Activesync fails after cross domain migration 2003 â 2010
We are migrating users from Exchange 2003 in Domain B to Exchange 2010 in Domain A and everything works as it should except ActiveSync. The user is staying in Domain B just the mailbox is moving to an Exchange 2010 server in Domain A.
When I try to sync my iPhone it says Cannot Get Mail The connection to the server failed. When I try ExRCA I get the following
-----------------------------------------------------------------------------------------------
An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.
Test Steps
Attempting to send the OPTIONS command to the server.
The OPTIONS response was successfully received and is valid.
Additional Details
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Tell me more about this issue and how to resolve it
Additional Details
Exchange ActiveSync returned an HTTP 500 response.
-----------------------------------------------------------------------------------------------
I know this is classic "Include inheritable permissions from this object's parent" but my problem is the box is ticked on the problem user and its not a member of any Admin Groups.
When a user from Domain A connects via ActiveSync it works fine but any user that has been migrated from Domain B does not. Looking in the Security tab in ADUC the user from Domain B does not have the Exchange Groups (Organisation Management, Exchange Trusted
Subsystem, Exchange Windows Permissions, and Exchange Enterprise Servers) but adding them manually does not fix the issue. It wont let me add Exchange Enterprise Servers but I have added the other with read access the same as a user that is working.
What permissions am I missing?
July 30th, 2012 6:22am
What if you create a new account on Exch 2010 and test EAS?
I assume 2010 is exposed for EAS?
And you are sure about the admin membership?
For the failed user check the IIS logs & see what that says?
Are you publishing EAS?Sukh
Free Windows Admin Tool Kit Click here and download it now
July 30th, 2012 10:35am
Go over blog, covers AS issues I've encountered for 2003-2010 migrations.
http://msexchangetips.blogspot.com/2012/04/exchange-2003-migration-to-exchange.htmlJames Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 30th, 2012 11:37am
Hi,
Are you using Linked Mailboxes?
You don't mention how you enter the logon credentials, but make sure you use UPN from Source Domain.Martina Miskovic
Free Windows Admin Tool Kit Click here and download it now
July 31st, 2012 4:18am
Thanks for the replies guys.
In the logs I'm getting the following error when I'm trying to connect.
DeviceType=iPhone&Cmd=Search&Log=V140_LdapC3_LdapL63_RpcC14_RpcL15_Cpo18796_Fet20033_Pk0_S110_Error
:ADObjectWithNoSecurityDescriptor_Mbx:EXCHANGESERVER.DOMAINA.COM_Dc:DC1.DOMAINA.com_Throttle0_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f1%25%2cCAS%3a%24null%2f%24null%2f2%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F4b87cdaa-cd50-4494-aad2-93e6fe37c17d%2cNorm%5bResources%3a(Mdb)Mailbox+Database+1328929854(Health%3a-1%25%2cHistLoad%3a0)%2c(DC)DC1.DOMAINB.COM(Health%3a-1%25%2cHistLoad%3a0)%2c%5d_
443 DOMAINB\TestUser (PublicIP) Apple-iPhone3C1/902.206 200 0 64 20423
ActiveSync is working fine for users in Domain A so I'm thinking the users in Domain B are missing permissions as per Error:ADObjectWithNoSecurityDescriptor
July 31st, 2012 4:21am
Hi,
Are you using Linked Mailboxes?
You don't mention how you enter the logon credentials, but make sure you use UPN from Source Domain.
Martina Miskovic
I'm not using linked mailboxes as the two domains are in the same forest.
The user credentials on the iPhone are entered for you. They ask for username and domain in seperate fields.
Free Windows Admin Tool Kit Click here and download it now
July 31st, 2012 4:24am
Hi
Please have a look on below link
http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx
It said
"If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked. If you are experiencing a problem with members of these protected groups you should check the permissions on the AdminSDHolder
object."
CheersZi Feng
TechNet Community Support
July 31st, 2012 4:34am
Ok, so you are only moving the mailboxes to DomainB so there's no migration involved.
Have you prepared DomainB for Exchange 2010?
You need to if you'll have users there with Exchange 2010 Mailboxes.Martina Miskovic
Free Windows Admin Tool Kit Click here and download it now
July 31st, 2012 4:42am
Hi
Please have a look on below link
http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx
It said
"If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked. If you are experiencing a problem with members of these protected groups you should check the permissions on the AdminSDHolder
object."
Cheers
Zi Feng
TechNet Community Support
I think this has something to do with it as the "Exchange Servers" group does not have any permissions for the user object. I have added them manually for the test user but this still does not work.
July 31st, 2012 4:52am
Ok, so you are only moving the mailboxes to DomainB so there's no migration involved.
Have you prepared DomainB for Exchange 2010?
You need to if you'll have users there with Exchange 2010 Mailboxes.
Martina Miskovic
I am moving the mailbox from an Exchange 2003 server in Domain B to an Exchange 2010 Server in Domain A with the user staying in Domain B.
Do you still need to prepare a domain for Exchange 2010 if it doesn't have an Exchange 2010 Server within it?
Free Windows Admin Tool Kit Click here and download it now
July 31st, 2012 4:54am
Do you still need to prepare a domain for Exchange 2010 if it doesn't have an Exchange 2010 Server within it?
Yes, absolutly since the domain will have Exchange 2010 Mailboxes.Martina Miskovic
July 31st, 2012 4:56am
If the prep doesnt work then check a test user in ADUC, go to the properties>Security>Advanced and check the permissoins for ExchangeTrustedSubsystem and see if it has msExchangeActiveSyncDevice & ...DevicesSukh
Free Windows Admin Tool Kit Click here and download it now
July 31st, 2012 10:59am
I found the answer with help from this thread an open call with Microsoft and trial and error.
So I needed to set ExchangeTrustedSubsystem permissions as I had done but I had only applied them to the object and not the object and descendants. Adding the ExchangeTrustedSubsystem to the object and the descendants fixed the issue for me.
Thanks for your help everyone.
July 31st, 2012 12:28pm