Event ID 2116 is logged when a domain controller is not running Windows 2000 Service Pack 3 (818481)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

SYMPTOMS

MSExchangeDSAccess on your Microsoft Exchange Server 2003 computer has stopped, and an event ID error message similar to the following is logged in the application log of Event Viewer:

Event Type: Warning
Event Source: MSExchangeDSAccess
Event Category: Topology
Event ID: 2116
Description: The Domain Controller DomainControllerName is running Windows 2000 Service Pack Version Number. DSAccess requires that Domain Controllers that run Windows 2000 have at least Service Pack 3 installed.

Note: If the Windows version or the service pack version cannot be determined, this event states that the domain controller is running an unknown operating system or an unknown service pack.

CAUSE

This behavior occurs when one of the domain controllers or the global catalog servers does not have Microsoft Windows 2000 Service Pack 3 installed.

WORKAROUND

To work around this behavior, note the content in the "Description" section of the event ID error message that is described in the "Symptoms" section of this article, and then follow the appropriate procedure below.
  • If the event lists a Windows 2000 installation earlier than Windows 2000 Service Pack 3, upgrade the domain controller that is listed in the event to Windows 2000 Service Pack 3.
  • If the event lists an unknown operating system and service pack combination (unknown OS/SP), make sure that the server that is listed is available on the network and that the Exchange Server 2003 computer account has the rights to read the operatingSystem and the operatingSystemServicePack attributes from the domain controller's computer object in the Active Directory directory service.
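
The check described in the workaround can be scripted. The following is an added example, not part of the original article: it reads the operatingSystem and operatingSystemServicePack attributes of every domain controller's computer object in the current domain and flags the ones that would cause event 2116. The helper name Get-DsAccessDcStatus, the status strings, and the LDAP filter used to find domain controllers are assumptions made for this example.

```powershell
# Added example: list domain controllers and flag those that would trigger event 2116.
function Get-DsAccessDcStatus {   # hypothetical helper name
    param([string]$OperatingSystem, [string]$ServicePack)

    # No readable operatingSystem value: the "unknown OS/SP" case in the article.
    if ([string]::IsNullOrEmpty($OperatingSystem)) { return 'Unknown OS/SP' }

    # The SP3 requirement applies only to domain controllers that run Windows 2000.
    if ($OperatingSystem -notmatch 'Windows 2000') { return 'OK' }

    # operatingSystemServicePack holds text such as "Service Pack 2".
    if ($ServicePack -match 'Service Pack\s+(\d+)') {
        if ([int]$Matches[1] -ge 3) { return 'OK' }
        return 'Needs SP3'
    }
    # Windows 2000 with no service pack value: none installed, or not readable.
    return 'Needs SP3 or SP unreadable'
}

# Assumption: DCs are found by the SERVER_TRUST_ACCOUNT bit (8192) in userAccountControl.
$filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher = [adsisearcher]$filter      # searches the current domain
$searcher.PageSize = 500
$props    = [string[]]@('dNSHostName', 'operatingSystem', 'operatingSystemServicePack')
$searcher.PropertiesToLoad.AddRange($props)

$report = foreach ($entry in $searcher.FindAll()) {
    $p  = $entry.Properties            # property names are stored in lowercase
    $os = [string]($p['operatingsystem'] | Select-Object -First 1)
    $sp = [string]($p['operatingsystemservicepack'] | Select-Object -First 1)
    [pscustomobject]@{
        DomainController = [string]($p['dnshostname'] | Select-Object -First 1)
        OperatingSystem  = $os
        ServicePack      = $sp
        Status           = Get-DsAccessDcStatus -OperatingSystem $os -ServicePack $sp
    }
}

# Show only the servers that need attention.
$report | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

The result reflects what the account running the script can read. To test the permissions case from the second bullet, run it under the Exchange server's computer account (for example, as Local System on that server) and compare the output with a run under an administrative account.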

STATUS

This behavior is by design.

MORE INFORMATION

Exchange Server 2003 requires a domain controller or global catalog server that is running Windows 2000 Service Pack 3 or later. This requirement applies to Exchange 2003 computers and to the Exchange 2003 version of the Active Directory Connector (ADC). ADC does not work with domain controllers or with global catalog servers that are running a version of Windows 2000 that is earlier than Service Pack 3.

Exchange System Manager does not require that the domain controller or global catalog server in the domain run Windows 2000 Service Pack 3. However, Windows 2000 Service Pack 3 changed how LDAP packet encryption is implemented, and LDAP packets that are sent between certain Exchange components and Windows 2000 domain controllers or global catalog servers are signed only when those servers are running Windows 2000 Service Pack 3 or later. All directory components that use LDAP encryption, including the Recipient Update Service, the Active Directory Connector, and DSAccess, require that domain controllers and global catalog servers run Windows 2000 Service Pack 3 or later. All Exchange components that use DSAccess also require a server that is running Windows 2000 Service Pack 3 or later to support LDAP signing. Exchange administration does not use DSAccess and includes its own server-less binding; therefore, it can use LDAP encryption with servers that are running versions of Windows earlier than Windows 2000 Service Pack 3.

If, on the Directory Access tab in Exchange System Manager, you manually configure a domain controller or a global catalog server that is not running Windows 2000 Service Pack 3 or later, MSExchangeDSAccess will log a failure. The event noted in the "Symptoms" section is logged. It states that the domain controllers require Windows 2000 Service Pack 3. Exchange Server 2003 will not use a Windows 2000 domain controller or global catalog server that is not running Windows 2000 Service Pack 3 or later.

To make sure that Exchange System Manager LDAP traffic is signed and sealed, Windows 2000 Service Pack 3 or later must be installed on all domain controllers and global catalog servers in the Active Directory domain. Kerberos authentication will try to sign and seal the traffic; NTLM authentication is used if Kerberos is unavailable. NTLM does not support the signing and sealing of traffic on servers without Windows 2000 Service Pack 3.

For additional information about LDAP encryption in Windows 2000 Service Pack 3, see the following articles in the Microsoft Knowledge Base:

325465 Windows 2000 Domain Controllers Require Service Pack 3 or Later When Using Windows Server 2003 Administration Tools

299687 MS01-036: Function Exposed By Using LDAP over SSL Could Enable Passwords to Be Changed


Modification Type: Minor
Last Reviewed: 11/8/2005
Keywords: kbQFE kbbug KB818481 kbAudITPRO