Event ID: 9297 Source: MSExchangeMTA

Source: MSExchangeMTA

Description:
The user /o=ORGanization /ou=SITE1 /cn=Configuration /cn=Servers /cn=SERVER1 /cn=Microsoft Private MDB has caused a security violation. Locality table (LTAB) index: 5. Windows NT error code: <error code>. [BASE IL MAIN BASE 1 237] (14)

Comments
 
Setting up Routing Group Connectors to an Exchange 5.5 site requires the use of override credentials. If using other than the E5.5 site's Exchange service account and password, this event will show up on the E2k3 server. To correct this, either use the remote site's Exchange service account or grant "send as" and "receive as" permissions at the server level for the account used.

See the link to "www.larkware.com - TheDailyGrind125" for information on this event.

As per Microsoft: "The operating system indicates that the user caused a security violation. The user may not have the appropriate permissions to perform this operation". See MSEX2K3DB for more information.

From a newsgroup post: "I had the same error Event ID 9297 after I did a rebuild on my E2K bridgehead server. I was able to fix the problem by following the instructions found in KB article ME325674. Even though my issue was with MTA, the error code was "error code: 0X80070005". The permissions are granted through ADSI as per that article".

See ME824054 and ME842097 for additional information on this event.

This event occurred, and incoming mail queued at the hub-site when a remote Exchange site was using a different Exchange service account than the hub-site Exchange servers. The hub-site server's service account must have "Service Account Admin" permissions at the "Configuration" level of the remote site. Once permissions were set properly, mail flowed and the 9297 errors stopped. See ME152624 for more details.

As per Microsoft: "To resolve this issue, make sure that the Permissions pages for the organization, site, and configuration objects list the service account with the Service Account Admin role." See the links below for more details.


There seems to be a problem when a recipient policy contains the Fully Qualified Domain Name (FQDN) of an Exchange Server. ME288175 suggests either to rename the reference to the FQDN inside the policy or to rename the server (which obviously is not too preferable).

We discovered that Exchange - at least sometimes - tries to deliver the concerned mail via X.400 instead of SMTP, causing the mail to stay in the X.400 queue and producing this error every 10 minutes. Deleting the mail from the queue should stop the error messages.