Solved

Exchange 2010 ActiveSync not working

Posted on 2013-01-31
Last Modified: 2013-02-06
I have a new Exchange 2010 environment that is coexisting with Exchange 2003. All my 2003 users are perfect, ActiveSync, OWA, etc. On my 2010 users, everything except ActiveSync is working. This tells me I have most everything right from SSL to legacy.mydomain.com, etc.

I haven't bothered with Autodiscover yet, so it's not that. I think it could be some IIS trick to redirect to the ActiveSync folder or something like that which is not right.

Any ideas?
Question by:cajx
6 Comments
 

Author Comment

by:cajx
ID: 38840021
Ah ha, an error that helps:

Exchange ActiveSync doesn't have sufficient permissions to create CN=username, etc. container under Active Directory user "Active Directory operation failed on cbrdcx.ccbtrnt.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.

Details:%3

Author Comment

by:cajx
ID: 38840245
Well that doesn't explain everything because that error is based solely around being a domain admin (etc.) that Microsoft started blocking from having Exchange admin rights years ago. BUT, I've just tried a normal user with no admin rights, and that user also does not work with ActiveSync on the new server.

So it looks like I have two problems, one of which I still haven't found a real error for.

Author Comment

by:cajx
ID: 38840442
Awesome. OK, it looks like the one non-domain user is just an anomaly (bad iPhone). The 2nd non-domain admin account works on another iPhone. So I'm back to that eventlog error about certain admins not having inherited rights related to Exchange, blah blah that old problem MS introduced way back when they tried to separate domain admins from exchange admins. So I'm going to try... one of these fixes, not sure which yet. Any recommendations? I want to make this EASY and troublefree for future use.

I'm leaning towards whatever is the cleanest way to allow all the domain admins to not have blocked inheritance or whatever via AD. I want my domain admins to be exchange admins, in other words.

http://support.microsoft.com/kb/2579075

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/6c7636ae-f41d-4f62-90c0-a3c9613f22d2

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/a536ff7b-90e1-4b8a-82d0-ae5111d5c607

http://support.microsoft.com/kb/817433

Expert Comment

by:Alan Hardisty
ID: 38842809
My article explains what to do about this - and the recommendation is to have domain admins with two accounts:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html

Alan

Accepted Solution

by:cajx (earned 0 total points)
ID: 38843778
Thanks, but I'm afraid it's not for me. I see MS is taking that stance lately. We have 5 people in IT supporting a medium sized company... everybody has to support nearly everything (one employee is more programming and isn't a domain admin... everybody else needs to be one though)... some days it's tricky. So that solution doesn't work for us... it creates more work (can't use any of the domain admin tools on my desktop... would have to reinstall everything on a remote box and remote in... then it'd give me problems because I have a certain resolution/font set up to avoid eye strain, etc. etc.) when I'm already working weekends lately. Not willing to do it.

I ended up doing this, and so far it has fixed us (And MS makes it sound sort of scary... but I'm 99.9% sure it will never impact us negatively):

http://support.microsoft.com/kb/817433
(text quoted below)

Enabling inheritance on the adminSDHolder container
If you enable inheritance on the adminSDHolder container, one of the two protective access control list (ACL) mechanisms is disabled. The default permissions are applied. However, all members of protected groups inherit permissions from the organizational unit and any parent organizational units if inheritance is enabled at the organizational unit level.

To provide inheritance protection for administrative users, move all administrative users (and other users who require inheritance protection) to their own organizational unit. At the organizational unit level, remove inheritance and then set the permissions to match the current ACLs on the adminSDHolder container. Because the permissions on the adminSDHolder container may vary (for example, Microsoft Exchange Server adds some permissions or the permissions may have been modified), review a member of a protected group for the current permissions on the adminSDHolder container. Be aware that the user interface (UI) does not display all permissions on the adminSDHolder container. Use DSacls to view all permissions on the adminSDHolder container.

You can enable inheritance on the adminSDHolder container by using ADSI Edit or Active Directory Users and Computers. The path of the adminSDHolder container is CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>

Note If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.

To enable inheritance on the adminSDHolder container:

    1. Right-click the container, and then click Properties.
    2. Click the Security tab.
    3. Click Advanced.
    4. Click to select the Allow inheritable permissions to propagate to this object and all child objects check box.
    5. Click OK, and then click Close.

The next time that the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).
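The event-log error quoted earlier in the thread names exactly what to check on the failing user object (adminCount, blocked inheritance, and an ACE for domain\Exchange Servers on the msExchActiveSyncDevices class), and the KB text above says to use DSacls rather than the UI to see every permission. The following PowerShell is an added example, not code from the thread or from Microsoft, that reports those three conditions for one account so you can confirm the diagnosis before touching AdminSDHolder and re-check after SDProp has run. It assumes the ActiveDirectory RSAT module on a domain-joined machine with read access to AD, that the group appears as "<domain>\Exchange Servers" as in the error text, and the sample account name 'jdoe' is made up.

```powershell
# Added example (not from the original thread). For one user, report the
# conditions the ActiveSync error message says to verify:
#   - adminCount = 1 (account is stamped from AdminSDHolder by SDProp)
#   - ACL inheritance blocked on the user object
#   - Allow ACE for "<domain>\Exchange Servers" covering Create child /
#     Delete child / List for msExchActiveSyncDevices, with no matching Deny
# Assumptions: ActiveDirectory module (RSAT), domain-joined host with read
# access to the directory, group name "Exchange Servers" as in the event text.
Import-Module ActiveDirectory

function Get-EasSchemaGuid {
    # schemaIDGUID of the msExchActiveSyncDevices class. ACEs scoped to that
    # class carry this GUID in their ObjectType field.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)' `
        -Properties schemaIDGUID
    if (-not $cls) {
        throw 'msExchActiveSyncDevices is not in the schema; has Exchange schema prep been run?'
    }
    return [guid]$cls.schemaIDGUID
}

function Test-EasUserAcl {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $easGuid = Get-EasSchemaGuid
    $user = Get-ADUser -Identity $SamAccountName `
        -Properties adminCount, nTSecurityDescriptor
    # System.DirectoryServices.ActiveDirectorySecurity for the user object
    $sd = $user.nTSecurityDescriptor

    # Explicit and inherited ACEs, with trustees resolved to DOMAIN\name.
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $exch  = @($rules | Where-Object { $_.IdentityReference.Value -like '*\Exchange Servers' })

    # Rights the error message asks for, as one mask.
    $wanted = [int]([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::ListChildren)

    # An ACE applies to msExchActiveSyncDevices children if its ObjectType is
    # that class GUID, or if it is unscoped (Guid.Empty means all classes).
    $scoped = @($exch | Where-Object {
        $_.ObjectType -eq $easGuid -or $_.ObjectType -eq [guid]::Empty
    })

    $allowMask = 0
    $denyMask  = 0
    foreach ($r in $scoped) {
        $bits = [int]$r.ActiveDirectoryRights
        if ($r.AccessControlType -eq 'Allow') { $allowMask = $allowMask -bor $bits }
        else                                  { $denyMask  = $denyMask  -bor $bits }
    }

    [pscustomobject]@{
        User                   = $user.SamAccountName
        AdminCount             = $user.adminCount
        InheritanceBlocked     = $sd.AreAccessRulesProtected
        ExchangeServersAllowOK = (($allowMask -band $wanted) -eq $wanted)
        ExchangeServersDeny    = (($denyMask  -band $wanted) -ne 0)
        InheritedExchAceCount  = @($exch | Where-Object { $_.IsInherited }).Count
    }
}

# Usage with an assumed account name. A protected admin that fails ActiveSync
# typically shows AdminCount=1, InheritanceBlocked=True and
# ExchangeServersAllowOK=False; a normal user shows the opposite.
Test-EasUserAcl -SamAccountName 'jdoe' | Format-List

# Compare against what SDProp will stamp onto protected accounts. The KB text
# above notes the UI hides some ACEs, so read the container with dsacls:
dsacls "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)" |
    findstr /i /c:"Exchange Servers"
```

Run it once on a working non-admin account and once on a failing domain admin; the difference between the two rows is the AdminSDHolder effect the thread is describing. After changing inheritance on the AdminSDHolder container as in the accepted solution, allow SDProp to run (the KB says up to 60 minutes) and re-run the function on the admin account; InheritanceBlocked should now be False and ExchangeServersAllowOK True. Keep the KB caveat in mind: that change weakens one of the two protections for every member of a protected group, not just the mailbox users, which is why the alternative in Alan's article is a separate non-admin account for mail.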

Author Closing Comment

by:cajx
ID: 38858684
Not willing to increase my department's workload by 10% just to follow in the footsteps of Fortune 500 companies that have infinite resources. 4 out of 5 IT employees in my group need to be domain admins and get their email all on the same desktop, etc.