Exchange 2007 OWA and ActiveSync fails when PDC Emulator is offline

  • Question

  • Hi,

    I have a Windows 2008 domain with Exchange 2007 installed on a Windows 2008 server with CAS, HUB and Mailbox role installed.  I have 4 Domain Controllers running Windows 2008, each Domain Controller is a Global Catalog server with the Operations Master roles spread across the servers.

    We had an issue recently where the DC that holds the PDC Emulator role went offline.  This then caused Outlook Web Access and ActiveSync to fail until the PDC Emulator DC was started back up again; this was a day later, so Exchange should have defaulted over to another DC?  Local Outlook clients were able to send and receive with no issues during this time.

    Is there a dependency on the PDC Emulator role by Exchange 2007 OWA or ActiveSync that would have caused them to stop working when this DC was off?

    Thanks,

    B.

    Wednesday, July 25, 2012 12:07 PM

Answers

  • Right, you'll start having problems rather soon if the PDC emulator is down for any significant amount of time.

    But what PDCe role would cause Exchange to malfunction as described?

    1. Time synchronization. PDC provides accurate time to other domain controllers and they provide accurate time to clients (or non-DC servers). Important for Kerberos (5 minute difference maximum).

    Effect on Exchange?

    2. Last resort for logon in case of failed authentication (bad password). In case of password change, change is replicated to PDCe first (if possible) so if replication is not complete domain wide, user could still log on, even if authenticated by a DC unaware of the password change (refers to PDCe as last resort).

    Effect on Exchange here?

    3. PDCe also handles lockout (not sure myself what happens then if PDCe is unavailable).

    There too, I don't see how that would affect Exchange.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Thursday, July 26, 2012 3:33 AM

All replies

  • Hi

    Could you post the output of event 2080 from the application log on one of your Exchange servers?  This event shows the results of the AD connectivity test and will indicate if there are any issues with your other DCs.

    Steve


    Wednesday, July 25, 2012 12:10 PM
  • Hi,

    Output from 2080 when PDC was down, PDC is DC3

    DC1  CDG 177101171

    DC2  CDG 177101171

    DC3  CDG 10010000

    DC4  CDG 177101171

    B.

    Wednesday, July 25, 2012 12:18 PM
  • OK, that looks fine.  Were there any ADAccess errors during that time?  Which DCs are being used as DNS servers on your Exchange machine?
    Wednesday, July 25, 2012 1:11 PM
  • Exchange server uses DC1 and DC2 as DNS so no dependency there

    Only error received during downtime was MSExchangeSA error 9385

    Microsoft Exchange System Attendant failed to read the membership of the universal security group "<group name/OU=Microsoft Exchange Security Group/cn=Exchange Servers>"; the error code was "<8007203a>". The problem might be that the Microsoft Exchange System Attendant does not have permission to read the membership of the group. If this computer is not a member of the group "<group name>" you should manually stop all Microsoft Exchange services run the task "<task name>" and then restart all Microsoft Exchange services.

    The error then went away when the PDC came back up.

    Wednesday, July 25, 2012 1:28 PM
  • OK, so restarting the System Attendant service would clear that error and may also restore your ActiveSync and OWA access.  Why Exchange isn't switching to another DC when the PDC is down is a bit odd.

    What service pack and roll up are you running?

    Wednesday, July 25, 2012 1:54 PM
  • You should exclude the PDC emulator from what I remember; it may get picked up by the exchbpa - kb298879. If the PDC emulator is down then wouldn't you have other AD issues apart from exch? It plays a critical role.

    bpa recommendation


    Sukh

    Wednesday, July 25, 2012 10:46 PM
  • Hi

    Maybe you need to post the IIS log for your issue.

    MSExchangeSA error 9385

    You can restart the System Attendant on that Exchange server.

    Terence Yu

    TechNet Community Support

    Thursday, July 26, 2012 5:14 AM
    Moderator
  • Thanks all for your answers.  I understand the error leads to restarting the System Attendant but if there is another global catalog DC available then this shouldn't be the case.  Also doesn't answer why only ActiveSync and OWA are not working when the PDC is off???

    I will check the IIS logs to see if anything useful there.

    Thursday, July 26, 2012 9:06 AM
  • Going back to my previous question:

    >>What service pack and roll up are you running?

    Steve

    Thursday, July 26, 2012 9:31 AM