Wildcard Accepted Domains and ActiveSync Issues

I recently had a customer who contracted us to fix some Exchange 2013 issues. They were having problems with ActiveSync and claimed that ActiveSync had never worked. They provided a few test mailboxes for me to work with to help troubleshoot the issue.

Troubleshooting

Setup

  • IIS Logs – First, I set up a couple mailboxes on my phone to see what sort of sync errors I could produce when downloading emails to the phone. The IIS logs were not enabled on the Exchange servers either, so those were enabled for troubleshooting purposes as well.
  • Active Sync Virtual Directory – For good measure, since ActiveSync had never worked, we decided to reset the ActiveSync Virtual Directory. In order to do this, log into the Exchange Server EAC. Click on the Servers tab on the left and then highlight the Microsoft ActiveSync virtual directory:

    [Screenshot: eas-reset-01a]

    Then click on the Reset button:

    [Screenshot: eas-reset-02a]

    After clicking on Reset, specify a location to save current settings to:

    [Screenshot: eas-reset-03a]

    —- INTENTIONAL GAP —-

  • Diagnostic Logging

Testing

Initial tests on the phone revealed that a smartphone could download messages but never send them. The mobile device did not report sync errors; outbound emails simply ended up in the Outbox of the phone. Since there were no error codes on the phone, the next step was to review the IIS logs, which did not reveal enough about the problem to troubleshoot it. The Event logs did not provide troubleshooting clues either.

Where can we go from here? Luckily, ActiveSync also has a debug function that is well documented by Microsoft:

Exchange ActiveSync Mailbox Logging

Following the instructions of the article, we can turn on the logging using this one-liner:

Set-CASMailbox alias -ActiveSyncDebugLogging:$true

After the debug logging is set up, we can try to sync and send email from the smartphone to generate some debug logs to analyze. After doing this a few times, we run this PowerShell cmdlet:

Get-ActiveSyncDeviceStatistics -Mailbox alias -GetMailboxLog:$true -NotificationEmailAddress <Recipient email address for logs>

When I reviewed the ActiveSync debug logs, I found a few messages like the below:

Command_WorkerThread_Exception :
— Exception start —
Exception type: System.ArgumentException
Exception message: imceaDomain must be a valid domain name. Domain value: *.domain1.com
Exception level: 0
Exception stack trace:    at Microsoft.Exchange.Data.Storage.InboundConversionOptions..ctor(String imceaDomain)
   at Microsoft.Exchange.AirSync.AirSyncUtility.GetInboundConversionOptions()
   at Microsoft.Exchange.AirSync.SendMailBase.ParseMimeToMessage(MessageItem message)
   at Microsoft.Exchange.AirSync.SendMailCommand.ExecuteCommand()
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
— Exception end —


The key line from the above is “imceaDomain must be a valid domain name. Domain value: *.domain1.com”. Doing research online revealed a lot of problems with invalid domains or domains not correctly configured. The client and I reviewed their Accepted domains and found that they had two wildcard domains configured in Accepted Domains for Exchange:

*.Domain1.Com
*.Domain2.com
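
The check described above can be scripted. The following is an added example, not part of the original post: it lists every accepted domain stored with a leading "*.", shows whether it is the default domain, and names the email address policies whose templates reference it. It assumes the Exchange Management Shell; the function name is hypothetical.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Get-WildcardAcceptedDomain is a hypothetical helper name.
function Get-WildcardAcceptedDomain {
    $policies = Get-EmailAddressPolicy

    Get-AcceptedDomain |
        Where-Object { $_.DomainName.ToString().StartsWith('*.') } |
        ForEach-Object {
            # "*.domain1.com" -> "domain1.com"
            $base = $_.DomainName.ToString().Substring(2)

            # Templates look like "SMTP:%m@domain1.com"; match the base
            # domain or any subdomain of it at the end of the template.
            $pattern = '@(.+\.)?' + [regex]::Escape($base) + '$'
            $usedBy = $policies | Where-Object {
                ($_.EnabledEmailAddressTemplates |
                    ForEach-Object { $_.ToString() }) -match $pattern
            }

            [pscustomobject]@{
                Name       = $_.Name
                DomainName = $_.DomainName.ToString()
                DomainType = $_.DomainType
                IsDefault  = $_.Default
                Policies   = ($usedBy | ForEach-Object { $_.Name }) -join ', '
            }
        }
}

Get-WildcardAcceptedDomain | Format-Table -AutoSize
```

A row with IsDefault set to True or a non-empty Policies column is a domain that cannot be removed until the default domain and the address policy have been changed first.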


The Solution

In order to fix the issue with ActiveSync, we would need to reset both of these domains and configure them as such:

Domain1.Com
Domain2.Com


The problem with this is that all mailboxes were configured to automatically pick up the email address policy to update their email addresses. Any changes to these lists could cause potential email address removal. We could verify that mailboxes were configured this way (which is a default setting) by using PowerShell:

Get-Mailbox | ft alias,EmailAddressPolicyEnabled

To remove this from all mailboxes in order to avoid causing issues with email address changes, we run this in PowerShell:

Get-Mailbox | Set-Mailbox -EmailAddressPolicyEnabled $false

Because there were only two defined domains in Accepted Domains and both were wildcard domains, I created a dummy domain so I could remove the offending wildcard domains. Remember that one of these is configured as a default domain, which will need to be switched as well.

After the dummy Accepted Domain was created, we can make that domain the default domain:

[Screenshot: eas-reset-04b]

Next, (in the GUI) remove the offending domain from the address policy:

[Screenshot: eas-reset-05a]

Using PowerShell, remove the Accepted Domain(s) with the wildcard:

 
Remove-AcceptedDomain domain1.com
Remove-AcceptedDomain domain2.com

Then the domains were added back without the wildcard – with PowerShell:

New-AcceptedDomain -DomainName domain1.com -DomainType Authoritative -Name domain1.com
New-AcceptedDomain -DomainName domain2.com -DomainType Authoritative -Name domain2.com

For cleanup purposes, we did the following:

  • Set Domain1.Com as the Default Domain
  • Added Domain1.Com and Domain2.Com back to the address policy
  • Reset the EmailAddressPolicyEnabled value on all mailboxes back to $true for those that were enabled.  How can we do this?
    Get-Mailbox | Set-Mailbox -EmailAddressPolicyEnabled $true
    
  • Remove the logging on the user object
    Get-CasMailbox Damian | Set-CASMailbox -ActiveSyncDebugLogging $False
    

Once these changes were completed all users could now send and receive emails from their devices.
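
The cleanup step that re-enables EmailAddressPolicyEnabled "for those that were enabled" needs a record of the original state. The following is an added example, not part of the original post: it snapshots the flag and proxy addresses before the change, restores the flag only where it was on, and reports any mailbox whose addresses changed. The CSV path and function names are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# $SnapshotPath is an assumed location; pick a path that survives the change window.
$SnapshotPath = 'C:\Temp\EapState.csv'

# 1. Before disabling the policy flag: record flag and addresses per mailbox.
function Save-EapState {
    param([string]$Path = $SnapshotPath)
    Get-Mailbox -ResultSize Unlimited |
        Select-Object Alias,
            @{n='Guid'; e={ $_.Guid.ToString() }},
            EmailAddressPolicyEnabled,
            @{n='EmailAddresses'; e={ ($_.EmailAddresses |
                ForEach-Object { $_.ToString() }) -join ';' }} |
        Export-Csv -Path $Path -NoTypeInformation
}

# 2. After the accepted domains are rebuilt: re-enable only mailboxes that had it on.
function Restore-EapState {
    param([string]$Path = $SnapshotPath, [switch]$WhatIf)
    Import-Csv -Path $Path |
        Where-Object { $_.EmailAddressPolicyEnabled -eq 'True' } |
        ForEach-Object {
            Set-Mailbox -Identity $_.Guid -EmailAddressPolicyEnabled $true -WhatIf:$WhatIf
        }
}

# 3. Report mailboxes whose proxy addresses differ from the snapshot.
#    -CaseSensitive also catches a primary (SMTP:) / secondary (smtp:) swap.
function Compare-EapAddresses {
    param([string]$Path = $SnapshotPath)
    foreach ($row in Import-Csv -Path $Path) {
        $before = @($row.EmailAddresses -split ';' | Sort-Object)
        $now = @((Get-Mailbox -Identity $row.Guid).EmailAddresses |
            ForEach-Object { $_.ToString() } | Sort-Object)
        $diff = Compare-Object -ReferenceObject $before -DifferenceObject $now -CaseSensitive
        if ($diff) {
            [pscustomobject]@{
                Alias   = $row.Alias
                Removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject) -join ';'
                Added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject) -join ';'
            }
        }
    }
}
```

Run Save-EapState before the change, Restore-EapState -WhatIf to preview and then without the switch, and Compare-EapAddresses afterwards; an empty result means no mailbox lost or gained an address.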
