Microsoft KB Archive/257679

= How to troubleshoot an event ID 9318 message and an event ID 9322 message that contains error code 5 =

Article ID: 257679

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange 2000 Enterprise Server
 * Microsoft Exchange Server 5.5 Standard Edition

-



This article was previously published under Q257679



This article is a consolidation of the following previously available articles: 274770, 279030, 289609, 327004, 323733, 298604 and 217142



SUMMARY


This article describes how to troubleshoot scenarios in which an event ID 9318 message and an event ID 9322 message that contains error code 5 may be logged in the event log. This article describes the following scenarios in which these events may occur:


 * You upgrade Microsoft Exchange Server 5.5 to Microsoft Exchange 2000 Server or to Microsoft Exchange Server 2003.
 * You install the Microsoft Windows 2000 Security Rollup Package on a Windows 2000-based server.
 * You use the Dynamic RAS Connector to connect servers in two different untrusted domains.

Additionally, this article describes the following methods that you can use to troubleshoot these event ID messages:
 * Review the service account.
 * Troubleshoot the network connection.



INTRODUCTION
This article describes how to troubleshoot the event ID 9318 message and the event ID 9322 message. These events are logged when mail flow stops between two servers that are running Microsoft Exchange Server 5.5 or between a server that is running Exchange Server 5.5 and a server that is running Microsoft Exchange Server 2003 or Microsoft Exchange 2000 Server.



MORE INFORMATION
When you send messages between two servers that are running Microsoft Exchange Server 5.5 or between a server that is running Exchange Server 5.5 and a server that is running Microsoft Exchange Server 2003 or Microsoft Exchange 2000 Server, mail flow may stop. Additionally, the following issues may occur:  On the Exchange 2000 server or on the Exchange Server 2003 server, you can see the messages in the X.400 message transfer agent (MTA) queue for the destination servers. On the Exchange Server 5.5 server, you can see the messages in the MTA queue. The messages eventually returned together with a non-delivery report (NDR) because a time-out occurs.  The following RPC event ID messages may be logged in the Application log on both servers: Event Type: Warning

Event Source: MSExchangeMTA

Event Category: Interface

Event ID: 9318

Description:

An RPC communications error occurred. Unable to bind over RPC. Locality Table (LTAB) index: 4, NT/MTA error code: 5. Comms error 5, Bind error 0, Remote Server Name  [MAIN BASE 1 500 %10] (14) Event Type: Warning

Event Source: MSExchangeMTA

Event Category: Interface

Event ID: 9322

Description:

An interface error has occurred. An MtaBindBack over RPC has failed. Locality Table (LTAB) index: 13, NT/MTA error code: 5. Comms error 5, Bind error 0, Remote Server Name, Protocol String ncacn_ip_tcp:16.37.164.181[4749] [BASE IL INCOMING RPC 23 507] (14) 

The significant section of the event ID 9318 and 9322 messages is Microsoft Windows and MTA error code 5. Windows error code 5 indicates that there is a security problem between the two servers.

You upgrade Exchange Server 5.5 to Exchange 2000 or to Exchange Server 2003
Warning If you use the raw mode of the Exchange Server Administrator program (admin /r) incorrectly, serious problems may occur that may require you to reinstall Microsoft Windows NT Server, Microsoft Exchange Server, or both. Microsoft cannot guarantee that problems that result from using raw mode incorrectly can be solved. Use raw mode at your own risk.

If you upgrade an Exchange Server 5.5 server in an Exchange Server 5.5 site to Exchange 2000 Server or to Exchange Server 2003, mail flow stops between the remaining Exchange Server 5.5 servers and all Exchange 2000 and Exchange Server 2003 servers. However, mail flow does not stop between the Exchange 2000 server and the Exchange Server 2003 servers.



