The relationship that Exchange Server 2007
has with Active Directory is complex and often misunderstood. Because
the directory is no longer local, special services were written for
Exchange to access and process information in AD. Understanding how
these systems work is critical for understanding how Exchange interacts
with AD.
Understanding DSAccess
DSAccess is one of the most critical services for Exchange Server 2007. DSAccess, via the dsaccess.dll
file, is used to discover current Active Directory topology and direct
Exchange to various AD components. DSAccess dynamically produces a list
of published AD domain controllers and global catalog servers and
directs Exchange resources to the appropriate AD resources.
In addition to simple referrals from Exchange to
AD, DSAccess intelligently detects global catalog and domain controller
failures, and directs Exchange to failover systems dynamically,
reducing the potential for downtime caused by a failed global catalog
server. DSAccess also caches LDAP queries made from Exchange to AD,
speeding up query response time in the process.
DSAccess polls the Active Directory
every 15 minutes to identify changes to site structure, domain
controller placement, or other structural changes to Active Directory.
By making effective use of LDAP searches and global catalog port
queries, domain controller and global catalog server suitability is
determined. Through this mechanism, a single point of contact for the
Active Directory is chosen, which is known as the configuration domain
controller.
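The port queries described above can be approximated by hand when checking directory reachability from an Exchange server. The following is an added example, not DSAccess code and not part of the original text: it assumes PowerShell 2.0 or later on a domain-joined host, the standard LDAP (389) and global catalog (3268) ports, and an arbitrary 3-second timeout. The function name Test-TcpPort is hypothetical.

```powershell
# Added example, not DSAccess's own algorithm: it checks reachability only.
Add-Type -AssemblyName System.DirectoryServices

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false                 # no answer within the timeout
        }
        $client.EndConnect($pending)      # throws if the connection failed
        return $true
    }
    catch   { return $false }
    finally { $client.Close() }
}

# Enumerate the domain controllers of the current domain through .NET.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$report = foreach ($dc in $domain.DomainControllers) {
    # The GC lookup can throw when the directory cannot be reached.
    $isGc = $null
    try { $isGc = $dc.IsGlobalCatalog() } catch { }

    # Only a global catalog server is expected to listen on 3268.
    $gcPort = $null
    if ($isGc) { $gcPort = Test-TcpPort -ComputerName $dc.Name -Port 3268 }

    New-Object PSObject -Property @{
        Name          = $dc.Name
        Site          = $dc.SiteName
        GlobalCatalog = $isGc
        Ldap389       = Test-TcpPort -ComputerName $dc.Name -Port 389
        Gc3268        = $gcPort
    }
}

$report | Sort-Object Site, Name |
    Format-Table Name, Site, GlobalCatalog, Ldap389, Gc3268 -AutoSize
```

A server that Exchange lists as in use but that shows False in either port column here is a reasonable first place to look when directory lookups fail.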
Determining the DSAccess Roles
DSAccess lists identified domain controllers on
the Exchange server properties page and identifies servers belonging to
either of two groups, as shown in Figure 1.
Domain Controller Servers Being Used by Exchange— Domain controllers that have been identified by DSAccess to be fully operational are shown here.
Global Catalog Servers Being Used by Exchange— Global catalog servers are shown here.
A third role, known as the configuration domain
controller, was visible on the properties page in Exchange 2003;
however, it is not in the same location in Exchange 2007.
Configuration domain controller—
A single AD domain controller is chosen as the configuration domain
controller to reduce the problems associated with replication latency
among AD domain controllers. In other words, if multiple domain
controllers were chosen to act as the configuration domain controller,
changes Exchange makes to the directory could conflict with each other.
The configuration domain controller role is transferred to other local
domain controllers in a site every 8 hours.
To determine the default configuration domain
controller, view the Event Viewer application log and search for Event
ID 2150. The results of the DSAccess query are listed here as well, as shown in Figure 2.
In addition, the default configuration domain controller can be changed to one of your choice by performing the following steps:
1. In the Exchange Management Console, select Server Configuration.
2. In the action pane on the right side, click Modify Configuration Domain Controller.
3. You can click Browse to select the appropriate domain, and then place a check in the Configuration Domain Controller check box. Then click Browse, shown in Figure 3, to manually select the configuration domain controller.
Understanding DSProxy
DSProxy is a component of Exchange that parses Active Directory and creates an
address book for down-level Outlook (pre–Outlook 2000 SR2) clients.
These clients assume that Exchange uses its own directory, as opposed to
using Active Directory directly, as Outlook 2000 SR2 and
later clients do. The DSProxy service provides these newer
clients with a referral to an Active Directory global catalog server,
which they then use without accessing the Exchange servers directly. The
newer Outlook clients do not refresh this information unless a server
failure has occurred or the client is restarted.
Note
DSProxy uses Name Service Provider Interface
(NSPI) instead of LDAP for address list lookups, because NSPI is a more
efficient interface for that type of lookup. Only global catalog servers
support NSPI, so they are necessary for all client address list
lookups.
Outlining the Role of the Categorizer
The
SMTP Categorizer is a component of Exchange that is used to submit mail
messages to their proper destination. When a mail message is sent, the
Categorizer queries the DSAccess component to locate an Active Directory
server list, which is then directly queried for information that can be
used to deliver the message.
Although the Categorizer in Exchange gets a list
of all global catalog servers from DSAccess, it normally opens only a
single LDAP connection to a GC server to send mail, unless a large
number of messages are queued for delivery.
Tip
Problems with the Categorizer are
often the cause of DNS or AD lookup issues. When troubleshooting
mail-flow problems, use message tracking in Exchange Server 2007 to
follow the course of a message. If the message stops at the Categorizer,
it is often wise to start troubleshooting the issue from a directory
access perspective.