Assume that you install Microsoft Exchange Server 2007 Hub Transport servers in multiple domain trees. You try to run the Exchange Mail Flow Analyzer (ExMFA) in the Exchange Management Console (EMC). In this situation, you receive the following error message:
Computer account for "SMTPSVC/<FQDN of Hub/Transport-Server>" not found in Active Directory. No computer account in Active Directory has "ServicePrincipalName" set to "SMTPSVC/<FQDN of Hub/Transport-Server>". This will result in Kerberos authentication failures when server <Servername> attempts to create an SMTP connection to another Hub Transport server.
However, when you run the ldifde -t <PortNumber> -d "" -r (servicePrincipalName=SMTPSVC/<FQDN>) -p <scope> -f <filename> command, the result indicates that all the Service Principal Names (SPNs) for SMTPSVC are set correctly in the Active Directory directory service.
This issue occurs because the ExMFA searches for the computer object of the Hub Transport server in an incorrect domain. Therefore, ExMFA cannot read the ServicePrincipalName attribute of the computer object.
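To confirm which domain actually holds the computer object, you can search each domain of the forest separately for the SPN. The following PowerShell is an added example, not part of the original article or of ExMFA; the function name Find-SmtpSvcSpn, its -HubFqdn parameter and the sample host name are hypothetical, and it assumes a domain-joined account that can read every domain in the forest.

```powershell
# Added example: locate which domain holds the computer object that carries
# SMTPSVC/<FQDN>. Find-SmtpSvcSpn and -HubFqdn are hypothetical names.
function Find-SmtpSvcSpn {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9.-]+$')]   # host names only; keeps the LDAP filter well-formed
        [string] $HubFqdn
    )

    $spn    = "SMTPSVC/$HubFqdn"
    $filter = "(&(objectCategory=computer)(servicePrincipalName=$spn))"
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Search every domain separately so the result shows where the object lives.
    foreach ($domain in $forest.Domains) {
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($domain.Name)")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
        [void] $searcher.PropertiesToLoad.Add('distinguishedName')

        try {
            $results = $searcher.FindAll()
            foreach ($hit in $results) {
                New-Object PSObject -Property @{
                    Domain            = $domain.Name
                    DistinguishedName = [string] $hit.Properties['distinguishedname'][0]
                    Spn               = $spn
                }
            }
            $results.Dispose()
        }
        catch {
            Write-Warning "Could not search $($domain.Name): $($_.Exception.Message)"
        }
        finally {
            $searcher.Dispose(); $root.Dispose()
        }
    }
}

# Constructed sample host name; replace with the real Hub Transport FQDN.
$found = @(Find-SmtpSvcSpn -HubFqdn 'hub01.tree2.example')
$found | Format-Table Domain, DistinguishedName -AutoSize
if ($found.Count -eq 0) { Write-Warning 'SPN not registered in any domain of the forest.' }
if ($found.Count -gt 1) { Write-Warning 'SPN is registered on more than one account (duplicate SPN).' }
```

A single hit in a domain tree other than the one ExMFA searched is consistent with the cause described above.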
To resolve this issue, install the following update rollup:
2530488 Description of Update Rollup 3 for Exchange Server 2007 Service Pack 3
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.