Hello !
I have SCOM 2012, Exchange 2010 Sp3+ latest CU. After importing latest exchange MP, SCOM continuously alerts about some monitors. I followed the MP documentation and created test-mailbox account extest_ by running script.
Alert context example:
The test step GetProfileDetails running over protocol 'ncacn_ip_tcp' issued from test user '/o=CORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=extest_93854882952b4d20' failed with error: '5(Access is denied)'. The detailed information
of the running instance context: 'User = 'extest_93854882952b4', Server = 'cas1.corp.int', UseHttp = 'False''. The exception: 'Microsoft.Exchange.Monitoring.NSPIOperationException: The NSPI operation failed. Operation = '<Bind>b__4', ReturnValue = '5',
Server = 'cas1.corp.int', User = '/o=CORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=extest_93854882952b4d20', .
at Microsoft.Exchange.Monitoring.NspiClientWrapper.NspiCall(Func`1 nspiCall)
at Microsoft.Exchange.Monitoring.AddressbookTask.GetProfile()'
Verbose: Target Site = 'corp.int/Configuration/Sites/MSK'
Verbose: Target Domain = 'corp.int'
Verbose: Target User = 'extest_93854882952b4@corp.int'
Verbose: Based on RpcTestType, the cmdlet needs to dynamically look up the endpoint that uses this server as reference point.
Verbose: Target Client Access server = 'cas1.corp.int'
Verbose: RPC Endpoint = 'cas1.corp.int'
Verbose: RPC Endpoint = 'cas1.corp.int'
Verbose: RPC Endpoint = 'cas1.corp.int'
Verbose: Using connection parameters : 'corp.int\extest_93854882952b4: Rfri/TCP-IP, [cas1.corp.int/Negotiate]'
Verbose: Mailbox = 'corp.int\extest_93854882952b4', Owner = '/o=CORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=extest_93854882952b4d20'
Verbose: Address Book Operation = 'GetNewDSA', Input = 'userLegacyDN', Input Value = '/o=CORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=extest_93854882952b4d20'
Verbose: Microsoft.Exchange.Rpc.RpcException: Error 0x5 (Access is denied) from cli_RfrGetNewDSA
EEInfo: ComputerName: n/a
EEInfo: ProcessID: 15328
EEInfo: Generation Time: 2014-01-14 13:11:12.843
EEInfo: Generating component: 2
EEInfo: Status: 0x00000005
EEInfo: Detection location: 1710
EEInfo: Flags: 0
EEInfo: NumberOfParameters: 1
EEInfo: prm[0]: Long val: 0 (0x00000000)
EEInfo: ComputerName: n/a
EEInfo: ProcessID: 15328
EEInfo: Generation Time: 2014-01-14 13:11:12.843
EEInfo: Generating component: 2
EEInfo: Status: 0x00000005
EEInfo: Detection location: 1461
EEInfo: Flags: 0
EEInfo: NumberOfParameters: 0
EEInfo: ComputerName: n/a
EEInfo: ProcessID: 15328
EEInfo: Generation Time: 2014-01-14 13:11:12.843
EEInfo: Generating component: 2
EEInfo: Status: 0x00000005
EEInfo: Detection location: 141
EEInfo: Flags: 0
EEInfo: NumberOfParameters: 1
EEInfo: prm[0]: Long val: -2146893044 (0x8009030C)
EEInfo: ComputerName: n/a
EEInfo: ProcessID: 15328
EEInfo: Generation Time: 2014-01-14 13:11:12.843
EEInfo: Generating component: 3
EEInfo: Status: 0x8009030C
EEInfo: Detection location: 140
EEInfo: Flags: 0
EEInfo: NumberOfParameters: 4
EEInfo: prm[0]: Long val: 9 (0x00000009)
EEInfo: prm[1]: Long val: 6 (0x00000006)
EEInfo: prm[2]: Unicode string: exchangeRFR/cas1.corp.int
EEInfo: prm[3]: Long val: 68126 (0x00010A1E)
at ThrowRpcException(Int32 rpcStatus, String message)
at Microsoft.Exchange.Rpc.RpcClientBase.ThrowRpcExceptionWithEEInfo(Int32 rpcStatus, String routineName)
at Microsoft.Exchange.Rpc.Rfri.RfriRpcClient.GetNewDSA(String userDN, String& server)
at Microsoft.Exchange.Monitoring.RfriClientWrapper.<>c__DisplayClass7.<GetNewDSA>b__6()
at Microsoft.Exchange.Monitoring.OutlookConnectivityContext.RpcExceptionWrapper(Func`1 protectedCall)
Verbose: AddressBook operation failed. Operation = 'GetReferral', Error = 'The Address Book Referral operation failed. Operation = '<GetNewDSA>b__6', returnValue = '5', server = 'cas1.corp.int', user = '/o=CORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=extest_93854882952b4d20',
.'
