This week we finally got around to upgrading our old Exchange 2003 server; fortunately we waited a few extra months and skipped Exchange 2007 in favour of 2010. The upgrade was handled by our friendly neighbour and new ISP, DGC. We did run into one problem after the upgrade that I expect others will face as well: some accounts, mine included, could no longer get iPhone ActiveSync to work. The phone only reported:

Cannot get mail. The connection to the server failed.

It had worked fine before the migration to 2010. I tried Microsoft's test service, the Microsoft Exchange Server Remote Connectivity Analyzer; it clearly indicated that something was wrong with my account, but suggested the cause was forms-based authentication being enabled, which it wasn't. The real cause was in the event log on our new Exchange 2010 server:

Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=Björn Sållarp,OU=Users,OU=Avantime Development,OU=Avantime Production,DC=avantime,DC=local” container under Active Directory user “Active Directory operation failed on KELLY.avantime.local. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
“.
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions that block such operations.

Details:%3

Right... This means the account lacks permissions in Active Directory. The reason is that my account is a member of a "protected group" (Domain Admins in my case). Active Directory's AdminSDHolder process (SDProp) periodically stamps the ACL of CN=AdminSDHolder,CN=System onto members of such groups, sets adminCount to 1 and disables permission inheritance on the object, so the inherited ACE that gives Exchange Servers rights on the user object is gone. This excellent blog post explains how to get the inherited permissions back: http://www.ffoutpost.net/2009/11/10/resolve-issues-with-activesync-not-working-in-exchange-2010 Remember to remove the account from the protected group before you enable inheritance, otherwise Active Directory will remove inheritance again within an hour or so (SDProp runs every 60 minutes by default). Note that removing the account from the group does not undo what SDProp already did: adminCount stays at 1 and inheritance stays disabled until you fix them yourself. The cleaner option is not to use a Domain Admin account for a day-to-day mailbox at all; the protection exists precisely so that delegated permissions on an OU cannot reach privileged accounts.
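The diagnose-then-repair sequence described above, as an added PowerShell example (this is not code from the original post or from the linked article). It uses the [ADSI] adapter instead of the ActiveDirectory module, so it runs on any domain-joined machine with PowerShell 2.0 or later. Assumptions: you run it as an account that may modify the user object; the user DN is a placeholder you replace with the real distinguishedName; the protected-group list is the default one for Server 2003 SP1 / Server 2008 domains. Without -Fix the function only reports.

```powershell
# Added example (not from the original post or the linked article): check a user whose
# ActiveSync fails with INSUFF_ACCESS_RIGHTS because SDProp stripped ACL inheritance,
# and optionally repair it. Uses the [ADSI] adapter; no ActiveDirectory module needed.
# Assumption: run with rights to modify the user object; the DN below is a placeholder.

# Default AdminSDHolder-protected groups (Server 2003 SP1 / 2008 era; assumption).
$ProtectedGroups = @("Account Operators", "Administrators", "Backup Operators",
                     "Domain Admins", "Domain Controllers", "Enterprise Admins",
                     "Print Operators", "Read-only Domain Controllers", "Replicator",
                     "Schema Admins", "Server Operators")

function Repair-ActiveSyncInheritance {
    param(
        [Parameter(Mandatory = $true)][string] $UserDN,   # e.g. "CN=Some User,OU=Users,DC=example,DC=local"
        [switch] $Fix                                     # without -Fix the function only reports
    )

    $user = [ADSI]"LDAP://$UserDN"
    $sec  = $user.psbase.ObjectSecurity

    # 1. The SDProp signature: adminCount = 1 and inheritance disabled on the object.
    $adminCount = [int]$user.psbase.Properties["adminCount"].Value
    $blocked    = $sec.AreAccessRulesProtected

    # 2. Transitive group membership via tokenGroups (SDProp honours nested membership).
    $user.psbase.RefreshCache(@("tokenGroups"))
    $groupNames = foreach ($sidBytes in $user.psbase.Properties["tokenGroups"]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { ($sid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1] }
        catch { $sid.Value }                              # unresolvable SID: keep it for the report
    }
    $stillProtected = @($groupNames | Where-Object { $ProtectedGroups -contains $_ })

    Write-Host "adminCount          : $adminCount"
    Write-Host "Inheritance blocked : $blocked"
    Write-Host "Protected groups    : $($stillProtected -join ', ')"

    if (-not $Fix) { return }

    # 3. Never re-enable inheritance while the account is still protected: SDProp
    #    (every 60 minutes by default) would simply strip it again.
    if ($stillProtected.Count -gt 0) {
        Write-Warning "Remove the account from $($stillProtected -join ', ') first, or move the mailbox to a non-privileged account."
        return
    }

    if ($blocked) {
        $sec.SetAccessRuleProtection($false, $true)   # isProtected=$false: inherit again; explicit ACEs are kept
        $user.psbase.CommitChanges()
    }
    if ($adminCount -eq 1) {
        $user.psbase.Properties["adminCount"].Clear() # drop the orphaned flag left behind by SDProp
        $user.psbase.CommitChanges()
    }

    # 4. Verify what the event log asked for: an Allow ACE for <domain>\Exchange Servers that
    #    includes CreateChild now applies to the user object (the object-class-specific
    #    check for msExchActiveSyncDevices is omitted here).
    $fresh = [ADSI]"LDAP://$UserDN"
    $rules = $fresh.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $exch  = $rules | Where-Object {
        $_.IdentityReference.Value -like "*\Exchange Servers" -and
        $_.AccessControlType -eq "Allow" -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild)
    }
    if ($exch) { Write-Host "OK: Exchange Servers can now create child objects under the user." }
    else       { Write-Warning "No CreateChild ACE for Exchange Servers reaches this user; check the parent OU's ACL." }
}

# Usage (placeholder DN):
#   Repair-ActiveSyncInheritance -UserDN "CN=Some User,OU=Users,DC=example,DC=local"        # report only
#   Repair-ActiveSyncInheritance -UserDN "CN=Some User,OU=Users,DC=example,DC=local" -Fix   # repair
```

Run it once without -Fix to see whether the account still sits in a protected group; only after that membership is gone does re-enabling inheritance stick, which is exactly the ordering the post warns about.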
