In Exchange 2000 Service Pack 2 (SP2) and Exchange 2003, DSAccess (a Directory Service Access component) generates a topology detection event in the Exchange 2000 or the Exchange 2003 server application log. This article describes how you can use the information that is contained in Event ID 2080 to help diagnose Exchange DSAccess issues.
To see this event, you must increase diagnostics logging on the MSExchangeDSAccess category:
- From Exchange 2000 or Exchange 2003, click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
- Expand your organization name, expand Administrative Groups, expand Applicable Administrative Group, and then expand Servers.
- Right-click Applicable Exchange server name, and then click Properties.
- Click the Diagnostics Logging tab, click MSExchangeDSAccess Service in the left pane, and then click Topology in the right pane.
- Set the logging level to Medium or higher, click Apply, and then click OK.
- If possible, restart the Exchange server to see the initial topology detection.
With topology detection increased to the higher diagnostic level, you can see the following event ID in the application log:
Event Type: Information
Event Source: MSExchangeDSAccess
Event Category: Topology
Event ID: 2080
Computer: MyComputer
Description:
Process MAD.EXE (PID=1808). DSAccess has discovered the following servers with the following characteristics:
(Server name | Roles | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
domaincontroller1.company.com CDG 7 7 1 0 0 1 7 1
domaincontroller2.company.com CDG 7 7 1 0 1 1 7 1
domaincontroller3.company.com CDG 7 7 1 0 1 1 7 1
Out-of-site:

For more information, click http://search.support.microsoft.com/search/?adv=1.
The following list describes the columns in event ID 2080 and their contents:
- Server name: The first column indicates the name of the domain controller that the rest of the data in the row corresponds to.
- Roles: The second column shows whether or not the particular server can be used as a configuration domain controller (column value C), a domain controller (column value D), or a global catalog server (column value G) for this particular Exchange server. A letter in this column means that the server can be used for the designated function, and a hyphen (-) means that the server cannot be used for that function. In the example that is described earlier in this article, the Roles column contains the value CDG to show that the service can use the server for all three functions.
- Reachability: The third column shows whether the server is reachable by a Transmission Control Protocol (TCP) connection. The value is a set of bit flags combined with a bitwise OR. 0x1 means the server is reachable as a global catalog server (port 3268), 0x2 means the server is reachable as a domain controller (port 389), and 0x4 means the server is reachable as a configuration domain controller (port 389). In other words, if a server is reachable as a global catalog server and as a domain controller but not as a configuration domain controller, the value is 3. In the example that is described earlier in this article, the value 7 in the third column means that the server is reachable as a global catalog server, as a domain controller, and as a configuration domain controller (0x1 | 0x2 | 0x4 = 0x7).
- Synchronized: The fourth column shows whether the "isSynchronized" flag on the rootDSE of the domain controller is set to TRUE. The value uses the same bit flags, combined with a bitwise OR, as the Reachability column.
- GC capable: The fifth column is a Boolean expression that states whether the domain controller is a global catalog server.
- PDC: The sixth column is a Boolean expression that states whether the domain controller is a primary domain controller for its domain.
- SACL right: The seventh column is a Boolean expression that states whether DSAccess has the correct permissions to read the SACL (part of nTSecurityDescriptor) against that directory service.
- Critical Data: The eighth column is a Boolean expression that states whether DSAccess found this Exchange server in the configuration container of the domain controller listed in Server name column.
- Netlogon Check: The ninth column (added in Exchange 2000 SP3) states whether DSAccess successfully connected to a domain controller’s Net Logon service. This requires the use of Remote Procedure Call (RPC), and this call may fail for reasons other than a server that is down. For example, firewalls may block this call. So, if there is a 7 in the ninth column, it means that the Net Logon service check was successful for each role (domain controller, configuration domain controller, and global catalog).
- OS Version: The tenth column (added in Exchange 2003) states whether the operating system of the listed domain controller is running at least Microsoft Windows 2000 Service Pack 3 (SP3). Exchange 2003 only uses domain controllers or global catalog servers that are running Windows 2000 SP3 or later. A Boolean expression of 1 means the domain controller satisfied the operating system requirements of Exchange 2003 for use by DSAccess.
How to Use the Information in Event ID 2080 to Diagnose DSAccess Problems
When you review the Event ID 2080 message, look at the Roles column first. There should be at least one server that can service the C role, at least one server that can service the D role, and at least one server that can service the G role. If there is a hyphen instead of a letter in any of these spaces, review your topology. Confirm that you have at least one domain controller and one global catalog server either in the site that your Exchange server is in or in the closest connected sites with the lowest siteLink cost.
Next, look at the Reachability column. Generally, you see one of several possible numbers in this column. If the domain controller is a domain controller but not a global catalog server (Roles column shows "CD-"), this number is 6 (0x2 | 0x4) to signify that the server's domain controller port (389) is reachable by a TCP connection. If the domain controller is a global catalog server (Roles column shows "CDG"), this number is 7 (0x1 | 0x2 | 0x4), which signifies that the server's domain controller port (389) and global catalog server port (3268) are reachable by a TCP connection. If you see other numbers here (especially 0), there may be a problem with the connection from the Exchange server to the directory service.
Next, look at the SACL right column. DSAccess does not use any domain controller that does not have permissions to read the SACL on the nTSecurityDescriptor attribute in the domain controller. You must have at least one server that satisfies each role (C, D, or G), that is reachable for that role (the appropriate bit flag set in the Reachability column), and that shows 1 in the SACL right column. If you do not have these servers, confirm that the domain controller that shows 0 in the SACL right column has been domain-prepped, and then confirm that your Recipient Update Services are configured properly.
For additional information about SeSecurityPrivilege right and policytest issues, click the article number below to view the article in the Microsoft Knowledge Base:
XADM: Exchange 2000 Error Messages Are Generated Because of SeSecurityPrivilege Right and Policytest Issues
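The column decoding and the Roles, Reachability and SACL right checks described above can be applied to an event description programmatically. The following is an added example, not part of the original article or of any Microsoft tool; the function names are hypothetical, and it assumes one server row per line, as Event Viewer displays the description.

```python
import re

# Bit flags shared by the Reachability, Synchronized and Netlogon columns.
ROLE_BITS = {"G": 0x1, "D": 0x2, "C": 0x4}
# Name, three role letters (or hyphens), then 6 to 8 numeric columns
# (Netlogon arrived in Exchange 2000 SP3, OS Version in Exchange 2003).
ROW = re.compile(r"^(\S+)\s+([CDG-]{3})((?:\s+\d+){6,8})\s*$")
FIELDS = ["reach", "sync", "gc", "pdc", "sacl", "critical", "netlogon", "os_ok"]

# Server rows from the example event on this page, one row per line.
SAMPLE = """In-site:
domaincontroller1.company.com CDG 7 7 1 0 0 1 7 1
domaincontroller2.company.com CDG 7 7 1 0 1 1 7 1
domaincontroller3.company.com CDG 7 7 1 0 1 1 7 1
Out-of-site:
"""

def parse_2080(description):
    """Return one dict per server row, tagged in-site or out-of-site."""
    servers, scope = [], None
    for line in description.splitlines():
        line = line.strip()
        if line.lower().startswith(("in-site:", "out-of-site:")):
            scope, line = line.split(":", 1)      # a row may follow the marker
            scope, line = scope.lower(), line.strip()
        m = ROW.match(line)
        if m:
            nums = [int(n) for n in m.group(3).split()]
            row = dict.fromkeys(FIELDS)           # absent columns stay None
            row.update(zip(FIELDS, nums))
            servers.append({"name": m.group(1), "scope": scope, "roles": m.group(2), **row})
    return servers

def usable_servers(servers):
    """Per role: servers that hold it, are reachable for it, and show SACL right 1."""
    return {role: [s["name"] for s in servers
                   if role in s["roles"] and s["reach"] & ROLE_BITS[role] and s["sacl"] == 1]
            for role in "CDG"}

def findings(servers):
    """Flag rows that fail the Reachability or SACL right check, then uncovered roles."""
    out = []
    for s in servers:
        expected = sum(bit for role, bit in ROLE_BITS.items() if role in s["roles"])
        if (s["reach"] & expected) != expected:
            out.append(f"{s['name']}: reachability {s['reach']} does not cover roles {s['roles']}")
        if s["sacl"] == 0:
            out.append(f"{s['name']}: SACL right is 0")
    out += [f"no usable server for role {r}" for r, n in usable_servers(servers).items() if not n]
    return out
```

Run against the sample event, `findings(parse_2080(SAMPLE))` reports only that domaincontroller1.company.com shows 0 in the SACL right column; the other two servers cover all three roles.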
If the troubleshooting steps described in this article do not solve the problem, capture a RegTrace of DSAccess startup and initial topology discovery. To do so:
- Shut down all DSAccess processes. On a functional Exchange 2000 or Exchange 2003 server, the following processes typically have DSAccess loaded:
  - Mad.exe (MSExchangeSA)
  - Emsmta.exe (MSExchangeMTA)
  - Store.exe (MSExchangeIS)
  - Winmgmt.exe (WinMgmt)
  - Inetinfo.exe (Several Services within)
  - Exmgmt.exe (MSExchangeMGMT)
  If you cannot restart the server, you can still stop all services that use DSAccess by running the following commands:
  - net stop msexchangesa /y
  - net stop iisadmin /y
  - net stop winmgmt /y
  To confirm that all processes using DSAccess have stopped, run the following command:
  tlist -m dsaccess.dll
  When you see the following output, you have successfully shut down all processes using DSAccess:
  No tasks found using DSACCESS.DLL
- Turn on tracing. For additional information about how to turn on tracing, click the article number below to view the article in the Microsoft Knowledge Base:
XCON: How to Set Up Regtrace for Exchange 2000
- Start Exchange System Attendant (to start Exchange System Attendant from the command line, type net start msexchangesa).
- Wait for the failing DSAccess topology events to go by in Event Viewer, stop the RegTrace procedure, and then contact Microsoft Product Support Services (PSS) to interpret the output. For more information about how to contact PSS, visit the Microsoft Product Services Web site: