Microsoft Support WebCast
Troubleshooting Microsoft Exchange Server 2003 ActiveSync issues
March 25, 2004
Note This document is based on the original spoken WebCast transcript. It has been edited for clarity.
Jim Westmoreland: My name is Jim Westmoreland. I wanted to take a quick moment to point out that Yan Balducci is actually the one who developed the slides. I went through and modified the content somewhat to make it appropriate for this audience. So I just wanted to make sure that he got appropriate credit where it is due.
Before I start going through the slides, I wanted to take a quick moment and just mention that the purpose of this WebCast, or my goal, is to go through the most common issues that we encounter with Microsoft® ActiveSync® in PSS, and to give you the information that will help you address those issues. I'll give you the common errors, where they'll happen, and I'll try to focus on using tools that ship with the product, so you don't have to call PSS and get any specialized tools or download anything off the Web. So you should be able to work these issues with what you have immediately at your fingertips.
(Slide 2) With that being said, we'll go on to the first slide. So what we have here is the ideal topology for deploying ActiveSync. Starting with Microsoft Exchange Server 2003, as you all know, ActiveSync is included with the product. So, really, we could be talking about a front-end server, but the ideal topology is going to involve two firewalls made by separate vendors. The logic behind that is that if you have an exploit vulnerability on firewall A, that same exploit can't be used to gain access to the other firewall as well.
We have been recommending, for some time now, that you install an application-hosting device such as ISA Server in your DMZ, and have other servers there. Again, the logic for that is that application-hosting appliances such as ISA Server fail safe, as opposed to fail open. So ultimately it leaves you in a more secure situation.
Being that these things aren't free, cost is almost always a factor. So it's okay to have a single firewall with three ports, and that's pretty typical of what we see a lot, too. One interface goes to the Internet. One goes to the LAN. And the remaining interface is left for your DMZ. It's also okay to just put your front-end server in the DMZ.
The main difference that you're going to encounter is the number of ports that you have to have open. Configuring it like we have here in the slide, if we're terminating SSL on the front-end server where ActiveSync is going to be running, the only port that we have to have open from the device, through ISA Server and the firewall, is port 443, which makes it quite simple.
If you move the front-end server into the DMZ, you're talking about ports to the global catalog server, for NetBIOS authentication, for DNS, ports 3268, 389, and then, of course, port 80 to your back-end server, your Kerberos ports. It starts to get really messy and sticky.
The one thing that we encounter every so often that seems to elude a lot of people, as far as resolving, is that when they put their front-end server in the DMZ located here, they neglect to create an associated subnet and then associate that with the site in Microsoft Active Directory®, which causes problems for DSAccess. We'll show how DSAccess plays into this in a little bit.
(Slide 3) Under the hood, these are the components that are doing the communication. So, from this side we have the device. It's pretty obvious there. Then IIS, and, as an ISAPI, we have Massync.dll, which is the actual ActiveSync application. This handles all your communication to your Exchange server, which a lot of people aren't aware of. We just send DAV traffic over port 80 to the Exchange virtual directory on your mailbox server.
So a lot of troubleshooting techniques are aimed at eliminating ActiveSync completely from the scenario. And then we turn it into a Microsoft Outlook® Web Access (OWA) troubleshooting issue, which some people are a lot more comfortable with. So the user will come in and contact the ActiveSync virtual directory. It uses DSAccess to contact Active Directory and find the user's mailbox. And then it contacts them over port 80, as I said before.
Note that we use Kerberos now. If you're familiar with previous versions of ActiveSync, we've used Kerberos for a while in the previous version, but we're using Kerberos for OWA as well, in the front-end/back-end configuration. If you don't have a front-end/back-end topology, that's okay. It's not required. If you have a standalone server, the ActiveSync component will talk to the Exchange virtual directory on the same box. So even though it's all on one box, you still have to pay attention to how the Exchange virtual directory is configured.
(Slide 4) So this is a detailed set of steps that occur when a user syncs. I'm going to go through this and just kind of highlight where some of the more common breaks occur. The first thing that happens is that you have to be able to resolve the name of the server through DNS. One of the things that tends to get a lot of people, as they create their own certificate, is that the FQDN that's being used to contact the server isn't what was used when they created the certificate. That will throw errors. The device can't handle it, so you'll get an error. But you need to be able to resolve that name.
After that, it does a check for SSL. If you don't have SSL enabled on the server, you're going to get an Internet_29 error on the device. That just basically means you don't have a certificate. If you install a certificate that you create yourself, you'll probably get an Internet_45 message, which means that there is a certificate, but it can't verify the certificate against the list of root certificates.
So what you need to do — there is a Disablessl utility that ships with the product on the CD. You can install that on the Pocket PC device. SSL is still used, but we don't perform the check to make sure that it's a valid certificate against the certificate authority that we have. Or you can add your certificate authority to the list of certificate authorities on the device. That's what I would recommend doing.
We've covered most of this already. Microsoft Exchange Server, or the ActiveSync component, at that point will contact the domain controller and the global catalog to authenticate and locate a user's mailbox. If you're having problems with this step in the process, you're going to see a lot of other issues as well. Before you even notice that there is something wrong with ActiveSync, your event logs probably are going to be full of lots of things for you to do in there. Pretty much any Active Directory DNS issue between those servers will cause a problem at this point.
