Exchange Certificate operation has failed....
We are putting in a new 2010 Exchange environment, coming from 2003. We have two CAS servers (load balanced) and two DB servers running in a DAG. When I go into the EMC on CAS01, drill down to Server Configuration, and click on the CAS01 server, I see the info I should see. When I click on cas02, it gives me this:

The Exchange Certificate operation has failed with an exception. The error message is: A security package specific error occurred. It was running the command 'Get-ExchangeCertificate' -Server 'cas02'

On cas01 I bring up EMS and type: Get-ExchangeCertificate -server cas01 and the results look good. I type: Get-ExchangeCertificate -server cas02, and I get:

The Exchange Certificate operation has failed with an exception. The error message is: A security package specific error occurred
+ CategoryInfo : InvalidOperation: (:) [Get-ExchangeCertificate], LocalizedException
+ FullyQualifiedErrorId : 5FAB0AB5,Microsoft.Exchange.Management.SystemConfigurationTasks.GetExchangeCertificate

I do this same process on cas02, and the results are good. So, when cas01 wants to look at the ExchangeCertificate info on cas02, it can't. Has anyone run into this before? Thanks
July 12th, 2012 1:26pm

Addition: Actually, when I go to the EMC on cas02 -> Server Configuration, I click on cas02 and everything looks good. Click on cas01, and I get: The Exchange Certificate operation has failed with an exception. The error message is: A security package specific error occurred. It was running the command 'Get-ExchangeCertificate' -Server 'cas01'. However, when I go to the EMS and run Get-ExchangeCertificate for both servers, the results are good for both!
July 12th, 2012 1:45pm

Hi, Which mode did you use to create the Windows network load balance? I recommend you to use multicast. Similar thread to share with you: Exchange Management Shell discrepancy http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/d9e13faa-de43-4864-8612-353164eb387d/

If it is not the case, then please try the following steps:
1. Please use ping to test the communication between CAS1 and CAS2. Note: Please test to ping the server name and IP address.
2. Please run net view \\CAS1 from CAS2 and run net view \\CAS2 from CAS1. Note: If any error occurs, then please check the event log and then post the detailed error event information here.
3. Please use Nltest from both CAS servers.
C:\>nltest /sc_query:DC
C:\>nltest /sc_verify:DC

Xiu Zhang TechNet Community Support
July 13th, 2012 4:14am

Basically, what I got out of the above is this: On cas01 when I do a net view \\cas02, I get:

C:\Users\adminUser>net view \\cas02
System error 5 has occurred.
Access is denied.

When I use the IP address of cas02, I get successful results. Also, a System event gets logged, not as a result of the Net View command, but it's in there.

Log Name: Security, Source: Security-Kerberos, Level: Error, Event ID: 4
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cas01$. The target name used was cifs/cas02.ofcwic.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
July 13th, 2012 8:35am

Hi, Please verify if you have enabled the 6to4 adapter. You can run netsh with show state to check the 6to4 state. If it has been enabled, then I recommend you to run the command below to disable it:

netsh int 6to4 set status disable

Netsh commands for Interface 6to4 http://technet.microsoft.com/en-us/library/cc730854(WS.10).aspx

Besides, please check the NIC settings to see if DNS can correctly resolve CAS02 to an IP address.

Xiu Zhang TechNet Community Support
July 16th, 2012 1:20am

I forgot to reply to the load balance mode. We are currently using Unicast. Due to network compatibility, we changed from Multicast.
July 16th, 2012 10:10am

I disabled 6to4 on both CAS01 & 02. I rebooted the servers. Now, when I go into EMC->Server Configuration, and click on the cas servers, I can't see any certificates on the other cas server. So each server doesn't see the other, in that context.
July 16th, 2012 12:32pm

Hi, Please check if you have public IP addresses for the internal Exchange Servers. Please check if every IPv4 and IPv6 address has been registered in DNS. If yes, please try to remove the IPv6 addresses from DNS for the CAS servers.

Please delete the below mentioned registry key and restart the Exchange Server, which resolved the issue:
Path: HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
Value Name: DefaultEncryptionType
Value Type: Reg_DWORD
Value Data: 0x17 (23)

Besides, I recommend you to change the IP of the Exchange servers to use a private address range.

Xiu Zhang TechNet Community Support
July 18th, 2012 2:11am
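An added PowerShell diagnostic (not posted in the thread) that checks the two things raised above: the KRB_AP_ERR_MODIFIED / duplicate-SPN condition described in the Event ID 4 text, and the DefaultEncryptionType registry override mentioned in the last reply. It assumes it is run elevated on a domain-joined CAS with setspn.exe available (Windows Server 2008 or later); the server names cas01/cas02 are taken from the thread and are placeholders.

```powershell
# Added diagnostic, not from the thread. Assumptions: run elevated on a domain
# member, setspn.exe present, PowerShell 2.0+. Server names are constructed.
$Servers = @('cas01', 'cas02')
$KerbKey = 'HKLM:\System\CurrentControlSet\Control\LSA\Kerberos\Parameters'

# 1. Recent Kerberos Event ID 4 entries: which server and SPN did the failing
#    ticket target? (Security-Kerberos Event ID 4 is written to the System log.)
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match '(?s)error from the server (\S+)\..*target name used was (\S+)\.') {
            "{0}  server={1}  spn={2}" -f $_.TimeCreated, $Matches[1], $Matches[2]
        }
    }

# 2. An SPN may be held by exactly one account. setspn -X lists every duplicate
#    in the forest; a CAS name in that output matches the symptom in the event.
$inDupeBlock = $false
foreach ($line in (& setspn.exe -X 2>&1)) {
    if ($line -match 'is registered on these accounts') {
        $inDupeBlock = [bool]($Servers | Where-Object { $line -match $_ })
    }
    if ($inDupeBlock) { Write-Warning $line.Trim() }    # header plus the holding DNs
    if ($line -notmatch '\S') { $inDupeBlock = $false } # blank line ends the group
}

# 3. Each computer account should carry HOST/<name> and HOST/<fqdn>; cifs/ is
#    served through HOST/, so a missing or moved HOST/ SPN breaks net view too.
foreach ($s in $Servers) {
    $spns = @(& setspn.exe -L $s 2>&1 | Where-Object { $_ -match '^\s+\S+/' } |
              ForEach-Object { $_.Trim() })
    $hostSpns = @($spns | Where-Object { $_ -like "HOST/$s*" })
    if ($hostSpns.Count -lt 2) {
        Write-Warning "$s : expected HOST/$s and HOST/$s.<fqdn>, found: $($hostSpns -join ', ')"
    }
}

# 4. The registry override from the thread: when present it pins Kerberos to one
#    encryption type, which can make otherwise-healthy peers reject tickets.
$val = (Get-ItemProperty -Path $KerbKey -ErrorAction SilentlyContinue).DefaultEncryptionType
if ($null -ne $val) {
    Write-Warning ("DefaultEncryptionType is set to 0x{0:X} ({0}) on this host" -f $val)
}
```

Run it on each CAS in turn; a warning from step 2 or 3 points at the account that must lose or regain the SPN, and step 4 confirms whether the registry value is still present after the suggested deletion.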
