Solved

Outlook not able to connect to Exchange server

Posted on 2010-11-17
14
480 Views
Last Modified: 2012-05-10
In a nutshell the issue is a permissions issue but it is unclear to me where the problem exist.  This is the second time that this has happened and I know how to 'repair' the problem but no idea on a real fix.

Windows 2003 server R2, Exchange 2007, Outlook 2007, Windows 7 desktop - all up to date on patches etc.

My Outlook account can no longer connect to the Exchange server.  OWA and my mobile phone also loose the ability to connect to the Exchange server.  The main errors that show up in the Exchange event viewer are 1016 and 1022.

They talk about a mapi faliure due to the login.  In researching the errors, it narrowed down to the permissions set on my AD account.  Under my account/Security/Advanced, I found that my "include inheritable permissions from this object's parent" is unchecked.  I go through the steps to check that box, save it etc to find that it is unchecked about 20 minutes later!  When it is checked it does not solve the problem right away but last time I talked with MS, that was the root of the issue.  Although they had me pretty much delete my Exchange account and recreate it to get my e-mail working again.  That fixed lasted almost 3 weeks to the day.

Needless to say, they also thought it was a group policy problem that was causing the problem but I have moved my account to it's own OU and the problem still exist.  I am running a Windows 7 machine along with others but the problem exist only with my account.  The backup domain adminstrator who has the same permissions etc doesn't have this problem... any ideas?

Tia,
Andrew
0
Comment
Question by:itbossman
  • 9
  • 3
  • 2
14 Comments
 
LVL 38

Expert Comment

by:Adam Brown
ID: 34155957
Rather than propagating the permissions over and over and having it clear out again, you might try assigning specific permissions. I believe the Exchange Servers group is the one that needs permission on your account in this situation. It would be difficult to dig into the cause of the problem, but explicitly assigning the permissions that should be propagated to your account is a feasible work around since there is only one account having this problem.
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34155962
a mapi issue mostly likely related to your phone setup, under your user object in AD make sure that feature is enabled and also make sure that any SSL (if running it) is checked on the phone and that your password if changed is updated on the mobile phone. in regards to exchange services make sure the map services are running.
0
 

Author Comment

by:itbossman
ID: 34156005
All of the services are running, the account is a member of all of the Exchange groups.  The password has not been reset.  The account has full domain/enterprise permissions etc.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 34156072
The permissions that the account has doesn't matter in this situations. It's what has permission to read and write *to* the account. If the Exchange Servers Group doesn't have the necessary permission to read and write on your account object, you won't be able to connect to the Exchange Server because the permissions only exist one way. AD Permissions work two ways with Exchange. Your account has to have access to the Exchange Server to read data, and the Server has to have permission to your account in order to read account information and write changes if necessary. When you lose the Inherit Permissions checkmark on your account's security settings, it effectively removes the Exchange Server group from the list of objects that are able to read and write to your account's AD Object, thus breaking the two way permissions requirement.
0
 

Author Comment

by:itbossman
ID: 34156117
Your comments make sense, the question is why is that happening though and how do I restore it.  How can I be sure it is the Exchange Servers Group is the one that is having the issue?
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34156210
i agree with acbrown, mine was a shot in the dark but his makes sense.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 34156252
I've run into this problem before. We had a couple of users in a recent migration that were just randomly set to not inherit permissions. I remember reading that the Exchange Servers group was the one that needed the access. However, you *can* get it so you have all of the necessary permissions written explicitly to your account without having to put them all in manually. On the Advanced Screen for your Accounts Security, check the Inherit Permissions box and hit apply, once that's done, remove the check mark and you'll be prompted to Copy, Remove, or Cancel. Clicking Copy will assign the necessary permissions explicitly to your account. Hit OK to close your Account Properties box and Click Yes when prompted to write the additional ACLs. Once you have the permissions assigned explicitly, you can then re-enable Inherited permissions and they won't go away if the Inheritable permissions box gets unchecked for some reason.
0
 

Author Comment

by:itbossman
ID: 34156441
I had tried that yesterday and the prompt for the username and password still pops up.  I agree that your idea should work but it isn't.  I just tried it again and the same problem happens.  I can try to reboot instead of exiting and re-entering Outlook if that would make a difference.
0
 

Author Comment

by:itbossman
ID: 34156597
Rebooted and same issue.
0
 

Author Comment

by:itbossman
ID: 34160750
Spent all day with MS and they are still working on the issue.  Odd thing is that they said over the last month or so they have seen this problem pop up.  If that were the case then why can't they fix it =p

A lot of changes were made to the back end permissions and will be rebooting the DC's, Catalog Server and the Exchange Server in the am.  Fingers crossed.
0
 

Author Comment

by:itbossman
ID: 34163304
Servers rebooted, problem still exist.
0
 

Author Comment

by:itbossman
ID: 34170568
After talking with MS, the finally concluded that the problem was with the AD account, not with Exchange.  I spent countless hours with them changing permissions on groups and ultimately my account where 'nothing' was set to deny but yet I still would get prompted for a user name a password that would not work.

I ended up setting up a backup domain account and gave that rights to get into the e-mail account and that work fine but at the end of the day, I created a new AD account that had to have a different name since I left the existing problem account active but not pointing to an e-mail account.  MS felt that if this happens again, they could compare the permissions between the two accounts to see where the problem exist.

They wanted me to create the new account and add the permission groups one by one to see which one has the problem but I told them that would be fine, it would take a few weeks to see the problem flair up so we are watching for the next installment.  With a clean AD account, hopefully this won't happen again.  Yes, the backup admin has the same permissions as I do but his account was not effected ???

For the admins on the site, I would not close this based on date or lack of a definitive answer for a while since I am in the waiting process but from researching the net, others have had this problem with no rationale on why and a 'true' fix; as of yet.

Andrew
0
 

Accepted Solution

by:
itbossman earned 0 total points
ID: 34526130
The fix was to delete my AD account, delete my Exchange account and start from scratch.  I made a backup of my current e-mail folder and imported it after the new accounts were setup.  No 'fix' but a complete 'do over'.  Yes, don't forget to redo 'all' of you domain shares, permissions etc.  Huge time project...
0
 

Author Closing Comment

by:itbossman
ID: 34613301
that was the solution
0

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now