I've setup certificate based authentication for activesync on Exchange 2013.  We're using primarily iOS devices and that's all I'm testing with for now. 

I apply the profile using Apple's iPhone configuration Utility, install the profile on the phone and my mailbox syncs as expected.  I can send and receive messages for a short time, somewhere between 2 and 5 minutes.  After that I cannot get a connection again and get the message "The connection to the server failed."  I am able to access the server through safari so network connectivity is OK.  The only way to regain a working activesync connection seams to be either rebooting the phone completely or instructing the iPhone to "Reset Network Settings" which also ends up rebooting the phone.

I have verifiied that "Include inheritable permissions from this object's parent" is selected in the users AD security settings which was the only item I have found that may relate to this error in my searching.

I did have certificate based auth working in my Exchange 2007/2010 environment and also in my Exchange 2013 test environment.

The Exchange remote connectivity analyzer test for activesync fails but only because of the certificate auth which it doesn't seem to be setup to handle.  Everything else passes.

Hi everybody,

I'm hoping someone has a quick answer to this issue. I have a user with 15,000 mail folders in his mailbox. We recently tried to switch him from an old blackberry to an iOS device. Each time he starts to sync his mail client freezes. We also tried a BES 10 and Android. I'm pretty certain his problem is caused by the large number of folders but does anyone know of any limits on folder count or anything else that could definitively explain why the mail client on his device freezes.

Thanks!

Alastair

We are exploring activesync mailbox policies in exchange 2013.

The activesync mailbox policy has the option of enabling password recovery. Also the get-mobiledevicestatistics command has the -showrecoverypassword switch.

However there is no reference of how this works. I have created a mobile device mailbox policy with the PasswordRecoveryEnabled set to true. However when this policy is applied to the user, neither is the user asked for recovery password, nor is he able to see it in owa, nor is the administrator able to see anything in the get-mobiledevicestatistics command.

Searched a lot on the internet and could not find any references to exchange 2013 (though there were frequent references to exchange 2010).

also, is it supported by all device types (windows, apple, android)

Appreciate any help.

Ron

Ron

Hi, 

I have setup an on-premise RDS environment for RemoteApps and I have deployed Outlook, Word, SharePoint and PDF viewer.  The environment has also been setup with 2FA.  I would like to force everyone to use the Outlook RemoteApp and block all other forms of connecting to e-mail apart from ActiveSync for iOS.  I'm blocking the Outlook for iOS application already. 

Is there a way that I can block someone from just configuring their outlook application on their desktop computer?  I want to benefit from all the security implemented on this RDS environment but at the moment someone could undermine that by configuring their own outlook client.. 

I am using Exchange 2013 with Outlook 2013.  RDS is on Server 2012 R2. 

Advice is appreciated. 

Thanks

D

Hey Technet forums!

I wanted to create a quick TechNet question as I'm pretty stumped with an issue I'm having getting mobile devices to retrieve ActiveSync information from my Exchange server, but I'm noticing that the devices are connecting to, and getting basic responses from the server.

As a bit of background, I recently stood up a new lab-instance Exchange server with Client Access and mailbox roles after an older Exchange server I had was decommissioned (deleted and removed from ADSI/AD). The server itself appears to work fine. I am able to log into the Exchange server (OWA and ECP) with my AD credentials without any issues, and from there all Exchange tasks (sending/receiving email) appear to work fine as well. It's when I try to push this information to a mobile phone (Both iOS and Android OS's) that I see issues. When configuring my Exchange account on my mobile device, I'll notice that when entering the correct information, I'll receive 'Ok' prompts in the form of checks next to the server fields. If I proceed into the Mail app or try to gather other ActiveSync information, I will not be able to receive or send email. From there, when configuring the setup with an incorrect password or value for a field for instance, I will be alerted to that as well, prompting me that my AD credentials were incorrect or disallowing me to continue. Having these together leads me to believe that my phone can connect to the server and at the least receive responses, but the server is either refusing the connection, or there is a permission that I have not yet enabled.

As for any rules in ECP, I do not have any devices or users quarantined so that would rule that out. My default rule for ActiveSync is to allow any and all devices across the board as well. For authentication, I'm relying on just basic authentication (User Name & Passcode)

I've also attached a few snippets of code that I have from an email log of an Android device attempting to connect to the Exchange server. In particular, I'm noticing that I'm getting both 'Ok' messages as well as some error messages here. My question is, are these errors telling at all? From my research, it seems like the suggestion I've found here (Error code 111) is to simply try later. Please note, this error log has been stripped of other non-relevant information (such as MDM information) it can be reattached if it may help.

015-08-06T19:18:46.962+0000: INFO: Email : Onetime initialization: 1

2015-08-06T19:18:46.962+0000: INFO: Email : Onetime initialization: 2

2015-08-06T19:18:47.221+0000: INFO: Email : Onetime initialization: completed.

