SBS Activesync error

[HughSmith]

Hi, at a client site...

On 3rd December all of the Windows Mobile devices stopped syncing wirelessly. Before that they worked.

We have SBS2003 R2 Std fully patched with nothing unusual about the setup. Single NIC. RWW and OWA work correctly.

When a mobile device attempts a sync it either hangs on the connecting stage, or displays - server error.

The server App log displays Event 3005 Server ActiveSync

Unexpected Exchange mailbox Server error: Server: [WARM-SERVER.WarmMyHome.local] User: [testoma@warmmyhome.co.nz] HTTP status code: [501]. Verify that the Exchange mailbox Server is working correctly

I have re initiated all of the virtual directories under default website in IIS and reset the permissions as advised by MS.

When I try and run CEICW it always fails at the firewall stage - then completes the other components successfully.

ICWlog.txt relevant entries are:
...
calling RegisterMSBOExchangeBP (0).
Error 0x1 returned from call to RegisterMSBOExchangeBP().
....
calling ADsGetObject (LDAP://WARM-SERVER.WarmMyHome.local/CN=SmallBusiness SMTP connector,CN=Connections,CN=first routing group,CN=Routing Groups,CN=first administrative group,CN=Administrative Groups,CN=WARMMYHOME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=WarmMyHome,DC=local, IADs, 0x6e3cc).
Error 0x80072030 returned from call to ADsGetObject().
...
Call to Unpublishing the default web site () returned ok.
Error 0x80070003 returned from call to Fixing the inheritance for companyweb dir().
calling Set Web Publishing Rules (0x80070003).
Error 0x80070003 returned from call to CRFireCommit::Commit().
Calling CCertCommit::CommitEx
Calling CCertCommit::ValidatePropertyBag
Nothing is published, will not touch SSL Settings
*** CCertCommit::ValidatePropertyBag returned ERROR 1

NB::: This last series of errors repeats multiple times through the log.
...
calling RegisterMSBOExchangeBP (0).
Error 0x1 returned from call to RegisterMSBOExchangeBP().
...

IPCONFIG output is:

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : WARM-SERVER
Primary Dns Suffix . . . . . . . : WarmMyHome.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : WarmMyHome.local

Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC105i PCIe Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-23-7D-07-21-8D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.5.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.5.254
DNS Servers . . . . . . . . . . . : 192.168.5.5
Primary WINS Server . . . . . . . : 192.168.5.5

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.5.27
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

I've read lots of articles about the activesync error and the CEICW firewall error but none of the advice is working, or it is not applicable.

Any ideas because I'm about stumped?

Hugh

CEICW logs point to a busted companyweb (Intranet component). Do we really
use it ? If not then check if we have leftover for it in the registry as I
believe we tried removing it or re-doing it or we dont use it at all.
Look here for Intranet key-
HKLM\Software\Microsoft\Small business server
Above questions should give us a pointer.

Earlier you mentioned:


What article did you follow by Microsoft?

Also, it appears the ActiveSync errors may be due to IIS changes. You
earlier said ActiveSync worked up until Dec 3. Were the changes to IIS done
on Dec 3?

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

[HughSmith]

Thanks Ashish

Deleted the Intranet key under "HKLM\Software\Microsoft\Small business server" and re-ran CEICW without any errors.

However I am unsure what flow on effects deleting this entire key will have (it's backed up so can be restored if required).

Can still successfully browse to http://companyweb from the server - but have not rebooted yet as it's the middle of the day here.

First problem solved.

Am still getting the Activesync error though same as before.

Phone reports: Error in Exchange Server. Try again later.

Server app log reports: Server ActiveSync Event 3005

Unexpected Exchange mailbox Server error: Server: [WARM-SERVER.WarmMyHome.local] User: [testoma@warmmyhome.co.nz] HTTP status code: [501]. Verify that the Exchange mailbox Server is working correctly.

So now we are down to the ActiveSync error to fix.

