Monday, July 15, 2013

Exchange 2013 Corrupted Health Mailboxes

While in the process of removing a database from an Exchange 2013 server, I got the following error:
Failed to remove monitoring mailbox object of database "DBname". Exception: Active directory operation failed on Servername. This error is not retriable. Additional information: Access is denied. Active directory response: 000000005: SecErr: DSID-031520B2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0.
The database was removed, but there seemed to be some sort of Active Directory error when deleting the monitoring mailboxes associated with the database.

Next I tried to view the monitoring mailboxes by using:
Get-Mailbox -Monitoring
This showed me mailboxes with the following error:
WARNING: The object domainname/Microsoft Exchange System Objects/Monitoring Mailboxes/HealthMailboxbiglongGUID has been corrupted, and it's in an inconsistent state. The following validation errors happened: WARNING: Database is mandatory or UserMailbox.
After doing some searching, I found that this problem is a result of Exchange 2013 not having sufficient permissions to the domainname/Microsoft Exchange System Objects/Monitoring Mailboxes OU. The database attribute is blank because the database it referenced no longer exists.

The simple fix is to manually delete the objects referenced by the errors from that OU by using Active Directory Users and Computers. After removing the object, the error is gone. You cannot use the Remove-Mailbox cmdlet to remove the accounts because Exchange does not have the necessary permissions.

It may be possible to resolve this error by giving Exchange Trusted Subsystem additional permissions to this OU, but I'll leave that for the Exchange team in the next cumulative update.

Note: Exchange 2013 RTM created the user accounts for these mailboxes in the Users folder. Exchange 2013 CU1 creates them in this new location. This may account for the changed behaviour causing the errors.

Deleting the health mailboxes is low risk because they should be recreated by the Microsoft Exchange Health Manager service on the Exchange 2013 server when that service is restarted.

Update: If the health monitoring mailboxes are not being recreated after you delete them, verify that the domainname/Microsoft Exchange System Objects/Monitoring Mailboxes OU exists. One commenter below was having issues, and running ADPrep again created the container, which allowed the health mailboxes to be recreated.
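The cleanup described above can be scripted. The following is an added example, not part of the original post and not Microsoft's own tooling. It assumes the ActiveDirectory module (RSAT), an account with delete rights on the container, that the blank database reference is the AD attribute homeMDB, and that the Health Manager service name is MSExchangeHM.

```powershell
# Added example (assumptions are noted inline). Run as an AD account that can
# delete objects in the container; Exchange itself lacks that right here.
Import-Module ActiveDirectory

$Apply = $false   # leave $false for a dry run; set $true only after reviewing the list

# Assumption: the container sits directly under the domain root,
# matching the path shown in the Get-Mailbox warning.
$domainDN  = (Get-ADDomain).DistinguishedName
$container = "CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,$domainDN"

# 1. Without this container the health mailboxes cannot be recreated.
try {
    Get-ADObject -Identity $container -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Container not found: $container. Re-run setup /preparead, then retry."
    return
}

# 2. Health mailbox accounts whose database reference (homeMDB) is blank,
#    i.e. the database they belonged to has been removed.
$orphans = Get-ADUser -SearchBase $container -SearchScope OneLevel `
    -Filter 'Name -like "HealthMailbox*"' -Properties homeMDB, whenCreated |
    Where-Object { -not $_.homeMDB }

if (-not $orphans) {
    Write-Output "No health mailbox accounts with a blank database reference."
    return
}
$orphans | Select-Object Name, whenCreated, DistinguishedName | Format-Table -AutoSize

# 3. Delete only the orphaned accounts, then let Health Manager rebuild
#    the mailboxes for the databases that still exist.
if ($Apply) {
    $orphans | Remove-ADUser            # prompts for confirmation per object
    Restart-Service -Name MSExchangeHM
} else {
    $orphans | Remove-ADUser -WhatIf    # shows what would be deleted, changes nothing
}
```

Afterwards, Get-Mailbox -Monitoring should list health mailboxes without the corruption warning.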

9 comments:

  1. What to check if Health mailboxes are not re-created after deletion from AD? Service is running, but nothing in AD and Get-Mailbox -Monitoring does not show anything...

  2. Hello,

    I have the same problem! After deleting the Healthmailbox and restarting the Exchange Health Service, the mailbox was not recreated. :(

  3. I'm not sure what issues you folks are running into. On a test system, I just removed the two user accounts associated with a health mailbox and confirmed that the monitoring mailboxes were gone. I then restarted the Microsoft Exchange Health Manager service and both Health Mailboxes were recreated.

    In general, you should only be deleting health mailboxes for databases that have already been deleted.

    I suppose worst case, if you deleted the wrong health mailbox and they are not being recreated, then you could create a new DB and move mailboxes to the new DB, but that should not be necessary.

  4. I am having the same issue: corrupted health mailboxes on a DB, removed the mailboxes, restarted the service, and nothing is being recreated.

    Any suggestions?

  5. After some further research and problem solving, I discovered the proper container for the health mailboxes was not in AD. To resolve the issue I re-ran setup /preparead from the PDC and the container was created.

    Once the AD container exists just restart the Health monitoring service and it will recreate all the mailboxes in each database.

    Problem solved for now. I still have no idea why the container wasn't in AD.

  6. I think that missing AD container may be due to an upgrade from Exchange 2013 RTM to Exchange 2013 CU1 or CU2. Exchange 2013 RTM created those accounts in the Users container and ADprep for RTM probably didn't create that container. However, I'm surprised it was not created during an upgrade.

    100% guessing here as I don't know your exact scenario.

  7. That was my exact scenario, upgrading to CU2. I looked through all the logs and still have no idea why that folder was not created. But after re-running preparead it was created and everything is fixed now.

    Thanks.

  8. I too had a corrupted Health Monitor Mailbox. Per the instructions above, deleted them out of AD and restarted the services. The service only recreated one (of the four) accounts and when I re-run Get-Mailbox -Monitoring, it's still showing my old corrupted account and also the old accounts I've already deleted.

    Anyone have a clue what to do here to flush these all out?

    Replies
    1. If Get-Mailbox -Monitoring is still showing the corrupted accounts, are you sure you deleted the correct user accounts? In my experience, when you delete the user accounts, the corrupted mailboxes no longer show up.

      Please also note that you may need to run /preparead from CU1 or CU2 if your original installation was from RTM media.
