Solution: iPhone (smartphone) ActiveSync users are not able to connect to Exchange 2010 CAS ActiveSync after migrating from Exchange 2007 CAS ActiveSync

Author: Zahir Hussain Shah
Tag: ActiveSync transitioning from Exchange 2007 to Exchange 2010 | iPhone 4 is not working after migrating a user from Exchange 2007 to Exchange 2010



Problem Statement:

Recently I faced this problem: a user had been configured for ActiveSync against the Exchange 2007 CAS (EAS) and was working fine, but the moment we moved these accounts to Exchange 2010, the users who had configured their smartphones for ActiveSync while their mailboxes were on Exchange 2007 were no longer able to connect to Exchange 2010. New users created directly on Exchange 2010, however, connect to the Exchange 2010 CAS ActiveSync without any problem. So what is the mystery here???

It was also noticed that this issue occurs especially for users who are members of privileged groups, such as Domain Admins.


Symptoms:

After moving a user from Exchange 2007 to Exchange 2010, when you try to configure the user's iPhone or any other smartphone ActiveSync profile, the user receives the error “Cannot connect to Server”, and the Exchange 2010 CAS server logs events for this user.

Cause:
As stated in the problem statement, this problem mostly affects users who are members of Domain Admins and other built-in administrative groups. What stops ActiveSync from working for these accounts after the migration from Exchange 2007 to Exchange 2010 is the following: because these users are members of protected groups such as Domain Admins, Active Directory by default protects their accounts through the AdminSDHolder object, which stamps its permissions onto these accounts and blocks permission inheritance from parent objects. When you move the user's mailbox from Exchange 2007 to Exchange 2010, Exchange 2010 tries to write new values to the user account in Active Directory; the AdminSDHolder permissions prevent Exchange 2010 from writing or updating those values, and therefore the user has problems configuring an iPhone or any other smartphone for ActiveSync after being migrated to Exchange 2010.


Solution:
Follow the steps below to fix the ActiveSync issue for users who were migrated from Exchange 2007 to Exchange 2010.

1) Open the Active Directory Users and Computers snap-in.
2) Browse to the user who is facing this problem and open the user's properties.
3) User Properties

4) Click the Security tab in the user properties window and click the Advanced button.

5) In the Advanced Security Settings window for the user account, check “Include inheritable permissions from this object’s parent”.

By checking the “Include inheritable permissions from this object’s parent” box on the affected user's Security page, the user now inherits all permissions from the parent object, and the next time you try to configure the iPhone or any other mobile device, you will get SUCCESSFUL results!!! :)

Note:
The AdminSDHolder process (SDProp) runs every hour and will clear the “Include inheritable permissions from this object’s parent” checkbox on all administrative user accounts, so if you want to add any other ActiveSync device for yourself, you have to check this box again.
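The procedure above, as an added PowerShell example that is not from the original post: it reports whether an account carries the AdminSDHolder marker (adminCount=1) and whether permission inheritance is blocked, then re-enables inheritance exactly as the checkbox does. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine, and 'jdoe' is a constructed placeholder account name.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) on a domain-joined host; 'jdoe' is a constructed placeholder.
Import-Module ActiveDirectory

# Direct membership in the default AdminSDHolder-protected groups (not transitive).
$ProtectedGroupPattern = '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators|' +
                         'Account Operators|Server Operators|Print Operators|Backup Operators),'

function Get-EasInheritanceState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, memberOf
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    [pscustomobject]@{
        User               = $user.SamAccountName
        # adminCount=1 means SDProp has stamped the AdminSDHolder descriptor on this account
        ProtectedBySdProp  = ($user.adminCount -eq 1)
        # True when "Include inheritable permissions from this object's parent" is unchecked
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ProtectedGroups    = @($user.memberOf | Where-Object { $_ -match $ProtectedGroupPattern })
    }
}

function Enable-UserAclInheritance {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    $path = "AD:\" + $user.DistinguishedName
    $acl  = Get-Acl -Path $path
    if ($acl.AreAccessRulesProtected) {
        # $false: stop blocking inheritance; $true: keep the explicit ACEs already on the object
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
    # SDProp will re-block inheritance within about an hour while the account stays protected
    Get-EasInheritanceState -SamAccountName $SamAccountName
}

$before = Get-EasInheritanceState -SamAccountName 'jdoe'
$before | Format-List
if ($before.ProtectedBySdProp -and $before.InheritanceBlocked) {
    Enable-UserAclInheritance -SamAccountName 'jdoe' | Format-List
}
```

Run Get-EasInheritanceState again an hour later to confirm that SDProp has re-blocked inheritance while the account remains in a protected group; that is the expected state described in the note above.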

I hope this article fixes your problem and helps you transition your legacy messaging environment smoothly.

Cheers!

Zahir Hussain Shah
Infrastructure Practice Consultant – Messaging Solutions
MCSE, MCTS, MCTIP Enterprise Administrator, ITIL
Blog: http://zahirshahblog.com | LinkedIn | Twitter


About Zahir Hussain Shah

Systems Infrastructure Consultant, Systems Solution Architect, Senior Systems Engineer. Certifications: MCSE, MCTIP Enterprise Administrat

Posted on 06/05/2011, in Exchange 2010. Bookmark the permalink. 33 Comments.

  1. I’ve been at this migration for a few hours and stuck on this ActiveSync issue and came across this.
    Thanks for posting this, saved me a lot of time. Yet another reason to not use domain admin accounts for “regular use”.

  2. Thank you John, for your appreciation.

    Zahir

  3. Thanks for the writeup. I ran into this problem migrating from 2003 to 2010.

  4. Thanks Billy for appreciation.

    Zahir

  5. Quratulain Maqsood

    Hi Zahir, I had been trying to fix this issue for a month and was not able to find a solution at all; when I finally looked at this solution, it worked quite well and fixed my problem. Thank you. I also checked the other articles; they are quite interesting, as they are solution oriented.

    Good work dude!

  6. When the AdminSDHolder process runs, won’t it also strip the inheritable permissions that had been applied and revert the permissions back to the protected account permissions, as well as uncheck the box? Will this then cause ActiveSync to fail again on the device?

  7. Yes, it unchecks the inheritable permission box and also applies the protected account permissions, which causes a failure when you configure your account on any new device, or first remove the mobile partnership and try to join it again, because the AdminSDHolder process runs periodically and performs its operations.

    • Having trouble understanding: after you do the inheritable procedure and AdminSDHolder runs, will the ActiveSync/iPhone still function at that point, or will it stop again? Which basically means you have to take the user out of the Domain Admins group? Please confirm which it is: will it keep working, or do you have to remove the user from Domain Admins?

      • Without setting up the proper permission again, if you don’t remove the user from the Domain Admins group, it won’t allow you. So you could remove it, first attempt to sync (set up) the mail account on the phone, and then add it back. This is the same with the permission; since it is default behavior, you have to do this every time you want to add a new mobile device for a user.

    • Sorry, I am being a little thick on understanding. What I am asking is: once the inheritable procedure is done and the iPhone is syncing properly, about an hour later the AdminSDHolder process will run. Will this break the syncing process for the iPhone I just set up, even if I keep the user in the Domain Admins group?

      • The answer is “NO”. If you are all set with the permission settings and you successfully configured the iPhone for the mailbox, then even if the user is later added to a protected group like “Domain Admins”, the EAS association with the mobile device stays intact; it won’t be removed when the AdminSDHolder operations kick in.

  8. Interesting issue. Exactly the problem I was having. Thank you.

  9. Very nice tip.
    Thanks!

  10. Good work Zahir – Thanks for saving everyone a ton of time… Tahir.

  11. However, what the article is missing is that once you follow the steps listed, the affected account has to be removed from any protected groups permanently; otherwise the ActiveSync issue returns within an hour. How do we sync an iPhone now without creating two accounts, one for regular use and one with admin privileges for admin work?

  12. Hi Tahir,

    To make it simple, let’s say my AD user 008877@domain.com is added to the Domain Admins Active Directory security group, and I just bought a new iPhone and want it connected / configured for Microsoft Exchange. Since my user is part of the Domain Admins group, the above scenario will affect it, so what I will do is set the inheritance security setting check-box and then configure my iPhone, and it will get successfully connected to Exchange.

    Second scenario: I already have one and I just bought a new one, so I will do the same inheritance security setting as above, and will also be able to add the second iPhone for my Exchange account.

  13. Thanks

  14. DaveHouston

    Saw this problem with old users that were moved from one OU to another OU; they lost the ability to attach new Droid phones. Users that were not moved were syncing properly to iPads, Droids & iPhones without issue. Went line by line through the Attributes tab of a working and a broken user to determine differences, assumed their old BlackBerry USB sync values were still buried in their user attributes and were preventing a new sync with the Exchange 2010 server.

    Solution: Move the users back into their original active directory OU and they are adding new devices and syncing properly.
    fwiw, DaveHouston

  15. javid sididqi

    Dear Zahir,
    We are transitioning Exchange 2007 to 2010. My mailboxes are on an Exchange 2007 Mailbox server and the CAS is Exchange 2010. Smartphones such as iPhones or Android are unable to access their mailbox if it exists on 2007. However, if I move it to 2010 they can access it. Laptops or PCs can access OWA irrespective of the location of the mailbox, i.e. either on 2007 or 2010. Please advise.

    • Hi Javid,

      Make sure your Exchange 2010 CAS server EAS and other CAS virtual directories are configured correctly for proxying or redirecting, wherever needed.

      Try to keep your Exchange 2010 EAS virtual directory empty and give it a try. I have seen in most places that the iPhone has problems but Android works fine. For fixing this problem, you have to read about how and when Exchange Server proxies / redirects requests. Check out this… http://blogs.technet.com/b/exchange/archive/2007/09/05/3403852.aspx

      • javid sididqi

        Dear Zahir,

        My only concern now is BlackBerry devices not redirecting to Legacy; however, iPhones and computers are doing so. I read one blog that says BlackBerry doesn’t use ActiveSync, hence it’s not possible to redirect.
        http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/90822b1a-3a58-428b-a294-14ae6a33479e/

        We don’t have BES either; however, we have a large number of BlackBerry users. Could you please advise a workaround in this regard?

        Regards
        Javid

      • It is indeed true that BlackBerry doesn’t work on the Microsoft ActiveSync protocol, and hence it will not be redirected to the legacyExchange FQDN.

        However, in this case, where you have a large number of BlackBerry users, and since you have transitioned your external client connectivity from Exchange 2007 to Exchange 2010, and a few users are not able to be redirected to legacyExchange, what you can do is move all these BES users to Exchange 2010 in one move, so there will be less pain.

  16. shawn Bryson

    Your statement about BlackBerry users being unable to connect to Exchange 2010 and legacy Exchange servers is missing a bit of research on what type of Exchange configurations are failing.

    With your Exchange servers configured to run in parallel properly, and the BESAdmin account having full rights on both servers, I experienced no issues in my 3 years of running this configuration.

    Use the DSACLS script to validate that the BESAdmin account has rights.

    Complete the following steps to apply this workaround: BlackBerry Article ID: KB04707

    Log in to a domain controller for the network.
    Ensure that the DSACLS utility is installed on the computer that the workaround would be applied on.
    Open the Notepad.exe application.
    Copy and paste the following commands into Notepad:
    dsacls "cn=adminsdholder,cn=system,dc=domain,dc=local" /G "\SELF:CA;Send As"
    dsacls "cn=adminsdholder,cn=system,dc=domain,dc=local" /G "\SELF:CA;Receive As"
    dsacls "cn=adminsdholder,cn=system,dc=domain,dc=local" /G "\SELF:CA;Change Password"
    dsacls "cn=adminsdholder,cn=system,dc=domain,dc=local" /G "\SELF:RPWP;Personal Information"
    dsacls "cn=adminsdholder,cn=system,dc=domain,dc=local" /G "\SELF:RPWP;Phone and Mail Options"
    dsacls "cn=adminsdholder,cn=system,dc=domain,dc=local" /G "\SELF:RPWP;Web Information"
    dsacls "cn=adminsdholder,cn=system,dc=domain,dc=local" /G "\BESAdmin:CA;Send As"

    Replace the following text in Notepad:
    On the last line, replace BESAdmin with the name of the BlackBerry server account if different than the default of BESAdmin
    On all lines, replace dc=domain,dc=local with the name of the Windows domain
    For example, if the Windows domain is eastern.mycompany.local, the new text would be dc=eastern,dc=mycompany,dc=local.

    To locate the name of the domain, find the domain node in the Active Directory Users and Computer tree list. The domain should read or similar.

    Save the file as SendAsFix.bat and exit Notepad.

  17. Devon Brown

    Thank you very much for your post, I was beating my head against the wall trying to figure out what the issue was……..very much appreciated!!

  18. Chris Unnewehr

    This was a great help; I have been pulling my hair out for the past two days. I just took on a new network admin job, and the person that set my account up set me up as a domain admin. I have been meaning to strip my permissions back but never got around to it. Thanks for this info on this problem; it’s the only one out there on the web that I could find.

  19. You realize thus considerably on the subject of this subject, made me for my part consider it from a lot of numerous angles. Its like men and women are not fascinated unless it’s something to do with Girl gaga! Your individual stuffs outstanding. At all times care for it up!

  20. Hello, your method does work but I still have an issue.
    There are 3 administrators, including me, in our company and I did what you did.
    One administrator is ok and the other two still have the old issue.
    Would you please give us some advice regarding this?

  21. I have been surfing online more than 2 hours today, yet I never found any interesting article like yours.
    It’s pretty worth enough for me. Personally, if all web owners and bloggers made good content as you did, the web will be a lot more useful than ever before.

  1. Pingback: Microsoft Exchange Server ActiveSync Troubleshooting | Exchange Server ActiveSync Reporting Script | iPhone iOS 4.0 ActiveSync Connectivity Issues | Exchange ActiveSync Server failed to communicate with the Exchange mailbox server in a timely manner &laqu

  4. Pingback: Righteous Hack » Exchange Active Sync Fails After Transition From 2003 to 2010
