Active Directory site mismatch

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2010-05-24

In Exchange environments earlier than Exchange Server 2007, the Microsoft® Exchange Server Analyzer Tool calls the Win32 API DsGetSiteName function to query for the Active Directory® directory service site name of the domain controller and the Active Directory site name of the local Exchange Server.

In an Exchange Server 2007 environment or in an Exchange Server 2010 environment, the Microsoft Exchange Server Analyzer Tool runs the Get-ExchangeServer -Identity "%SRVNAME%" -Status cmdlet in Windows PowerShell to determine the site name of the domain controller and the Active Directory site name of the local Exchange Server.

If the Exchange Server Analyzer determines that the Active Directory site name of the domain controller and the Active Directory site name of the local Exchange Server do not match, the Exchange Server Analyzer displays a warning.

This warning indicates that the Directory Service Access (DSAccess) process is going out of the local Active Directory site for its Lightweight Directory Access Protocol (LDAP) requests, which can cause a severe degradation in Exchange Server performance.

This situation can be caused by the static configuration of an off-site domain controller, a network or domain controller computer outage that makes the site-resident domain controller unreachable, or an incorrectly designed Active Directory topology that does not include an Active Directory domain controller in the same site as the Exchange Server.

DSAccess is a shared Exchange Server component that accesses and stores directory information in a cache. DSAccess dynamically detects the directory servers that other Exchange components should contact, based on criteria such as Active Directory site configuration and Active Directory server availability. Exchange front-end servers use DSAccess to determine which server contains a particular user's mailbox, the Simple Mail Transfer Protocol (SMTP) addresses that exist for a user object, and the servers that contain public folder stores.

Upon initialization, if DSAccess does not find a set of statically configured domain controllers or global catalogs in the registry, DSAccess uses a discovery process to identify the network topology and assess the availability and suitability of directory servers. Part of the determination of a domain controller's suitability is whether the domain controller is in the same Active Directory site as the Exchange Server.

To reduce latency that may be introduced by cross-site LDAP requests, Exchange Servers should be located in an Active Directory site that has a resident domain controller.

To address this issue:

  • Evaluate the site definitions for the Active Directory topology to verify that each Exchange Server has access to a domain controller in the same Active Directory site.

  • Verify that any statically configured domain controllers reside in the same Active Directory site as the Exchange Server.
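
The two checks above can be scripted. The following is an added example, not part of the original topic or of the Exchange Server Analyzer: it compares the site of every static and current directory server reported by Get-ExchangeServer -Status with the Exchange server's own site. The function names are hypothetical, the property names (Site, StaticDomainControllers, StaticGlobalCatalogs, CurrentDomainControllers, CurrentGlobalCatalogs) are assumed to match the -Status output of your Exchange version, and the sample server and hosts are constructed.

```powershell
# Added example (not Microsoft's code). Uses PowerShell 2.0-compatible syntax.
function Get-DcSiteName([string]$DcFqdn) {
    # Live lookup via System.DirectoryServices; needs connectivity to the DC.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext `
        -ArgumentList 'DirectoryServer', $DcFqdn
    [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx).SiteName
}

function Find-OffSiteDirectoryServer {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Server,
        # Replaceable resolver so the comparison can be exercised without a domain.
        [scriptblock]$ResolveSite = { param($dc) Get-DcSiteName $dc }
    )
    process {
        $lists = 'StaticDomainControllers','StaticGlobalCatalogs',
                 'CurrentDomainControllers','CurrentGlobalCatalogs'
        foreach ($list in $lists) {
            foreach ($dc in @($Server.$list)) {
                if (-not $dc) { continue }
                # An unreachable or unknown DC is reported rather than skipped.
                try { $dcSite = & $ResolveSite "$dc" } catch { $dcSite = $null }
                if (-not $dcSite) { $dcSite = '<unresolved>' }
                if ($dcSite -ne $Server.Site.Name) {
                    New-Object PSObject -Property @{
                        Server = $Server.Name; ServerSite = $Server.Site.Name
                        Source = $list; DirectoryServer = "$dc"; DcSite = $dcSite
                    }
                }
            }
        }
    }
}

# Constructed sample data: one server in site HQ with an off-site static DC.
$sampleSites = @{ 'dc1.example.test' = 'HQ'; 'dc2.example.test' = 'Branch' }
$sample = New-Object PSObject -Property @{
    Name                     = 'EXCH01'
    Site                     = (New-Object PSObject -Property @{ Name = 'HQ' })
    StaticDomainControllers  = @('dc2.example.test')
    StaticGlobalCatalogs     = @()
    CurrentDomainControllers = @('dc1.example.test')
    CurrentGlobalCatalogs    = @('dc1.example.test', 'dc2.example.test')
}
$sample | Find-OffSiteDirectoryServer -ResolveSite { param($dc) $sampleSites[$dc] }

# Live use from the Exchange Management Shell:
#   Get-ExchangeServer -Status | Find-OffSiteDirectoryServer
```

A row whose Source begins with Static points to a statically configured off-site domain controller; a row whose Source begins with Current means DSAccess is presently using a directory server outside the Exchange server's site.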

For More Information

For more information about how to configure and troubleshoot DSAccess, see the following Exchange resources: