Exchange has a few black holes—tricky features that result from incomplete product design—that can cause problems for systems administrators. One black hole is Exchange's Directory Service/Information Store (DS/IS) consistency adjuster. The DS/IS consistency adjuster verifies that every object (e.g., mailbox or public folder) in the IS has a matching entry in the DS and fixes minor inconsistencies that arise over time in the Exchange databases.
Microsoft has improved the design and users interface of the adjuster in the last two versions of Exchange, but many systems administrators still don't fully understand what happens when the adjuster swings into action. Let's look at this feature and how to avoid some common pitfalls in using it.
Running the Consistency Adjuster
You run the consistency adjuster after you make major changes to Exchange Server, such as moving the Exchange database to another server or recovering from a disaster. To run the consistency adjuster, go to the Advanced tab of the server's Properties page and click Consistency Adjuster. Screen 1, page 2, shows the Advanced tab for Exchange Server 5.5; earlier versions of Exchange let you select Adjust on the Advanced tab, but you can't control the adjusters actions. The consistency adjuster reconciles four types of inconsistencies:
- A mailbox entry in the Private Information Store with no matching entry in the directory. The adjuster creates an appropriate directory entry for the missing mailbox. However, Exchange doesn't remove existing mailboxes registered in the DS, even if it can't find an entry for them in the IS.
- Mailboxes not listed in the directory but listed in the permissions for mailboxes. The adjuster removes the permissions.
- Unknown accounts in the access control list (ACL) for public folders. The adjuster removes the accounts from the ACL.
- Missing home server for a public folder. The adjuster rehomes the public folder to the server where you're running the adjuster.
Rehoming Causes Problems
Automatically adjusting the first three consistencies usually doesn't cause any problems. However, rehoming (automatically moving a folder from one site to another) a set of public folders away from their original server can cause confusion because you can administer a public folder only at its home site. You can't, for instance, use Exchange Administrator to change the ACL for a public folder if you can't connect to a server in its home site.
One company that experienced the effects of an unwanted consistency check called the rehoming of public folders a "complete meltdown of the public folder hierarchy." Another company took nearly a week to rehome public folders from Australia back to New York after a novice systems administrator had practiced deleting replication connectors.
The Microsoft Knowledge Base article "XADM: How to Rehome Public Folders in Exchange" (http://support.microsoft.com/support/kb/articles/ q178/9/27.asp) describes two methods for rehoming public folders in Exchange 4.0 and 5.0. One method uses the PFADMIN utility 1.1.1 in the Pftools folder in the Microsoft BackOffice Resource Kit; the other method uses .pst files.
In Exchange 5.5, you can use Exchange Administrator to look at and change the home server property for public folders, as Screen 2 shows. Thus, even if a public folder is homed to another server, you can rehome the folder to its original server by setting the home server property to its correct value.
Some Pitfalls to Avoid
The usual cause of problems with the consistency adjuster is running it soon after you remove a directory replication connector. Exchange uses directory replication connectors to transfer directory information between sites. Unlike traffic over messaging connectors (the Site, X.400, or Simple Mail Transfer Protocol—SMTP—connectors), directory entries can flow brtween one sites over only route. Exchange prohibits multiple directory replication connectors to avoid potential replication conflicts within the directory.
If you remove one of several messaging connectors between sites, Exchange simply recalculates all possible routes, updates the Gateway Address Routing Table (GWART), and continues to process messages. But because Exchange uses only one connector for directory information, removing a connector can affect an organization dramatically. Deleting a directory replication connector instantly halts the flow of directory information between sites and can affect several sites if you use a directory replication connector to link to downstream sites. For example, if one directory replication connector connects sites in London and Dublin, and another links London and Paris, Dublin receives directory updates for both the London and Paris sites across the connector between Dublin and London. If you remove this connector, the Dublin site can no longer see the London and Paris sites.
You can delete a directory replication connector and then re-create it immediately. However, this action causes Exchange to generate a large amount of replication traffic within the network. You might not notice the effect in a small Exchange organization, but you definitely will notice the effect in an organization of 10 or more sites, especially if some sites are connected across low-bandwidth links. If you remove a connector to permanently disconnect a site, you can run the adjuster to reconcile the many inconsistencies that probably exist between the DS and the IS.
However, don't run the DS/IS consistency adjuster immediately after you've added a new directory replication connector. When you add the connector, the DS inserts stub entries into the directory for sites that the connector reaches. These stubs are placeholders to show that a connection exists, but Exchange must replicate most of the directory entries through backfilling. Backfilling is the process by which the DS fetches directory entries from other sites to complete the copy held in its site. The Directory Service Agents (DSAs) in the relevant sites replicate directory entries by exchanging mail messages. After the DSA has received all the backfill messages, the directory will contain read-only copies of all the entries for the configuration, mailboxes, custom recipients, and distribution lists for remote sites. During the backfill process, you can expect some of inconsistencies, so you must let backfilling finish before you run the DS/IS consistency adjuster. One indication that replication is active is a large number of DSA-generated messages in the Message Transfer Agent (MTA) queues.
Microsoft's Exchange developers didn't to create an appropriate user interface for the DS/IS consistency adjuster during the Exchange 5.0 development cycle. But to alert unsuspecting systems administrators, in Exchange 4.0, Service Pack 3 (SP3) and higher, the developers inserted a warning flag about the effects of running the DS/IS consistency adjuster after you remove a directory replication connector. Screen 3 shows the warning.
Changes in Exchange 5.5
Exchange 5.5 makes the consistency adjuster easier to use through a combination of three new features:
- The DS/IS consistency adjuster has a new user interface, as Screen 4 shows. Not only does the new interface make clear what the tool does, but it lets you decide exactly which of the four possible adjustments to make.
- Exchange 5.5 lets you rehome public folders from a display on the server properties page.
- You can limit administrative access to a public folder to its home site by setting the appropriate property on the public folder; with this restriction, folder properties can originate only in the owning site. Exchange will reject attempts to execute an administrative operation (e.g., rehoming or creating a new replica by pulling it from the home server) from a remote server. This feature is completely effective only in Exchange 5.5. Exchange 4.0 and 5.0 servers have no knowledge of restricted administrative access and will continue to send changes to the home server through usual public folder and directory replication channels.
Even with the improvements in Exchange 5.5, you must still take great care with the DS/IS consistency adjuster. All systems administrators must be aware of the link between the DS and the IS and must understand how the consistency adjuster works. Always take care when deleting directory replication connectors in a production environment, and make sure that you understand what will happen before you click the button.