Regards,

Hugh

[HughSmith]

Hi Ace, Thanks for the reply.

There were no changes made to the server at all on 2nd or 3rd of December.

The reason I say 3rd for the problem beginning is that it is the last date that any of the mobile devices report a successful sync with the server.

The steps I have followed to reset the IIS virtual directories are at http://www.msexchange.org/tutorials/...tallation.html .

Regarding the comments at http://www.eventid.net/display.asp?e...veSync&phase=1 ...

There are no host headers set on the Default Website.

IP Address is already set to All Unassigned.

The NIC only has one IP address and has always been like this.

My http error code
in the server app log is 501.
I have verified the IIS Directory security by checking them off against another SBS03 Server that is working correctly.

I have checked the directory security settings including Authentication and Access Control, IP Address and Domain Name Restrictions, and Secure Communications for...

Default Website
Exadmin
Exchange
exchange-oma
Microsoft-Server-ActiveSync
OMA
Public
Remote
RPC
RpcWithCert

and all are correct.

I ran through these steps as suggested on the eventid.net site...

1. Open up Systems Manager (Start -> All Programs -> Microsoft Exchange Systems Manager).
2. Look for the "Servers" folder and drill down.
3. If you have a Front-End/Back-End (FE/BE) scenario like me you will have to do this fix to both machines.
4. Drill down to the server you want and then to "Protocols HTTP Exchange Virtual Server".
5. Once you have drilled down there, right click on the "Microsoft-Server-ActiveSync" and click Delete.
6. Right click on the "Exchange Virtual Server", click New, and then Virtual Directory.
7. Under Microsoft-Server-ActiveSync -> "Exchange Path" click "Exchange ActiveSync".
8. Then OK out of it.

I have also verified that the reg key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters / ExchangeVDir
is correct (i.e. value = /exchange-oma)


Gave the server a reboot for good measure here.

Now activesync says... Your account does not have permission to sync with current settings. Contact your administrator.

Re-ran CEICW successfully.
Re-ran Remote Access Wizard successfully.

Tried Sync again. Back to... error in exchange server. Try again later, on the phone

and...

Server ActiveSync Event 3005
Unexpected Exchange mailbox Server error: Server: [WARM-SERVER.WarmMyHome.local] User: [testoma@warmmyhome.co.nz] HTTP status code: [501]. Verify that the Exchange mailbox Server is working correctly.

in the server app log.

Not sure where to go next.

Regards,

Hugh

[HughSmith]

Hi Ace,

Have run the Exchange Remote Connectivity Analyzer at https://www.testexchangeconnectivity.com/

Fails with an Http 500 error - output below

Testing Exchange ActiveSync
Exchange ActiveSync test Failed
Test Steps
Attempting to resolve the host name remote.warmmyhome.co.nz in DNS.
Host successfully resolved
Additional Details
IP(s) returned: 203.97.49.172

Testing TCP Port 443 on host remote.warmmyhome.co.nz to ensure it is listening and open.
The port was opened successfully.
Testing SSL Certificate for validity.
The certificate passed all validation requirements.
Test Steps
Validating certificate name
Successfully validated the certificate name
Additional Details
Found hostname remote.warmmyhome.co.nz in Certificate Subject Common name

Testing certificate date to ensure validity
Date Validation passed. The certificate is not expired.
Additional Details
Certificate is valid: NotBefore = 5/20/2009 5:06:37 AM, NotAfter = 5/20/2014 5:06:37 AM"



Testing Http Authentication Methods for URL https://remote.warmmyhome.co.nz/Micr...er-Activesync/
Http Authentication Methods are correct
Additional Details
Found all expected authentication methods and no disallowed methods. Methods Found: Basic

Attempting an ActiveSync session with server
Errors were encountered while testing the ActiveSync session
Test Steps
Attempting to send OPTIONS command to server
OPTIONS response was successfully received and is valid
Additional Details
Headers received: MicrosoftOfficeWebServer: 5.0_Pub
Pragma: no-cache
Public: OPTIONS, POST
Allow: OPTIONS, POST
MS-Server-ActiveSync: 6.5.7638.1
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,M oveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingRes ponse,ResolveRecipients,ValidateCert,Provision,Search,Notify,Ping
Content-Length: 0
Date: Sat, 12 Dec 2009 04:40:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET



Attempting FolderSync command on ActiveSync session
FolderSync command test failed
Tell me more about this issue and how to resolve it
Additional Details
Exchange ActiveSync returned an HTTP 500 response.

