Sunday, January 15, 2012

PDC emulator is not excluded from DSAccess topology

When running the Exchange Best Practices Analyzer Tool [ExBPA] you will probably get the following warning:


This is because it is recommended to exclude the Primary Domain Controller [PDC] from the list of DCs available for use by Exchange.

First, let’s clarify what ADAccess and PDC are:
  • The PDC Emulator is an Active Directory [AD] operations master role computer that processes replication requests from Microsoft Windows NT Server 4.0 backup domain controllers and processes all password updates for clients that are not running AD-enabled client software. PDC emulators are also Domain Controllers [DC] and are therefore available for use by applications such as Exchange;
  • Directory Service Access [DSAccess] is an internal component of Exchange that controls how all Exchange Server components access AD. The primary function of DSAccess is to maintain information about various directory-related events and operations. For example, DSAccess discovers the AD topology and detects if DCs and global catalog servers are available and responding to queries.


By default, DSAccess includes the PDC emulator computer in its list of available and usable DCs. If non-Exchange Server programs are making heavy use of the PDC emulator, Exchange can worsen this situation or even suffer from it.

To prevent such performance issues, the MinUserDC registry value can be added to the registry on an Exchange server to force DSAccess to query all other available DCs before querying the domain controller that holds the PDC emulator operations master role.

To create or update the MinUserDC registry value:
1. Open the Registry Editor
2. On a computer that is running Exchange Server 2010, locate the following subkey:
   HKLM\System\CurrentControlSet\Services\MSExchange ADAccess\Profiles\Default\MinUserDC

   On a computer that is running Exchange Server 2007, locate the following subkey:
   HKLM\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default

3. Locate the MinUserDC value and make any required changes. If this DWORD value does not exist, you can manually create it.


Note: The value for the MinUserDC registry entry is the maximum number of DCs to contact before contacting the PDC emulator. For example, setting MinUserDC to 4 configures DSAccess to exclude the PDC emulator only when a total of 4 DCs are available. When this condition is met, the PDC emulator is excluded from use and DSAccess communicates only with the remaining 3 DCs.


Another way to configure the DSAccess component to exclude a particular DC or a list of DCs from use is by using the Set-ExchangeServer cmdlet together with the -StaticExcludedDomainControllers parameter:
Set-ExchangeServer "server" -StaticExcludedDomainControllers "pdc.domain.com"
Get-ExchangeServer "server" -Status | Select Name, StaticExcludedDomainControllers

However, please note that the MinUserDC key will still allow Exchange to use the PDC Emulator if the other DCs/GCs go offline but the static exclude list will not!
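
The two mechanisms above can be checked together on a server. The following script is an added example, not part of the original post: it reports the MinUserDC value and whether the PDC emulator is on the static exclude list. It assumes PowerShell 2.0 or later in the Exchange Management Shell on the Exchange server itself, and it reads MinUserDC as a DWORD value under the Profiles\Default key, as step 3 describes; the variable names are illustrative.

```powershell
# Added example: report how this Exchange server is configured to treat the PDC emulator.
# Assumption: run locally in the Exchange Management Shell (PowerShell 2.0 or later).
$server = $env:COMPUTERNAME

# FQDN of the DC holding the PDC emulator role, read through .NET (no AD module needed).
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().PdcRoleOwner.Name

# Profile keys named in the article; MinUserDC is treated as a DWORD value under each key.
$profileKeys = @(
    'HKLM:\System\CurrentControlSet\Services\MSExchange ADAccess\Profiles\Default',  # Exchange 2010
    'HKLM:\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default'    # Exchange 2007
)

$minUserDC = $null
foreach ($key in $profileKeys) {
    if (-not (Test-Path $key)) { continue }          # key for the other Exchange version
    $prop = Get-ItemProperty -Path $key -Name MinUserDC -ErrorAction SilentlyContinue
    if ($prop) { $minUserDC = $prop.MinUserDC }      # stays $null when the value was never created
}

# Static exclude list, normalised to strings so it can be compared with the PDC's FQDN.
$excluded = @((Get-ExchangeServer $server -Status).StaticExcludedDomainControllers |
              ForEach-Object { "$_" })
$static = $excluded -contains $pdc                   # -contains is case-insensitive

# Classify the result using the behaviour the article describes for each mechanism.
if ($static) {
    $effect = 'PDC emulator is never used, even if the other DCs/GCs go offline'
} elseif ($minUserDC) {
    $effect = "PDC emulator is excluded only while $minUserDC DCs are available; it remains a fallback"
} else {
    $effect = 'Default: PDC emulator is in the list of usable DCs'
}

New-Object PSObject -Property @{
    Server = $server; PdcEmulator = $pdc; MinUserDC = $minUserDC
    PdcStaticallyExcluded = $static; Effect = $effect
} | Select-Object Server, PdcEmulator, MinUserDC, PdcStaticallyExcluded, Effect | Format-List
```

The script only reads configuration; it changes neither the registry nor the exclude list.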

Hope this helps!

4 comments:

  1. So really it seems that if you have Exchange in a resource forest with very few enabled accounts, this really isn't a problem?

  2. Hi,
    Yes, that is correct! In small environments this shouldn't be a problem. Simply best practice in bigger ones :)

    Regards,
    Nuno

  3. Hi,
    It's very clear.

    One quick clarification.

    I have two AD sites (Site-1 and Site-2). It is one forest and one domain.
    Site-1 has three domain controllers (one of them the PDC) + Exchange 2010 SP2 servers.
    Site-2 has 2 domain controllers not owning any roles + Exchange 2010 SP2 servers.

    I believe the Site-2 Exchange servers query only the two domain controllers listed in Site-2.

    So, modification/editing of the MinUserDC registry value should be performed only on the Site-1 Exchange servers to exclude the PDC emulator role domain controller.

    Please correct me if my understanding is wrong.



    1. Hi,

      Apologies for the long delay in replying to you...
      You are correct. In your case, you just need to use the MinUserDC reg key in Site1 and the servers in Site2 will try to use the DCs in their own site.

      Regards, Nuno