ActiveSync authenticates to the user's mailbox: A good way to test that is from the Exchange ActiveSync server itself, particularly if you have a front-end server. Open a Web browser and attach to OWA on the mailbox server that you're going to be hitting, and see if that's successful.
If it is, then you probably just have a minor configuration issue, and we'll get to some ways to identify exactly what's going on at that point. If everything is successful at this point, there is a sync state file that's stored in the user's mailbox. The sync state file, going into the contents, isn't really of any benefit, so I'll just avoid that altogether. But the sync state file helps you keep track of what's been synchronized to the device, so that you don't do a complete sync of the mailbox every time you connect. It saves bandwidth and makes things quicker.
So we locate that file, and then we use that file to compare what we have and what changes are there. Then we basically reconcile all the changes. So that's the next few steps. We'll get into locating the file, because you may need to delete it at some point to force a full sync again. I'll show you how to get to that.
Let's say we download some e-mail. Next, we're going to modify the appropriate data in the folder. So, if we have some changed messages or appointments, for example, we'll make those changes. After that we save the sync state file, so that we can keep track of where we've been.
So that's a high-level overview. This covers the next several slides, where we're going to look at a typical device request. We're going to look at it from the client perspective on the device, and the device logging, and then we're going to turn around and look at the ActiveSync logging that happens in IIS.
(Slide 5) So, on the typical device request, you're going to be sending mail or meeting requests, for example. You're going to perform some action. The first thing that you're going to see is a GetHierarchy command from the client. And after that, you're going to see a GetItemEstimate, so that's going to tell you how many changes need to be made. You can see all of this happening. When you issue the GetHierarchy command, you'll see the list of folders come back, and then you'll see the number of items changing. I'll point that out in the slides that are coming up, when we're looking at logs.
Then, after the GetItemEstimate, you're going to download, using a sync command, each item individually. You'll see the e-mail coming across. You'll see attachments after that. I have examples of each of those. Now all the examples that I give are going to be successful.
Where you would use these logs is when the sync is failing in the middle of the process. So you're able to connect. You're able to view the default Web site from the device, for example. You know you have connectivity to the server. Then you go to sync. Halfway through the process it's failing, and you think you might have a bad message or something. So you can go into the logs, turn on device logging, and you'll see the GetHierarchy. You'll see the GetItemEstimate, and you'll sync.
You'll see e-mail messages coming down. Then all of a sudden, instead of getting the next e-mail, you get an error. At that point you would go into the Inbox and look at the particular message that should be coming down at that point, isolate it, move it into another folder, change your filter so that it's not coming down, and then repeat the sync to see if it works. So that's the goal of showing you all of this information.
(Slide 6) There are a lot of errors that were defined in this software. So it's pretty good at telling you what's wrong, and telling you that information accurately. The expected errors typically all start with MIS. For example, an MIS_5 error would indicate a corrupt message, or maybe you have the wrong auth type on OWA. The wrong auth type on OWA will also trigger a 500 error on the device, which is kind of confusing, because that tends to be a catchall error that we see a lot.
You'll see HTTP errors. One that you'll want to watch for there is an HTTP 403 error, which is SSL required. In particular, between the back-end server and the front-end server, if you have that scenario, if you require SSL on the back-end, it will break ActiveSync, and OWA for that matter.
Internet_ errors, an example of that would be the Internet_29 or the Internet_45 that I talked about earlier. Those are WinInet errors. WinInet is a set of APIs that we use in IIS for Gopher, FTP, or HTTP traffic. So it's basically that the ability to build the socket is blocked at some point.
ConnMgr_ errors tend to be device oriented. You're going to be looking at modem issues, possibly wireless NIC issues. A DEV_xx error, such as a DEV_10 error, is an example of one that we see every once in a while. That's a time-out, waiting for the server to respond. So if you're getting that every once in a while, you probably have a topology issue. That's not necessarily anything under your control. It might be by your provider. If you're going over a proprietary wireless network, they might have some latency there, and you might need to contact them. This would be the type of thing that you would present to them as a symptom.
(Slide 7) So the sync state file that we talked about earlier, if you open your Web browser and you click Open, you notice that it says Open as a Web folder. Enter http://servername/exchange/username/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync. After you have synchronized, this folder will have been created, and inside of that, if you use a Pocket PC, for example, you'll see a Pocket PC folder. You'll see a string that looks like a GUID sitting in there. Those are your sync files. You're going to get one of those per device, per folder that you sync.
Pretty much the most useful tip that I can give you about that is if you're having problems synchronizing, and you've gone through all the troubleshooting steps that you can think of, or that you can find, one last step is to force a complete sync from the device. If you go in using your Web browser and delete the sync state file, it'll force a complete sync. So if you think that there is some sort of incongruency between the device and the server agreeing about what they need to sync, you can try that. As is noted down here, it's not a typical scenario, but you should know about doing that. It's something that you can try before calling PSS, because that's something that we might have you do.
(Slide 8) You'll want to turn on verbose logging in the ActiveSync application. If you dig down into that, you'll see there is an option to turn that on. It's documented pretty well, so I won't go into the details on how to do that.
