Solved

ActiveSync Error when setting up iPhone

Posted on 2010-09-03
Last Modified: 2016-01-25
I'm having a problem setting up ActiveSync on an iPhone in a new Exchange 2010 SP1 environment. This phone has been set up and worked properly once before in a previous failed Exchange 2010 install.

I have made sure that my Active Directory account has the Inherited Permissions box checked; it was working previously in this domain. I had completely re-installed the Windows 2008 R2 server and re-installed Exchange.

In the Application log on the Exchange Server, I get the following Event ID 1008: (I x'd out some of the confidential info)

An exception occurred and was handled by Exchange ActiveSync. This may have been caused by an outdated or corrupted Exchange ActiveSync device partnership. This can occur if a user tries to modify the same item from multiple computers. If this is the case, Exchange ActiveSync will re-create the partnership with the device. Items will be updated at the next synchronization.

URL=/Microsoft-Server-ActiveSync/default.eas?User=bxxxxx&DeviceId=Appl87924Y70Y7H&DeviceType=iPhone&Cmd=FolderSync
--- Exception start ---
Exception type: Microsoft.Exchange.AirSync.AirSyncPermanentException
Exception message: Security settings couldn't be applied to the user device container 'CN=ExchangeActiveSyncDevices,CN=Bxxxx Exxxx,OU=Ixxxxx Sxxxx Users,OU=Ixxxxx Sxxxxx,DC=cxxxx,DC=local' in Active Directory. Delete the container if it's empty.
Exception level: 0
HttpStatusCode: 500
AirSyncStatusCode: 111
XmlResponse:
This request does not contain a WBXML response.
Exception stack trace:    at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.Command.UpdateADDevice(GlobalInfo globalInfo)
   at Microsoft.Exchange.AirSync.Command.CompleteDeviceAccessProcessing()
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
Inner exception follows below:
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on DC2.cuzone.local. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Exception level: 1
Exception stack trace:    at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)
   at Microsoft.Exchange.AirSync.ADDeviceManager.SetActiveSyncDeviceContainerPermissions(ActiveSyncDevices container)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
Inner exception follows below:
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.
Exception level: 2
Exception stack trace:    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
--- Exception end ---.

Any help is appreciated

Thanks!
Question by:jr4235
13 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 750 total points
ID: 33600621
Is this a fresh Exchange install or a migration from a previous version?
Either way - please check your inherited permissions:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html 
0
 

Author Comment

by:jr4235
ID: 33600655
Thanks so much for your reply.

Fresh install... second attempt. First install was aborted but iPhone was working properly. Also, I did state that the inherited permission was checked.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33600705
Sorry - lots to read and I only skimmed : (
Has the account got Exchange Activesync enabled in Exchange Management Console> Recipient Configuration> Mailbox> Mailbox Properties> Mailbox Features Tab?
0

 

Author Comment

by:jr4235
ID: 33601444
Not a problem, I appreciate all the answers I can get.

Yes it does. I have a feeling that the account has an attribute hidden somewhere in AD that still contains info from a previous install but I can't seem to find it.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 750 total points
ID: 33601488
Have you tried un-checking the inherit permissions, applying the settings, then re-checking the permission and applying the settings?
Have you installed a 3rd party SSL certificate?
What is the result of:
get-activesyncvirtualdirectory | fl
0
 

Expert Comment

by:ranakular
ID: 33603702
A different angle. Try running the following as the user, does it show up anything?
https://www.testexchangeconnectivity.com/
0
 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 33603834
Have you checked this setting:
Go to the Properties/Security of the user account, click on Advanced and enable the checkbox "Include inheritable permissions from this object's parent"



0
 

Author Comment

by:jr4235
ID: 33607716
Thanks again Alan, I do have the cert and running that command returns nothing. When I go to that site it tells me everything is set up correctly. I'm thinking there is some reference to the serial number of my iPhone hidden in AD somewhere, just can't seem to find anything digging around in adsiedit.

I think I'm going to borrow a coworker's iPhone and try to set it up with my exchange account after the holiday, just to see what happens.


Shreedhar, thank you for your reply but that was addressed in my initial question and in subsequent answers.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33607996
If using another phone does not work, I would recommend removing the Activesync virtual directory and re-creating a new one.
You can use the following commands to achieve this:
Remove-ActiveSyncVirtualDirectory domain\Microsoft-Server-ActiveSync
Reference : http://technet.microsoft.com/en-us/library/aa996916.aspx
New-ActiveSyncVirtualDirectory -WebSiteName "Default Web Site" -ExternalURL http://www.domain.com/Microsoft-Server-ActiveSync 
Reference : http://technet.microsoft.com/en-us/library/aa997160.aspx 
 
0
 

Expert Comment

by:ranakular
ID: 33613021
I would also recommend looking at the following article:
http://discussions.apple.com/thread.jspa?threadID=1728784
0
 

Author Comment

by:jr4235
ID: 33617828
Ok, finally found the solution. Seemed to be a combination of problems... biggest was something left over from the failed install.

Had to go into the user container inside of ADSIEdit and delete the Activesync device. Here were the exact steps I took.

1. Disable Activesync on the Exchange account.
2. Uncheck inheritable permissions
3. Delete CN=ExchangeActiveSyncDevices from under my user container in ADSIEdit
4. Force AD Replication
5. Enable Activesync on my Exchange account
6. Check Inheritable permissions
7. Force AD Replication
8. Create Exchange profile on my iPhone.

I may not have needed to replicate AD, but did anyway for good measure. I re-created the steps a second time just to be sure the solution worked too.

Thank you all for your help.

0
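Added example, not part of the original post: steps 1 to 7 above scripted for the Exchange Management Shell, preceded by a read-only check of the inheritance flag and the leftover device objects. It assumes the ActiveDirectory RSAT module is available and uses a placeholder alias `jdoe`; the inherited ACEs are kept as copies while inheritance is off.

```powershell
# Added example (not the poster's commands). Run in the Exchange Management
# Shell on a host that also has the ActiveDirectory module installed.
Import-Module ActiveDirectory
$alias = 'jdoe'    # placeholder mailbox alias (assumption)

$user        = Get-ADUser -Identity $alias -Properties adminCount
$userPath    = "AD:\$($user.DistinguishedName)"
$containerDn = "CN=ExchangeActiveSyncDevices,$($user.DistinguishedName)"

# Read-only inspection first. adminCount = 1 marks an account protected by
# AdminSDHolder, which will switch inheritance off again after it is re-enabled.
$acl = Get-Acl -Path $userPath
"Inheritance blocked: $($acl.AreAccessRulesProtected)  adminCount: $($user.adminCount)"
try {
    Get-ADObject -SearchBase $containerDn -SearchScope OneLevel -Filter * |
        Select-Object Name, ObjectClass
} catch {
    "No ExchangeActiveSyncDevices container under $($user.DistinguishedName)"
}

# 1. Disable ActiveSync on the mailbox.
Set-CASMailbox -Identity $alias -ActiveSyncEnabled $false

# 2. Uncheck inheritable permissions (inherited ACEs kept as explicit copies).
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $userPath -AclObject $acl

# 3. Delete the stale container and the device objects below it (prompts first).
Remove-ADObject -Identity $containerDn -Recursive -Confirm:$true

# 4. Force AD replication.
repadmin /syncall /AdeP

# 5. Enable ActiveSync again.
Set-CASMailbox -Identity $alias -ActiveSyncEnabled $true

# 6. Check inheritable permissions again.
$acl = Get-Acl -Path $userPath
$acl.SetAccessRuleProtection($false, $false)
Set-Acl -Path $userPath -AclObject $acl

# 7. Force AD replication, then confirm the flag: False means inheritance is on.
repadmin /syncall /AdeP
(Get-Acl -Path $userPath).AreAccessRulesProtected
```

Step 8 (creating the Exchange profile on the iPhone) is done on the device; Exchange then creates a fresh ExchangeActiveSyncDevices container on the first sync.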
 

Author Closing Comment

by:jr4235
ID: 33617854
Very helpful
0
 

Expert Comment

by:FontanaIT
ID: 41432747
I had a corrupt device listed in my CN=ExchangeActiveSyncDevices container and followed jr4235's directions for the resolution to the issue:


1. Disable Activesync on the Exchange account.
2. Uncheck inheritable permissions
3. Delete CN=ExchangeActiveSyncDevices from under my user container in ADSIEdit
4. Force AD Replication
5. Enable Activesync on my Exchange account
6. Check Inheritable permissions
7. Force AD Replication
8. Create Exchange profile on my iPhone.
0
