Today I spent some time working on my Exchange migration path. There were some concerns that needed to be addressed, some of which opened up the migration path I originally thought was best but put out of my mind due to …………… well, anyhow! I am back with an issue, and it seems this time it's mobile devices and ActiveSync.
After moving my mailbox over to EX2010 I noticed I was unable to sync my i777 or my iOS device. After a little frustration and some searching on Google, I only found posts that did not help me at all; in fact, some of them were instructing me to do things that would only waste my time.
Event Logs —
I decided to look in a place many of us system admin guys often forget to look: the event logs. I quickly noticed the following error event in the Application log:
Event ID: 1053
Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=Jermal Smith,OU=Users,OU=Information Technology,OU=*********,OU=*******,DC=******s,DC=*****” container under Active Directory user “Active Directory operation failed on ************. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchActiveSyncDevices” and doesn’t have any deny permissions that block such operations.
Now I have something I can use to search out a solution. I also recalled having a similar issue testing out Lync where my admin account did not have inherited permission granted. I then did the following:
On a Domain Controller or any member machine with the proper tools, click Start/All Programs/Administrative Tools/Active Directory Users and Computers.
Click on View and select Advanced Features.
Select a mailbox that isn’t working with ActiveSync, double-click the account, select the Security tab and then the Advanced button.
Select Exchange Servers, tick the Include inheritable permissions box, then click Apply and OK.
When this was completed, I went back to my mobile devices to check if they would now connect, and like magic (well, not so much magic) they were both working as I expected them to.
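The same check and fix can be scripted when more than one mailbox is affected. This is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, the function names are hypothetical, and the search base is a placeholder.

```powershell
Import-Module ActiveDirectory

# List mailbox-enabled users whose ACL has inheritance switched off,
# which is the condition behind the INSUFF_ACCESS_RIGHTS in Event ID 1053.
function Get-InheritanceBlockedMailboxUser {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(msExchMailboxGuid=*)' `
               -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object Name, DistinguishedName, adminCount
}

# Scripted equivalent of ticking "Include inheritable permissions".
# Supports -WhatIf so the change can be reviewed before it is made.
function Enable-AclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        if (-not $acl.AreAccessRulesProtected) { return }   # already inheriting

        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable ACL inheritance')) {
            # $false = not protected, so inherited ACEs flow down again
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Placeholder search base (assumption): replace with your own OU.
$base = 'OU=Users,DC=example,DC=com'

# 1. Audit first and review the list, paying attention to adminCount.
Get-InheritanceBlockedMailboxUser -SearchBase $base | Format-Table -AutoSize

# 2. Dry run of the fix; remove -WhatIf to apply it.
Get-InheritanceBlockedMailboxUser -SearchBase $base | Enable-AclInheritance -WhatIf
```

Accounts listed with adminCount = 1 are or were members of protected groups. For current members, AdminSDHolder will switch inheritance off again, so the fix does not persist for them.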