How to: disable or change the 4-digit PIN code that is enforced after a mobile device connects to Exchange 2010 on SBS 2011

After you have configured your mobile device to receive its business e-mail via ActiveSync from your SBS 2011 Exchange 2010 server, the device asks for a 4-digit PIN code. This is because the default configuration of the SBS 2011 Exchange server requires a password on ActiveSync devices before they synchronize with your server.

To disable or change this feature, open the Exchange Management Console, go to Organization Configuration, Client Access and choose Exchange ActiveSync Mailbox Policies. Open the properties of the Default policy and select the Passwords tab.

To disable the password completely, clear the Require password check box. Of course you can also change the settings to match your own requirements.

You can also create separate mailbox policies with different settings, so that different users get different policies. When you have created a new policy and want to attach it to a user, go to Recipient Configuration, Mailbox, and open the properties of the mailbox user whose policy you want to change.

Select the Mailbox Features tab, select Exchange ActiveSync and choose Properties. Now you can browse to select the other policy you have created.
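The same separate-policy procedure can be done from the Exchange Management Shell. The following is an added example, not part of the original post: the policy name, the mailbox alias and the chosen password values are hypothetical and should be replaced with your own.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# $policyName and $mailbox are hypothetical placeholders.
$policyName = 'Mobile - 6 digit PIN'
$mailbox    = 'jdoe'

# Show what each existing policy enforces (the Passwords tab in the console).
Get-ActiveSyncMailboxPolicy |
    Format-Table Name, DevicePasswordEnabled, MinDevicePasswordLength,
                 AllowSimpleDevicePassword, MaxInactivityTimeDeviceLock -AutoSize

# Create a separate policy instead of changing the Default one.
# Values are assumptions: 6-character PIN, no simple PINs such as 1111 or 1234,
# lock after 5 minutes idle, wipe after 8 failed attempts.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -DevicePasswordEnabled $true `
        -AlphanumericDevicePasswordRequired $false `
        -MinDevicePasswordLength 6 `
        -AllowSimpleDevicePassword $false `
        -MaxInactivityTimeDeviceLock '00:05:00' `
        -MaxDevicePasswordFailedAttempts 8 `
        -AllowNonProvisionableDevices $false
}

# Attach the policy to one mailbox (Mailbox Features > Exchange ActiveSync in the console).
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Review which policy every ActiveSync-enabled mailbox ends up with.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Sort-Object ActiveSyncMailboxPolicy |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize
```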

Additional information about the settings you can control with an ActiveSync policy is listed here: Understanding Exchange ActiveSync Mailbox Policies

Please note that not all features are supported by all kinds of mobile clients, so before you configure the settings, make sure they are supported by your type of mobile device.

Posted in Blog, Exchange 2010, Howto, SBS 2011 at October 11th, 2011. 7 Comments.

Autodiscover errors after installing an SSL certificate on an Exchange server

When you install an Exchange 2007 or 2010 Client Access server and use Outlook 2007 or 2010, you will get an Autodiscover error by default. When you connect with Outlook Web Access or Outlook Web App you also get a certificate error.

To solve this problem you will have to import the certificate on all computers. Another way is to buy a trusted third-party certificate. In most cases this will be a SAN / UCC certificate, so you can use multiple names on the certificate: webmail.domain.name, autodiscover.domain.name, servername.domain.name and, for a transition, legacy.domain.name.

But after you have requested and installed the certificate, you may still get an Autodiscover or certificate error.

Possible solution: you will have to change some Autodiscover and Client Access settings. I will describe how to check and change the settings with the Exchange Management Shell. Some settings can also be changed in the GUI.

Check the AutoDiscoverServiceInternalUri with the following command:
Get-ClientAccessServer | ft Identity,AutoDiscoverServiceInternalUri
To change the setting:
Set-ClientAccessServer -Identity "SERVERNAME" -AutoDiscoverServiceInternalUri "https://url.domain.name/autodiscover/autodiscover.xml"

For the next options you can set a different URL for internal and external access. You can also choose to use the same URL for both; in that case you will have to set up your internal and external DNS correctly.

Check the AutodiscoverVirtualDirectory:
Get-AutodiscoverVirtualDirectory | ft internalurl,externalurl
To change the settings:
Set-AutodiscoverVirtualDirectory -Identity 'SERVERNAME\Autodiscover (Default Web site)' -ExternalUrl 'https://externalurl.domain.name/Autodiscover/Autodiscover.xml'
Set-AutodiscoverVirtualDirectory -Identity 'SERVERNAME\Autodiscover (Default Web site)' -InternalUrl 'https://internalurl.domain.name/Autodiscover/Autodiscover.xml'

Check the WebServicesVirtualDirectory InternalUrl and ExternalUrl:
Get-WebServicesVirtualDirectory | ft internalurl,externalurl
To change the settings:
Set-WebServicesVirtualDirectory -Identity 'SERVERNAME\EWS (Default Web site)' -ExternalUrl 'https://externalurl.domain.name/EWS/Exchange.asmx'
Set-WebServicesVirtualDirectory -Identity 'SERVERNAME\EWS (Default Web site)' -InternalUrl 'https://internalurl.domain.name/EWS/Exchange.asmx'

You will have to do the same thing for all of the following options. If you don't use one of these options, you can consider skipping that setting.

Get-OabVirtualDirectory | ft internalurl,externalurl
Set-OabVirtualDirectory -Identity "SERVERNAME\OAB (Default Web site)" -InternalUrl 'https://internalurl.domain.name/OAB'
Set-OabVirtualDirectory -Identity "SERVERNAME\OAB (Default Web site)" -ExternalUrl 'https://externalurl.domain.name/OAB'

Get-ActiveSyncVirtualDirectory | ft internalurl,externalurl
Set-ActiveSyncVirtualDirectory -Identity "SERVERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl 'https://internalurl.domain.name/Microsoft-Server-ActiveSync'
Set-ActiveSyncVirtualDirectory -Identity "SERVERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl 'https://externalurl.domain.name/Microsoft-Server-ActiveSync'

Get-OwaVirtualDirectory | ft internalurl,externalurl
Set-OwaVirtualDirectory -Identity "SERVERNAME\owa (Default Web Site)" -InternalUrl 'https://internalurl.domain.name/owa'
Set-OwaVirtualDirectory -Identity "SERVERNAME\owa (Default Web Site)" -ExternalUrl 'https://externalurl.domain.name/owa'

Get-UMVirtualDirectory | ft internalurl,externalurl
Set-UMVirtualDirectory -Identity "SERVERNAME\UnifiedMessaging (Default Web site)" -InternalUrl 'https://internalurl.domain.name/UnifiedMessaging/Service.asmx'
Set-UMVirtualDirectory -Identity "SERVERNAME\UnifiedMessaging (Default Web site)" -ExternalUrl 'https://externalurl.domain.name/UnifiedMessaging/Service.asmx'

Note: when you are using SBS 2008, you should replace (Default Web site) with (SBS Web Applications).
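To find which of the URLs above still points at a host name that is not on the installed certificate, the checks can be combined into one audit. This is an added example, not part of the original post; it assumes the certificate in use is the one enabled for the IIS service, and the helper name Test-NameOnCertificate is hypothetical.

```powershell
# Added example: run in the Exchange Management Shell (PowerShell 2.0 compatible).
# Names on the certificate(s) enabled for IIS (assumption: that is the one clients see).
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() })

# Hypothetical helper: is this host name covered by one of the certificate names?
function Test-NameOnCertificate([string]$HostName) {
    foreach ($name in $certNames) {
        if ($HostName -eq $name) { return $true }
        # A wildcard entry such as *.domain.name covers exactly one extra label.
        if ($name.StartsWith('*.') -and $HostName -like $name -and
            $HostName.Split('.').Count -eq $name.Split('.').Count) { return $true }
    }
    return $false
}

# Collect the Autodiscover SCP value and every internal/external virtual directory URL.
$urls = @()
Get-ClientAccessServer | ForEach-Object {
    $urls += New-Object PSObject -Property @{
        Source = "SCP on $($_.Name)"; Kind = 'Internal'; Url = $_.AutoDiscoverServiceInternalUri }
}
$vdirCmdlets = 'Get-AutodiscoverVirtualDirectory', 'Get-WebServicesVirtualDirectory',
               'Get-OabVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
               'Get-OwaVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    & $cmdlet | ForEach-Object {
        $urls += New-Object PSObject -Property @{
            Source = "$($_.Identity)"; Kind = 'Internal'; Url = $_.InternalUrl }
        $urls += New-Object PSObject -Property @{
            Source = "$($_.Identity)"; Kind = 'External'; Url = $_.ExternalUrl }
    }
}

# Report each configured URL; rows with OnCertificate = False cause certificate errors.
$urls | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([Uri]$_.Url.ToString()).Host.ToLower()
    New-Object PSObject -Property @{
        OnCertificate = (Test-NameOnCertificate $hostName)
        Kind = $_.Kind; HostName = $hostName; Source = $_.Source }
} | Sort-Object OnCertificate |
    Format-Table OnCertificate, Kind, HostName, Source -AutoSize
```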

Posted in Blog, Exchange 2007, Exchange 2010 at September 3rd, 2010. 3 Comments.

Exchange 2010 ActiveSync doesn't work for Domain Admins group members

By default, members of an AD protected group such as Domain Admins or Enterprise Admins cannot use Microsoft ActiveSync with an Exchange 2010 server. They get an error like this: "Result: ActiveSync encountered a problem on the server. Support code: 0x85010014".

Solution 1: Remove the protected group memberships for this account. More information about protected groups can be found here.

Solution 2: Go to Active Directory Users and Computers and turn on Advanced Features in the View menu. Go to the user account, open the Security tab and click the Advanced button. Then enable Include inheritable permissions from this object's parent. Now ActiveSync will work.

Note: some rules apply every hour and will disable inheritance again, so you have to set up ActiveSync within this time; otherwise you have to repeat the step in Solution 2. When you get another device to synchronize with ActiveSync, you also have to repeat this action.
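To see which accounts are affected before choosing between the two solutions, the protected accounts and their inheritance state can be listed from the shell. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is available on the server and relies on the adminCount attribute, which the post does not mention, to identify accounts that are or have been members of a protected group.

```powershell
# Added example: run in the Exchange Management Shell on a server that has the
# ActiveDirectory module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

# Accounts that are, or have been, members of a protected group carry adminCount = 1.
# The mail=* filter limits the result to accounts with an e-mail address.
Get-ADUser -LDAPFilter '(&(adminCount=1)(mail=*))' | ForEach-Object {
    $user = $_
    $cas  = Get-CASMailbox -Identity $user.DistinguishedName -ErrorAction SilentlyContinue
    if ($cas) {
        # AreAccessRulesProtected is $true when "Include inheritable permissions
        # from this object's parent" is cleared on the account (the state that
        # Solution 2 changes and the hourly process sets back).
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        New-Object PSObject -Property @{
            Account            = $user.SamAccountName
            ActiveSyncEnabled  = $cas.ActiveSyncEnabled
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
} | Format-Table Account, ActiveSyncEnabled, InheritanceBlocked -AutoSize
```

Accounts listed with InheritanceBlocked set to True are the ones for which a new ActiveSync partnership fails as described above.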

Posted in Blog, Exchange 2010 at August 3rd, 2010. 6 Comments.
