Activesync fails after cross domain migration 2003 – 2010

  • Question

  • We are migrating users from Exchange 2003 in Domain B to Exchange 2010 in Domain A and everything works as it should except ActiveSync. The user is staying in Domain B; just the mailbox is moving to an Exchange 2010 server in Domain A.

    When I try to sync my iPhone it says “Cannot Get Mail The connection to the server failed.” When I try ExRCA I get the following:

    -----------------------------------------------------------------------------------------------

      An ActiveSync session is being attempted with the server.
     Errors were encountered while testing the Exchange ActiveSync session.
       Test Steps
       Attempting to send the OPTIONS command to the server.
     The OPTIONS response was successfully received and is valid.
       Additional Details


      Attempting the FolderSync command on the Exchange ActiveSync session.
     The test of the FolderSync command failed.
      Tell me more about this issue and how to resolve it

       Additional Details
     Exchange ActiveSync returned an HTTP 500 response.

     -----------------------------------------------------------------------------------------------

    I know this is classic "Include inheritable permissions from this object's parent" but my problem is the box is ticked on the problem user and it’s not a member of any Admin Groups.

    When a user from Domain A connects via ActiveSync it works fine but any user that has been migrated from Domain B does not. Looking in the Security tab in ADUC the user from Domain B does not have the Exchange Groups (Organisation Management, Exchange Trusted Subsystem, Exchange Windows Permissions, and Exchange Enterprise Servers) but adding them manually does not fix the issue. It won’t let me add Exchange Enterprise Servers but I have added the others with read access the same as a user that is working.

    What permissions am I missing?

     

    Monday, July 30, 2012 10:14 AM

Answers

  • I found the answer with help from this thread, an open call with Microsoft, and trial and error.

    So I needed to set ExchangeTrustedSubsystem permissions as I had done but I had only applied them to the object and not the object and descendants. Adding the ExchangeTrustedSubsystem to the object and the descendants fixed the issue for me.

    Thanks for your help everyone.

    Tuesday, July 31, 2012 4:19 PM
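
A read-only way to check the condition the answer describes, added here as an example (not code from the thread or from Microsoft): list the ACEs a principal holds on a user object and whether each applies to the object only or also to its descendants. The function name, the DN and the DC name are hypothetical placeholders.

```powershell
# Added example: read-only check, changes nothing in the directory.
# The DN, DC name and default principal are placeholders for your environment.
function Get-PrincipalAceScope {
    param(
        [Parameter(Mandatory = $true)] [string] $DistinguishedName,
        [Parameter(Mandatory = $true)] [string] $Server,
        [string] $Principal = 'Exchange Trusted Subsystem'
    )

    # Bind to the object on a DC of the user's own domain.
    $entry = [ADSI]"LDAP://$Server/$DistinguishedName"
    $sd    = $entry.psbase.ObjectSecurity

    # True means "Include inheritable permissions from this object's parent"
    # is unticked, so ACEs set higher up never reach this user.
    if ($sd.AreAccessRulesProtected) {
        Write-Warning "Inheritance is blocked on $DistinguishedName"
    }

    # Explicit and inherited ACEs, identities translated to DOMAIN\name.
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -like "*\$Principal" }

    if (-not $rules) {
        Write-Warning "No ACE for '$Principal' on $DistinguishedName"
        return
    }

    # InheritanceType 'None' is "This object only", the state the answer
    # describes as not working; 'All' is "This object and all descendant objects".
    $rules | Select-Object IdentityReference, AccessControlType,
        ActiveDirectoryRights, IsInherited, InheritanceType,
        @{ Name = 'ReachesDescendants'
           Expression = { $_.InheritanceType -ne 'None' } }
}

# Constructed sample values; compare a working Domain A user with a failing Domain B user.
Get-PrincipalAceScope -DistinguishedName 'CN=Test User,OU=Users,DC=domainb,DC=example' `
                      -Server 'dc1.domainb.example'
```

Running it against one working and one failing account shows the difference in `InheritanceType` and `IsInherited` side by side.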

All replies

  • What if you create a new account on Exch 2010 and test EAS?

    I assume 2010 is exposed for EAS?

    And you are sure about the admin membership?

    For the failed user check the IIS logs & see what that says?

    Are you publishing EAS?


    Sukh

    Monday, July 30, 2012 2:27 PM
  • Go over this blog; it covers AS issues I've encountered for 2003-2010 migrations.

    http://msexchangetips.blogspot.com/2012/04/exchange-2003-migration-to-exchange.html


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Monday, July 30, 2012 3:29 PM
  • Hi,
    Are you using Linked Mailboxes?

    You don't mention how you enter the logon credentials, but make sure you use UPN from Source Domain.

    Martina Miskovic

    Tuesday, July 31, 2012 8:09 AM
  • Thanks for the replies guys.

    In the logs I'm getting the following error when I'm trying to connect.

    DeviceType=iPhone&Cmd=Search&Log=V140_LdapC3_LdapL63_RpcC14_RpcL15_Cpo18796_Fet20033_Pk0_S110_Error:ADObjectWithNoSecurityDescriptor_Mbx:EXCHANGESERVER.DOMAINA.COM_Dc:DC1.DOMAINA.com_Throttle0_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f1%25%2cCAS%3a%24null%2f%24null%2f2%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F4b87cdaa-cd50-4494-aad2-93e6fe37c17d%2cNorm%5bResources%3a(Mdb)Mailbox+Database+1328929854(Health%3a-1%25%2cHistLoad%3a0)%2c(DC)DC1.DOMAINB.COM(Health%3a-1%25%2cHistLoad%3a0)%2c%5d_ 443 DOMAINB\TestUser (PublicIP) Apple-iPhone3C1/902.206 200 0 64 20423

    ActiveSync is working fine for users in Domain A so I'm thinking the users in Domain B are missing permissions as per Error:ADObjectWithNoSecurityDescriptor



    Tuesday, July 31, 2012 8:12 AM
  • Hi,
    Are you using Linked Mailboxes?

    You don't mention how you enter the logon credentials, but make sure you use UPN from Source Domain.

    Martina Miskovic

    I'm not using linked mailboxes as the two domains are in the same forest.

    The user credentials on the iPhone are entered for you. They ask for username and domain in separate fields.

    Tuesday, July 31, 2012 8:15 AM
  • Hi

    Please have a look at the link below

    http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx

    It said

    "If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked.  If you are experiencing a problem with members of these protected groups you should check the permissions on the AdminSDHolder object."

    Cheers


    Zi Feng

    TechNet Community Support

    Tuesday, July 31, 2012 8:25 AM
  • Ok, so you are only moving the mailboxes to DomainB so there's no migration involved.

    Have you prepared DomainB for Exchange 2010?
    You need to if you'll have users there with Exchange 2010 Mailboxes.

    Martina Miskovic

    Tuesday, July 31, 2012 8:33 AM
  • Hi

    Please have a look at the link below

    http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx

    It said

    "If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked.  If you are experiencing a problem with members of these protected groups you should check the permissions on the AdminSDHolder object."

    Cheers


    Zi Feng

    TechNet Community Support


    I think this has something to do with it as the "Exchange Servers" group does not have any permissions for the user object. I have added them manually for the test user but this still does not work.
    Tuesday, July 31, 2012 8:44 AM
  • Ok, so you are only moving the mailboxes to DomainB so there's no migration involved.

    Have you prepared DomainB for Exchange 2010?
    You need to if you'll have users there with Exchange 2010 Mailboxes.

    Martina Miskovic

    I am moving the mailbox from an Exchange 2003 server in Domain B to an Exchange 2010 Server in Domain A with the user staying in Domain B.

    Do you still need to prepare a domain for Exchange 2010 if it doesn't have an Exchange 2010 Server within it?

    Tuesday, July 31, 2012 8:46 AM
  • Do you still need to prepare a domain for Exchange 2010 if it doesn't have an Exchange 2010 Server within it?

    Yes, absolutely since the domain will have Exchange 2010 Mailboxes.

    Martina Miskovic

    Tuesday, July 31, 2012 8:47 AM
  • If the prep doesn't work then check a test user in ADUC, go to the properties>Security>Advanced and check the permissions for ExchangeTrustedSubsystem and see if it has msExchangeActiveSyncDevice & ...Devices.

    Sukh

    Tuesday, July 31, 2012 2:50 PM