Cannot open Exchange Management Console. Kerberos error. Access Denied.

This happened to me after we suffered a brute force attack on one of our two domain controllers. A number of services would not start, including the Exchange System Attendant and the Exchange Transport service. We were also seeing Event 2130 from source MSExchangeADAccess: "Exchange Active Directory Provider could not find an available domain controller in domain <domain name>."

Solution 1: Check the time on all domain controllers.

This was a common suggestion from other posts online but it was not the issue in my case since both servers were in perfect sync.

I decided to run the EMTShooter (Exchange Management Troubleshooter) script to see what it would say. Basically it gave me the same Access Denied error message. That was not very helpful, except that it did tell me everything was fine with the IIS PowerShell virtual directory. So I figured it had to be an account authentication problem of some kind.

Solution 2: Reset the secure channel

Open the command prompt on the Exchange server and type:

netdom reset <exchange_server_name> /domain:<domain_name> /server:<dc_name>

The first argument is the member computer whose secure channel is being reset, i.e. the Exchange server you are running the command on. The /server value should be one of your domain controllers; it tells netdom which DC to re-establish the channel with.

Solution 3: Reset the machine password

From the command prompt on the Exchange server, type:

netdom resetpw /s:<server_name> /ud:<user_name> /pd:*

<server_name> should again be one of your domain controllers, and <user_name> should be a domain user with administrative privileges, in the format DOMAIN\username. The /pd:* switch prompts for the password instead of putting it on the command line.

At this point I was able to start all the Exchange services, but the Exchange Management Console was still giving me Kerberos errors. I thought about rebooting the server, but I remembered reading somewhere about deleting cached Kerberos tickets. The command to do that is:

klist purge

The klist command is built into Server 2008 R2. After purging the cached Kerberos tickets I was finally able to open the Exchange Management Console and everything was good.
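The whole procedure as one elevated PowerShell session on the Exchange server, added here as an example; it is not part of the original post. It uses only cmdlets and tools present on Server 2008 R2 (PowerShell 2.0). The domain controller names are placeholders to replace with your own. It also covers two points the post does not spell out: the Exchange server's own clock is compared against the DCs (Kerberos rejects tickets beyond 5 minutes of skew by default, so the DCs agreeing with each other is not enough), and the LocalSystem ticket cache that the Exchange services use is purged as well, since a plain klist purge only clears the tickets of the logon session it runs in.

```powershell
# Added example, not from the original post: the post's checks and fixes as
# one elevated PowerShell session on the Exchange server, using only tools
# that ship with Server 2008 R2 / PowerShell 2.0.
# Assumption: the DC names below are placeholders; replace them with yours.
$DomainControllers = @('DC1.example.local', 'DC2.example.local')   # assumed names

# 0. Confirm the symptom: recent Event 2130 entries from MSExchangeADAccess.
Get-EventLog -LogName Application -Source MSExchangeADAccess -Newest 50 |
    Where-Object { $_.EventID -eq 2130 } |
    Select-Object TimeGenerated, Message | Format-List

# 1. Time. Kerberos tolerates 5 minutes of clock skew by default, so compare
#    this host (not only the DCs against each other) with every DC.
foreach ($dc in $DomainControllers) {
    Write-Host "Clock offset of this host relative to $dc"
    w32tm /stripchart "/computer:$dc" /samples:3 /dataonly
}

# 2. Secure channel. $false here matches the symptoms the post fixed with
#    'netdom reset' and 'netdom resetpw'.
foreach ($dc in $DomainControllers) {
    $ok = Test-ComputerSecureChannel -Server $dc
    Write-Host "Secure channel to $dc is healthy: $ok"
}

# 3. Repair the channel against a known-good DC ('netdom reset' equivalent).
#    Run the prompt as a domain account that may reset the computer object.
if (-not (Test-ComputerSecureChannel -Server $DomainControllers[0])) {
    Test-ComputerSecureChannel -Repair -Server $DomainControllers[0]
}

# 4. New machine-account password ('netdom resetpw' equivalent). After a
#    compromise do this even if the channel tests fine: the old password
#    may be known to the attacker.
Reset-ComputerMachinePassword -Server $DomainControllers[0]

# 5. Purge cached tickets. 'klist purge' only touches the logon session it
#    runs in; most Exchange services run as LocalSystem, whose logon session
#    is always 0x3e7, so purge that cache too (requires elevation).
klist purge
klist -li 0x3e7 purge

# 6. Start the services that refused to start, then re-test the channel.
Start-Service MSExchangeSA, MSExchangeTransport
Test-ComputerSecureChannel -Server $DomainControllers[0]
```

If step 1 shows an offset of several minutes on the Exchange server, fix the time source before touching the secure channel; the netdom and klist steps cannot help while every ticket is being rejected as stale.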
