You have a Microsoft Exchange Server 2007-based cluster
environment. When the Microsoft Exchange System Attendant service comes online
on a cluster node, the following events are logged in the Application log:
Event Type: Error
Event Source: MSExchangeSA
Event Category: General
Event ID: 9317
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description:
Failed to register Service Principal Name for exchangeRFR; error code was c0072098.

Event Type: Error
Event Source: MSExchangeSA
Event Category: General
Event ID: 9317
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description:
Failed to register Service Principal Name for exchangeMDB; error code was c0072098.
To work around this problem, use the Add-ADPermission command to add permissions to an Active Directory object on a server on which the Exchange Management Shell is installed. To do this, follow these steps.
Note: You must use an account that has permissions to modify computer account objects in Active Directory.
1. Run the following command in the Exchange Management Shell.
   Add-ADPermission -Identity "cn=exchange-cms,cn=computers,dc=mydomain,dc=com" -User "node-cl1$" -AccessRights WriteProperty -Properties "Validated-SPN"
   Note: The -Identity parameter specifies the identity of the object to which the permissions are being granted. The -Identity parameter requires the full name of the user in quotation marks. The "cn=exchange-cms,cn=computers,dc=mydomain,dc=com" placeholder is the clustered Exchange mailbox server distinguished name. The -User parameter specifies the object to which the permissions are being granted. The "node-cl1$" placeholder is the name of the cluster node followed by the dollar sign to specify that it is a computer object.
2. Replace the value of the -User parameter with the next cluster node, and then run the Add-ADPermission command again.
   Note: You must run the Add-ADPermission command one time for each node in the Exchange 2007 cluster.
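The two steps above can be run for every node in one pass and then checked, as in the following added example (not part of the original article or Microsoft's own script). It assumes a hypothetical second node named node-cl2$, that setspn.exe is installed on the server, and an arbitrary window of the newest 500 Application log entries.

```powershell
# Added example. Run in the Exchange Management Shell with an account that can
# modify computer account objects in Active Directory. The syntax is kept
# compatible with Windows PowerShell 1.0.

# Placeholder distinguished name of the clustered mailbox server (from the article).
$cmsDn = 'cn=exchange-cms,cn=computers,dc=mydomain,dc=com'

# Computer accounts of the cluster nodes. 'node-cl1$' is the article's
# placeholder; 'node-cl2$' is a hypothetical second node.
$nodes = 'node-cl1$', 'node-cl2$'

foreach ($node in $nodes) {
    # Same grant as the article's command, scoped to the Validated-SPN property only.
    Add-ADPermission -Identity $cmsDn -User $node `
        -AccessRights WriteProperty -Properties 'Validated-SPN'

    # Read the access control entries back so the grant can be reviewed per node.
    $aces = @(Get-ADPermission -Identity $cmsDn -User $node)
    if ($aces.Count -eq 0) {
        Write-Warning "No access control entry found for $node on $cmsDn"
    }
    $aces | Format-List User, AccessRights, Properties, Deny
}

# After the System Attendant service next comes online, list the SPNs that are
# registered on the clustered mailbox server account (assumes setspn.exe is
# installed; 'exchange-cms' is the account name from the placeholder DN).
setspn -L exchange-cms

# Look for further occurrences of the SPN registration error in the
# Application log of this node.
$failures = @(Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -eq 'MSExchangeSA' -and $_.EventID -eq 9317 })
'{0} MSExchangeSA event 9317 entries in the newest 500 Application log entries' -f $failures.Count
$failures | Format-List TimeGenerated, Message
```

Event 9317 entries dated before the permission change stay in the log, so compare the TimeGenerated values with the time the service last came online.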
Microsoft
has confirmed that this is a problem in the Microsoft products that are listed
in the "Applies to" section.
A service principal name (SPN) is a unique name that
identifies an instance of a service. An SPN is associated with the logon
account under which the service instance runs. Kerberos authentication will
fail for Exchange Server services if the SPNs cannot be configured
correctly.