Applies to: Exchange Server 2010 SP1

Topic last modified: 2011-04-24

To use Kerberos authentication with a load-balanced Client Access server array, you must complete several steps. For more information about using Kerberos authentication with a Client Access server array or a load-balancing solution, see Using Kerberos Authentication for a Client Access Server Array or a Load-Balancing Solution.

Creating the alternate service account credential in Active Directory

All computers in the Client Access server array must share the same service account. Any Client Access servers that may be called on in a datacenter activation scenario must also share that service account. In general, one service account per forest is sufficient. This account is called the alternate service account credential (ASA credential).

Note:
If your deployment is complex and goes beyond the scenarios described below, has problems with administrator role delegation, or contains several segments of the forest on different Exchange deployment schedules, you may need to create additional accounts. The RollAlternateServiceAccountCredential.ps1 script must be run for each account you create.

Credential type

You can create either a computer account or a user account for the alternate service account. Because a computer account doesn't allow interactive logon, it may have simpler security policies than a user account and is therefore the preferred choice for the ASA credential. When you create a computer account, its password doesn't actually expire, but we still recommend that you update the password periodically. Local group policy may set a maximum age for computer accounts and use scripts to periodically delete computer accounts that don't comply with current policies. To keep the computer account from being deleted for non-compliance with local policy, update its password periodically. Your local security policy determines when the password must be changed.

Credential name

There are no particular requirements for the name of the ASA credential. You can use any name that conforms to your naming scheme.

Groups and roles

The ASA credential doesn't need any special security privileges. If you deploy a computer account as the ASA credential, the account needs to be a member only of the Domain Computers security group. If you deploy a user account as the ASA credential, the account needs to be a member only of the Domain Users security group.

Password

The password you supply when you create the account is never actually used. Instead of using that password, the script resets it. So when you create the account, you can use any password that meets your organization's password requirements.

Multiple-forest scenarios

In multiple-forest or resource-forest deployments, where users exist outside the Active Directory forest that contains the Exchange servers, you must configure forest trusts between the forests and routing name suffixes across the forest. For more information, see Accessing Resources Across Forests and Routing Name Suffixes Across Forests.

Identifying the service principal names to associate with the alternate service account credential

After you create the alternate service account, you must determine the Exchange service principal names (SPNs) to associate with the ASA credential. The list of Exchange SPNs depends on your configuration, but it should include the following.

  • http: use this SPN for Exchange Web Services, Offline Address Book downloads, and the Autodiscover service.

  • exchangeMDB: use this SPN for RPC Client Access.

  • exchangeRFR: use this SPN for the Address Book service.

  • exchangeAB: use this SPN for the Address Book service.

The SPNs must use the service name as clients see it through the network load balancer (the load-balanced FQDN), not the names of the individual servers.

To help you plan your SPN deployment, consider the following conceptual scenarios:

  1. Single Active Directory site

  2. Multiple Active Directory sites

  3. Multiple Active Directory sites with DAG site resilience

In each of these scenarios, it's assumed that load-balanced fully qualified domain names (FQDNs) have been deployed for the internal URLs, the external URLs and the internal Autodiscover URI used by the Client Access server array members. For more information, see Understanding Proxying and Redirection.

Single Active Directory site

If you have a single Active Directory site, your environment may resemble the following example.

Figure: Single site

Based on the FQDNs used by internal Outlook clients in the preceding example, the following SPNs would need to be deployed on the ASA credential:

  • http/mail.corp.contoso.com

  • http/autod.corp.contoso.com

  • exchangeMDB/outlook.corp.contoso.com

  • exchangeRFR/outlook.corp.contoso.com

  • exchangeAB/outlook.corp.contoso.com

External or web clients that use Outlook Anywhere won't use Kerberos authentication. Therefore, the FQDNs used by those clients don't need to be added as SPNs to the ASA credential.

Important:
If you deploy a split DNS infrastructure, external and internal clients use the same FQDNs, and those FQDNs must be represented as SPNs on the ASA credential.

Multiple Active Directory sites

If you have multiple Active Directory sites, your environment may resemble the following example.

Figure: Multiple sites

Based on the FQDNs used by internal Outlook clients in the preceding example, the following SPNs must be deployed on the ASA credential used by the Client Access server array in Active Directory site ADSite1:

  • http/mail.corp.contoso.com

  • http/autod.corp.contoso.com

  • exchangeMDB/outlook.corp.contoso.com

  • exchangeRFR/outlook.corp.contoso.com

  • exchangeAB/outlook.corp.contoso.com

Based on the FQDNs used by internal Outlook clients in the preceding example, the following SPNs must be deployed on the ASA credential used by the Client Access server array in Active Directory site ADSite2:

  • http/mailsdc.corp.contoso.com

  • http/autodsdc.corp.contoso.com

  • exchangeMDB/outlooksdc.corp.contoso.com

  • exchangeRFR/outlooksdc.corp.contoso.com

  • exchangeAB/outlooksdc.corp.contoso.com

Note:
This example shows that multiple ASA credentials can be used for this particular scenario. However, a single ASA credential may also be used for all Active Directory sites that host Client Access server arrays where Kerberos authentication needs to be deployed.

Multiple Active Directory sites with DAG site resilience

If you have multiple Active Directory sites with DAG site resilience, your environment may resemble the following example.

Figure: Kerberos authentication with multiple sites

Because this architecture contains a database availability group (DAG) that spans both Active Directory sites, a single ASA credential must be deployed for use by the Client Access server array members in ADSite1 and ADSite2. If a single ASA credential isn't used, clients will have Kerberos authentication problems during a datacenter switchover, because the Client Access server array members in the secondary datacenter won't hold the key needed to decrypt the Kerberos service ticket. For more information about activating the secondary datacenter, see Datacenter Switchovers.

Based on the FQDNs used by internal Outlook clients in the preceding example, the following SPNs must be deployed on the ASA credential used by the Client Access server arrays in ADSite1 and ADSite2:

  • http/mail.corp.contoso.com

  • http/autod.corp.contoso.com

  • exchangeMDB/outlook.corp.contoso.com

  • exchangeRFR/outlook.corp.contoso.com

  • exchangeAB/outlook.corp.contoso.com

  • http/mailsdc.corp.contoso.com

  • http/autodsdc.corp.contoso.com

  • exchangeMDB/outlooksdc.corp.contoso.com

  • exchangeRFR/outlooksdc.corp.contoso.com

  • exchangeAB/outlooksdc.corp.contoso.com

Deploying the alternate service account credential

After you create the ASA credential, verify that the account has replicated to every domain controller in all Active Directory sites that contain Client Access servers that will use the ASA credential.

You can then run the alternate service account credential script from the Exchange Management Shell (the script ships in the Exchange Scripts folder, $exscripts). For more information, see Using the RollAlternateServiceAccountCredential.ps1 Script in the Shell. After the script completes, we recommend that you verify that all target servers were updated correctly.

Note:
This script is available only in English.

For information about troubleshooting script errors, see Troubleshooting the RollAlternateServiceAccountCredential.ps1 Script.

The sample output below from the RollAlternateServiceAccountCredential.ps1 script uses a computer account created as the ASA credential. The account is named contoso\newSharedServiceAccountName$. In this example, the script pushes the credential to every member of the Client Access server array named outlook.corp.contoso.com.

To run the script, use the following command.

RollAlternateServiceAccountCredential.ps1 -ToArrayMembers outlook.corp.contoso.com -GenerateNewPasswordFor contoso\newSharedServiceAccountName$

After you run the script, you should see output like the following. You are prompted to confirm the password change.

========== Started at 08/02/2010 15:48:09 ==========
Destination servers that will be updated:
Name
----
CASA
CASB
Credentials that will be pushed to every server in the specified scope (recent first):
UserName							 Password
--------							 --------
contoso\newSharedServiceAccountName$				System.Security.SecureString

Prior to pushing new credentials, all existing credentials that are invalid or no longer work will be removed from the destination servers.
Pushing credentials to server CASA
Pushing credentials to server CASB
Setting a new password on Alternate Service Account in Active Directory
Password change
Do you want to change password for contoso\newSharedServiceAccountName$ in Active Directory at this time?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y

Preparing to update Active Directory with a new password for contoso\newSharedServiceAccountName$ ...
Resetting a password in the Active Directory for contoso\newSharedServiceAccountName$ ...
New password was successfully set to Active Directory.
Retrieving the current Alternate Service Account configuration from servers in scope
Alternate Service Account properties:
StructuralObjectClass QualifiedUserName	 Last Pwd Update	 
--------------------- -----------------	 ---------------	 
computer			contoso\newSharedServiceAccountName$ 8/2/2010 3:49:05 PM 


SPNs
-----

Per-server Alternate Service Account configuration as of the time of script completion:


   Array: outlook.corp.contoso.com

Identity  AlternateServiceAccountConfiguration
--------  ------------------------------------
NAE14CAS  Latest: 8/2/2010 3:48:38 PM, contoso\newSharedServiceAccountName$
		Previous: <Not set>
NAE14CAS2 Latest: 8/2/2010 3:48:51 PM, contoso\newSharedServiceAccountName$
		Previous: <Not set>

Two event IDs are also written to the Application event log: one when the script starts, and one when it completes successfully. The following is an excerpt from the success event.

Log Name:	Application
Source:		MSExchange Management Application
Event ID:	14002
Task Category: Kerberos
Level:		 Information
Description:
Maintenance of the Alternate Service Accounts succeeded.

Verifying the ASA credential deployment

In the Exchange Management Shell, run the following command to verify the settings on the Client Access servers.

Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus | fl name,*alter*

The output should look like the following.

Name								 : CASA
AlternateServiceAccountConfiguration : Latest: 8/2/2010 3:48:38 PM, contoso\newSharedServiceAccountName$
									 Previous: <Not set>

Name								 : CASB
AlternateServiceAccountConfiguration : Latest: 8/2/2010 3:48:51 PM, contoso\newSharedServiceAccountName$
									 Previous: <Not set>

If the script has been run more than once and the credential was changed, the Previous entry shows when the earlier credential was set. Every member of the array should show the same Latest credential; a member that shows a different or unset credential can't decrypt tickets issued for the shared account and will fail Kerberos authentication for the clients that the load balancer sends to it.

Name								 : NAE14CAS
AlternateServiceAccountConfiguration : Latest: 8/2/2010 4:32:38 PM, contoso\newSharedServiceAccountName$
									 Previous: 8/2/2010 4:32:24 PM, contoso\sharedkerbacct$

Name								 : NAE14CAS2
AlternateServiceAccountConfiguration : Latest: 8/2/2010 4:32:38 PM, contoso\newSharedServiceAccountName$
									 Previous: 8/2/2010 4:32:24 PM, contoso\sharedkerbacct$

Associating the service principal names with the alternate service account

Before you configure the SPNs, verify that the target SPNs aren't already registered on another account in the forest. These SPNs must be associated only with the ASA credential in the forest. To confirm that the SPNs aren't assigned to another account in the forest, run setspn with the -q and -f parameters at a command prompt, as shown in the following example. The command should return nothing. If it returns an object, another account already holds the SPN you intend to use; a duplicate SPN causes the KDC to reject ticket requests for that name, so remove the duplicate before continuing.

Note:
Only the version of setspn that ships with Windows Server 2008 (and later) supports the forest-wide duplicate check parameter (-f).
Setspn -q -f exchangeMDB/outlook.corp.contoso.com

The following command shows how to set an SPN on the shared ASA credential. Run setspn with this syntax once for each target SPN you identified (http, exchangeMDB, exchangeRFR and exchangeAB for every load-balanced FQDN).

Setspn -S exchangeMDB/outlook.corp.contoso.com contoso\newSharedServiceAccountName$

After you assign the SPNs, verify that they were added by using the following command.

Setspn -L contoso\newSharedServiceAccountName$
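The duplicate check, the registration and the read-back above can be driven from one PowerShell script. The following is an added example, not part of the original topic: it assumes the ActiveDirectory module (RSAT) is installed, that the ASA credential is the computer account newSharedServiceAccountName$ from the single-site scenario, and that a global catalog is reachable on port 3268. It performs the forest-wide duplicate check through the global catalog, which is what setspn -Q -F does, so it also works where the local setspn doesn't support -f.

```powershell
# Added example (not from the original topic): plan, duplicate-check, register and
# read back the Exchange SPNs for one ASA credential.
# Assumptions: ActiveDirectory module available; ASA credential is a computer
# account; a global catalog answers on port 3268.
Import-Module ActiveDirectory

# Load-balanced FQDNs from the single-site scenario (never individual server names).
$SpnPlan = @{
    'http'        = @('mail.corp.contoso.com', 'autod.corp.contoso.com')
    'exchangeMDB' = @('outlook.corp.contoso.com')
    'exchangeRFR' = @('outlook.corp.contoso.com')
    'exchangeAB'  = @('outlook.corp.contoso.com')
}
$AsaAccount = 'newSharedServiceAccountName$'   # sAMAccountName of the ASA computer account

$Spns = foreach ($svc in $SpnPlan.Keys) {
    foreach ($fqdn in $SpnPlan[$svc]) { "$svc/$fqdn" }
}

# Forest-wide duplicate check: query a global catalog (port 3268). An empty
# SearchBase against the GC port searches the whole forest, which is the same
# scope setspn -Q -F uses. Any holder other than the ASA account is a conflict.
$Gc  = "$((Get-ADDomainController -Discover -Service GlobalCatalog).HostName):3268"
$Asa = Get-ADComputer -Identity $AsaAccount -Properties servicePrincipalName

$Conflicts = foreach ($spn in $Spns) {
    Get-ADObject -Server $Gc -SearchBase '' -LDAPFilter "(servicePrincipalName=$spn)" |
        Where-Object { $_.DistinguishedName -ne $Asa.DistinguishedName } |
        ForEach-Object { [pscustomobject]@{ SPN = $spn; Owner = $_.DistinguishedName } }
}
if ($Conflicts) {
    $Conflicts | Format-Table -AutoSize
    throw 'One or more SPNs are already registered to another account; remove the duplicates first.'
}

# Register only the SPNs that are still missing, so the script is safe to re-run.
$Missing = @($Spns | Where-Object { $Asa.servicePrincipalName -notcontains $_ })
if ($Missing.Count -gt 0) {
    Set-ADComputer -Identity $AsaAccount -ServicePrincipalNames @{ Add = $Missing }
}

# Read back from AD (equivalent to "setspn -L") and warn about anything not present.
$Registered = (Get-ADComputer -Identity $AsaAccount -Properties servicePrincipalName).servicePrincipalName
$Spns | Where-Object { $Registered -notcontains $_ } | ForEach-Object { Write-Warning "Not registered: $_" }
$Registered | Sort-Object
```

For the multiple-site or DAG scenarios, add the ADSite2 FQDNs (mailsdc, autodsdc, outlooksdc) to the same plan if one shared ASA credential is used, or run the script once per credential with that site's FQDNs if separate credentials are used. Because Set-ADComputer writes through one domain controller, allow for replication before running the RollAlternateServiceAccountCredential.ps1 script against the array.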

Verifying Kerberos authentication for Exchange clients

After you have successfully configured Kerberos authentication and deployed the RollAlternateServiceAccountCredential.ps1 script, verify that clients can authenticate successfully.

Verify that the Microsoft Exchange Service Host service is running.

The Microsoft Exchange Service Host service on the Client Access servers manages the ASA credential. If this service isn't running, Kerberos authentication isn't possible. By default, the service is set to start automatically when the computer starts. Also verify that Exchange Server 2010 SP1 Update Rollup 3 or later is installed on all Client Access servers in the environment.

Testing Outlook authentication

To verify that Outlook can connect to the Client Access servers with Kerberos authentication, follow these steps.

  1. Verify that Outlook is configured to point to the correct load-balanced Client Access server array.

  2. Configure the server security settings of the e-mail account to use the Negotiate Authentication logon network security setting. You can also configure the client to use Kerberos Password Authentication. However, if the SPNs are later removed, clients set to Kerberos only won't be able to authenticate until the setting is changed back to Negotiate Authentication.

  3. Verify that Outlook Anywhere is disabled for this client. If the Outlook client can't authenticate with Kerberos, it falls back to Outlook Anywhere, so Outlook Anywhere must be disabled for the duration of this test.

  4. Restart Outlook.

  5. If the desktop computer runs Windows 7, you can run klist.exe to see which Kerberos tickets have been granted and are in use. If Windows 7 isn't installed, klist.exe is available in the Windows Server 2003 Resource Kit.

Verifying with the Test-OutlookConnectivity cmdlet

To verify that Kerberos authentication works correctly, use the Test-OutlookConnectivity cmdlet. This is the best way to test connectivity over TCP. By default, the cmdlet uses Negotiate authentication for TCP connections, so if Kerberos authentication is configured, the cmdlet will use it. klist.exe lets you view the Kerberos tickets on the computer. The cmdlet can be run on the Client Access server itself or by an automated monitoring tool such as SCOM. When you use Test-OutlookConnectivity, verify that the RPCClientAccessServer property of the mailbox database is set to the name of the Client Access server array; otherwise the cmdlet won't exercise the shared ASA credential. In the following command, $c holds a PSCredential for the mailbox, for example from Get-Credential.

Test-OutlookConnectivity -Identity administrator -MailboxCredential $c -Protocol tcp

To verify that the connection was made with Kerberos authentication, check in klist.exe whether Kerberos tickets were issued for the newly added SPNs.
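As an added example (not from the original topic), the following PowerShell function parses klist output and reports which of the expected Exchange SPNs have a cached service ticket, which covers both step 5 above and the klist check after Test-OutlookConnectivity. It assumes klist.exe prints one "Server: <spn> @ <REALM>" line per cached ticket; the klist output embedded in the script is constructed for an offline demonstration, and the expected SPN list is the single-site set from earlier in this topic.

```powershell
# Added example (not part of the original topic): confirm that the client holds
# service tickets for the Exchange SPNs after Outlook has connected.
# Assumption: klist.exe (Windows 7, or the Windows Server 2003 Resource Kit) prints
# one "Server: <spn> @ <REALM>" line per cached ticket.
$ExpectedSpns = @(
    'exchangeMDB/outlook.corp.contoso.com',
    'exchangeRFR/outlook.corp.contoso.com',
    'exchangeAB/outlook.corp.contoso.com',
    'http/mail.corp.contoso.com',
    'http/autod.corp.contoso.com'
)

function Get-CachedServicePrincipals {
    # Returns the SPN part of every "Server:" line in klist output.
    param([string[]]$KlistOutput)
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*([^\s@]+)\s*@') { $Matches[1] }
    }
}

function Test-ExchangeKerberosTickets {
    # One row per expected SPN: Ticket = $true when a service ticket is cached.
    param(
        [string[]]$ExpectedSpns,
        [string[]]$KlistOutput = (& klist.exe tickets 2>&1)   # live cache of the current logon session
    )
    $cached = @(Get-CachedServicePrincipals -KlistOutput $KlistOutput)
    foreach ($spn in $ExpectedSpns) {
        # SPN comparison is case-insensitive, as it is for Kerberos itself.
        [pscustomobject]@{
            SPN    = $spn
            Ticket = [bool]($cached | Where-Object { $_ -ieq $spn })
        }
    }
}

# Constructed klist output for the offline demonstration: the RPC Client Access and
# Address Book tickets are present; no http ticket exists yet (EWS not used so far).
$DemoKlist = @'
Current LogonId is 0:0x3e7e5

Cached Tickets: (3)

#0>     Client: administrator @ CORP.CONTOSO.COM
        Server: krbtgt/CORP.CONTOSO.COM @ CORP.CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: administrator @ CORP.CONTOSO.COM
        Server: exchangeMDB/outlook.corp.contoso.com @ CORP.CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#2>     Client: administrator @ CORP.CONTOSO.COM
        Server: exchangeAB/outlook.corp.contoso.com @ CORP.CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
'@ -split "`r?`n"

Test-ExchangeKerberosTickets -ExpectedSpns $ExpectedSpns -KlistOutput $DemoKlist | Format-Table -AutoSize

# On a real client, omit -KlistOutput to read the live ticket cache of the user
# running Outlook:
# Test-ExchangeKerberosTickets -ExpectedSpns $ExpectedSpns | Format-Table -AutoSize
```

Run it in the same logon session as Outlook, since the ticket cache is per logon session. A connected Outlook that shows no exchangeMDB ticket has silently fallen back to NTLM; run klist purge, restart Outlook and test again before looking at the SPNs or the ASA credential.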

Testing Kerberos authentication on the Client Access server

To verify that Kerberos authentication is working on the Client Access server, you can review the protocol logs for successful Kerberos connections. You can use these logs together with the other verification methods for the same purpose.

  • On the Client Access server, check the Address Book service protocol logs. These logs are typically in the following folder: C:\Program Files\Microsoft\Exchange Server\v14\Logging\AddressBook Service.

  • Open the most recent log file and search for the word Kerberos in entries written after the script was run. If Kerberos traffic appears, the connection succeeded. A line in the log file should look similar to the following:

    2010-06-11T22:58:49.799Z,9,0,/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator,,2001:4898:f0:3031:99f:ce35:750a:8b09,EXCH-A-363,ncacn_ip_tcp,Bind,,6,,,Kerberos,


If the line contains the word Kerberos, the server is successfully making Kerberos-authenticated connections. For more information about the Address Book service log, see Understanding the Address Book Service.
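The following PowerShell example, added here and not part of the original topic, summarizes Bind operations in the Address Book service log by authentication type so that NTLM fallbacks stand out rather than having to be found by searching for the word Kerberos. The column positions (operation in the 9th comma-separated field, authentication type in the 14th) are inferred from the single sample line above; the log lines embedded in the script are constructed, including an assumed NTLM entry. Check the header of your own log before relying on those positions.

```powershell
# Added example (not from the original topic): count Address Book service Bind
# operations per authentication type and list the users behind each.
# Assumptions: fields are comma-separated, the operation is field 9 and the
# authentication type is field 14 (1-based), as in the sample line in this topic.
$SampleLog = @'
2010-06-11T22:58:49.799Z,9,0,/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator,,2001:4898:f0:3031:99f:ce35:750a:8b09,EXCH-A-363,ncacn_ip_tcp,Bind,,6,,,Kerberos,
2010-06-11T22:59:02.114Z,10,0,/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Alice,,10.0.0.25,EXCH-A-363,ncacn_ip_tcp,Bind,,6,,,NTLM,
2010-06-11T22:59:05.301Z,11,0,/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator,,2001:4898:f0:3031:99f:ce35:750a:8b09,EXCH-A-363,ncacn_ip_tcp,Unbind,,6,,,,
'@ -split "`r?`n"   # constructed sample; the NTLM line is assumed, not taken from the topic

function Get-BindAuthSummary {
    # Returns one row per authentication type seen on Bind operations, with the
    # number of binds and the distinct users, so NTLM fallbacks are visible at a glance.
    param([string[]]$Lines)

    $binds = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }  # blanks, header lines
        $f = $line -split ','
        if ($f.Count -lt 14 -or $f[8] -ne 'Bind') { continue }                            # only Bind operations
        $auth = $f[13]
        if (-not $auth) { $auth = '<none>' }
        [pscustomobject]@{
            Time   = $f[0]
            User   = ($f[3] -split '/cn=')[-1]   # last cn= of the legacyExchangeDN
            Client = $f[5]
            Auth   = $auth
        }
    }

    $binds | Group-Object Auth | ForEach-Object {
        [pscustomobject]@{
            Auth  = $_.Name
            Binds = $_.Count
            Users = ($_.Group.User | Sort-Object -Unique) -join ', '
        }
    }
}

Get-BindAuthSummary -Lines $SampleLog | Format-Table -AutoSize
# Expected for the sample: Kerberos 1 bind (Administrator), NTLM 1 bind (Alice);
# the Unbind line is ignored.

# Against the real logs on a Client Access server:
# Get-BindAuthSummary -Lines (Get-Content 'C:\Program Files\Microsoft\Exchange Server\v14\Logging\AddressBook Service\*.log')
```

Any NTLM rows after the SPNs and the ASA credential are in place identify users whose clients are still falling back; their Client column (the source address) tells you which workstations to check with klist, and a user that appears under both types has connected before and after the change.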

Troubleshooting authentication

Several common errors can occur when you configure Kerberos authentication.

Outlook clients configured for Kerberos-only authentication can't connect

If an Outlook client that's configured to use only Kerberos authentication can't connect, follow these troubleshooting steps.

  1. Configure Outlook to use only NTLM authentication and then test connectivity. If the connection still fails, verify that the Client Access server array is reachable and that the network connection is stable.

    If the NTLM connection succeeds but the Kerberos connection fails, verify that the SPNs aren't registered to any account other than the alternate service account. Use the setspn query command to verify that the Exchange SPNs are registered to the account used as the shared alternate service account, as described earlier in this topic.

  2. Verify that all Client Access servers and Active Directory hold the same password. To do this, run the script in attended mode and force it to generate a new password.

  3. Verify that the Microsoft Exchange Address Book service is running on the Client Access servers.

  4. If authentication still fails, verify that Integrated Windows authentication is enabled on the virtual directories of the services you want to reach with Kerberos authentication. You can check the authentication methods with the Get-*VirtualDirectory cmdlets (for example, Get-WebServicesVirtualDirectory). For more information about virtual directories, see Understanding Outlook Web App Virtual Directories and Understanding Exchange Web Services Virtual Directories.

Autodiscover service failures

The following Autodiscover failure may occur when the Autodiscover request header carries a large Kerberos authentication ticket that exceeds the header size limit configured for IIS. The error message looks similar to the following.

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 09 Mar 2010 18:06:18 GMT
Connection: close
Content-Length: 346

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Request Too Long</h2>
<hr><p>HTTP Error 400. The size of the request headers is too long.</p>
</BODY></HTML>

To resolve this error, increase the IIS header size limit. For more information, see the IIS documentation.

Ongoing maintenance of the ASA credential

If you need to update the password of the shared ASA credential periodically, see the instructions for setting up a scheduled task that performs regular password maintenance in Using the RollAlternateServiceAccountCredential.ps1 Script in the Shell. Monitor that scheduled task to verify that the password rolls on time and to prevent authentication outages.

Disabling Kerberos authentication

To disable Kerberos authentication on the Client Access server array, remove the SPNs from the shared service account. Once the SPNs are removed, clients won't attempt Kerberos authentication; clients configured to use Negotiate authentication fall back to NTLM. Clients configured to use only Kerberos authentication won't be able to connect. After you remove the SPNs, you should also remove the shared service account. You can use the maintenance script to remove the credential from all Client Access server array members by using the -ToEntireForest parameter together with the -CopyFrom parameter, specifying a server that has no Kerberos credential configured. You may also need to restart all client computers to clear the Kerberos ticket cache.