I recently upgraded from an iPhone 6S Plus to an iPhone 7 Plus, having gone through other iterations of iPhone upgrades with no issues connecting to my Exchange 2013 server, but this one was different. On restoring from iCloud, my iPhone could not connect to my Exchange 2013 server (hosted on-premise). A fair bit of Googling revealed varying solutions, most of which centered around enabling permission inheritance for my Active Directory users (which I’d already done previously for an unrelated error).
Having double-checked that permission inheritance was turned on, I set about looking in the Event Viewer logs on my Exchange 2013 VM and noticed a recurring error every time my new device attempted to sync:
An exception occurred and was handled by Exchange ActiveSync. This may have been caused by an outdated or corrupted Exchange ActiveSync device partnership. This can occur if a user tries to modify the same item from multiple computers. If this is the case, Exchange ActiveSync will re-create the partnership with the device. Items will be updated at the next synchronization.
So off to my Windows Server 2012 R2 Domain Controller to take a look at the Active Directory Administrative Center. One quick global search for ‘iphone’ revealed an Active Directory sync partnership for the user I was interested in. Once I’d confirmed it was the right container for the right user, I deleted the container, re-tried the sync and monitored the Event Viewer on the Exchange 2013 box. No change: the sync was still failing and the error still appeared.
I noticed that the stack trace related to the error log specifically mentioned deleting the ‘ExchangeActiveSyncDevices’ container if it was empty (which it was, now that I’d deleted the only sync partnership contained within), so I ran another global search for ‘ExchangeActiveSyncDevices’ and, ensuring I chose the container for the right user, deleted the container, and my new iPhone sprang into life. After refreshing the results in Active Directory Administrative Center, I could see the container had been re-created.
So it appears it was a permissions issue all along but the fix turned out to be deleting the ‘ExchangeActiveSyncDevices’ container (and anything beneath it) for the affected user.
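The same checks can be scripted instead of clicked through in Active Directory Administrative Center. The following is an added example, not part of the original post: it assumes the ActiveDirectory RSAT module is installed, that the container sits directly beneath the user object, and uses a hypothetical account name `jbloggs`.

```powershell
# Added example (not from the original post). Run from a host with the
# ActiveDirectory RSAT module, using an account allowed to modify the user object.
Import-Module ActiveDirectory

$sam  = 'jbloggs'   # hypothetical sAMAccountName; replace with the affected user
$user = Get-ADUser -Identity $sam

# 1. Confirm permission inheritance is enabled on the user object.
#    AreAccessRulesProtected = $true means inheritance is turned off.
$acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
if ($acl.AreAccessRulesProtected) {
    Write-Warning "Inheritance is disabled on $($user.DistinguishedName)"
}

# 2. Locate the ExchangeActiveSyncDevices container for this user only.
#    Scoping the search to the user's DN avoids touching another user's container.
$container = Get-ADObject -SearchBase $user.DistinguishedName -SearchScope OneLevel `
    -Filter "Name -eq 'ExchangeActiveSyncDevices'"

if (-not $container) {
    Write-Output "No ExchangeActiveSyncDevices container found for $sam"
    return
}

# 3. List the device partnerships beneath it so the deletion can be reviewed first.
Get-ADObject -SearchBase $container.DistinguishedName -SearchScope OneLevel `
    -Filter * -Properties whenCreated |
    Select-Object Name, ObjectClass, whenCreated

# 4. Delete the container and everything beneath it.
#    -WhatIf only reports what would be removed; drop it to perform the deletion.
Remove-ADObject -Identity $container.DistinguishedName -Recursive -WhatIf
```

With `-WhatIf` removed, the container is deleted along with its child partnerships; refreshing the search after the device next syncs should show the container again, as described above.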