The server logs on a Pocket PC and on a Smartphone are in different locations. On a Pocket PC it's in a Windows ActiveSync file, and on the Smartphone it's IPSM\Windows\ActiveSync or Storage\Windows\ActiveSync. You'll see that on different versions. The ServerLog0.text is the actual name of the file.
If you repeatedly sync, and you're accessing it through your desktop, for example, it might overwrite it, so be careful. If you're troubleshooting this and you have it in a cradle, I'd recommend copying the file to your desktop, just so you don't lose it, and you can have a good record of that. We'll go through some of these logs in a moment.
(Slide 9) So we're going to start looking at some successful logs. Some things I'm going to point out: you're going to see the server name that was used. You're going to see the time that the transaction occurred, and the server requests. And then you're going to see the responses.
(Slide 10) So this is the first one. What we're looking at here is the GetHierarchy request from the clients. You can see the server name here. We use POST commands. I used to use the name Alias to denote the user name, but you'll see the user's actual alias listed there. The DeviceId is going to be unique. This is the user's DeviceId. The DeviceType is Pocket PC, and you can see the command.
(Slide 11) The response to that, notice we have an HTTP 200. That means okay. Down here we can see the version, IIS, and here we have the version of ActiveSync. We have the information that we requested. You can see FolderHierarchy. We have the DisplayName. We have a folder called Backup Data. We have another one called Drafts, and another one called Inbox. Those are the important takeaways for the GetHierarchy response.
(Slide 12) After that you're going to do a GetItemEstimate request. Again, here is the POST command. And here is the user alias. Here is our command, GetItemEstimate. We have Contacts, Calendar, and Email. Notice, on the slide, here is the SyncKey, but at this point it has already obtained the sync file. It's passing the SyncKey so it can track the versioning.
(Slide 13) And here is the response. It's important to note the status. Status of 1 means success. Status of 0 means fail. So for the Contacts collection or folder, the Estimate is 0. Here we have a successful sync request for Calendar. Again, the Estimate is 0. For the Email folder, Status is 1, Estimate is 1. So we have one object in sync at that point.
(Slide 14) So the next slide is the actual sync request to get that one e-mail message that we identified. So, again, here is the POST and here is the Sync. You can see the user name, it's a Pocket PC device again, and here you can see that we're synchronizing the e-mail folder. Here is a SyncKey being passed.
(Slide 15) Then here is the response. Here is the SyncKey. Here is the value of 1, Status 1 or successful, and then we're adding. Here it's 2; and that would be the user's display name that is going to be there. Then From, and the recipient's display name. Here you can see the subject line is SYNC. Then the Body is just "Some Text." You'll see the Modify, Delete, and Add commands. Status of 1 is always okay. That's the important takeaway from this.
(Slide 16) So some common device issues, again, I've stated a lot of this, but I'll just go over it again. You want to make sure that the device is able to contact the server. Clearly, if you're to the point where you're troubleshooting the devices, hopefully you would have checked to make sure the servers are on and functioning.
Again, the best way to test a back-end or a mailbox device is just to open a Web browser and see if you can get into OWA, if it's a single box, just accessing OWA for that particular user if you have their credentials, like some people do, or just testing your own mailbox. If that works, you're probably going to be alright. For the front-end/back-end topology, always use Internet Explorer from the front-end server to attach to the back-end server.
Try to hit the default Web site on the ActiveSync server. A lot of times we'll get various errors. HTTP 500 is probably the most common. HTTP 500, when you're trying to use ActiveSync, normally indicates that you have a configuration issue on your Exchange virtual directory. But you just want to see, can you reach the default Web site on the ActiveSync server?
Check your sync settings. You can restart or power cycle the Pocket PC or your Smartphone. You can re-create your sync settings. The device, it's quite possible, might be running out of disk space, if this user has downloaded a lot of attachments. You can delete some data. You can go through and have them configure a filter, so they're not downloading every attachment, particularly if they have a bad habit of sending large attachments.
Make sure, before they reset the device completely, that you check the log files before recommending that, because they might lose a lot of configuration data that they'll have to go through and set up again. And users don't like that.
(Slide 17) So in the event log, one thing to look for is all the ActiveSync events start with 3000. You'll see an event that IIS has loaded Exchange ActiveSync. If you restart IIS at any point, you'll see all the applications loading. There's an event for that. HTTP 500 errors will be listed in there. You might see some communication failures such as DSAccess or Kerberos failures. In the system log you'll see w3svc 100 or 101 errors. Those are access denied or bad password.
Look for things like that associated with your user. It's just that you have to do a little bit of research and snoop around. If it's only happening for one user, it's more likely something with that user or their mailbox, as opposed to the entire configuration.
(Slide 18) A little bit more about the device-to-front-end communication. The AirSync protocol is WBXML. It's basically XML, but it's a scaled-down version that we use. It's smaller tags, and a smaller tag set. We don't need all of the fancy options that full XML uses. If you're using SSL, a lot of people like to use network traces such as Network Monitor or Ethereal on the front-end server. You're not going to be able to see anything when you're using SSL.
We don't require SSL with ActiveSync that ships with Exchange 2003, but please use it. When you are using it, you won't see anything under network sniff. I personally like to get network traces from the front-end server — not so much from the device traffic, but more for the traffic between the ActiveSync server and the rest of the network. But that's not something that ships with the product, so that's for another time, another discussion.
