Exchange 2007 OWA and ActiveSync fails when PDC Emulator is offline
Hi,
I have a Windows 2008 domain with Exchange 2007 installed on a Windows 2008 server with CAS, HUB and Mailbox role installed. I have 4 Domain Controllers running Windows 2008, each Domain Controller is a Global Catalog server with the Operations Master roles spread across the servers.
We had an issue recently where the DC that holds the PDC Emulator role went offline. This then caused Outlook Web Access and ActiveSync to fail until the PDC Emulator DC was started back up again, this was a day later so Exchange should have defaulted over to another DC? Local Outlook clients were able to send and receive with no issues during this time.
Is there a dependency on the PDC Emulator role by Exchange 2007 OWA or ActiveSync that would have caused them to stop working when this DC was off?
Thanks,
B.
July 25th, 2012 8:15am
Hi
Could you post the output of event 2080 from the application log on one of your Exchange servers? This event shows the results of the AD connectivity test and will indicate if there are any issues with your other DCs.
Steve
July 25th, 2012 8:18am
Hi,
Output from 2080 when PDC was down, PDC is DC3
DC1 CDG 177101171
DC2 CDG 177101171
DC3 CDG 10010000
DC4 CDG 177101171
B.
July 25th, 2012 8:26am
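The event 2080 rows posted above can be decoded field by field. The following is an added example, not part of the thread: the column order and the reachability bit values (1 = GC, 2 = DC, 4 = configuration DC) are taken from the header and description Microsoft gives for this event and are restated here as assumptions, and because the thread's paste has the single-digit fields run together, the parser accepts both that form and the space-separated form the event log shows.

```python
# Per-DC columns after server name and roles, in the order given by the
# header line that event 2080 prints (stated here as an assumption).
COLUMNS = ("enabled", "reachability", "synchronized", "gc_capable", "pdc",
           "sacl_right", "critical_data", "netlogon", "os_version")
# Reachability is a bitmask of the directory roles Exchange could connect to.
REACH_BITS = {1: "GC", 2: "DC", 4: "config DC"}

# Rows as pasted in the thread (single-digit fields run together).
THREAD_ROWS = """\
DC1 CDG 177101171
DC2 CDG 177101171
DC3 CDG 10010000
DC4 CDG 177101171
"""


def parse_row(line):
    """Parse one 'name roles flags' row, space-separated or collapsed."""
    name, roles, *rest = line.split()
    # Every field is one digit, so a collapsed token splits per character.
    digits = [int(ch) for token in rest for ch in token]
    row = {"name": name, "roles": roles,
           "complete": len(digits) == len(COLUMNS)}
    row.update(zip(COLUMNS, digits))
    return row


def unreachable(row):
    """Directory roles Exchange could not connect to on this server."""
    return [label for bit, label in REACH_BITS.items()
            if not row["reachability"] & bit]


def usable_gcs(text):
    """Complete, enabled, GC-capable rows that are reachable in every role."""
    rows = [parse_row(line) for line in text.splitlines() if line.strip()]
    return [r["name"] for r in rows
            if r["complete"] and r["enabled"] and r["gc_capable"]
            and "G" in r["roles"] and not unreachable(r)]


if __name__ == "__main__":
    for line in THREAD_ROWS.splitlines():
        r = parse_row(line)
        bad = unreachable(r)
        state = "ok" if not bad else "unreachable as " + ", ".join(bad)
        print(r["name"], state, "" if r["complete"] else "(row short by a field)")
    print("usable GCs:", usable_gcs(THREAD_ROWS))
```

Run against the thread's rows, only DC3 shows a reachability of 0, and the other three servers decode as fully reachable global catalogs.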
OK, that looks fine. Were there any ADAccess errors during that time? Which DCs are being used as DNS servers on your Exchange machine?
July 25th, 2012 9:19am
Exchange server uses DC1 and DC2 as DNS so no dependency there.
Only error received during downtime was MSExchangeSA error 9385
Microsoft Exchange System Attendant failed to read the membership of the universal security group "<group name/OU=Microsoft Exchange Security Group/cn=Exchange Servers>"; the error code was "<8007203a>". The problem might be that the Microsoft Exchange System Attendant does not have permission to read the membership of the group. If this computer is not a member of the group "<group name>" you should manually stop all Microsoft Exchange services run the task "<task name>" and then restart all Microsoft Exchange services.
The error then went away when the PDC came back up.
July 25th, 2012 9:36am
OK, so restarting the System Attendant service would clear that error and may also restore your ActiveSync and OWA access. Why Exchange isn't switching to another DC when the PDC is down is a bit odd.
What service pack and roll up are you running?
July 25th, 2012 10:02am
You should exclude the PDC emulator from what I remember, it may get picked up by the exchbpa - KB298879.
If the PDC emulator is down then wouldn't you have other AD issues apart from Exchange? It plays a critical role.
bpa recommendation
Sukh
July 25th, 2012 6:54pm
Right, you'll start having problems rather soon if the PDC emulator is down for any significant amount of time.
But what PDCe role would cause Exchange to malfunction as described?
1. Time synchronization. PDC provides accurate time to other domain controllers and they provide accurate time to clients (or non-DC servers). Important for Kerberos (5 minute difference maximum).
Effect on Exchange?
2. Last resort for logon in case of failed authentication (bad password). In case of password change, change is replicated to PDCe first (if possible) so if replication is not complete domain wide, user could still log on, even if authenticated by a DC unaware of the password change (refers to PDCe as last resort).
Effect on Exchange here?
3. PDCe also handles lockout (not sure myself what happens then if PDCe is unavailable).
There too, I don't see how that would affect Exchange.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
July 25th, 2012 11:33pm
Hi
Maybe you need to post the IIS log for your issue.
MSExchangeSA error 9385
You can restart the System Attendant on that Exchange server.
Terence Yu
TechNet Community Support
July 26th, 2012 1:14am
Thanks all for your answers. I understand the error leads to restarting the System Attendant but if there is another global catalog DC available then this shouldn't be the case. Also doesn't answer why only ActiveSync and OWA are not working when the PDC is off???
I will check the IIS logs to see if anything useful there.
July 26th, 2012 5:06am
Going back to my previous question:
>>What service pack and roll up are you running?
Steve
July 26th, 2012 5:31am