Kerberos enabled on Network Name resource

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2005-11-18

The Microsoft® Exchange Server Analyzer Tool reads the following registry entry to determine the version of the Microsoft Windows® operating system that is running on the server:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentVersion

A CurrentVersion value of 4.0 indicates the computer is running Windows NT® Server 4.0. A value of 5.0 indicates the computer is running a Windows 2000 Server operating system, and a value of 5.2 indicates the computer is running a Windows Server™ 2003 operating system.

The Exchange Server Analyzer also queries the Active Directory® directory service to determine the value of the serialNumber attribute for all objects with an object class of msExchExchangeServer. If the string value includes "Version 5.5," the computer is running Exchange Server 5.5. If the string value includes "Version 6.0," the computer is running Exchange 2000 Server. If the string value includes "Version 6.5," the computer is running Exchange Server 2003.

Finally, the Exchange Server Analyzer reads the following registry value to determine whether Exchange is running in a cluster with a Kerberos-enabled Network Name cluster resource:

HKLM\Cluster\Resources\<Resource GUID for Network Name resource>\RequireKerberos

A value of 0 for RequireKerberos indicates that the Network Name resource is not enabled for Kerberos and a value of 1 indicates that the Network Name resource is enabled for Kerberos.

If the Exchange Server Analyzer finds the value for RequireKerberos set to 1 on an Exchange 2000 Server virtual server that is running in a Windows 2000 Server server-based cluster, a warning is displayed.

This warning indicates that a Kerberos-enabled Network Name cluster resource is being used for an Exchange 2000 Server virtual server. This is not a supported configuration, and should be corrected as soon as possible. As stated in the Microsoft Knowledge Base article 235529, "Kerberos support on Windows 2000-based server clusters" (, Kerberos authentication for an Exchange 2000 Server Network Name resource is not supported. Exchange 2000 Server has not been tested to ensure that a clustered Exchange 2000 Server virtual server supports Kerberos authentication.

To correct this warning

  1. Open a command prompt on any node in the cluster.

  2. Run the following command: cluster res "Name of Network Name Resource" /priv requirekerberos=0:dword


    The resource name should be enclosed in quotation marks.

  3. Take the Network Name resource offline and delete it.

  4. Open Active Directory Users and Computers.

  5. Locate the computer account object for the deleted Network Name resource and delete it from Active Directory.

  6. Create a new Network Name resource for this Exchange Virtual Server (EVS) and do not make it Kerberos-enabled. You can use the same name and configuration as the Network Name resource that you deleted in step 3.

  7. Bring the new Network Name resource online, and then bring the remaining resources in the EVS online.

For more information about using Kerberos-enabled Network Name resources on a Windows 2000 Server cluster, see the Microsoft Knowledge Base article 235529, "Kerberos support on Windows 2000-based server clusters" (