Exchange 2010 ActiveSync Error

We currently run Exchange 2010 SP3 On-Premise and from some reason all of a sudden new users cannot get email on their IPhone's using ActiveSync. Existing users work fine.

When i look at the Event Logs it shows

Warning: MSExchangeActiveSync
Event ID: 1008
Details:
An exception occurred and was handled by Exchange ActiveSync. This may have been caused by an outdated or corrupted Exchange ActiveSync device partnership. This can occur if a user tries to modify the same item from multiple computers. If this is the case, Exchange ActiveSync will re-create the partnership with the device. Items will be updated at the next synchronization.

URL=/Microsoft-Server-ActiveSync/default.eas?User=pnadori&DeviceId=7DGJ1IPSG56OF198GS96EOIK64&DeviceType=iPhone&Cmd=FolderSync
--- Exception start ---
Exception type: Microsoft.Exchange.AirSync.AirSyncPermanentException
Exception message: A null value was received for the NTSD security descriptor of container CN=ExchangeActiveSyncDevices,CN=Peter Nadori,OU=Users,OU=FuelQuip National,DC=eclfuelquip,DC=com,DC=au.
Exception level: 0
HttpStatusCode: 500
AirSyncStatusCode: 110
XmlResponse:
This request does not contain a WBXML response.
Exception stack trace:    at Microsoft.Exchange.AirSync.ADDeviceManager.SetActiveSyncDeviceContainerPermissions(ActiveSyncDevices container)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDeviceContainer(Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.Command.UpdateADDevice(GlobalInfo globalInfo)
   at Microsoft.Exchange.AirSync.Command.CompleteDeviceAccessProcessing()
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
--- Exception end ---.

To try and resolve the issue i have tried the following:

1. I have tried suggestion in this website: http://www.it.ltsoy.com/exchange/mobile-phones-do-not-sync-with-new-exchange-2013 - Issue still exists
2. Unchecked "Include inheritable permissions from this object's parent" tickbox in Advance Permissions options of User and re-ticked - Issue still exists
3. Opened ADSIEDIT and performed step 2. as shown above - Issue still exists
4. Restarted IIS - Issue still exists
5. Restarted Exchange Server - Issue still exists
6. Created a completely new user -  Issue still exists
7. Compared problematic user with a user that works - Permissions identical
8. Re-applied Service Pack 3, restarted, re-applied SP3 Updates and restarted - Issue Still exists.

I have run out of things to try. Is there anything else I can check ?
LVL 3
TroyIT Support AdministratorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Tom CieslikIT EngineerCommented:
Double check your AD replication service and if replication was done with status success

Also please check your message limit for ActiveSynch
Maybe there is a message over the limit that is causing Activesynch to reject any other connections.
0
TroyIT Support AdministratorAuthor Commented:
Just ran replication status in powershell and all seems to be replicating fine.

Repadmin: running command /showrepl against full DC localhost

Sydney\ECLGRP-NSW01

DSA Options: IS_GC

Site Options: IS_GROUP_CACHING_ENABLED

DSA object GUID: 937fe1c7-ed39-43d2-9b62-f2cb229d0a47

DSA invocationID: bf06b6ca-9eab-4429-9be9-446a119b6468



==== INBOUND NEIGHBORS ======================================



DC=eclfuelquip,DC=com,DC=au

    SydneyNational\FQ-SRVNAT via RPC

        DSA object GUID: 0da0b8bb-8f9b-4e76-ad04-15642bb6a041

        Last attempt @ 2017-12-02 08:00:48 was successful.

    Victoria\ECLGRP-VIC01 via RPC

        DSA object GUID: 918e0345-4724-4bc1-b64b-d0c6cbfd6caa

        Last attempt @ 2017-12-02 08:00:49 was successful.

    Quensland\ECLGRP-QLD01 via RPC

        DSA object GUID: 0f290149-9b6b-4659-a4e1-94ca4e31ffec

        Last attempt @ 2017-12-02 08:00:50 was successful.

    WA\ECLGRP-WA01 via RPC

        DSA object GUID: 5ce5a561-9acc-44ed-949a-8280581c5544

        Last attempt @ 2017-12-02 08:00:50 was successful.



CN=Configuration,DC=eclfuelquip,DC=com,DC=au

    SydneyNational\FQ-SRVNAT via RPC

        DSA object GUID: 0da0b8bb-8f9b-4e76-ad04-15642bb6a041

        Last attempt @ 2017-12-02 08:00:48 was successful.

    Victoria\ECLGRP-VIC01 via RPC

        DSA object GUID: 918e0345-4724-4bc1-b64b-d0c6cbfd6caa

        Last attempt @ 2017-12-02 08:00:48 was successful.

    Quensland\ECLGRP-QLD01 via RPC

        DSA object GUID: 0f290149-9b6b-4659-a4e1-94ca4e31ffec

        Last attempt @ 2017-12-02 08:00:48 was successful.

