Sunday, October 14, 2012

Active Sync Issues on Exchange 2010

I migrated 600 mailboxes from an Exchange 2003 server to a new Exchange 2010 server.  The next morning, when users got to work, some of them complained that email was not working on their mobile phones.  A newly created test account worked fine with ActiveSync, so the issue was narrowed down to either the user account migrated from Exchange 2003 or the mailbox itself.  The error I got when running the Exchange Remote Connectivity Analyzer (ExRCA) against a problematic user was as follows:

An ActiveSync session is being attempted with the server.

Errors were encountered while testing the Exchange ActiveSync session.

Test Steps

Attempting to send the OPTIONS command to the server.

The OPTIONS response was successfully received and is valid.

Additional Details
Headers received: Allow: OPTIONS,POST
MS-Server-ActiveSync: 14.2
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Public: OPTIONS,POST
Content-Length: 0
Cache-Control: private
Date: Mon, 15 Oct 2012 02:38:58 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET


Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.


Additional Details
Exchange ActiveSync returned an HTTP 500 response.

After investigating further, it turned out that the cause was incorrect security settings on the Active Directory user account: permission inheritance had been disabled on the migrated user object.  To resolve the problem I performed the following steps:

Open Active Directory Users and Computers and locate one of the users that is not working.  Double-click the account and click the Security tab (if this tab is not visible, click View --> Advanced Features in the menu at the top of the screen, then navigate back to your user).

Once on the Security tab, click the Advanced button and make sure that 'Include inheritable permissions from this object's parent' is ticked.  Click OK twice to close the user account.


In the user account properties, click the Advanced button.

In the Advanced Security window, select "Include inheritable permissions from this object's parent".


This will fix the problem for the account in question.

A Note for Administrator Accounts

If your account has administrative privileges in Active Directory, you may find that after enabling inherited permissions your account stops working again an hour later.  This happens because Active Directory uses the AdminSDHolder object to define the permissions that members of the default protected security groups receive.  You can change the inherited permissions, but a process called SDPROP runs, by default every 60 minutes, on the domain controller that holds the PDC emulator (PDCe) role.  It checks the ACL of the protected groups and of the users within those groups and resets their permissions (inheritance disabled) to match what has been defined on the AdminSDHolder object.

Microsoft's recommendation and best practice is that a domain administrator has 2 accounts: one for everyday use, restricted in the same way as every other user, and a second for the administration role.

The built in groups that are affected with Windows 2008 are:
Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators

The built in users that are affected with Windows 2008 are:
Administrator
Krbtgt
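The steps above are clicked through in ADUC one user at a time; with 600 migrated mailboxes it helps to find every affected account at once and to know in advance which ones SDPROP will reset. The PowerShell below is an added example written for this post, not the author's own script or a Microsoft tool. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it may modify the user objects, and that the OU path 'OU=Staff,DC=example,DC=com' is a placeholder you replace with your own. It lists users whose object has inheritance disabled, uses the adminCount attribute (which SDPROP stamps to 1 on accounts it protects) to flag the administrator case described in the note above, and re-enables inheritance only on the accounts SDPROP will leave alone.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module; the AD: drive it creates is used for Get-Acl / Set-Acl.
# 'OU=Staff,DC=example,DC=com' is a placeholder search base.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUser {
    # Returns users under $SearchBase whose ACL has inheritance disabled,
    # with a flag showing whether SDPROP has stamped them (adminCount = 1).
    param(
        [Parameter(Mandatory=$true)] [string] $SearchBase
    )
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount, nTSecurityDescriptor |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        ForEach-Object {
            New-Object PSObject -Property @{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                AdminCount        = [int]$_.adminCount
                # SDPROP will disable inheritance again on these within 60 minutes
                SdpropProtected   = ($_.adminCount -eq 1)
            }
        }
}

function Enable-UserAclInheritance {
    # Re-enables permission inheritance on one user object: the same change the
    # post makes through the ADUC Security tab. Skips SDPROP-protected accounts
    # unless -Force is given, because the change would be reverted anyway.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $User,  # object from Get-InheritanceBlockedUser
        [switch] $Force
    )
    process {
        if ($User.SdpropProtected -and -not $Force) {
            Write-Warning ("{0} has adminCount=1; SDPROP will undo this within 60 minutes. " +
                           "Use a separate non-admin account for mail instead.") -f $User.SamAccountName
            return
        }
        $path = "AD:\$($User.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # First argument $false = stop blocking inheritance;
        # second argument $true = keep the explicit ACEs already on the object.
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'Enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage: report first, then preview the change with -WhatIf before applying it.
$blocked = Get-InheritanceBlockedUser -SearchBase 'OU=Staff,DC=example,DC=com'
$blocked | Format-Table SamAccountName, AdminCount, SdpropProtected, DistinguishedName -AutoSize
$blocked | Enable-UserAclInheritance -WhatIf
```

Run it once with -WhatIf, check the table, then drop the switch to apply. Accounts reported as SdpropProtected are the administrator case from the note: the right fix there is the second, non-privileged account rather than fighting SDPROP. One caveat worth knowing: adminCount stays at 1 after a user is removed from a protected group, so an account can show as protected even though SDPROP no longer touches it; for those, re-enabling inheritance does stick, and clearing the stale adminCount value is the usual clean-up. After the change, re-run ExRCA (or the Exchange Management Shell cmdlet Test-ActiveSyncConnectivity) against the user to confirm the FolderSync step no longer returns HTTP 500.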

4 comments:

  1. That worked perfectly. Thanks!

  2. Another article mentioned that if you are an administrative user (as I am) to look at the AdminSDHolder object in Active Directory. I did that and set the inherited check box on it. Is this going to work or mess something up? Thanks for any thoughts.

  3. It works perfectly. Thanks a lot! I just wanted to share a link with you to be followed. Another nice piece of writing!