We use HTTP POST and HTTP options over WinInet sockets. I showed you some of those in the device logs. You want to watch out for the network hops that you have between your Exchange front-end and say proxy servers, firewalls, gateways, and things on your operator network. They operate their own proxy and gateway servers; you never know what they're going to introduce. And be sure to include your devices or hardware as a possible source of problems in your investigations. So never just rule that out, necessarily.
(Slide 19) So now we're going to start looking at some IIS logs. These look a little bit different, but a lot of the same information is contained in there. Remember an HTTP 200 = OK. There were some HTTP 200 messages in the device logs before, but we were looking more at status. The cs-uri-query is the actual line that you're going to be looking at. If you want to know more about the protocols, you can go to the URL that is listed here, http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html, or just search the Internet for "HTTP" and "RFC." You'll get a list of RFCs that you can read.
You'll see a cs(User-Agent). You'll see the device in the logs I'm about to show. You'll see the user name, and you'll also see a time stamp, so you can see if things are taking a very long time. So, again, these IIS logs are from the ActiveSync server.
(Slide 20) In this particular IIS log, we can see the user alias. Here is the device ID. You can see that this one is a Smartphone. Before we were looking at a Pocket PC. And here is the GetHierarchy. So it's going to follow, again, the same logic that the Pocket PC was following before. The interesting thing to note here is that we have this particular tag. This is Adds, Changes, Deletes. The status is 0 for each one of them.
Here FS means this is first sync, so this is the first time that they've attached to the server with this device. This side is from the device, and you'll notice that it's repeated. This is from the server. So one side is from the device, and one side is from the server. So down here we can see, after the GetHierarchy, we do the GetItemEstimate. So here is the alias again. You can see that we're using a Smartphone still. Here is the GetItemEstimate request. You can see it's first sync.
(Slide 21) So here we have the user alias again, the DeviceId, the DeviceType = PocketPC, the sync log, and it's using version 2. This is a Pocket PC sync of a calendar. You can see CA. This is the first sync request coming in. You can see FS here.
(Slide 22) Here we're synchronizing e-mail. So the DeviceType = PocketPC, then Sync, then version 2. We're synchronizing our e-mail folder. This indicates that it's a second sync or a normal sync. They've already done the first sync, so there should be a sync state file there. Notice, at this time, that the Adds, Changes, Deletes column is on the server side. We have 56 Adds coming from the server. You'll see 56 new e-mails, and no other changes to or from the client.
(Slide 23) So here we have GetAttachment. So we would have sent the sync request by this point, and now, after we download the e-mail message, we go after the attachments. So you'll see the attachment name. In this example, they're downloading Moviefile.mov. So let's say you knew that the attachment was coming, and you got an error at that point. You would, instead of seeing this movie (you knew that the attachment was coming), go back and make sure that the attachment is there. Try moving the message out of the mailbox and back in, say move it to the desktop and then move it back, and then re-create the link to the attachment. Because if it's somehow that the link to the attachment is broken, you'll get an error at that point.
In the bottom bullet we have CreateCollection. This is a user creating a folder. So a collection is another way of saying that it is a folder name. The name of the folder is 1234. So those are just some examples of things that you would see in the IIS log.
Again, the point of this is to know what to expect under normal circumstances, when the traffic is flowing between the devices, so that when you do encounter an error, you'll be able to go through and say, "Okay, this is all working fine." Then you'll see the error. The error in an IIS log will be a standard IIS error that you'll be able to troubleshoot. It's one of the HTTP errors.
(Slide 24) The most common errors that we tend to see: Internet_7 is a DNS problem from the carrier, so the device is having difficulty either contacting the DNS server or resolving the name. An HTTP 403 – Forbidden, we normally see this from the OWA server to the ActiveSync server. Then the user gets an HTTP 500. You'll have to troubleshoot that from an OWA perspective. There is a lot documented about that. But that will at least get you going in the right direction.
So you would go, and if you're getting a 500 error on the client, I would look from the ActiveSync server, open OWA for that user's mailbox, and see if you can get in. If you can't, take the error that you're getting and look it up in the Knowledge Base, and try to go with it. There are so many errors, it's really beyond trying to tackle all of them. But that will help get you past what we see a lot when people come in, saying "I can't find anything under this error; it's too vague." If you treat it as OWA, you should normally be able to attack it right away and get to the resolution.
An HTTP 500, you might see that if you have an attachment that's corrupt or unreachable. I mentioned the URL being broken earlier. There's also HTTP 504, a gateway time-out.
Back to HTTP 500, if you see that frequently on many users, you might have a more serious issue. But generally it's more of something that we encounter during setup, when things aren't really configured right away. We just have to go in and make sure that, for example, Integrated Windows Authentication is configured on the Exchange virtual directory, on the back-end or the mailbox server; we make sure that we're not requiring SSL; we make sure that the user's mailbox is accessible, generally. Anything that you can think of that would break OWA will also affect the access.
Another one is when, on the alias, the RUS stamps on your mailbox do not match what would have been on drive M. I don't know if anybody has encountered that problem. But if the alias that you assign to a user isn't in the default recipient policy, you have to create another Web site for that user, and specify that alternate SMTP address. So, you can have issues with SMTP matching as well.
