servers groups from all other domains that have an active Recipient Update
Service.
You must meet the following requirements before you run DomainPrep:
• The account that runs DomainPrep must belong to the domain’s DomainAdmin
group.
• ForestPrep must have already been run in your Windows 2003 forest.
• The schema extensions made by ForestPrep to Active Directory must have
already replicated throughout your organization.
DomainPrep should be executed before installing the first Exchange 2003 server.
DomainPrep is not necessary when:
• The account that is installing the first Exchange 2003 server in the domain is an
Exchange Full Administrator and a member of the DomainAdmins group
• The person who is installing Exchange has EnterpriseAdmin permissions.
• After running ForestPrep, and after all ForestPrep changes are replicated
throughout the forest.
• Before the through Forestprep designated Exchange 2003 administrator can install
the first Exchange 2003 server in the domain.
• Whenever you must create a Recipient Update Service (RUS) for a domain with
mail-enabled users.
• It is also necessary to run Domainprep in an empty Forest Root Domain because
RUS must use it.
The Exchange 2003 version of ADC uses the same schema extensions as Exchange 2003.
So if you install ADC, the setup process updates the Active Directory Schema so you
don’t need to update the Schema with Exchange 2003 Forestprep and vica verse.
With Exchange 2003 you can use the ORGPREPCHECK switch from the EXDEPLOY
tools.
ORGPREPCHECK
View the EXDEPLOY.LOG file in C:\EXDEPLOY LOGS to see if the setup /forestprep
command and the setup /domainprep command have completed successfully.
ORGPREPCHECK verifies the Exchange extensions to the Active Directory Schema, the
existence and membership of the Exchange Domain Servers group and Exchange
Enterprise Servers Group and checks that a global catalog Server is available in a domain
in which DOMAINPREP has been run. The result is displayed in the EXDEPLOY.LOG
file.
Figure 4: EXDEPLOY.LOG file
Conclusion
As you have seen in this article, FORESTPREP and DOMAINPREP are not so mystical
when you understand the basics. FORESTPREP and DOMAINPREP are necessary
components to update the Active Directory Schema to support Exchange 2000 / 2003.
Please keep in mind that Forestprep updates the Windows 2003 Active Directory Schema
and ALL this information must be replicated to all Domain Controllers in the Forest.
The ADC service itself relies on the administrator to define connection agreements.
These agreements name the servers involved in the replication cycle, which direction to
replicate, which objects to replicate, and when to replicate the data.
The ADC uses LDAP to contact both the Exchange 5.5 and Active Directory. LDAP
works efficiently over all types of network links, regardless of whether the connection is
fast, slow, or high latency.
Figure 1: ADC wizard
With the help of the ADC, you can create the following CA (Connection Agreement):
The Public Folder Connection Agreement creates a connector to replicate Public Folder
information (not the content of Public Folders) from Exchange 5.5 to Active Directory.
It is important to know that the Recipient Connection Agreement and Public Folder
Connection Agreement don’t replicate the content of Public Folders and Mailboxes.
Organizations deploy Active Directory Connector (ADC) for four main reasons:
Versions of ADC
The basic replication functionality of ADC is included with Windows 2000. However,
when you install Exchange 2000, an update is installed.
The Windows 2000 ADC, which is included with Windows 2000, replicates directory
information in Exchange 5.5 to Active Directory and vice versa. Through
synchronization, the administrator can perform basic management functions for
Exchange 5.5 users. The Windows 2000 ADC can only replicate the site naming context.
It will synchronize additions or modifications on Exchange 5.5 mailboxes, distributions
lists, and custom recipients.
The Exchange 2000 Server ADC update is an enhanced connector included with
Exchange 2000. The Windows 2000 ADC replicates objects in the Exchange site-naming
context to Active Directory, the Exchange 2000 ADC also replicates data from the
configuration naming context,
Exchange 2000 Service Pack 1 and Service Pack 2 include an update to Active Directory
Connector. Both Updates includes basic functionality as the RTM version but have some
additional features.