2015-08-06T19:20:27.056+0000: SEVERE: UnifiedEmail : FolderSync: Unknown status: 111

2015-08-06T19:20:27.058+0000: SEVERE: Exchange : CommandStatusException: FolderSync, 111

2015-08-06T19:20:27.059+0000: SEVERE: Exchange : Generic error for operation FolderSync: status 200, result -10

2015-08-06T19:20:57.712+0000: SEVERE: Exchange : Authentication error

2015-08-06T19:21:35.361+0000: SEVERE: UnifiedEmail : FolderSync: Unknown status: 111

2015-08-06T19:21:35.362+0000: SEVERE: Exchange : CommandStatusException: FolderSync, 111

2015-08-06T19:21:35.362+0000: SEVERE: Exchange : Generic error for operation FolderSync: status 200, result -10

Additionally, I'm noticing that it seems like the devices are never registered on the ActiveSync server as well. When running the Get-MobileDevices command in PS on my Exchange server, I'm noticing that none of the devices I'm trying to connect are populating.

If there's any questions or requests for information, I will definitely provide that ASAP.

Thanks again Technet!

Ive been working through the weekend to complete my Exchange 2013/2007 coexistence upgrade. I first upgraded 2007 to CU13.  I installed exchange 2013 CU9. I main problem at this time is active sync/autodiscover. I have not moved any 2007useres to 2013. 2007 users can successful send and receive mail via Outlook client and OWA. However, mobile devices do not connect. A work around is to change settings to legacy.domain.com instead of mail.domain.com. using remote connectivity analyser I get the following:

Attempting the Autodiscover and Exchange ActiveSync test (if requested).
 Testing of Autodiscover for Exchange ActiveSync failed.
 
Test Steps
 
Attempting each method of contacting the Autodiscover service.
 The Autodiscover service couldn't be contacted successfully by any method.

Test Steps
 
Attempting to test potential Autodiscover URL https://domain.com:443/Autodiscover/Autodiscover.xml
 Testing of this potential Autodiscover URL failed.
 
Test Steps
 
Attempting to resolve the host name domain.com in DNS.
 The host name resolved successfully.

Testing TCP port 443 on host domain.com to ensure it's listening and open.
 The specified port is either blocked, not listening, or not producing the expected response.
  Tell me more about this issue and how to resolve it
 
 A network error occurred while communicating with the remote host.

Attempting to test potential Autodiscover URL https://autodiscover.domain.com:443/Autodiscover/Autodiscover.xml
 Testing of this potential Autodiscover URL failed.
 
Test Steps
 
Attempting to resolve the host name autodiscover.domain.com in DNS.
 The host name resolved successfully.
 
Additional Details
 
IP addresses returned: X.X.X.X

Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
 The port was opened successfully.

Testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.domain.com on port 443.
 The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 
Additional Details
 
Remote Certificate Subject: CN=mail.domain.com, OU=Domain Control Validated, Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.

Validating the certificate name.
 The certificate name was validated successfully.
 
Additional Details
 
Host name autodiscover.domain.com was found in the Certificate Subject Alternative Name entry.

Certificate trust is being validated.
 The certificate is trusted and all certificates are present in the chain.
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.domain.com, OU=Domain Control Validated.
 One or more certificate chains were constructed successfully.
 
Additional Details
 
A total of 2 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.

Analyzing the certificate chains for compatibility problems with versions of Windows.
 Potential compatibility problems were identified with some versions of Windows.
 
Additional Details
 
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

Testing the certificate date to confirm the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 
Additional Details
 
The certificate is valid. NotBefore = 8/7/2015 10:37:38 PM, NotAfter = 3/10/2016 4:32:00 AM

Checking the IIS configuration for client certificate authentication.
 Client certificate authentication wasn't detected.
 
Additional Details
 
Accept/Require Client Certificates isn't configured.

Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
 Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
 
Additional Details
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URLhttps://autodiscover.domain.com:443/Autodiscover/Autodiscover.xml for userme@domain.com.
 The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
 
Additional Details
 
An HTTP 500 response was returned from Unknown.
HTTP Response Headers:
request-id: f3644d3b-613e-43a1-b835-7191377d4891
X-CalculatedBETarget: exch2013.domain.com
X-DiagInfo: EXCH2013
X-BEServer: EXCH2013
Cache-Control: private
Content-Type: text/html; charset=utf-8
Set-Cookie: ClientId=FJVIVFPIURWYLXXJSUW; expires=Tue, 09-Aug-2016 13:39:49 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-3970167411-3836497950-71674325-1164=u56Lnp2ejJqBx5zLyZ2encjSz8+aytLLxsqZ0p2byMzSyZueyM/Jy8nNzcmagYHNz87K0s/G0s/Gq87MxczGxcvG; expires=Wed, 09-Sep-2015 13:39:49 GMT; path=/Autodiscover; secure; HttpOnly
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
Persistent-Auth: true
X-Powered-By: ASP.NET
X-FEServer: EXCH2013
Date: Mon, 10 Aug 2015 13:39:49 GMT
Content-Length: 7062

Attempting to contact the Autodiscover service using the HTTP redirect method.
 The attempt to contact Autodiscover using the HTTP Redirect method failed.
 
