Cannot send email to/from exchange 2003
		
	Hi there,
We have an exchange organization with one Exchange 2007 server and an Exchange 2003 server. The emails do not get routed to/from exchange 2003 server, and they get stacked up in the queue. The exchange 2007 server is able to send emails to external recipients, but its queue is full of emails directed to mailboxes on exchange 2003 server. The following error shows up on the exchange 2007 queue:
"451 4.4.0 Primary target IP address responded with: "535 5.7.3 Authentication unsuccessful.."Attempted failover to alternate host, but that did not succeed. Either there is no alternate hosts, or delivery failed to all alternate hosts.""
I have deleted the default routing connectors and re-created them, and now in the system manager in exchange 2003 I get the following:
Name            Admin Group            Status
2003 -> 2007    First Admin Group      Unavailable
2007 -> 2003    Exchange Admin Group   Available
Exchange 2003   First Admin Group      Available
Exchange 2007   Exchange Admin Group   Unreachable
Probably I am missing something in the routing connector settings? I would appreciate your quick response.
Thanks,
Ojas		
				June 26th, 2011 1:43pm
			How did you create the routing group connectors?  Try removing them and creating them with the Exchange 2007 Management Shell using the New-RoutingGroupConnector cmdlet.  Let us know how that works and if it doesn't the exact commands you tried.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
					June 26th, 2011 7:47pm
			On Sun, 26 Jun 2011 17:34:50 +0000, ojas.panwar wrote:
 
>We have an exchange organization with one Exchange 2007 server and an Exchange 2003 server. The emails do not get routed to/from exchange 2003 server, and they get stacked up in the queue. The exchange 2007 server is able to send emails to external recipients, but its queue is full of emails directed to mailboxes on exchange 2003 server. The following error shows up on the exchange 2007 queue:
>
>"451 4.4.0 Primary target IP address responded with: "535 5.7.3 Authentication unsuccessful.."Attempted failover to alternate host, but that did not succeed. Either there is no alternate hosts, or delivery failed to all alternate hosts.""
>
>I have deleted the default routing connectors and re-created them, and now in the system manager in exchange 2003 I get the following:
>
>Name            Admin Group            Status
>2003 -> 2007    First Admin Group      Unavailable
>2007 -> 2003    Exchange Admin Group   Available
>Exchange 2003   First Admin Group      Available
>Exchange 2007   Exchange Admin Group   Unreachable
>
>Probably I am missing something in the routing connector settings? I would appreciate your quick response. Thanks, Ojas
 
Is there a firewall between the two machines? Authentication between
the two servers will use Kerberos and ports 88/tcp and 88/udp must be
open. In fact, to be supported, there can be no firewall between the
Exchange servers (or, if there is one, it must be working in
any-to-any mode).
 
Removing and recreating the RGC should have produced the same error,
not some other one. So, yes, I think you're missing something but you
haven't shown how you removed the original RGCs nor how you created the
two additional RGCs. Without that information, who knows what to tell
you.
 
---
Rich Matheisen
MCSE+I, Exchange MVP
				June 26th, 2011 10:48pm
			Thanks for the response Ed and Rich, we don't have a firewall between the two servers that could be blocking ports. I used the following commands to remove and create the routing group connectors:
Remove-RoutingGroupConnector -Identity ConnectorId
New-RoutingGroupConnector -Name "2003-2007" -SourceTransportServers 2003Server -TargetTransportServers 2007Server -Cost 10 -Bidirectional $false -PublicFolderReferralsEnabled $true
New-RoutingGroupConnector -Name "2007-2003" -SourceTransportServers 2007Server -TargetTransportServers 2003Server -Cost 10 -Bidirectional $false -PublicFolderReferralsEnabled $true
After restarting both the servers now the connectors show available, but the Exchange 2007 server still shows unreachable. After some googling around I found that on Exchange 2003 machine the FQDN under Default SMTP server -> Properties -> Delivery -> Advanced should be the FQDN of Exchange 2007 machine, which I changed but it didn't do anything. Is there anything else that I should be looking at?
Thanks,
Ojas		
					June 27th, 2011 5:00pm
			Check the properties of the Exchange 2007 server's receive connector and see if the authentication settings have been screwed up.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
				June 27th, 2011 6:34pm
			The authentication tab has the following options checked: Transport Layer Security (TLS), Basic Authentication, Exchange Server Authentication, and Integrated Windows Authentication. 
Is it supposed to be the same as default SMTP server on 2003 server?		
					June 27th, 2011 8:39pm
			On Mon, 27 Jun 2011 14:00:23 +0000, ojas.panwar wrote:
 
>
>
>Thanks for the response Ed and Rich, we don't have a firewall between the two servers that could be blocking ports. I used the following commands to remove and create the routing group connectors:
>
>Remove-RoutingGroupConnector -Identity ConnectorId 
 
Hmmm . . . try using this instead:
 
get-routinggroupconnector | remove-routinggroupconnector
 
>New-RoutingGroupConnector -Name "2003-2007" -SourceTransportServers 2003Server -TargetTransportServers 2007Server -Cost 10 -Bidirectional $false -PublicFolderReferralsEnabled $true
>
>New-RoutingGroupConnector -Name "2007-2003" -SourceTransportServers 2007Server -TargetTransportServers 2003Server -Cost 10 -Bidirectional $false -PublicFolderReferralsEnabled $true
 
Then create the RGC like this (omit the "-cost" parameter, you don't
need it):
 
new-routinggroupconnector -name "InterOp RGC" -sourcetransportservers 2007server -targettransportservers 2003server -bidirectional:$true -publicfolderreferralsenabled:$true
 
>After restarting both the servers now the connectors show available, but the Exchange 2007 server still shows unreachable. After some googling around I found that on Exchange 2003 machine the FQDN under Default SMTP server -> Properties -> Delivery -> Advanced should be the FQDN of Exchange 2007 machine, which I changed but it didn't do anything. Is there anything else that I should be looking at?
 
The FQDN of the virtual machine should be the name of the machine.
 
Since authentication is failing, run "setspn -L 2003server". There
should be two SPNs for whatever FQDN you have set on the E2K3 SMTP
virtual server that's used in that "InterOP RGC". For example:
 
SMTPSVC/2003Server
SMTPSVC/2003Server.domain.com
SMTP/2003Server
SMTP/2003Server.domain.com
 
Perform the same action using "setspn -L 2007Server". If the FQDN
isn't present in the set of SPNs for the machine you can add them
using "setspn -A FQDN 200xServer".
 
With the correct SPNs assigned to the machine account, Kerberos should
authenticate.
 
---
Rich Matheisen
MCSE+I, Exchange MVP
				June 28th, 2011 1:04am
			Hi Rich I deleted and re-created the RGCs without the cost parameter, but still no progress. When I run setspn -L exchange2003, I just get two SMTPSVC connectors, the output is as follows:
 
exchangeRFR/exchange2003.domain
exchangeRFR/EXCHANGE2003
exchangeMDB/EXCHANGE2003
exchangeMDB/exchange2003.domain
SMTPSVC/EXCHANGE2003
SMTPSVC/exchange2003.domain
HOST/EXCHANGE2003
HOST/exchange2003.domain
While if I run it for exchange 2007 machine I get all four SMTP connectors as you mentioned above. Is there a way to add just the two SMTP connectors for 2003 server? Also, are the authentication settings under receive connector supposed to be the same as they are on the SMTP virtual server on 2003 machine?
 
Thanks,
Ojas
 
Edit: I added SMTP/Exchange2003 and SMTP/Exchange2003.domain by using setspn -A SMTP/Exchange2003 Exchange2003 and setspn -A SMTP/Exchange2003.domain. The error still persists.		
					June 28th, 2011 9:50am
			Hi,
1. Run the BPA to see if there are any errors.
2. Check if 2003Server is a member of "ExchangeLegacyInterop" group.
3. FQDN is correct or not?
				June 28th, 2011 10:02am
			Hi Jason,
1. Run the BPA to see if there are any errors.
When I run the BPA health check I get an error Missing FQDN in service principal name:
The computer account for Exchange server exchange2003.domain does not appear to contain the fully-qualified domain name of Exchange SMTP virtual server 'Default SMTP Virtual Server'. This may cause Kerberos authentication to fail when sending messages between servers. The tool expected to find 'SMTPSVC/exchange2007.domain' in the 'servicePrincipalName'.
I'm confused by the message, does it mean that I have to add a new SPN "SMTPSVC/exchange2007.domain" within exchange 2003 by using setspn?
2. Check if 2003Server is a member of "ExchangeLegacyInterop" group.
Where do I check it? I didn't find the group under local groups as well as Active directory.
3. FQDN is correct or not?
FQDN in exchange 2003 default virtual server (Default SMTP server -> Properties -> Delivery -> Advanced) is exchange2007.domain. Is there anywhere else I should be checking for FQDN settings?
Thanks,
Ojas		
					June 28th, 2011 10:13am
			On Tue, 28 Jun 2011 14:03:00 +0000, ojas.panwar wrote:
 
>
>
>Hi Jason, 
>
>1. Run the BPA to see if there are any errors. 
>
>When I run the BPA health check I get an error Missing FQDN in service principal name:
 
Well, there you go! If the FQDN isn't a SPN on the computer account
Kerberos won't authenticate the connection.
 
>The computer account for Exchange server exchange2003.domain does not appear to contain the fully-qualified domain name of Exchange SMTP virtual server 'Default SMTP Virtual Server'. This may cause Kerberos authentication to fail when sending messages between servers. The tool expected to find 'SMTPSVC/exchange2007.domain' in the 'servicePrincipalName'.
>
>I'm confused by the message, does it mean that I have to add a new SPN "SMTPSVC/exchange2007.domain" within exchange 2003 by using setspn?
>2. Check if 2003Server is a member of "ExchangeLegacyInterop" group. 
 
Yes, you do.
 
>Where do I check it? I didn't find the group under local groups as well as Active directory.
 
It's not a group. Use either ADSIEDIT or LDP to see the
servicePrincipalName property value on the computer account.
 
>3. FQDN is correct or not? 
>
>FQDN in exchange 2003 default virtual server(Default SMTP server -> Properties -> Delivery -> Advanced) is exchange2007.domain. Is there anywhere else I should be checking for FQDN settings?
 
Is "exchange2007.domain" the FQDN of the server or the one you
assigned to the SMTP Virtual Server? If it's the name of the server
the SPN should already have been there. If not, then this should do
it:
 
setspn -A SMTPSVC/exchange2007.domain <whatever-is-the-server-name>
setspn -A SMTPSVC/exchange2007 <whatever-is-the-server-name>
setspn -A SMTP/exchange2007.domain <whatever-is-the-server-name>
setspn -A SMTP/exchange2007 <whatever-is-the-server-name>
 
---
Rich Matheisen
MCSE+I, Exchange MVP
				June 28th, 2011 9:06pm
			On Tue, 28 Jun 2011 13:39:11 +0000, ojas.panwar wrote:
 
>Hi Rich I deleted and re-created the RGCs without the cost parameter, but still no progress. When I run setspn -L exchange2003, I just get two SMTPSVC connectors, the output is as follows:
 
The "cost" isn't part of your problem. It's just unnecessary since you
have only one RGC. Keep things simple. :-) 
 
>exchangeRFR/exchange2003.domain 
>exchangeRFR/EXCHANGE2003 
>exchangeMDB/EXCHANGE2003 
>exchangeMDB/exchange2003.domain 
>SMTPSVC/EXCHANGE2003 
>SMTPSVC/exchange2003.domain 
>HOST/EXCHANGE2003 
>HOST/exchange2003.domain 
 
>While if I run it for exchange 2007 machine I get all four SMTP connectors as you mentioned above. Is there a way to add just the two SMTP connectors for 2003 server?
 
Unless I'm misremembering things, there's no place to specify a FQDN
on a SMTP Connector, only on a SMTP Virtual Server.
 
>Also, are the authentication settings under receive connector supposed to be the same as they are on the SMTP virtual server on 2003 machine?
 
The Routing Group Connector doesn't really use any of those.
 
>Thanks, Ojas 
>
> Edit: I added SMTP/Exchange2003 and SMTP/Exchange2003.domain by using setspn -A SMTP/Exchange2003 Exchange2003 and setspn -A SMTP/Exchange2003.domain. The error still persists.
 
"exchange2003.domain" is the name of the server, according to the HOST
SPN. What's the FQDN on the 2003 SMTP virtual servers (all of them if
you have more than one)? You want SPNs for all of them.
 
If you look at the SMTP send protocol log on your Exchange 2007 server
you should see that it sends X-EXPS GSSAPI to the Exchange 2003
server. The Exchange 2003 server expects to find whatever name the
2007 server used in the EHLO command in a SPN on the 2007 server's
computer account.
 
On the 2003 server, when it sends to the 2007 server, you should see
the EHLO and then a couple of 334 status codes and a 235 status code
(authentication successful). The Exchange 2007 server expects to find
whatever the 2003 server used in its EHLO command in a SPN on the
computer account of the 2003 server.
 
If the SPNs are wrong or incomplete authentication fails.
 
---
Rich Matheisen
MCSE+I, Exchange MVP
					June 28th, 2011 9:34pm
			Hi,
1. I'm confused by the message, does it mean that I have to add a new SPN "SMTPSVC/exchange2007.domain" within exchange 2003 by using setspn?
You also need to check if SMTPSVC/exchange2007.domain and SMTPSVC/exchange2007 exist in Exchange 2007 Server.
http://technet.microsoft.com/en-us/library/aa996905(EXCHG.80).aspx
2. Where do I check it? I didn't find the group under local groups as well as Active directory.
 ADUC -> Microsoft Exchange Security Groups -> ExchangeLegacyInterop -> right click -> properties -> members -> Exchange2003 should be in the list.
				June 28th, 2011 9:52pm
			Thanks for your replies Rich and Jason, I think I am getting closer to fixing the issue. I added SMTPSVC\exchange2007.domain to the service principal names for exchange2003 server and now I don't get the SMTP error anymore. When I look at the event viewer for exchange2007, I see the following warning every 15 minutes:
Inbound authentication failed with error LogonDenied for Receive connector Default EXCHANGE2007. The authentication mechanism is Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is [x.x.x.x].
The IP address is that of exchange 2003 server. On the exchange 2003 machine there are warnings about every hour indicating EXPS is temporarily unable to provide protocol security. The full error is as follows:
EXPS is temporarily unable to provide protocol security with "EXCHANGE2007.domain".  "CSessionContext::OnEXPSInNegotiate" called "HrServerNegotiateAuth" which failed with error code 0x8009030c ( f:\tisp2\transmt\src\smtpsink\exps\expslib\context.cpp@1799 ).
After some digging around I found that it is due to kerberos authentication failing. I have checked that the time on both exchange servers are synchronized. Does the FQDN in default virtual server on Exchange 2003 server be exchange2003.domain or exchange2007.domain?
Thanks,
Ojas		
					June 30th, 2011 11:50am
			On Thu, 30 Jun 2011 15:40:19 +0000, ojas.panwar wrote:
 
>
>
>Thanks for your replies Rich and Jason, I think I am getting closer to fixing the issue. I added SMTPSVC\exchange2007.domain to the service principal names for exchange2003 server and now I don't get the SMTP error anymore.
 
If the name used in the EHLO command from Exchange 2007 is
"exchange2007.domain" then the SPNs SMTPSVC\exchange2007.domain,
SMTPSVC/exchange2007, SMTP/exchange2007.domain and SMTP/exchange2007
should be on the computer account for the Exchange 2007 server, not
the Exchange 2003 server.
 
>When I look at the event viewer for exchange2007, I see the following warning every 15 minutes:
 
>Inbound authentication failed with error LogonDenied for Receive connector Default EXCHANGE2007. The authentication mechanism is Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is [x.x.x.x].
>
>The IP address is that of exchange 2003 server. On the exchange 2003 machine there are warnings about every hour indicating EXPS is temporarily unable to provide protocol security. The full error is as follows:
>
>
>
>EXPS is temporarily unable to provide protocol security with "EXCHANGE2007.domain". "CSessionContext::OnEXPSInNegotiate" called "HrServerNegotiateAuth" which failed with error code 0x8009030c ( f:\tisp2\transmt\src\smtpsink\exps\expslib\context.cpp@1799 ). After some digging around I found that it is due to kerberos authentication failing. I have checked that the time on both exchange servers are synchronized. Does the FQDN in default virtual server on Exchange 2003 server be exchange2003.domain or exchange2007.domain? Thanks, Ojas
 
It seems that exchange2003.domain would be correct. There should be
SPNs on the Exchange 2003 server's computer account for
SMTP/exchange2003.domain, SMTP/exchange2003,
SMTPSVC/exchange2003.domain, and SMTPSVC/exchange2003.
 
---
Rich Matheisen
MCSE+I, Exchange MVP
				June 30th, 2011 8:44pm
			So it seems like my problem is partially solved. I didn't have SMTP/exchange2003 and SMTP/exchange2003.domain in the service principal name for exchange 2003 which I added. Also I changed the authentication on Exchange 2007 receive connector to be same as authentication options on Default SMTP server on Exchange 2003 (Basic Authentication and Integrated Windows authentication checked). Now the mails are flowing from Exchange 2003 to 2007 box, but:
i. The mails are not flowing from Exchange 2007 to 2003, and are getting stacked up in the queue.
ii. The mails delivered to external recipient from exchange 2003 are bouncing back to the sender with a message:  
Your message did not reach some or all of the intended recipients. 
Subject: Test
Sent: 7/1/2011 10:33 AM
The following recipient(s) could not be reached: 
  valid-email@address on 7/1/2011 10:34 AM
  You do not have permission to send to this recipient. For assistance, contact your system administrator.
  <exchange2003.domain #5.7.1 smtp;550 5.7.1 Unable to relay> 
The relay settings on exchange 2003 allow our local domain and the "Allow all computers which successfully authenticate to relay, regardless of the list above" is checked. The queue on exchange 2007 still shows 535 5.7.3 Authentication unsuccessful. 
 
Thanks,
Ojas		
					July 1st, 2011 11:50am
			On Fri, 1 Jul 2011 15:42:11 +0000, ojas.panwar wrote:
 
>So it seems like my problem is partially solved. I didn't have SMTP/exchange2003 and SMTP/exchange2003.domain in the service principal name for exchange 2003 which I added.
 
Did you also remove the SPNs for the Exchange 2007 server from the
Exchange 2003 server's computer account? Having the same SPN on
multiple computer accounts can be a problem unless they're load
balanced and both use the same FQDN in the EHLO commands they send.
 
>Also I changed the authentication on Exchange 2007 receive connector to be same as authentication options on Default SMTP server on Exchange 2003 (Basic Authentication and Integrated Windows authentication checked). Now the mails are flowing from Exchange 2003 to 2007 box, but:
>
>i. The mails are not flowing from Exchange 2007 to 2003, and are getting stacked up in the queue.
 
So what's the reason they're not being delivered? Knowing they're
there is one thing, knowing *why* they're there is another.
 
>ii. The mails delivered to external recipient from exchange 2003 are bouncing back to the sender with a message:
>
>Your message did not reach some or all of the intended recipients. Subject: Test
>Sent: 7/1/2011 10:33 AM 
>
>
>The following recipient(s) could not be reached: valid-email@address on 7/1/2011 10:34 AM You do not have permission to send to this recipient. For assistance, contact your system administrator. <exchange2003.domain #5.7.1 smtp;550 5.7.1 Unable to relay>
 
>The relay settings on exchange 2003 allow our local domain and the "Allow all computers which successfully authenticate to relay, regardless of the list above" is checked. The queue on exchange 2007 still shows 535 5.7.3 Authentication unsuccessful.
 
Did you remove the SPNs for the Exchange 2007 server from the Exchange
2003 server's computer account?
 
---
Rich Matheisen
MCSE+I, Exchange MVP
				July 1st, 2011 2:16pm
			>Did you also remove the SPNs for the Exchange 2007 server from the Exchange 2003 server's computer account? Having the same SPN on multiple computer accounts can be a problem unless they're load balanced and both use the same FQDN in the EHLO commands they send.
 
Yes, the service principal names in Exchange 2003 and 2007 only have their respective records. The output of setspn for both is as follows:
Exchange 2003:
SMTP/exchange2003.domain
SMTP/exchange2003
exchangeMDB/exchange2003.domain
exchangeMDB/EXCHANGE2003
exchangeRFR/exchange2003.domain
exchangeRFR/EXCHANGE2003
SMTPSVC/exchange2003.domain
SMTPSVC/EXCHANGE2003
HOST/EXCHANGE2003
HOST/exchange2003.domain
Exchange 2007:
IMAP4/exchange2007.domain
IMAP4/exchange2007
IMAP/exchange2007.domain
IMAP/exchange2007
exchangeRFR/exchange2007
exchangeRFR/exchange2007.domain
exchangeMDB/exchange2007
exchangeMDB/exchange2007.domain
SmtpSvc/exchange2007.domain
SmtpSvc/exchange2007
SMTP/exchange2007.domain
SMTP/exchange2007
WSMAN/exchange2007
WSMAN/exchange2007.domain
TERMSRV/exchange2007
TERMSRV/exchange2007.domain
RestrictedKrbHost/exchange2007
HOST/exchange2007
RestrictedKrbHost/exchange2007.domain
HOST/exchange2007.domain
>Did you remove the SPNs for the Exchange 2007 server from the Exchange 2003 server's computer account?
Yes
When I check the status under Monitoring and Status in Exchange 2003 system manager, I see exchange 2007 as unreachable. When I try to see properties, I get an error "unable to connect to WMI service". I checked on exchange 2007 server that WMI service is running, and I am able to remotely connect to Exchange 2007 via wmimgmt.msc from exchange 2003. Could this be causing an issue?
Thanks,
Ojas		
					July 6th, 2011 11:01am
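The SPN checks discussed in the posts above (four SMTP/SMTPSVC names per EHLO FQDN, each on the right computer account only), as an added PowerShell example that is not part of the thread. The `setspn -L` listings are constructed from the host names used here and reproduce the mid-thread state; the function names, and the assumption that each server sends its own FQDN in EHLO, are hypothetical.

```powershell
# Added example (not from the thread). Listings below are constructed from the
# host names used in the thread; function names are hypothetical.

# Turn the text printed by `setspn -L <account>` into a list of SPN strings.
function ConvertFrom-SetSpnListing {
    param([string]$Text)
    $Text -split "`r?`n" |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^/\s]+/\S+$' }   # keeps "class/host", drops the header
}

# For every server, check the four SPNs Kerberos needs for its EHLO name.
function Get-SmtpSpnFinding {
    param(
        [hashtable]$SpnsByAccount,      # computer account -> SPNs on that account
        [hashtable]$EhloFqdnByAccount   # computer account -> FQDN it sends in EHLO (assumed)
    )
    foreach ($account in $EhloFqdnByAccount.Keys) {
        $fqdn  = $EhloFqdnByAccount[$account]
        $short = $fqdn.Split('.')[0]
        foreach ($class in 'SMTP', 'SMTPSVC') {
            foreach ($name in $short, $fqdn) {
                $spn = "$class/$name"
                # -contains compares case-insensitively, as SPN lookups do.
                $holders = @($SpnsByAccount.Keys |
                    Where-Object { @($SpnsByAccount[$_]) -contains $spn })
                $others  = @($holders | Where-Object { $_ -ne $account })
                if ($holders -notcontains $account) { $status = 'Missing' }
                elseif ($others.Count -gt 0)        { $status = 'Duplicate' }
                else                                { $status = 'OK' }
                New-Object psobject -Property @{
                    Account = $account; Spn = $spn; Status = $status
                    AlsoOn  = ($others -join ',')
                }
            }
        }
    }
}

# Constructed sample: the 2003 account lacks its SMTP/ names and still carries
# an SMTPSVC name that belongs to the 2007 server.
$listing2003 = @'
Registered ServicePrincipalNames for CN=EXCHANGE2003,CN=Computers,DC=domain:
    exchangeMDB/EXCHANGE2003
    exchangeMDB/exchange2003.domain
    SMTPSVC/EXCHANGE2003
    SMTPSVC/exchange2003.domain
    SMTPSVC/exchange2007.domain
    HOST/EXCHANGE2003
    HOST/exchange2003.domain
'@
$listing2007 = @'
Registered ServicePrincipalNames for CN=EXCHANGE2007,CN=Computers,DC=domain:
    SmtpSvc/exchange2007.domain
    SmtpSvc/exchange2007
    SMTP/exchange2007.domain
    SMTP/exchange2007
    HOST/exchange2007
    HOST/exchange2007.domain
'@

$spns = @{
    'exchange2003' = @(ConvertFrom-SetSpnListing $listing2003)
    'exchange2007' = @(ConvertFrom-SetSpnListing $listing2007)
}
$ehlo = @{
    'exchange2003' = 'exchange2003.domain'
    'exchange2007' = 'exchange2007.domain'
}

# Show only the SPNs that need attention.
Get-SmtpSpnFinding -SpnsByAccount $spns -EhloFqdnByAccount $ehlo |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Account, Spn |
    Format-Table Account, Spn, Status, AlsoOn -AutoSize
```

Against live systems, replace the constructed listings with the text returned by `setspn -L exchange2003` and `setspn -L exchange2007`.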
			On Wed, 6 Jul 2011 14:52:20 +0000, ojas.panwar wrote:
 
>>Did you also remove the SPNs for the Exchange 2007 server from the Exchange 2003 server's computer account? Having the same SPN on multiple computer accounts can be a problem unless they're load balanced and both use the same FQDN in the EHLO commands they send.
>
>Yes, the service principal names in Exchange 2003 and 2007 only have their respective records. The output of setspn for both is as follows:
>
>Exchange 2003: SMTP/exchange2003.domain SMTP/exchange2003 exchangeMDB/exchange2003.domain exchangeMDB/EXCHANGE2003 exchangeRFR/exchange2003.domain exchangeRFR/EXCHANGE2003 SMTPSVC/exchange2003.domain SMTPSVC/EXCHANGE2003 HOST/EXCHANGE2003 HOST/exchange2003.domain
>
>Exchange 2007: IMAP4/exchange2007.domain IMAP4/exchange2007 IMAP/exchange2007.domain IMAP/exchange2007 exchangeRFR/exchange2007 exchangeRFR/exchange2007.domain exchangeMDB/exchange2007 exchangeMDB/exchange2007.domain SmtpSvc/exchange2007.domain SmtpSvc/exchange2007 SMTP/exchange2007.domain SMTP/exchange2007 WSMAN/exchange2007 WSMAN/exchange2007.domain TERMSRV/exchange2007 TERMSRV/exchange2007.domain RestrictedKrbHost/exchange2007 HOST/exchange2007 RestrictedKrbHost/exchange2007.domain HOST/exchange2007.domain
>
>>Did you remove the SPNs for the Exchange 2007 server from the Exchange 2003 server's computer account?
>
>Yes
>
>When I check the status under Monitoring and Status in Exchange 2003 system manager, I see exchange 2007 as unreachable. When I try to see properties, I get an error "unable to connect to WMI service". I checked on exchange 2007 server that WMI service is running, and I am able to remotely connect to Exchange 2007 via wmimgmt.msc from exchange 2003. Could this be causing an issue? Thanks, Ojas
 
If Exchange 2007 says "535 5.7.3 Authentication unsuccessful" then
you're probably having a problem with Kerberos.
 
Are ports 88/tcp and 88/udp open in both directions between the machines
and your DCs?
 
---
Rich Matheisen
MCSE+I, Exchange MVP
				July 6th, 2011 6:04pm
			Hi Rich,
The firewalls are disabled on both the hosts. I enabled Kerberos logging, and found the following errors on exchange 2007:
 
Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          7/7/2011 10:25:00 AM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      exchange2007.domain
Description:
A Kerberos Error Message was received:
 on logon session 
 Client Time: 
 Server Time: 14:25:0.0000 7/7/2011 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm: 
 Client Name: 
 Server Realm: domain
 Server Name: exchange2007$@domain
 Target Name: ow-exchange2007$@domain@domain
 Error Text: 
 File: 9
 Line: f09
 Error Data is in record data.
 
Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          7/7/2011 10:49:41 AM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      exchange2007.domain
Description:
A Kerberos Error Message was received:
 on logon session 2007test@domain
 Client Time: 
 Server Time: 14:49:41.0000 7/7/2011 Z
 Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
 Extended Error: 
 Client Realm: 
 Client Name: 
 Server Realm: NY.FSVS.COM
 Server Name: krbtgt/domain
 Target Name: krbtgt/domain@domain
 Error Text: 
 File: e
 Line: 9fe
 Error Data is in record data.
I am also getting KDC_ERR_BADOPTION errors on Exchange 2003 every 15-odd minutes after enabling kerberos authentication.
Do I have to change something on the servers?
 
Thanks,
Ojas		
					July 7th, 2011 11:45am
			On Thu, 7 Jul 2011 15:36:59 +0000, ojas.panwar wrote:
 
>Hi Rich, 
>
>The firewalls are disabled on both the hosts. I enabled Kerberos logging, and found the following errors on exchange 2007:
 
Start here:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21820
 
 
> Target Name: ow-exchange2007$@domain@domain 
 
Is OW-exchange2007$ the name of some machine in your organization?
 
---
Rich Matheisen
MCSE+I, Exchange MVP
				July 7th, 2011 10:44pm