The Exchange 2003 ADC is included on the Exchange 2003 CD. It has many
improvments from his predecessor. The most used features are the ADC tools which
gives an Administrator a grahically Wizard for every Step in the ADC deployment
process. I will explain the ADC tools later in this article.
Microsoft Exchange Server 2003 Service Pack 1 (SP1) introduces changes to ADC
Tools. These changes provide better control over the Connection Agreements. These
changes include the ability to start initial replication after you have reviewed the
Connection Agreements.
In the updated ADC Tools, there are two new files that you can use to control Connection
Agreement settings. The files are named …
• Ca_defaults.xml and
• Activate_cas.vbs.
The new ADC Tools functionality is especially useful for large, complicated Exchange
environments. With the Ca_defaults.xml file, you can configure the default settings that
the Connection Agreement Wizard will use when it creates the Connection Agreements.
This gives you the chance to review the new Connection Agreements before they are in
use. After you confirm that the settings are correct, you can use the Activate_cas.vbs file
to change the Connection Agreement schedule to "Always."
The Ca_defaults.xml file and the Activate_cas.vbs file are located in the folder where you
installed the Exchange Server 2003 SP1 ADC.
To do this, the account that you are running Setup from must belong to a member of the
Schema Administrators group or otherwise have permissions to extend the schema.
Note:
Microsoft has changed the Active Directory Schema expansion in Exchange 2003 / ADC
so that both versions use the same Schema. This reduces the replication workload
because the schema has to be extended once.
The ADC Setup creates objects in the Active Directory Configuration container. This
requires that the Administrator who installs ADC belongs to the Enterprise
Administrators group. This permission is a prerequisite of the ADC installation process
and Setup cannot succeed without it.
ADC Setup creates two security groups in the local domain called "Exchange Services".
This requires that the account you are running Setup from belongs to a member of the
Domain Administrators Group or has permissions to create objects in the Users container.
If you delete these groups, you have to reinstall ADC.
If you install additional ADC instances, the schema doesn’t need to be extended and so
the account must not be a member of the Schema Administrator group.
Additional installations in the same domain do not require the creation of either the
Exchange Services or the Exchange Administrators groups. The first ADC installation
into any other Windows 2003 Server domain requires the creation of these groups and
subsequently the proper permissions.
ADC Tools
ADC Tools are available in the Active Directory Connector Services console. ADC Tools
help you correct resource mailbox problems, create connection agreements, and verify
replication between the Exchange 5.5 directory and Active Directory. ADC Tools consist
of the following tools and wizards:
Step 1:
Tool Settings allows you to set the Exchange 5.5 server, LDAP port, and log file path for
ADC Tools. The account you use to run this step must have the View Only Admin role
assigned at the local Exchange 5.5 site level.
Step 2:
Data Collection scans your Exchange 5.5 directory and Active Directory and gathers data
for use in subsequent steps. The account you use to run this step must be a member of the
Domain Administrators group in Active Directory. In addition, the account must have the
View Only Admin role assigned at the local Exchange 5.5 site level.
Step 3:
Resource Mailbox Wizard allows you to match Active Directory accounts to the
appropriate primary mailboxes and stamp other mailboxes with the NTDSNoMatch
attribute, which designates the mailboxes as resource mailboxes. The account you use to
run this step must have the Admin role assigned at the Exchange 5.5 site level for all
Exchange 5.5 sites that contain resource mailboxes.
Step 4:
Connection Agreement Wizard recommends connection agreements based on object
matching data collected in step 1. You can review the list of recommended connection
agreements and select those you want the wizard to create. The account you use to run
this step must be a member of the Domain Administrators group in Active Directory.
Figure 2: ADC Tools
Important
To check the version of your ADC server, open the Active Directory Connector
Microsoft Management Console MMC. Click 'About Active Directory Connector' under
the Help menu on each Active Directory Connector Management Console. This will
show you the version of the ADC on the machine.
To check the version of all the Active Directory Connectors (ADC) in your organization,
use either the LDP tool or the ADSI tool to find the "versionNumber" attribute on the
ADC servers in Active Directory. The versionNumber attribute should be 16973843 or
greater for Exchange 2003 Service Pack 1.