Additional Details
 
Test Steps
 
Attempting to resolve the host name autodiscover.domain.com in DNS.
 The host name resolved successfully.
 
Additional Details
 
IP addresses returned: X.X.X.X

Testing TCP port 80 on host autodiscover.domain.com to ensure it's listening and open.
 The port was opened successfully.

The Microsoft Connectivity Analyzer is checking the host autodiscover.domain.com for an HTTP redirect to the Autodiscover service.
 The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.
 
Additional Details
 
An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
HTTP Response Headers:
request-id: 486dbd86-1b4a-484a-9921-c28f76103ca1
X-SOAP-Enabled: True
X-WSSecurity-Enabled: True
X-WSSecurity-For: None
X-OAuth-Enabled: True
Cache-Control: private
Set-Cookie: ClientId=GOMHIENKWTVLUOMSFDG; expires=Tue, 09-Aug-2016 13:39:49 GMT; path=/; HttpOnly
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate,NTLM,Basic realm="autodiscover.domain.com"
X-Powered-By: ASP.NET
X-FEServer: EXCH2013
Date: Mon, 10 Aug 2015 13:39:49 GMT
Content-Length: 0

Attempting to contact the Autodiscover service using the DNS SRV redirect method.
 The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
 
Test Steps
 
Attempting to locate SRV record _autodiscover._tcp.domain.com in DNS.
 The Autodiscover SRV record wasn't found in DNS.
  Tell me more about this issue and how to resolve it
 
Additional Details
 
Checking if there is an autodiscover CNAME record in DNS for your domain 'domain.com' for Office 365.
 Failed to validate autodiscover CNAME record in DNS. If your mailbox isn't in Office 365, you can ignore this warning.
  Tell me more about this issue and how to resolve it
 
Additional Details
 
There is no Autodiscover CNAME record for your domain 'domain.com'.

Hi all

i am a system administrator in a medium enterprise and i have a problem with multiple mobiles in the company, they don't sync mails with my server 

here it is some data of my exchange server

windows server 2008 r2 standard service pack 1

Microsoft exchange server 2010

active sync, POP 3 and IMAP are enabled for every single mailbox 

i am trying to connect using android phones and IOS phones but they accept the mail and try to sync but they couldn't and still trying like forever

Although, other mobiles are connected from a while and working perfectly 

ahmed nader

This past weekend, some users started seeing email not synching on their iPhone's.  Once the end user re-enter's their same network password, email starts synching again.

We've recently implemented Windows 2012 fine grain password policy's.  It's been a few weeks for some of these users who had to re-enter their password.

Environment - Windows 2012 R2 AD, Exchange 2010 SP3 RU 8-v2

Idea's or suggestions?

Thanks

Ron

Hello,

Please let me know whether there is any way iOS/Android user can sync his draft folder from Outlook to mobile device.

If its not possible please provide MS article.

Best Regards,

Irfan

Is the signature text in activesync/mobile devices discoverable by a PS script?

I have an email signature application that looks for the signature text being used by activesync/mobile device.  The signature application replaces the text with a signature template that I created.

Thanks

Ron

We have always had an issue with FIM not deleting old accounts when they still have active sync devices. We would run a script to remove those activesync devices, then it would complete successfully.

Now that we have migrated from Exchange on prem to Exchange Online, the script fails, but we still continue to have the issue deleting accounts.

If I manually run REMOVE-ACTIVESYNCDEVICES on our on-prem Exchange server I get the error. "Couldn't find 'domain.com/OU/username' as a recipient."

How can I remove activesync devices from all users now that we are fully migrated to exchange online?

Since installing Cumulative Update 10 on my Exchange Server 2010 SP3 system, I have experienced two events that have impacted my users with ActiveSync.  Apparently, after the update, ActiveSync will try to open a single person's mailbox (called firstname lastname in the error data) and is unable to do so.  ActiveSync thinks the server is unavailable due to load (it is not) and turns off ActiveSync for 60 seconds.  When ActiveSync turns back on after 60 seconds,  all ActiveSync users receive all of their messages again on their devices.  The event occurs every 10 minutes until ActiveSync is turned off for the user firstname lastname.  Additionally, I turn off IMAP and POP3 for firstname lastname.  ActiveSync no longer reports th error and all is well.  After deleting the devices from firstname lastname's account, the devices resync with ActiveSync and no longer have the problem.

I have never had this problem before the update.  I have two questions:

1)  Can I change the timeout to a very short number?

2)  Is this problem due to Cumulative Update 10?

