Service Principal Name Missing from Global Catalog Server

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2006-05-12

The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service global catalog server to find the values returned for the Fully Qualified Domain Name (FQDN) and NetBIOS name for the servicePrincipalName attribute of the exchangeAB and HOST resources.

The Exchange Server Analyzer displays an error if either of the following conditions is true:

  • The servicePrincipalName attribute for the exchangeAB resource is missing one of the expected FQDN or NetBIOS name values.

  • The servicePrincipalName attribute for the HOST Exchange resource is missing one of the expected FQDN or NetBIOS name values.

A Service Principal Name (SPN) is a unique name that identifies an instance of a service and is associated with the logon account under which the service instance runs. Kerberos authentication is not possible for Exchange services without correctly set SPNs.

  • If clients that run Microsoft Outlook® 2003 or a later version have Active Directory authentication issues, these issues may indicate the lack of a valid SPN for the exchangeAB resource.

  • Authentication failures between servers may indicate the lack of a valid SPN for the HOST resource.

To resolve this issue, follow these steps to add the missing values for the servicePrincipalName attribute.

Use the Setspn.exe tool to add an SPN with the missing values

  1. Install the Setspn.exe tool. To obtain the Setspn.exe tool, see "Windows 2000 Resource Kit Tool : Setspn.exe" (https://go.microsoft.com/fwlink/?LinkId=28103).

    The Windows Server 2003 version of the Setspn.exe command-line tool is available in the Windows Server 2003 Support Tools that are included on the Windows Server 2003 CD. To install the Server 2003 Support Tools, double-click the Suptools.msi file in the Support/Tools folder.

  2. Follow the guidance in the Setspn_d.txt file that accompanies Setspn.exe to add the missing value to the Active Directory object for your Exchange server. The following example demonstrates adding the FQDN value for a virtual SMTP server SPN:

    • Start a command prompt, and then change to the directory where you installed Setspn.exe.

    • At the command prompt, type the following command:

      setspn.exe -a SMTPSVC/mail.yourdomain.com YOURSERVERNAME

      Note

      Replace mail.yourdomain.com with your SMTP virtual server FQDN and YOURSERVERNAME with the name of the Exchange server.

      Then press Enter.
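
The check described above (FQDN and NetBIOS values for the exchangeAB and HOST resources) can be reproduced before running Setspn.exe. The following PowerShell sketch is an added example, not part of the original topic or of the Exchange Server Analyzer; the function name `Get-MissingExchangeSpn`, the server name EX01, the domain yourdomain.com and the sample SPN list are assumptions made for illustration.

```powershell
# Added example: compare a server's registered SPNs with the four values the
# Analyzer expects (FQDN and NetBIOS name for exchangeAB and for HOST) and
# print the setspn.exe -a command for each value that is missing.
function Get-MissingExchangeSpn {
    param(
        [Parameter(Mandatory)] [string] $NetBiosName,
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $RegisteredSpn
    )

    # SPNs are matched without regard to case, so use a case-insensitive set.
    $have = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($spn in $RegisteredSpn) {
        if ($spn) { [void]$have.Add($spn.Trim()) }
    }

    foreach ($class in 'exchangeAB', 'HOST') {
        foreach ($hostName in $Fqdn, $NetBiosName) {
            $expected = "$class/$hostName"
            if (-not $have.Contains($expected)) {
                [pscustomobject]@{
                    MissingSpn = $expected
                    # Same command form as the SMTPSVC example in step 2.
                    Fix        = "setspn.exe -a $expected $NetBiosName"
                }
            }
        }
    }
}

# Constructed sample data for a hypothetical server EX01.
# On a live system the list could instead be taken from the indented lines
# printed by "setspn.exe -L EX01" (assumed output layout: one SPN per line).
$registered = @(
    'HOST/EX01',
    'host/ex01.yourdomain.com',    # differs only in case: counts as present
    'exchangeAB/EX01',
    'SMTPSVC/mail.yourdomain.com'  # unrelated service class, ignored
)

Get-MissingExchangeSpn -NetBiosName 'EX01' -Fqdn 'ex01.yourdomain.com' `
    -RegisteredSpn $registered | Format-List
```

Review each generated command before running it, and confirm that the SPN is not already registered on a different account, because an SPN must be unique.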