The MIS_5 or the Sync_5 errors, these tend to be failures on the ActiveSync server. Again, you're going to want to look at the client logs. You're going to find the specific e-mail and attachment that you're having a problem with. The best recommendation that I can give you on that is to move that particular item to the desktop or out of their mailbox, and try synchronizing again. If it's a large attachment, you can try setting a filter so that you don't get anything over a certain size, and exclude that.
Another thing that you might encounter a problem with is the Automatic-Up-to-Date (AUTD) synchronization. When you purchase these devices from your carrier and you set up a service, a lot of times they come with SMS, just by default. You should be able to send them SMS messages. Send them an e-mail message, so the device should have its own ID.
Try sending the messages that way, not using ActiveSync, and see if you can get anything that way. If you start to have more problems with that, open a case with Product Support Services (PSS), because we have some tools specifically to troubleshoot that. But that way you can see if base functionality is present. If not, you can rule out ActiveSync for the moment, and focus on getting the base functionality going.
Usually the majority of ActiveSync problems that I see in PSS are setup related. So it's just been deployed and many users are getting 500 errors, or they can't connect, or they're getting Internet_29 or Internet_45 errors.
(Slide 26) If you have a single user problem, and everybody else is working fine, the majority of these problems that you're going to see are attributable to "bad" messages. It's not really a bad message. It's just messages that were not able to download for whatever reason. Look through the logs. I've shown you how to use the client-side logging and also the server-side logs to follow the message path or follow the sync path. Identify which items you're able to get. The next one in your Inbox is going to be the one that you're not able to download. Try removing that item, and then try synchronizing again.
If you don't get it on that one, try moving a couple. Create a temporary .pst file and move everything out, and then start moving things back in. And see if you can get it to work, just with nothing. Then start moving items back in, in small groups, to see if you can isolate it down to one message.
(Slide 27) There's a KB article that's been out, 330461. It covers a lot of what I've talked about. It also has links to other information, like how to add root CAs into your Pocket PC device. Everything that I've talked about is fully documented.
Terminating SSL off of the server and on ISA, this is all documented in ISA documentation. Use the Microsoft Knowledge Base to your advantage. ActiveSync has been one of the better-documented products, in my experience. I very rarely encounter an error that isn't documented well, or not at all.
With that being said, we can open this up to questions.
Otto Cate: Before we jump into the Q&A today, I'd like to share a couple of quick program notes with our listeners. If you'd like to provide any feedback on the events that we produce or on subjects that you'd like to see in the future, feel free to send that to http://support.microsoft.com/servicedesks/webcasts/feedback.asp. I certainly appreciate any feedback that you're willing to provide.
At this point we'd like to hear from you, our listeners, about the topic that we discussed today. So, with that, let's answer some questions that were submitted.
Is there any resource where we'll be able to find a complete list of errors and what they mean?
Jim: A lot of the errors are documented. As far as a complete list, I don't know. I know it's there. I don't know if it's public. But I know that the majority of issues are documented. If you look up, for example, the "Internet_ errors", you'll get several hits.
Otto: We had Exchange 2003 running well until we installed the Microsoft .NET Framework 1.1 and also the Device Update 4.0. The mobile facilities stopped working. During a support incident it was illustrated that this may not be supported until Exchange 2003 SP1 comes out, and we should be using Device Update 3.0. However, we haven't succeeded with that version either. Do you have any suggestions or recommendations with this scenario?
Jim: I'd actually like to take that one offline. I'd like to look into that myself.
Follow-up answer: I haven't seen any issues with the .NET Framework, but I have researched this a bit for you and have found a couple of cases where installing Device Update 4.0 has changed settings in IIS that prevent ActiveSync from working. I would use your IIS logs on the front-end and back-end servers to identify any permissions or authorization problems (this was the resolution in the known cases). If you are unable to isolate the issue, I recommend that you contact PSS for assistance.
Otto: ActiveSync fails if the SMTP primary e-mail is not the same as the user ID. For example, we have users who have set up primary SMTP e-mail addresses that are different from their User ID. So, for instance, John Doe, domain user ID Jdoe, and then SMTP primary e-mail address johndoe@example.com. This does not work. We have to change the primary e-mail address to jdoe@example.com to match their domain user ID. Could this behavior be changed overall? We have a lot of users who have their primary e-mail addresses different from their domain user name.
Jim: I remember hearing about this. I thought it was going to be addressed. I'll have to look into that. That's not something that I've seen. I've heard of it one time, honestly. That's another one that I will be happy to take offline and address, as to the current status of that issue and what we're going to do about it.
Follow-up answer: I ran this by a colleague, and she added that if you are using a front-end/back-end topology, you'll need to add this key to the front-end.
Otto: Next question: How can you make sure that IIS has loaded EAS?
Jim: When IIS starts up, there's an event that's generated. I don't recall the specific event ID, but you'll see an event generated, saying that ActiveSync is loaded.
Otto: I've installed, reinstalled, and repaired Exchange 2003, and I have also re-run the domain prep. The only items that I have under global settings are Internet settings, formats, and message delivery. How would I get the mobile settings option?
Jim: I haven't seen that. I'll have to research that one. You're probably missing an attribute in Active Directory. I'll see if I can find what it is.
Follow-up answer: I checked with a few colleagues and found the following two possible causes:
ESM from Exchange 2003 against an Exchange 2000 organization.
You get an error during the mobility portion of the install and choose to proceed through it. You should see some details in the setup log that may help you identify the problem and help you resolve it. You'll need to reinstall Exchange after you resolve the error.
If you're unable to make any progress with the setup logs, I would recommend that you contact PSS for assistance.
Otto: How do I synchronize other folders, for instance Notes, or maybe a second Contacts folder?
Jim: By default, we only sync the Inbox, Calendar, and Contacts. That's pretty much it. We can do subfolders and the Inbox, but that's going to have to fall under the scope of the original folders that we provide access for.
Otto: Can ActiveSync work with SyncML-enabled devices?
Jim: Can you clarify that?
Otto: If we can get a little bit of extra clarification on SyncML, that would certainly help. We'll come back to that question for you.
What should the standard server name be that you would actually place in your Pocket PC configuration?
Jim: It would have to be something that the Pocket PC can resolve to get to, say, the default Web site. So you don't have to add the HTTP, you just add the server name, and then you'll have your domain name. So if your server is Mail, which you have external to your DNS record, it would be mail.domain.com. Then you have to add the forward slash (/). Actually, the /Microsoft-Server-ActiveSync is added for you.
Otto: Do you know if we're currently able to sync Tasks, Notes, and the file folders, or if in the future we'll be able to do this?
Jim: There has been a lot of talk about it. I don't know the disposition on any decisions to move forward on any of that. I think right now everything is pretty focused on the Inbox, Contacts, and Calendar. From a mobility perspective, that seems to be the most useful feature.
Otto: Can Smartphone 2002 sync with Exchange 2003 ActiveSync with no SSL?
Jim: I believe the SSL is hard-coded in Smartphone 2002. I don't have the UI off the top of my head, but if there is no option to not use SSL — I know in Pocket PC 2003 there is — then no. It's going to require SSL, which I believe is the case.
Otto: How can we import a certificate to a Pocket PC? I always seem to get the invalid certificate error on my device. But I've imported the root certificate to the device.
Jim: It's not so much adding the certificate to the device as adding the certificate authority that it came from to the list of trusted CAs. There is the Disablessl utility, which it sounds like you don't want to use. There's another article that we can send out and post with a follow-up as well, but you can find it by searching on "certificate," "Pocket PC," and "trust list." You can go into the registry and add your certificate authority to that list. That should take care of that error for you.
Follow-up answer: You may want to try a hard reset of your device. Most certificate issues cause a host of other issues, but your situation seems different, in that all other applications are working fine with the same certificate. There aren't a lot of ways to add the certificate, and it sounds like you've done your homework. If the hard reset of your device doesn't fix it, try removing and reapplying the certificate one more time (after the reset).
Here's the utility to add a new root authorization:
http://www.microsoft.com/downloads/details.aspx?FamilyId=ECFDE1C7-36C9-4C13-986E-8A46790F61E4&displaylang=en
Here's a utility to disable the cert check (you should try this as a test as well; there should be no warning when you have this installed). Remember, you will still use SSL, but there's no certificate validation check:
http://www.microsoft.com/downloads/details.aspx?familyid=d88753b8-8b3a-4f1d-8e94-530a67614df1&displaylang=en
If you follow through on this and are still having problems, contact PSS for assistance.
Otto: We have a follow-up on that SyncML question we addressed earlier. The original question was: Can ActiveSync work with SyncML-enabled devices? SyncML is an over-the-air protocol to send phone book items and calendar items to a device. They're referring to Syncml.org as a source.
Jim: That's really cool. I'll check that out. No. As it's described, the ActiveSync client, it's very — I wouldn't say proprietary — but it's designed to use very specific WebDAV methods to request the data from the server. WebDAV being open, it's feasible you could develop your own application, but there is no other application that will work with ActiveSync.
Otto: A couple of users are commenting about the primary SMTP address issue, and I guess there actually may be a registry change that can be made to address that. It appears that it may actually be a known issue in that case. So in those cases, it might be a good idea to have those users contact Product Support Services directly, and open a support incident.
Jim: Yes. If you just need instructions on something like that, if you just need contents for a KB article, those are free calls to PSS. You just say, "I don't have a break fix. I just have a question about a KB article or a known issue. I remember the issue. I just don't remember, off the top of my head, what the resolution was." The registry hack, that sounds legitimate.
Otto: Yes. It looks like a server-side registry setting.
Jim: Yes. Absolutely, it would be.
Otto: We're currently running Exchange on a single machine, with no front-end or back-end. And for ActiveSync to work, we have to turn off require SSL on the Exchange folder. Can you provide some insight on that?
Jim: Yes. You can't require SSL on the Exchange virtual directory, because the request from the ActiveSync application to the Exchange virtual directory folder is done over port 80. So what you'll need to do is just have SSL configured, but you can't select the require SSL box.
So a way to address that is, in your firewall, do not open port 80. I would just open port 443, and it sounds like you're going to have a user training issue, so that when your users are accessing OWA, they're going to have to manually enter HTTPS. That will probably work for you. It's not the most ideal, but when you're using OWA and ActiveSync on the same server, and you want to require SSL, that does get kind of tricky.
Otto: And just a clarification on contacting PSS: Is there a charge for server ActiveSync incidents, or does that pretty much fall under the same standard?
Jim: There's a charge. If you have a break fix incident, or you need help configuring it, yes, there is a standard charge for that. However, the things that you call PSS about where there is no charge is if you need a hotfix. If your incident turns out to be a bug, they'll refund it.
So if you're able to reproduce the issue every single time you try to sync, and it's something obscure and not documented, if when you call PSS it ends up being a bug or a problem on our end, that charge will be refunded. Or if you need clarification on a KB article, we don't charge for that, either.
Otto: On a fresh install of Exchange 2003, the Microsoft server ActiveSync virtual directory is empty. Is that normal? The OWA virtual directory, on the other hand, is not empty, and it has appropriate files.
Jim: Yes. That's fine. Remember that even with Exchange, the application itself is a .dll. What you're seeing is the map to Exchweb for OWA. There's a path, and we have to pull up GIF images, and that sort of thing, to actually paint your window. We don't have that with ActiveSync. So it's an application that runs, and it's spitting pure wbXML back to your clients. So, yes, that's fine.
Otto: A clarification question on subfolder sync: Can you sync subfolders of a primary Contacts folder? I'm not sure if we covered that.
Jim: On the Contacts folder? Usually it's about the Inbox. I think it would be fine. I can double-check, but I'm pretty sure that would be fine.
Follow-up answer: I couldn't find anything explicitly saying it wouldn't work, but that doesn't always mean it will. So I set up a Pocket PC 2003 to use against my own account after creating multiple subcontainers for contacts. There is no option that I could find to sync them. It's very straightforward for the Inbox. We'll need to document this better.
As an alternative, you may be able to use the grouping options that are included to filter the view. Additionally, there are some third-party products that may allow you to do this as well (it doesn't use ActiveSync, but the net result is that you have the data you want on your Pocket PC). I'm not able to recommend anything specifically, but if you search the Internet, you will find them.
Otto: I've received the following error: "Your account does not have permissions to sync with your current settings." The account shows that the mobile services are enabled, but it is still unable to sync. Do you have any thoughts regarding this?
Jim: It sounds like your Active Directory might be out of sync. So when you go into Active Directory Users and Computers and you enable your account for synchronizing — and I assume you also have enabled this globally at this point, but let's say you've enabled the user, and you've enabled it globally — if you have more than one domain controller, it could be that that information hasn't replicated to the domain controller that your ActiveSync server is using.
You can use a utility such as LDP in the support tools to pull your user account information out of Active Directory and attach specifically to the different global catalogs, and see what is actually stored on your account, if you have more than one global catalog. Let me know if you only have one server, though.
Otto: Is it possible to send the AUTD SMS message through our in-house SMS application, thus avoiding the mobile carrier?
Jim: It's going to have to go through the mobile carrier, because that's how it's going to get to the device. You think of the carrier's network as their LAN, and that's like a PC on their LAN. So you have to go, of course, across the Internet through their gateway. It's not that that device is straight on the Internet.
Otto: The root certificate solution that we addressed earlier says that it's specific to Pocket PC 2002, but we're wondering if it also is applicable to Pocket PC 2003. It looks like this user may have been successful with Pocket PC 2003 devices.
Jim: Well, if you get your certificate from VeriSign, you won't have that problem; or with a third-party certificate, you won't have that problem. The article probably just needs to be updated. But, yes, you will have that problem if your root CA is not on the list, and the list is very short to begin with.
Otto: Would you explain how ActiveSync is different between the two versions, between Pocket PC 2002 and 2003? Other than, for instance, the SMS notification process?
Jim: It's a complete rewrite. So a lot of the base functionality is there, but the things that are mostly different are under the hood. I can't really get into the things that I do know. I'd probably get in trouble if I did. But it is a complete rewrite. I will say that. Functionality-wise, the Always-Up-to-Date, I think you noted that. But they're about the same.
Otto: This question looks like it is quite a bit outside of the scope, but I'm going to ask it just in case: Do we have any public information on when Smartphone 2003 might be available to users?
Jim: The general line that we take, not just on Smartphone, but on any product — is we might drop some hints every now and then about quarters or when we expect it to be shipped, but we never really give hard dates on when anything is going to ship. I don't have any information on Smartphone.
In fact, on some devices that are pretty hot, we keep a pretty tight lid on it. But we generally don't announce dates, because as everybody knows, in the software and/or hardware industry, dates tend to slip. So we don't make a habit of giving specific dates. Sorry.
Otto: Can a network load-balanced IIS 6.0 cluster serve as the front-end for a back-end Exchange 2003? And we're wondering if Exchange would have to be installed on each server in the cluster?
Jim: So, you want to load-balance ActiveSync? I think that is the question? Yes. That will work. Using Windows load balancing, that's fine. If you want to use a clustered back-end, that'll work as well. When you say close to the back-end, I just want to clarify: don't use Windows load balancing to cluster your mailbox servers. I assume you're using Microsoft Cluster Services.
Otto: Where can I get the Disablessl utility for my PPC 2002 devices?
Jim: It should be on the CD. If you absolutely cannot find it, you can contact PSS for this utility. They won't charge you for that. They should send it to you.
Otto: And another clarification question: I've added the root certificate to my pocket device, but I'm still getting an invalid certificate error on that device. Is there somewhere I might be able to look for logging information, or a different support article to follow? I've actually used 322956 and the AddRootCert utility.
