Solved

Exchange 2010 ActiveSync not working

Posted on 2013-01-31
Last Modified: 2013-02-06
I have a new Exchange 2010 environment that is coexisting with Exchange 2003. All my 2003 users are perfect: ActiveSync, OWA, etc. On my 2010 users, everything except ActiveSync is working. This tells me I have most everything right, from SSL to legacy.mydomain.com, etc.

I haven't bothered with Autodiscovery yet, so it's not that. I think it could be some IIS trick to redirect to the ActiveSync folder or something like that which is not right.

Any ideas?
0
Comment
Question by:cajx
 

Author Comment

by:cajx
ID: 38840021
Ah ha, an error that helps:

Exchange ActiveSync doesn't have sufficient permissions to create CN=username, etc.  container under Active Directory user "Active Directory operation failed on cbrdcx.ccbtrnt.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.

Details:%3
0
 

Author Comment

by:cajx
ID: 38840245
Well that doesn't explain everything because that error is based solely around being a domain admin (etc.) that Microsoft started blocking from having Exchange admin rights years ago. BUT, I've just tried a normal user with no admin rights, and that user also does not work with ActiveSync on the new server.

So it looks like I have two problems, one of which I still haven't found a real error for.
0
 

Author Comment

by:cajx
ID: 38840442
Awesome. OK, it looks like the one non-domain user is just an anomaly (bad iPhone). The 2nd non-domain admin account works on another iPhone. So I'm back to that event log error about certain admins not having inherited rights related to Exchange, blah blah that old problem MS introduced way back when they tried to separate domain admins from Exchange admins. So I'm going to try... one of these fixes, not sure which yet. Any recommendations? I want to make this EASY and trouble-free for future use.

I'm leaning towards whatever is the cleanest way to allow all the domain admins to not have blocked inheritance or whatever via AD. I want my domain admins to be Exchange admins, in other words.

http://support.microsoft.com/kb/2579075

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/6c7636ae-f41d-4f62-90c0-a3c9613f22d2

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/a536ff7b-90e1-4b8a-82d0-ae5111d5c607

http://support.microsoft.com/kb/817433
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38842809
My article explains what to do about this - and the recommendation is to have domain admins with two accounts:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html

Alan
0
 

Accepted Solution

by:
cajx earned 0 total points
ID: 38843778
Thanks, but I'm afraid it's not for me. I see MS is taking that stance lately. We have 5 people in IT supporting a medium-sized company... everybody has to support nearly everything (one employee is more programming and isn't a domain admin... everybody else needs to be one though)... some days it's tricky. So that solution doesn't work for us... creates more work (can't use any of the domain admin tools on my desktop... would have to reinstall everything on a remote box and remote in... then it'd give me problems because I have a certain resolution/font set up to avoid eye strain, etc. etc.) when I'm already working weekends lately. Not willing to do it.

I ended up doing this, and so far it has fixed us (and MS makes it sound sort of scary... but I'm 99.9% sure it will never impact us negatively):

http://support.microsoft.com/kb/817433
(text quoted below)

Enabling inheritance on the adminSDHolder container
If you enable inheritance on the adminSDHolder container, one of the two protective access control list (ACL) mechanisms is disabled. The default permissions are applied. However, all members of protected groups inherit permissions from the organizational unit and any parent organizational units if inheritance is enabled at the organizational unit level.

To provide inheritance protection for administrative users, move all administrative users (and other users who require inheritance protection) to their own organizational unit. At the organizational unit level, remove inheritance and then set the permissions to match the current ACLs on the adminSDHolder container. Because the permissions on the adminSDHolder container may vary (for example, Microsoft Exchange Server adds some permissions or the permissions may have been modified), review a member of a protected group for the current permissions on the adminSDHolder container. Be aware that the user interface (UI) does not display all permissions on the adminSDHolder container. Use DSacls to view all permissions on the adminSDHolder container.

You can enable inheritance on the adminSDHolder container by using ADSI Edit or Active Directory Users and Computers. The path of the adminSDHolder container is CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>

Note: If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.

To enable inheritance on the adminSDHolder container:

    1. Right-click the container, and then click Properties.
    2. Click the Security tab.
    3. Click Advanced.
    4. Click to select the Allow Inheritable permissions to propagate to this object and all child objects check box.
    5. Click OK, and then click Close.

The next time that the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).
0
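
A read-only way to see what this fix changes, as an added example that is not from the thread or the KB article: it reports whether inheritance is blocked on the adminSDHolder container and on each account flagged adminCount=1, and whether the "Exchange Servers" create-child ACE for msExchActiveSyncDevices named in the error is present. It assumes the ActiveDirectory module (RSAT) is installed; the function name Get-InheritanceReport is made up for this example.

```powershell
# Added example: read-only audit, makes no changes to the directory.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

# Look up the schemaIDGUID of the class named in the ActiveSync error
# instead of hard-coding it. $null if the Exchange schema is not present.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$easClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)' -Properties schemaIDGUID
$easGuid  = if ($easClass) { [guid]$easClass.schemaIDGUID } else { $null }

function Get-InheritanceReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $obj   = Get-ADObject -Identity $DistinguishedName -Properties nTSecurityDescriptor
    $sd    = $obj.nTSecurityDescriptor
    # Explicit and inherited ACEs, with trustees resolved to DOMAIN\name.
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    # Allow ACEs that let "Exchange Servers" create msExchActiveSyncDevices children.
    $easAces = $rules | Where-Object {
        $easGuid -and
        $_.IdentityReference.Value -like '*\Exchange Servers' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
        $_.ObjectType -eq $easGuid
    }

    [pscustomobject]@{
        Object                  = $obj.Name
        InheritanceBlocked      = $sd.AreAccessRulesProtected
        ExchangeCanCreateDevice = [bool]$easAces
        InheritedAceCount       = @($rules | Where-Object IsInherited).Count
    }
}

# adminSDHolder first (the template SDProp stamps onto protected accounts),
# then every user flagged adminCount=1. The flag can be stale: it is not
# cleared when an account leaves a protected group.
$report = @(Get-InheritanceReport -DistinguishedName $holderDN)
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $report += Get-InheritanceReport -DistinguishedName $_.DistinguishedName
}
$report | Sort-Object InheritanceBlocked, Object | Format-Table -AutoSize
```

Run it before the change and again after SDProp has had time to run. Once inheritance is enabled, every ACE set on the parent organizational units reaches the protected accounts, so the InheritedAceCount column shows how much now depends on those OU permissions.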
 

Author Closing Comment

by:cajx
ID: 38858684
Not willing to increase my department's workload by 10% just to follow in the footsteps of Fortune 500 companies that have infinite resources. 4 out of 5 IT employees in my group need to be domain admins and get their email all on the same desktop, etc.
0

Question has a verified solution.