In this mobile-first world, your end users can’t live without their smartphones. If they cannot get to email from anywhere at any time, deals could fall through and that just can’t happen. Ensuring that Exchange ActiveSync is working properly on both your Exchange infrastructure and your users’ myriad mobile devices is one of the most important things you can do. Usually, EAS works perfectly well, so this is not a problem for you. But occasionally, things do fail, so knowing what to look at and how to troubleshoot are critical skills. This article should help get you started.


Make sure DNS is properly resolving the name, that the user is attempting to use valid credentials that aren’t locked out, and that the certificate on the CAS has not expired. It is amazing how many times sysadmins let a certificate expire, so don’t overlook that! There are actually several things you can check on your CAS, but you can first just check your phone to be sure it still works. If you have multiple CAS servers, though, you need to make sure your phone and the affected user’s phone are both being serviced from the same CAS or CAS array.
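The three checks above can be scripted so they are run the same way for every ticket. This is an added example, not code from the original article; the function name `Test-EasPrerequisite` and the host, server and user values are placeholders, and it assumes the Exchange Management Shell with the ActiveDirectory module available.

```powershell
# Added example: DNS, account and certificate pre-checks for one affected user.
# Test-EasPrerequisite is a hypothetical helper name; all parameter values are placeholders.
function Test-EasPrerequisite {
    param(
        [Parameter(Mandatory)] [string] $EasHost,    # published EAS name, e.g. mail.example.com
        [Parameter(Mandatory)] [string] $CasServer,  # CAS expected to answer for that name
        [Parameter(Mandatory)] [string] $User,       # sAMAccountName of the affected user
        [int] $WarnDays = 30                         # flag certificates expiring within this window
    )

    # 1. DNS: does the published name resolve, and to which addresses?
    $addresses = try {
        (Resolve-DnsName -Name $EasHost -Type A -ErrorAction Stop |
            Where-Object { $_.IPAddress }).IPAddress
    } catch { @() }

    # 2. Account: enabled, not locked out, password not expired
    $account = Get-ADUser -Identity $User -Properties LockedOut, PasswordExpired

    # 3. Certificate: the one(s) enabled for IIS on the CAS, with days remaining
    $certs = Get-ExchangeCertificate -Server $CasServer |
        Where-Object { $_.Services -match 'IIS' } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } }

    [pscustomobject]@{
        DnsResolves     = [bool]$addresses
        Addresses       = $addresses -join ', '
        AccountEnabled  = $account.Enabled
        LockedOut       = $account.LockedOut
        PasswordExpired = $account.PasswordExpired
        CertExpired     = [bool]($certs | Where-Object { $_.DaysLeft -lt 0 })
        CertExpiresSoon = [bool]($certs | Where-Object { $_.DaysLeft -ge 0 -and $_.DaysLeft -lt $WarnDays })
        Certificates    = $certs
    }
}

# Placeholder values; substitute your own names
Test-EasPrerequisite -EasHost 'mail.example.com' -CasServer 'CAS01' -User 'username' | Format-List
```

Run the DNS step from a network that sees the same records the phone does; an internal resolver can answer differently from public DNS.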

On the server side

Ultimately, EAS is provided by your Exchange Client Access Server(s) (CAS), so knowing what to look at and where to check on things is key. And since you can reach right out and touch your CAS servers, this is probably the first place to start.


Always check the logs to see what they can tell you. Far too many admins make checking logs the last thing they do, rather than the first.
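One practical way to read the logs first is to summarize failed EAS requests per user and device. This is an added example, not part of the original article: it assumes IIS W3C logs from the CAS, where EAS requests appear under `/Microsoft-Server-ActiveSync`; the function name `Get-EasLogFailure` is hypothetical and the log lines are constructed.

```powershell
# Added example. The log lines are constructed; on a CAS, pass (Get-Content <IIS log file>) instead.
$sampleLog = @'
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status
2024-05-01 08:00:01 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=alice&DeviceId=DEV001&DeviceType=iPhone CONTOSO\alice 200
2024-05-01 08:00:07 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=bob&DeviceId=DEV002&DeviceType=Android - 401
2024-05-01 08:00:12 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=bob&DeviceId=DEV002&DeviceType=Android - 401
2024-05-01 08:00:20 POST /Microsoft-Server-ActiveSync/default.eas Cmd=FolderSync&User=carol&DeviceId=DEV003&DeviceType=Android CONTOSO\carol 449
2024-05-01 08:00:31 GET /owa/ - CONTOSO\alice 200
'@ -split "`r?`n"

function Get-EasLogFailure {
    param([string[]] $Line)
    # What each failing status usually means for an EAS client
    $hint = @{
        401 = 'Authentication failed: check username format, password, lockout'
        403 = 'Access denied for this user or device'
        449 = 'Device must provision (accept the EAS policy) before it can sync'
        503 = 'Service unavailable: check IIS and the app pools'
    }
    $fields = @()
    $rows = foreach ($l in $Line) {
        # The #Fields header tells us which column is which; other # lines are skipped
        if ($l -like '#Fields:*') { $fields = ($l -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($l -like '#*' -or -not $l.Trim()) { continue }
        $values = $l -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync*') { continue }
        # Plain-text EAS query strings carry User and DeviceId (base64-encoded queries are not handled here)
        $q = @{}
        foreach ($pair in ($rec['cs-uri-query'] -split '&')) { $k, $v = $pair -split '=', 2; $q[$k] = $v }
        [pscustomobject]@{ User = $q['User']; DeviceId = $q['DeviceId']; Status = [int]$rec['sc-status'] }
    }
    # Keep only failures and count them per user, device and status
    $rows | Where-Object { $_.Status -ge 400 } | Group-Object User, DeviceId, Status |
        Sort-Object Count -Descending | ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User = $first.User; DeviceId = $first.DeviceId; Status = $first.Status
                Count = $_.Count; Hint = $hint[$first.Status]
            }
        }
}

Get-EasLogFailure -Line $sampleLog | Format-Table -AutoSize
```

An occasional 401 can be a normal authentication challenge; a device that shows repeated 401s and no successful request afterwards is the one to look at.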


If you are using EAS Quarantine, check to make sure the device has not been quarantined. It could be that a policy is preventing the user from connecting the device, especially if it is a new one. Devices are allowed (or denied) based on a UUID, not a user’s account or a specific make/model. If they had to get a phone replaced, just because they got the same model doesn’t mean it will automatically be permitted.


Also check to be sure the device can support the EAS policy you have in place. Encryption is a big one. If a device does not support storage encryption and you set a policy that requires it, then that device won’t connect.

Other details

Use Exchange Management Shell to check on the mobile device and its association with a user’s mailbox.

Get-MobileDevice -Mailbox username
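Building on that cmdlet, the quarantine and policy checks described earlier can be answered in one pass per device. This is an added example, not code from the original article; the function name `Get-EasDeviceTriage` is hypothetical, `username` is a placeholder, and it assumes the Exchange 2013 or later Management Shell.

```powershell
# Added example: per-device access state and policy status for one mailbox.
# Get-EasDeviceTriage is a hypothetical helper name; 'username' is a placeholder.
function Get-EasDeviceTriage {
    param([Parameter(Mandatory)] [string] $Mailbox)

    $cas = Get-CASMailbox -Identity $Mailbox

    # Policy assigned to the mailbox; fall back to the organization default if none is set
    $policy = if ($cas.ActiveSyncMailboxPolicy) {
        Get-MobileDeviceMailboxPolicy -Identity $cas.ActiveSyncMailboxPolicy
    } else {
        Get-MobileDeviceMailboxPolicy | Where-Object { $_.IsDefault }
    }

    foreach ($device in Get-MobileDevice -Mailbox $Mailbox) {
        $stats = $device | Get-MobileDeviceStatistics
        [pscustomobject]@{
            DeviceId          = $device.DeviceId
            Model             = $device.DeviceModel
            OS                = $device.DeviceOS
            # Allowed, Blocked or Quarantined, and which rule decided it
            AccessState       = $device.DeviceAccessState
            AccessReason      = $device.DeviceAccessStateReason
            # Per-user allow/block lists override organization-wide rules
            ExplicitlyAllowed = $cas.ActiveSyncAllowedDeviceIDs -contains $device.DeviceId
            ExplicitlyBlocked = $cas.ActiveSyncBlockedDeviceIDs -contains $device.DeviceId
            # Did the device accept the policy, and does the policy demand encryption?
            PolicyApplied     = $stats.DevicePolicyApplied
            PolicyStatus      = $stats.DevicePolicyApplicationStatus
            RequiresEncrypt   = $policy.RequireDeviceEncryption
            AllowsNonProv     = $policy.AllowNonProvisionableDevices
            LastSuccessSync   = $stats.LastSuccessSync
        }
    }
}

Get-EasDeviceTriage -Mailbox 'username' | Format-List
```

A replacement phone shows up here as a new DeviceId, so compare it against the entry for the old device before concluding that a policy changed.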


Since EAS is provided by IIS, first check IIS to be sure it is healthy. Confirm that the service is running, and that the app pools are also running. An IISRESET and restarting each app pool can often knock loose whatever is clogging the tubes.

Health Sets

There are several Health Sets built into Exchange for ActiveSync. These can monitor the overall health and performance of EAS and are very useful to run on your CAS. The ActiveSync, ActiveSync.Protocol, and ActiveSync.Proxy Health Sets can all be used to monitor and perform diagnostics. You can get to each of these through the Exchange Management Shell:

Get-ServerHealth servername | ?{$_.HealthSetName -in 'ActiveSync','ActiveSync.Protocol','ActiveSync.Proxy'}

With the output of each health set, you can dig deeper by checking a probe if it is indicated.

Invoke-MonitoringProbe ActiveSync\ActiveSyncCTPProbe -Server servername | fl

Remote Connectivity Analyzer

The Exchange Remote Connectivity Analyzer includes tests for evaluating EAS from outside your network. Go to and run the tests for EAS located on the first tab, including both the Exchange ActiveSync and Autodiscover tests.

Mobile Devices

You can enable EAS logging for a user through Outlook Web App in order to gather client specific logs. Here’s how.

  1. Log on to OWA.
  2. Click on Settings, then Options.
  3. On the left, click on Phone.
  4. Select the appropriate device from the list of devices associated with your account.
  5. Click Start Logging and confirm.
  6. Reproduce the issue.
  7. Click on Retrieve Log.

The server will email you a text file that contains the log. See for more on troubleshooting mobile devices and EAS using logs from the client.


Not all EAS clients are created equally. Some Android implementations make the assumption that a user’s email address and account name (UPN) are the same, and don’t expose any way to specify when they are different. Some users still try to use sAMAccountName when UPN is required. Visually confirming that the right username is being typed in is a worthwhile step.


Many companies implement a Mobile Device Management (MDM) solution to help secure mobile devices. If you do, make sure the phone has the agent installed and is configured to go through the MDM for access. Ensure that the service account used by the MDM (if any) has the appropriate permissions to the user’s mailbox.

Knowing where to look and what tools are available can make troubleshooting EAS issues much easier. Never underestimate the importance of getting your hands on a suspect device though. You can only check so much from the server side… sometimes the client really is the source of the problem.