    WA\ECLGRP-WA01 via RPC

        DSA object GUID: 5ce5a561-9acc-44ed-949a-8280581c5544

        Last attempt @ 2017-12-02 08:00:49 was successful.



CN=Schema,CN=Configuration,DC=eclfuelquip,DC=com,DC=au

    SydneyNational\FQ-SRVNAT via RPC

        DSA object GUID: 0da0b8bb-8f9b-4e76-ad04-15642bb6a041

        Last attempt @ 2017-12-02 08:00:49 was successful.

    Victoria\ECLGRP-VIC01 via RPC

        DSA object GUID: 918e0345-4724-4bc1-b64b-d0c6cbfd6caa

        Last attempt @ 2017-12-02 08:00:49 was successful.

    Quensland\ECLGRP-QLD01 via RPC

        DSA object GUID: 0f290149-9b6b-4659-a4e1-94ca4e31ffec

        Last attempt @ 2017-12-02 08:00:49 was successful.

    WA\ECLGRP-WA01 via RPC

        DSA object GUID: 5ce5a561-9acc-44ed-949a-8280581c5544

        Last attempt @ 2017-12-02 08:00:49 was successful.



DC=DomainDnsZones,DC=eclfuelquip,DC=com,DC=au

    SydneyNational\FQ-SRVNAT via RPC

        DSA object GUID: 0da0b8bb-8f9b-4e76-ad04-15642bb6a041

        Last attempt @ 2017-12-02 08:00:50 was successful.

    Victoria\ECLGRP-VIC01 via RPC

        DSA object GUID: 918e0345-4724-4bc1-b64b-d0c6cbfd6caa

        Last attempt @ 2017-12-02 08:00:50 was successful.

    Quensland\ECLGRP-QLD01 via RPC

        DSA object GUID: 0f290149-9b6b-4659-a4e1-94ca4e31ffec

        Last attempt @ 2017-12-02 08:00:50 was successful.

    WA\ECLGRP-WA01 via RPC

        DSA object GUID: 5ce5a561-9acc-44ed-949a-8280581c5544

        Last attempt @ 2017-12-02 08:00:50 was successful.



DC=ForestDnsZones,DC=eclfuelquip,DC=com,DC=au

    SydneyNational\FQ-SRVNAT via RPC

        DSA object GUID: 0da0b8bb-8f9b-4e76-ad04-15642bb6a041

        Last attempt @ 2017-12-02 08:00:50 was successful.

    Victoria\ECLGRP-VIC01 via RPC

        DSA object GUID: 918e0345-4724-4bc1-b64b-d0c6cbfd6caa

        Last attempt @ 2017-12-02 08:00:50 was successful.

    Quensland\ECLGRP-QLD01 via RPC

        DSA object GUID: 0f290149-9b6b-4659-a4e1-94ca4e31ffec

        Last attempt @ 2017-12-02 08:00:50 was successful.

    WA\ECLGRP-WA01 via RPC

        DSA object GUID: 5ce5a561-9acc-44ed-949a-8280581c5544

        Last attempt @ 2017-12-02 08:00:50 was successful.
0
RoninCommented:
Let's see the current status of your environment: (mask real domain with domain.com, paste results as CODE)
Get-OabVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-WebServicesVirtualDirectory | fl server, Name,ExternalURL, InternalURL, *auth*
Get-EcpVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-ActiveSyncVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*
Get-OwaVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-ClientAccessServer| fl Name,OutlookAnywhereEnabled, AutodiscoverServiceInternalUri
Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*
Get-MapiVirtualDirectory | fl server, Name,ExternalURL,InternalURL, *auth*
Get-ClientAccessArray | fl
Get-OutlookProvider
Get-Command Exsetup.exe | ForEach-Object {$_.FileVersionInfo}

Open in new window

0
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

TroyIT Support AdministratorAuthor Commented:
I managed to solve the issue by adding the following permission to the user:

permission.JPG
How can i get this permission to apply to multiple users within the OU. I tried the delegation wizard and it didn't apply the permission.

Here is the output of the script you sent:

[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl FQ-EXCHSRV, Name, ExternalURL, InternalURL, *auth*


Name                          : OAB (Default Web Site)
ExternalUrl                   : https://mail.eclgroup.com.au/oab
InternalUrl                   : https://mail.eclgroup.com.au/oab
BasicAuthentication           : False
WindowsAuthentication         : True
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalAuthenticationMethods : {WindowsIntegrated}



[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl FQ-EXCHSRV, Name,ExternalURL, InternalURL, *auth*


Name                          : EWS (Default Web Site)
ExternalUrl                   :
InternalUrl                   : https://mail.eclgroup.com.au/ews/exchange.asmx
CertificateAuthentication     :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
LiveIdSpNegoAuthentication    : False
WSSecurityAuthentication      : False
LiveIdBasicAuthentication     : False
BasicAuthentication           : False
DigestAuthentication          : False
WindowsAuthentication         : True



[PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl FQ-EXCHSRV, Name, ExternalURL, InternalURL, *auth*


