  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 969

Cannot use ActiveSync with Motorola Q and Exchange 2007

We have an organization where 2 users have the new Motorola Q cell-phones (with Verizon service).  ActiveSync from the phone was working perfectly with Exchange 2003 SP2.  Then we upgraded to Exchange 2007 as everybody wanted the features of the new OWA.  Suddenly, syncing to Exchange no longer works.  I have personally spent well over 60+ hours on this so far, trying to figure out what is wrong.  I have found that there are actually very few people already using Exchange 2007, so finding information has proven to be very difficult.

I have already done ALL of the following with NO LUCK:
 - Installed the root certification (created during Exchange install) on the phone
 - Purchased and installed an SSL cert from RapidSSL on IIS AND on the phone
 - Completely disabled SSL throughout on IIS and on the phone, as some users suggested
 - Upgraded Windows 5.0 on the phone to the very latest version
 - Replaced the phone (twice)
 - Setup permissions in ADSI for the Exchange 2007 server to "Full Control"
 - Purchased ANOTHER "fast" SSL certificate from GLOBALSIGN.COM, but it was NOT instant
...and many more things that I no longer remember (it's been 2 months of pain and agony)

I even set up a new account on the OLD Exchange 2003 SP1 server (yes, it is still in the network), and the phone worked perfectly with that account.  But the phone will NOT work with the Exchange 2007 server.  I have been working with computers for more than 20 years and this is the most frustrating experience I have ever had.  I have read several posts that say that simply removing all of the darn SSL requirements will fix the issue, and I have tried that, but I still get the above error code.  I really am at wits' end on this one.  Any help is greatly appreciated!

Sincerely, Bjorgen
0
Asked by: beatinger
2 Solutions
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Your post has quite a bit of info, but I still have a few questions if you don't mind, because a 0x85010006 error indicates PERMISSIONS problems.

Do you have any other phones that you are synching with your Exchange server?

Can you open http://servername/oma from a computer within your LAN?
Can you open https://server.domain.com/oma or https://externalIPaddress/oma from outside your LAN?

Please verify that anonymous is NOT enabled on either /exchange, /oma or /Microsoft-Server-ActiveSync virtual sites.

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
Hello Jeff,
Thank you so much for your help!  I'll answer your questions in the order presented.

1. No, I am currently only trying to fix the issue using one subscriber, using his Motorola Q, which has all of the very latest firmware/software updates.

2. Keep in mind that this is Exchange 2007, which does not appear to have an OMA virtual site under the Default Site.  It has only the following sites (from the top, in order):
- AutoDiscover
- EWS
- Exadmin
- Exchweb
- OAB
- OWA
- Public
- RPC
- RPCWithCert
- TsWeb
- UnifiedMessaging

Perhaps that is the issue?  The fact that I don't have an OMA site?  I have found Microsoft Articles describing how to install the OMA Virtual Site, but the articles are all relative to Exchange 2003, not Exchange 2007.  In fact, it is rather difficult to find much information about Exchange 2007 for some reason.

Thank you again for your help!
Sincerely, Bjorgen T. Eatinger
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
No, it's not the issue... sorry about that, I wasn't thinking.  (I've used Exchange 2007 and have a virtual server set up on my lab machine, but I have no full implementations of it yet because all of my clients are SBS 2003 based).

Anyhow.  Check out this security tutorial to make sure you've set things right:
http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/mobility-client-access/mobile-messaging-exchange-server-2007-part2.html

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
Jeff,

I went through every word of the security tutorial mentioned above and still no dice.  I have tried using the simplistic ActiveSync policies, or not, and the result is exactly the same either way.  I find it amazing that there are not more people with this same issue, as I am a 30-year veteran programmer and IT expert, and this is the absolute worst time I have ever had with any issue at any time.  I've never spent this much time with an issue.  I can usually resolve nearly anything within a few days.  It's been almost 2 months and I am racking my brains out on this.  Wow...this is crazy.

Bjorgen
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
I take it you've only been trying to sync over the air directly to the Exchange Server and have not tried by making a connection via ActiveSync on a Desktop running Outlook?

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
Hello Jeff,

I am making a connection to the Exchange 2007 server using Outlook and VPN, and also have over 100 users using OWA just fine; I have no idea how you would connect via ActiveSync on a desktop running Outlook.  How is that done?  However, I did try accessing OWA using the phone's Internet Explorer browser, and it also does not allow me to access.  After several attempts, it goes to a standard HTTP 405 page telling me that I do not have authorization, which by the way, is actually the same code as 81050006.  

Oh wait,---I think when you say making a connection to a desktop, you mean using the Microsoft ActiveSync 4.2 program, and the USB cable from the phone to a desktop?  Yes, that works fine.  I was able to sync all my contacts to/from the phone to the desktop Outlook no problem.

This issue is strictly isolated to an over-the-air sync, and an over-the-air access to OWA using the phone's IE browser.  Now, this led me to believe that there might be a problem with the certificate, but I spent $189.00 Monday purchasing the real thing from GlobalSign, who are listed as one of the phone's approved root certificate providers.  And that works perfectly now with OWA, using a root and intermediate certificate (so that there are no messages when a user uses OWA), but the phone still will not sync.

We tried contacting Microsoft regarding this issue but were told that we would have to spend a very large sum of money to open a case, with no guarantee that they can solve it.  This was surprising, given that we are a MAPS subscriber and Partner.

Sincerely, Bjorgen
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Why are you using a VPN connection?  That's totally unnecessary for over-the-air sync... but if you did use it you'd have to change your Exchange Server's address to the local name... ie, exchange.yourdomain.local, but then it won't match your SSL cert, so that's not a good idea.

Then, you need to upgrade to ActiveSync 4.5 which has a much better troubleshooting capability.

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
Jeff,

The VPN connection is only so that we can use standard Office Outlook 2003 from our remote offices into the Exchange 2007 server.  That actually had nothing at all to do with the over-the-air discussion.  Sorry to have confused you.

I'll try updating to ActiveSync 4.5 and see if it can deliver some better error codes.

Bjorgen
0
 
gooberpea Commented:
Hey I know this might be a little elementary, but verify the server name in the phone sync config menu is correct.  I just had the same issue happen and stupid me was asking the wrong server.  I spent the better part of this morning on the server checking out all of the settings I could think about and the solution was the very first setting on the phone sync config menu.  I was simply asking the wrong server.  Please laugh all you want and call me any name you want to, I know I did after I found out.

Hope this helps
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
That's actually why I suggested that the relationship be set up using Outlook and ActiveSync on a desktop PC rather than manually configuring the settings on the device.  

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
I used ActiveSync on the desktop PC to configure the phone (ActiveSync v4.5) and the results are always the same, no matter what.  This thing is just spooked!  I have no idea what else to do or try, and am running out of time (I purchased a phone on 30-day evaluation from Verizon just to try to fix this issue, as I cannot use the client's phones, as they are using them daily).  This is a serious heartbreak, because I spent more than 75-hours now, and cannot bill the client, because I didn't get it to work.  The phone will go back to Verizon soon, and that will be it I guess.
Bjorgen
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
So, wait a minute... you are using a separate device?  Did you create a new Exchange Mailbox to sync to for this new device?  (ie, a test account?).

Then... can the device sync with the Exchange Mailbox while connected to the PC via USB?  

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Also... let's take this back to basics... did you install the Client Access Server Role on your Exchange 2007 Server?

because that would enable Exchange ActiveSync?  See this documentation:
http://technet.microsoft.com/en-us/library/aa998357.aspx

Then be sure to review this SSL documentation for Exchange 2007:
http://msexchangeteam.com/archive/2007/07/02/445698.aspx

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
Hello Jeff,

Following are the answers to your questions:
1. The phone I purchased from Verizon for testing is complete with Internet access.  And yes, it syncs up fine to an Outlook installation on the PC (I only sync contacts to keep test time minimal).

2. No, I did not try creating a new Exchange Mailbox and testing that.  These are all legacy Exchange 2003 mailboxes that were "Moved" from the existing Exchange 2003 server using the Exchange 2007 Management Console.  This is for obvious reasons, since all of the client's contacts and email are coming from the Exchange 2003 server.  So I just tried creating a brand-new mailbox just now on the Exchange 2007 server, and the results were exactly the same (Support Code: 0x85010006).

3. Yes, the Client Access Server is installed on the Exchange 2007 server.  Remember that there are several hundred other OWA clients using the server non-stop (all of them successfully imported in from the Exchange 2003 server).

4. We are using a bona fide purchased SSL Certification from GlobalSign, supported on the phone's OS (Windows Mobile 5.0) by default, and which is working flawlessly with the aforementioned OWA clients (they don't even receive a "Please accept certificate" warning, etc.).  I also installed the GlobalSign certificate on the phone (I know I shouldn't have to), and the results were exactly the same with or without it.

The only possibility that I can think of is the fact that there is still an Exchange 2003 server existing in the domain.  Which is actually a good thing in a way, as I can still create mailboxes on it and switch the phones to authenticating on that server, and they work perfectly.  They simply will NOT work on the new Exchange 2007 server.

Bjorgen
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Well, you're getting closer... guess what:  http://support.microsoft.com/kb/937031

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Also, according to:  http://msexchangeteam.com/archive/2007/05/23/439541.aspx

"For mailboxes that are still on Exchange 2003 SP2, the SP2 policies will apply even though Exchange ActiveSync requests may be first hitting an Exchange 2007 CAS box.

In this type of topology, the EAS request is being "proxied" to the Exchange 2003 SP2 server (and that server is running IIS 6 w/ the Microsoft-Server-ActiveSync virtual directory)."

So, you really may have problems due to the Exchange 2003 Server still being active.

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
Jeff,

Well, you got me excited there for a minute, but then I read the links you provided, and KEY is the fact that we are NOT running the mailboxes on the Exchange 2003 server.  ALL of the mailboxes that were originally on the Exchange 2003 server were migrated to the Exchange 2007 server.

The only reason I brought up Exchange 2003 is the fact that it is running on the Primary Domain Controller (PDC), which is responsible for providing the authentication for the mailbox users, regardless of where the Exchange 2007 mailboxes reside.

However, I would like to remove Exchange 2003 from the PDC for several reasons, one of which is I just don't like anything but Active Directory to run on the PDC, and the other because we just don't really need it anymore (unless we can never get these darn phones to work---then we'll have to go back to it actually, at least for the phone users).  Do you know of any good articles on the best way to remove it?  It's not going to be easy, because the SEND connectors are still being used on the Exchange 2003 server for other purposes.  Yes...I know that I will have to configure my network to use the Send Connector on the Exchange 2007 server, but I just don't fully trust it yet.  I can make too much damage all at once to the user base, as they start getting very edgy.

Bjorgen
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Yikes... having Exchange on a DC?  That's something I would only want to see on a Small Business Server, never with stand-alone Server 2003's.  Also, that server still has its SYSTEM Mailboxes intact, so I'd get rid of it ASAP!

Worst case with the Mobile users is to enable IMAP and let them sync that way temporarily.

The technical how-to for removing the server is here:  http://technet.microsoft.com/en-us/library/bb288905.aspx

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Also, review this list to make sure that you aren't still needing the Exchange 2003 for any of the listed items:
http://technet.microsoft.com/en-us/library/aa998911.aspx

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
Jeff,

How would we setup IMAP so that mobile users could sync to it?

We'll also try to remove the Exchange 2003 server tomorrow.

MS should have made this whole thing a tad easier.

Bjorgen
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Well, I was just going to say, it's easy... just enable IMAP4, but when I quickly pulled up the documentation on that, it reminded me about something else that you may have overlooked...  enabling the user's mailbox via PowerShell to be ActiveSync enabled.  (since the GUI settings aren't coming along until Exchange 2007 SP1 is released).  

See the graphic in this article:  http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/using-pop3-imap4-access-exchange-2007-part1.html

But basically you would need to run:

Set-CASMailbox -Identity John -ActiveSyncEnabled $true
(per http://technet.microsoft.com/en-us/library/bb124809.aspx)

Which is what you'd need to run to enable IMAP4 as well (although using ImapEnabled instead).

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
Jeff,

Yes, I had already tried that, also to no avail.  I believe I have already installed SP1 for Exchange, as I am a MAPS subscriber.  But I did try the graphics method and PowerShell and the changes I made in one affected the other, so I knew the settings were having the exact same effect as each other.

I'll try it all again just to be 100% certain, and will update.

Bjorgen
0
 
beatinger (Author) Commented:
I am still working on this problem...isn't there anybody at all out there that can help with this?

How about some of you guys from Microsoft?
Bjorgen
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Not sure what you mean by "some of you guys from Microsoft" as there are no Microsoft engineers that monitor questions from Experts-Exchange.  Additionally, once a question is more than a few days old there is very little likelihood that anyone new will even look at it.

There are a number of Microsoft MVPs that participate on this site (I'm one of those), and I can certainly send out a request to the zone advisors asking for additional help, but I'm curious about your comment that you already have installed Exchange 2007 SP1 because betas aren't included in the MAPS subscription.  Do you mean that you got it from MSDN?

Jeff
TechSoEasy

0
 
beatinger (Author) Commented:
Jeff,

I said that "I believe" that I must have SP1, since I don't need to use the PowerTool to make that setting change...see the following:

[PS] C:\Documents and Settings\Administrator.EHADS>Set-CASMailbox -Identity dseals -ActiveSyncEnabled $true
WARNING: The command completed successfully but no settings of
'ehads.edenhosting.net/Users/Debi Seals' have been modified.
[PS] C:\Documents and Settings\Administrator.EHADS>

When I go into the graphical tool, there IS a place where ActiveSync can be Enabled/Disabled, which you said would only be possible with SP1, so I assumed that I must have it already.  Sorry, my mistake.

However, I just noticed that when I view the properties on user's mailboxes, there is nothing listed under the "Member Of" tab.  It's just blank.  But the Administrator's mailbox does have several groups listed, one of which is "Users"  How would I at least add all of the mailboxes to the user's group?  Or is this not necessary?  Remember that the error on the phone states that "Your user account does not have permission to perform this action...etc." and is code 0x81050006.
Bjorgen
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Well, that's probably something you DO need to attend to... since your environment still contains an Exchange 2003 Server you need to add the permissions as described in this article:
http://technet.microsoft.com/en-us/library/bb310792.aspx

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
Jeff,

Isn't that already done as part of the overall Exchange 2007 setup process?  It's okay to go back and do this after the fact?  The Exchange 2007 server has been up and running now for 2 months.  Just don't want to screw up anything.

Bjorgen
0
 
beatinger (Author) Commented:

Jeff,
I ran the PrepareLegacyExchangePermissions command from the CD, first specifying EHADS as the domain controller and then using the FQDN name instead, and the following occurred.  What's odd about this is that it says to refer to an Error ID, but there isn't any, and none in the Error Log.  Do you know what this registry "override" is all about?

F:\>Setup /PrepareLegacyExchangePermissions /dc:ehads

Welcome to Microsoft Exchange Server 2007 Unattended Setup
Preparing Exchange Setup
No server roles will be installed

Performing Microsoft Exchange Server Prerequisite Check
    Organization Checks              ......................... COMPLETED
Exchange Server setup encountered an error.

F:\>Setup /PrepareLegacyExchangePermissions /dc:ehexchange01.ehads.edenhosting.net

Welcome to Microsoft Exchange Server 2007 Unattended Setup
Preparing Exchange Setup
No server roles will be installed

Performing Microsoft Exchange Server Prerequisite Check
    Organization Checks              ......................... FAILED
Setup cannot use domain controller 'ehexchange01.ehads.edenhosting.net' because an override is set in the registry. Run Setup again, and specify '/DomainController:'.

The Exchange Server setup operation did not complete. Visit http://support.microsoft.com and enter the Error ID to find more information.

Exchange Server setup encountered an error.

Bjorgen
0
 
beatinger (Author) Commented:
Never mind the above...I got all of that to work by modifying a registry value which was supposed to contain a static reference to the domain controller.  Now all the Setup commands are working fine, but even after doing all of them, the PDA still cannot sync, and has the same error.

Bjorgen
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Yeah, but do the mailboxes have the permissions that they need?  Per the article I linked above?  Because at first you said that they didn't have any permissions listed... (ie, not members of any security groups).

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
The one mailbox that needs to sync I setup in the PowerUsers Group.  I don't know what other permissions it would need.  I tried opening the link you included above and it just will not open.

Bjorgen
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
There's something going on with the TechNet site... because all links to it seem to be down.

Jeff
TechSoEasy
0
 
beatinger (Author) Commented:
Okay, I got into the TechNet site again and read through that entire page, but I see nothing indicative of setting permissions on mailboxes so that the user can perform an ActiveSync partnership.  And if all of our OWA users are able to fully function, including the PDA users (they also have OWA), then where exactly is this permission to be set to allow for a PDA partnership sync?

Bjorgen
0
 
fuzzwolf235 Commented:
I was having this same problem until I found this article: http://support.microsoft.com/kb/829167

All of the other virtual directories were using the right application pool except for the Microsoft Server ActiveSync, which was using DefaultAppPool. I changed it to the MSExchangeSyncAppPool; now everything is syncing, including our Motorola Q.

Hope this helps.
0
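
A read-only way to check the application pool assignment described in the answer above, together with the anonymous-access setting raised earlier in the thread; this is an added PowerShell example, not code from any participant or from the linked KB article. It assumes the Default Web Site is site ID 1, the IIS ADSI provider is available on the server, and PowerShell 2.0 or later; `Get-VdirAudit` is a hypothetical helper name.

```powershell
# Added example (not from the thread): read-only audit of IIS virtual directories.
# Assumptions: Default Web Site is site ID 1; the IIS ADSI provider is installed.
$siteRoot = "IIS://localhost/W3SVC/1/ROOT"

# Pool the thread says the ActiveSync directory must run in.
$expectedPool = @{ "Microsoft-Server-ActiveSync" = "MSExchangeSyncAppPool" }

# Directories where the thread says anonymous access must stay disabled.
$noAnonymous = "Exchange", "oma", "Microsoft-Server-ActiveSync"

function Get-VdirAudit {
    param([string]$Name)

    $row = "" | Select-Object Name, Exists, AppPoolId, AuthAnonymous, Findings
    $row.Name = $Name
    $path = "$siteRoot/$Name"

    # A directory that is absent (for example /oma on Exchange 2007) is reported, not fatal.
    try {
        $row.Exists = [System.DirectoryServices.DirectoryEntry]::Exists($path)
    } catch {
        $row.Exists = $false
    }
    if (-not $row.Exists) {
        $row.Findings = "not present on this site"
        return $row
    }

    $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
    # InvokeGet reads the effective metabase value, including inherited settings.
    $row.AppPoolId     = $entry.psbase.InvokeGet("AppPoolId")
    $row.AuthAnonymous = [bool]$entry.psbase.InvokeGet("AuthAnonymous")

    $findings = @()
    if ($expectedPool.ContainsKey($Name) -and $row.AppPoolId -ne $expectedPool[$Name]) {
        $findings += "app pool is '$($row.AppPoolId)', expected '$($expectedPool[$Name])'"
    }
    if (($noAnonymous -contains $Name) -and $row.AuthAnonymous) {
        $findings += "anonymous access is enabled"
    }
    if ($findings.Count -eq 0) { $findings = @("ok") }
    $row.Findings = $findings -join "; "
    return $row
}

# Report on the directories named in the thread; nothing is modified.
"Microsoft-Server-ActiveSync", "owa", "Exchange", "oma" |
    ForEach-Object { Get-VdirAudit -Name $_ } |
    Format-Table -AutoSize -Wrap
```

A row whose Findings column names DefaultAppPool for Microsoft-Server-ActiveSync matches the misconfiguration reported in the answer above.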
 
beatinger (Author) Commented:
The solution (finally) posted at http://support.microsoft.com/kb/829167 is as accurate as it gets.  
0