Alert: Active Sync is temporarily suspending requests to an unresponsive mailbox server. Users with mailboxes on this server may not be able to sync until the server recovers.
Source: ActiveSync - SSS-CAT-FRONTEND1 (Client Access) - DataCenter
Path: SSS-CAT-FRONTEND1.domain.com;SSS-CAT-FRONTEND1 (Client Access) - DataCenter Last modified by: NT AUTHORITY\SYSTEM Last modified time: 8/17/2015 5:40:22 PM Alert description: Exchange ActiveSync has encountered repeated failures when it tries to access data on Mailbox server [SSS-CAT-DB01.domain.com]. It will temporarily stop making requests to the Mailbox server for [60] seconds to reduce load on that server. This delay may occur if the Mailbox server is overloaded. If this event is logged frequently, review the Application log on this server and the Mailbox server noted above for other events that could indicate the root cause of performance problems.
Additional information:
"serverFQDN=SSS-CAT-DB01.domain.com
Error 0:

ErrorTimeStamp:
8/17/2015 5:34:18 PM
Exception:
--- Exception start ---
Exception type: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
Exception message: Cannot open mailbox /o=SS-Exchange/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Firstname Lastname.
Exception level: 0
Exception stack trace:    at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore)
   at Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(MapiStore linkedStore, LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, GenericIdentity auxiliaryIdentity)
   at Microsoft.Exchange.Data.Storage.MailboxSession.<>c__DisplayClass12.<CreateMailboxSession>b__10(MailboxSession mailboxSession)
   at Microsoft.Exchange.Data.Storage.MailboxSession.InternalCreateMailboxSession(LogonType logonType, ExchangePrincipal owner, CultureInfo cultureInfo, String clientInfoString, IAccountingObject budget, Action`1 initializeMailboxSession, InitializeMailboxSessionFailure initializeMailboxSessionFailure)
   at Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString, PropertyDefinition[] mailboxProperties, IList`1 foldersToInit, GenericIdentity auxiliaryIdentity, IAccountingObject budget)
   at Microsoft.Exchange.Data.Storage.MailboxSession.ConfigurableOpen(ExchangePrincipal mailbox, MailboxAccessInfo accessInfo, CultureInfo cultureInfo, String clientInfoString, LogonType logonType, PropertyDefinition[] mailboxProperties, InitializationFlags initFlags, IList`1 foldersToInit, IAccountingObject budget)
   at Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString, Boolean wantCachedConnection)
   at Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString)
   at Microsoft.Exchange.AirSync.Command.OpenMailboxSession(AirSyncUser user, Boolean shouldUseBudget)
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
Inner exception follows...
Exception type: Microsoft.Mapi.MapiExceptionLogonFailed
Exception message: MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=1010) Diagnostic context:
    Lid: 55847   EMSMDBPOOL.EcPoolSessionDoRpc called [length=640]
    Lid: 43559   EMSMDBPOOL.EcPoolSessionDoRpc returned [ec=0x0][length=224][latency=0]
    Lid: 23226   --- ROP Parse Start ---
    Lid: 27962   ROP: ropLogon [254]
    Lid: 17082   ROP Error: 0x3F2     
    Lid: 26937  
    Lid: 21921   StoreEc: 0x3F2     
    Lid: 27962   ROP: ropExtendedError [250]
    Lid: 1494    ---- Remote Context Beg ----
    Lid: 26426   ROP: ropLogon [254]
    Lid: 56333  
    Lid: 6372    StoreEc: 0x80070005
    Lid: 24824  
    Lid: 4740    StoreEc: 0x80070005
    Lid: 30409   StoreEc: 0x80070005
    Lid: 19145   StoreEc: 0x3F2     
    Lid: 23241   StoreEc: 0x3F2     
    Lid: 32186  
    Lid: 8620    StoreEc: 0x3F2     
    Lid: 1750    ---- Remote Context End ----
    Lid: 26849  
    Lid: 21817   ROP Failure: 0x3F2     
    Lid: 26297  
    Lid: 16585   StoreEc: 0x3F2     
    Lid: 32441  
    Lid: 1706    StoreEc: 0x3F2     
    Lid: 24761  
    Lid: 20665   StoreEc: 0x3F2     
    Lid: 25785  
    Lid: 29881   StoreEc: 0x3F2     
Exception level: 1
Exception stack trace:    at Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, SafeExInterfaceHandle iUnknown, Exception innerException)
   at Microsoft.Mapi.ExRpcConnection.OpenMsgStore(OpenStoreFlag storeFlags, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, MapiStore msgStorePrivate, String& correctServerDn, ClientIdentityInfo clientIdentityAs, String userDnAs, String applicationId, CultureInfo cultureInfo)
   at Microsoft.Mapi.MapiStore.OpenMapiStore(String serverDn, String userDn, String mailboxDn, Guid guidMailbox, Guid guidMdb, String userName, String domainName, String password, String httpProxyServerName, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, Boolean wantRedirect, String& correctServerDN, ClientIdentityInfo clientIdentity, String applicationId, Client xropClient, Boolean wantWebServices, Byte[] clientSessionInfo, TimeSpan connectionTimeout)
   at Microsoft.Mapi.MapiStore.OpenMailbox(String serverDn, String userDn, Guid guidMailbox, Guid guidMdb, String userName, String domainName, String password, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, WindowsIdentity windowsIdentity, String applicationId)
   at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore)
--- Exception end ---
Error 1:

