Exchange DSAccess Event Analysis

Source: Internet
Author: User

This article describes how to use the information contained in event ID 2080 to help diagnose Exchange DSAccess issues.

Many administrators run into communication problems between Active Directory domain controllers and Exchange servers. How do you troubleshoot them? The simplest way is to look at the relevant entries in Event Viewer. This article looks at event ID 2080 and how it helps diagnose Exchange DSAccess issues. When the mail server starts and the Microsoft Exchange Active Directory Topology service starts, a list of available and accessible domain controllers is built through DNS resolution and SRV records, covering both the local and remote Active Directory sites.


In earlier Exchange versions (Exchange 2000 or Exchange 2003), to see the event you must increase diagnostic logging for the MSExchangeDSAccess category and restart the related service.

Event ID 2080 in the Application log:

Event Type: Information

Event Source: MSExchangeDSAccess

Event Category: Topology

Event ID: 2080

Computer: mycomputer

Description:

Process MAD.EXE (PID=1808). DSAccess has discovered the following servers with the following characteristics:

(Server name | Roles | Reachability | Synchronized | GC Capable | PDC | SACL Right | Critical Data | Netlogon | OS Version)

In-site:

Domaincontroller1.company.com CDG 7 7 1 0 0 1 7 1

Domaincontroller2.company.com CDG 7 7 1 0 1 1 7 1

Domaincontroller3.company.com CDG 7 7 1 0 1 1 7 1

Out-of-site:

Let's look at the columns of event ID 2080 and what each one contains:

  • Server name: The first column gives the name of the domain controller that the rest of the row describes.
  • Roles: The second column shows whether this particular server can be used by this particular Exchange server as a configuration domain controller (column value C), a domain controller (column value D), or a global catalog server (column value G). In the example earlier in this article, the Roles column contains CDG, which shows that the service can use the server for all three functions.
  • Reachability: The third column shows whether the server can be reached over a Transmission Control Protocol (TCP) connection. The bit flags are combined with OR. 0x1 means the server is reachable as a global catalog server (port 3268), 0x2 means it is reachable as a domain controller (port 389), and 0x4 means it is reachable as a configuration domain controller (port 389). In other words, if the server is reachable as a global catalog server and as a domain controller but not as a configuration domain controller, the value is 3. In the example earlier in this article, the value 7 in the third column means that the server is reachable as a global catalog server, a domain controller, and a configuration domain controller (0x1 | 0x2 | 0x4 = 0x7).
  • Synchronized: The fourth column shows whether the "isSynchronized" flag on the domain controller's rootDSE is set to TRUE. These values use the same OR-combined bit flags as the Reachability column.
  • GC Capable: The fifth column is a Boolean value that indicates whether the domain controller is a global catalog server.
  • PDC: The sixth column is a Boolean value that indicates whether the domain controller is the primary domain controller for its domain. A value of 0 means it is not.
  • SACL Right: The seventh column is a Boolean value that indicates whether DSAccess has the correct permissions to read the SACL of the directory service.
  • Critical Data: The eighth column is a Boolean value that indicates whether DSAccess found the Exchange server in the configuration container of the domain controller listed in the Server name column.
  • Netlogon: The ninth column shows whether DSAccess connected successfully to the domain controller's Net Logon service. The check uses a remote procedure call (RPC), and the call can fail for reasons other than the server being shut down. For example, a firewall might block it. A 7 in the ninth column therefore means that the Net Logon check succeeded for each role (domain controller, configuration domain controller, and global catalog).
  • OS Version: The tenth column shows whether the listed domain controller is running at least Microsoft Windows Service Pack 3 (SP3). Exchange 2003 uses only domain controllers or global catalog servers that are running Windows SP3 or later. A value of 1 means that the domain controller meets the operating system requirement for DSAccess.

How to use the information in event ID 2080 to diagnose DSAccess problems

1. Confirm server roles and types in the current environment

When you read an event ID 2080 message, look at the Roles column first. There should be at least one server that can provide the C role, at least one that can provide the D role, and at least one that can provide the G role. If you see a hyphen in place of any of these letters, review your topology. Make sure that you have at least one domain controller and one global catalog server in the Exchange server's site, or in a site connected by the lowest-cost site link.

2. Next, check connectivity between Exchange and the Active Directory domain

Look at the Reachability column. You will typically see one of a few possible numbers here. If the server is a domain controller but not a global catalog server (the Roles column displays "CD-"), the number is 6 (0x2 | 0x4), which means the server's domain controller port (389) is reachable over TCP. If the server is a global catalog server (the Roles column displays "CDG"), the number is 7 (0x1 | 0x2 | 0x4), which means both the domain controller port (389) and the global catalog port (3268) are reachable over TCP. If you see other numbers here (especially 0), there may be a problem with the connection from the Exchange server to the directory service.

3. Confirm Exchange Server domain readiness conditions

Next, look at the SACL Right column. DSAccess does not use any domain controller on which it lacks permission to read the SACL on the nTSecurityDescriptor attribute. For each role (C, D, and G) there must be at least one server that holds the role, is reachable for it (the appropriate bit flag is set in the Reachability column), and shows 1 in the SACL Right column. If you have no such server, confirm that domain preparation has been run for the domain of every domain controller that shows 0 in the SACL Right column, and verify that your Recipient Update Service is configured correctly.
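The three checks above, applied to the text of an event ID 2080 description, as an added example that is not part of the original article. The function names `parse_2080` and `diagnose` and the out-of-site row `dc9.example.test` are constructed for illustration; the bit values are the ones given for the Reachability column.

```python
import re

# Reachability bits per role letter: G = 0x1 (3268), D = 0x2 (389), C = 0x4 (389).
ROLE_BITS = {"G": 0x1, "D": 0x2, "C": 0x4}
FIELDS = ("reach", "sync", "gc", "pdc", "sacl", "critical", "netlogon", "os")
ROW = re.compile(r"^(\S+)\s+([CDG-]{3})((?:\s+\d+){8})\s*$")

# Constructed sample: the In-site rows from the event shown above, plus one
# made-up Out-of-site row whose global catalog port is not reachable.
SAMPLE = """\
In-site:
Domaincontroller1.company.com CDG 7 7 1 0 0 1 7 1
Domaincontroller2.company.com CDG 7 7 1 0 1 1 7 1
Domaincontroller3.company.com CDG 7 7 1 0 1 1 7 1
Out-of-site:
dc9.example.test CDG 6 6 1 0 1 1 6 1
"""

def parse_2080(description):
    """Return one dict per server row in an event ID 2080 description."""
    servers, scope = [], None
    for line in description.splitlines():
        line = line.strip()
        if line.lower() in ("in-site:", "out-of-site:"):
            scope = line.rstrip(":")
            continue
        m = ROW.match(line)
        if m:
            row = dict(zip(FIELDS, map(int, m.group(3).split())))
            row.update(name=m.group(1), roles=m.group(2), scope=scope)
            servers.append(row)
    return servers

def diagnose(servers):
    """Apply the three checks; return (usable servers per role, findings)."""
    usable = {role: [] for role in "CDG"}
    findings = []
    for s in servers:
        if not s["sacl"]:  # step 3: DSAccess will not use this server at all
            findings.append(f"{s['name']}: SACL right is 0")
            continue
        for role, bit in ROLE_BITS.items():
            if role in s["roles"] and s["reach"] & bit:  # steps 1 and 2
                usable[role].append(s["name"])
            elif role in s["roles"]:
                findings.append(f"{s['name']}: role {role} not reachable")
    findings += [f"no usable server for role {r}" for r in "CDG" if not usable[r]]
    return usable, findings
```

On the sample, Domaincontroller1 is rejected because its SACL Right column is 0 even though it is fully reachable, which is easy to miss when reading the raw row.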

These parameters let us determine clearly whether the mail server can communicate with Active Directory. If there are no usable domain controllers in your environment, common symptoms include:

1. Exchange Server services fail to start normally;

2. The Exchange Management Console and Exchange PowerShell commands cannot be opened;

3. Users cannot log on to OWA even with the correct account and password;

4. Active Directory related errors appear in Event Viewer.

If you find that Exchange and the domain controllers cannot communicate, first check the firewall settings and rule out antivirus scanning as the cause. Also verify that Group Policy does not impose a corresponding restriction.

Example:

Judging from the parameters above, an Active Directory server has been detected in the site, and the connection to the dj-ad01.djclouds.com server is normal.
