To resolve this issue, follow these steps:
- On the Exchange Server 5.5 server, start the Exchange Administrator program in raw mode. To do this, click Start, click Run, type drive :\exchsrvr\bin\admin.exe /r, and then press ENTER. In this path, drive is the drive on which Exchange is installed.
- On the View menu, click Raw Directory.
- In the left pane, double-click Schema.
- In the right pane, double-click NT-Security-Descriptor.
- Click Yes to display the raw properties of the object.
- In the List attributes of type list, click All.
- In the Object attributes list, click NT-Security-Descriptor.
- Click Editor.
- Click NT security descriptor, and then click OK.
- Click Add.
- Click the account that is being used as the Exchange service account, and then click Add.
- Click OK.
- In the Role box, click Service Account Admin, and then click Apply.
- Click OK.
- Click Set.
- Click Apply, and then click OK.
- Click OK, and then click YES in the dialog boxes that appear.
- Quit the Administrator program.
- Restart all Exchange services.
You install the Microsoft Windows 2000 Security Rollup Package on a Windows 2000Server -based server
Consider the following scenario:
- An Exchange Server 5.5 site contains a server that is running Microsoft Windows NT 4.0 Service Pack 6 and a server that is running Windows 2000.
- You install the Microsoft Windows 2000 Security Rollup Package on the Windows 2000-based server.
In this scenario, mail flow stops between the Windows NT-based server and the Windows 2000-based server.
This issue may occur if the following dynamic-link libraries (DLLs) in Microsoft Windows NT Server 4.0 Service Pack 6 do not match the same DLLs in Windows 2000:
If these DLLs do not match, the Windows NT 4.0-based server must negotiate a 128-bit connection. However, the 56-bit Windows NT security DLLs cannot decrypt the packets. The Windows 2000 Security Rollup Package forces NTLM version 2 connections to the Windows NT 4.0-based server. In this scenario, messages are queued to be sent to the other server, but the messages are not sent.
To resolve this issue, install the hotfix that is described in the following Microsoft Knowledge Base article:
322051�
Programs may not connect to the server with mismatched security DLLs in Windows NT 4.0
You connect two Exchange Server 5.5 servers by using the Dynamic RAS Connector
Consider the following scenario:
- You connect two Exchange Server 5.5 servers by using the Dynamic RAS Connector over TCP/IP.
- The servers are in two different untrusted domains.
- The servers are running Microsoft Windows NT 4.0.
In this scenario, the server that is contacting the other server may log an event ID 9318 message and an event ID 289 Message transfer agent (MTA) message in the Application log. The server that is being contacted will log an event ID 9322 message.
To work around this issue, follow these steps:
- Create a new Windows NT user account that is named "Rascon". Repeat this process on each untrusted domain.
- Give the new Rascon accounts the same password.
- Add the Rascon account to the Domain Admins group.
- Use Windows NT User Manager to verify that the Rascon account has the permissions to log on to the Exchange Server 5.5 server.
- In the Microsoft Exchange Administrator program, give the new Rascon account Service Account Admin permissions at the Organization, Site, and Configuration levels of the Exchange Server 5.5 server.
- Modify the RAS Override tab of the Dynamic RAS Connector to use these new accounts on both Exchange Server 5.5 servers.
To do this, follow these steps:
- In the Administrator window, click Connections.
- In the right pane, double-click the Dynamic RAS Connector that you want to modify.
- Click the RAS Override tab.
- Type the new Windows NT account and the password for the service account in
the remote site.
- Confirm your password, and then type the Windows NT domain name of the
remote site.
- Retest mail flow over the Dynamic RAS Connector.
How to troubleshoot an event ID 9318 or 9322 message
Review the service account
An event ID 9318 or 9322 message may be logged if any one of the following conditions is true:
- The service account on the Exchange Server 5.5 server does not match the service account on the Exchange 2000 or Exchange Server 2003 server.
- The service account contains extended characters.
For information about how to resolve these issues, see the following sections.
The service account on the Exchange Server 5.5 server does not match the service account on the Exchange 2000 or Exchange Server 2003 server
An event ID 9318 or 9322 message may be logged if you are working in a mixed environment in which the service account and the password on the Exchange Server 5.5 server does not match the service account and the password on the Exchange 2000 or Exchange 2003 server. This condition may occur if there is a problem with the Exchange Server 5.5 service account or the password that was specified when the Exchange 2000 or Exchange Server 2003 server was installed in the Exchange Server 5.5 site.
To resolve this issue, follow these steps:
- Start Exchange System Manager. To do this, click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
- Locate the Administrative group in which the Exchange 2000 server was installed.
- Right-click the Administrative group, and then click Properties.
- On the General tab, click Modify.
- Type the password.
If the service account name that appears on the
General tab is incorrect, manually change the
MSExchLegacyAccount attribute value for the affected Exchange Administrative group. To do this, follow these steps:
- Start the ADSI Edit tool.
- Expand Configuration Container, expand CN=Configuration, expand CN=Services, expand CN=MicrosoftExchange, expand CN=Organization_Name, expand CN=AdministrativeGroups, and then expand CN=Your Admin Group Name.
- Open the CN=Your Admin Group Name properties.
- In Windows 2000, click BOTH under Select which Properties to View. In Windows Server 2003, click to select the following check boxes:
- Show Mandatory Attribute
- Show Optional Attribute
- In Windows 2000, double-click MSExchLegacyAccount under Select a property to view. In Windows Server 2003, double-click MSExchLegacyAccount.
- Click CLEAR
- Type the Exchange Server 5.5 service account name.
- Click Apply.
- Quit ADSIEdit.
- In Exchange System Manager, examine the Exchange Administrative group properties to make sure that the name of the new Exchange Server 5.5 service account is displayed.
- Re-enter the password for the Exchange Server 5.5 service account.