Two Interesting Exchange 2013 Errors

I ran into two issues today with an Exchange 2013 CU3 machine that was migrating mailboxes over from an Exchange 2007 box. The webmail application would work just fine, but the ActiveSync interface bombed out with an HTTP 500 error. I used Microsoft’s Remote Connectivity Analyzer and saw no additional error information – how unusual.

Initially, I removed and re-added the virtual directory without success – this usually fixes it. So I did what I should have done in the first place: I checked the error logs. Knowing there were a number of phones trying to connect through the new server’s ActiveSync interface, I saw dozens of these errors a minute:


(MSExchange RBAC Event #17: Process w3wp.exe, PID 8044) “RBAC authorization returns Access Denied for user local.<domainname>.com/BB Member Servers/<SERVER NAME>. Reason: No role assignments associated with the specified user were found on Domain Controller DC08.local.<domainname>.com”)

It was clear that some important permission had not been assigned when Exchange was installed – my customer had had problems from the start and, unfortunately, had not simply reinstalled from scratch. After searching a number of forums and checking a number of log files, I stare-and-compared against another Exchange 2013 installation and found that the machine account needed to be a member of the Organization Management group in the Microsoft Exchange Security Groups OU. A quick Google search turned up a few other forums where members had the same issue.

However, no dice! The Remote Connectivity Analyzer was only one step closer to working – I was still getting HTTP 500 Errors, this time thankfully with error messages. The ActiveSync interface worked, up to the FolderSync step, where it failed. Reading through the encoded error message, I saw “Domain Controller dc08.local.domain.com returned Access Denied”. On that DC, I checked the Security log and found the following audit failure:

An operation was performed on an object.

Subject :
 Security ID: <DOMAIN>\EXCHANGE01$
 Account Name: EXCHANGE01$
 Account Domain: <DOMAIN>
 Logon ID: 0x904510a

Object:
 Object Server: DS
 Object Type: user
 Object Name: CN=<Vendor Acct>,OU=IT Staff,OU=BB Users and Computers,DC=local,DC=<DOMAINNAME>,DC=com
 Handle ID: 0x0

Operation:
 Operation Type: Object Access
 Accesses: Create Child

Additional Information:
 Parameter 1: CN=ExchangeActiveSyncDevices,CN=<Vendor Acct>,OU=IT Staff,OU=BB Users and Computers,DC=local,DC=<DOMAINNAME>,DC=com
 Parameter 2: {6dd8476f-656d-42bf-a758-ff648512deed}

Well, it seems we’re still dealing with permissions issues. I checked the EXCHANGE01 account’s permissions on my vendor account and saw that it clearly did not have the Create/Delete msExchActiveSyncDevices Objects permissions it needed. Then I checked the first thing you should always check in Active Directory: was the Include inheritable permissions from this object’s parent checkbox checked? Indeed, it was not. Checking it immediately restored the necessary permissions, and my ActiveSync interface began working right away.
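The two checks described above (the machine account’s membership in the Exchange security groups, and inheritance on the affected user object) can be scripted so the next server is compared in seconds rather than stared at. The following is an added example and not part of the original post or any Microsoft tooling. It assumes an elevated PowerShell session on a domain-joined machine with the ActiveDirectory RSAT module; EXCHANGE01 and the vendoracct sAMAccountName are placeholders. It goes one step further than the post by looking up the msExchActiveSyncDevices schema GUID from the schema partition instead of copying it from the audit event, and it only changes anything when $Fix is set to $true.

```powershell
# Added example (not from the original post): audit the two permission problems
# that produced RBAC event 17 and the "Create Child" audit failure above.
# Placeholders: EXCHANGE01 (Exchange 2013 computer account), vendoracct (mailbox user).
Import-Module ActiveDirectory

$ExchangeServer = 'EXCHANGE01'    # placeholder server name
$UserSam        = 'vendoracct'    # placeholder user whose FolderSync fails
$Fix            = $false          # $true = re-enable inheritance on the user object

# --- Check 1: which Microsoft Exchange Security Groups contain the machine account? ---
# Compare this list against a known-good Exchange 2013 server.
$computer = Get-ADComputer -Identity $ExchangeServer
$groups   = Get-ADPrincipalGroupMembership -Identity $computer.DistinguishedName |
            Where-Object DistinguishedName -like '*OU=Microsoft Exchange Security Groups,*'
Write-Host "Exchange security groups containing $ExchangeServer`$:"
$groups | Select-Object -ExpandProperty Name | Sort-Object | ForEach-Object { "  $_" }

# --- Check 2: is inheritance blocked on the user object? ---
$user    = Get-ADUser -Identity $UserSam
$userAcl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
if ($userAcl.AreAccessRulesProtected) {
    Write-Warning "Inheritance is DISABLED on $($user.DistinguishedName)"
    if ($Fix) {
        # Equivalent of ticking "Include inheritable permissions from this object's parent".
        # First arg $false = stop blocking inheritance; second arg $true = keep existing explicit ACEs.
        $userAcl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$($user.DistinguishedName)" -AclObject $userAcl
        Write-Host 'Inheritance re-enabled; allow AD replication before retesting ActiveSync.'
    }
} else {
    Write-Host "Inheritance is enabled on $($user.DistinguishedName)"
}

# --- Check 3: does any ACE grant Create Child for msExchActiveSyncDevices? ---
# Resolve the class GUID from the schema; in a DS audit event this is the value in Parameter 2.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$classObj  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)' -Properties schemaIDGUID
$classGuid = [guid]$classObj.schemaIDGUID

$userAcl    = Get-Acl -Path "AD:\$($user.DistinguishedName)"   # re-read in case it was just fixed
$createAces = $userAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ObjectType -eq $classGuid -or $_.ObjectType -eq [guid]::Empty) -and   # class-specific or "all child objects"
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild)
}
if ($createAces) {
    Write-Host 'Create Child for msExchActiveSyncDevices is granted to:'
    $createAces | ForEach-Object { "  $($_.IdentityReference) (inherited: $($_.IsInherited))" }
} else {
    Write-Warning 'No ACE grants Create Child for msExchActiveSyncDevices on this user object.'
}
```

Run it read-only first: if Check 2 reports inheritance disabled and Check 3 finds no matching ACE, that is exactly the state the audit failure above describes, and the inherited ACE should reappear in Check 3 once inheritance is restored and replication has caught up.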

Because I like to check my work, I found this MS Technet article that explains how this issue affects Exchange 2010 – and obviously, Exchange 2013.

(Don’t forget that you might have to wait for, or force, DC replication before the above changes reach the DC used by Exchange.)