The ADCTOOLS.LOG file is generated when you run ADC Tools in Active Directory
Connector. The ADCTOOLS.LOG file is saved in the directory you specify when you
run the ADC Tools.
Most of the messages that appear in the ADCTOOLS.LOG file also displays in the
Information box in ADC Tools.
Connection Agreements
Installing ADC on a server defines a service within Windows 2003. To create a
replication agreement between an existing Exchange 5.5 site (named Routing Group in
Exchange 2000/2003) and Active Directory, you must configure a connection agreement.
The connection agreement holds information, such as the server names to contact for
replication (Windows 2003 and Exchnage 5.5), object classes to replicate, target
containers in Active Directory, and the replication schedule.
Sometimes when users are unable to get into their mailboxes after their mailboxes have
been migrated, administrators will notice that there is a disabled mailbox-enabled user in
the Active Directory. When they activate this account the
msExchangeUserAccountControl value will be set to 0, which means that that user has
been enabled, and that it should not look at the msExchangeMasterAccountSid - it looks
for an Active Directory SID. Because this users belong to an NT4 domain (the object in
AD is only a place holder object), they don't have an Active Directory SID. Therefore,
when they try to access their mailbox on Exchange 5.5 the access will be denied.
ADCGlobalName and msExchADCGlobalNames
The ADC uses the ADCGlobalName mechanism to keep track of which objects in
Microsoft Exchange Server 5.5 are matched to which objects in Active Directory. The
ADC marks objects with ADCGlobalNames so that when the ADC wants to replicate
changes from a source object to its target object, it can faster determine which object
should be replicated to the target directory.
The ADCGlobalNames attribute has multiple values and contains a unique name for the
object in each directory. For Exchange Server 5.5 directory, this name is the DN of the
object combined with the object's objectclass attribute. For Active Directory, ADC uses
the ObjectGUID attribute. The ADCGlobalNames attribute also contains a value that
uniquely identifies the Exchange organization or Active Directory Forest that the object
comes from.
The LDAP attribute that is used in the Exchange Server 5.5 directory and Active
Directory is the msExchADCGlobalNames attribute. If you use the Exchange 5.5
Administrator program in Raw mode (Admin.exe /r) to view the Exchange Server 5.5
directory, the attribute is displayed as ADC-Global-Names.
When the ADC is working the Threads consume roughly 50 percent of the CPU. This
consumption level is constant until all replication is complete. However, the load placed
on the CPUs of the computers running the directories is relatively low by comparison.
Conclusion
The ADC is a powerful tool to implement a directory connector to replicate directory
information between Exchange 5.5 and Exchange 2003. The ADC is a must have when
you want to migrate from Exchange 5.5 to Exchange 2003.
The ADC is a complex process that requires a deep knowledge of the functions by the
Exchange and Windows administrators.
Exchange Server 2003 Active Directory Integration
The Active Directory schema defines the object classes that can be created in the
directory and the attributes that can be assigned to each instantiation of an object. During
installation of the first server running Exchange Server 2003 in an Active Directory
forest, Exchange must modify this schema so that Active Directory can store Exchange-
specific recipient and configuration information. The ForestPrep process in the Exchange
Setup program extends the Active Directory schema. You can also run this process
explicitly by typing Setup /ForestPrep at a command prompt to add Exchange-specific
classes and attributes to the Active Directory schema, without actually installing a server.
This extra step is required if the person installing Exchange Server 2003 does not have
schema administrator rights.
The Exchange Server 2003 Setup program extends the Active Directory schema by
importing a series of .ldf files into Active Directory. With the exception of Exschema.ldf,
all .ldf files are in the \Setup\i386\Exchange directory on the product CD. Exschema.ldf
is in the \Setup\i386\Exchange\Bin directory.
The following table lists the Exchange Server 2003 installation files with Active
Directory schema extensions with their descriptions.
Schema9.ldf Note:
Schema1.ldf through Schema8.ldf are identical for Exchange Server 2003
and Exchange 2000 Server. Schema9.ldf contains the schema extensions
that are new in Exchange Server 2003.