Name                          : ecp (Default Web Site)
ExternalUrl                   : https://mail.eclgroup.com.au/ecp
InternalUrl                   : https://mail.eclgroup.com.au/ecp
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication           : True
WindowsAuthentication         : False
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
ExternalAuthenticationMethods : {Fba}



[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl FQ-EXCHSRV, Name, ExternalURL, InternalURL, *auth*


Name                                : Microsoft-Server-ActiveSync (Default Web Site)
ExternalUrl                         : https://mail.eclgroup.com.au/Microsoft-Server-ActiveSync
InternalUrl                         : https://mail.eclgroup.com.au/Microsoft-Server-ActiveSync
MobileClientCertificateAuthorityURL :
BasicAuthEnabled                    : True
WindowsAuthEnabled                  : False
ClientCertAuth                      : Ignore
InternalAuthenticationMethods       : {}
ExternalAuthenticationMethods       : {}

[PS] C:\Windows\system32>Get-OutlookAnywhere | fl FQ-EXCHSRV, Name, *hostname*, *auth*


Name                       : Rpc (Default Web Site)
ExternalHostname           : mail.eclgroup.com.au
ClientAuthenticationMethod : Ntlm
IISAuthenticationMethods   : {Ntlm}



[PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl FQ-EXCHSRV, Name, ExternalURL, InternalURL, *auth*


Name                          : owa (Default Web Site)
ExternalUrl                   : https://mail.eclgroup.com.au/owa
InternalUrl                   : https://mail.eclgroup.com.au/owa
ClientAuthCleanupLevel        : High
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication           : True
WindowsAuthentication         : False
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
ExternalAuthenticationMethods : {Fba}



[PS] C:\Windows\system32>Get-ClientAccessFQ-EXCHSRV| fl Name,OutlookAnywhereEnabled, AutodiscoverServiceInternalUri
The term 'Get-ClientAccessFQ-EXCHSRV' is not recognized as the name of a cmdlet, function, script file, or operable pro
gram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:27
+ Get-ClientAccessFQ-EXCHSRV <<<< | fl Name,OutlookAnywhereEnabled, AutodiscoverServiceInternalUri
    + CategoryInfo          : ObjectNotFound: (Get-ClientAccessFQ-EXCHSRV:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

[PS] C:\Windows\system32>Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, I
ssuer, *not*


FriendlyName       : mail.eclgroup.com.au
Subject            : CN=mail.eclgroup.com.au, OU=Domain Control Validated
CertificateDomains : {mail.eclgroup.com.au, www.mail.eclgroup.com.au, mail.eclfuelquip.com.au}
Thumbprint         : AB88443518BB2584EF079C0A5043EE2C3D269509
Services           : IMAP, POP, IIS, SMTP
Issuer             : CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="
                     Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 4/11/2018 4:23:38 PM
NotBefore          : 4/11/2015 4:23:38 PM



[PS] C:\Windows\system32>Get-MapiVirtualDirectory | fl FQ-EXCHSRV, Name,ExternalURL,InternalURL, *auth*
The term 'Get-MapiVirtualDirectory' is not recognized as the name of a cmdlet, function, script file, or operable progr
am. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:25
+ Get-MapiVirtualDirectory <<<<  | fl FQ-EXCHSRV, Name,ExternalURL,InternalURL, *auth*
    + CategoryInfo          : ObjectNotFound: (Get-MapiVirtualDirectory:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

[PS] C:\Windows\system32>Get-ClientAccessArray | fl
[PS] C:\Windows\system32>Get-OutlookProvider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                                                      1
EXPR                                                        msstd:mail.eclgroup.com.au    1
WEB                                                                                       1


[PS] C:\Windows\system32>Get-Command Exsetup.exe | ForEach-Object {$_.FileVersionInfo}

ProductVersion   FileVersion      FileName
--------------   -----------      --------
14.03.0361.001   14.03.0361.001   C:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetup.exe
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
RoninCommented:
Glad to hear you got this working, you would also need to fix EWS's external URL.
Set-WebServicesVirtualDirectory –Identity "EWS (default web site)" -ExternalUrl https://mail.eclgroup.com.au/ews/exchange.asmx

Open in new window


Note that you don't seems to have autodiscover.eclgroup.com.au in the certificate, it will prevent you from automatically configuring devices (phones and Outlook) to connect to your environment.
0
TroyIT Support AdministratorAuthor Commented:
Any ideas on applying the permission i referred to across multiple users and OU's ?

I also tried Active Directory Schema in the Management Console and applied to Authenticated Users Group, but even after replication finished it still didn't apply the permission.

Powershell script maybe ? and what would that look like
0
TroyIT Support AdministratorAuthor Commented:
Never mind. I managed to work out applying permissions.

I manually edited the Users container permissions on all OU's and the permissions applied across all users.

Thanks for your assistance :)
0
Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Troy (https:#a42396235)
-- Troy (https:#a42396260)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.