Today while building a new Exchange 2010 environment I noticed a problem where Exchange servers were able to access themselves but not other Exchange 2010 servers in the same organisation.
The error I received when my PowerShell attempted to connect to another Exchange 2010 server was:
An IIS directory entry couldn't be created. The error message is Access is denied.
. HResult = -2147024891
+ CategoryInfo : NotInstalled: (DEVDREXCH171\EWS (Default Web Site):ADObjectId) [Get-WebServicesVirtualDirectory], IISGeneralCOMException
+ FullyQualifiedErrorId : E2E22D81,Microsoft.Exchange.Management.SystemConfigurationTasks.GetWebServicesVirtualDirectory
The problem was that the Microsoft Exchange Security Groups\Exchange Trusted Subsystem group was no longer a member of the local Administrators group on the Exchange 2010 servers. The customer was setting local admin membership on servers via Group Policy. When the policy refreshed, it removed any Exchange 2010 specific groups from the local Administrators group.
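
A check for this condition, as an added example that is not part of the original post: it reads each server's local Administrators group through the ADSI WinNT provider and reports whether Exchange Trusted Subsystem is present. The function name is hypothetical, and the local group name assumes an English-language OS.

```powershell
# Added example: uses the ADSI WinNT provider so it also runs on the
# PowerShell 2.0 found on Exchange 2010 era servers.
function Test-ExchangeTrustedSubsystemAdmin {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        # Group name as given in the post.
        [string]$RequiredMember = 'Exchange Trusted Subsystem',
        # Assumption: English OS; localized systems name this group differently.
        [string]$LocalGroup = 'Administrators'
    )

    foreach ($server in $ComputerName) {
        $result = New-Object PSObject -Property @{
            Server   = $server
            IsMember = $false
            Error    = $null
        }
        try {
            $group = [ADSI]"WinNT://$server/$LocalGroup,group"
            # Members() returns COM objects; read each Name via reflection.
            $names = @($group.psbase.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            })
            # -contains is case-insensitive, so casing differences do not matter.
            $result.IsMember = $names -contains $RequiredMember
        }
        catch {
            # Unreachable host or access denied: record it, never assume membership.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Server name taken from the error text in the post; list every Exchange server here.
Test-ExchangeTrustedSubsystemAdmin -ComputerName 'DEVDREXCH171' |
    Where-Object { -not $_.IsMember }
```

Running it again after a Group Policy refresh shows whether the policy is still stripping the group from the local Administrators membership.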