Solved

Exchange 2010 ActiveSync not working

Posted on 2013-01-31
Last Modified: 2013-02-06
I have a new Exchange 2010 environment that is coexisting with Exchange 2003. All my 2003 users are perfect: ActiveSync, OWA, etc. On my 2010 users, everything except ActiveSync is working. This tells me I have most everything right, from SSL to legacy.mydomain.com, etc.

I haven't bothered with Autodiscovery yet, so it's not that. I think it could be some IIS trick to redirect to the ActiveSync folder or something like that which is not right.

Any ideas?
Question by:cajx

Author Comment

by:cajx
ID: 38840021
Ah ha, an error that helps:

Exchange ActiveSync doesn't have sufficient permissions to create CN=username, etc. container under Active Directory user "Active Directory operation failed on cbrdcx.ccbtrnt.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.

Details:%3

Author Comment

by:cajx
ID: 38840245
Well that doesn't explain everything because that error is based solely around being a domain admin (etc.) that Microsoft started blocking from having Exchange admin rights years ago. BUT, I've just tried a normal user with no admin rights, and that user also does not work with ActiveSync on the new server.

So it looks like I have two problems, one of which I still haven't found a real error for.

Author Comment

by:cajx
ID: 38840442
Awesome. OK, it looks like the one non-domain-admin user is just an anomaly (bad iPhone). The 2nd non-domain-admin account works on another iPhone. So I'm back to that event log error about certain admins not having inherited rights related to Exchange, blah blah, that old problem MS introduced way back when they tried to separate domain admins from Exchange admins. So I'm going to try... one of these fixes, not sure which yet. Any recommendations? I want to make this EASY and trouble-free for future use.

I'm leaning towards whatever is the cleanest way to allow all the domain admins to not have blocked inheritance, or whatever, via AD. I want my domain admins to be Exchange admins, in other words.

http://support.microsoft.com/kb/2579075

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/6c7636ae-f41d-4f62-90c0-a3c9613f22d2

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/a536ff7b-90e1-4b8a-82d0-ae5111d5c607

http://support.microsoft.com/kb/817433

Expert Comment

by:Alan Hardisty
ID: 38842809
My article explains what to do about this - and the recommendation is to have domain admins with two accounts:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html

Alan

Accepted Solution

by:
cajx earned 0 total points
ID: 38843778
Thanks, but I'm afraid it's not for me. I see MS is taking that stance lately. We have 5 people in IT supporting a medium-sized company... everybody has to support nearly everything (one employee is more programming and isn't a domain admin... everybody else needs to be one, though)... some days it's tricky. So that solution doesn't work for us... it creates more work (can't use any of the domain admin tools on my desktop... would have to reinstall everything on a remote box and remote in... then it'd give me problems because I have a certain resolution/font set up to avoid eye strain, etc. etc.) when I'm already working weekends lately. Not willing to do it.

I ended up doing this, and so far it has fixed us (And MS makes it sound sort of scary... but I'm 99.9% sure it will never impact us negatively):

http://support.microsoft.com/kb/817433
(text quoted below)

Enabling inheritance on the adminSDHolder container
If you enable inheritance on the adminSDHolder container, one of the two protective access control list (ACL) mechanisms is disabled. The default permissions are applied. However, all members of protected groups inherit permissions from the organizational unit and any parent organizational units if inheritance is enabled at the organizational unit level.

To provide inheritance protection for administrative users, move all administrative users (and other users who require inheritance protection) to their own organizational unit. At the organizational unit level, remove inheritance and then set the permissions to match the current ACLs on the adminSDHolder container. Because the permissions on the adminSDHolder container may vary (for example, Microsoft Exchange Server adds some permissions or the permissions may have been modified), review a member of a protected group for the current permissions on the adminSDHolder container. Be aware that the user interface (UI) does not display all permissions on the adminSDHolder container. Use DSacls to view all permissions on the adminSDHolder container.

You can enable inheritance on the adminSDHolder container by using ADSI Edit or Active Directory Users and Computers. The path of the adminSDHolder container is CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>

Note If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.

To enable inheritance on the adminSDHolder container:

    Right-click the container, and then click Properties.
    Click the Security tab.
    Click Advanced.
    Click to select the Allow inheritable permissions to propagate to this object and all child objects check box.
    Click OK, and then click Close.

The next time that the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).
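As an added example, not part of the original thread or of the quoted Microsoft KB text: a PowerShell audit of the three things the event text and the KB procedure above turn on. It reports whether inheritance is still blocked on CN=AdminSDHolder (the KB procedure clears that flag), which accounts SDProp currently protects (adminCount=1), and, per protected user, whether the user's ACL carries an Allow ACE for "<domain>\Exchange Servers" with Create child and Delete child on the msExchActiveSyncDevices class and no Deny ACE that would block it. It assumes the ActiveDirectory RSAT module and a domain-joined session with read rights on AD; the function and variable names are this example's own, and the msExchActiveSyncDevices class GUID is read from the schema rather than hard-coded.

```powershell
# Added example (not from the original thread or the KB article).
# Assumes the ActiveDirectory RSAT module; all function names are this example's own.
Import-Module ActiveDirectory

$DomainDN        = (Get-ADDomain).DistinguishedName
$AdminSdHolderDN = "CN=AdminSDHolder,CN=System,$DomainDN"
$Rights          = [System.DirectoryServices.ActiveDirectoryRights]

# schemaIDGUID of the msExchActiveSyncDevices class, looked up in the schema.
# CreateChild/DeleteChild ACEs scoped to a class carry that class GUID in ObjectType.
function Get-EasDevicesClassGuid {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(ldapDisplayName=msExchActiveSyncDevices)' -Properties schemaIDGUID
    if (-not $cls) { throw 'msExchActiveSyncDevices is not in the schema; has Exchange PrepareSchema run?' }
    New-Object Guid -ArgumentList (,[byte[]]$cls.schemaIDGUID)
}

# $true  = "Allow inheritable permissions to propagate..." is unticked (the default).
# $false = the KB procedure quoted above has been applied to AdminSDHolder.
function Test-AdminSdHolderInheritanceBlocked {
    (Get-Acl -Path "AD:\$AdminSdHolderDN").AreAccessRulesProtected
}

# Accounts SDProp has stamped, i.e. members (direct or nested) of protected groups.
function Get-ProtectedUsers {
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount
}

# Checks one user's ACL for the ACE the event text asks for, and for any Deny
# from Exchange Servers that would override it.
function Test-EasDeviceContainerAce {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user      = Get-ADUser $SamAccountName -Properties adminCount
    $acl       = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $classGuid = Get-EasDevicesClassGuid
    $wanted    = $Rights::CreateChild -bor $Rights::DeleteChild

    # ACEs from Exchange Servers that apply to msExchActiveSyncDevices children:
    # either scoped to that class, or unscoped (empty GUID = all child types).
    $exchAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*\Exchange Servers' -and
        ($_.ObjectType -eq $classGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    $allow = $exchAces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $wanted) -eq $wanted)
    }
    $deny = $exchAces | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (($_.ActiveDirectoryRights -band $wanted) -ne 0)
    }

    [pscustomobject]@{
        User               = $SamAccountName
        AdminCount         = $user.adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected
        HasExchangeAllow   = [bool]$allow
        HasExchangeDeny    = [bool]$deny
        ExpectEasToWork    = ([bool]$allow -and -not [bool]$deny)
    }
}

# Usage: one line for AdminSDHolder, then one row per protected account.
"AdminSDHolder inheritance blocked: $(Test-AdminSdHolderInheritanceBlocked)"
Get-ProtectedUsers |
    ForEach-Object { Test-EasDeviceContainerAce -SamAccountName $_.SamAccountName } |
    Format-Table -AutoSize
```

Two caveats when reading the output. SDProp rewrites the ACL of every adminCount=1 account from AdminSDHolder on its schedule (the KB quotes up to 60 minutes), so a user-level change that looks fixed can be undone on the next run; re-run the audit after SDProp has cycled and replication has caught up. And because the KB procedure changes AdminSDHolder itself, it loosens the ACL of every protected account in the domain (Domain Admins, Enterprise Admins, and the rest), not only the accounts that need ActiveSync, which is the trade-off the quoted text warns about; the KB's own suggestion of `dsacls` on the AdminSDHolder DN is the quickest way to see the ACEs the GUI hides before and after the change.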

Author Closing Comment

by:cajx
ID: 38858684
Not willing to increase my department's workload by 10% just to follow in the footsteps of Fortune 500 companies that have infinite resources. 4 out of 5 IT employees in my group need to be domain admins and get their email all on the same desktop, etc.