ErrorTimeStamp:
8/17/2015 5:34:17 PM
Exception:
--- Exception start ---
Exception type: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
Exception message: Cannot open mailbox /o=SS-Exchange/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=firstname lastname.
Exception level: 0
Exception stack trace:    at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore)
   at Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(MapiStore linkedStore, LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, GenericIdentity auxiliaryIdentity)
   at Microsoft.Exchange.Data.Storage.MailboxSession.<>c__DisplayClass12.<CreateMailboxSession>b__10(MailboxSession mailboxSession)
   at Microsoft.Exchange.Data.Storage.MailboxSession.InternalCreateMailboxSession(LogonType logonType, ExchangePrincipal owner, CultureInfo cultureInfo, String clientInfoString, IAccountingObject budget, Action`1 initializeMailboxSession, InitializeMailboxSessionFailure initializeMailboxSessionFailure)
   at Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString, PropertyDefinition[] mailboxProperties, IList`1 foldersToInit, GenericIdentity auxiliaryIdentity, IAccountingObject budget)
   at Microsoft.Exchange.Data.Storage.MailboxSession.ConfigurableOpen(ExchangePrincipal mailbox, MailboxAccessInfo accessInfo, CultureInfo cultureInfo, String clientInfoString, LogonType logonType, PropertyDefinition[] mailboxProperties, InitializationFlags initFlags, IList`1 foldersToInit, IAccountingObject budget)
   at Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString, Boolean wantCachedConnection)
   at Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString)
   at Microsoft.Exchange.AirSync.Command.OpenMailboxSession(AirSyncUser user, Boolean shouldUseBudget)
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
Inner exception follows...
Exception type: Microsoft.Mapi.MapiExceptionLogonFailed
Exception message: MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=1010) Diagnostic context:
    Lid: 55847   EMSMDBPOOL.EcPoolSessionDoRpc called [length=629]
    Lid: 43559   EMSMDBPOOL.EcPoolSessionDoRpc returned [ec=0x0][length=224][latency=0]
    Lid: 23226   --- ROP Parse Start ---
    Lid: 27962   ROP: ropLogon [254]
    Lid: 17082   ROP Error: 0x3F2     
    Lid: 26937  
    Lid: 21921   StoreEc: 0x3F2     
    Lid: 27962   ROP: ropExtendedError [250]
    Lid: 1494    ---- Remote Context Beg ----
    Lid: 26426   ROP: ropLogon [254]
    Lid: 56333  
    Lid: 6372    StoreEc: 0x80070005
    Lid: 24824  
    Lid: 4740    StoreEc: 0x80070005
    Lid: 30409   StoreEc: 0x80070005
    Lid: 19145   StoreEc: 0x3F2     
    Lid: 23241   StoreEc: 0x3F2     
    Lid: 32186  
    Lid: 8620    StoreEc: 0x3F2     
    Lid: 1750    ---- Remote Context End ----
    Lid: 26849  
    Lid: 21817   ROP Failure: 0x3F2     
    Lid: 26297  
    Lid: 16585   StoreEc: 0x3F2     
    Lid: 32441  
    Lid: 1706    StoreEc: 0x3F2     
    Lid: 24761  
    Lid: 20665   StoreEc: 0x3F2     
    Lid: 25785  
    Lid: 29881   StoreEc: 0x3F2     
Exception level: 1
Exception stack trace:    at Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, SafeExInterfaceHandle iUnknown, Exception innerException)
   at Microsoft.Mapi.ExRpcConnection.OpenMsgStore(OpenStoreFlag storeFlags, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, MapiStore msgStorePrivate, String& correctServerDn, ClientIdentityInfo clientIdentityAs, String userDnAs, String applicationId, CultureInfo cultureInfo)
   at Microsoft.Mapi.MapiStore.OpenMapiStore(String serverDn, String userDn, String mailboxDn, Guid guidMailbox, Guid guidMdb, String userName, String domainName, String password, String httpProxyServerName, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, Boolean wantRedirect, String& correctServerDN, ClientIdentityInfo clientIdentity, String applicationId, Client xropClient, Boolean wantWebServices, Byte[] clientSessionInfo, TimeSpan connectionTimeout)
   at Microsoft.Mapi.MapiStore.OpenMailbox(String serverDn, String userDn, Guid guidMailbox, Guid guidMdb, String userName, String domainName, String password, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, WindowsIdentity windowsIdentity, String applicationId)
   at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore)
--- Exception end ---
Error 2:

