Darrel Winbush
asked on
Missing FQDN in service principal name
I need some advice if you can help that would be great. I don't think we are far off from completing the first step of the migrating mailboxes from our old exchange server 2003 to the new one exchange 2010.
I have created a test account on our old server called "test" and moved the mailbox over to the new server. It was successful with no errors, however I have been unable to send or receive emails to that account either internally or externally.
I have run the "Best Practices Analyzer" on our new exchange server ntserver6 and it points out a critical error on our old exchange server called ntserver3. The error is below.
"The computer account for Exchange server ntserver3.Southeast.Southeast does not appear to contain the fully-qualified domain name of Exchange SMTP virtual server 'Default SMTP Virtual Server'. This may cause Kerberos authentication to fail when sending messages between servers. The tool expected to find 'SMTPSVC/mail.se-works.org' in the 'servicePrincipalName'"
I looked into making the recommended change via a Microsoft technet article here
http://technet.microsoft.com/en-us/library/6db21156-a9fc-44d3-8bf8-6a2e035fa7ce.aspx
I attempted to update two missing spn's
Below are the currently configured results from running a list command.
We are missing
C:\Documents and Settings\Administrator.SOUTHEAST\Desktop>setspn -L ntserver3
Registered ServicePrincipalNames for CN=NTSERVER3,OU=Domain Controllers,DC=South
east,DC=Southeast:
MSSQLSvc/ntserver3.Southeast.Southeast:1311
exchangeMDB/ntserver3.Southeast.Southeast
exchangeMDB/NTSERVER3
exchangeRFR/ntserver3.Southeast.Southeast
exchangeRFR/NTSERVER3
SMTPSVC/NTSERVER3
SMTPSVC/ntserver3.Southeast.Southeast
HOST/NTSERVER3
HOST/ntserver3.Southeast.Southeast
I feel we need to also have
setspn -A SMTP/ntserver3.Southeast.Southeast
setspn -A SMTP/ntserver3
based on the Microsoft article. I tried at length last night but wasn't able to implement the addition command.
Let me know what you think. Do you think that the inability to send or receive emails on the test account is due to the missing spn's?
A way to make sure what, if any, SPNs are missing is to run Microsoft Network Monitor, apply a filter to catch Kerberos, and see if the SPNs shown are registered.
ASKER
I know the SPN's are missing by comparing to the technet article. I just need to figure out how to add them.
ASKER
Anyone have thoughts on this?
To add, run setspn.exe -S SMTP/ntserver3.Southeast.Southeast MyDomain\MyserviceAccount
ASKER
Thanks x-men.
I added the following:
setspn.exe -S SMTP/ntserver3.Southeast.Southeast administrator\southeast
setspn.exe -S SMTP/ntserver3 administrator\southeast
But when I run the -L command they are not listed? Results are below.
Does this take some time to register?
I am still NOT seeing mail flow through the new exchange server via the test account
C:\Documents and Settings\Administrator.SOUTHEAST\Desktop>setspn.exe -l ntserver
3
Registered ServicePrincipalNames for CN=NTSERVER3,OU=Domain Controllers,DC=South
east,DC=Southeast:
SMTPSVC/mail.se-works.org
MSSQLSvc/ntserver3.Southeast.Southeast:1311
exchangeMDB/ntserver3.Southeast.Southeast
exchangeMDB/NTSERVER3
exchangeRFR/ntserver3.Southeast.Southeast
exchangeRFR/NTSERVER3
SMTPSVC/NTSERVER3
SMTPSVC/ntserver3.Southeast.Southeast
HOST/NTSERVER3
HOST/ntserver3.Southeast.Southeast
setspn.exe -L administrator\southeast
ASKER
So when I run the setspn.exe -L administrator\southeast command here are my results:
These are drastically different than the ones I get for setspn.exe -L ntserver3. Am I missing something?
C:\Documents and Settings\Administrator.SOUTHEAST\Desktop>setspn.exe -L southeas
t\administrator
Registered ServicePrincipalNames for CN=Administrator,OU=Technology,OU=Active Us
ers,OU=Southeast Works,DC=Southeast,DC=Southeast:
SMTP/ntserver3
SMTP/ntserver3.Southeast.Southeast
ldap/ntserver5.Southeast.Southeast:50000
ldap/NTSERVER5:50000
E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/ntserver5.Southeast.Southeast:5000
0
E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/NTSERVER5:50000
SPN is mapped to the account running the service.
here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms677949(v=vs.85).aspx
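Added example, not part of the thread: a small parser for `setspn -L` output that copes with the 80-column console wrapping seen in the thread's listings and reports which account each SPN is actually attached to, which is what separates the `-L ntserver3` listing from the Administrator one. The sample listings are constructed (shortened from the thread's output), the function names are hypothetical, and the parser assumes SPN lines are indented as setspn prints them, so an unindented line is treated as wrapped text.

```python
HEADER = "Registered ServicePrincipalNames for "

def parse_setspn_listing(text):
    """Parse one `setspn -L` listing into (account_dn, [spn, ...])."""
    dn, spns, state = "", [], "start"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if state == "start" and line.startswith(HEADER):
            dn, state = line[len(HEADER):], "header"
        elif state == "header":
            dn += line                  # DN wrapped by the console
        elif state == "spns" and raw[0] in " \t":
            spns.append(line.strip())   # indented line: a new SPN
        elif state == "spns" and spns:
            spns[-1] += line            # unindented line: wrapped tail
        if state == "header" and dn.endswith(":"):
            dn, state = dn[:-1], "spns"
    if state != "spns":
        raise ValueError("no setspn -L header found")
    return dn, spns

def audit(listings, expected):
    """expected maps SPN -> RDN of the account that should hold it."""
    owners = {}
    for text in listings:
        dn, spns = parse_setspn_listing(text)
        for spn in spns:                # SPN matching is case-insensitive
            owners.setdefault(spn.lower(), []).append(dn)
    findings = []
    for spn, rdn in expected.items():
        held = owners.get(spn.lower(), [])
        if not held:
            findings.append((spn, "missing", None))
        for dn in held:
            if not dn.lower().startswith(rdn.lower() + ","):
                findings.append((spn, "on-other-account", dn))
    return findings

# Constructed sample, shortened from the two listings in the thread.
COMPUTER = ("Registered ServicePrincipalNames for CN=NTSERVER3,OU=Domain Controllers,DC=South\n"
            "east,DC=Southeast:\n\tSMTPSVC/mail.se-works.org\n\tSMTPSVC/NTSERVER3\n")
USER = ("Registered ServicePrincipalNames for CN=Administrator,OU=Technology,OU=Active Us\n"
        "ers,OU=Southeast Works,DC=Southeast,DC=Southeast:\n\tSMTP/ntserver3\n"
        "\tE3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/ntserver5.Southeast.Southeast:5000\n0\n")
# Assumption: the account the asker checked with `setspn -L ntserver3`.
EXPECTED = {"SMTPSVC/mail.se-works.org": "CN=NTSERVER3", "SMTP/ntserver3": "CN=NTSERVER3"}
print(audit([COMPUTER, USER], EXPECTED))
```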
ASKER
Needed to go into a different direction than what was offered