Operating System Services


Topic Last Modified: 2005-05-23

Exchange Server 2003 relies heavily on the operating system for network communication, security, directory services, and so forth. For example, Exchange Server 2003 requires TCP/IP and depends on the TCP/IP protocol stack and related components. These components are implemented in kernel drivers deeply integrated into the Windows I/O subsystem. Exchange Server 2003 uses standard Microsoft Win32 programming interfaces to interact with the kernel.

In addition to the Windows kernel, Exchange Server 2003 has the following Windows services dependencies:

  • Event Log   This service enables event log messages issued by Exchange services and other Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

  • NTLM Security Support Provider   This service provides security for programs that use remote procedure calls (RPCs) and transports other than named pipes to log on to the network using the NTLM authentication protocol.

  • Remote Procedure Call (RPC)   This service enables the RPC endpoint mapper to support RPC connections to the server. This service also serves as the Component Object Model (COM).

    RPCs and lightweight remote procedure calls (LRPCs) are important inter-process communication mechanisms. LRPCs are local versions of RPCs. LRPCs are used between the Exchange store and those server components that depend on MAPI and related APIs for communication, such as messaging connectors to non-Exchange messaging systems. Regular RPCs, however, are used when clients must communicate with server services over the network. Typical RPC clients are MAPI clients, such as Microsoft Outlook and Exchange System Manager, but internal components of System Attendant, such as DSProxy, are also RPC clients. To accept directory requests from MAPI clients and pass them to an address book provider, DSProxy must use RPCs to communicate with Active Directory through the name service provider interface (NSPI). For more information about DSProxy, see Exchange Server 2003 and Active Directory.

    It is important to understand that RPCs are an application-layer communication mechanism, which means that RPCs use other network communication mechanisms, such as NetBIOS, named pipes, or Windows Sockets, to establish the communication path. To create a connection, the RPC endpoint mapper is required, because the client must first determine the endpoint that should be used. RPC server services use dynamic connection endpoints, by default. In a TCP/IP network, the client connects to the RPC endpoint mapper through TCP port 135, queries for the current TCP port of the desired service (for example, the Name Service Provider Interface (NSPI) port of Active Directory), obtains this TCP port from the endpoint mapper, and then uses this TCP port to establish the RPC connection to the actual RPC server. The following figure illustrates the role of the RPC endpoint mapper.

    Establishing an RPC connection to Active Directory

    By default, Exchange services use dynamic TCP ports between 1024 and 5000 for RPC communication. For various services, such as System Attendant and Exchange Information Store service, it is possible to specify static ports using registry parameters. However, the client must contact the RPC endpoint mapper whether the port assignment is dynamic or static.
  • Server   This service enables file and printer sharing and named pipe access to the server through the server message block (SMB) protocol. For example, if you access message tracking log files using the message tracking center in Exchange System Manager, you communicate with the server service because message tracking logs are shared for network access through \\<server name>\<server name>.Log, such as \\Server01\Server01.log. The SMB protocol is also required for remote Windows administration.

    The SCM key for the server service is lanmanserver. Underneath this registry key, you can find an important subkey called Shares. This key contains parameters for all shares on the server. One share that is particularly important for System Attendant is Address, which provides access to the proxy address generation DLLs that the Recipient Update Service uses to assign mailbox-enabled and mail-enabled recipient objects, X.400, SMTP, Lotus Notes, Microsoft Mail, Novell GroupWise, and Lotus cc:Mail addresses according to the settings in recipient policies. Address generation DLLs are accessed over the network, because gateway connectors (and their address generation DLLs) do not necessarily exist on the local server running Exchange Server. Recipient Update Service is part of System Attendant, so the server service must be started before System Attendant can start.

  • Workstation   This service is the counterpart to the server service. It enables the computer to connect to other computers on the network based on the SMB protocol. This service must be started before System Attendant will start.

