Exchange 2013 Health Mailboxes
Exchange 2013 uses Managed Availability to monitor its own health. A key part of this monitoring is the use of synthetic transactions which mimic user activity such as sending and receiving email. As you can imagine, this activity needs to come from and get to somewhere, which is where the Health Mailbox comes into play. The Health Mailbox is, for all intents and purposes, just like a normal mailbox with an Active Directory account. There have been a few changes in the Health Mailbox architecture since RTM, namely the location of the AD accounts, the naming convention and the number of Health Mailboxes created.
Active Directory Location
In RTM we created the Health Mailboxes in Contoso/Users. I would love to show you a pretty picture here, but I don't have an RTM lab and I don't feel like building a new forest just for one screenshot. Close your eyes and it should come to you.
In CU1 we created a dedicated home for these objects, as per below:
Amount of Health Mailboxes and Naming Convention
Up to Exchange 2013 CU6, we created one Health Mailbox per mailbox database copy and one per CAS. The naming convention was not particularly admin-friendly, as it was the GUID of either the CAS or the database. It would look something like this:
CU6 introduced some tasty changes to both the naming convention and the number of Health Mailboxes that are created. We now create a Health Mailbox for every mailbox database hosted on a Mailbox server (Active or Passive) and 10 Health Mailboxes for every CAS role! Yes, there will be lots of these Health Mailboxes around. As I mentioned, we also changed the naming convention to make it a bit more admin-friendly, as we are nice like that.
Database Health mailbox is now HealthMailbox+Servername+DatabaseName:
CAS Health Mailboxes are now HealthMailbox+ServerName+001-010 (remember, 10 per CAS role):
When you view these through the ADUC console, we still show the GUID unless you add the Display Name column. But of course you are using the EMS, so no bother!
Common Issues
So now we know a bit more about the Health Mailboxes, let's look at two common issues.
1. "Corrupt" Health Mailboxes. We often hear this term, and it seems to come from the error message which is sometimes shown when you run Get-Mailbox -Monitoring: "/HealthMailboxXXXXXXXXX has been corrupted, and it's in an inconsistent state. The following validation errors happened: Database is mandatory on UserMailbox". So what does this mean, and is the mailbox really "corrupted"? Well, no, not really. What has actually happened is that the database this Health Mailbox corresponds to has been deleted. The mailbox is therefore "orphaned" and will throw this error. This often happens when admins install a new server, which gets a database created by default; that database is then removed and the clean-up doesn't happen properly. The AD account is still there, but the mailbox is gone and the database attribute is empty. These accounts can (and should) be safely removed from Active Directory. It may be prudent to restart the Health Manager service on the affected server, too, just in case any probes are referencing them.
2. Account Lockouts. How on earth can a "system" mailbox account get locked out? Well, as I said, for all intents and purposes, you can look at these Health Mailboxes as normal mailboxes with a corresponding AD account. They have passwords which are periodically reset. The password is a random 128-character secure string, so if you have any kind of domain password policy which could affect that, then it's possible to cause issues when the passwords are reset on the Health Mailbox accounts. It is best practice to make sure /Monitoring Mailboxes is not included in ANY domain password policies (including lockouts). You can view password change/failure activity from the following log:
....\Exchange Server\V15\Logging\Monitoring\Monitoring\MSExchangeHMWorker\ActiveMonitoringTraceLogs
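A read-only audit covering both issues above, added here as an example and not taken from the original post or from Microsoft: it lists each Health Mailbox AD account and flags those with an empty database attribute or a lockout. It assumes the ActiveDirectory module is available, that the container sits at CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects under the domain root, and that the "database attribute" is homeMDB.

```powershell
# Added example: read-only audit of Health Mailbox AD accounts (changes nothing).
# Assumptions: container DN below (CU1 and later) and homeMDB as the
# "database attribute" whose absence marks an orphaned Health Mailbox.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$searchBase = "CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,$domainDN"

$accounts = Get-ADUser -SearchBase $searchBase -SearchScope OneLevel -Filter * `
    -Properties DisplayName, homeMDB, LockedOut, PasswordLastSet, BadLogonCount

$report = foreach ($a in $accounts) {
    $issues = @()
    if (-not $a.homeMDB) { $issues += 'Orphaned (no database)' }
    if ($a.LockedOut)    { $issues += 'Locked out' }

    [pscustomobject]@{
        DisplayName     = $a.DisplayName      # HealthMailbox+Server+Database / 001-010 from CU6
        Name            = $a.Name             # what ADUC shows by default
        # First RDN of the homeMDB distinguished name is the database name
        Database        = if ($a.homeMDB) { ($a.homeMDB -split ',')[0] -replace '^CN=' } else { $null }
        LockedOut       = $a.LockedOut
        BadLogonCount   = $a.BadLogonCount    # per-DC value, not replicated
        PasswordLastSet = $a.PasswordLastSet
        Issues          = $issues -join '; '
    }
}

# Full inventory, problem accounts first
$report | Sort-Object Issues -Descending | Format-Table -AutoSize

# Only the accounts that need attention
$report | Where-Object Issues | Select-Object DisplayName, Name, Issues
```

Compare PasswordLastSet and LockedOut against the entries in the ActiveMonitoringTraceLogs folder to confirm whether a password reset by Health Manager was rejected by policy.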
I hope this helps demystify the Health Mailbox a little bit!
Adrian Moore
Senior Premier Field Engineer
Comments
- Anonymous
January 01, 2003
Another possible issue is "You have mailbox database(s) on the server. But you don't have valid Health Mailboxes for the server".
1. Stop the Microsoft Exchange Health Manager service on that server.
2. Delete corresponding accounts in the ADUC console on the domain controller.
3. Then run the Microsoft Exchange Health Manager service and wait a few minutes.
Health Manager will re-create the user accounts and Health mailboxes.
(Originally written by Rajith Jose Enchiparambil - http://theucguy.net/recreate-exchange-2013-health-mailboxes/ )
Note: Do not do that in the case of the Arbitration mailboxes.
- Anonymous
March 11, 2015
Thanks
- Anonymous
March 17, 2015
The comment has been removed
- Anonymous
February 03, 2016
It is not possible to apply a lockout policy to the Monitor mailboxes container as it is not an OU. How can such a lockout policy be applied only to the health mailboxes?