Windows Mobile 6.1 Sync Error
- Support Code 0x85030022
'The Server you are synchronizing with is not an Exchange Server, or is running incompatible software. Choose Configure Server on the ActiveSync menu to specify the correct server.'
Users went from 2007 to 2010, same access setting (ActiveSync URL)
All Replies
- New Error - Your Account on Microsoft Exchange Server does not Have Permission to synchronize with your current Settings
We did before double checked the AS Policy and Users are enabled
- Is your user account a member of an AD protected group (aka Domain Admins, Enterprise Admins, etc...)? If it is, then inheritable permissions probably got turned off and you'll need to remove the account from the protected group and enable inherited permissions.
Brian Day / MCSA / CCNA, Exchange/AD geek.
- Proposed As Answer by Brian Day, Saturday, October 24, 2009 12:09 AM
Is this new and by design? Was it in the deployment and coexistence docs I read? Because if so this has a huge impact on our agency, which leaves us with returning to 2007 or not using Exchange at all. In fact I see this inheritable permissions impacting other functions as well - because of certain sec pols in place at our agency I can't just remove certain users from a group.
Fortunately (or unfortunately depends on the view) the error is reported for all users not just the admins
GeoffM are you saying you have most of your users in AD protected groups? That would be against AD best practices in the first place.
Brian Day / MCSA / CCNA, Exchange/AD geek.
- No, I'm saying it's being reported by users not in AD protected groups, the very same error - well, let me correct that, they aren't in any KNOWN AD protected group. To accommodate the 2010 Exchange we also upgraded our DCs from 2008 to 2008 R2; normally we review such changes like we did when we went from 2003 DC to 2008 but haven't as yet....
- Okay, reviewed - these users are in a REMOTE ACCESS group and a MOBILE ACCESS group, basically group & policy to permit mobile and remote access, and other than a couple of supervisor-level permission groups to some read-only folders they are standard users
- Additional Info - https://www.testexchangeconnectivity.com/

Testing Exchange ActiveSync Exchange ActiveSync test Failed 
Test Steps 
Attempting to resolve the host name webmail.DOMAINS.net in DNS. Host successfully resolved 
Additional Details IP(s) returned: 216.xx.xxx.xxx 
Testing TCP Port 443 on host webmail.DOMAINS.net to ensure it is listening and open. The port was opened successfully. 
Testing SSL Certificate for validity. The certificate passed all validation requirements. 
Test Steps 
Validating certificate name Successfully validated the certificate name 
Additional Details Found hostname webmail.DOMAINS.net in Certificate Subject Common name 
Testing certificate date to ensure validity Date Validation passed. The certificate is not expired. 
Additional Details Certificate is valid: NotBefore = 10/23/2009 7:25:50 PM, NotAfter = 8/31/2012 7:53:44 PM" 
Testing Http Authentication Methods for URL https://webmail.DOMAINS.net/Microsoft-Server-Activesync/ Http Authentication Methods are correct 
Additional Details Found all expected authentication methods and no disallowed methods. Methods Found: Basic 
Attempting an ActiveSync session with server Errors were encountered while testing the ActiveSync session 
Test Steps 
Attempting to send OPTIONS command to server Testing the OPTIONS command failed. See Additional Details for more info

Additional Details An HTTP 403 was received because ISA denied the specified URL
Nothing's really changed on our ISA; we swapped out the cert, confirmed the PATHS, and every other service that is supposed to work does from the outside. I really really want to resolve this - guess it's time to get Microsoft directly involved, but that's what Enterprise Agreements and TechNet Plus Subs are for :)
Is your user account a member of an AD protected group (aka Domain Admins, Enterprise Admins, etc...)? If it is, then inheritable permissions probably got turned off and you'll need to remove the account from the protected group and enable inherited permissions.
Brian Day / MCSA / CCNA, Exchange/AD geek.
Okay, I fixed most of my problem. However, I do want to get back to your statement about inheritable permissions and what you think I need to do. Exchange should not be checking for inheritable permissions, that's not its function, it should only check for necessary rights; there are way too many scenarios where this will break. I want to hear from Microsoft if this is a flaw or by design..
W/O inheritable permissions enabled, Exchange does not have the necessary permissions over that user object to sync a phone because Exchange creates a container under that user object to store data about the mobile device. You can disable inheritable permissions if you want, but it'll take extra work to make sync'ing work. You might be able to enable it, ensure AD replication completes, have the user sync once, then disable it again. As long as Exchange has the rights to create that container when the initial partnership is created it *might* be ok, but then wouldn't be able to update anything within that container going forward.
For members of protected groups you're dealing with the AdminSDHolder ACL set being written over the current ACL set of those users (which one of the items is removing inheritance) every hour.
http://support.microsoft.com/kb/232199/
Brian Day / MCSA / CCNA, Exchange/AD geek.
- Proposed As Answer by Brian Day, Friday, October 30, 2009 9:59 PM
- Marked As Answer by GeoffM - MCP, Tuesday, November 03, 2009 1:50 AM
- So let's be clear: when you say Exchange you're talking about 2010, because this was not the case in 2007 (I am familiar with AdminSDHolder, it's been there since AD was born as your KB points out). Since Exchange 2K10 needs just to write the container values, then applying inheritable permissions and syncing is all that's required - as I've been testing these last 3 days the "Sync" remains even though the account has reset to no inheritable permissions - I still don't believe that this is one check that Exchange needs to make as long as access rights and Policy(s) dictate users' right to access or not - next time I head south for the next usability study I'll make sure I bring it up..
Yes, this is new to 2010. It has been exposing a lot of bad practices in general. :)
Try deleting your mobile device partnership and reestablishing it now that inheritance is disabled, I'm curious to see what happens.
The long of it is, as long as Exchange has the permissions (through inheritance or not, doesn't matter) then sync'ing should work. Some organizations have to disable inheritance for certain security policies and they just have to then manually script the perms for Exchange to be able to do its thing.
Brian Day / MCSA / CCNA, Exchange/AD geek.
- I did just that, in fact I reflashed my TP2 now that the SPLUnlock is out; now I'm running WM 6.5, I added the Exchange Server and no issues
Possible or Partial Answer for Mobile Exchange Users without Inheritable Permissions
- When the user(s) are ready, enable "Allow Inheritable Permission" under AD Users > Security > Advanced
- Have the User or Admin Create Server Source and Sync Device - Confirm Download of Items
- Let AD alone; it will return the inheritable permissions to off in the next AD Replication (About an Hour by default)
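
To see which accounts are affected by the behaviour discussed in this thread, the following audit lists users whose ACL has inheritance disabled and whether an AdminSDHolder-protected group explains it. This is an added example, not code from the posters or from Microsoft; it assumes the ActiveDirectory PowerShell module and a single domain, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# (RSAT / Windows Server 2008 R2 or later) and PowerShell 3.0+.
Import-Module ActiveDirectory

# Escape characters that are special inside an LDAP filter value.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Hypothetical helper: users with inheritance disabled, and the likely reason.
function Get-InheritanceBlockedUser {
    param(
        # Assumption: search the current domain unless an OU DN is given.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount, nTSecurityDescriptor |
        # AreAccessRulesProtected is $true when "include inheritable permissions" is unticked.
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        ForEach-Object {
            # Transitive (nested) membership in groups stamped adminCount=1,
            # resolved with the LDAP_MATCHING_RULE_IN_CHAIN OID.
            $dn = ConvertTo-LdapFilterValue $_.DistinguishedName
            $filter = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"
            $groups = @(Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty Name)

            if ($groups.Count -gt 0) {
                # AdminSDHolder will overwrite the ACL again on its next run.
                $status = 'Protected (AdminSDHolder re-applies ACL)'
            } elseif ($_.adminCount -eq 1) {
                # Left a protected group earlier (flag and ACL are not reset
                # automatically), or protected by default, e.g. krbtgt.
                $status = 'adminCount=1, no protected group found'
            } else {
                $status = 'Inheritance disabled manually'
            }

            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Status          = $status
                ProtectedGroups = $groups -join ', '
            }
        }
}

Get-InheritanceBlockedUser | Sort-Object Status, SamAccountName | Format-Table -AutoSize
```

Accounts in the first category lose inheritance again after each AdminSDHolder pass, which matches the roughly hourly reset described above; the other two categories keep whatever setting an administrator applies.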


