dougclingman

Include inheritable permissions continually being removed - causing problems with ActiveSync in Exchange 2010 SP1

Summary:
Migrating away from SBS 2003 to Exchange 2010 and Server 2008.  Select users are not able to set up ActiveSync or are having problems afterwards.

- Company has outgrown SBS 2003 and we are migrating them to Exchange 2010sp1 and AD 2008.
- No problems with iPhone syncing to exchange 2003
- unable to get iPhones to setup activesync to exchange 2010
- found that the users with problems were members of the restricted groups affected by adminSDHolder
- SBS 2003 server is still in place as we have not finished migrating all items yet (close though)

Actions taken:
- removed users from restricted groups
- checked the "include inheritable permissions from this object's parent"
- used adsiedit.msc to set adminCount to 0 (zero) and also tried <not set>

Worked great...at first.  Started getting complaints that people who didn't immediately set up their phone were having problems.  Also, people who did set up their phone immediately were no longer able to "push sync."

Took a look at the checkbox for inherit and it was unchecked again for the users with problems.  Ran through the steps listed above to verify that we didn't miss anything.  adminCount is still at 0/<not set>, triple checked the list of restricted groups, etc...

Yet the inherit rights checkbox is getting unchecked from time to time.

Looking through EE and through Blackberry forums (where we first ran into this problem a long time ago) has not given any insight to the problem beyond the steps we have already tried.
Alan Hardisty

Please have a read of my article with an explanation for the rights disappearing from time to time:

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html

This only happens to accounts with Admin privileges.  It is recommended to have a separate Admin account and a separate user account so that you can Sync happily.
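
A read-only audit of the three things checked in this thread (adminCount, the inheritance checkbox, and protected-group membership, including nested membership), as an added example that is not part of the original posts. It assumes a domain-joined machine with PowerShell 2.0 or later and treats every group stamped adminCount=1 as protected; `Search-Directory` and `Escape-Filter` are hypothetical helper names.

```powershell
# Added example: read-only audit of the current domain; it changes nothing.
$nc   = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$base = [ADSI]"LDAP://$nc"

function Search-Directory([string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter, $Props)
    $s.PageSize = 500          # page results so large domains are fully returned
    $s.FindAll()
}

# Escape a DN for use as a value inside an LDAP filter (RFC 4515).
function Escape-Filter([string]$v) {
    $v.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29')
}

# Assumption: groups carrying adminCount=1 are the protected set.
$protected = Search-Directory '(&(objectCategory=group)(adminCount=1))' @('distinguishedname','cn')

# Map each user DN to the protected groups it reaches, nested membership included.
# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive match).
# memberOf does not cover a user's primary group, so that case is not reported.
$reach = @{}
foreach ($g in $protected) {
    $gdn = Escape-Filter $g.Properties['distinguishedname'][0]
    $f = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$gdn))"
    foreach ($m in (Search-Directory $f @('distinguishedname'))) {
        $dn = [string]$m.Properties['distinguishedname'][0]
        if (-not $reach.ContainsKey($dn)) { $reach[$dn] = @() }
        $reach[$dn] += [string]$g.Properties['cn'][0]
    }
}

# Report every user that is flagged, has inheritance blocked, or is still in scope.
$users = Search-Directory '(&(objectCategory=person)(objectClass=user))' @('distinguishedname','samaccountname','admincount')
foreach ($u in $users) {
    $dn      = [string]$u.Properties['distinguishedname'][0]
    $count   = if ($u.Properties.Contains('admincount')) { $u.Properties['admincount'][0] } else { $null }
    $blocked = $u.GetDirectoryEntry().psbase.ObjectSecurity.AreAccessRulesProtected
    $groups  = if ($reach.ContainsKey($dn)) { $reach[$dn] -join ', ' } else { '' }
    if ($count -or $blocked -or $groups) {
        New-Object PSObject -Property @{
            User = [string]$u.Properties['samaccountname'][0]
            AdminCount = $count; InheritanceBlocked = $blocked; ProtectedVia = $groups
        }
    }
}
```

A row with a non-empty ProtectedVia column names the groups through which the account is still in scope; a row with InheritanceBlocked set and ProtectedVia empty is an account whose checkbox has not been re-enabled since it left those groups.
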
Doug - SBS 2003 > Exchange 2010 is not a Microsoft-supported migration path?
What guide did you follow?

Did you check demazter's guide here?
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2881-Migrate-Small-Business-Server-2003-to-Exchange-2010-and-Windows-2008-R2.html

Also please check Alan's EAS page.
He is the resident Activesync genius.
dougclingman

ASKER

@alanhardisty - we already have done the steps in your post

- removed all users from the restricted groups
- modified their AD objects: adminCount .. (added a comment to your post about this)
- reset the checkbox for inherit rights

Alan - Sunnyc7 recommends that I look at your EAS page.  Do you have a link for that?

@sunnyc7 -
I did review and utilize Demazter's article, that you mentioned, for migrating from SBS2003 to Exchange 2010.  That article looks an awful lot like a migration....  

As well as Middleton's and Palachuk's documentation.  Used all three sets of documentation to pull together the process.  All of them are great - but still miss some small items....  Don't forget to modify the creation of the OAB for 2007/2010 Outlook clients - as a default installation of Exchange did not enable the web distribution (at least not in our lab installation or the customer's installation).

Even with some of the small items missed - they were all immensely better than the documentation that I found from Microsoft. ;-)

Thanks.
p.s. Demazter's article mentioned above is great.  That one article (yes, I voted for it) was probably the best single point of information that I found for moving someone from SBS2003 to Exchange 2010.  It is well written.

There are the normal gotchas that are unique to any environment that are not covered.  Yet, with a little research you will find the answers for those.

..and hopefully we will find the answer to this one.

Thanks.
Doug
Before we go further on this issue, I wanted to know:

a) Did you run EAS and EAS Autodiscover from here:
www.testexchangeconnectivity.com

Can you try that and copy-paste the full results here?

b) Did you get a UCC/SAN Certificate and install it?

thanks
sunny
Sunnyc7: Sorry for the slow response, been out of the loop with the holiday.

- we did install a UCC/SAN cert.

- ran the EAS and EAS Autodiscover tests and they were successful:

"Exchange ActiveSync was tested successfully."  -  The only item flagged was that Windows Mobile 5 devices wouldn't accept the cert, which is not an issue here as the only mobile devices are iPhones for the customer and one droid (I'm using for testing - it will not work and Motorola's fix is to use a 3rd party app)

....

going to dig through the things in your 9:49 pm post in a bit.  Haven't heard from the customer since Wed afternoon.  Being a long holiday weekend, I would only expect to hear from him if there was a server down issue.

Thanks

"Autodiscover was successfully tested for Exchange ActiveSync."

edit: the "Autodiscover was successfully tested for Exchange ActiveSync." should have been higher in the message with the EAS/EASA comment.
Very strange - After working on this issue for a couple of days before posting the question ... then letting it just sit over the holiday weekend; when I check today none of the users having problems are having the problem anymore.

I don't understand what waiting a couple of days would have done for this!
Anything in event logs?

Windows logs\application?
Regarding this issue - right now the customer is happy so I'm going to keep things as they are.  I'm going to split the points between the two of you if that is okay.

This is the first non-SBS exchange server I have set up in many years.  I have been lulled into the wizardized SBS way...  I had forgotten how much stuff you have to do yourself.

LOL - I know where you are coming from.

In terms of points - they are yours to do what you like with.  Split them however you feel you want to based on the answers posted.

Either way - glad it is working.

Alan
Quite often you can make a change and then a day or so later having given up on the changes, they suddenly start to work.

>> HA HA !!
Experience talking.

I configured a Connector in 2010 with 995 SSL on Exchange 2007 for this client of mine.
It wasn't working the first day. It started working the second day. Third it stopped for some reason, and it's working ok after that?

Doug - I am glad it worked out.

Alan
Someone needs to write an article on how to "do nothing".
I think you are the right person for that :)