symbian -> RE: Exchange 2010 Active Sync issues (coexist with 2003) (22.Sep.2011 2:08:52 PM)
Solved it myself.
What are the configuration changes I must make on the Exchange 2003 Front-End servers to support ActiveSync?
In order to introduce Exchange 2010 into your "Internet Facing AD Site" and support your Exchange 2003 mailboxes, you will move the primary EAS namespace that is associated with the Exchange 2003 Front-End servers and associate it with the Exchange 2010 CAS array. For more information on the detailed steps required to support the coexistence process, see my first blog article in the series, TechNet, or the Deployment Assistant.
What are the configuration changes I must make on the Exchange 2003 mailbox servers?
Users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access server and the Exchange 2003 back end server to communicate using Kerberos authentication.
To enable this authentication change on Exchange 2003 you need to either:
1. Install http://support.microsoft.com/?kbid=937031 and then use the Exchange System Manager to adjust the authentication settings of the ActiveSync virtual directory.
2. Or, set the msExchAuthenticationFlags attribute to a value of 6 on the Microsoft-Server-ActiveSync object within the configuration container on each Exchange 2003 mailbox server. An example script is provided at http://technet.microsoft.com/en-us/library/cc785437.aspx.
Note: It is important that you do not use IIS Manager to change the authentication setting on the ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.
What scenarios involve proxying and what scenarios involve redirection for Exchange ActiveSync (Exchange 2003)?
Hopefully the Exchange 2003 coexistence diagram is self-explanatory, but if it is not, the key thing here is that regardless of the location of the Exchange 2003 mailbox (remember Exchange 2003 is not site aware), CAS2010 will always proxy the request to the Exchange 2003 mailbox server. Also, since Exchange 2003 does not support Autodiscover, the device version does not matter.
1. User's device is already configured to use the namespace mail.contoso.com.
2. User's device attempts to synchronize.
3. CAS2010 will authenticate the user, determine the mailbox version is Exchange 2003 by performing a service discovery lookup in Active Directory, and retrieve the Exchange 2003 mailbox server FQDN.
4. CAS2010 will proxy the connection to the Exchange 2003 mailbox server's Microsoft-Server-ActiveSync virtual directory. In the IIS logs, you will see a response similar to:
POST /Microsoft-Server-ActiveSync/default.eas User=user5&DeviceId=foo&DeviceType=PocketPC&Cmd=FolderSync&Log=PrxTo:mail.contoso.com_LdapC2_ 443 contoso\user5 10.20.100.117 MSFT-PPC/5.1.2301 200 0 0 189
5. The mailbox server will authenticate the user and retrieve and render the mailbox data and will provide the rendered data back to the CAS2010 server.
6. CAS2010 will expose the data to the end user.
You need to install the hotfix on ALL Exchange 2003 servers, and check the integrated authentication setting on each Active Sync Virtual Directory.
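
A small parser for proxy entries like the IIS log line in step 4, added here as an example and not part of the original post or the quoted article. It assumes the field order of that sample line and that the proxy target appears as `PrxTo:<host>_` in the `Log` query parameter; every sample line after the first, including the 401 status, is constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Field order assumed from the sample line quoted in the post.
FIELDS = ("method", "uri_stem", "uri_query", "port", "username", "client_ip",
          "user_agent", "status", "substatus", "win32_status", "time_taken")
EAS_STEM = "/microsoft-server-activesync/default.eas"
PRX_TO = re.compile(r"PrxTo:([^_]+)_")  # token layout inferred from that sample

def parse_eas_line(line):
    """Parse one ActiveSync request line; return None for anything else."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["uri_stem"].lower() != EAS_STEM or not rec["status"].isdigit():
        return None
    query = parse_qs(rec["uri_query"], keep_blank_values=True)
    match = PRX_TO.search(query.get("Log", [""])[0])
    rec["cmd"] = query.get("Cmd", [""])[0]
    rec["proxy_target"] = match.group(1) if match else None
    rec["status"] = int(rec["status"])
    return rec

def summarize(lines):
    """Count proxied requests per target and collect non-200 responses."""
    proxied, failures = Counter(), []
    for line in lines:
        rec = parse_eas_line(line)
        if rec is None:
            continue
        if rec["proxy_target"]:
            proxied[rec["proxy_target"]] += 1
        if rec["status"] != 200:
            failures.append((rec["username"], rec["cmd"], rec["status"]))
    return proxied, failures

# First entry is the line quoted in the post; the others are constructed.
SAMPLE = [
    r"POST /Microsoft-Server-ActiveSync/default.eas User=user5&DeviceId=foo&DeviceType=PocketPC&Cmd=FolderSync&Log=PrxTo:mail.contoso.com_LdapC2_ 443 contoso\user5 10.20.100.117 MSFT-PPC/5.1.2301 200 0 0 189",
    r"POST /Microsoft-Server-ActiveSync/default.eas User=user6&DeviceId=bar&DeviceType=PocketPC&Cmd=Sync&Log=PrxTo:mail.contoso.com_LdapC2_ 443 contoso\user6 10.20.100.118 MSFT-PPC/5.1.2301 401 0 0 95",
    r"GET /owa/ - 443 contoso\user7 10.20.100.119 Mozilla/4.0 200 0 0 15",
    "#Fields: cs-method cs-uri-stem cs-uri-query",
]

if __name__ == "__main__":
    proxied, failures = summarize(SAMPLE)
    print(dict(proxied))
    print(failures)
```

Users who appear in the failures list while their requests show a `PrxTo` target are the ones to check against the Integrated Windows authentication setting on the Exchange 2003 virtual directory.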