Some but not all ActiveSync users lose mailbox access in Exchange 2007/2013 coexistence scenario

Our customer has an SBS 2008 server running Exchange 2007.  We have deployed an Exchange 2013 server to coexist with the 2007 server, until all user mailboxes can be moved to the new server.  Users have always connected to mail.domain.com, which was pointed to the 2007 server.  Now, mail.domain.com is pointed to the 2013 server, which proxies users to the 2007 server (now it's legacy.domain.com) if their mailbox hasn't been moved.

SOME but not all users with mobile devices that use ActiveSync to connect to their Exchange mailboxes have lost access to the mailboxes since we put the new server in place.  However, no user mailboxes have been moved yet, and Outlook clients on user PCs have no issue connecting to the mailboxes on the 2007 server via the 2013 proxy.  And some users have no problems accessing their mailboxes using ActiveSync.  Furthermore, for the users who lost access, as soon as they delete their ActiveSync profile on the mobile device and recreate it with the same settings, they get access again.  This isn't a great solution, because we have a lot of users, and they get confused about how to redo their account settings.

We used the Microsoft Remote Connectivity Analyzer diagnostic tool to test AutoDiscover, ActiveSync AutoDiscover, and ActiveSync.  All tests pass.

What could be causing this issue, why are only some users affected, and why does recreating the ActiveSync profile fix the issue?  If their mailboxes haven't moved yet, users shouldn't need to redo ActiveSync on their devices, no?

For your reference, here's the output from running Get-ActiveSyncVirtualDirectory--I have removed identifying info and replaced it with "2007-Server", "2013-Server", "domain.com", etc.

RunspaceId                                 : e795d693-e84e-451a-af13-03b23b162b0f
MobileClientFlags                          : BadItemReportingEnabled, SendWatsonReport
MobileClientCertificateProvisioningEnabled : False
BadItemReportingEnabled                    : True
SendWatsonReport                           : True
MobileClientCertificateAuthorityURL        :
MobileClientCertTemplateName               :
ActiveSyncServer                           :
RemoteDocumentsActionForUnknownServers     : Allow
RemoteDocumentsAllowedServers              : {}
RemoteDocumentsBlockedServers              : {}
RemoteDocumentsInternalDomainSuffixList    : {}
MetabasePath                               : IIS://2007-Server.domain.com/W3SVC/3/ROOT/Microsoft-Server-ActiveSync
BasicAuthEnabled                           : True
WindowsAuthEnabled                         : False
CompressionEnabled                         : True
ClientCertAuth                             : Ignore
WebsiteName                                : SBS Web Applications
WebSiteSSLEnabled                          : True
VirtualDirectoryName                       : Microsoft-Server-ActiveSync
Path                                       :
ExtendedProtectionTokenChecking            : None
ExtendedProtectionFlags                    : {}
ExtendedProtectionSPNList                  : {}
AdminDisplayVersion                        : Version 8.3 (Build 83.6)
Server                                     : 2007-Server
InternalUrl                                : https://legacy.domain.com/Microsoft-Server-ActiveSync
InternalAuthenticationMethods              : {Basic}
ExternalUrl                                :
ExternalAuthenticationMethods              : {Basic}
AdminDisplayName                           :
ExchangeVersion                            : 0.1 (8.0.535.0)
Name                                       : Microsoft-Server-ActiveSync (SBS Web Applications)
DistinguishedName                          : CN=Microsoft-Server-ActiveSync (SBS Web
                                             Applications),CN=HTTP,CN=Protocols,CN=2007-Server,CN=Servers,CN=Exchange
                                             Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
                                             Groups,CN=OURDOM,CN=Microsoft
                                             Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Identity                                   : 2007-Server\Microsoft-Server-ActiveSync (SBS Web Applications)
Guid                                       : 3f240a18-dfbd-45b5-9a3c-be56fe2ff519
ObjectCategory                             : domain.com/Configuration/Schema/ms-Exch-Mobile-Virtual-Directory
ObjectClass                                : {top, msExchVirtualDirectory, msExchMobileVirtualDirectory}
WhenChanged                                : 10/23/2015 4:06:30 PM
WhenCreated                                : 10/23/2009 11:02:02 PM
WhenChangedUTC                             : 10/23/2015 11:06:30 PM
WhenCreatedUTC                             : 10/24/2009 6:02:02 AM
OrganizationId                             :
Id                                         : 2007-Server\Microsoft-Server-ActiveSync (SBS Web Applications)
OriginatingServer                          : 2007-server.domain.com
IsValid                                    : True
ObjectState                                : Changed

RunspaceId                                 : e795d693-e84e-451a-af13-03b23b162b0f
MobileClientFlags                          : BadItemReportingEnabled, SendWatsonReport
MobileClientCertificateProvisioningEnabled : False
BadItemReportingEnabled                    : True
SendWatsonReport                           : True
MobileClientCertificateAuthorityURL        :
MobileClientCertTemplateName               :
ActiveSyncServer                           : https://mail.domain.com/Microsoft-Server-ActiveSync
RemoteDocumentsActionForUnknownServers     : Allow
RemoteDocumentsAllowedServers              : {}
RemoteDocumentsBlockedServers              : {}
RemoteDocumentsInternalDomainSuffixList    : {}
MetabasePath                               : IIS://2013-Server.domain.com/W3SVC/1/ROOT/Microsoft-Server-ActiveSync
BasicAuthEnabled                           : True
WindowsAuthEnabled                         : False
CompressionEnabled                         : False
ClientCertAuth                             : Ignore
WebsiteName                                : Default Web Site
WebSiteSSLEnabled                          : True
VirtualDirectoryName                       : Microsoft-Server-ActiveSync
Path                                       :
ExtendedProtectionTokenChecking            : None
ExtendedProtectionFlags                    : {}
ExtendedProtectionSPNList                  : {}
AdminDisplayVersion                        : Version 15.0 (Build 1130.7)
Server                                     : 2013-Server
InternalUrl                                : https://mail.domain.com/Microsoft-Server-ActiveSync
InternalAuthenticationMethods              : {}
ExternalUrl                                : https://mail.domain.com/Microsoft-Server-ActiveSync
ExternalAuthenticationMethods              : {}
AdminDisplayName                           :
ExchangeVersion                            : 0.10 (14.0.100.0)
Name                                       : Microsoft-Server-ActiveSync (Default Web Site)
DistinguishedName                          : CN=Microsoft-Server-ActiveSync (Default Web
                                             Site),CN=HTTP,CN=Protocols,CN=2013-Server,CN=Servers,CN=Exchange
                                             Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
                                             Groups,CN=OURDOM,CN=Microsoft
                                             Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Identity                                   : 2013-Server\Microsoft-Server-ActiveSync (Default Web Site)
Guid                                       : 1c98054c-03fb-4204-a697-82589fca77b9
ObjectCategory                             : domain.com/Configuration/Schema/ms-Exch-Mobile-Virtual-Directory
ObjectClass                                : {top, msExchVirtualDirectory, msExchMobileVirtualDirectory}
WhenChanged                                : 10/23/2015 2:17:30 PM
WhenCreated                                : 10/23/2015 11:58:46 AM
WhenChangedUTC                             : 10/23/2015 9:17:30 PM
WhenCreatedUTC                             : 10/23/2015 6:58:46 PM
OrganizationId                             :
Id                                         : 2013-Server\Microsoft-Server-ActiveSync (Default Web Site)
OriginatingServer                          : 2007-Server.domain.com
IsValid                                    : False
ObjectState                                : Changed


Asked by: AA-in-CA

Will Szymkowski (Senior Solution Architect) Commented:
Your best bet is to check the IIS logs on the Exchange 2013 server and also on the Exchange 2007 server. These logs will provide you with error codes as to why you are not connecting.

Use the link below, which outlines very nicely how/what the codes mean. This will give you more insight as to what is happening...

http://msexchangeguru.com/2012/02/01/exchange-activesync/

Will.
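
An added example, not part of Will's comment or the thread: one way to carry out the IIS log review he suggests is to summarize ActiveSync requests per user and device with their HTTP status codes, so that devices which never receive a 200 stand out from the ones that work. The log lines, user names, device IDs and status values are constructed, and `Get-EasLogSummary` is a hypothetical helper name; the column order is read from each log's own `#Fields:` header.

```powershell
# Constructed sample in IIS W3C format; on the servers pass the real u_ex*.log lines.
$sampleLog = @'
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username cs(User-Agent) sc-status sc-substatus
2015-10-26 15:01:02 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=alice&DeviceId=DEV0001&DeviceType=iPhone OURDOM\alice Apple-iPhone 200 0
2015-10-26 15:01:09 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=alice&DeviceId=DEV0001&DeviceType=iPhone OURDOM\alice Apple-iPhone 200 0
2015-10-26 15:02:11 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=bob&DeviceId=DEV0002&DeviceType=Android - Android-Mail 401 1
2015-10-26 15:02:41 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=bob&DeviceId=DEV0002&DeviceType=Android - Android-Mail 401 1
2015-10-26 15:03:00 GET /owa/ - OURDOM\carol Mozilla/5.0 200 0
'@ -split "`r?`n"

function Get-EasLogSummary {
    param([string[]]$Line)
    $fields = @()
    $rows = foreach ($l in $Line) {
        if ($l -like '#Fields:*') {   # header defines the column order
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($l.StartsWith('#') -or -not $l.Trim() -or -not $fields) { continue }
        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync*') { continue }
        $q = @{}   # User, DeviceId and DeviceType travel in the query string
        foreach ($pair in ($rec['cs-uri-query'] -split '&')) {
            $k, $v = $pair -split '=', 2
            $q[$k] = $v
        }
        [pscustomobject]@{
            User = $q['User']; DeviceId = $q['DeviceId']; DeviceType = $q['DeviceType']
            Status = '{0}.{1}' -f $rec['sc-status'], $rec['sc-substatus']
        }
    }
    $rows | Group-Object User, DeviceId, DeviceType | ForEach-Object {
        $g = $_
        $codes = $g.Group | Group-Object Status |
            ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }
        [pscustomobject]@{
            User = $g.Group[0].User; DeviceId = $g.Group[0].DeviceId
            DeviceType = $g.Group[0].DeviceType; Requests = $g.Count
            StatusCodes = $codes -join ', '
            AnySuccess = [bool]($g.Group | Where-Object { $_.Status -like '200.*' })
        }
    }
}

# Devices with AnySuccess = False sort first.
Get-EasLogSummary -Line $sampleLog | Sort-Object AnySuccess | Format-Table -AutoSize
```

Running the same summary against the logs of both the 2013 and the 2007 server shows whether a failing device's requests reach the legacy server at all.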

Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) Commented:
Yep, I'm getting at what Will says here too. I have seen issues like this where there are events listed in the Windows application log too, related to ActiveSync. I would check the event logs, filtering for error, critical and warning events only in the application log.

I think this will shed some light on the issue.

I am expecting to see an ActiveSync issue which can be resolved by a permission change if you search the precise error in Google; I believe this is quite a common scenario.

Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) Commented:
AA, for what it's worth, I also think you should be looking at migrating the mailboxes and completing the mailbox migration as soon as possible. Deal with the issues then.

You have patched this 2013 server with all of the latest rollups and CU?

AA-in-CA (Author) Commented:
Yes, both the 2007 and 2013 servers are fully up to date.  

MS Partner Support's official (forums) answer to my support request was basically "Oh, deleting and recreating the ActiveSync profiles on each device fixes this?  Have you considered deleting and recreating the ActiveSync profiles on each device?  We feel this would fix it."  Yeah, let me just send a field guy to visit 50 users today.

We looked at the event logs for ActiveSync-related errors a few days ago, and as I recall there was nothing relevant there, but I need to double-check.  Should have done that already, actually.

Mark, I think I know the permissions change you're referring to--the inherit permissions checkbox on the user object, right?  We investigated that angle for users with this problem, and they were all fine.

Will, thanks for the IIS article.  I'll pursue that angle and see if it gets us anywhere.  In the meantime, Mark, you're absolutely right, we need to finish this migration as swiftly as possible.

Next time I'm going to beg management to buy us an MDM platform subscription, so we can redo ActiveSync profiles for everyone centrally.  AirWatch looks awesome.