Event 2080 in the Application Log contains a wealth of information about how the DSAccess service is interacting with Active Directory. There are different ways to interpret this information as well as other aspects to look for when troubleshooting DSAccess with Exchange Server 2007 and Exchange Server 2003.
After finding out which domain controllers Exchange Server is using and which roles those controllers are performing, look at the Reachability field. Figure 1 shows the Reachability field -- a single-digit number found in the third field of the data section, to the right of the server role codes.
Figure 1. Here's what Event 2080 usually looks like.
The server roles section explains which Active Directory (AD) roles a domain controller should perform; the Reachability field confirms the server's ability to interact with those roles. If you look at the figure above, you'll notice that my server, Tazmania.production.com, has a reachability code of 6.
This means that DSAccess can communicate with the domain controller through port 389 and that it cannot use the server as a global catalog by communicating with it over port 3268. If you look back at the roles for this server, you'll notice that it is not configured as a global catalog server; therefore, the reachability code is consistent with the role codes.
Server DNS.production.com has a reachability code of 7, indicating that the server can communicate with the domain controller over the domain controller port (389) and the global catalog port (3268). Again, this behavior is consistent with the server's role codes.
If you look at the server GFI-DC.production.com, you'll notice that it has a reachability code of 0. This means that the DSAccess service cannot communicate with the server at all. This is completely inconsistent with the server's role codes. This would indicate a serious problem had I not taken the server offline intentionally.
Domain controllers should always have a reachability code of either 6 or 7, depending on whether or not they're acting as a global catalog server. Other reachability codes indicate a problem with either the domain controller or with Exchange server's ability to communicate with the domain controller through the DSAccess Service.
Domain controller permissions
I also recommend making sure that Exchange server has permission to read directory information from the domain controller. Normally, all domain controllers listed should have the necessary permissions in place. But it's still important to check since DSAccess won't try to access a domain controller if it doesn't think it has permission to do so.
You can find the permissions field -- technically referred to as the SACL right field -- in the seventh position. A value of 1 indicates that DSAccess has permission to use the domain controller. A value of 0 indicates that DSAccess doesn't have permission.
In order for an Exchange server to access Active Directory, it must have access to all three server roles. These three roles don't need to exist on the same server, but they do need to be defined on domain controllers that are either in the same AD site as Exchange or in a site within close proximity to Exchange.
Having domain controllers host the appropriate roles is not enough. The DSAccess service must be able to not only confirm that the roles exist, but also use them. Using these roles requires that the domain controller hosting them is reachable. It also requires that the DSAccess service has permission to access the role.
These are the most important requirements; however, they're not the only ones. For example, Exchange Server 2003 can only use domain controllers and global catalog servers that are running Windows 2000 SP3 or higher. A pre-SP3 Windows 2000 domain controller might fulfill other requirements, but if the operating system is insufficient, Exchange Server 2003 will disqualify that domain controller.
You can verify that DSAccess detects a domain controller with a sufficient OS by looking in the last data field for each domain controller (10th position). A value of 1 indicates that the domain controller is running an acceptable OS; a value of 0 indicates that DSAccess considers the OS unacceptable.
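The three checks described in this tip (reachability against the role codes, the SACL right field and the OS version field) can be applied to the data rows of an exported Event 2080 description. The following is an added example, not code from the original article; the sample rows are constructed to match the three servers discussed above, and the role letter `G` for a global catalog is an assumption about the role codes, since the figure is not reproduced here.

```python
import re

# Constructed sample of the Event 2080 data section. Field values are made up
# to match the three cases the article describes; this is not a real log.
SAMPLE_EVENT = """\
In-site:
Tazmania.production.com CD 6 6 0 0 1 1 6 1
DNS.production.com CDG 7 7 1 0 1 1 7 1
GFI-DC.production.com CDG 0 0 0 0 0 0 0 0
"""

# 1-based positions from the article, counting the server name as field 1.
POS_ROLES, POS_REACH, POS_SACL, POS_OS = 2, 3, 7, 10

# A data row: FQDN, role codes, then eight numeric fields (10 fields in all).
ROW = re.compile(r"^\s*(\S+\.\S+)\s+([CDG-]+)((?:\s+\d+){8})\s*$")


def parse_rows(text):
    """Yield one list of 10 fields per domain controller row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # headers such as "In-site:" do not match and are skipped
            yield [m.group(1), m.group(2)] + m.group(3).split()


def check_dc(fields):
    """Return the problems found in one row, using the article's rules."""
    roles = fields[POS_ROLES - 1]
    reach = int(fields[POS_REACH - 1])
    problems = []
    # 7 is expected for a global catalog, 6 for any other domain controller.
    expected = 7 if "G" in roles else 6  # "G" = global catalog (assumed letter)
    if reach != expected:
        problems.append(f"reachability {reach}, expected {expected}")
    if fields[POS_SACL - 1] != "1":
        problems.append("no SACL right (DSAccess lacks permission)")
    if fields[POS_OS - 1] != "1":
        problems.append("OS version not acceptable")
    return problems


def audit(text):
    """Map server name -> problems, for rows with at least one problem."""
    results = {f[0]: check_dc(f) for f in parse_rows(text)}
    return {name: probs for name, probs in results.items() if probs}
```

Calling `audit(SAMPLE_EVENT)` reports only GFI-DC.production.com, the server that was taken offline.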
About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.