Exchange 2010 – iPhone ActiveSync issue

This week we finally got around to upgrading our old Exchange 2003 server; fortunately we had waited a few extra months, so we skipped Exchange 2007 and went straight to 2010. The upgrade was handled by our friendly neighbour and also our new ISP, DGC. We did encounter one problem after the upgrade that I assume others will face as well: some accounts, mine included, could not get iPhone ActiveSync to work, even though it had worked before the migration to 2010. The iPhone only reported:

Cannot get mail. The connection to the server failed.

I tried the test service from Microsoft, the Microsoft Exchange Server Remote Connectivity Analyzer, and it clearly indicated that something was wrong with my account, but it suggested the cause was forms-based authentication being enabled, which it was not. The real clue was this error in the event log on our new Exchange 2010 server:

Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=Björn Sållarp,OU=Users,OU=Avantime Development,OU=Avantime Production,DC=avantime,DC=local” container under Active Directory user “Active Directory operation failed on KELLY.avantime.local. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
“.
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions that block such operations.

Details:%3

Right. This means the user object lacks permissions in Active Directory: Exchange creates an msExchActiveSyncDevices container under each user's object the first time a device syncs, and the right to do that is granted to the Exchange Servers group as an inheritable permission on the domain. I figured out that because my account had been added to a "protected group" such as Domain Admins, Active Directory had removed the "inherit permissions" setting on my account. The mechanism is AdminSDHolder: the SDProp process on the PDC emulator runs every hour by default, stamps members of the protected groups with the AdminSDHolder ACL, sets adminCount=1 on them and switches inheritance off, so the Exchange Servers ACE never reaches the user object. This excellent blog post explains how to get the inherited permissions back: http://www.ffoutpost.net/2009/11/10/resolve-issues-with-activesync-not-working-in-exchange-2010. Remember to remove the account from the protected group before you enable inheritance, otherwise inheritance will be removed again by Active Directory within an hour or so. Removing the account from the group is not enough on its own: SDProp leaves adminCount=1 and inheritance disabled on objects that drop out of the protected groups, so both have to be reset by hand. If an account genuinely needs to stay in Domain Admins, the safer answer is a separate admin account for administration and a regular account for the mailbox, rather than weakening the protection on the admin account.
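As an added example (my own script, not part of the original post or the linked article), the same check and repair done from PowerShell instead of the ADUC Security tab. It lists every user SDProp has stamped with adminCount=1, reports whether ACL inheritance is blocked and whether the inherited Exchange Servers ACE is present, and for accounts that are no longer in any protected group it re-enables inheritance and clears adminCount. It assumes the ActiveDirectory RSAT module, the default protected-group names and the default "Exchange Servers" group name; adjust those for your forest.

```powershell
# Added example: find AdminSDHolder-stamped users, report ActiveSync-relevant ACL state,
# and repair the ones that are no longer members of a protected group.
# Assumptions: ActiveDirectory module available; run as an account allowed to change
# the security descriptor of the user objects; default group names.
Import-Module ActiveDirectory

# Default set of groups whose members SDProp protects (assumed; extend for your forest).
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'

# Build the set of DNs that are currently (recursively) members of a protected group.
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if ($grp) {
        Get-ADGroupMember -Identity $grp -Recursive |
            ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
    }
}

function Test-ActiveSyncAce {
    # $true if the user object carries an inherited ACE for the Exchange Servers group,
    # i.e. the permission the event log message says ActiveSync needs.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference -like '*\Exchange Servers' -and $_.IsInherited
    })
}

# SDProp sets adminCount=1 and never clears it, so this also finds orphaned ex-admins.
$stamped = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

foreach ($u in $stamped) {
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $stillProtected = $protectedMembers.ContainsKey($u.DistinguishedName)

    # Report before touching anything.
    [pscustomobject]@{
        User               = $u.SamAccountName
        InheritanceBlocked = $acl.AreAccessRulesProtected
        HasExchangeAce     = Test-ActiveSyncAce $u.DistinguishedName
        InProtectedGroup   = $stillProtected
    }

    if ($stillProtected) {
        # Re-enabling inheritance here is pointless: SDProp strips it again within the hour.
        continue
    }

    if ($acl.AreAccessRulesProtected) {
        # Turn inheritance back on and keep the explicit ACEs already on the object.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
    # Clear the SDProp stamp so the object is no longer an orphaned "admin" account.
    Set-ADUser -Identity $u -Clear adminCount
}
```

Run it once with the repair lines commented out to see the report; accounts that show InheritanceBlocked=True, HasExchangeAce=False and InProtectedGroup=True are the ones that cannot be fixed without first leaving the group (or moving to a separate admin account).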

15 thoughts on “Exchange 2010 – iPhone ActiveSync issue”

  1. HAHA ! YOU LEGENDDDDD

    I recently came back to work and while I was gone they had upgraded to exchange 2010. I was previously a domain admin and did not have inheritable permissions set on my account.

    I had been trying for about 6 hours, reloading software, checking settings, but after this post I went straight to my Active Directory account and saw that in my permissions ‘inherit permissions from parent object’ was unticked. I ticked it and began syncing straight away – you are a legend, thank you!!

  2. Hi guys, I have exactly the same issue, just the link here is broken. Can you help me getting around this problem?

    Thanks

    All you have to do is: right-click your user account in the Active Directory Users and Computers MMC, on the Security tab click Advanced, then tick the box next to "Include inheritable permissions…" and click OK.
    That’s all.

    Thanks.

  4. Hi,
    Thanks for the tip. It saved my day. Now I’m able to sync iPhone / Nokia to my Exchange 2010. Five stars *****

    Thanks Again.

  5. I administer 15 or so iPhones. Do I need to do this for ALL users, or just the user I log into Exchange with?

  6. I am a domain admin. I cannot do my job without being a member of the group. So can I not have my exchange account on my iPhone because of this issue? Surely there must be a way!

  7. Ryan, best practice would be to have a Domain Admin account and then a regular user account for yourself. Just log into the Domain Admin account when you need to do admin things. Use the regular account for day-to-day stuff. When you need to do admin things, many of the apps allow you to open them with the right-click "Run as…" option, where you would put in your admin credentials.

  8. What is being discussed here is the AdminSDHolder function. This affects a wide range of domain groups, although the one that comes up the most is Domain Admins.
    If you migrate, or fail to migrate, and you check that box, the required perms flow down into your account; that is why things start working. Simple enough.
    As to the “I need that group membership” – I agree with the second account advice. But know this also – after adminsdholder clears your account checkbox, the perms that flowed down are still there and your sync will still work.
    http://tsoorad.blogspot.com/2011/08/adminsdholder-with-exchange-and-lync.html may help you understand this in more detail.
    -John

  9. Worked like a charm, thanks! Now to get resources from a 2003 server to work with 2010 users who have been migrated…

  10. Oh my God… if it were in my hands, I would have given you a Nobel award for this finding…

  11. All –

    One thing that was tripping me up until I woke up (*laughs at self*) is that to get the ‘Security’ tab you need to go to View in ADUC and turn on Advanced Features. Just thought I’d share this. Otherwise, the solution that James posted is SPOT ON!!

    Charles
