Some email accounts: ActiveSync not working on mobile phones (Android/iOS)

N Brod
We're having an issue on some (not all) email accounts. When configured on a mobile phone (Android or iOS), they will not sync. OWA and Outlook are working fine. Tested with Microsoft Connectivity Analyzer, it shows, "Attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed.".

One email account reported the same when trying to set it up on a new mobile phone. The weird thing is that on his old phone, the email account is configured and working well till now. Incoming/Outgoing is working well (old phone). When I check with Connectivity Analyzer, I get the same issue, FolderSync command failed. Viewed in Exchange, Manage Mobile Phone, no device is listed like others have.

Some email accounts (like mine and others I know) are working fine with mobile, OWA and Outlook. Also tested with Microsoft Connectivity Analyzer, "Attempting the FolderSync command on the Exchange ActiveSync session. The FolderSync command completed successfully."

We have Exchange 2010 (Exchange Server 2010 Microsoft Corporation Version: 14.03.0382.000) on Windows Server 2008 R2 Enterprise SP1.

Can anyone help us here? What might be the cause of the problem? Please note that I have checked the inherent permission under the Security tab in AD. And for the Virtual Directory on IIS? I doubt there's an issue, because not all accounts have the same problem.
Michelangelo, System Administrator / Postmaster

Commented:
Check that these accounts have not been given privileges in the past which resulted in AdminSDHolder as described here:
https://blogs.technet.microsoft.com/exchange/2009/09/23/exchange-2010-and-resolution-of-the-adminsdholder-elevation-issue/
SysToolsData Expert - Recovery,Backup,Migration

Commented:
Try this tip:  Go to the user in the AD and click on the Security settings Tab, click on Advanced and press the enable Inheritance button.

Ref: https://community.spiceworks.com/topic/383511-exchange-2013-configuring-activesync-clients-android-ios-wp
Michelangelo, System Administrator / Postmaster

Commented:
N Brod,
find here some more details: removing inheritance is not enough if the AdminCount attribute of these users is still set to 1 and/or if the user is still a member of an administrative group. The SDProp process, which runs every hour, will bring the situation back to the starting point.
https://blogs.technet.microsoft.com/chadcox/2018/01/08/adposh-find-and-fix-adminsdholder-orphans-admincount/

Use this script to perform all checks
https://notesbytom.wordpress.com/2017/12/01/clear-admincount-and-enable-inheritance-on-user/

Or:
- remove user from all administrative groups
- enable inheritance as shown above
- clear AdminCount attribute:
  • open Active Directory Users and Computers
  • go to the OU the user belongs to by following the tree (don't use Find)
  • enable Advanced Features in View Menu of Active Directory Users and Computers
  • Right click on the user, choose Properties, choose Attributes tab
  • Find AdminCount attribute, if 1 set it to 0
Author

Commented:
Hi Michelangelo,

Let me check using the script you’ve mentioned and I will let you know.

As I remember, those users are not part of any admin group. I’ll take a snapshot and provide it here.

As part of my troubleshooting, I created a test user with Domain user and signature group Policy and it has the same ActiveSync issue. OWA & Outlook are working fine.
Michelangelo, System Administrator / Postmaster

Commented:
Check also in the application log of mailboxes for ActiveSync events regarding throttling policies (doubt it if you tested with a new user but one never knows)

Author

Commented:
Hi Michelangelo,

from Attribute Tab, •Find AdminCount attribute, if 1 set it to 0  >>>>> <not set>

Pls. find attached Application log snapshot (I covered a bit information. Sorry for that).

Thank you in advance.
Exchange-ActiveSync-Apps-Logs-for-Up.pdf
System Administrator / Postmaster
Commented:
Regarding ActiveSync device "An exception occurred and was handled by Exchange Activesync"

try removing the device partnership, and recreate it afterwards
Get-ActiveSyncDevice -Mailbox yourmailbox
# remove the devices that are not working, selecting the correct identity
Remove-ActiveSyncDevice -Identity IdentityOfDeviceToRemove

note that right now I cannot test these commands as I do not have an Exchange 2010 ready, so check command syntax and use
-WhatIf:$true
to test the command.
-WhatIf:$false
to run the command

DC permission issue "ActiveSync does not have sufficient permissions to create xxx container"
try this
Start Active Directory Users and Computers.
Click View, and then click Advanced Features.
right click on your problematic users OU (they are in a ou or a CN?), then Properties
Click Advanced
Click on Principal column to sort permissions
Find yourrootDomain\Exchange Servers where Access column reports Special ( my lab has 2 such entries )
Select yourrootDomain\Exchange Servers entry, click View, verify that it has
Create msExchActiveSyncDEviceObjects
Delete msExchActiveSyncDEviceObjects


Otherwise add that permission:
Choose Add,
In Principal select yourrootDomain\Exchange Servers
In Type select Allow, in Applies To select Descendant InetOrgPerson objects
in Permissions Select  Create msExchActiveSyncDEviceObjects and Delete msExchActiveSyncDEviceObjects
Confirm where necessary.
Delete activesync partnership as shown above and recreate it

===
Certificate issue: "Microsoft Exchange could not find a certificate that contains the Domain name"
I believe it's not related, however
Do you have an SSL certificate to assign to the SMTP service?
paste the output of this command
Get-ExchangeCertificate -Server yourserver | ft -auto -wrap dnsnamelist, IsSelfSigned, Services, Status, RootCAType, thumbprint, not*
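
A read-only PowerShell check for the two causes discussed in this thread (adminCount with blocked inheritance, and the missing Exchange Servers create/delete permission), added here as an example that is not part of any participant's post. The function name Test-EasDevicePermission and its parameters are hypothetical, and it assumes the permission the thread writes as msExchActiveSyncDEviceObjects corresponds to the schema class msExchActiveSyncDevices.

```powershell
# Added example: read-only check, requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-EasDevicePermission {
    param(
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        [string] $Trustee = 'Exchange Servers'   # group named in the thread
    )

    # Resolve the class GUID from the schema rather than hard-coding it.
    # Assumption: the class lDAPDisplayName is msExchActiveSyncDevices.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)'
    if (-not $class) { throw 'msExchActiveSyncDevices not found in the schema.' }
    $classGuid = [guid]$class.schemaIDGUID

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor
    $sd   = $user.nTSecurityDescriptor

    # Allow ACEs (explicit and inherited) for the trustee that are effective on
    # this user and cover this child class, or all child classes (empty
    # ObjectType). Deny ACEs are not evaluated here.
    $aces = @($sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -like "*\$Trustee" -and
            $_.AccessControlType -eq 'Allow' -and
            $_.PropagationFlags -notmatch 'InheritOnly' -and
            ($_.ObjectType -eq $classGuid -or $_.ObjectType -eq [guid]::Empty)
        })

    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $create = @($aces | Where-Object { [int]$_.ActiveDirectoryRights -band [int]$rights::CreateChild }).Count -gt 0
    $delete = @($aces | Where-Object { [int]$_.ActiveDirectoryRights -band [int]$rights::DeleteChild }).Count -gt 0

    New-Object PSObject -Property @{
        User               = $user.SamAccountName
        AdminCount         = $user.adminCount            # empty means <not set>
        InheritanceBlocked = $sd.AreAccessRulesProtected # True = inheritance disabled
        CanCreateContainer = $create
        CanDeleteContainer = $delete
    }
}

# Usage with a constructed account name; replace with an affected mailbox user:
#   Test-EasDevicePermission -SamAccountName 'jdoe'
```

Comparing the output for a working account and a failing one shows which of the two conditions differs before any ACL is changed.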

Author

Commented:
Hi Michelangelo,

Thanks a lot! It works for me, see below. It was not configured. No tick on Allow and Deny. When I checked Allow, the user's account started to sync successfully.

Start Active Directory Users and Computers.
 Click View, and then click Advanced Features.
 right click on your problematic users OU (they are in a ou or a CN?), then Properties
 Click Advanced
 Click on Principal column to sort permissions
 Find yourrootDomain\Exchange Servers where Access column reports Special ( my lab has 2 such entries )
 Select yourrootDomain\Exchange Servers entry, click View, verify that it has
Create msExchActiveSyncDEviceObjects
 Delete msExchActiveSyncDEviceObjects

Author

Commented:
Thanks a lot Michelangelo!

Our problem has been resolved with your solution on the "Create msExchActiveSyncDEviceObjects,   Delete msExchActiveSyncDEviceObjects "
