The relationship that Exchange Server 2010 has with Active Directory is complex and often misunderstood. Because the directory is no longer local, special services were written for Exchange Server to access and process information in AD. Understanding how these systems work is critical for understanding how Exchange Server interacts with AD.
Understanding DSAccess
DSAccess is one of the most critical services for Exchange Server 2010. DSAccess, via the dsaccess.dll file, is used to discover the current Active Directory topology and direct Exchange Server to various AD components. DSAccess dynamically produces a list of published AD domain controllers and global catalog servers and directs Exchange Server resources to the appropriate AD resources.
In addition to simple referrals from Exchange Server to AD, DSAccess intelligently detects global catalog and domain controller failures, and directs Exchange Server to failover systems dynamically, reducing the potential for downtime caused by a failed global catalog server. DSAccess also caches LDAP queries made from Exchange Server to AD, speeding up query response time in the process.
When the Exchange Server 2010 services start, DSAccess queries Active Directory and determines which domain controllers and global catalogs are available. It also chooses one as the configuration domain controller. A 2081 event in the Application event log is generated. DSAccess then polls Active Directory every 15 minutes to identify changes to site structure, domain controller placement, or other structural changes to Active Directory. A 2080 event in the Application event log is generated each time. Domain controller and global catalog server suitability is determined through LDAP searches and global catalog port queries. Through this mechanism, a single point of contact for Active Directory is chosen and maintained, which is known as the configuration domain controller.
Determining the DSAccess Roles
DSAccess lists identified domain controllers on the Exchange server properties page and identifies servers belonging to either of two groups, as shown in Figure 1:
Domain Controller Servers Being Used by Exchange— Domain controllers that have been identified by DSAccess to be fully operational are shown here.
Global Catalog Servers Being Used by Exchange— Global catalog servers are shown here.
A third role, known as the configuration domain controller, was visible on the properties page in Exchange Server 2003; however, it is not in the same location in Exchange Server 2010:
Configuration domain controller— A single AD domain controller is chosen as the configuration domain controller to reduce the problems associated with replication latency among AD domain controllers. In other words, if multiple domain controllers were chosen to act as the configuration domain controller, changes Exchange Server makes to the directory could conflict with each other. The configuration domain controller role is transferred to other local domain controllers in a site every eight hours.
To determine the default configuration domain controller, view the Event Viewer Application log and search for Event ID 2081. The results of the DSAccess query are listed here as well, as shown in Figure 2.
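One way to run this check from PowerShell, as an added example that is not from the original article: it reads Event IDs 2080 and 2081 from the Application log, prints the most recent 2081 entry, and flags gaps in the 15-minute 2080 polling. The 20-minute tolerance and the one-day window are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): audit DSAccess topology
# events on an Exchange Server 2010 machine. Run locally with rights to read
# the Application log. The filter matches on event ID only, so review the
# printed provider name to confirm each entry comes from Exchange.
$ToleranceMinutes = 20                    # assumption: 15-minute poll plus slack
$Since = (Get-Date).AddDays(-1)           # assumption: look back one day

$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 2080, 2081
        StartTime = $Since
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

if ($events.Count -eq 0) {
    Write-Warning "No 2080/2081 events since $Since. Check the Exchange services."
    return
}

# Event 2081 is written when the services start; its message text carries
# the DSAccess query results, including the configuration domain controller.
$startup = @($events | Where-Object { $_.Id -eq 2081 })
if ($startup.Count -gt 0) {
    $latest = $startup[-1]
    "Last 2081 at {0} from provider '{1}':" -f $latest.TimeCreated, $latest.ProviderName
    $latest.Message
} else {
    Write-Warning "No 2081 event in the window; the services may have started before $Since."
}

# Event 2080 should recur every 15 minutes. A longer gap means topology
# discovery stalled or the services were down during that period.
$polls = @($events | Where-Object { $_.Id -eq 2080 })
for ($i = 1; $i -lt $polls.Count; $i++) {
    $gap = $polls[$i].TimeCreated - $polls[$i - 1].TimeCreated
    if ($gap.TotalMinutes -gt $ToleranceMinutes) {
        "Gap of {0:N0} min between {1} and {2}" -f $gap.TotalMinutes,
            $polls[$i - 1].TimeCreated, $polls[$i].TimeCreated
    }
}

# Flag a stale topology view: the newest poll is older than the tolerance.
if ($polls.Count -gt 0) {
    $age = (Get-Date) - $polls[-1].TimeCreated
    if ($age.TotalMinutes -gt $ToleranceMinutes) {
        Write-Warning ("Last 2080 event is {0:N0} minutes old." -f $age.TotalMinutes)
    }
}
```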
In addition, the default configuration domain controller can be changed to one of your choice by performing the following steps:
1. In the Exchange Management Console, select Server Configuration.
2. In the action pane on the right side, click Modify Configuration Domain Controller.
3. Select the Specify a Domain Controller radio button. You can then click Browse in the Domain section to select the appropriate domain. Then click Browse in the Configuration domain controller section, shown in Figure 3, to manually select the configuration domain controller.
Understanding DSProxy
DSProxy is a component of Exchange Server that parses Active Directory and creates an address book for down-level Outlook (pre–Outlook 2000 SR2) clients. These clients assume that Exchange Server uses its own directory, as opposed to directly using Active Directory, as Outlook 2000 SR2 and later clients do. The DSProxy service provides these higher-level clients with a referral to a CAS server for directory lookups. This enables Exchange Server 2010 clients to obtain all their directory information from the Exchange Server 2010 CAS server role and eliminates the need for them to contact an Active Directory global catalog server directly.
Note
DSProxy uses Name Service Provider Interface (NSPI) instead of LDAP for address list lookups, because NSPI is a more efficient interface for that type of lookup. Only global catalog servers support NSPI, so they are necessary for all client address list lookups.
Outlining the Role of the Categorizer
The SMTP Categorizer is a component of Exchange Server that is used to submit mail messages to their proper destination. When a mail message is sent, the Categorizer queries the DSAccess component to locate an Active Directory server list, which is then directly queried for information that can be used to deliver the message.
Although the Categorizer in Exchange Server gets a list of all global catalog servers from DSAccess, it normally opens only a single LDAP connection to a GC server to send mail, unless a large number of messages are queued for delivery.
Tip
Problems with the Categorizer are often the cause of DNS or AD lookup issues. When troubleshooting mail-flow problems, use message tracking in Exchange Server 2010 to follow the course of a message. If the message stops at the Categorizer, it is often wise to start troubleshooting the issue from a directory access perspective.