MSExchange RBAC (258) and MSExchange RBAC (17) Errors Since CU6 Update

As soon as I finished the 2013 CU6 update and rebooted the servers I started getting these RBAC related errors in the application logs on my mailbox servers:

MSExchange RBAC 17 RBAC:

(Process w3wp.exe, PID 9000) "RBAC authorization returns Access Denied for user domain.local/Microsoft Exchange Servers/EXCHMBSVR2. Reason: No role assignments associated with the specified user were found on Domain Controller DC02.domain.local"

MSExchange RBAC Event 258 RBAC:

(Process 9000, PID w3wp.exe)"RemotePS Public API Func GetApplicationPrivateData throws Exception Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The user "domain.local/Microsoft Exchange Servers/EXCHMBSVR2" isn't assigned to any management roles.

I found a reference to this error which pointed to a Symantec article that suggested adding the service account to the Organization Management group. The problem is that it is the Computer Account for the Mailbox server that is being denied. I tried to add the server's computer account to the Organization Management group and that fixed the errors, but it also broke "Free/Busy" lookups.

I never had this error while we were running 2013 SP1; only once we upgraded to CU6 did I start seeing this error.

October 16th, 2014 1:19pm

Hi,

Thanks for your question.

I am trying to involve someone familiar with this topic to further look at this issue.

Best regards,


October 17th, 2014 6:09am

Hello Corey,

As far as I know, we don't by default have a container Microsoft Exchange Servers/EXCHMBSVR2 and an account for each Exchange server. Did we create them manually, or were they actually created by the system?

Also, please confirm the following:

  1. The server object is added to the Exchange Install Domain Servers group, the Exchange Trusted Subsystem group and the Exchange Servers group;
  2. The account we log in to the server with is added to the Organization Management group to manage the Exchange server;
  3. Is the object EXCHMBSVR2 in the error message a Server object or just a User account?
  4. Is only EXCHMBSVR2 reported in the error message? What about other Server objects or user accounts?
  5. Have there been any changes recently?
  6. Do we have any group policy which affects the issue?

Meanwhile, I noticed that after we added the server's computer account to the Organization Management group, the event error was fixed; however, it also broke "Free/Busy" lookups. So could you please describe in detail how the free/busy lookup broke?

Moreover, please add the Exchange Servers security group to the Organization Management security group, then monitor the issue.

October 20th, 2014 9:57am
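The membership checks in steps 1 and 2 above, as an added example (not code from any poster in this thread): it reads the computer account's direct group membership and flags membership in Organization Management, which the thread reports breaks Free/Busy. It assumes the RSAT ActiveDirectory module is available; the server name EXCHMBSVR2 is the one from the thread.

```powershell
# Added example, not from the thread: audit an Exchange server's computer account
# against the groups the reply above asks about, and warn on direct membership in
# Organization Management (the change the OP reports broke Free/Busy lookups).
# Assumes the RSAT ActiveDirectory module is installed on the machine running this.
Import-Module ActiveDirectory

function Test-ExchangeServerGroups {
    param(
        [Parameter(Mandatory)][string]$ComputerName
    )
    # Groups the server object is expected to be a member of (step 1 of the reply).
    $expected  = @('Exchange Servers', 'Exchange Trusted Subsystem', 'Exchange Install Domain Servers')
    # Groups a server's computer account should not be a direct member of.
    $forbidden = @('Organization Management')

    $computer = Get-ADComputer -Identity $ComputerName -Properties MemberOf
    # Resolve each group DN in memberOf to its sAMAccountName for a readable comparison.
    $groups = foreach ($dn in $computer.MemberOf) { (Get-ADGroup -Identity $dn).SamAccountName }

    foreach ($g in $expected) {
        $state = if ($groups -contains $g) { 'OK     ' } else { 'MISSING' }
        '{0} {1}' -f $state, $g
    }
    foreach ($g in $forbidden) {
        if ($groups -contains $g) {
            "WARNING direct member of '$g' - remove it and re-check Free/Busy after a reboot"
        }
    }
}

Test-ExchangeServerGroups -ComputerName 'EXCHMBSVR2'
```

Only direct membership is checked; nested membership would need `Get-ADPrincipalGroupMembership` or a recursive group walk.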

Hello Corey,

Do we have any update on this issue?

October 24th, 2014 9:51am

Sorry for the late response.

The Exchange server object is in the Exchange Install Domain Servers group, Exchange Trusted Subsystem group and Exchange Servers group.

My account is in the Organization Management group, but the issue occurs whether or not someone is logged in to the server.

The "EXCHMBSVR2" object referenced in the error is the exchange computer account.

Once the servers were placed into the Organization Management group, anyone who tried a free/busy lookup (Schedule a meeting) got the message that the "Free/Busy Service is unavailable". I would imagine that's because the server could no longer proxy the free/busy lookup request.

The only thing that changed was that I installed Exchange 2013 CU6. I went back in the system event logs and I never got this error until after the server rebooted following the CU6 update.

October 29th, 2014 12:46pm

Hi Corey,

Good to know the event error no longer exists after we reboot the server. Regarding the free/busy issue, currently we are also not sure whether it is related to the server not being able to proxy the free/busy lookup request, since it will need different troubleshooting and checking of the configuration. I recommend you open a new post to focus on the free/busy issue, so we can find more clues about it. Thanks for your understanding.

October 30th, 2014 4:40am

I will have to mock this up in my Dev environment then, because I can't leave free/busy broken in production. I know this is directly related to the servers being placed in the Org Management group, because I can trace the time free/busy broke and started working again to the servers' membership in that group.
November 3rd, 2014 2:00pm


NOBODY SHOULD ADD EX 2013 CAS SERVERS TO ORGANIZATION MANAGEMENT!

I can't stress how bad this is. Because the Organization Management group is a privileged group, it also includes some inherited deny permissions which will wreak havoc with a variety of functions in your environment. It might have worked in Ex2010, but not now. You've been warned (first-hand experience here). Problems won't fully manifest until your CAS and mailbox servers are rebooted following the group addition.

April 4th, 2015 11:08pm

Same Event and Source here:

...

Log Name:      Application
Source:        MSExchange RBAC
Event ID:      258
"RemotePS Public API Func GetApplicationPrivateData throws Exception Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The user "administration.org.com/_NNT/Machines/Server/ADMSV1" isn't assigned to any management roles.
...

with _NNT/Machines/Server being a self-created OU where we place machines that WSUS should ignore

and ADMSV1 being the Exchange Server 2013 CU8

Checked Eric Zou's list steps 1..6, all is fine.

Machine is running since June 2015 and will be rebooted once a month after updating.

Events started to show up @ Friday Sep 9 at 18:30 without any modifications on DC or EXCH Servers.

From now on we have:

Event Sequence 17,23,258 shows up two to three times @ 18:30 each day, where our backup starts

Event Sequence 17,23,258 shows up two to three times @ 8:55 *sometimes*, no tasks here.

Event Sequence 17,23,258 shows up two to three times @ 10:20 each day, no tasks here.

September 8th, 2015 12:06pm
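The timing pattern in the post above (events 17, 23 and 258 recurring at fixed times of day) is easier to confirm from the log than by eye. This is an added example, not code from the thread: it pulls the MSExchange RBAC events from the Application log and buckets them by day and time of day, extracting the denied principal from the message text. It assumes it runs on the Exchange server itself (Get-WinEvent also accepts -ComputerName for a remote server).

```powershell
# Added example, not from the thread: bucket MSExchange RBAC events 17/23/258 by
# time of day so a recurring trigger (such as the 18:30 backup window above) stands out.
# Assumes it runs locally on the Exchange server with rights to read the Application log.
function Get-RbacDenialPattern {
    param(
        [int]$Days = 7
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MSExchange RBAC'
        Id           = 17, 23, 258
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return "No MSExchange RBAC 17/23/258 events in the last $Days days." }

    $events |
        ForEach-Object {
            # Event 17 reads '... for user <principal>. Reason: ...';
            # event 258 reads '... The user "<principal>" isn't assigned ...'.
            $who = if ($_.Message -match '(?:for user |The user ")(.+?)(?:\. Reason|")') {
                $Matches[1]
            } else {
                '(unparsed)'
            }
            [pscustomobject]@{
                Day       = $_.TimeCreated.ToString('yyyy-MM-dd')
                TimeOfDay = $_.TimeCreated.ToString('HH:mm')
                Id        = $_.Id
                User      = $who
            }
        } |
        Group-Object Day, TimeOfDay |
        Sort-Object Name |
        Select-Object @{ n = 'Day/Time'; e = { $_.Name } },
                      Count,
                      @{ n = 'Ids';   e = { ($_.Group.Id   | Sort-Object -Unique) -join ',' } },
                      @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

Get-RbacDenialPattern -Days 7 | Format-Table -AutoSize
```

A bucket that recurs at the same minute every day points at a scheduled task or backup job authenticating as the computer account; one-off buckets are more likely interactive sessions.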