Adds the Object-GUID, Replication-Signature, Unmerged-Attributes, and
ADC-Global-Names attributes to the schema to update a schema for
Exschema.ldf
versions of Exchange earlier than Exchange 2000 Server Service Pack 1
with the information required for Exchange Server 2003.
Directory Service Access
Exchange Server 2003 services access information that is stored in Active Directory and
write information to Active Directory. If this communication occurred directly between
each service and Active Directory, Exchange Server 2003 could overwhelm an Active
Directory domain controller with communication requests. A central component is
required to streamline communication with Active Directory. This component is the
Directory Service Access (DSAccess) module.
DSAccess is a shared API that is used by multiple components in Exchange Server 2003
to query Active Directory and obtain both configuration and recipient information.
DSAccess is implemented in DSAccess.dll, which is loaded by both Exchange and non-
Exchange components, including system attendant, message transfer agent, Microsoft
Exchange Information Store service, Exchange Management Service, Internet
Information Services (IIS) and Microsoft Windows® Management Instrumentation
(WMI). DSAccess discovers the Active Directory topology, detects domain controllers
and global catalog servers, and maintains a list of valid directory servers that are suitable
for use by Exchange components. In addition, DSAccess maintains a cache that is used to
minimize the load on Active Directory by reducing the number of Lightweight Directory
Access Protocol (LDAP) requests that individual components send to Active Directory
servers.
Important:
DSAccess.dll is the primary DLL that implements DSAccess. To operate properly, the
DSAccess.dll version must match the version of its companion DLLs. The companion
DLLs, Dscmgs.dll and Dscperf.dll, store event log message strings and performance
object providers, respectively.
DSAccess partitions the available directory service servers into the following three
(possibly overlapping) categories:
• Global catalog servers Exchange Server 2003 must access global catalog
servers to obtain complete address information for all recipient objects in the
forest. Only global catalog servers contain a complete replica of all objects in the
domain and a partial replica of all objects in the forest. Global catalog servers that
an Exchange server currently uses are called working global catalog servers.
Almost all Exchange Server 2003 user-context directory service transactions
target global catalogs. Regardless of how many global catalog servers are located
in the local Active Directory site, a maximum of 10 global catalog servers can be
added to the working global catalog list. If there are no global catalog servers in
the local site, or if none of the global catalog servers in the local site pass the
suitability tests, DSAccess uses a maximum of 200 offsite global catalog servers
with the lowest costs. Because the directory service server used for a global
catalog is also itself a domain controller, this server may be used as both types of
directories.
• Domain controllers Domain controllers are used for user-context requests when
the requesting service has sufficient knowledge of the location of the requested
user object in the issued search. These domain controllers are also called working
domain controllers. Working domain controllers are domain controllers in the
local domain that can accept domain naming-context queries. Regardless of how
many domain controllers are located in the local Active Directory site, a
maximum of 10 domain controllers can be added to the working domain
controller list. If there are no domain controllers in the local site, or if none of the
domain controllers in the local site pass the suitability tests, DSAccess uses offsite
domain controllers with the lowest costs.
Queries to working domain controllers are load balanced on a round robin basis to
avoid overloading a single domain controller. If the working domain controllers
are not hard-coded in the registry, the list of working domain controllers is re-
evaluated and regenerated every 15 minutes using the topology discovery process
and suitability tests.
• Configuration domain controllers Exchange Server 2003 can read from
multiple domain controllers. To avoid conflicts when applying configuration
changes to Active Directory, Exchange Server 2003 writes its configuration
information to a single domain controller, called the config domain controller.
When selecting a config domain controller from the list of working domain
controllers, DSAccess gives preference to a domain controller over a global
catalog server. In addition, DSAccess gives preference to a directory server in the
local site before using a directory server in a secondary site.
If the config domain controller becomes unavailable to Exchange Server 2003 for
any reason, DSAccess selects another working domain controller as its config
domain controller. Every eight hours, DSAccess re-evaluates the config domain
controller role by running a set of suitability tests. If the tests are successful,
DSAccess continues to use the same config domain controller. If the tests fail,
DSAccess chooses another domain controller from the list of working domain
controllers as the config domain controller.
