Solved

Exchange 2013, HealthMailBoxes Event ID 1025

Posted on 2015-01-26
Last Modified: 2015-03-04
Hello experts.

We recently completed migration from SBS 2008 to Server 2012 R2 with Exchange 2013 CU7.
Old Exchange was uninstalled and demoted.
Every 5 min we are getting an error in the Application Event Log:

Event ID: 1025
Source: MS ExchangeTransport

SMTP rejected a (P1) mail from 'HealthMailbox065a4231a8a6475985d8d6a41f5b4c06@domain.local' with 'Client Proxy Server' connector and the user authenticated as 'HealthMailbox065a4231a8a6475985d8d6a41f5b4c06'. The Active Directory lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError

There are 14 HealthMailbox accounts listed in AD, including the one listed in this event, but only this one generates errors.

Please help.
Question by:Sashka54
22 Comments
 
LVL 61

Expert Comment

by:btan
ID: 40572809
Pls see the Microsoft help message stating this issue is due to a problem validating the e-mail address of a sender that was using "Send as" permission to send a message. Apparently, the on-behalf sender failed the authentication.
To resolve this error, do one or more of the following:

Make sure that the Exchange server that logged this event can communicate with one or more Active Directory servers available in the organization.

Verify that the specified recipient has the "Send as" permission granted to the specified mail-enabled object.
https://technet.microsoft.com/en-us/library/ff982197(v=exchg.141).aspx
0
 
LVL 5

Expert Comment

by:Hello World
ID: 40572829
Hi,

How about the internal and external mail flow?

According to the Microsoft article, please double-check what event log level is set for MSExchangeTransport\SmtpReceive; if it's not set to lowest, set it to lowest; if it already is lowest, there is nothing you can do.
Get-EventLogLevel -Server Servername

For more details about Source: MSExchangeTransport Event ID: 1025, please refer to:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=1025&EvtSrc=MSExchangeTransport&LCID=1033/
0
 

Author Comment

by:Sashka54
ID: 40572840
I am not sure how this help message applies to our situation. HealthMailboxes do not send on other users' behalf. They are used to monitor email flow, and there are no problems with the other 13 HealthMailboxes, which have the same permissions and rights.
0
 
LVL 61

Expert Comment

by:btan
ID: 40572851
The new account may not be in existence, and if no user faced difficulties, we can disable that account in AD if created due to migration. It should not be worse off, as it seems to be blocking SMTP traffic.
0
 

Author Comment

by:Sashka54
ID: 40572853
Internal and external email flow is fine.  Logging on Client Proxy Connector is Off.
0
 
LVL 61

Expert Comment

by:btan
ID: 40572887
The health box acct is just not validating correctly as the other 13 accts do; see this, which suggested allowing this acct or even creating a relay connector as an option.
https://social.technet.microsoft.com/Forums/exchange/en-US/39e508b7-3840-4b66-8187-69b7a9714dbb/1025-authentication-error-when-submitting-mail
But if there are no other leading errors accompanying this acct, I would rather monitor it unless it is killing the server performance.
https://technet.microsoft.com/en-us/library/hh994900(v=exchg.141).aspx
And if we really need to, we can start tracking audit as below... I am just thinking it is worth drilling so deep if it is not worse off or creating any issues... just the event log may be flooded.
http://blogs.technet.com/b/messaging_with_communications/archive/2011/04/22/how-to-track-message-in-exchange-2003-2007-2010.aspx
0
 

Author Comment

by:Sashka54
ID: 40572910
The last two comments applied to previous versions of Exchange (2007 and 2010). HealthMailboxes are a new feature in Exchange 2013. These Event IDs look rather confusing. I spent a considerable amount of time on the Internet before posting this question. But thank you for your attention.
0
 
LVL 61

Expert Comment

by:btan
ID: 40572952
Noted thanks. Apparently I see the more critical health aspects as the back pressure instead - but they are different errors though https://technet.microsoft.com/en-us/library/bb201658%28v=exchg.150%29.aspx

Overall, below are probably areas to explore further, and in particular these:
SMTP Send: When an Edge Transport server is subscribed to an internal Active Directory site, two Send connectors are automatically created and configured. One is responsible for sending outbound mail to Internet recipients; the other is responsible for sending inbound mail from the Internet to internal recipients. Inbound mail is sent to the Transport service on an available Mailbox server in the subscribed Active Directory site.
https://technet.microsoft.com/en-us/library/aa996349(v=exchg.150).aspx
...and
You can subscribe an Exchange 2007 or Exchange 2010 Edge Transport server to an Active Directory site that contains only Exchange 2013 servers. You can import the Edge Subscription file and run EdgeSync on a standalone Exchange 2013 Mailbox server, or on a server where the Mailbox server and the Client Access server are installed on the same computer. You can't import the Edge Subscription file or run EdgeSync on a standalone Exchange 2013 Client Access server.
https://technet.microsoft.com/en-us/library/jj150569(v=exchg.150).aspx
0
 

Author Comment

by:Sashka54
ID: 40573050
No, it is not killing server performance, except it is clogging up the Event Log because it is coming up every 5 min.
Also, I am concerned it could be a sign of a bigger problem.
0
 
LVL 61

Expert Comment

by:btan
ID: 40574223
Understood, I do not see great implication though, hence the various postings above. One means is also to enable diagnostics to sieve more "evidence" on whether the implication really exists. There are instances where unknown accounts are spamming the email exchange with a similar error, but that seems unrelated to the additional healthbox acct added.

Below is the setting for the verbosity to see any more "other" errors or anomalies compared to past baseline.
http://thoughtsofanidlemind.com/2014/09/22/setting-server-diagnostic-levels-in-exchange-2013/
https://technet.microsoft.com/en-us/library/aa998905(v=exchg.150).aspx
0
 

Author Comment

by:Sashka54
ID: 40577602
Dear btan,

This is all very informative. But I am looking for something which specifically applies to Exchange HealthMailboxes. Unfortunately, information on the internet and in MS documentation is sketchy. For example, I found that during setup two health monitoring mailboxes are created per database. Somewhere I remember seeing that if you delete one of these mailboxes during restart of the Exchange Transport Service, they will be recreated and the issue fixed. But again, I can't confirm it and I do not want to take chances on a production server.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40579160
Yes, by default, there are 2 health mailboxes per mailbox database. We should be able to see that each DB has two when we run the following in PowerShell on the Exchange server, and also see those warnings and errors (inclusive of the one stated in your qns), e.g.
C:\windows\system32> Get-Mailbox -Monitoring | Get-MailboxStatistics

Agree that to delete and depend on the restart to recreate a new healthbox mailbox can be risky, as there are instances where it is not working as expected. The "recreate" is to happen automatically every time the Exchange "Microsoft Exchange Health Manager" service gets restarted. The steps for delete and recreate are as shared in http://it.gamerz-bg.com/index.php/failed-security-audits-4265-hmworker-exchange-2013/

In fact, in the forum below, it did not take that "recreate" approach but found that the UPN is the issue:
"I did not try that. I have two UPNs on our AD Tree and apparently the UPN that the health mailboxes were assigned to does not match the UPN Exchange was using to log the health mailbox in with.

I changed all the UPNs on the health mailbox accounts to our Domain's other UPN and that fixed it (this made the account's name+UPN match the account that the security event log showed Exchange was attempting to authenticate as)."
https://social.technet.microsoft.com/Forums/de-DE/be11fc40-0660-4bcb-88c9-43b89000af03/exchange-2013-monitoring-mailboxes?forum=exchangesvradmin

However, some have shared that they did delete it and restart, but changed the account to admin and then back to service to ensure the recreate works - we may want to take it as a last resort if the a/m is not applicable to your case:
"I changed the startup account on the health monitoring service to my Admin account and restarted, within a few moments the mailboxes appeared, I changed the account on the service back and everything is working as expected."
https://gerhardwessels.wordpress.com/2014/01/30/exchange-2013-health-monitoring-mailboxes-missing/
0
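The UPN check described in the accepted answer, as an added example that is not part of the original thread: it extracts the sender address and authenticated account from the Event ID 1025 text and compares them with the UPN stored on the matching monitoring mailbox. The function name `Find-HealthMailboxMismatch`, the `example.com` UPN suffix and the inventory row are constructed for illustration; the event text is the one quoted in the question.

```powershell
# Added example, not from the thread. Find-HealthMailboxMismatch is a hypothetical name.
function Find-HealthMailboxMismatch {
    param(
        [Parameter(Mandatory)] [string[]] $EventMessage,  # text of Event ID 1025 records
        [Parameter(Mandatory)] [object[]] $Mailboxes      # objects with Name, UserPrincipalName
    )
    # Captures the P1 sender address and the account Exchange authenticated as.
    $pattern = "mail from '(?<from>[^']+)'.*authenticated as '(?<user>[^']+)'"
    foreach ($text in $EventMessage) {
        if ($text -notmatch $pattern) { continue }        # not a 1025 sender rejection
        $from = $Matches['from']
        $user = $Matches['user']
        # Assumption: the authenticated name in the event equals the mailbox Name.
        $mbx = $Mailboxes | Where-Object { $_.Name -eq $user } | Select-Object -First 1
        $upn = if ($mbx) { $mbx.UserPrincipalName } else { $null }
        $finding = if (-not $mbx) {
            'No monitoring mailbox with this name'
        } elseif ($from -ieq $upn) {
            'Sender matches UPN'
        } else {
            'Sender differs from UPN'
        }
        [pscustomobject]@{ Account = $user; Sender = $from; UPN = $upn; Finding = $finding }
    }
}

# Event text as quoted in the question; the inventory row is constructed sample data.
$hm = 'HealthMailbox065a4231a8a6475985d8d6a41f5b4c06'
$eventText = "SMTP rejected a (P1) mail from '$hm@domain.local' with 'Client Proxy Server' " +
             "connector and the user authenticated as '$hm'."
$inventory = @(
    [pscustomobject]@{ Name = $hm; UserPrincipalName = "$hm@example.com" }
)
Find-HealthMailboxMismatch -EventMessage $eventText -Mailboxes $inventory | Format-List

# On a live Exchange 2013 server the same inputs come from:
#   $inventory = Get-Mailbox -Monitoring | Select-Object Name, UserPrincipalName
#   $events    = Get-WinEvent -FilterHashtable @{ LogName = 'Application';
#                    ProviderName = 'MSExchangeTransport'; Id = 1025 } |
#                ForEach-Object Message
```

Because the event recurs every 5 minutes, pipe the live result through `Sort-Object Account -Unique` to get one row per affected account.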
 

Author Comment

by:Sashka54
ID: 40579859
Dear btan,


When I type the command Get-Mailbox -Monitoring, it lists the 14 mentioned HealthMailboxes. One of them is causing an issue in the Event Log.

When I type the command Get-Mailbox -Monitoring | Get-MailboxStatistics, I get statistics for 5 mailboxes; the other 9 give me the warning "The user hasn't logged on to mailbox ....., so there is no data to return."

Thank you.
0
 
LVL 61

Expert Comment

by:btan
ID: 40579880
Looks like the account for that healthbox is not functioning as expected... really tempted to delete and restart the services rather than trying to drill into those accounts http://it.gamerz-bg.com/index.php/failed-security-audits-4265-hmworker-exchange-2013/

But if you see the past first URL post, it also has the user cannot logon error, and it is due to the UPN issue extracted. Different UPNs in AD and Exchange were found, and the Exchange UPN is changed to be in sync with the Exchange UPN for that affected Healthbox account...
0
 

Author Comment

by:Sashka54
ID: 40586249
This is not clear to me: which user account logs on to the Health Mailbox. Or to put it better: which user account corresponds to a specific Health Mailbox, and how do I find that out?
0
 
LVL 61

Expert Comment

by:btan
ID: 40586270
It is the healthbox account, e.g. HealthMailbox065a4231a8a6475985d8d6a41f5b4c06@domain.local, as in your case flagged by the error. The link in the prev post stated the remove and restart service to recreate. This account is not created by the user admin.
0
 

Author Comment

by:Sashka54
ID: 40598383
Thanks for your patience.
I am preparing to address this issue with a client.
What is the worst-case scenario in case I delete this HealthMailbox and it can't be created properly?
Please understand me, I already got burned with this server. This was our first taste of Exchange 2013. For the past month it was working OK, except for this issue. But the client is not aware of it. So I am not in a rush to fix it unless we verify the solution.
0
 
LVL 61

Expert Comment

by:btan
ID: 40598401
Noted the worries. I cannot warrant there is no side effect, since we are all shy after twice bitten, but so far I have not heard of any, since it is automatically created by restarting services. But as mentioned, if it is not affecting greatly, I would rather not touch it, and it is best to test in staging and stand by a backup with recovery backup ready for rollback. Indeed, trust and verify is of higher assurance, but it will take some time if you can set up the staging.
0
 

Author Comment

by:Sashka54
ID: 40616594
Here is an interesting development: I did not want to touch this server during this week because of the holiday. This error message mysteriously disappeared. It has not come up for at least 7 days.
The account corresponding to that HealthMailbox is still there. The only work we did on this server was installation of regular Windows updates. Any rational explanation?
0
 
LVL 61

Expert Comment

by:btan
ID: 40616741
Saw others mentioned this though:
 - An email or something in the user's deactivated mailbox was causing the Exchange problems. So what I did was basically disconnect (delete) the user's mailbox instead of deactivating it, and the warning message disappeared.
 - What I also found out from another forum, to keep that msexchangesid warning from appearing every day in the event viewer, was to simply set the expiration date of the AD account to a previous date from present, and that would deactivate the AD user account and Exchange mailbox correctly.
0
 

Author Closing Comment

by:Sashka54
ID: 40645659
Thanks for your support. It took a while to implement this solution because it was a production server.
0
 
LVL 61

Expert Comment

by:btan
ID: 40645902
no worries, glad to have helped
0
