Solved

Exchange 2010 ActiveSync not working

Posted on 2013-01-31
Last Modified: 2013-02-06
I have a new Exchange 2010 environment that is coexisting with Exchange 2003. All my 2003 users are perfect: ActiveSync, OWA, etc. On my 2010 users, everything except ActiveSync is working. This tells me I have most everything right, from SSL to legacy.mydomain.com, etc.

I haven't bothered with Autodiscover yet, so it's not that. I think it could be some IIS trick to redirect to the ActiveSync folder, or something like that, which is not right.

Any ideas?
Question by:cajx
6 Comments
 

Author Comment

by:cajx
ID: 38840021
Ah ha, an error that helps:

Exchange ActiveSync doesn't have sufficient permissions to create CN=username, etc.  container under Active Directory user "Active Directory operation failed on cbrdcx.ccbtrnt.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.

Details:%3
 

Author Comment

by:cajx
ID: 38840245
Well, that doesn't explain everything, because that error is based solely around being a domain admin (etc.), which Microsoft started blocking from having Exchange admin rights years ago. BUT I've just tried a normal user with no admin rights, and that user also does not work with ActiveSync on the new server.

So it looks like I have two problems, one of which I still haven't found a real error for.
 

Author Comment

by:cajx
ID: 38840442
Awesome. OK, it looks like the one non-domain-admin user is just an anomaly (bad iPhone). The 2nd non-domain-admin account works on another iPhone. So I'm back to that event log error about certain admins not having inherited rights related to Exchange, blah blah, that old problem MS introduced way back when they tried to separate domain admins from Exchange admins. So I'm going to try... one of these fixes, not sure which yet. Any recommendations? I want to make this EASY and trouble-free for future use.

I'm leaning towards whatever is the cleanest way to allow all the domain admins to not have blocked inheritance or whatever via AD. I want my domain admins to be exchange admins, in other words.

http://support.microsoft.com/kb/2579075

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/6c7636ae-f41d-4f62-90c0-a3c9613f22d2

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/a536ff7b-90e1-4b8a-82d0-ae5111d5c607

http://support.microsoft.com/kb/817433
 

Expert Comment

by:Alan Hardisty
ID: 38842809
My article explains what to do about this - and the recommendation is to have domain admins with two accounts:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html

Alan
 

Accepted Solution

by:cajx (earned 0 total points)
ID: 38843778
Thanks, but I'm afraid it's not for me. I see MS is taking that stance lately. We have 5 people in IT supporting a medium-sized company... everybody has to support nearly everything (one employee is more programming and isn't a domain admin... everybody else needs to be one, though)... some days it's tricky. So that solution doesn't work for us... it creates more work (can't use any of the domain admin tools on my desktop... would have to reinstall everything on a remote box and remote in... then it'd give me problems because I have a certain resolution/font set up to avoid eye strain, etc. etc.) when I'm already working weekends lately. Not willing to do it.

I ended up doing this, and so far it has fixed us (and MS makes it sound sort of scary... but I'm 99.9% sure it will never impact us negatively):

http://support.microsoft.com/kb/817433
(text quoted below)

Enabling inheritance on the adminSDHolder container
If you enable inheritance on the adminSDHolder container, one of the two protective access control list (ACL) mechanisms is disabled. The default permissions are applied. However, all members of protected groups inherit permissions from the organizational unit and any parent organizational units if inheritance is enabled at the organizational unit level.

To provide inheritance protection for administrative users, move all administrative users (and other users who require inheritance protection) to their own organizational unit. At the organizational unit level, remove inheritance and then set the permissions to match the current ACLs on the adminSDHolder container. Because the permissions on the adminSDHolder container may vary (for example, Microsoft Exchange Server adds some permissions or the permissions may have been modified), review a member of a protected group for the current permissions on the adminSDHolder container. Be aware that the user interface (UI) does not display all permissions on the adminSDHolder container. Use DSacls to view all permissions on the adminSDHolder container.

You can enable inheritance on the adminSDHolder container by using ADSI Edit or Active Directory Users and Computers. The path of the adminSDHolder container is CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>

Note If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.

To enable inheritance on the adminSDHolder container:

    Right-click the container, and then click Properties.
    Click the Security tab.
    Click Advanced.
    Click to select the Allow inheritable permissions to propagate to this object and all child objects check box.
    Click OK, and then click Close.

The next time that the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).
 
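Added example (not from the original post, the linked article, or the Microsoft KB): a PowerShell script that checks, for every account SDProp has stamped with adminCount=1, whether inheritance is blocked on the user object and whether the inherited "Exchange Servers" Create child ACE for msExchActiveSyncDevices from the event log text above is actually present. It then applies the KB 817433 fix quoted in the accepted solution (enable inheritance on CN=AdminSDHolder) and kicks SDProp on the PDC emulator rather than waiting up to 60 minutes. Requires the RSAT ActiveDirectory module and a Domain Admin session; the `$dryRun` switch and the names used are assumptions for illustration. Note the caveat the KB itself gives: enabling inheritance on AdminSDHolder disables one of the two protective mechanisms for every protected account in the domain, which is why the article linked by Alan recommends separate admin and mailbox accounts instead. Enabling inheritance on a single user object does not help by itself, because SDProp re-protects it within the hour.

```powershell
# Added example: diagnose and (optionally) remediate the INSUFF_ACCESS_RIGHTS
# ActiveSync failure for protected (adminCount=1) accounts on Exchange 2010.
# Assumes RSAT ActiveDirectory module; run as Domain Admin on a domain-joined box.
Import-Module ActiveDirectory

$dryRun   = $true                      # assumption: set to $false to apply the AdminSDHolder change
$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext

# Schema GUID of the msExchActiveSyncDevices class. A "Create child" ACE limited
# to one object type carries that class GUID in its ObjectType field.
$easClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(ldapDisplayName=msExchActiveSyncDevices)' -Properties schemaIDGUID
$easGuid  = [guid]$easClass.schemaIDGUID
$createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild

function Test-EasPermission {
    # Returns whether inheritance is blocked on the user and whether the
    # Exchange Servers ACE from the event log text is present on the object.
    param([Parameter(Mandatory)][string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*\Exchange Servers' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $easGuid -and
        (([int]$_.ActiveDirectoryRights -band $createChild) -ne 0)
    }
    [pscustomobject]@{
        DistinguishedName     = $Dn
        InheritanceBlocked    = $acl.AreAccessRulesProtected
        ExchangeServersCreate = [bool]$ace     # $false => ActiveSync will fail for this user
    }
}

# 1. Report: every account SDProp has stamped is a candidate for the error.
$report = Get-ADUser -LDAPFilter '(adminCount=1)' |
    ForEach-Object { Test-EasPermission -Dn $_.DistinguishedName }
$report | Format-Table -AutoSize

# 2. Show the full AdminSDHolder ACL the KB says the GUI does not display in full.
$sdHolderDn = "CN=AdminSDHolder,CN=System,$domainDN"
dsacls $sdHolderDn

# 3. KB 817433 fix (what the asker did): let AdminSDHolder inherit from CN=System.
if ($dryRun) {
    Write-Host "Dry run: would enable inheritance on $sdHolderDn"
} else {
    $sdAcl = Get-Acl -Path "AD:\$sdHolderDn"
    # $false = stop protecting (inherit); $true = keep existing explicit ACEs.
    $sdAcl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$sdHolderDn" -AclObject $sdAcl

    # Trigger SDProp now on the PDC emulator instead of waiting for the hourly run
    # (Windows Server 2008+ rootDSE operational attribute).
    $pdc = (Get-ADDomain).PDCEmulator
    $pdcRoot = [ADSI]"LDAP://$pdc/RootDSE"
    $pdcRoot.Put('runProtectAdminGroupsTask', '1')
    $pdcRoot.SetInfo()

    # Re-check: after SDProp runs, InheritanceBlocked should be $false and
    # ExchangeServersCreate $true for the accounts in the report.
    $report | ForEach-Object { Test-EasPermission -Dn $_.DistinguishedName } | Format-Table -AutoSize
}
```

Run the report section first against a mailbox-enabled admin that fails ActiveSync: `InheritanceBlocked = True` together with `ExchangeServersCreate = False` confirms the event log diagnosis before anything is changed. If you take the two-account route instead, the report is still useful to verify that the mailbox account is not a member of any protected group (it should not appear in the adminCount=1 list at all).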

Author Closing Comment

by:cajx
ID: 38858684
Not willing to increase my departments workload by 10% just to follow in the footsteps of fortune 500 companies that have infinite resources. 4 out of 5 IT employees in my group need to be domain admins and get their email all on the same desktop, etc.