  • Security Accounts Manager   The Security Accounts Manager (SAM) service stores security information for local user accounts and is required for local accounts to log on to the server. Because all Exchange services must log on to the local computer using the LocalSystem account, Exchange Server 2003 cannot function if this component is unavailable.

  • Windows Management Instrumentation   This service provides a standard interface and object model for accessing management information about the computer hardware and software. System Attendant is the component in Exchange Server 2003 that is responsible for server monitoring and status. Exchange Server 2003 adds additional Windows Management Instrumentation (WMI) providers to the WMI service, so that you can access Exchange status information through WMI. The WMI service is required for the Microsoft Exchange Management service to start.

In addition, there are also several Windows services that Exchange Server 2003 requires in specific situations:

  • COM+ Event System   This service supports system event notification for COM+ components, which provide automatic distribution of events to subscribing COM components. You should not disable this service on servers running Exchange Server 2003, because event sinks wrapped in a COM+ component application that run out-of-process on the server will not function properly.

  • COM+ System Application   This service manages the configuration and tracking of COM+-based components. If the service is stopped, most COM+-based components in Exchange Server 2003 will not function properly.

  • Error Reporting Service   This is an optional service that enables automatic reporting of errors. Servers running Exchange Server can use this service to automatically send fatal service error information to Microsoft.

  • HTTP SSL   This service implements the secure HTTP (HTTPS) for the HTTP service, using Secure Socket Layer (SSL). If you want to use HTTPS to secure Outlook Web Access or RPC over HTTP connections, you must enable this service.

  • IPSec Services   This service enables Internet Protocol security (IPSec), which provides end-to-end security between clients and servers on TCP/IP networks. This service must be enabled if you want to use IPSec to secure network traffic between a server running Exchange Server and other computers on the network, such as a front-end server running Exchange Server or domain controller.

  • Microsoft Search   This service enables the indexing of information stored on the server. This service is required if you want to enable full-text indexing on a mailbox or public folder store on the server running Exchange Server.

  • Microsoft Software Shadow Copy Provider   This service manages software-based volume shadow copies taken by the Microsoft Volume Shadow Copy service. If you are using the Windows Backup tool to backup Exchange Server 2003 messaging databases, you can stop this service, because the Windows Backup tool does not rely on the Volume Shadow Copy service. If you are using a non-Microsoft backup solution, on the other hand, which does use the Volume Shadow Copy service, you must enable this service. In general, this service should have the same startup type as the Volume Shadow Copy service.

  • Net Logon   This service enables a secure channel between the server running Exchange Server and a domain controller. This service is required for users to access mailboxes on the server running Exchange Server and for any service that is using a domain account to start.

  • Performance Logs and Alerts   This service collects performance data from local or remote computers based on preconfigured schedule parameters, and then writes the data to a log or triggers an alert. If you stop this service, you cannot collect performance information using the Performance Logs and Alerts snap-in, which is available in the Performance tool.

  • Remote Registry   This service enables users to modify registry settings remotely. Exchange System Manager requires access to the registry, for example, if you want to configure diagnostics logging for Exchange services. This service must be available if you run Exchange System Manager on a management workstation. If this service is stopped, the registry can only be modified on the local server.

  • System Event Notification   This service monitors system events and notifies subscribers to COM+ Event System of these events. If this service is stopped, COM+ Event System subscribers do not receive Exchange system event notifications. The following table lists the system events provided by Exchange Server 2003.

    System events in Exchange Server 2003

    Event Description


    Called at a specified interval.


    Called when a store is started.


    Called when a store is stopped.

  • Volume Shadow Copy   This service manages and implements Volume Shadow Copies used for backup and other purposes. This service must be running if your backup solution uses an Exchange Server 2003 Volume Shadow Copy service requestor to create shadow copies of messaging databases. If this service is disabled, your backup processes could fail.

The services listed above are configured to start automatically on Windows Server 2003. They run within the security context of the LocalSystem account.