Exchange 2010 & iPhone Active Sync Issue
I’ve spent the last few weeks migrating to Windows Server 2008 R2 and Exchange 2010 from 2 different forest. The last thing is users calling me with iphone not working and not synching. As per the below event log on my Exchange 2010 Server.
– System – Provider [ Name] MSExchange ActiveSync
-EventID 1053 [ Qualifiers] 49156 Level 2 Task 2 Keywords 0x80000000000000
– TimeCreated [ SystemTime] 2013-09-17T13:54:30.000000000Z
EventRecordID 34801 Channel Application Computer LOB-SRV-EXCH01.arc.company.co.uk Security
– EventData CN=Richard Hnderson,OU=Users,OU=M,OU=Area,DC=arc,DC=company,DC=co,DC=uk Active Directory operation failed on LOB-SRV-DC01.arc.company.co.uk. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
—
or in Mobile / Apple device you get error “Cannot Get Mail, connection to server failed”
—
The work around was pretty simple, however took me some time trolling through external and internal Knowledge Base Articles.
Here’s how I managed to get it sorted –
On a Domain Controller, Click on Start/All Programs/Administrative Tools/Active Directory Users and Computers
Click on View and Select Advanced Features
Select a mailbox that isn’t working with Active Sync, double click on the account, Select the Security Tab and then the Advanced Button.
Select Exchange Servers, and tick the Include inheritable permissions togglethen Apply and OK.
I believe this is a bugg, who know if it will ever get fixed in update in the future – This resolved my users iphone sync issue.
Also, I have notice for couple of users didn’t work with just making above changes I did additional changes below from http://support.microsoft.com/kb/2579075
Assign the Exchange Servers group the right to change permissions against msExchActiveSyncDevices objects. To do this, follow these steps:
- Start Active Directory Users and Computers.
- Click View, and then click to enable Advanced Features.
- Right-click the object where you want to change the Exchange Server permissions, and then click Properties.Note You can change permissions against a user, an organizational unit, or a domain.
- On the Security tab, click Advanced.
- Click Add, type Exchange Servers, and then click OK.
- In the Apply to box, click Descendant msExchActiveSyncDevices objects.
- Under Permissions, click to enable Modify Permissions.
- Click OK three times.
Also Make sure the user has inherited permission granted to domain\Exchange Servers to
allow List, Create child, Delete child of object type “msExchActiveSyncDevices” and
doesn’t have any deny permissions that block such operations.
UPDATE: If you still can’t get the device to connect you may be exceeding number of ActiveSync Devices for mailbox, maybe check this first how many devices are doing sync, for Exchange 2010 open Exchange Management Console -> Select Mailbox then -> Mange Mobile phone.
Remove all devices that haven’t tried to sync in the past 30 days:
Get-ActiveSyncDevice -ResultSize unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-30)}| Remove-ActiveSyncDevice
When you get error use force:
foreach-object {Remove-ActiveSyncDevice ([string]$_.Guid) -confirm:$false}
You can use it like this:
$DevicesToRemove = Get-ActiveSyncDevice -result unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSuccessSync -le (Get-Date).AddDays("-30")} $DevicesToRemove | foreach-object {Remove-ActiveSyncDevice ([string]$_.Guid) -confirm:$false}
Remove single mailbox devices that haven’t tried to sync in the past 30 days:
$DevicesToRemove = Get-ActiveSyncDevice -Mailbox shiraj.ali -result unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSuccessSync -le (Get-Date).AddDays("-30")} $DevicesToRemove | foreach-object {Remove-ActiveSyncDevice ([string]$_.Guid) -confirm:$false}
Categorised as: Exchange, Microsoft
[…] Source: Exchange 2010 & iPhone Active Sync Issue « Memorise […]