I ran into an interesting Mobile Smartphone issue recently with an iPhone and Exchange 2010 ... and by "interesting" I really mean annoyingly frustrating. >.<
The end-user reported that he had copied the settings from another iPhone user and he was able to get the Exchange account set up, but it would error out when he tried to send an email.
We had him delete the account and we went through the setup a second time; same results - no sendy, no receivey.
I attempted to reproduce the issue on an iPad I had available. I was able to create the account and confirmed that the security certificate was accepted correctly but still was unable to send or receive email.
I remotely accessed the client's Exchange 2010 email server and confirmed that the user's mailbox and Active Directory account looked correct when compared to a user who was using their iPhone successfully with the company's Exchange email. That user had 'Manage Mobile Phone' showing their iPhone had successfully made a partnership with Exchange via ActiveSync, but the account for the user I was working with did not show that any devices had been synced/partnered successfully. ARGH!
Things smarter people would do = With ActiveSync enabled correctly in Exchange/AD etc; this is where, if I was smarter, I would have gone directly to using the Microsoft Remote Connectivity Analyzer.
But ... alas ... I didn't.
The next thing I did was review the Event logs and found ActiveSync errors in the Application log.
I researched resolutions for the following error:
Source: MSExchange ActiveSync
Event ID: 1053
Task Category: Configuration
Description:
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=MailboxName,OU=OrganizationalUnitName,DC=domain,DC=suffix" container under Active Directory user "Active Directory operation failed on DOMAINCONTROLLER.domain.suffix. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.
I applied a few fixes but was still having issues ... it was at this point inspiration hit and I started using the Microsoft Remote Connectivity Analyzer and was eventually able to get ActiveSync working on the iPad and then on the user's iPhone.
“In Exchange Server 2010, you may also experience this issue if the Exchange Servers group does not have the appropriate permission to the mailbox object in Active Directory. The most common cause for this is broken Access Control List (ACL) inheritance in Active Directory.
To check whether inheritance is disabled on the user:
- Open Active Directory Users and Computers.
- On the menu at the top of the console, click View then Advanced Features.
- Locate and right-click the mailbox account in the console, and then click Properties.
- Click the Security tab.
- Click Advanced.
- Make sure that the check box for "Include inheritable permissions from this object's parent" is selected.
If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked. If you are experiencing a problem with members of these protected groups you should check the permissions on the AdminSDHolder object.”
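The inheritance and deny-permission checks quoted above can also be read from PowerShell, which makes it easy to compare the affected user against one whose device syncs. This is an added example, not part of the original post or the quoted Microsoft guidance; it assumes the ActiveDirectory module (RSAT) is available, and the function name and sample account names are hypothetical.

```powershell
# Added example (not from the original post). Read-only: nothing is modified.
# Assumes the ActiveDirectory module (RSAT) is installed where this runs.
Import-Module ActiveDirectory

function Test-MailboxAclInheritance {    # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string] $Identity               # sAMAccountName or distinguished name
    )
    process {
        $user  = Get-ADUser -Identity $Identity -Properties nTSecurityDescriptor, adminCount
        $sd    = $user.nTSecurityDescriptor

        # All ACEs, explicit and inherited, with trustees resolved to DOMAIN\name.
        $rules = @($sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]))

        # Deny ACEs: event 1053 says none may block the Exchange Servers group.
        $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })

        # ACEs naming the Exchange Servers group, and how many arrive by inheritance.
        $exch  = @($rules | Where-Object { $_.IdentityReference.Value -like '*\Exchange Servers' })
        $exchInherited = @($exch | Where-Object { $_.IsInherited })

        New-Object PSObject -Property @{
            User                     = $user.SamAccountName
            # True = "Include inheritable permissions..." is unchecked on the object.
            InheritanceBlocked       = $sd.AreAccessRulesProtected
            # 1 = the account is, or once was, in a protected group (AdminSDHolder).
            AdminCount               = $user.adminCount
            DenyAces                 = $deny.Count
            ExchangeServersAces      = $exch.Count
            ExchangeServersInherited = $exchInherited.Count
        } | Select-Object User, InheritanceBlocked, AdminCount, DenyAces,
                          ExchangeServersAces, ExchangeServersInherited
    }
}

# Compare the affected user with a known-good one (constructed account names):
# 'affected.user', 'working.user' | Test-MailboxAclInheritance | Format-Table -AutoSize
```

A row with `InheritanceBlocked` set to True and no inherited Exchange Servers entries matches the broken-inheritance cause described in the quote; `AdminCount` of 1 points at the protected-group case instead.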
So this brings me to my real point here: Be smarter than me ...
** Always use the Microsoft Remote Connectivity Analyzer FIRST to test for ActiveSync issues by default with the user’s email account and credentials **
Note: Admin accounts will not work with the Microsoft Remote Connectivity Analyzer or with ActiveSync at all (check to make sure the user having the issue is not a member of an administrators group in AD).
I hope this information helps you resolve this issue faster than I did! :)