• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1373
  • Last Modified:

Exchange 2010 Activesync will not connect to phone

A couple of accounts will not connect to Exchange Activesync.  Any advice is much appreciated.

Fact:
Exchange 2010 SP1 installed on Windows 2008 R2.  Exchange Activesync is configured correctly and 99% of other accounts work both on Android and iPhones.  Configuration variables to connect phones are certain.  Activesync for the accounts in question are enabled.  We do not use POP.  We do have SSL in place.

Issue:  
A couple of accounts cannot connect to cell phones, both Android and iPhone.  Tried different phones and still same problem.  Getting server connection error and config variables are certain since we can connect to other accounts successfully.  SSL checkbox is checked.

Everything is pointing to the actual account settings.  Is there anything that I might have missed?  Pls advise.
0
gbksphere
Asked:
gbksphere
1 Solution
 
Jamie McKillopCommented:
Hello,

A couple of things to check:

Run get-casmailbox <user> |  select ActiveSyncAllowedDeviceID and make sure this is blank.

Run Get-ActiveSyncDeviceStatistics -mailbox <email address> and make sure there are less than ten devices returned. Exchange 2010 has a limit of ten device partnerships. You will need to clear out any old partnerships if you reach ten.

JJ
0
 
Frosty555Commented:
Do these users happen to be domain admins? In Exchange 2010 activesync does NOT work for users who are administrators because of the way the admin's permissions are inherited (or more correctly, how they are NOT inherited).

http://alanhardisty.wordpress.com/2010/03/05/activesync-not-working-on-exchange-2010-when-inherit-permissions-not-set/

You can check if this is the problem that is affecting you because there will be a whole pile of errors in the exchange server's error log reported "permission-denied" issues regarding the failed user.

The best practice suggested by microsoft is to give admin two different accounts - one with admin privileges and used for admin purposes only, and one for their regular day-to-day use.

It is NOT recommended to simply tick the "Include inheritable permissions from this object's parent" in active directory, because Windows will automatically reset that checkbox periodically, as described in the article above.

I'm looking for the original microsoft KB article... will post it when I find it.
0
 
gbksphereAuthor Commented:
Thank you for all the responses.  I managed to resolve the issue after fiddling with the issue for 2 hrs.  Frosty55 comment pointed me in the direction which eventually assisted me to resolve the problem.  The accounts in question were not admin accounts.  The problem turned out to having something to do with permission.  The steps I took eventually was to remove all security groups associated with the accounts except for domain users.  Then ticked the inherited permissions from parent.  Force replication throughout the DCs.  Went back and unticked the inherited permission.  Force replication again.  Connect to cell phones successfully after second try after clearing app cache/data on the phone (android).  Went back to AD and re-added all security groups the accounts had.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now