The core components of Exchange Server 2003 rely on DSAccess to provide a current list
of Active Directory servers. For example, the MTA routes LDAP queries through the
DSAccess layer to Active Directory. To connect to databases, the store process uses
DSAccess to obtain configuration information from Active Directory. To route messages,
the transport process uses DSAccess to obtain information about the connector
arrangement.
DSAccess updates the list of available global catalogs and domain controllers as changes
in the state of the directory service are detected. This list can be shared with other
directory consumers that do not use DSAccess as their gateway for accessing the
directory service, for example, DSProxy and other components in system attendant. The
service that is requesting this list is responsible for the detection of subsequent directory
service state changes.
Note:
Unless domain controllers and global catalog servers are hard-coded in the registry, the
list of global catalog servers and domain controllers is re-evaluated and regenerated every
15 minutes using a topology discovery process and suitability tests.
LDAP Connection Load Balancing and Failover
In Exchange Server 2003, DSAccess determines the Active Directory topology, opens the
appropriate LDAP connections, and works around server failures. For each available
directory service server, DSAccess opens LDAP connections solely dedicated to each
process that uses DSAccess. DSAccess updates these LDAP connections with directory
service state information (Up, Slow, or Down) that it detects. DSAccess uses this state
information to decide which LDAP connection to use to forward requests to Active
Directory. The set of LDAP connections to available domain controllers and global
catalog servers and their associated states forms the DSAccess profile.
Note:
Because all Exchange Server 2003 and IIS services use the same security context (the
LocalSystem account), it is possible for DSAccess to reuse the LDAP connections from
one request to another. At startup or a topology change, DSAccess opens LDAP
connections to all suitable domain controllers and global catalog servers in the topology.
Note:
To obtain suitability reports in the application event log, you can enable diagnostics
logging for the topology category of the DSAccess service in Exchange System Manager.
The DSAccess topology always contains two lists, the in-site list and the out-of-site list.
The in-site list contains servers from the local Active Directory site of the Exchange
server. The out-of-site list contains servers from other Active Directory sites. Initially,
DSAccess uses only servers from the local site, but when all local servers from a certain
category, for example, global catalog servers, are not suitable, DSAccess immediately
starts using the out-of-site list. DSAccess then keeps checking the local site every five
minutes and fails back as soon as it is possible. User requests are retried on the out-of-site
servers immediately and seamlessly for users.
Some Exchange Server 2003 components, such as the Microsoft Exchange Routing
Engine service, also register with Active Directory to be automatically informed by
Active Directory of any changes to configuration information. This notification
mechanism eliminates polling, but the event registration is per target server. If DSAccess
marks the target server as down, it reissues the event registration and informs the client
process, such as the Routing Engine service, of a change, because the monitored values
could have changed during the process of selecting a new domain controller or global
catalog server.
At startup, DSAccess uses a discovery process to identify the Active Directory topology
and assess the availability of domain controllers and global catalog servers. After startup
is complete, and every 15 minutes thereafter, DSAccess uses an almost identical process
to rediscover the topology and to check for any changes in server availability.
Note:
If you hard code the directory servers that are used by DSAccess, DSAccess bypasses the
discovery process and checks for server suitability only.
The following sequential list outlines the discovery process and indicates differences
between initial discovery and rediscovery:
By default, DSAccess initialization during startup must finish within one minute.
Otherwise, DSAccess stops. One minute is usually long enough for DSAccess to
initialize. If initialization takes longer than one minute, this might indicate a problem
with the network or topology configuration. Although you can extend the time-out
parameter by setting a registry key, you should first determine why initialization takes
longer than expected. To configure the time-out, use the registry setting shown in the
following table.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
Location
\Services\MSExchangeDSAccess
Value TopoCreateTimeoutSecs
Type REG_DWORD
Sets the time-out value for DSAccess initialization in seconds, such as
Description
0x200. The default is 0x3C seconds (1 minute).
