Kerberos enabled on Network Name resource
Topic Last Modified: 2005-11-18
The Microsoft® Exchange Server Analyzer Tool reads the following registry entry to determine the version of the Microsoft Windows® operating system that is running on the server:
A CurrentVersion value of 4.0 indicates the computer is running Windows NT® Server 4.0. A value of 5.0 indicates the computer is running a Windows 2000 Server operating system, and a value of 5.2 indicates the computer is running a Windows Server™ 2003 operating system.
The Exchange Server Analyzer also queries the Active Directory® directory service to determine the value of the serialNumber attribute for all objects with an object class of msExchExchangeServer. If the string value includes "Version 5.5," the computer is running Exchange Server 5.5. If the string value includes "Version 6.0," the computer is running Exchange 2000 Server. If the string value includes "Version 6.5," the computer is running Exchange Server 2003.
Finally, the Exchange Server Analyzer reads the following registry value to determine whether Exchange is running in a cluster with a Kerberos-enabled Network Name cluster resource:
HKLM\Cluster\Resources\<Resource GUID for Network Name resource>\RequireKerberos
A value of 0 for RequireKerberos indicates that the Network Name resource is not enabled for Kerberos and a value of 1 indicates that the Network Name resource is enabled for Kerberos.
If the Exchange Server Analyzer finds the value for RequireKerberos set to 1 on an Exchange 2000 Server virtual server that is running in a Windows 2000 Server server-based cluster, a warning is displayed.
This warning indicates that a Kerberos-enabled Network Name cluster resource is being used for an Exchange 2000 Server virtual server. This is not a supported configuration, and should be corrected as soon as possible. As stated in the Microsoft Knowledge Base article 235529, "Kerberos support on Windows 2000-based server clusters" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=235529), Kerberos authentication for an Exchange 2000 Server Network Name resource is not supported. Exchange 2000 Server has not been tested to ensure that a clustered Exchange 2000 Server virtual server supports Kerberos authentication.
Open a command prompt on any node in the cluster.
Run the following command: cluster res "Name of Network Name Resource" /priv requirekerberos=0:dword
Note: The resource name should be enclosed in quotation marks.
Take the Network Name resource offline and delete it.
Open Active Directory Users and Computers.
Locate the computer account object for the deleted Network Name resource and delete it from Active Directory.
Create a new Network Name resource for this Exchange Virtual Server (EVS) and do not make it Kerberos-enabled. You can use the same name and configuration as the Network Name resource that you deleted in step 3.
Bring the new Network Name resource online, and then bring the remaining resources in the EVS online.
For more information about using Kerberos-enabled Network Name resources on a Windows 2000 Server cluster, see the Microsoft Knowledge Base article 235529, "Kerberos support on Windows 2000-based server clusters" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=235529).