Exchange Server

Philip Colmer · Guest

I've run ExBPA 1.1 on my two-node cluster and it is reporting that Kerberos
is disabled on the network name. Clicking on "Tell me more about this issue
and how to resolve it" doesn't work - it takes me to the Exchange TechCenter
page.

I've checked the configuration for the network name defined in the Exchange
cluster group and Kerberos is definnitely enabled.

Any suggestions?

--Philip

Scott Schnoll [MSFT] · Guest

Hi Philip,

Is it taking you to the TechCenter home page, or to an ExBPA article at the
TechCenter? You should be seeing an article that says the following:

The Microsoft® Exchange Server Best Practices Analyzer Tool reads the
following registry entry to determine the version of Windows® that is
running on the server:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\CurrentVersion

A CurrentVersion value of 4.0 indicates the computer is running Microsoft
Windows NT® 4.0. A value of 5.0 indicates the computer is running a
Microsoft Windows 2000 Server family product, and a value of 5.2 indicates
the computer is running a Microsoft Windows Server™ 2003 family product.

The Exchange Server Best Practices Analyzer also queries the Active
Directory® directory service to determine the value of the serialNumber
attribute for all objects with an object class of msExchExchangeServer. If
the string value includes "Version 5.5," the computer is running Microsoft
Exchange Server 5.5. If the string value includes "Version 6.0," the
computer is running Microsoft Exchange 2000 Server. If the string value
includes "Version 6.5," the computer is running Microsoft Exchange Server
2003.

Finally, the Exchange Server Best Practices Analyzer reads the following
registry value to determine whether Exchange Server is running in a cluster
with a Kerberos-enabled Network Name cluster resource:

HKLM\Cluster\Resources\<Resource GUID for Network Name
resource>\Parameters\RequireKerberos

A value of 0 for RequireKerberos indicates that the Network Name resource is
not enabled for Kerberos, and a value of 1 indicates that the Network Name
resource is enabled for Kerberos.

If the Exchange Server Best Practices Analyzer finds the value for
RequireKerberos set to 0 on an Exchange Server 2003 virtual server that is
running in a Windows Server 2003 server-based cluster, a warning is
displayed.

This warning indicates that a Kerberos-enabled Network Name cluster resource
is not being used for an Exchange Server 2003 virtual server. This is not a
supported configuration, and should be corrected as soon as possible.

To correct this warning

1. Open the Cluster Administrator program.

2. Take the Network Name resource offline. This will also take
all resources offline that depend on the Network Name resource, including
the Microsoft Exchange System Attendant resource.

3. Right-click the Network Name resource, and then click
Properties.

4. On the Parameters tab, click the Enable Kerberos
Authentication option, and then click OK.

5. Bring the Network Name resource online, and then bring the
remaining offline resources online.

For more information about using Kerberos-enabled Network Name resources on
a Windows Server 2003 cluster, see Microsoft Knowledge Base article 302389,
" Description of the Properties of the Cluster Network Name Resource in
Windows Server 2003,"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=302389).

See also,

· The topic "Deploying Exchange Server 2003 in a Cluster" in the
Exchange Server 2003 Deployment Guide at
http://go.microsoft.com/fwlink/?linkid=21768.

· The topic "Planning for Exchange Clustering" in the Exchange
Server 2003 High Availability Guide at
http://go.microsoft.com/fwlink/?linkid=30251.

--
Scott Schnoll
This posting is provided "AS IS" with no warranties, and confers no
rights. Please do not send email directly to this alias. This alias is for
newsgroup
purposes only.

"Philip Colmer" <pcolmer@newsgroups.nospam> wrote in message
news:uR81Se24EHA.1404@TK2MSFTNGP11.phx.gbl...

Paul Bowden [MSFT] · Guest

Hi Philip,

I've placed a little more conditioning on this rule to double-check that the
network name it's comparing matches the Exchange virtual server name. If you
have the time, grab the modified XML from
http://www.exbpa.com/buddies/kerberos/exbpa.config.xml and place it in your
C:\Program Files\ExBPA\en folder (assuming you used the default installation
path).

Now, start ExBPA again, click on the "About..." link in the left hand nav
and verify that the Configuration Version reads 1.6.3.2 ....if it does,
open up the previous scan (which will cause reanalysis of the data file to
take place) and verify that the Kerberos warning has now disappeared.

If you still see the warning after this, let me know and we can investigate
further.

Thanks!

--
Paul Bowden
Program Manager
Exchange Server Best Practices Analyzer
http://www.microsoft.com/exchange/exbpa

This posting is provided "AS IS" with no warranties, and confers no rights.

"Philip Colmer" <pcolmer@newsgroups.nospam> wrote in message
news:uR81Se24EHA.1404@TK2MSFTNGP11.phx.gbl...

Korbyn · Guest

I was getting the same error message as well. I pulled down your updated xml
file and the error has cleared off.

Thanks.
K.

Paul Bowden [MSFT] · Guest

Great, thanks for the verification Korbyn. I'll look to making this change
permanent in the next drop of the XML (ETA: next week).

Kind regards,

--
Paul Bowden
Program Manager
Exchange Server Best Practices Analyzer
http://www.microsoft.com/exchange/exbpa

This posting is provided "AS IS" with no warranties, and confers no rights.

"Korbyn" <Korbyn@discussions.microsoft.com> wrote in message
news:B79DCD1B-4358-4DA1-91F9-85B4CCA5458A@microsoft.com...

	Exchange Server Forum Index -> Clients	All times are GMT
Page 1 of 1