ErrorTimeStamp:
8/17/2015 5:34:17 PM
Exception:
--- Exception start ---
Exception type: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
Exception message: Cannot open mailbox /o=SS-Exchange/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=firstname lastname.
Exception level: 0
Exception stack trace:    at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore)
   at Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(MapiStore linkedStore, LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, GenericIdentity auxiliaryIdentity)
   at Microsoft.Exchange.Data.Storage.MailboxSession.<>c__DisplayClass12.<CreateMailboxSession>b__10(MailboxSession mailboxSession)
   at Microsoft.Exchange.Data.Storage.MailboxSession.InternalCreateMailboxSession(LogonType logonType, ExchangePrincipal owner, CultureInfo cultureInfo, String clientInfoString, IAccountingObject budget, Action`1 initializeMailboxSession, InitializeMailboxSessionFailure initializeMailboxSessionFailure)
   at Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString, PropertyDefinition[] mailboxProperties, IList`1 foldersToInit, GenericIdentity auxiliaryIdentity, IAccountingObject budget)
   at Microsoft.Exchange.Data.Storage.MailboxSession.ConfigurableOpen(ExchangePrincipal mailbox, MailboxAccessInfo accessInfo, CultureInfo cultureInfo, String clientInfoString, LogonType logonType, PropertyDefinition[] mailboxProperties, InitializationFlags initFlags, IList`1 foldersToInit, IAccountingObject budget)
   at Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString, Boolean wantCachedConnection)
   at Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString)
   at Microsoft.Exchange.AirSync.Command.OpenMailboxSession(AirSyncUser user, Boolean shouldUseBudget)
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
Inner exception follows...
Exception type: Microsoft.Mapi.MapiExceptionLogonFailed
Exception message: MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=1010) Diagnostic context:
    Lid: 55847   EMSMDBPOOL.EcPoolSessionDoRpc called [length=629]
    Lid: 43559   EMSMDBPOOL.EcPoolSessionDoRpc returned [ec=0x0][length=224][latency=0]
    Lid: 23226   --- ROP Parse Start ---
    Lid: 27962   ROP: ropLogon [254]
    Lid: 17082   ROP Error: 0x3F2     
    Lid: 26937  
    Lid: 21921   StoreEc: 0x3F2     
    Lid: 27962   ROP: ropExtendedError [250]
    Lid: 1494    ---- Remote Context Beg ----
    Lid: 26426   ROP: ropLogon [254]
    Lid: 56333  
    Lid: 6372    StoreEc: 0x80070005
    Lid: 24824  
    Lid: 4740    StoreEc: 0x80070005
    Lid: 30409   StoreEc: 0x80070005
    Lid: 19145   StoreEc: 0x3F2     
    Lid: 23241   StoreEc: 0x3F2     
    Lid: 32186  
    Lid: 8620    StoreEc: 0x3F2     
    Lid: 1750    ---- Remote Context End ----
    Lid: 26849  
    Lid: 21817   ROP Failure: 0x3F2     
    Lid: 26297  
    Lid: 16585   StoreEc: 0x3F2     
    Lid: 32441  
    Lid: 1706    StoreEc: 0x3F2     
    Lid: 24761  
    Lid: 20665   StoreEc: 0x3F2     
    Lid: 25785  
    Lid: 29881   StoreEc: 0x3F2     
Exception level: 1
Exception stack trace:    at Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, SafeExInterfaceHandle iUnknown, Exception innerException)
   at Microsoft.Mapi.ExRpcConnection.OpenMsgStore(OpenStoreFlag storeFlags, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, MapiStore msgStorePrivate, String& correctServerDn, ClientIdentityInfo clientIdentityAs, String userDnAs, String applicationId, CultureInfo cultureInfo)
   at Microsoft.Mapi.MapiStore.OpenMapiStore(String serverDn, String userDn, String mailboxDn, Guid guidMailbox, Guid guidMdb, String userName, String domainName, String password, String httpProxyServerName, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, Boolean wantRedirect, String& correctServerDN, ClientIdentityInfo clientIdentity, String applicationId, Client xropClient, Boolean wantWebServices, Byte[] clientSessionInfo, TimeSpan connectionTimeout)
   at Microsoft.Mapi.MapiStore.OpenMailbox(String serverDn, String userDn, Guid guidMailbox, Guid guidMdb, String userName, String domainName, String password, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, WindowsIdentity windowsIdentity, String applicationId)
   at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore)
--- Exception end ---
errorCount=3, backingOff=True".
EventSourceName: MSExchange ActiveSync

I'm working with a pair of users whose AD accounts have logon hours set for M-F only -- no weekend access.  Over the weekend the users lose ActiveSync on their iPhones (as expected) but on Monday morning it should start working again, yes?  It does not.  Both users have to delete and re-provision their accounts on their iPhone each Monday morning.

I've enabled ActiveSync logging for both users and will analyze on Monday.  Is there anything else I should examine?

Hello all

running Exchange 2013 Cu9. I want to know if a an iOS device is running the latest version\build and i perform a remote wipe against the device, will the device be reset to factory defaults?

Bulls on Parade

I wanted to reach out to this group to determine if we can collectively put pressure on Microsoft to resolve a bug with Samsung mobile devices and Exchange 2010.

Over the last few months, we've been working a Microsoft Exchange 2010 case targeting a large spike in ActiveSync connections, specifically fromAndroid \ Samsung and upgrade KitKat (4.4–4.4.4, 4.4W–4.4W.2) or later.  These devices are sending excessive “Ping” commands to our Exchange servers due to a bug with how Exchange and Samsung maintains keep alive sessions with ActiveSync.   With 44,000 mailboxes, the impact on our network and servers has been noticed.

In a nut shell, what’s occurring is a Samsung device issues a ping request to Exchange, Exchange 2010 sends a Null valued response the device can’t interpret, which in turn causes the Samsung device to repetitively resend the ping command.   The resulting loop causes a saturation of the network, generates tons of IIS logs, and eats up CPU\RAM on the CAS servers due to the 300,000+ ping requests per day \ per device that are processed.  

There’s good news and bad news with this Microsoft case.  Thegood news is Microsoft has identified and tagged this an official “bug” in how Exchange handles or sends null values to mobile clients.  Microsoft has also reported they addressed this bug in Exchange 2013.  Thebad news is Exchange 2010 is no longer covered by mainstream bug support, as it ended on January 13^th, 2015.   In order to get a hotfix issued, you must have an Extended Service Agreement with Microsoft, which is not covered by our Microsoft Select or Software Assurance agreement.   More importantly, the bug hotfix will only be issued to the organization with the ESA and is typically not released to the general public.    Likewise, enrolling in an ESA ($50K) is not cost effective as it only allows one bug case and costs $30K for any additional cases.  This also provides little help for us, as we only plan on being on Exchange 2010 until May of 2016.

Why this is agrowing issue:  When we first opened the case (April, 2015) we noticed just over 150 mobile devices that had over 10,000 connections per day.  As of today, this number has grown to over 550 devices, 300 of which have over 50,000 connections per day.    To put it into perspective, over a 24 hour period that’s over 37.6 million connections from less than 5% of our total email clients in useand over 55% of ALL client traffic, for all device types (including OWA, EWS, IMAP, POP,ActiveSync and Outlook).    In terms of server impact, we went from generating roughly25 GB to over 100 GB of IIS logs per day, with this number increasing daily.   CPU and RAM utilization has also increased.  As users continue to upgrade their mobile devices to newer Samsung devices, we believe the logs and connection counts will continue to grow in perpetuity.   Moreover, we do a lot of log analysis so this impacts our reporting processes greatly, as well.

Here’s a Sample of Connections by device we are seeing:

What you can do to help: Check your server logs, verify your Exchange environment is impacted too and open a case.   As of this writing, Microsoft has seen several cases opened by other customers exhibiting this same behavior.  However, per our TAM and the US Public Sector Support Engineer Manager, the number has not reached a critical mass where the product development cost of anout-of-band hotfix could be justified.   To gain momentum on a fix, they need more cases. My hunch is if customers knew where to look and how to analyze their logs, this issue would bemore easily identified.   If additional cases are opened, we should be able to place more pressure on the Microsoft product team to fix the bug. Since the issue has already been bugged, it will also be a non-decrement case, just in case you were wondering.   (We had right at 29 hours invested into the case that were credited back)

How to analyze your Exchange CAS - IIS Logs for the Samsung connection \ ping bug:

1. Download and install Microsoft’s Log Parser on your scripting server - https://www.microsoft.com/en-us/download/details.aspx?id=24659
2. On your scripting server, create the following folder structure:
   • C:\Scripts
   • C:\Scripts\IISLogs
   • C:\Scripts\IISLogs\EX-CAS1        (or the name of yourservers, etc)
   • C:\Scripts\IISLogs\EX-CAS2     
   • C:\Scripts\IISLogs\Total
3. Copy the IIS Logs off all of your CAS servers for the last 24 hours.   Swap out the EX-CAS1 name with the name of your servers.  We need all logs, so you don’t want to overwrite your IIS logs from each server, so rename them by server.  The more logs you have, the more accurate results you will get.  Here’s an example to copy logs over using the command line or a batch file:
   • Robocopy "\\EX-CAS1.Contoso.com\c$\inetpub\logs\LogFiles\W3SVC1" "C:\Scripts\IISLogs\EX-CAS1" /MAXAGE:1 /IS

