Lots of error messages in Security Log

We have installed a fresh install of Exchange 2013 on Server 2012.

We see Event ID: 4625 in the Security Logs and see thousands a day.

I have read a few articles on this but I cannot put my finger on the cause, so would welcome comment or solution.


A typical error reads as follows:

 
An account failed to log on.
 
Subject:
                Security ID:                         SYSTEM
                Account Name:                 SERVER$
                Account Domain:                             SERVER0
                Logon ID:                             0x3E7
 
Logon Type:                                       3
 
Account For Which Logon Failed:
                Security ID:                         NULL SID
                Account Name:                 
                Account Domain:                             
 
Failure Information:
                Failure Reason:                 Unknown user name or bad password.
                Status:                                  0xC000006D
                Sub Status:                         0xC0000064
 
Process Information:
                Caller Process ID:             0xfc8
                Caller Process Name:     C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe
 
Network Information:
                Workstation Name:        SERVER
                Source Network Address:            -
                Source Port:                       -
 
Detailed Authentication Information:
                Logon Process:                  C
                Authentication Package:               Kerberos
                Transited Services:          -
                Package Name (NTLM only):       -
                Key Length:                        0
 
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
 
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
 
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
 
The Process Information fields indicate which account and process on the system requested the logon.
 
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
 
The authentication information fields provide detailed information about this specific logon request.
                - Transited services indicate which intermediate services have participated in this logon request.
                - Package name indicates which sub-protocol was used among the NTLM protocols.
                - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


  • Edited by MrNewbie Tuesday, August 06, 2013 3:55 PM
August 6th, 2013 3:55pm

Hi,
Your problem might be caused by an orphaned monitoring mailbox.
I suggest that you recreate them all and see if that helps.

1. Stop-Service MSExchangeHM
2. Get-Mailbox -Monitoring | Remove-Mailbox
3. Start-Service MSExchangeHM

August 6th, 2013 4:01pm

Hi Martina,

Ok, I get the start and stop the services.

How does one go about Get-Mailbox -Monitoring | Remove-Mailbox?

August 6th, 2013 4:03pm

Hi Martina,

Ok, I get the start and stop the services.

How does one go about Get-Mailbox -Monitoring | Remove-Mailbox?


Run the three commands I posted above in Exchange Management Shell (EMS).
August 6th, 2013 4:04pm

OK so when I attempt this I get a rather scary:

Confirm
Are you sure you want to perform this action?
Removing mailbox "Servername.local/Users/HealthMailbox3ea1232423424" will remove the active directory user object and mark the mailbox and the archive <if present> in the database for removal.

YES or No?

What is this actually going to do?

August 6th, 2013 4:29pm

OK so I just ran:

Get-MailboxStatistics -Server MailboxServer01

This lists all the mailboxes and I can see a number of users with no time or dates next to them for last login.  I therefore assume these are the problem mailboxes.

User A = Has left and their mailbox address has been assigned to another user.
MS Exchange Migra... = Not sure what this is
User B = Has never logged onto their mailbox
Administrator =
Discover Search Mailbox =

Are these the problem mailboxes and what should I now do?

  • Edited by MrNewbie Tuesday, August 06, 2013 4:47 PM
August 6th, 2013 4:33pm

OK so when I attempt this I get a rather scary:

Confirm
Are you sure you want to perform this action?
Removing mailbox "Servername.local/Users/HealthMailbox3ea1232423424" will remove the active directory user object and mark the mailbox and the archive <if present> in the database for removal.

YES or No?

What is this actually going to do?


The above will delete the monitoring mailbox. These mailboxes can at any given time be recreated so you don't need to worry about running the above. When you have deleted the monitoring mailboxes, they will automatically be recreated when you start the service MSExchangeHM again.

August 6th, 2013 8:20pm

Hello,

Is there any update?

August 9th, 2013 8:36am

OK, I have run all these commands successfully.

I will check the logs and feedback when I know the result.  Fingers crossed!

Thanks for your help so far!

August 9th, 2013 3:46pm

I think we may have cracked the problem.

Nearly an hour later and nothing appearing in the security log.

I will feedback again in a few days.

Thanks again.

August 9th, 2013 4:34pm

Yes, this definitely was the problem!

Thanks Martina Miskovic, I really appreciate your help.

No doubt you will see me again on here :)

August 10th, 2013 7:14am
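
Added example, not part of the original thread: a PowerShell helper that groups Event ID 4625 failures by calling process, target account, logon type and sub-status, which shows whether the noise comes from `MSExchangeHMWorker.exe` and whether it stops after the monitoring mailboxes are recreated. The function name `Get-FailedLogonSummary` is hypothetical, and the sample XML is constructed from the fields of the event quoted in the first post.

```powershell
# Added example: group Event ID 4625 failures by calling process, target
# account, logon type and sub-status. Get-FailedLogonSummary is a hypothetical name.
function Get-FailedLogonSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)

    $rows = foreach ($x in $EventXml) {
        # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
        $d = @{}
        foreach ($n in ([xml]$x).Event.EventData.Data) {
            $d[$n.GetAttribute('Name')] = $n.InnerText
        }
        [pscustomobject]@{
            Process   = $d['ProcessName']
            Target    = if ($d['TargetUserName']) { $d['TargetUserName'] } else { '(empty)' }
            LogonType = $d['LogonType']
            SubStatus = $d['SubStatus']
        }
    }
    # One output row per distinct combination, noisiest first.
    $rows | Group-Object Process, Target, LogonType, SubStatus |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample carrying the fields of the event quoted in the first post.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName"></Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="ProcessName">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Data>
  </EventData>
</Event>
'@
Get-FailedLogonSummary -EventXml $sample, $sample | Format-List

# On the server (elevated shell), feed it the last hour of real events instead.
# Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
#            StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
#        ForEach-Object { $_.ToXml() }
# if ($xml) { Get-FailedLogonSummary -EventXml $xml } else { 'No 4625 events in the last hour' }
```

A single dominant row with an empty target account, logon type 3 and the health manager worker as the process matches the pattern in this thread; rows naming real accounts or other processes are a different problem and need separate review.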

Hi. I realize this is a very old thread...but...I have the same error on my Exchange server. It just started last night at 11pm or so, but when I try to remove the monitoring mailbox I get the following. Also, there are 3 monitoring mailboxes listed??

Active Directory operation failed on TGBDC.*****.***. This error is not retriable. Additional information:
Access is denied.
Active directory response: 00000005: SecErr: DSID-03152501, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo          : NotSpecified: (:) [Remove-Mailbox], ADOperationException
    + FullyQualifiedErrorId : [Server=TGM,RequestId=211da1e8-3813-49aa-917b-5c448f82ec46,TimeStamp=8/11/2015 3:07:07 P
   M] [FailureCategory=Cmdlet-ADOperationException] CE616F21,Microsoft.Exchange.Management.RecipientTasks.RemoveMailb
  ox
    + PSComputerName        : tgm.*****.***

Active Directory operation failed on TGBDC.*****.***. This error is not retriable. Additional information:
Access is denied.
Active directory response: 00000005: SecErr: DSID-03152501, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo          : NotSpecified: (:) [Remove-Mailbox], ADOperationException
    + FullyQualifiedErrorId : [Server=TGM,RequestId=211da1e8-3813-49aa-917b-5c448f82ec46,TimeStamp=8/11/2015 3:07:07 P
   M] [FailureCategory=Cmdlet-ADOperationException] CE616F21,Microsoft.Exchange.Management.RecipientTasks.RemoveMailb
  ox
    + PSComputerName        : tgm.*****.***

Active Directory operation failed on TGBDC.*****.***. This error is not retriable. Additional information:
Access is denied.
Active directory response: 00000005: SecErr: DSID-03152501, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo          : NotSpecified: (:) [Remove-Mailbox], ADOperationException
    + FullyQualifiedErrorId : [Server=TGM,RequestId=211da1e8-3813-49aa-917b-5c448f82ec46,TimeStamp=8/11/2015 3:07:07 P
   M] [FailureCategory=Cmdlet-ADOperationException] CE616F21,Microsoft.Exchange.Management.RecipientTasks.RemoveMailb
  ox
    + PSComputerName        : tgm.*****.***

TGBDC is our "backup" domain controller. I am logged into the Exchange server as the domain administrator and running management shell as admin.  Do I need to add the Exchange box itself and grant permissions? I'm completely stuck here.  Getting nearly 1000 of these errors per hour but all functions of Exchange appear to be working for everyone.


August 11th, 2015 11:16am

This topic is archived. No further replies will be accepted.