Verbose: RPC Endpoint = 'cas1.corp.int'
Verbose: Using connection parameters : 'corp.int\extest_93854882952b4: Nspi/TCP-IP, [cas1.corp.int/Negotiate]'
Verbose: Address Book Operation = 'Bind'
Verbose: Microsoft.Exchange.Rpc.RpcException: Error 0x5 (Access is denied) from cli_NspiBind
EEInfo: ComputerName: n/a
EEInfo: ProcessID: 15328
EEInfo: Generation Time: 2014-01-14 13:11:13.359
EEInfo: Generating component: 2
EEInfo: Status: 0x00000005
EEInfo: Detection location: 1710
EEInfo: Flags: 0
EEInfo: NumberOfParameters: 1
EEInfo: prm[0]: Long val: 0 (0x00000000)
EEInfo: ComputerName: n/a
EEInfo: ProcessID: 15328
EEInfo: Generation Time: 2014-01-14 13:11:13.359
EEInfo: Generating component: 2
EEInfo: Status: 0x00000005
EEInfo: Detection location: 1461
EEInfo: Flags: 0
EEInfo: NumberOfParameters: 0
EEInfo: ComputerName: n/a
EEInfo: ProcessID: 15328
EEInfo: Generation Time: 2014-01-14 13:11:13.359
EEInfo: Generating component: 2
EEInfo: Status: 0x00000005
EEInfo: Detection location: 141
EEInfo: Flags: 0
EEInfo: NumberOfParameters: 1
EEInfo: prm[0]: Long val: -2146893044 (0x8009030C)
EEInfo: ComputerName: n/a
EEInfo: ProcessID: 15328
EEInfo: Generation Time: 2014-01-14 13:11:13.359
EEInfo: Generating component: 3
EEInfo: Status: 0x8009030C
EEInfo: Detection location: 140
EEInfo: Flags: 0
EEInfo: NumberOfParameters: 4
EEInfo: prm[0]: Long val: 9 (0x00000009)
EEInfo: prm[1]: Long val: 6 (0x00000006)
EEInfo: prm[2]: Unicode string: exchangeAB/cas1.corp.int
EEInfo: prm[3]: Long val: 68126 (0x00010A1E)
at ThrowRpcException(Int32 rpcStatus, String message)
at Microsoft.Exchange.Rpc.RpcClientBase.ThrowRpcExceptionWithEEInfo(Int32 rpcStatus, String routineName)
at Microsoft.Exchange.Rpc.Nspi.NspiRpcClient.Bind(UInt32 flags, IntPtr stat, IntPtr guid)
at Microsoft.Exchange.Monitoring.NspiClientWrapper.<Bind>b__4()
at Microsoft.Exchange.Monitoring.OutlookConnectivityContext.RpcExceptionWrapper(Func`1 protectedCall)
Verbose: Address Book operation failed. Details: The NSPI operation failed. Operation = '<Bind>b__4', ReturnValue = '5', Server = 'cas1.corp.int', User = '/o=CORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=extest_93854882952b4d20',
..
Diagnostic command: "Test-OutlookConnectivity -RpcTestType:Server -TrustAnySSLCert:$true -MonitoringContext:$true"
TimeWindowStart: 2014-01-14T17:06:04.8354467+04:00
TimeWindowEnd: 2014-01-14T17:19:24.8354466+04:00
TimeFirst: 2014-01-14T17:06:04.8354467+04:00
TimeLast: 2014-01-14T17:11:13.8901877+04:00
Count: 2
EventSourceName: MSExchange Monitoring OutlookConnectivity Enterprise Internal
I think something wrong with credentials. On CAS server i see Failure Audit log:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: CAS1$
Account Domain: corp.int
Logon ID: 0x3e7
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: extest_93854882952b4
Account Domain: corp.int
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x2bac
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
Workstation Name: CAS1
Source Network Address: 10.72.10.121
Source Port: 34239
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
On Domain controller the same audit failure:
Pre-authentication failed:
User Name: extest_93854882952b4
User ID: MSK\extest_93854882952b4
Service Name: krbtgt/corp.int
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 10.72.10.121
I tried recreating test mailbox, reseting password by running Test-WebServicesConnectivity -ResetTestAccountCredentials - it helps for a short period (about for 5 minutes SCOM Alerts automatically closed).
Running manually from EMS Test-OutlookConnectivity -RpcTestType:Server -TrustAnySSLCert:$true gives me Success.BUT Running manually from EMS Test-OutlookConnectivity -RpcTestType:Server -TrustAnySSLCert:$true-MonitoringContext:$true gives me Failure !Please help !