http://blog.nick.mackechnie.co.nz/post/2009/11/20/Exchange-2010-Active-Sync-Issue.aspx
Hi All,
I’ve spent the last few days migrating to Hyper-V, SQL 2008, Windows Server 2008 R2 and Exchange 2010 from 3 machines - Windows Server 2003, SQL 2005 and Exchange 2003. The last thing I had to turn on/get going was Active-Sync for syncing mail with home via a mobile device. This failed miserably, as per the below event log on my Exchange 2010 Server.
Log Name: Application
Source: MSExchange ActiveSync
Date: 11/20/2009 12:23:07 PM
Event ID: 1053
Task Category: Configuration
Level: Error
Keywords: Classic
User: N/A
Computer: <server>.thenet.gen.nz
Description:
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=<name>,OU=<OU Name>,DC=thenet,DC=gen,DC=nz" container under Active Directory user "Active Directory operation failed on <server>.thenet.gen.nz. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.
Details:%3
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange ActiveSync" />
<EventID Qualifiers="49156">1053</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-11-19T23:23:07.000000000Z" />
<EventRecordID>9577</EventRecordID>
<Channel>Application</Channel>
<Computer><server>.thenet.gen.nz</Computer>
<Security />
</System>
<EventData>
<Data>CN=<name>,OU=<OU Name>,DC=thenet,DC=gen,DC=nz</Data>
<Data>Active Directory operation failed on
<server>.thenet.gen.nz. This error is not retriable. Additional
information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
</Data>
</EventData>
</Event>
The workaround was pretty simple, however it took me some time trolling through external and internal Knowledge Base Articles. I came across this article, however it didn’t seem to address the issue.
Here’s how I managed to get it sorted -
On a Domain Controller, Click on Start/All Programs/Administrative Tools/Active Directory Users and Computers
Click on View and Select Advanced Features
Select a mailbox that isn’t working with Active Sync, double click on the account, Select the Security Tab and then the Advanced Button.
Select Exchange Servers, and tick the Include inheritable permissions toggle then Apply and OK.
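The same check and change can be scripted across many mailboxes. The following is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module is available, and `$SearchBase` is a placeholder built from the redacted DN in the event text.

```powershell
# Added example: audit and re-enable ACL inheritance on user objects.
# Assumes the ActiveDirectory module (RSAT); run with rights to modify the users' ACLs.
Import-Module ActiveDirectory

# Placeholder: replace with the OU that holds the affected mailboxes.
$SearchBase = 'OU=<OU Name>,DC=thenet,DC=gen,DC=nz'

# 1. Audit: users whose DACL is protected, i.e. "Include inheritable
#    permissions" is unticked, so the Exchange Servers ACEs never arrive.
$blocked = Get-ADUser -SearchBase $SearchBase -Filter * `
        -Properties nTSecurityDescriptor, adminCount |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }

$blocked | Select-Object SamAccountName, adminCount, DistinguishedName |
    Format-Table -AutoSize

# 2. Fix: switch inheritance back on for each affected user.
foreach ($user in $blocked) {
    # Accounts flagged adminCount=1 are, or were, members of a protected group.
    # While still members, SDProp reapplies the AdminSDHolder ACL and
    # disables inheritance again, so skip them and review by hand.
    if ($user.adminCount -eq 1) {
        Write-Warning "$($user.SamAccountName): adminCount=1, skipped"
        continue
    }

    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # isProtected = $false turns inheritance on; the second argument is
    # ignored when isProtected is $false.
    $acl.SetAccessRuleProtection($false, $true)

    # -WhatIf only reports the change; remove it to apply.
    Set-Acl -Path $path -AclObject $acl -WhatIf

    # 3. Verify: count inherited ACEs granted to the Exchange Servers group.
    #    Stays at 0 until the change above has actually been applied.
    $inherited = (Get-Acl -Path $path).Access | Where-Object {
        $_.IsInherited -and $_.IdentityReference.Value -like '*\Exchange Servers'
    }
    '{0}: {1} inherited Exchange Servers ACE(s)' -f `
        $user.SamAccountName, @($inherited).Count
}
```

Run the audit step first and review the list before removing `-WhatIf`: inheritance is sometimes disabled on purpose, and re-enabling it applies every inheritable ACE from the parent OU, not only the Exchange Servers entries.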
This issue is currently bugged and is likely to be fixed with an update in the future – It seems to be a symptom of ‘upgrading’.
Nick.