Hi, I have a Windows 2008 domain with Exchange 2007 installed on a Windows 2008 server with CAS, HUB and Mailbox role installed. I have 4 Domain Controllers running Windows 2008, each Domain Controller is a Global Catalog server with the Operations Master roles spread across the servers. We had an issue recently where the DC that holds the PDC Emulator role went offline. This then caused Outlook Web Access and ActiveSnyc to fail until the PDC Emulator DC was started back up again, this was a day later so Exchange should have defaulted over to another DC? Local Outlook clients where able to send and receive with no issues during this time. Is there a dependancy on the PDC Emulator role by Exchange 2007 OWA or ActiveSync that would have caused them to stop working when this DC was off? Thanks, B.

Hi Could you post the output of event 2080 from the application log on one of your Exchange servers? This event shows the results of the AD connectivity test and will indicate if there are any issues with your other DCs. Steve

Hi, Output from 2080 when PDC was down, PDC is DC3 DC1 CDG 177101171 DC2 CDG 177101171 DC3 CDG 10010000 DC4 CDG 177101171 B.

OK, that looks fine. Were there any ADAccess errors during that time? Which DCs are being used as DNS servers on your Exchange machine?

Exchange server uses DC1 and DC2 as DNS so no dependancy there Only error received during downtime was MSExchangeSA error 9385 Microsoft Exchange System Attendant failed to read the membership of the universal security group "<group name/OU=Microsoft Exchange Security Group/cn=Exchange Servers>"; the error code was "<8007203a>". The problem might be that the Microsoft Exchange System Attendant does not have permission to read the membership of the group. If this computer is not a member of the group "<group name>" you should manually stop all Microsoft Exchange services run the task "<task name>" and then restart all Microsoft Exchange services. The error then went away when the PDC came back up.

OK, so restarting the System Attendant service would clear that error and may also restore your ActiveSync and OWA access. As to why Exchange isn't switching to another DC when the PDC is down is a bit odd. What service pack and roll up are you running?

You should exclude the pdc emulator from what i remember, it may get picked up by the exchbpa - kb298879If the PDC emulator iz down then wouldnt you have other AD issue apart from exch, it plays a critical role. bpa recommendation Sukh

Right, you'll start having problems rather soon if the PDC emulator is down for any significant amount of time. But what PDCe role would cause Exchange to malfunction as described? 1. Time synchronization. PDC provides accurate time to other domain controllers and they provide accurate time to clients (or non-DC servers). Important for Kerberos (5 minute difference maximum). Effect on Exchange? 2. Last resort for logon in case of failed authentication (bad password). In case of password change, change is replicated to PDCe first (if possible) so if replication is not complete domain wide, user could still log on, even if authenticated by a DC unaware of the password change (refers to PDCe as last resort). Effect on Exchange here? 3. PDCe also handles lockout (not sure myself what happens then if PDCe is unavailable). There too, I don't see how that would affect Exchange.Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

Right, you'll start having problems rather soon if the PDC emulator is down for any significant amount of time. But what PDCe role would cause Exchange to malfunction as described? 1. Time synchronization. PDC provides accurate time to other domain controllers and they provide accurate time to clients (or non-DC servers). Important for Kerberos (5 minute difference maximum). Effect on Exchange? 2. Last resort for logon in case of failed authentication (bad password). In case of password change, change is replicated to PDCe first (if possible) so if replication is not complete domain wide, user could still log on, even if authenticated by a DC unaware of the password change (refers to PDCe as last resort). Effect on Exchange here? 3. PDCe also handles lockout (not sure myself what happens then if PDCe is unavailable). There too, I don't see how that would affect Exchange.Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

Hi Maybe you need post IIS log of your issue. MSExchangeSA error 9385 You can restart the System Attendant on that Exchange server.Terence Yu TechNet Community Support

Thanks all for your answers. I understand the error leads to restarting the System Attendant but if there is another global catalog DC available then this shouldn't be the case. Also doesn't answer why only ActiveSync and OWA are not working when the PDC is off??? I will check the IIS logs to see if anything useful there.

Going back to my previous question: >>What service pack and roll up are you running? Steve