ren C:\Scripts\IISLogs\EX-CAS1\*.log EX-CAS1-*.log

move C:\Scripts\IISLogs\EX-CAS1\*.log C:\Scripts\IISLogs\Total

• Robocopy "\\EX-CAS2.Contoso.com\c$\inetpub\logs\LogFiles\W3SVC1" "C:\Scripts\IISLogs\EX-CAS2" /MAXAGE:1 /IS

ren C:\Scripts\IISLogs\EX-CAS2\*.log EX-CAS2-*.log

move C:\Scripts\IISLogs\EX-CAS2\*.log C:\Scripts\IISLogs\Total

• Robocopy "\\EX-CAS3.Contoso.com\c$\inetpub\logs\LogFiles\W3SVC1" "C:\Scripts\IISLogs\EX-CAS3" /MAXAGE:1 /IS

ren C:\Scripts\IISLogs\EX-CAS3\*.log EX-CAS3-*.log

move C:\Scripts\IISLogs\EX-CAS3\*.log C:\Scripts\IISLogs\Total

1. Once the logs are copied to a single location for all CAS servers, opena Command Prompt and switch to the “C:\Program Files (x86)\Log Parser 2.2” directory.  

Run the following log parser query.  This query is essentially a SQL Selectstatement to count all Samsung device hits and dumps the results to an Excel CSV file.

Logparser -i:iisw3c "SELECT TOP 1000 TO_LOWERCASE (cs-username) AS User, MyDeviceId AS DeviceId, MyDeviceType AS DeviceType, cs(User-Agent) AS User-Agent, COUNT(*) AS Hits, SUM (MyPing) AS Ping, SUM (MySync) AS Sync, SUM (MyFolderSync) AS FolderSync, SUM (MySendMail) AS SendMail USING EXTRACT_VALUE(cs-uri-query,'DeviceType') AS MyDeviceType, EXTRACT_VALUE(cs-uri-query,'DeviceId') AS MyDeviceId,  EXTRACT_VALUE(cs-uri-query,'User-Agent') AS MyUser-Agent, EXTRACT_VALUE(cs-uri-query,'Cmd') AS MyCmd,  EXTRACT_VALUE(cs-uri-query,'Log') AS MyLog, SUBSTR(TO_STRING(sc-status),0,1) AS StatusCode, CASE MyCmd WHEN 'Sync' THEN 1 ELSE 0 END AS MySync, CASE MyCmd WHEN 'Ping' THEN 1 ELSE 0 END AS MyPing, CASE MyCmd WHEN 'SendMail' THEN 1 ELSE 0 END AS MySendMail, CASE MyCmd WHEN 'FolderSync' THEN 1 ELSE 0 END AS MyFolderSync INTO 'C:\Scripts\IISLogs\Total\ ActiveSync_Top-1000-Devices-And-Users.csv' FROM 'C:\Scripts\IISLogs\Total\*.log' WHERE cs-uri-stem LIKE '%%/Microsoft-Server-ActiveSync%%' GROUP BY User,DeviceType,DeviceId,User-Agent ORDER BY Hits DESC"

Note: Depending on the amount of log files you have it could take anywhere from 5-10 minutes to run.   We process about 100 GB of logs in about 20 mins.

*** Disclaimer: These instructions are only a guide on how to parse IIS log data.  Use these instructions at your own risk. ***

My apologies for the long write-up, but I thought I’d bring this issue up to others who might be experiencing the behavior and needed to reduce load on their servers.    Hopefully as a group we can get Microsoft to resolve this bug once and for all.

Please share this with any other Exchange engineers who might find this of interest.  We can also provide the contact info of the Microsoft - US Public Sector Manager, if needed.

If you have any questions or comments, please let me know.   

Many thanks,

Ed McKinzie

EM

Geting following error in both forest CAS servers 

Exchange 2007 is used in ABC.com forest and exchange 2010 is used in xyz.com forest.

Two-way direction truth is configured between both forest.

Recently our Exchange 2007 is used in ABC.com forest CAS certificate expired. We had change with other certificate but the name of site and certificate is different. So we had change the urls of all CAS webservices such as OWA,Autodiscover except active sync.

Event ID: 4001 category:Availability Service  Source: MSExchange Availability Type: Error. 

Process 8344[w3wp.exe:/LM/W3SVC/1/ROOT/EWS-1-130848839633268198]: Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestWithAutoDiscover failed. Exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverFailedException: A cross-forest Availability service that can fill request for mailbox <ASD2>SMTP:ASD2@xyz.com could not be found.. This event may occur when Availability Service cannot discover an Availability Service in the remote forest.

Shaikh Shahabuddin. (MSCA) This posting is provided AS IS with no warranties,and confers no rights.

Hi,

I have two mailbox with a problem, the users erase the default Contact Folder in their Outlook; they have other Contact Folders.

Windows phone sync correctly all Contact Folders, but when they want save a new contact these are not visible.

I think that default Contact Folder have an special attribute like "principal sync", and the new Contact Folders don't have it.