

Failed to save admin audit log for this cmdlet invocation when creating a new mailbox

Question

Monday, December 11, 2017 3:04 PM

When I attempt to create a new user, I get the following error. The mailbox is created. However, the user is not created in Active Directory, or sometimes will be after a period of time.

Any help would be appreciated in solving this problem.

Failed to save admin audit log for this cmdlet invocation. 
Organization: First Organization 
Log content:
Cmdlet Name: Remove-Mailbox
Object Modified: site.local/FL - Miami/Users/hosting/User Name
Parameter: Identity = User Name
Caller: site.local/Users/Administrator
ExternalAccess: False
Succeeded: True
Run Date: 2017-12-11T14:35:06
OriginatingServer: EXCH01 (15.01.0225.037)
 
Error:
Microsoft.Exchange.Data.ApplicationLogic.AuditLogException: An error occurred while trying to access the audit log. For more details, see the inner exception. > System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. > System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. > System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
    End of inner exception stack trace 
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
    End of inner exception stack trace 
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NetworkServiceHttpAuthenticator.AuthenticateAndExecute[T](CustomSoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
   at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.GetFolder(GetFolderType GetFolder1)
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.<>c__DisplayClasse.<CheckAndCreateWellKnownFolder>b__6()
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CallEwsWithRetries(LID lid, Func`1 delegateEwsCall, Func`3 responseMessageProcessor, Func`3 responseErrorProcessor)
    End of inner exception stack trace 
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CallEwsWithRetries(LID lid, Func`1 delegateEwsCall, Func`3 responseMessageProcessor, Func`3 responseErrorProcessor)
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CheckAndCreateWellKnownFolder(DistinguishedFolderIdNameType parentFolder, DistinguishedFolderIdNameType targetFolder, FolderIdType& targetFolderId)
   at Microsoft.Exchange.ProvisioningAgent.EwsAuditLogger.InitializeAdminAuditLogsFolder()
   at Microsoft.Exchange.ProvisioningAgent.EwsAuditLogger..ctor(ExchangePrincipal principal)
   at Microsoft.Exchange.ProvisioningAgent.AuditLoggerFactory.Create(ExchangePrincipal principal, ArbitrationMailboxStatus status)
   at Microsoft.Exchange.ProvisioningAgent.ConfigWrapper.get_MailboxLogger()
   at Microsoft.Exchange.ProvisioningAgent.AdminLogProvisioningHandler.WriteAuditRecord(Stopwatch stopwatch) 

All replies (6)

Tuesday, December 12, 2017 10:02 AM

Hi,

Have you got the Record Management and Organization Management permissions assigned to your admin account? Does the issue affect other administrators? When you modify a mailbox, do you get errors from the Exchange Management Shell and event logs from Event Viewer?

From the error message in your post, the problem could be related to audit configuration. Please run the following commands to view the configurations and provide the outputs here.

Get-Mailbox -Arbitration
Get-AdminAuditLogConfig
Get-Mailbox "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" -Arbitration | fl *database*
Get-MailboxDatabase "DB identity" -Status | fl *mounted*

Regards,

Alex



Tuesday, December 12, 2017 1:30 PM

Hello Alex,

Thank you for your reply.

Good question. I'll have to see if I do. Though this issue is recent. I was not having these issues before. It's possible that I probably need to reset something.

Get-Mailbox -Arbitration

Name                      Alias                ServerName       ProhibitSendQuota
                                             
SystemMailbox{1f05a927... SystemMailbox{1f0... precexch01       Unlimited
SystemMailbox{bb558c35... SystemMailbox{bb5... precexch01       Unlimited
SystemMailbox{e0dc1c29... SystemMailbox{e0d... precexch01       Unlimited
Migration.8f3e7716-201... Migration.8f3e771... precexch01       300 MB (314,572,800 bytes)
FederatedEmail.4c1f4d8... FederatedEmail.4c... precexch01       1 MB (1,048,576 bytes)

Get-AdminAuditLogConfig

RunspaceId                      : 2bf1011f-d56c-4321-b06f-66dbb9fd546d
AdminAuditLogEnabled            : True
LogLevel                        : None
TestCmdletLoggingEnabled        : False
AdminAuditLogCmdlets            : {*}
AdminAuditLogParameters         : {*}
AdminAuditLogExcludedCmdlets    : {}
AdminAuditLogAgeLimit           : 90.00:00:00
LoadBalancerCount               : 1
RefreshInterval                 : 10
PartitionInfo                   : {}
UnifiedAuditLogIngestionEnabled : False
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : Admin Audit Log Settings
DistinguishedName               : CN=Admin Audit Log Settings,CN=Global Settings,CN=Precedent,CN=Microsoft
                                  Exchange,CN=Services,CN=Configuration,DC=precedent,DC=local
Identity                        : Admin Audit Log Settings
Guid                            : 81c9b70b-1138-4c73-98e6-66df8b221b52
ObjectCategory                  : precedent.local/Configuration/Schema/ms-Exch-Admin-Audit-Log-Config
ObjectClass                     : {top, msExchAdminAuditLogConfig}
WhenChanged                     : 10/12/2016 6:25:03 PM
WhenCreated                     : 10/12/2016 5:56:05 PM
WhenChangedUTC                  : 10/12/2016 10:25:03 PM
WhenCreatedUTC                  : 10/12/2016 9:56:05 PM
OrganizationId                  :
Id                              : Admin Audit Log Settings
OriginatingServer               : PRECDC01.precedent.local
IsValid                         : True
ObjectState                     : Unchanged

Get-Mailbox "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" -Arbitration | fl *database*

Database                     : Mailbox Database 1481129371
UseDatabaseRetentionDefaults : True
UseDatabaseQuotaDefaults     : False
ArchiveDatabase              :
DisabledArchiveDatabase      :

Get-MailboxDatabase "DB identity" -Status | fl *mounted*

MountedOnServer : precexch01.precedent.local
Mounted         : True

Wednesday, December 20, 2017 9:15 PM

I just checked the permissions.

Org management is set. Record Management was not. 

I added the admin account to it.


Thursday, December 21, 2017 6:13 AM

Hi,

Does it occur on some special OU, Group or other AD object?

Audit log works with the ms-Exch-Store-Bypass-Access-Auditing permission; please ensure inheritance is enabled on the affected AD account. You can open ADUC to enable Advanced Features, then check the permissions for those objects.

More information, for your reference: Audit Exchange 2007 SP2 Auditing

Regards,
Allen Wang



Thursday, December 21, 2017 9:17 PM

I didn't want to mess around with my administrator account. Inheritance was not enabled.

So I went to my user account and checked to see if the enable inheritance was set. And it was.

I then went back to the ecp and added permissions and attempted to do a task. I have to do a hold on some email.

If you look at the inner exception, for some reason it's closing the connection.

Failed to save admin audit log for this cmdlet invocation. 
Organization: First Organization 
Log content:
Cmdlet Name: New-MailboxSearch
Object Modified: 
Parameter: Name = test
Parameter: SearchQuery = untangle
Parameter: SourceMailboxes = username
Parameter: EstimateOnly = True
Caller: site.local/FL - Miami/Users/username
ExternalAccess: False
Succeeded: True
Run Date: 2017-12-21T21:14:12
OriginatingServer: PRECEXCH01 (15.01.0225.037)
 
Error:
Microsoft.Exchange.Data.ApplicationLogic.AuditLogException: An error occurred while trying to access the audit log. For more details, see the inner exception. > System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. > System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. > System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
    End of inner exception stack trace 
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
    End of inner exception stack trace 
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NetworkServiceHttpAuthenticator.AuthenticateAndExecute[T](CustomSoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
   at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.GetFolder(GetFolderType GetFolder1)
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.<>c__DisplayClasse.<CheckAndCreateWellKnownFolder>b__6()
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CallEwsWithRetries(LID lid, Func`1 delegateEwsCall, Func`3 responseMessageProcessor, Func`3 responseErrorProcessor)
    End of inner exception stack trace 
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CallEwsWithRetries(LID lid, Func`1 delegateEwsCall, Func`3 responseMessageProcessor, Func`3 responseErrorProcessor)
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CheckAndCreateWellKnownFolder(DistinguishedFolderIdNameType parentFolder, DistinguishedFolderIdNameType targetFolder, FolderIdType& targetFolderId)
   at Microsoft.Exchange.ProvisioningAgent.EwsAuditLogger.InitializeAdminAuditLogsFolder()
   at Microsoft.Exchange.ProvisioningAgent.EwsAuditLogger..ctor(ExchangePrincipal principal)
   at Microsoft.Exchange.ProvisioningAgent.AuditLoggerFactory.Create(ExchangePrincipal principal, ArbitrationMailboxStatus status)
   at Microsoft.Exchange.ProvisioningAgent.ConfigWrapper.get_MailboxLogger()
   at Microsoft.Exchange.ProvisioningAgent.AdminLogProvisioningHandler.WriteAuditRecord(Stopwatch stopwatch) 

Thursday, February 15, 2018 2:28 PM

And I keep running into this issue.

Failed to save admin audit log for this cmdlet invocation. 
Organization: First Organization 
Log content:
Cmdlet Name: New-ComplianceSearch
Object Modified: 8e73a9d0-2a88-4111-d2df-08d573ecc9d2
Caller: precedent.local/Users/Administrator
ExternalAccess: False
Succeeded: True
Run Date: 2018-02-14T21:15:10
OriginatingServer: PRECEXCH01 (15.01.0225.037)
 
Error:
Microsoft.Exchange.Data.ApplicationLogic.AuditLogException: An error occurred while trying to access the audit log. For more details, see the inner exception. > System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. > System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. > System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
    End of inner exception stack trace
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
    End of inner exception stack trace
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NetworkServiceHttpAuthenticator.AuthenticateAndExecute[T](CustomSoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
   at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.GetFolder(GetFolderType GetFolder1)
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.<>c__DisplayClasse.<CheckAndCreateWellKnownFolder>b__6()
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CallEwsWithRetries(LID lid, Func`1 delegateEwsCall, Func`3 responseMessageProcessor, Func`3 responseErrorProcessor)
    End of inner exception stack trace
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CallEwsWithRetries(LID lid, Func`1 delegateEwsCall, Func`3 responseMessageProcessor, Func`3 responseErrorProcessor)
   at Microsoft.Exchange.Data.ApplicationLogic.EwsAuditClient.CheckAndCreateWellKnownFolder(DistinguishedFolderIdNameType parentFolder, DistinguishedFolderIdNameType targetFolder, FolderIdType& targetFolderId)
   at Microsoft.Exchange.ProvisioningAgent.EwsAuditLogger.InitializeAdminAuditLogsFolder()
   at Microsoft.Exchange.ProvisioningAgent.EwsAuditLogger..ctor(ExchangePrincipal principal)
   at Microsoft.Exchange.ProvisioningAgent.AuditLoggerFactory.Create(ExchangePrincipal principal, ArbitrationMailboxStatus status)
   at Microsoft.Exchange.ProvisioningAgent.ConfigWrapper.get_MailboxLogger()
   at Microsoft.Exchange.ProvisioningAgent.AdminLogProvisioningHandler.WriteAuditRecord(Stopwatch stopwatch)
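
Added example, not part of any post in this thread: a Python parser for the event text layout shown in the posts above. It extracts the cmdlet, caller and exception chain, reads the failing stage off the stack frames, and flags events where the cmdlet succeeded but no audit record was saved. The sample event is constructed and abridged from the thread's output; the function name and result keys are assumptions of this example.

```python
import re

# Constructed sample, abridged from the layout of the events posted in this thread.
SAMPLE_EVENT = """Failed to save admin audit log for this cmdlet invocation.
Organization: First Organization
Log content:
Cmdlet Name: New-MailboxSearch
Object Modified:
Parameter: Name = test
Parameter: EstimateOnly = True
Caller: site.local/FL - Miami/Users/username
ExternalAccess: False
Succeeded: True
Run Date: 2017-12-21T21:14:12
OriginatingServer: PRECEXCH01 (15.01.0225.037)

Error:
Microsoft.Exchange.Data.ApplicationLogic.AuditLogException: An error occurred while trying to access the audit log. For more details, see the inner exception. > System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. > System.IO.IOException: Unable to read data from the transport connection. > System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.GetFolder(GetFolderType GetFolder1)
   at Microsoft.Exchange.ProvisioningAgent.AdminLogProvisioningHandler.WriteAuditRecord(Stopwatch stopwatch)
"""

# "Key: value" header lines of the event; [ \t]* keeps an empty value on its own line.
FIELD = re.compile(r"^(Cmdlet Name|Object Modified|Caller|ExternalAccess|Succeeded"
                   r"|Run Date|OriginatingServer):[ \t]*(.*)$", re.M)
PARAM = re.compile(r"^Parameter: (\S+) = (.*)$", re.M)
EXC = re.compile(r"\b((?:\w+\.)+\w*Exception):")           # outermost to innermost
FRAME = re.compile(r"^\s+at ([\w.`<>\[\]]+)\(", re.M)      # method name of each frame

def parse_audit_failure(text):
    """Parse one 'Failed to save admin audit log' event body into a dict."""
    head, _, error = text.partition("\nError:")
    rec = {key: value.strip() for key, value in FIELD.findall(head)}
    rec["Parameters"] = dict(PARAM.findall(head))
    rec["ExceptionChain"] = EXC.findall(error)
    frames = FRAME.findall(error)
    # Frames inside SslState / TlsStream.ProcessAuthentication mean the peer
    # dropped the connection while the TLS handshake was still in progress.
    if any(".SslState." in f or f.endswith("TlsStream.ProcessAuthentication") for f in frames):
        rec["FailedStage"] = "tls-handshake"
    elif any(e.endswith("SocketException") for e in rec["ExceptionChain"]):
        rec["FailedStage"] = "transport"
    else:
        rec["FailedStage"] = "other"
    # The audit write goes through the EWS SOAP client (ExchangeServiceBinding).
    rec["ViaEws"] = any("SoapWebClient.EWS." in f for f in frames)
    # The cmdlet ran successfully, but its audit record was never saved.
    rec["UnauditedChange"] = rec.get("Succeeded") == "True"
    return rec
```

Every event with `UnauditedChange` set is an administrative action that is missing from the admin audit log, so the event text itself is the only record of the cmdlet, its parameters and the caller.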