Note:
If you set the diagnostics logging level for all categories of the MSExchangeDSAccess
service to Maximum, Exchange System Manager automatically obtains detailed
information about the initialization of DSAccess and places that information in the
application event log.
After DSAccess discovers the Active Directory topology, it determines whether the
discovered list of working domain controllers and global catalog servers is suitable for
use. During initial discovery and ongoing rediscovery, DSAccess determines server
suitability by running a series of suitability tests. Suitability tests fall into two categories:
hard tests and soft tests. Hard tests determine whether the domain controller or global
catalog is a viable candidate for use. If the server fails the hard tests, it is considered
unusable, removed from the list of discovered servers, and the soft tests are not run.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
Location
\Services\MSExchangeDSAccess
Value LdapKeepAliveSecs
Type REG_DWORD
Value Data 0x0
If the registry key does not exist or is not set to 0, DSAccess uses the PING
Description
protocol.
• For more information about the LdapKeepAliveSecs registry key, see Microsoft
Knowledge Base article 320529, "XADM: Using DSAccess in a Perimeter
Network Firewall Scenario Requires a Registry Key Setting."
• Group policy SACL permission Together with the regular access control list
(ACL) permissions, Setup grants all servers running Exchange Server 2003
security access control list (SACL) permission to view ntSecurityDescriptor
attributes. Permission is granted through the SeSecurityPrivilege privilege.
DSAccess reads the security descriptor of the configuration directory partition
object on the server, to verify that the SACL is readable. If the SACL cannot be
read, DSAccess considers the server not suitable.
• Critical data The directory server must be located in a domain in which
DomainPrep was run. The domain must contain the Exchange Server 2003 server
object in the Exchange configuration container.
• Synchronization DSAccess verifies that the server is synchronized by
determining if the isSynchronized attribute on the rootDSE object of the server
is set to TRUE.
• Netlogon DSAccess sends a DSGetDcName remote procedure call (RPC) to the
directory server to test its general suitability. If the directory server is not
synchronized, is out of disk space, or is experiencing other problems, it will not
identify itself as a directory server.
In a perimeter network, in which RPC traffic is not allowed, the Netlogon check
cannot occur. However, the Netlogon check continues to issue RPCs until it fails,
which can take a long time. Because repeated Netlogon checks decrease
performance, you should stop DSAccess from issuing Netlogon checks by
creating the following registry key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
Location
\Services\MSExchangeDSAccess
Value DisableNetLogonCheck
Type REG_DWORD
Value Data 0x0
If the registry key does not exist or is not set to 0, DSAccess performs the
Description
Netlogon check.
For more information, see Microsoft Knowledge Base article 320228, "XGEN: The
"DisableNetLogonCheck" Registry Value and How to Use It."
• Version of the operating system Exchange Server 2003 can use only domain
controllers and global catalog servers running Microsoft Windows Server™ 2003
or Windows 2000 Server Service Pack 3 or later. DSAccess determines whether
the directory server meets these requirements.
After hard tests are complete, DSAccess runs a series of soft tests to determine
which directory servers can accommodate the additional load placed on them by
Exchange Server 2003. To make this determination, DSAccess runs the following
soft suitability tests:
o DNS weight DSAccess uses the weight value of the domain controllers
and global catalog servers, as specified in each server's (SRV) resource
records in Domain Name System (DNS) to determine which server the
client should prefer. A higher weight results in a higher probability that
DSAccess will choose a server. If DSAccess cannot read the weight, it
uses a default weight of 100.
o FSMO primary domain controller role owner If your topology
contains servers running Windows NT® Server 4.0, the directory server
with the Flexible Single Master Operations (FSMO) primary domain
controller (PDC) role will experience heavy loads, making it a less than
ideal candidate for use by Exchange Server 2003. For this reason,
DSAccess performs a soft suitability test to locate the PDC FSMO role
owner, so that it can remove it from the list of suitable directory servers.
o Response time DSAccess performs an LDAP query against the directory
server to check its response time. Response time greater than two seconds
is considered a soft suitability test failure.