• Article

PDC emulator is not excluded from DSAccess topology

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2012-05-23

The Microsoft Exchange Best Practices Analyzer reads the following registry subkey to determine whether the Active Directory domain controller that is acting as the primary domain controller (PDC) emulator has been manually excluded from the list of domain controllers available for use by Microsoft Exchange Server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default\MinUserDC

If the Analyzer finds that the domain controller acting as PDC emulator has not been manually excluded from the list of domain controllers available for use by Exchange Server, the Analyzer displays a best practice recommendation.

A PDC emulator is an Active Directory operations master role computer that processes replication requests from Microsoft Windows NT Server 4.0 backup domain controllers and processes all password updates for clients that are not running Active Directory-enabled client software. PDC emulators are also domain controllers. They are, therefore, available for use by applications such as Exchange Server.

Directory Service Access (DSAccess) is an internal component in Exchange 2010 Server, Exchange Server 2007, Exchange Server 2003, and Exchange Server 2000 that controls how all Exchange Server components access Active Directory. The primary function of DSAccess is to maintain information about various directory-related events and operations. For example, DSAccess discovers the Active Directory topology and detects whether domain controllers and global catalog servers are available and responding to queries.

By default, DSAccess includes the PDC emulator computer in its list of available and usable domain controllers. If non-Exchange Server programs are making heavy use of the PDC emulator, use of the PDC emulator by DSAccess could cause performance problems on the PDC emulator computer and also on the Exchange server and on the non-Exchange Server computer.

To prevent such performance issues in Exchange Server 2000 and in Exchange Server 2003 , the MinUserDC registry value can be added to the registry on an Exchange server to force DSAccess to query all other available domain controllers before it queries the domain controller that holds the PDC emulator operations master role.

This topic contains information about editing the registry. Before you edit the registry, make sure you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.

To examine the MinUserDC registry value in Exchange 2010 and Exchange 2007

  1. Open a registry editor, such as Regedit.exe or Regedt32.exe.

  2. On a computer that is running Exchange 2000 or Exchange 2003, locate the following subkey:

    HKLM\System\CurrentControlSet\Services\MSExchange ADAccess\Profiles\Default\MinUserDC

    On a computer that is running Exchange Server 2007, locate the following subkey:

    HKLM\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default

  3. The value data that is configured for the MinUserDC registry entry is the maximum number of domain controllers to contact before contacting the PDC emulator. For example, setting MinUserDC to 4 configures DSAccess to exclude the PDC emulator only if a total of four domain controllers are available.

Configure ADAccess by using the StaticExcludedDomainControllers option

In Exchange Server 2010 and in Exchange Server 2007, you can use the Set-ExchangeServer cmdlet to configure the ADAccess component to exclude a particular domain controller or a list of domain controllers from use. You do not have to edit the registry when you use the Set-ExchangeServer cmdlet.

However, you should use caution when you use the Set-ExchangeServer cmdlet to exclude a domain controller from use. For example, if your domain has Domain_Controller_A and Domain_Controller_B, and you use the Set-ExchangeServer cmdlet to exclude Domain_Controller_A from use, Exchange Server stops working if Domain_Controller_B is not available.

The following example shows how to use the Set-ExchangeServer command to exclude one or more domain controllers from use. Additionally, this example shows how to verify the status of the Exchange environment after you run the Set-ExchangeServer command. In this example, you have the following servers.

Hostname

Domain

Role

E2K7-1

contoso.com

Exchange Server 2007

DC-1

contoso.com

domain controller together with PDC operations master

DC-2

contoso.com

domain controller

DC-3

contoso.com

domain controller

To use the Set-ExchangeServer command to exclude the three domain controllers that are listed in this table from use for the DSAccess component, follow these steps:

  1. Start the Exchange Management Shell. To do this, click Start, point to All Programs, point to Microsoft Exchange Server 2007, and then click Exchange Management Shell.

  2. At the command prompt, type the following command, and then press Enter:

    Set-ExchangeServer -identity E2K7-1.contoso.com -StaticExcludedDomainControllers:dc-1.contoso.com,dc-2.contoso.com,dc-3.contoso.com

    This command excludes DC-1, DC-2, and DC-2 from use by the server that is named E2K7-1.

    Note In this command, specify the fully qualified domain names of the individual domain controllers by using a comma-separated list that does not contain spaces between each entry.

  3. To verify the list of excluded domain controllers, type the following command, and then press Enter:

    Get-ExchangeServer -identity E2K7-1.contoso.com -status | fl Name, StaticExcludedDomainControllers

    Note If you want to remove the changes that you have made and revert to the default behavior of Exchange, type the following command at the Exchange Management Shell prompt, and then press Enter:

    Set-ExchangeServer -identity E2K7-1.contoso.com -StaticExcludedDomainControllers:$null

You can also add the MinUserDC registry value to exclude the PDC emulator from use by the ADAccess component. When you use the MinUserDC registry value, you can set a minimum level of domain controller resources before the server that has the PDC Emulator role is enabled to handle Exchange requests. The MinUserDC registry value has the following advantages over use of the Set-ExchangeServer cmdlet:

  • When you use the MinUserDC registry value, the domain controller that has the PDC emulator role is still available for use if all other domain controllers fail. If you use the Set-ExchangeServer cmdlet, the domain controller that has the PDC emulator role is permanently excluded.

  • When you use the MinUserDC registry value, and then you move the PDC Emulator role to a different domain controller, the domain controller that now hosts the PDC Emulator role is automatically excluded from use by the ADAccess component, and the domain controller that previously hosted the PDC Emulator role is available to handle Exchange requests.

  • If you use the Set-ExchangeServer cmdlet, and the PDC Emulator role is moved to another domain controller, you must run the Set-ExchangeServer cmdlet again to update the StaticExcludedDomainControllers list. If you do not run the Set-ExchangeServer cmdlet again, the domain controller that hosts the PDC Emulator role after the move will be available to handle Exchange requests. Additionally, the domain controller that previously hosted the PDC Emulator role will still be excluded.

Before you edit the registry, and for information about how to edit the registry, see Microsoft Knowledge Base article 256986, Windows registry information for advanced users.

For more information about how to use the MinUserDC registry entry, see Microsoft Knowledge Base article 298879, Exchange Server experiences performance issues when a PDC emulator is used for DSAccess or ADAccess.