Sunday, December 13, 2009

Exchange 2010 Migration - Part 3

Since my user account has been migrated to Exchange 2010, my iPhone ActiveSync is broken.

Existing Environment:
1 x Exchange 2007 SP2 (Mailbox)
1 x Exchange 2010 (CAS, Hub and UM)
1 x Exchange 2010 (Mailbox)

Part 3 - ActiveSync Issue

The following event is logged on the CAS server:

Exchange ActiveSync doesn't have sufficient permissions to create the "CN=User,OU=Users,DC=domain,DC=local" container under Active Directory user "Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: Access is denied.Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0".Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.

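It turns out that the AD user account is a member of a protected group (e.g. Domain Admins). Members of protected groups have permission inheritance disabled on their user object, so the inherited permissions granted to domain\Exchange Servers never reach it.
To fix this, remove the user from the protected group, then open the user's properties, go to Security > Advanced, and tick "Include inheritable permissions from this object's parent".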

I had to remove my Exchange account from my iPhone and re-add it back to make it work.
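The check and fix described above can be scripted. This is an added example, not part of the original post: it lists mailbox-enabled users whose ACL blocks inheritance, and re-enables inheritance on one account. It assumes the ActiveDirectory PowerShell module is installed; the function names `Get-MailboxUserWithBlockedInheritance` and `Enable-UserAclInheritance` are hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical helper: list mailbox-enabled users whose security descriptor
# has inheritance disabled, the condition that produces the ActiveSync error.
function Get-MailboxUserWithBlockedInheritance {
    # msExchMailboxGuid is populated on mailbox-enabled users.
    $filter = '(&(objectCategory=person)(objectClass=user)(msExchMailboxGuid=*))'
    Get-ADUser -LDAPFilter $filter -Properties adminCount, nTSecurityDescriptor |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName,
                      DistinguishedName,
                      @{ Name = 'AdminCount'; Expression = { $_.adminCount } }
}

# Hypothetical helper: the scripted equivalent of ticking
# "Include inheritable permissions from this object's parent".
# Remove the account from the protected group first; while it remains a
# member, AD re-applies the protected ACL and inheritance is disabled again.
function Enable-UserAclInheritance {
    param(
        [Parameter(Mandatory)]
        [string]$DistinguishedName
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    if (-not $acl.AreAccessRulesProtected) {
        Write-Verbose "Inheritance already enabled on $DistinguishedName"
        return
    }
    # isProtected = $false turns inheritance back on; the second argument
    # (preserveInheritance) is ignored when isProtected is $false.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

# Report affected accounts. AdminCount = 1 marks accounts that are, or once
# were, members of a protected group.
Get-MailboxUserWithBlockedInheritance |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# Fix a single account (DN taken from the event log text above):
# Enable-UserAclInheritance -DistinguishedName 'CN=User,OU=Users,DC=domain,DC=local'
```

Any account the report returns with AdminCount set is a privileged (or formerly privileged) account that also has a mailbox, which is worth reviewing in its own right.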
