
Understanding and troubleshooting DSAccess for Exchange Server 2003

Salim Shaker and Paul Miner


Support Engineers
Enterprise Messaging Support
Microsoft Corporation
Salim Shaker
Salim Shaker joined Microsoft® in 1998 as a support professional for Microsoft Windows® NT® 4.0. He moved on to support Microsoft Windows 2000 Server and Microsoft Internet Security and Acceleration Server 2000. He currently works in the Enterprise Business Application team, where he supports Microsoft Exchange Server 5.5, Exchange 2000 Server, and Exchange Server 2003. Salim has a Master's degree in Business Administration and a Bachelor of Science degree in Computer Engineering. He is a certified Professional Engineer, and a Microsoft Certified System Engineer (MCSE): Messaging.

2
Paul Miner
Paul Miner has worked in the Information Technology
industry for over 25 years. He has worked at Microsoft
for 10 years in technical positions and in leadership
positions. He has been a member of the Exchange
Admin Support team for over three years. Previously,
he was a member of the Platforms Server Networking
team for over five years. He graduated summa cum
laude from DeVry University in Irving, Texas, where
he received a Bachelor of Science degree in Technical
Management. Paul is a certified MCSE: Messaging.

3
Objectives

To enable designers to make the best possible decisions when they deploy servers.
To help administrators troubleshoot directory access problems.

4
Agenda
Description of DSAccess
Advantages of DSAccess
How Exchange components access Active
Directory® directory service
Components that depend on DSAccess
DSAccess discovery
Server suitability

5
Agenda (2)

Server role
Troubleshooting DSAccess
Unique situations
Changes to DSAccess in Exchange Server
2003 Service Pack 2 (SP2)

6
Description of DSAccess

Directory Service Access (DSAccess) is a core component of Exchange 2000 Server and Exchange Server 2003.
DSAccess runs under the Mad.exe service.
DSAccess is implemented as the Dsaccess.dll file.
DSAccess performs auto discovery for Active Directory topology.
DSAccess detects domain controllers and global catalog servers.
DSAccess updates the list of valid directory servers that Exchange components can use.

7
Advantages of DSAccess

DSAccess is a centralized mechanism for Exchange components to receive a list of valid domain controllers.
DSAccess caches information to reduce Lightweight Directory Access Protocol (LDAP) requests.
DSAccess provides a dynamic update for the list of domain controllers on a regular interval.

8
How Exchange components access Active Directory

Referral and proxy
Referral only
No referral

9
Components that depend on DSAccess

10
DSAccess discovery

Exchange 2000 Server SP2 and later versions of Exchange use LDAP
You can disable the discovery process by statically selecting specific domain controllers
Active Directory design
Domain Name System (DNS) design
Discovery occurs at the service startup and then repeats every 15 minutes

11
DSAccess discovery (2)

12
DSAccess discovery (3)

Initialization
LDAP search
Topology discovery
LDAP search in a remote site
Compiling the list of domain controllers

13
Server suitability

Reachability
User rights
Domain preparation
Synchronization

14
Server suitability (2)

NetLogon
DNS priority and weight
Owner of the primary domain controller emulator operations master role (also known as flexible single master operations or FSMO)
Residential site

15
Server role

Configuration domain controller
Working domain controllers
Working global catalog servers

16
How to examine the list of available servers

17
Configuration domain controller

The configuration domain controller is a single domain controller that reads and writes information in the configuration naming context in Active Directory.
DSAccess chooses a domain controller or a global catalog server to act as the configuration domain controller.
This domain controller is used for eight hours or until the server is rebooted or is not available.
A new server is randomly selected that meets the criteria.

18
Working domain controllers

List of up to ten domain controllers
To load balance requests, use a sequential round robin process, use the server request time responses, and use the number of outstanding requests to the server
Seldom used because it has limited information
Cannot process MAPI client requests

19
Working global catalog server

Up to ten global catalog servers that perform forest wide queries
To load balance requests, use a sequential round robin process, use the server request time responses, and use the number of outstanding requests to the server
Handles most requests for searches and lookups
The only server that can support Name Service Provider Interface (NSPI) requests in native mode

20
Troubleshooting DSAccess

Enable logging
Monitor performance counters
Examine DNS configuration
Examine Active Directory site configuration
Verify the domain operation
Partial failure and complete failure

21
DSAccess logging

Enable logging and then search for errors in the Application log.
Logging is enabled through the Diagnostics logging tab for the server in Enterprise System Manager (ESM).
Examine the characteristics of the servers in Event ID 2080.

22
Event ID 2080

23
Event ID 2080 (2)

Characteristics             Description
Server name                 Name of the server
Roles                       (C) configuration, (D) domain controller, (G) global catalog, and (-) cannot be used
Reachability                Can the server be reached on port 389 (DC) or 3268 (GC)
Synchronized                Whether the isSynchronized flag set on the rootDSE of the server is true
Global catalog capable      Boolean (1 or 0)
Primary domain controller   Boolean (1 or 0)

24
Event ID 2080 (3)

Characteristics                            Description
Security Access Control List (SACL) right  Boolean. Specifies whether DSAccess has the necessary permissions to read the SACL.
Critical Data                              Boolean. Specifies whether DSAccess found this Exchange server in the Exchange configuration container.
NetLogon                                   Specifies whether the server is running the NetLogon service.
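
The following added example (not part of the original presentation) parses the server rows of an Event ID 2080 description and lists why each server would be unsuitable. It assumes whitespace-separated rows in the column order of the tables above, a constructed sample event, and that bit 0x1 of the reachability value means the global catalog port 3268 answered.

```python
# Constructed sample of an Event ID 2080 description (not from a real server).
SAMPLE_2080 = """\
In-site:
dc01.example.test  CDG 7 7 1 0 1 1 7
dc02.example.test  CD- 6 7 1 0 1 1 7
dc03.example.test  CDG 7 0 1 1 0 1 7
Out-of-site:
gc09.example.test  --- 0 0 0 0 0 0 0
"""

# Assumed row layout: name, roles, then these columns in the slides' order.
COLUMNS = ("reachability", "synchronized", "gc_capable", "pdc",
           "sacl_right", "critical_data", "netlogon")
# Columns where 0 makes the server unsuitable, and what that means.
ZERO_MEANS = {
    "synchronized": "isSynchronized is not true",
    "sacl_right": "DSAccess cannot read the SACL",
    "critical_data": "Exchange server not found in configuration container",
    "netlogon": "NetLogon not running",
}

def parse_2080(text):
    """Return one dict per server row; rows after 'Out-of-site:' are remote."""
    servers, in_site = [], True
    for line in text.splitlines():
        parts = line.split()
        if line.strip().lower().startswith("out-of-site"):
            in_site = False
        elif (len(parts) >= 9 and len(parts[1]) == 3 and set(parts[1]) <= set("CDG-")
              and all(p.isdigit() for p in parts[2:9])):
            row = dict(zip(COLUMNS, map(int, parts[2:9])))
            servers.append({"name": parts[0], "roles": parts[1], "in_site": in_site, **row})
    return servers

def findings(s):
    """List the reasons this server should not be relied on as a directory server."""
    out = []
    if s["roles"] == "---":
        out.append("not usable for any role")
    if s["reachability"] == 0:
        out.append("unreachable on 389/3268")
    elif s["gc_capable"] and not s["reachability"] & 1:  # assumed: bit 0x1 = port 3268
        out.append("GC port 3268 unreachable")
    return out + [msg for col, msg in ZERO_MEANS.items() if s[col] == 0]

def report(text):
    """Map server name -> findings, for servers that have at least one."""
    return {s["name"]: fs for s in parse_2080(text) if (fs := findings(s))}
```

A server that shows 0 for the SACL right is the case where the later slide suggests running Policytest.exe and possibly setup.exe /domainprep again.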

25
Performance counters

DSAccess has the Ldap Search Time performance counter and the Ldap Read Time performance counter under the MSExchangeDsaccessProcesses performance object.
You could increase mail delivery if you increase the DSAccess cache.
The counters for DSAccess cache hits and misses can help find the optimum cache size.
The performance counters that are mentioned in the following slides have the following format:
Performance Object\Counter

26
Performance counters on the Exchange server

SMTP Server\Categorizer Queue Length
Value should be less than 10
MSExchangeDSAccess Process\LDAP Read Time (for all processes)
Average value should be less than 50 milliseconds (ms)
Spikes (maximum values) should not be greater than 100 ms
MSExchangeDSAccess Process\LDAP Search Time (for all processes)
Use the same average value and spike value as LDAP Read Time counter

27
Performance counters on the global catalogs

Processor\% Processor time (_Total)
CPU utilization should be less than 90 percent
System\Processor Queue Length
Value should be less than 2
Network Interface\Bytes Total/sec
For a 100-megabits per second (Mbps) network interface card (NIC), value should be less than 6 MB/sec
For a 1000-Mbps NIC, value should be less than 60 MB/sec

28
Performance counters on the global catalogs (2)

Network Interface\Packets Outbound Errors
Counter should be zero (0) at all times
PhysicalDisk(NTDS Database Disk)\Average Disk sec/Read
Average value should be less than 20 ms
Spikes should not be greater than 50 ms
PhysicalDisk(NTDS Database Disk)\Average Disk sec/Write
Average value should be less than 20 ms
Spikes should not be greater than 50 ms

29
Performance counters on the global catalogs (3)

PhysicalDisk(NTDS Log Disk)\Average Disk sec/Read
Value should be less than 10 ms
PhysicalDisk(NTDS Log Disk)\Average Disk sec/Write
Value should be less than 10 ms
PhysicalDisk(NTDS Database or Log Disks)\Average Disk Queue Length (< spindles; ignore if on a SAN)
Memory\Available Mbytes (MB) (> 50)
Memory\Pages/sec (< 1000)

30
Performance counters on the global catalogs (4)

PhysicalDisk(NTDS Database or Log Disks)\Average Disk Queue Length
Average value should be less than the number of spindles
Ignore this counter if a Storage Area Network (SAN) is being used
Memory\Available Mbytes (MB)
Must be more than 50 MB of memory available
Memory\Pages/sec
Value should be less than 1000

31
Examine DNS configuration

Examine Exchange Internet Protocol (IP) address
Status of DNS server
Examine host record for Exchange
Verify that the _msdcs key, the _sites key, the _tcp key, and the _udp key exist in the DNS database
Use the Netdiag tool

32
Examine Active Directory site configuration

Run the following commands:
nltest.exe /dsgetsitename
nltest.exe /dsgetdc:<DomainName>
Dcdiag.exe
Policytest.exe
You may have to run setup.exe /domainprep again

33
Verify the health of Active Directory servers

Get the list of detected domain controllers and global catalog servers that is reported in Event ID 2080
Examine DNS
LDP tool

34
Verify the health of Active Directory servers (2)

CPU use
Memory in each Active Directory server
Matching date and time on each reported Active Directory server
Application log and System log

35
Partial failure and complete failure

Complete failure is handled well. DSAccess fails over to other available global catalogs.
Partial failure does not force DSAccess to fail to other available global catalogs. However, it might report errors.
Microsoft Outlook® 2000 clients must be restarted to clear the universally unique identifier (UUID) cache.

36
Unique situations

Promote/demote domain controller to member server
Promote/demote global catalog to member server
Change the role from domain controller to global catalog or vice versa

37
Changes to DSAccess in Exchange Server 2003 SP2

Changes to DSAccess affect situations where Exchange server and clients are in different domains.
In versions of Exchange earlier than Exchange Server 2003 SP2, clients were referred to global catalogs in the domain of the Exchange server.
Clients could not configure delegates or distribution lists.
Clients are now referred to a global catalog in their own domain.
This change could increase the global catalog load in the user account domain.
Monitor the load before and after Exchange Server 2003 SP2.
A new event exists for LDAP referral.

38
Additional resources
Understanding and troubleshooting Directory Access
white paper
http://www.microsoft.com/technet/prodtechnol
/exchange/2000/library/utda.mspx
Exchange Server 2003 deployment guide
http://www.microsoft.com/technet/prodtechnol
/exchange/2003/library/depguide.mspx
Ruling out Active Directory-bound problems
http://www.microsoft.com/technet/prodtechnol
/exchange/guides/TrblshtE2k3Perf/8d4b5381
-bdab-44bc-9df4-35e9d6192b86.mspx

Note: The URLs in this presentation should be entered all on one line. They are wrapped here for readability.

39
Additional resources (2)

Troubleshooting Exchange Server 2003 performance
http://www.microsoft.com/technet/prodtechnol
/exchange/2003/library/e2k3perf.mspx
Troubleshooting Exchange 2000 performance
http://www.microsoft.com/technet/prodtechnol/exchange
/2000/library/te2kperf.mspx
The new Directory Service Access algorithm may cause
a larger load on global catalog servers in Exchange
Server 2003 Service Pack 2
http://support.microsoft.com/kb/908443

40
Additional resources (3)

Description of the DNS SRV resource record type
http://support.microsoft.com/kb/232025
XADM: Exchange Considerations for promoting a domain
controller to a global catalog server
http://support.microsoft.com/kb/304403
XGEN: Useful Windows 2000 performance monitor
counters to analyze DSAccess behavior
http://support.microsoft.com/kb/246281

41
Thank you for joining us for today’s event.

For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), visit the Support WebCast site at http://support.microsoft.com/WebCasts/

We sincerely appreciate your feedback. Please submit any comments or suggestions about the Support WebCasts on the “Contact Us” page of the Support Web site at http://support.microsoft.com/servicedesks/webcasts/feedback.asp.

© 2005 Microsoft Corporation. All rights reserved.


This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