To resolve this issue, follow these steps:
 * 1) On the Exchange Server 5.5 server, start the Exchange Administrator program in raw mode. To do this, click Start, click Run, type   :\exchsrvr\bin\admin.exe /r, and then press ENTER. In this path,   is the drive on which Exchange is installed.
 * 2) On the View menu, click Raw Directory.
 * 3) In the left pane, double-click Schema.
 * 4) In the right pane, double-click NT-Security-Descriptor.
 * 5) Click Yes to display the raw properties of the object.
 * 6) In the List attributes of type list, click All.
 * 7) In the Object attributes list, click NT-Security-Descriptor.
 * 8) Click Editor.
 * 9) Click NT security descriptor, and then click OK.
 * 10) Click Add.
 * 11) Click the account that is being used as the Exchange service account, and then click Add.
 * 12) Click OK.
 * 13) In the Role box, click Service Account Admin, and then click Apply.
 * 14) Click OK.
 * 15) Click Set.
 * 16) Click Apply, and then click OK.
 * 17) Click OK, and then click YES in the dialog boxes that appear.
 * 18) Quit the Administrator program.
 * 19) Restart all Exchange services.

You install the Microsoft Windows 2000 Security Rollup Package on a Windows 2000Server -based server
Consider the following scenario:
 * An Exchange Server 5.5 site contains a server that is running Microsoft Windows NT 4.0 Service Pack 6 and a server that is running Windows 2000.
 * You install the Microsoft Windows 2000 Security Rollup Package on the Windows 2000-based server.

In this scenario, mail flow stops between the Windows NT-based server and the Windows 2000-based server.

This issue may occur if the following dynamic-link libraries (DLLs) in Microsoft Windows NT Server 4.0 Service Pack 6 do not match the same DLLs in Windows 2000:
 * Schannel.dll
 * Ntlmssps.dll

If these DLLs do not match, the Windows NT 4.0-based server must negotiate a 128-bit connection. However, the 56-bit Windows NT security DLLs cannot decrypt the packets. The Windows 2000 Security Rollup Package forces NTLM version 2 connections to the Windows NT 4.0-based server. In this scenario, messages are queued to be sent to the other server, but the messages are not sent.

To resolve this issue, install the hotfix that is described in the following Microsoft Knowledge Base article:

322051 Programs may not connect to the server with mismatched security DLLs in Windows NT 4.0

You connect two Exchange Server 5.5 servers by using the Dynamic RAS Connector
Consider the following scenario:
 * You connect two Exchange Server 5.5 servers by using the Dynamic RAS Connector over TCP/IP.
 * The servers are in two different untrusted domains.
 * The servers are running Microsoft Windows NT 4.0.

In this scenario, the server that is contacting the other server may log an event ID 9318 message and an event ID 289 Message transfer agent (MTA) message in the Application log. The server that is being contacted will log an event ID 9322 message.

To work around this issue, follow these steps:  Create a new Windows NT user account that is named "Rascon". Repeat this process on each untrusted domain.</li> Give the new Rascon accounts the same password.</li> Add the Rascon account to the Domain Admins group.</li> Use Windows NT User Manager to verify that the Rascon account has the permissions to log on to the Exchange Server 5.5 server.</li> In the Microsoft Exchange Administrator program, give the new Rascon account Service Account Admin permissions at the Organization, Site, and Configuration levels of the Exchange Server 5.5 server.</li> Modify the RAS Override tab of the Dynamic RAS Connector to use these new accounts on both Exchange Server 5.5 servers. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> In the Administrator window, click Connections.</li> In the right pane, double-click the Dynamic RAS Connector that you want to modify.</li> Click the RAS Override tab.</li> Type the new Windows NT account and the password for the service account in the remote site.</li> Confirm your password, and then type the Windows NT domain name of the remote site.</li></ol> </li> Retest mail flow over the Dynamic RAS Connector.</li></ol>

Review the service account
An event ID 9318 or 9322 message may be logged if any one of the following conditions is true:
 * The service account on the Exchange Server 5.5 server does not match the service account on the Exchange 2000 or Exchange Server 2003 server.
 * The service account contains extended characters.

For information about how to resolve these issues, see the following sections.

