Exchange 2010 Active Sync Issue

Hi All,

I’ve spent the last few days migrating to Hyper-V, SQL 2008, Windows Server 2008 R2 and Exchange 2010 from 3 machines – Windows Server 2003, SQL 2005 and Exchange 2003. The last thing I had to turn on/get going was Active-Sync for syncing mail with home via a mobile device. This failed miserably, as per the below event log on my Exchange 2010 Server.

Log Name:      Application

Source:        MSExchange ActiveSync

Date:          11/20/2009 12:23:07 PM

Event ID:      1053

Task Category: Configuration

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      <server>.thenet.gen.nz

Description:

Exchange ActiveSync doesn’t have sufficient permissions to create the « CN=<name>,OU=<OU Name>,DC=thenet,DC=gen,DC=nz » container under Active Directory user « Active Directory operation failed on <server>.thenet.gen.nz. This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

« .

Make sure the user has inherited permission granted to domainExchange Servers to allow List, Create child, Delete child of object type « msExchangeActiveSyncDevices » and doesn’t have any deny permissions that block such operations.

Details:%3

Event Xml:

<Event xmlns= »http://schemas.microsoft.com/win/2004/08/events/event »>

  <System>

    <Provider Name= »MSExchange ActiveSync » />

    <EventID Qualifiers= »49156″>1053</EventID>

    <Level>2</Level>

    <Task>2</Task>

    <Keywords>0x80000000000000</Keywords>

    <TimeCreated SystemTime= »2009-11-19T23:23:07.000000000Z » />

    <EventRecordID>9577</EventRecordID>

    <Channel>Application</Channel>

    <Computer><server>.thenet.gen.nz</Computer>

    <Security />

  </System>

  <EventData>

    <Data>CN=<name>,OU=<OU Name>,DC=thenet,DC=gen,DC=nz</Data>

    <Data>Active Directory operation failed on <server>.thenet.gen.nz. This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

</Data>

  </EventData>

</Event>

The work around was pretty simple, however took me some time trolling through external and internal Knowledge Base Articles. I came across this article, however it didn’t seem to address the issue.

Here’s how I managed to get it sorted –

On a Domain Controller, Click on Start/All Programs/Administrative Tools/Active Directory Users and Computers

Click on View and Select Advanced Features

Select a mailbox that isn’t working with Active Sync, double click on the account, Select the Security Tab and then the Advanced Button.

Select Exchange Servers, and tick the Include inheritable permissions toggle then Apply and OK.

This issue is currently bugged and is likely to be fixed with an update in the future – It seems to be a symptom of ‘upgrading’.

Nick.