Darrel Winbush asked:

Missing FQDN in service principal name

I need some advice; if you can help, that would be great.  I don't think we are far off from completing the first step of migrating mailboxes from our old Exchange Server 2003 to the new one, Exchange 2010.

I have created a test account on our old server called "test" and moved the mailbox over to the new server.  It was successful with no errors, however I have been unable to send or receive emails to that account either internally or externally.

I have run the "Best Practices Analyzer" on our new Exchange server ntserver6 and it points out a critical error on our old Exchange server called ntserver3.  The error is below.

"The computer account for Exchange server ntserver3.Southeast.Southeast does not appear to contain the fully-qualified domain name of Exchange SMTP virtual server 'Default SMTP Virtual Server'. This may cause Kerberos authentication to fail when sending messages between servers. The tool expected to find 'SMTPSVC/mail.se-works.org' in the 'servicePrincipalName'"

I looked into making the recommended change via a Microsoft TechNet article here:
http://technet.microsoft.com/en-us/library/6db21156-a9fc-44d3-8bf8-6a2e035fa7ce.aspx

I attempted to update two missing SPNs.
Below are the currently configured results from running a list command.
We are missing

C:\Documents and Settings\Administrator.SOUTHEAST\Desktop>setspn -L ntserver3
Registered ServicePrincipalNames for CN=NTSERVER3,OU=Domain Controllers,DC=South
east,DC=Southeast:
   MSSQLSvc/ntserver3.Southeast.Southeast:1311
   exchangeMDB/ntserver3.Southeast.Southeast
   exchangeMDB/NTSERVER3
   exchangeRFR/ntserver3.Southeast.Southeast
   exchangeRFR/NTSERVER3
   SMTPSVC/NTSERVER3
   SMTPSVC/ntserver3.Southeast.Southeast
   HOST/NTSERVER3
   HOST/ntserver3.Southeast.Southeast

I feel we need to also have
setspn –A SMTP/ntserver3.Southeast.Southeast
setspn –A SMTP/ntserver3

based on the Microsoft article.  I tried at length last night but wasn't able to implement the addition command.  

Let me know what you think.  Do you think that the inability to send or receive emails on the test account is due to the missing SPNs?
x-men

A way to make sure what / if SPNs are missing is to run Microsoft Network Monitor, apply a filter to catch Kerberos, and see if the SPNs shown are registered.
Darrel Winbush (ASKER)

I know the SPNs are missing by comparing to the TechNet article.  I just need to figure out how to add them.
Anyone have thoughts on this?
To add, run setspn.exe -S SMTP/ntserver3.Southeast.Southeast MyDomain\MyserviceAccount
Thanks x-men.

I added the following:
setspn.exe -S SMTP/ntserver3.Southeast.Southeast administrator\southeast
setspn.exe -S SMTP/ntserver3 administrator\southeast

But when I run the -L command they are not listed? Results are below.
Does this take some time to register?
I am still NOT seeing mail flow through the new Exchange server via the test account.

C:\Documents and Settings\Administrator.SOUTHEAST\Desktop>setspn.exe -l ntserver
3
Registered ServicePrincipalNames for CN=NTSERVER3,OU=Domain Controllers,DC=South
east,DC=Southeast:
    SMTPSVC/mail.se-works.org
    MSSQLSvc/ntserver3.Southeast.Southeast:1311
    exchangeMDB/ntserver3.Southeast.Southeast
    exchangeMDB/NTSERVER3
    exchangeRFR/ntserver3.Southeast.Southeast
    exchangeRFR/NTSERVER3
    SMTPSVC/NTSERVER3
    SMTPSVC/ntserver3.Southeast.Southeast
    HOST/NTSERVER3
    HOST/ntserver3.Southeast.Southeast
setspn.exe -L administrator\southeast
So when I run the setspn.exe -L administrator\southeast command, here are my results:

These are drastically different than the ones I get for setspn.exe -L ntserver3.  Am I missing something?

C:\Documents and Settings\Administrator.SOUTHEAST\Desktop>setspn.exe -L southeas
t\administrator
Registered ServicePrincipalNames for CN=Administrator,OU=Technology,OU=Active Us
ers,OU=Southeast Works,DC=Southeast,DC=Southeast:
    SMTP/ntserver3
    SMTP/ntserver3.Southeast.Southeast
    ldap/ntserver5.Southeast.Southeast:50000
    ldap/NTSERVER5:50000
    E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/ntserver5.Southeast.Southeast:5000
0
    E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/NTSERVER5:50000
SPN is mapped to the account running the service.
here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms677949(v=vs.85).aspx
ASKER CERTIFIED SOLUTION
Darrel Winbush

needed to go into a different direction than what was offered
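
The two listings in the thread differ because `setspn -L <account>` shows only the SPNs stored on that one account object. As an added example (not from the thread; `parse_setspn_listing`, `audit` and the constants are names made up here), this Python script parses pasted `setspn -L` output, rejoins the console's line wraps, and reports which account holds each SPN the asker wanted on ntserver3. It assumes one listing per string with nothing after the last SPN.

```python
def parse_setspn_listing(text):
    """Return (account_dn, spns) from one pasted `setspn -L` listing."""
    header = "Registered ServicePrincipalNames for"
    dn, spns, in_header = "", [], False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(header):
            dn, in_header = line[len(header):].lstrip(), True
        elif in_header:
            dn += line                    # header wrapped by the console
        elif line[0].isspace():
            spns.append(line.strip())     # SPN entries are indented
        elif spns:
            spns[-1] += line.strip()      # wrapped tail starts at column 0
        if in_header and dn.rstrip().endswith(":"):
            dn, in_header = dn.rstrip()[:-1], False
    return dn, spns

def audit(expected, target_dn, listings):
    """Map each expected SPN to 'ok', 'missing' or 'on other account: <dn>'."""
    owners = {}
    for dn, spns in map(parse_setspn_listing, listings):
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(dn)
    report = {}
    for spn in expected:
        found = owners.get(spn.lower(), set())
        others = sorted(d for d in found if d.lower() != target_dn.lower())
        report[spn] = ("on other account: " + "; ".join(others) if others
                       else "ok" if found else "missing")
    return report

# Listings abridged from the two outputs quoted in the thread, wraps kept.
COMPUTER_LISTING = """
Registered ServicePrincipalNames for CN=NTSERVER3,OU=Domain Controllers,DC=South
east,DC=Southeast:
    SMTPSVC/mail.se-works.org
"""
USER_LISTING = """
Registered ServicePrincipalNames for CN=Administrator,OU=Technology,OU=Active Us
ers,OU=Southeast Works,DC=Southeast,DC=Southeast:
    SMTP/ntserver3
    SMTP/ntserver3.Southeast.Southeast
    E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/ntserver5.Southeast.Southeast:5000
0
"""
TARGET_DN = "CN=NTSERVER3,OU=Domain Controllers,DC=Southeast,DC=Southeast"
EXPECTED = ["SMTPSVC/mail.se-works.org", "SMTP/ntserver3", "SMTP/ntserver3.Southeast.Southeast"]
print(audit(EXPECTED, TARGET_DN, [COMPUTER_LISTING, USER_LISTING]))
```

On the thread's data the report marks `SMTPSVC/mail.se-works.org` as ok and shows both `SMTP/...` names sitting on the Administrator user object rather than on the NTSERVER3 computer object.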