I am currently migrating some Exchange 5.5 users to some new hardware. The new system is running Exchange 5.5 SP4 on Win2k Adv Server SP2. The server is a member server in an NT 4 domain (they are not quite ready for AD here yet). I was hoping someone could clarify some confusing information in the KB articles regarding the Kerberos KDC.
Initially the Kerberos KDC was giving the following errors at startup: Service Control Manager - Event 7023 The Kerberos Key Distribution Center service terminated with the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. Q295381 states that the Kerberos KDC should not be enabled on member servers so I disabled it. Since disabling the service, we have been getting a number of the following events: MrxSmb - Event 3034 The redirector was unable to initialize security context or query context attributes. According to Q316710, having the Kerberos KDC service disabled will cause this error and can prevent E2K services from starting up. There is no mention in Q316710 of only enabling the service if E2k is on a Win2K DC and no mention of any potential problems with Exchange 5.5. As far as I know, it is not possible to run Kerberos KDC in an NT4 Domain so Q295381 should hold true in this case and I have left the service disabled. We have been experiencing some performance problems on this server where the server will periodically stop responding for about 5 - 10 seconds and then continue functioning normally. Thanks to eventid.net, we have now determined that these slowdowns correspond with the MrxSmb events and that these events correspond directly with when backup operations are initiated against the server. The server is being backed up using Veritas Backup Exec 8.5 and a corresponding DCOM error occurs on the backup server (http://seer.support.veritas.com/docs/238513.htm). We have been in touch with Veritas on this issue and so far have had little success in getting a resolution. There is one article in their knowledge base describing something very similar (MrxSmb 3034 errors) but it is apprantly only caused by a System State backup whereas we are seeing it with all backup operations (online Exchange backups included). The workaround proposed by Veritas is to install Certificate Services on the remote server (the Exchange server in this case) as the backup job is apparantly making a call to the Certificate Service to see if it should back up the database. According to the article, this only occurs with the System State backup and we are seeing it much more often than that. IMO, installing Certificate server on every Win2K member server in our NT4 domain is not a very reasonable workaround to this issue and I have my doubts that it will even resolve the issue since it is occurring with all backup jobs. At this point the whole issue appears to be directly related to the Veritas BackupExec software but I was wondering if anyone else had experienced anything similar and if they had any other potential solutions. I have not yet had a chance to verify my suspicions that NTBackup will not produce the same errors but that will be next on my list if Veritas does not provide anything useful. Any other suggestions would be greatly appreciated. _______________________________ Dan Ferneyhough Information Systems Vancouver Island Health Authority, South Island Tel: 370-8012 _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