I followed the link in the test results to http://technet.microsoft.com/en-nz/l...EXCHG.80).aspx but I am not sure how this stuff relates to SBS (as I know SBS does some stuff to combine front-end and back-end into one box).

Any advice you have would be appreciated.

Thanks,

Hugh

You know, I had a feeling this was the issue. I was going to ask if you are
using Forms Based Authentication. I forgot, SBS is set to Forms Based by
default (IIRC). Therefore, you will have to follow Method #2 in the
following link. I had to set this on a few of my customer sites to get it to
work, but trying to think back, I believe they were non-SBS servers. I
thought the SBS wizard configures this for you?

Nonetheless, please read the following to understand what is going on, and
the fix for it.

Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or
forms-based authentication is required for Exchange Server 2003
http://support.microsoft.com/?kbid=817379

[HughSmith]

Hi Ace

I have followed the steps in http://support.microsoft.com/?kbid=817379, method 2.

When I got to step 8 of Create a secondary virtual directory for Exchange server I ran into an issue as the exchange-oma vdir already existed as a sub folder of Default Website in IIS, and I see further down in that article that SBS must use this name for OMA.

So I deleted the existing exchange-oma vdir from IIS and re-ran the whole process from the beginning of "Create a secondary virtual directory for Exchange server" onwards.

My original problem remains.

I followed the link through to http://support.microsoft.com/kb/898131/ and ran the steps here as I was unable to browse to https://FQDN/oma.

After adding an additional identity for the default website as per 898131 I can now successfully browse the exchange folders of my testoma user.


Same error as before - output below...

Testing Exchange ActiveSync
Exchange ActiveSync test Failed
Test Steps
Attempting to resolve the host name remote.warmmyhome.co.nz in DNS.
Host successfully resolved
Additional Details
IP(s) returned: 203.97.49.172

Testing TCP Port 443 on host remote.warmmyhome.co.nz to ensure it is listening and open.
The port was opened successfully.
Testing SSL Certificate for validity.
The certificate passed all validation requirements.
Test Steps
Validating certificate name
Successfully validated the certificate name
Additional Details
Found hostname remote.warmmyhome.co.nz in Certificate Subject Common name

Testing certificate date to ensure validity
Date Validation passed. The certificate is not expired.
Additional Details
Certificate is valid: NotBefore = 5/20/2009 5:06:37 AM, NotAfter = 5/20/2014 5:06:37 AM"



Testing Http Authentication Methods for URL https://remote.warmmyhome.co.nz/Micr...er-Activesync/
Http Authentication Methods are correct
Additional Details
Found all expected authentication methods and no disallowed methods. Methods Found: Basic

Attempting an ActiveSync session with server
Errors were encountered while testing the ActiveSync session
Test Steps
Attempting to send OPTIONS command to server
OPTIONS response was successfully received and is valid
Additional Details
Headers received: MicrosoftOfficeWebServer: 5.0_Pub
Pragma: no-cache
Public: OPTIONS, POST
Allow: OPTIONS, POST
MS-Server-ActiveSync: 6.5.7638.1
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,M oveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingRes ponse,ResolveRecipients,ValidateCert,Provision,Search,Notify,Ping
Content-Length: 0
Date: Sun, 13 Dec 2009 03:20:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET



Attempting FolderSync command on ActiveSync session
FolderSync command test failed
Tell me more about this issue and how to resolve it
Additional Details
Exchange ActiveSync returned an HTTP 500 response.

