Solved

Include inheritable permissions continually being removed - causing problems with ActiveSync in Exchange 2010 SP1

Posted on 2010-11-24
Last Modified: 2012-05-10
Summary:
Migrating away from SBS 2003 to Exchange 2010 and Server 2008. Select users are not able to set up ActiveSync or are having problems afterwards.

- Company has outgrown SBS 2003 and we are migrating them to Exchange 2010sp1 and AD 2008.
- No problems with iPhone syncing to exchange 2003
- unable to get iPhones to setup activesync to exchange 2010
- found that the users with problems were members of the restricted groups affected by adminSDHolder
- SBS 2003 server is still in place as we have not finished migrating all items yet (close though)

Actions taken:
- removed users from restricted groups
- checked the "include inheritable permissions from this object's parent"
- used adsiedit.msc to set adminCount to 0 (zero) and also tried <not set>

Worked great...at first.  Started getting complaints that people who didn't immediately set up their phone were having problems.  Also, people who did set up their phone immediately were no longer able to "push sync."

Took a look at the checkbox for inherit and it was unchecked again for the users with problems.  Ran through the steps listed above to verify that we didn't miss anything.  adminCount is still at 0/<not set>, triple checked the list of restricted groups, etc...

Yet the inherit rights checkbox is getting unchecked from time to time.

Looking through EE and through Blackberry forums (where we first ran into this problem a long time ago) has not given any insight to the problem beyond the steps we have already tried.
0
Comment
Question by:dougclingman
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34209362
Please have a read of my article with an explanation for the rights disappearing from time to time:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html

This only happens to accounts with Admin privileges.  It is recommended to have a separate Admin account and a separate user account so that you can Sync happily.
0
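
An added example, not posted by anyone in this thread: a PowerShell audit for the adminSDHolder behaviour described in the question. It lists users that are flagged adminCount=1 or have inheritance disabled, and shows whether each one is still a direct or nested member of a protected group. It assumes the ActiveDirectory PowerShell module is available, and it treats every group that itself carries adminCount=1 as protected, which is a heuristic rather than an authoritative list.

```powershell
# Added example: audit accounts affected by AdminSDHolder protection.
# Assumption: the ActiveDirectory module is installed and a DC answers its queries.
Import-Module ActiveDirectory

# Escape characters that are special inside an LDAP filter value.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Heuristic (assumption): groups stamped adminCount=1 are the protected set.
$protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'

# Users still flagged as protected, or whose ACL no longer inherits from the parent.
$users = Get-ADUser -Filter * -Properties adminCount, nTSecurityDescriptor |
    Where-Object { $_.adminCount -eq 1 -or $_.nTSecurityDescriptor.AreAccessRulesProtected }

$report = foreach ($u in $users) {
    # Matching rule 1.2.840.113556.1.4.1941 follows nested group membership.
    # It does not see the primary group (primaryGroupID); check that separately.
    $via = foreach ($g in $protectedGroups) {
        $dn = ConvertTo-LdapFilterValue $g.DistinguishedName
        $hit = Get-ADUser -SearchBase $u.DistinguishedName -SearchScope Base `
            -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)"
        if ($hit) { $g.Name }
    }
    New-Object PSObject -Property @{
        User                = $u.SamAccountName
        AdminCount          = $u.adminCount
        InheritanceDisabled = $u.nTSecurityDescriptor.AreAccessRulesProtected
        StillProtectedVia   = ($via -join ', ')
    }
}

$report | Sort-Object User |
    Select-Object User, AdminCount, InheritanceDisabled, StillProtectedVia |
    Format-Table -AutoSize
```

A row with a non-empty StillProtectedVia is still inside a protected group, often through nesting, so re-ticking inheritance on that account is undone the next time the AdminSDHolder propagation runs. A row with an empty value carries a leftover flag from earlier membership.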
 
LVL 28

Expert Comment

by:sunnyc7
ID: 34209436
Doug - SBS 2003 > Exchange 2010 is not a Microsoft supported migration path?
What guide did you follow ?

Did you check demazter's guide here ?
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2881-Migrate-Small-Business-Server-2003-to-Exchange-2010-and-Windows-2008-R2.html

Also please check Alan's EAS page.
He is the resident Activesync genius.
0
 

Author Comment

by:dougclingman
ID: 34210138
@alanhardisty - we already have done the steps in your post

- removed all users from the restricted groups
- modified their AD objects: adminCount .. (added a comment to your post about this)
- reset the checkbox for inherit rights

Alan - Sunnyc7 recommends that I look at your EAS page.  Do you have a link for that?

@sunnyc7 -
I did review and utilize Demazter's article, that you mentioned, for migrating from SBS2003 to Exchange 2010.  That article looks an awful lot like a migration....  

As well as Middleton's and Palachuk's documentation.  Used all three sets of documentation to pull together the process.  All of them are great - but still miss some small items....  Don't forget to modify the creation of the OAB for 2007/2010 Outlook clients - as a default installation of Exchange did not enable the web distribution (at least not in our lab installation or the customer's installation).

Even with some of the small items missed - they were all immensely better than the documentation that I found from Microsoft. ;-)

Thanks.
0
 

Author Comment

by:dougclingman
ID: 34210177
p.s. Demazter's article mentioned above is great.  That one article (yes, I voted for it) was probably the best single point of information that I found for moving someone from SBS2003 to Exchange 2010.  It is well written.

There are the normal gotchas that are unique to any environment that are not covered.  Yet, with a little research you will find the answers for those.

..and hopefully we will find the answer to this one.

Thanks.
0
 
LVL 28

Assisted Solution

by:sunnyc7
sunnyc7 earned 125 total points
ID: 34210286
AdminSDHolder, broken Activesync and Exchange 2010.
http://blog.pennic.com/?p=35

Please give that a read.

EAS = Exchange Active Sync.
The link is in Alan's post.

other articles are here
http://www.experts-exchange.com/M_4926565.html
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 34210537
Doug
Before we go further on this issue, I wanted to know:

a) Did you run EAS and EAS Autodiscover from here
www.testexchangeconnectivity.com

Can you try that and copy paste the full results here.

b) Did you get a UCC/SAN Certificate and install it ?

thanks
sunny
0
 

Author Comment

by:dougclingman
ID: 34225873
Sunnyc7: Sorry for the slow response, been out of the loop with the holiday.

- we did install a UCC/SAN cert.

- ran the EAS and EAS Autodiscover tests and they were successful:       

"Exchange ActiveSync was tested successfully."  -  The only item flagged was that Windows Mobile 5 devices wouldn't accept the cert, which is not an issue here as the only mobile devices are iPhones for the customer and one droid (I'm using for testing - it will not work and Motorola's fix is to use a 3rd party app)

....

going to dig through the things in your 9:49 pm post in a bit.  Haven't heard from the customer since Wed afternoon.  Being a long holiday weekend, I would only expect to hear from him if there was a server down issue.

Thanks

"Autodiscover was successfully tested for Exchange ActiveSync."

0
 

Author Comment

by:dougclingman
ID: 34225874
edit: the "Autodiscover was successfully tested for Exchange ActiveSync." should have been higher in the message with the EAS/EASA comment.
0
 

Author Comment

by:dougclingman
ID: 34230559
Very strange - After working on this issue for a couple of days before posting the question ... then letting it just sit over the holiday weekend; when I check today none of the users having problems are having the problem anymore.

I don't understand what waiting a couple of days would have done for this!
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 34230783
Anything in event logs

Windows logs\application ?
0
 
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 125 total points
ID: 34230820
Exchange 2010 / Windows 2008 can take some time for the settings to kick in properly before they actually work.

Quite often you can make a change and then a day or so later having given up on the changes, they suddenly start to work.

I had the same thing with my Global Address Lists.  I was pulling empty GALs and checked the permissions / settings, made some changes and nothing happened.

The following week, I had some more spare time and looked at the problem again only to find the problem was no longer a problem.

Weird - but that is Exchange 2010 / Windows 2008!
0
 

Author Comment

by:dougclingman
ID: 34231613
Regarding this issue - right now the customer is happy so I'm going to keep things as they are.  I'm going to split the points between the two of you if that is okay.

This is the first non-SBS exchange server I have set up in many years.  I have been lulled into the wizardized SBS way...  I had forgotten how much stuff you have to do yourself.

0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34231658
LOL - I know where you are coming from.

In terms of points - they are yours to do what you like with.  Split them however you feel you want to based on the answers posted.

Either way - glad it is working.

Alan
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 34231810
Quite often you can make a change and then a day or so later having given up on the changes, they suddenly start to work.

>> HA HA !!
Experience talking.

I configured a Connector in 2010 with 995 SSL on Exchange 2007 for this client of mine.
It wasn't working the first day. It started working the second day. Third it stopped for some reason, and it's working ok after that?

Doug - I am glad it worked out.

Alan
Someone needs to write an article on how to "do nothing".
I think you are the right person for that :)
0
