Unable to configure new exchange accounts on any smartphone.

Current environment: VM Server 2008R2 running Exchange 2010 V14.03.0248.002 fully updated, behind an X300 firewall using their ESS & web security. Currently we have 15 units configured with Exchange accounts and have no issues, but we are unable to configure any new units. Purchased a SAN SSL and installed it. I have an A record in my public zone and on-premise DNS for the autodiscover URL. I am seeing this error in the Exchange server event log.

I have verified that my internal and external URLs for my Client Access services are configured correctly by running the following:
Get-ActiveSyncVirtualDirectory | fl internalurl,externalurl
Get-AutoDiscoverVirtualDirectory | fl internalurl,externalurl
Get-ECPVirtualDirectory | fl internalurl,externalurl
Get-OabVirtualDirectory | fl internalurl,externalurl
Get-WebServicesVirtualDirectory | fl internalurl,externalurl

Exchange ActiveSync device requests for your users are being blocked. This problem frequently occurs when the HTTP OPTIONS method request isn't allowed by the firewall. Please check the firewall that filters requests in front of your Client Access server and the Microsoft-Server-ActiveSync virtual directory.

Another note: looking at my Active Directory (w/ advanced and Users, contacts, groups and ...), I see that current users have an ExchangeActiveSyncDevices folder listed under their user name in the OU, but new ones do not.

Running a test at testconnectivity.microsoft.com produces the following:

Attempting the FolderSync command on the Exchange ActiveSync session.
  The test of the FolderSync command failed.

Additional Details
Exchange ActiveSync returned an HTTP 503 response (Service Unavailable).
HTTP Response Headers:
MS-Server-ActiveSync: 14.3
X-MS-RP: 2.0,2.1,2.5,12.0,12.1,14.0,14.1
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Content-Length: 27
Cache-Control: private
Content-Type: text/html
Date: Thu, 09 Jul 2015 22:17:07 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Elapsed Time: 20489 ms.

User is not part of any admin groups or permissions.

Another error I am seeing. I have changed the DC name and the domain name in the output.

Exchange ActiveSync experienced a transient error when it tried to access Active Directory information for user "quality\bar". Exchange ActiveSync will try this operation again. If this event occurs infrequently, no user action is required. If this event occurs frequently, check network connectivity using PING or PingPath. You can also use the Test-ActiveSyncConnectivity cmdlet. More information:

Microsoft.Exchange.Data.Directory.ADTransientException: Exchange couldn't find any usable connections to the Active Directory server DC.DOMAIN. Take a look at the event logs, and try again later. ---> System.DirectoryServices.Protocols.DirectoryOperationException: The administration limit on the server was exceeded.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDeviceContainer(Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime)
   at Microsoft.Exchange.AirSync.Command.UpdateADDevice(GlobalInfo globalInfo)
   at Microsoft.Exchange.AirSync.Command.CompleteDeviceAccessProcessing()
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
Robert Cabrera asked:

Simon Butler (Sembee), Consultant, commented:
The primary reason for ActiveSync connection failures is a lack of permission inheritance enabled on the account in ADUC, so start there.
Have the accounts EVER been a member of a protected group? In ADUC, look in the Attribute Editor for AdminCount; it should be clear. If it says 1, then it is still counted as having membership of a protected group.

Have you attempted to connect the devices using internal Wifi?

Simon.
0
Robert Cabrera (Author) commented:
Hello Simon. Thank you for responding. Yes, I see many have had permission inheritance (not selected) be an issue, but not so in this case. No, this brand new user is not part of any administrative groups. What I see when attempting to set up an account is the following error.

Log Name:      Application
Source:        MSExchange ActiveSync
Date:          7/10/2015 3:08:50 PM
Event ID:      1015
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ExchangeServer.domain
Description:
Exchange ActiveSync experienced a transient error when it tried to access Active Directory information for user "DOMAIN\USER". Exchange ActiveSync will try this operation again. If this event occurs infrequently, no user action is required. If this event occurs frequently, check network connectivity using PING or PingPath. You can also use the Test-ActiveSyncConnectivity cmdlet. More information:

Microsoft.Exchange.Data.Directory.ADTransientException: Exchange couldn't find any usable connections to the Active Directory server DC.DOMAIN. Take a look at the event logs, and try again later. ---> System.DirectoryServices.Protocols.DirectoryOperationException: The administration limit on the server was exceeded.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDeviceContainer(Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime)
   at Microsoft.Exchange.AirSync.Command.UpdateADDevice(GlobalInfo globalInfo)
   at Microsoft.Exchange.AirSync.Command.CompleteDeviceAccessProcessing()
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchange ActiveSync" />
    <EventID Qualifiers="49156">1015</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-07-10T19:08:50.000000000Z" />
    <EventRecordID>883222</EventRecordID>
    <Channel>Application</Channel>
    <Computer>ExchangeServer.DOMAIN</Computer>
    <Security />
  </System>
  <EventData>
    <Data>DOMAIN\USER</Data>
    <Data>Microsoft.Exchange.Data.Directory.ADTransientException: Exchange couldn't find any usable connections to the Active Directory server DC.DOMAIN. Take a look at the event logs, and try again later. ---&gt; System.DirectoryServices.Protocols.DirectoryOperationException: The administration limit on the server was exceeded.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDeviceContainer(Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime)
   at Microsoft.Exchange.AirSync.Command.UpdateADDevice(GlobalInfo globalInfo)
   at Microsoft.Exchange.AirSync.Command.CompleteDeviceAccessProcessing()
   at Microsoft.Exchange.AirSync.Command.WorkerThread()</Data>
  </EventData>
</Event>

While troubleshooting I needed to make a new email distribution group but found that I can't now. I am getting the following error.

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:01


NEWGROUP
Failed

Error:
Exchange couldn't find any usable connections to the Active Directory server DC.DOMAIN. Take a look at the event logs, and try again later.

The administration limit on the server was exceeded.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.140).aspx?v=14.3.248.2&t=exchgf1&e=ms.exch.err.ExE542FC

Exchange Management Shell command attempted:
new-DistributionGroup -Name 'NEWGROUP' -SamAccountName 'NEWGROUP' -Alias 'NEWGROUP'

Elapsed Time: 00:00:01
0
Robert Cabrera (Author) commented:
I figured out how I shot myself in the face with one of my issues! I had looked into limiting the changes one of my helpdesk individuals could make. I was following this article

http://clintboessen.blogspot.com/2013/10/what-is-ntds-quotas-container-in-active.html and had set my msDS-DefaultQuota attribute to 50.

Removed that and my https://testconnectivity.microsoft.com now reports flawlessly.

Still cannot get new iPhone to configure email though. Perhaps a server reboot tonight!
0
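Since the fix above was removing the msDS-DefaultQuota value, here is an added PowerShell audit (not part of the thread or of Microsoft's tooling) that reads the NTDS Quotas container, lists explicit quota specifications and the top object owners, and shows the per-trustee alternative to lowering the domain-wide default. It assumes the ActiveDirectory module on a domain-joined host; the helpdesk account name is a placeholder, and the msDS-TopQuotaUsage element names are an assumption, so they are matched with a tolerant regex.

```powershell
# Added example, not from the thread: audit NTDS Quotas before a low default
# quota blocks Exchange (the "administration limit ... exceeded" error above).
Import-Module ActiveDirectory

$quotasDN  = "CN=NTDS Quotas,$((Get-ADDomain).DistinguishedName)"
$container = Get-ADObject -Identity $quotasDN -Properties 'msDS-DefaultQuota','msDS-TopQuotaUsage'
$default   = [int]$container.'msDS-DefaultQuota'   # -1 = unlimited (the shipped value)
"Default quota for principals without an explicit quota: $default"

function ConvertTo-AccountName([string]$SidString) {
    # Best-effort SID -> DOMAIN\name; fall back to the raw SID string.
    try { (New-Object System.Security.Principal.SecurityIdentifier($SidString)).Translate(
              [System.Security.Principal.NTAccount]).Value }
    catch { $SidString }
}

# Explicit per-trustee quota specifications (objectClass msDS-QuotaControl).
Get-ADObject -SearchBase $quotasDN -LDAPFilter '(objectClass=msDS-QuotaControl)' `
             -Properties 'msDS-QuotaTrustee','msDS-QuotaAmount' | ForEach-Object {
    $sid = $_.'msDS-QuotaTrustee'
    if ($sid -is [byte[]]) { $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0) }
    "{0,-40} limit {1}" -f (ConvertTo-AccountName $sid.ToString()), $_.'msDS-QuotaAmount'
}

# Top object owners as reported by the DC. Any owner at or above the default
# (when the default is not -1) fails its next create with the error in the
# thread; the principal that creates ExchangeActiveSyncDevices containers is
# counted like any other. Element names are an assumption, hence the regex.
foreach ($entry in $container.'msDS-TopQuotaUsage') {
    if ($entry -match '<ownerSID>(?<sid>[^<]+)</ownerSID>') { $sid = $Matches.sid } else { continue }
    if ($entry -match '<quotaUsed>(?<used>\d+)</quotaUsed>') { $used = [int]$Matches.used } else { continue }
    $flag = if ($default -ne -1 -and $used -ge $default) { '  <-- at limit' } else { '' }
    "{0,-40} used {1}{2}" -f (ConvertTo-AccountName $sid), $used, $flag
}

# The targeted alternative to lowering the default: one quota for one trustee.
# Dry run only (-WhatIf); the account name below is a placeholder.
function New-TrusteeQuota([string]$SamAccountName, [int]$Amount) {
    $acct  = Get-ADUser -Identity $SamAccountName
    $bytes = New-Object byte[] $acct.SID.BinaryLength
    $acct.SID.GetBinaryForm($bytes, 0)          # SID-syntax attribute wants raw bytes
    New-ADObject -Name "Quota for $SamAccountName" -Type 'msDS-QuotaControl' -Path $quotasDN `
        -OtherAttributes @{ 'msDS-QuotaTrustee' = $bytes; 'msDS-QuotaAmount' = $Amount } -WhatIf
}
# New-TrusteeQuota -SamAccountName 'HELPDESK_ACCOUNT_PLACEHOLDER' -Amount 50
```

Run it before changing any quota: if the default is already below the usage of the account Exchange creates device objects with, new ActiveSync partnerships will fail the same way the thread's stack trace shows.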

Robert Cabrera (Author) commented:
After having removed the msDS-DefaultQuota attribute and resetting iPhone network settings I was able to configure the email account on the device.
0
Question has a verified solution.