Event ID 9317 is logged when the Microsoft Exchange System Attendant service comes online on an Exchange 2007 cluster node

You have a Microsoft Exchange Server 2007-based cluster environment. When the Microsoft Exchange System Attendant service comes online on a cluster node, the following events are logged in the Application log:

Event Type: Error
Event Source: MSExchangeSA
Event Category: General
Event ID: 9317
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description:
Failed to register Service Principal Name for exchangeRFR; error code was c0072098.

Event Type: Error
Event Source: MSExchangeSA
Event Category: General
Event ID: 9317
Date: <date>
Time: <time>
User: N/A
Computer: <computername>
Description:
Failed to register Service Principal Name for exchangeMDB; error code was c0072098.

To work around this problem, use the Add-ADPermission command to add permissions to an Active Directory object on a server on which the Exchange Management Shell is installed. To do this, follow these steps.

Note You must use an account that has permissions to modify computer account objects in Active Directory.

1. Run the following command in the Exchange Management Shell.
   add-ADPermission -Identity "cn=exchange-cms,cn=computers,dc=mydomain,dc=com" -User "node-cl1$" -AccessRights WriteProperty -Properties "Validated-SPN"
   Note The -Identity parameter specifies the identity of the object to which the permissions are being granted. The -Identity parameter requires the full name of the user in quotation marks. The "cn=exchange-cms,cn=computers,dc=mydomain,dc=com" placeholder is the clustered Exchange mailbox server distinguished name. The -User parameter specifies the object to which the permissions are being granted. The "node-cl1$" placeholder is the name of the cluster node followed by the dollar sign to specify that it is a computer object.
2. Replace the value of the -User parameter with the next cluster node, and then run the add-ADPermission command again.
   
   Note You must run the add-ADPermission command one time for each node in the Exchange 2007 cluster.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

A service principal name (SPN) is a unique name that identifies an instance of a service. An SPN is associated with the logon account under which the service instance runs. Kerberos authentication will fail for Exchange Server services if the SPNs cannot be configured correctly.