The service account on the Exchange Server 5.5 server does not match the service account on the Exchange 2000 or Exchange Server 2003 server
An event ID 9318 or 9322 message may be logged if you are working in a mixed environment in which the service account and the password on the Exchange Server 5.5 server does not match the service account and the password on the Exchange 2000 or Exchange 2003 server. This condition may occur if there is a problem with the Exchange Server 5.5 service account or the password that was specified when the Exchange 2000 or Exchange Server 2003 server was installed in the Exchange Server 5.5 site.

To resolve this issue, follow these steps:
 * 1) Start Exchange System Manager. To do this, click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
 * 2) Locate the Administrative group in which the Exchange 2000 server was installed.
 * 3) Right-click the Administrative group, and then click Properties.
 * 4) On the General tab, click Modify.
 * 5) Type the password.

If the service account name that appears on the General tab is incorrect, manually change the MSExchLegacyAccount attribute value for the affected Exchange Administrative group. To do this, follow these steps:
 * 1) Start the ADSI Edit tool.
 * 2) Expand Configuration Container, expand CN=Configuration, expand CN=Services, expand CN=MicrosoftExchange, expand CN= , expand CN=AdministrativeGroups, and then expand CN= .
 * 3) Open the CN=  properties.
 * 4) In Windows 2000, click BOTH under Select which Properties to View. In Windows Server 2003, click to select the following check boxes:
 * 5) * Show Mandatory Attribute
 * 6) * Show Optional Attribute
 * 7) In Windows 2000, double-click MSExchLegacyAccount under Select a property to view. In Windows Server 2003, double-click MSExchLegacyAccount.
 * 8) Click CLEAR
 * 9) Type the Exchange Server 5.5 service account name.
 * 10) Click Apply.
 * 11) Quit ADSIEdit.
 * 12) In Exchange System Manager, examine the Exchange Administrative group properties to make sure that the name of the new Exchange Server 5.5 service account is displayed.
 * 13) Re-enter the password for the Exchange Server 5.5 service account.

<div class="moreinformation_section">

The service account contains extended characters
An event ID 9318 or 9322 message may be logged if the service account in Exchange Server 5.5 or in Exchange 2000 contains extended characters. The extended character may be misinterpreted when the Exchange 2000 MTA binds with the Exchange Server 5.5 MTA or when one Exchange Server 5.5 MTA binds with another Exchange Server 5.5 MTA.

If the service account contains extended characters, use one of the following methods to resolve this issue.

Exchange 2000

To resolve this issue, obtain the latest service pack for Microsoft Exchange 2000 Server.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

301378 How to obtain the latest Exchange 2000 Server service pack

Exchange Server 5.5

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. <pre class="fixed_text">File name     Version

Dbserver.sch   N/A Dcprods.cat N/A Ems_rid.dll 5.5.2655.1 Emsmta.exe 5.5.2655.1 Infoplog.cfg   N/A Mtacheck.exe   5.5.2655.1 Mtamsg.dll 5.5.2655.1 Mtaperf.dll 5.5.2655.1 P2.xv2     N/A P42.tpl    N/A P772.tpl   N/A X400om.dll 5.5.2655.1

Note Because of file dependencies, this hotfix requires Microsoft Exchange Server 5.5 Service Pack 4.

To work around this issue in Exchange Server 5.5, change the Exchange Server service account that is used on the override page of the Site Connector so that the service account does not include any extended characters.

<div class="moreinformation_section">

Troubleshoot the network connection
An event ID 9318 or 9322 message may be logged if the server cannot connect to the network. Sometimes, the Windows Group Policy settings may prevent a server from connecting to the network.

To troubleshoot the network connection, follow these steps:
 * 1) Right-click the Administrative group that contains the Exchange Server 5.5 computer that cannot connect, and then click Properties. Verify that the service account name and the password are correct.
 * 2) Verify that you have NetBIOS name resolution with both servers.
 * 3) If the event ID messages are logged across trusted domains, verify that you can browse the other networks and the Exchange Server shares while you are logged on by using the service account.
 * 4) In User Manager, verify that the service account has "Access this computer from the network" user rights. By default, this user right is assigned to the Everyone group.

<div class="references_section">