Activesync with Exchange 2010 SP1 will not connect

Another small problem we had was that we couldn't get devices to connect using ActiveSync.  It turns out to be a small bug.

You will know this is the problem by looking in the application log in the event viewer. You will see the following error:

Exchange ActiveSync doesn't have sufficient permissions to create the "CN=<name>,CN=<container>,DC=ads,DC=ssc,DC=wisc,DC=edu" container under Active Directory user "Active Directory operation failed on <exchange server>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.

To fix this, open Active Directory Users and Computers. Click View in the top menu and make sure “Advanced Features” is checked. Right-click the user that is having problems and choose “Properties.” Then go to Security -> Advanced, check the box for “Include inheritable permissions from this object’s parent”, and click Apply and OK.

After that, you should be able to connect!
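
The same check and fix can be scripted when more than one user is affected. This is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module is installed, and the search base `OU=Staff,DC=example,DC=com` is a constructed placeholder.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to read/write user ACLs.
# 'OU=Staff,DC=example,DC=com' below is a constructed placeholder, not a value from the post.
Import-Module ActiveDirectory

# List users whose ACL blocks inherited permissions (the condition behind the ActiveSync error).
function Get-InheritanceBlockedUser {
    param([Parameter(Mandatory=$true)][string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName, adminCount
}

# Same change as ticking "Include inheritable permissions from this object's parent".
function Enable-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)]
          [string]$DistinguishedName)
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        if (-not $acl.AreAccessRulesProtected) { return }   # already inheriting
        # isProtected = $false re-enables inheritance; the second argument is ignored then.
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Report first and review the list before changing anything.
$blocked = Get-InheritanceBlockedUser -SearchBase 'OU=Staff,DC=example,DC=com'
$blocked | Format-Table -AutoSize

# adminCount = 1 marks accounts that are (or were) in a protected group; AdminSDHolder
# strips inheritance from current members again, so handle those by group membership.
$blocked | Where-Object { $_.adminCount -ne 1 } | Enable-UserAclInheritance -WhatIf
```

Remove `-WhatIf` from the last line once the reported list has been reviewed.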

Filed under: Exchange, Microsoft | Posted on March 17th, 2011 by CharlieMaurice

The Name on the security certificate is invalid or does not match the name of the site

After following the articles I posted a few days ago about our Exchange 2003 to 2010 upgrade, we ran into another hiccup.  You receive an error when opening Outlook: “The Name on the security certificate is invalid or does not match the name of the site.”  This is because our certificate didn't match the FQDN of the mail server.  For us the FQDN was, and the cert was for  After some googlefoo, I found the solution.

You can change all but two of the URLs in the Exchange Management Console.  Go to Server Configuration, then to the CAS role.  When you open the properties of the different sections (OWA, ECP, etc.), you will see the URLs used both internally and externally.  Change all of those to match the cert (in our case the outside-facing URL was right).  That will get you all but two.  The remaining two have to be changed in the Exchange PowerShell environment.

You can start by typing:

Get-ClientAccessServer -identity CASservername | FL

At the top of the returned info is AutoDiscoverServiceInternalUri. That will be pointing to the wrong url. To change it, type the following:

Set-ClientAccessServer -Identity "CASServerName" -AutodiscoverServiceInternalURI https://domainonthecert/autodiscover/autodiscover.xml

My code was:

Set-ClientAccessServer -Identity "exchange" -AutodiscoverServiceInternalURI

If you run the first command again, you can verify it has been changed. Second command is this:


To fix this one, we would use:

Set-WebServicesVirtualDirectory -Identity "CASservername\EWS (Default Web Site)" -InternalUrl https://domainonthecert/EWS/Exchange.asmx

For example, here is what I put in:

Set-WebServicesVirtualDirectory -Identity "exchange\EWS (Default Web Site)" -InternalUrl

After that, go to IIS, open Application Pools, right-click MSExchangeAutodiscoverAppPool, and click Recycle.

After that, Outlook opened without any more errors.
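
To see in one pass which internal URLs still point at a name that is not on the certificate, the lookups above can be combined into a report. This is an added example, not code from the original post; it assumes the Exchange 2010 Management Shell, and `CASservername` is the same placeholder used in the commands above.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange 2010 server.
# 'CASservername' is the same placeholder the post uses for the CAS server name.

function Test-HostOnCertificate([string]$HostName, [string[]]$CertNames) {
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        # Wildcard entry such as *.example.com covers exactly one extra label
        $dot = $HostName.IndexOf('.')
        if ($name.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot) -eq $name.Substring(1)) { return $true }
    }
    return $false
}

function Get-CasInternalUrlReport {
    param([Parameter(Mandatory=$true)][string]$Server)

    # Names on the certificate(s) enabled for IIS on this server
    $certNames = @(Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { "$_".ToLower() })

    # Internal URLs handed to Outlook and other clients
    $items = @(@{ Source = 'AutoDiscoverServiceInternalUri'
                  Url    = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri })
    $vdirCmds = 'Get-WebServicesVirtualDirectory', 'Get-OwaVirtualDirectory',
                'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
                'Get-ActiveSyncVirtualDirectory'
    foreach ($cmd in $vdirCmds) {
        foreach ($vdir in @(& $cmd -Server $Server)) {
            $items += @{ Source = "$($vdir.Identity)"; Url = $vdir.InternalUrl }
        }
    }

    foreach ($item in $items) {
        if (-not $item.Url) { continue }            # URL not configured
        $urlHost = ([uri]"$($item.Url)").Host.ToLower()
        New-Object PSObject -Property @{
            Source      = $item.Source
            InternalUrl = "$($item.Url)"
            OnCert      = (Test-HostOnCertificate $urlHost $certNames)
        }
    }
}

Get-CasInternalUrlReport -Server 'CASservername' |
    Sort-Object OnCert | Format-Table Source, InternalUrl, OnCert -AutoSize
```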

Filed under: Exchange, Microsoft | Posted on March 17th, 2011 by CharlieMaurice

Exchange 2010 Upgrade

I'm in the process of upgrading our Exchange 2003 server to 2010.  There is a whole 2 users who use it (myself and another MS admin).  The rest of our organization uses our Linux mail server.  I ran into a few issues and thought I would put them all here.

I first started with this guide as a basis:

It worked great.  The only thing that was missing was to download and install the Filter Pack before you install Exchange:

I got everything set up, and couldn't move my mailbox because of errors.  The first one was “This mailbox exceeded the maximum number of corrupted items that were specified for this move request.” I tried to just up the number it allowed.  No dice.  New error.  So I then ran outlook.exe with the /cleanreminders and /resettodobar options.  That took care of the next error.  Then I got “Fatal error MapiExceptionNoSupport has occurred.” That sounded bad.  I found this post: After running that program (from your desktop, NOT the server…needs .NET 1.1 also!) mailboxes moved like cake!  I'm in the process of doing the other handful, but the new OWA rocks!

Filed under: Exchange, Microsoft | Posted on March 15th, 2011 by CharlieMaurice

Suppressing notifications for SCCM App-V Packages

App-V packages/programs do not give you the option to suppress notifications for the program.  They pop up by default.  You can override this by running the following VBScript.  Save the code to a file ending with .vbs, change the packageID value, then run it.  No more notifications!

strSMSServer = "."
strPackageID = "XYZ00001"
strProgramName = "[Virtual application]"

' Connect to the local SMS provider, then to the site namespace it reports
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSCCM = objLocator.ConnectServer(strSMSServer, "root\sms")
Set Providers = objSCCM.ExecQuery("SELECT * From SMS_ProviderLocation WHERE ProviderForLocalSite = true")
For Each Provider in Providers
    If Provider.ProviderForLocalSite = True Then
        Set objSCCM = objLocator.ConnectServer(Provider.Machine, "root\sms\site_" & Provider.SiteCode)
        ' strSMSSiteCode = Loc.Sitecode
    End If
Next

' Fetch the program object for the App-V package
Set objProgram = objSCCM.Get("SMS_Program.PackageID='" & strPackageID & "',ProgramName='" & strProgramName & "'")

ProgramFlags = objProgram.ProgramFlags
WScript.Echo "Flags for " & strPackageID & ":" & strProgramName & " currently set to " & ProgramFlags
WScript.Echo "Adding 0x00000400 (COUNTDOWN. The countdown dialog is not displayed)" ' see ConfigMgr SDK for details ("SMS_Program Server WMI Class")
' Use Or rather than + so running the script twice does not corrupt other flag bits
ProgramFlags = ProgramFlags Or 1024
WScript.Echo "Set flag to: " & ProgramFlags
objProgram.ProgramFlags = ProgramFlags
' Write the change back to the site server; without this nothing is saved
objProgram.Put_

Filed under: App-V, SCCM | Posted on March 8th, 2011 by CharlieMaurice

Altiris DS 6.9 SP4 imaging task fails with Incorrect Function

I searched a long time for this.  It appears to be a bug that is fairly uncommon.  Here is what I did to fix it.  Modify Configuration -> TCP/IP -> Advanced -> Static Routes.  I deleted them, then rebooted the machine and reimaged.  Voilà!  Task works again.

Mike Rowland on the Symantec forums gave me the idea.  Here is his post.


Filed under: Altiris | Posted on March 8th, 2011 by CharlieMaurice

Copyright © 2023 Charlie's Tech Ramblings. All rights reserved.