Clicked through on the More info link to http://technet.microsoft.com/en-nz/l...EXCHG.80).aspx.

Downloaded the IIS Auth Diagnostics Tool (from http://www.microsoft.com/downloads/d...isplaylang=en).

I'll stick those diagnostics in a separate post below.

Next step?

Cheers,

Hugh

[HughSmith]

Hey Ace,

IIS Auth Diagnostics Output below...

Checking Authentication on http://localhost...

Server's response: HTTP/1.1 200 OK
Learn about IIS status codes Path:W3SVC/599050834/ROOT
AuthType:Anonymous
BUILTIN\Users does not have Access this computer from the networkprivilege Path:W3SVC/599050834/ROOT
AuthType:NTLM
Everyone does not have Access this computer from the networkprivilege Path:W3SVC/599050834/ROOT
AuthType:NTLM
Test Authentication
Path:W3SVC/599050834/ROOT
AuthType:NTLM
Diagnostics complete

**************************************************

Check Permissions of testoma to ****\intranet

All OK

**************************************************

View Permissions Results

E:\Program Files\Exchsrvr\MDBDATA\.
NT AUTHORITY\Authenticated Users: R
BUILTIN\Server Operators: C
BUILTIN\Administrators: F
NT AUTHORITY\SYSTEM: F

E:\Program Files\Exchsrvr\MDBDATA\E00.chk
BUILTIN\Administrators: F
NT AUTHORITY\SYSTEM: F
BUILTIN\Administrators: F
BUILTIN\Users: R

E:\Program Files\Exchsrvr\MDBDATA\E00.log
NT AUTHORITY\SYSTEM: F
BUILTIN\Administrators: R

E:\Program Files\Exchsrvr\MDBDATA\E0000E99.log
NT AUTHORITY\SYSTEM: F
BUILTIN\Administrators: R

E:\Program Files\Exchsrvr\MDBDATA\priv1.edb
BUILTIN\Administrators: F
NT AUTHORITY\SYSTEM: F
BUILTIN\Administrators: F
BUILTIN\Users: R

E:\Program Files\Exchsrvr\MDBDATA\priv1.stm
BUILTIN\Administrators: F
NT AUTHORITY\SYSTEM: F
BUILTIN\Administrators: F
BUILTIN\Users: R

E:\Program Files\Exchsrvr\MDBDATA\pub1.edb
BUILTIN\Administrators: F
NT AUTHORITY\SYSTEM: F
BUILTIN\Administrators: F
BUILTIN\Users: R

E:\Program Files\Exchsrvr\MDBDATA\pub1.stm
BUILTIN\Administrators: F
NT AUTHORITY\SYSTEM: F
BUILTIN\Administrators: F
BUILTIN\Users: R

E:\Program Files\Exchsrvr\MDBDATA\res1.log
BUILTIN\Administrators: F
NT AUTHORITY\SYSTEM: F
BUILTIN\Administrators: F
BUILTIN\Users: R

E:\Program Files\Exchsrvr\MDBDATA\res2.log
BUILTIN\Administrators: F
NT AUTHORITY\SYSTEM: F
BUILTIN\Administrators: F
BUILTIN\Users: R

E:\Program Files\Exchsrvr\MDBDATA\tmp.edb
NT AUTHORITY\SYSTEM: F
BUILTIN\Administrators: R
Diagnostics complete

E:\Program Files\Exchsrvr\OMA\.
BUILTIN\Administrators: (OI)(CI)F
NT AUTHORITY\SYSTEM: (OI)(CI)F
BUILTIN\Administrators: F
CREATOR OWNER: (OI)(CI)(IO)F
BUILTIN\Users: (OI)(CI)R
BUILTIN\Users: (CI)(special access:)
FILE_APPEND_DATA
FILE_ADD_SUBDIRECTORY

