In this article I am going to show you how to find out which Global Catalog servers your Exchange server is utilising.
How do you know what Global Catalog servers Exchange has found in its Active Directory site?
This can be found in the Application Event Logs under Event ID 2080.
This lists all domain controllers in the environment and which domain controllers are in the same site as the Exchange server.
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1536). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
ANG-PTH-DC1.domain.local CDG 1 7 7 1 0 1 1 7 1
athena.domain.local CDG 1 7 7 1 0 1 1 7 1
ares.domain.local CD- 1 6 6 0 0 1 1 6 1
ANG-PTH-DC2.domain.local CDG 1 7 7 1 0 1 1 7 1
ANG-BUN-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
Out-of-site:
ANG-JOO-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
joondalupfrcsvr.domain.local CD- 1 6 6 0 0 1 1 6 1
ANG-JOO-SVR02.domain.local CDG 1 7 7 1 0 1 1 7 1
ANG-KAT-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
kununurrasvr.domain.local CDG 1 7 7 1 0 1 1 7 1
rockinghamsvr.domain.local CD- 1 6 6 0 0 1 1 6 1
ANG-MAN-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
ANG-MAN-SVR02.domain.local CDG 1 7 7 1 0 1 1 7 1
youthservsvr.domain.local CD- 1 6 6 0 0 1 1 6 1
ANG-ALB-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
ANG-AWC-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
broomesvr.domain.local CD- 1 6 6 0 0 1 1 6 1
daisyhousesvr.domain.local CDG 1 0 0 1 0 0 0 0 0
Coolbellupsvr.domain.local CD- 1 6 6 0 0 1 1 6 1
ANG-BDS-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
ANG-GOS-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
What are these numbers next to the server? As per Microsoft KB 316300 these numbers mean the following things:
Server name: The first column indicates the name of the domain controller that the rest of the data in the row corresponds to.
Roles: The second column shows whether or not the particular server can be used as a configuration domain controller (column value C), a domain controller (column value D), or a global catalog server (column value G) for this particular Exchange server. A letter in this column means that the server can be used for the designated function, and a hyphen (-) means that the server cannot be used for that function. In the example that is described earlier in this article, the Roles column contains the value CDG to show that the service can use the server for all three functions.
Reachability: The third column shows whether the server is reachable by a Transmission Control Protocol (TCP) connection. These bit flags are connected by an OR value. 0x1 means the server is reachable as a global catalog server (port 3268), 0x2 means the server is reachable as a domain controller (port 389), and 0x4 means the server is reachable as a configuration domain controller (port 389). In other words, if a server is reachable as a global catalog server and as a domain controller but not as a configuration domain controller, the value is 3. In the example that is described earlier in this article, the value 7 in the third column means that the server is reachable as a global catalog server, as a domain controller, and as a configuration domain controller (0x1 | 0x2 | 0x4 = 0x7).
Synchronized: The fourth column shows whether the "isSynchronized" flag on the rootDSE of the domain controller is set to TRUE. These values use the same bit flags connected by an OR value as the flags that are used in the Reachability column.
GC capable: The fifth column is a Boolean expression that states whether the domain controller is a global catalog server.
PDC: The sixth column is a Boolean expression that states whether the domain controller is a primary domain controller for its domain.
SACL right: The seventh column is a Boolean expression that states whether DSAccess has the correct permissions to read the SACL (part of nTSecurityDescriptor) against that directory service.
Critical Data: The eighth column is a Boolean expression that states whether DSAccess found this Exchange server in the configuration container of the domain controller listed in the Server name column.
Netlogon Check: The ninth column (added in Exchange 2000 SP3) states whether DSAccess successfully connected to a domain controller’s Net Logon service. This requires the use of Remote Procedure Call (RPC), and this call may fail for reasons other than a server that is down. For example, firewalls may block this call. So, if there is a 7 in the ninth column, it means that the Net Logon service check was successful for each role (domain controller, configuration domain controller, and global catalog).
OS Version: The tenth column (added in Exchange 2003) states whether the operating system of the listed domain controller is running at least Microsoft Windows 2000 Service Pack 3 (SP3). Exchange 2003 only uses domain controllers or global catalog servers that are running Windows 2000 SP3 or later. A Boolean expression of 1 means the domain controller satisfied the operating system requirements of Exchange 2003 for use by DSAccess.
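The column meanings above can be applied mechanically. The following PowerShell (3.0 or later) is an added example, not code from the original article or from Microsoft: it parses the server table of a 2080 message and decodes the bit-flag columns. The function names ConvertFrom-RoleMask and ConvertFrom-Event2080 are hypothetical, the sample rows are copied from the event shown earlier, and the column order follows the header line printed in the event itself, which includes an Enabled column.

```powershell
# Added example: decode the server table of an Event ID 2080 message.
# Bit values are the ones given in the column descriptions above.
$RoleBits = [ordered]@{ GC = 0x1; DC = 0x2; ConfigDC = 0x4 }

function ConvertFrom-RoleMask([int]$Mask) {
    # Names of the roles whose bit is set in a Reachability, Synchronized or Netlogon value
    ($RoleBits.Keys | Where-Object { $Mask -band $RoleBits[$_] }) -join ','
}

function ConvertFrom-Event2080([string]$Message) {
    $site = $null
    foreach ($line in ($Message -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^(In-site|Out-of-site):$') { $site = $Matches[1]; continue }
        # Server name, roles (letter or '-'), then the nine numeric columns
        if ($site -and $line -match '^(\S+)\s+([C-][D-][G-])((?:\s+\d+){9})$') {
            $name, $roles = $Matches[1], $Matches[2]
            $n = @(-split $Matches[3] | ForEach-Object { [int]$_ })
            [pscustomobject]@{
                Server = $name; Site = $site; Roles = $roles
                Enabled      = [bool]$n[0]
                Reachable    = ConvertFrom-RoleMask $n[1]
                Synchronized = ConvertFrom-RoleMask $n[2]
                GCCapable    = [bool]$n[3]; PDC = [bool]$n[4]
                SaclRight    = [bool]$n[5]; CriticalData = [bool]$n[6]
                Netlogon     = ConvertFrom-RoleMask $n[7]
                OSVersion    = [bool]$n[8]
            }
        }
    }
}

# Sample rows taken from the event text shown earlier in this article.
# On a live server (assumption: the newest 2080 event in the Application log is wanted):
#   $sample = (Get-WinEvent -FilterHashtable @{LogName='Application'; Id=2080} -MaxEvents 1).Message
$sample = @'
In-site:
ANG-PTH-DC1.domain.local CDG 1 7 7 1 0 1 1 7 1
ares.domain.local CD- 1 6 6 0 0 1 1 6 1
Out-of-site:
daisyhousesvr.domain.local CDG 1 0 0 1 0 0 0 0 0
'@
$servers = ConvertFrom-Event2080 $sample

# Global catalogs Exchange can actually use from its own site
$servers | Where-Object {
    $_.Site -eq 'In-site' -and $_.Roles -like '*G' -and
    ($_.Reachable -split ',') -contains 'GC'
} | Select-Object Server, Reachable, Synchronized, Netlogon

# Servers that failed a check and deserve a closer look
$servers | Where-Object { -not $_.Reachable -or -not $_.SaclRight -or -not $_.CriticalData }
```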
Which Global Catalog Server are we using?
By default, without any configuration, Exchange load balances its Global Catalog requests across all Global Catalog servers in the same Active Directory site as the Exchange server. All domain controllers in the same AD site will receive an even amount of global catalog calls from the Exchange server on TCP 3268 unless they have a problem which the Microsoft Exchange AD Topology service has detected. This can be verified using a tool such as Network Monitor.
Can I Manually Exclude or Specify which Domain Controllers Exchange Uses?
The answer to this question is yes; however, I recommend doing so only when troubleshooting. This can be configured with the Set-ExchangeServer PowerShell cmdlet.