Jim: I would make sure, because if it's an invalid certificate error — and it sounds like you've added the root certificate appropriately, and you've done your due diligence — does the name match? When you created the certificate, is the FQDN that you used for the common name, is that the FQDN that you're using to get to the actual server? If any information that you gave to create the certificate doesn't match the actual facts — the FQDN is the most common issue — that will generate a certificate error. So, yes, I would look at that next.
Otherwise, I would try using Internet Explorer with the same certificate, and see if you get a prompt about not being able to validate the certificate. And then contact your certificate vendor for some assistance.
Otto: Is there a link on the Web where I can find a document to configure a mobile device to sync with Exchange 2003?
Jim: You might look in the troubleshooting guide or in the troubleshooting document. Some configuration settings are mentioned in there. If you're able to browse the default Web site on your ActiveSync server, you've done the majority of the work to get it going.
All that's left at that point is to go into the Server tab in your ActiveSync and give it the FQDN of your server, so that the ActiveSync application knows that there is a server running ActiveSync at that location. Yes. There should be some links off of this. As a follow-up, I can post what I can dig up. I'll send that out.
Follow-up answer: This link should get you started:
http://www.microsoft.com/windowsxp/expertzone/columns/bowman/september24.asp
Get your base Internet connectivity working first. After you are able to view the default Web site on your Exchange server across the Internet, you should be able to enter the server name for ActiveSync. Open ActiveSync, click Tools, click Options, and then click the Server tab. In the Use this server box, enter the FQDN of your server. You don't have to add http or /Microsoft-Server-ActiveSync, just the FQDN (the name.domain.com address you had to enter to view the default Web site).
You need to click the Options button to enter your username and password if you want it to be passed automatically. You can also configure rules from this page to limit the size of downloads as well as enable logging and AUTD syncing (provided that it has been enabled globally).
Otto: It looks like we have a follow-up regarding one of the questions we had addressed earlier. The original question, I believe, that this links to, was: What would the standard server name be, being placed in your Pocket PC configuration? The follow-up is: In regard to the DCs, there are actually two in the organization, and the settings have been enabled for about three months.
Jim: So I would test Active Directory. If they're both global catalog servers, again, I would use LDP or the Active Directory administrative tools from the support tools, query each server respectively, and get your particular attributes out and compare them. Because it seems like, although you've enabled it, the changes aren't being replicated to the server that the ActiveSync is using.
Again, make sure you've enabled it globally. It sounds like you've enabled it on your account and that you've double-checked it. But it just really seems like if you don't have a "permission to sync" error, that's pretty specific. And the one thing I know is ActiveSync errors are not vague at all. They are pretty to the point. It just really seems like you have an Active Directory problem. You might follow that up with a call to PSS if that doesn't pan out, or if you have trouble with the tool.
Otto: Will there be notification support for folders other than Inbox? It looks like we've kind of addressed that. I'm currently synchronizing on my Smartphone, but I get a notification only if there is a new item in my Inbox and not other folders. Can you clarify which ones are currently supported and which ones are not, as far as folders are concerned?
Jim: Lots of good device questions: I don't deal with the devices that often. I believe it's just the Inbox that's supported for that. I'm not 100 percent sure, so I will follow up.
Follow-up answer: When you sync your device the first time, you will get a prompt to configure AUTD. At first only your Inbox, Calendar, and Contacts root folders will be available. After the first sync, any additional subfolders that are synchronized are added to the hierarchy, and they may be individually selected as well. If you have already provisioned your device, you can set the sync schedule to When new items arrive to enable AUTD for that folder.
Otto: How do you configure AUTD?
Jim: Well, on the user's account, you have to give the device address, so that when the event triggers, it knows where to send that notification. So, after you've globally enabled ActiveSync and you've enabled the user, one of the options, globally, is enabling always-up-to-date synchronization. It would be easier if I had the UI. I could walk you through it, but you have to specify a device address. That's, in a nutshell, it.
Otto: What ports need to be open on my firewall if I have one Exchange 2003 server for the ActiveSync device to connect?
Jim: That leaves a lot open for assumption. If your ActiveSync server is in the DMZ, I'm assuming, and your Exchange server is on the LAN, this is documented. There are articles on how to do this. But if you follow the instructions for putting OWA in a DMZ, that will work as well. It uses all the same ports for an OWA front-end server, but you'll need one for the connection to the global catalog and the domain controller. For the OWA/ActiveSync combination, you'll need 137, 138, 139. If you ever do change passwords or for NetBIOS authentication, you'll need 389, 3268, port 53 to DNS, port 88 for Kerberos. And for the Exchange server you're going to want to have port 80 open. Depending on what services you're running, you could add many more or have many fewer.
My general recommendation for front-end/back-end has always been to use IPSec between the two, because you will need to have many fewer ports open. All that is documented. If you search on "firewall" and "Exchange," you'll get plenty of articles on how to do that in different scenarios.
Otto: It appears that that was the final question in the queue here, so I'm going to wrap up our session today.
I certainly wanted to thank Jim for coming out and giving us a great presentation. As always, I wanted to thank you, our audience, for coming out and attending today's event. We certainly hope that this information was helpful to you and your business. We look forward to seeing you again in the near future.
Thank you, everyone, and have a great day.