Exchange 2010 SP3: Event ID 1053 Exchange ActiveSync doesn't have sufficient permissions to create the "CN" container under Active Directory use "Active Directory operation failed on dc.domain.local. This error is not retrial. Additional information: Access is denied".

You are experiencing problems with certain users connecting a mobile device to the Exchange Server using ActiveSync, after checking all of the usual things such as Mobile Device associations from the ECP, and if ActiveSync is enabled for the users. After checking the event logs on one of the Exchange Client Access Servers (CAS) under the Application Log the event "Event ID 1053 Exchange ActiveSync doesn't have sufficient permissions to create the "CN" container under Active Directory use "Active Directory operation failed on dc.domain.local. This error is not retrial. Additional information: Access is denied". is present stating the user you cannot connect to Exchange.

There is a Microsoft known-issue fix for this but although this fix is similar doing exactly what this document stated did not fix the issue for me http://support.microsoft.com/kb/2579075

The first step was to look at the Security Permissions on one of the effected users objects. I always enable the Advanced Features view from the Active Directory Users and Computers MMC.

Then do a search for the user object and open the Properties, click on the Security tab and click on the Exchange Servers security principal. When I first did this only "Read Exchange Information" and "Read Exchange Personal Information" was Allowed in the entire list.

To test this was causing my issue I gave the Exchange Servers principal Full Control over the object. Although I do not normally like to grant explicit Full Control to anything I was hesitant but since it's the Exchange Servers security principal I could not see any reason why not to.

Certain Users unable to connect via iPhone's to Exchange 2010: "An exception occurred and was handled by Exchange ActiveSync. This may have been caused by an outdated or corrupted Exchange ActiveSync device partnership."

You have a number of users complaining they cannot connect to Exchange ActiveSync using their iPhone/iPad. The standard, remove the account and re-add it trick does not resolve the issue. ActiveSync also appears to be working correctly for everyone else.

On investigation of the issue in the Windows Logs\Application there is a Warning related to Exchange "An exception occurred and was handled by Exchange ActiveSync. This may have been caused by an outdated or corrupted Exchange ActiveSync device partnership." This did not reference the problematic user.

The first stage was to view the ActiveSync DeviceID Associations with the users, this can be done by using the following PowerShell command;

Get-ActiveSyncDevice | ft UserDisplayName, DeviceID

This will display all of the users that have an associated ActiveSync device to their Exchange account. The user that was having problems had two entries.

I then logged into the Exchange ECP from a web browser, if it's enabled in your environment you can normally connect up to it using your namespace followed by /ECP. Then click on the Manage My Organization button and choose Another User....

Try the username of the problematic user, and click OK.

You then click on Phone and Mobile Phones from the left hand side menu. As you can see there is two entries for the iPhone. I selected them both and used the X button to delete the entries.

It will ask you to confirm if you would like to remove the device, click Yes. Please note this will not Wipe the device.

On the problematic iPhone I then tried to re-add the Exchange account and it worked correctly.

Blackberry's consistently recevies an e-mail stating "Outlook Message Manager (Surname, Firstname) (KEY: 96B2A5668CD0D8438AD1D549xxxxxxxx)", although the error does not appear in Microsoft Outlook 2010/Exchange 2010.

The following Blackberry document outlines the fix for this particular issue it is related to Microsoft Exchange 2010 and is automatically ignored by Outlook clients.

http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=92963A68CCF7910DC83B48677F08171C?externalId=KB32860&sliceId=2&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

Although the fix is to create a filter to basically ignore the message, in this instance it cannot be done on the local Blackberry handset and must be done from inside the Blackberry Enterprise Server (BES) console.

Open the Blackberry Administration Service and click Manage Users from the main landing page. Use the Display Name search field to locate the user experiencing the problem. Click on the user from list of returned results.

Click Edit User.

Click Default Configuration.

Click on the E-mail tab.

Name the filter descriptively, and tick Body: and insert the string "Outlook Message Manager", and ensure Recipient Type is selected and Sent directly to me. You must also tick Do not forward e-mail messages to the device.

 

Use the + icon to save the configuration. The user will no longer get the annoying message.