BUILTIN\Users: (CI)(special access:)
FILE_WRITE_DATA
FILE_ADD_FILE

Diagnostics complete

C:\Inetpub\wwwroot\.
WARMMYHOME\IIS_WPG: (OI)(CI)R
NT AUTHORITY\SYSTEM: (CI)F
NT AUTHORITY\SYSTEM: (OI)(IO)F
BUILTIN\Administrators: (CI)F
BUILTIN\Administrators: (OI)(IO)F
BUILTIN\Users: (OI)(CI)R
NT AUTHORITY\NETWORK: (CI)R
NT AUTHORITY\NETWORK: (OI)(IO)(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_READ_DATA
FILE_LIST_DIRECTORY
FILE_READ_EA
FILE_READ_ATTRIBUTES

WARMMYHOME\IUSR_WARMMYHOME-SERV: (CI)R
WARMMYHOME\IUSR_WARMMYHOME-SERV: (OI)(IO)(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_READ_DATA
FILE_LIST_DIRECTORY
FILE_READ_EA
FILE_READ_ATTRIBUTES

WARMMYHOME\OWS_2476834583_admin: (CI)(special access:)
DELETE
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_LIST_DIRECTORY
FILE_WRITE_DATA
FILE_ADD_FILE
FILE_APPEND_DATA
FILE_ADD_SUBDIRECTORY
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_TRAVERSE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES

Curious, have you been changing the authentication methods in IIS and not in
the ESM? You should only be using the ESM to change anything like that. If
it is not available in the ESM, then you use IIS. This is because there is a
utility that runs in the background called the DS2Meta function that reads
the the data in AD (the Config Container in AD is where the Exchange stores
it's data), and populates the IIS Metabase.

[HughSmith]

Hi Ace,

I assume you are talking about steps 20 and 21 of "Create a secondary virtual directory for Exchange server" in http://support.microsoft.com/?kbid=817379.

I've just doubled checked the reg entry and it is correct, including the case sensitive name.

Are you able to give me a bit more information about ...

"Curious, have you been changing the authentication methods in IIS and not in the ESM? You should only be using the ESM to change anything like that. If
it is not available in the ESM, then you use IIS."

I turned off Forms Based Authentication in ESM, but the rest of the stuff I've done through IIS Manager

Regards,

Hugh

Why did you turn off Forms Based Authentication? When did you do that?

Messing with settings in IIS could have caused this. The cardinal rule with
Exchange, is that you ALWAYS (I can't stress that any further than typing it
in upper case characters) make all website and other protocol adjustments
using the ESM FIRST. If the option is not in the ESM, then you use IIS, such
as SSL/Certificate settings with Exchange 2003. If you make any
authentication changes in IIS and not the ESM, it will cause problems. That
is why with Exchange 2007, most of this was changes where your only option
is to do it in the EMC, which prevents issues altering it in IIS.

[HughSmith]

Hi Ace,

IIS was totally fried no matter what I tried.

We had Storage craft imaging software on the server so backed up all the exchange mailboxes with exmerge, rolled the OS and Exchange partitions back to before the problem started, then imported the missing mail back into the exchange store with exmerge.

Problem sorted.

Thanks for your help.

Hugh

"HughSmith" <HughSmith.43h3nc@DoNotSpam.com> wrote in message
news:HughSmith.43h3nc@DoNotSpam.com...
>
> Hi Ace,
>
> IIS was totally fried no matter what I tried.
>
> We had Storage craft imaging software on the server so backed up all
> the exchange mailboxes with exmerge, rolled the OS and Exchange
> partitions back to before the problem started, then imported the
> missing mail back into the exchange store with exmerge.
>
> Problem sorted.
>
> Thanks for your help.
>
> Hugh
>


Wow, suprised, but then again, possibly not surprised that you had to go
through all of that. I figured it was something in IIS. Good to hear you
cleared it up. :-)

Cheers!

Ace