Bart's Weblog

Just a blog…

Archive for June, 2011

BlackBerry Enterprise Server support for IPv6

Posted by bartvdw on 23/06/2011

Currently BlackBerry Enterprise Server does not support IPv6, see link below!

BlackBerry Enterprise Server support for IPv6
http://www.blackberry.com/btsc/KB05094

Posted in BlackBerry | 1 Comment »

McAfee ePolicy Orchestrator 4.x backup and disaster recovery

Posted by bartvdw on 11/06/2011

Recently encountered some problems with a McAfee ePolicy Orchestrator installation. As a result, I’ve learned:
– Use the default installation path, unless you have a very good reason not to
– If using a SQL Express database, also install it in the default path unless you have a very good reason not to, and then make sure you don’t install it in the same directory as ePolicy Orchestrator itself
– Take a backup of the specific ePolicy Orchestrator folders before upgrades or any other change
– Read the backup and disaster recovery documentation published by McAfee

In short:
– Backup DB (if SQL Express, I’ll update this post later with commands you need)
– Backup ePolicy Orchestrator directories "Server", "DB\Software", "DB\Keystore", "Apache2\Conf"

 

ePO 4.5 and 4.6 server backup and disaster recovery procedure
https://kc.mcafee.com/corporate/index?page=content&id=KB66616

Posted in McAfee | Leave a Comment »

Deploying printers using GPP

Posted by bartvdw on 11/06/2011

When you deploy printers using GPP, you can receive the following error:

‘0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.’

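To prevent this, add the following options to your policy:
– Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions – set to "Disabled"
– User Configuration\Administrative Templates\Control Panel\Printers\Point and Print Restrictions – set to "Disabled"

With the policy disabled, clients may create Point and Print connections to any print server, and no warning or elevation prompt is shown when a driver is installed or updated.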

Posted in Active Directory, Group Policy | 1 Comment »

BlackBerry Enterprise Server (Express) 5.x preparation guide for Exchange 2010/SP1

Posted by bartvdw on 11/06/2011

This is my personal preparation guide when I install BlackBerry Enterprise Express 5.x in an environment. To understand everything, please read the reference links at the bottom.

Update 13/08/2011: added information about IPv6 and BBConvert events

Update 25/08/2011: added Windows Media Format Package command for Windows Server 2008 R2 SP1

Update 03/09/2011: added netsh commands for Windows Firewall rule and references regarding firewall and connection requirements

 

Firewall and connection requirements

Make sure you have port 3101 TCP open (outbound initiated, bi-directional) on your firewall.

Check the link in the references section if you want details about the connections needed.

 

Preparation

Create a user named BESAdmin in your Active Directory.

Note: Don’t choose a password with exotic characters. See the link "'Error writing to Database' error message is displayed after the LDAP portion of the BlackBerry Enterprise Server 5.0 installation" in the references at the bottom for details about unsupported characters.

Recommended:
– Install on a separate server, not on the Exchange Server 2010 itself
– Although there is a KB regarding configuration without Public Folders, it’s advised to have them installed and have an Offline Address Book configured before installing BES

Install "Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1" on the BES server. See download link in references at the bottom.

On the Exchange 2010 server, open the "Exchange Management Shell" and execute the steps below.

 

Delegate control and permissions

Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"
Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

 

Configure "Send As" permission

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"

Note: If you receive the following error, use one of the two workarounds below. The reason is that the required permissions are not granted by default; you would need to grant additional rights to the "Organization Management" group or to your specific user. The easiest option is to use the workarounds. If you want to adjust security to overcome the error below, visit Microsoft TechNet for security documentation.

    Active Directory operation failed on Domain ***Controllor Name***. This error is not retriable. Additional information: Access is
    denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
    + FullyQualifiedErrorId : DA172DD1,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

Workaround 1

To assign Send As permissions to all users via Active Directory, complete the following steps (see also Task 2 in the official BlackBerry document).

1. Open "Active Directory Users and Computers"
2. Select "View" menu, select "Advanced Features"
3. Right-click the domain name, select "Properties"
4. Select the "Security" tab, click on "Advanced"
6. Select "Add" and enter your Blackberry Service Account name (e.g. BESadmin), select "OK"
7. Select "User Objects" in the "Applies Onto" list (Windows Server 2008 and higher: "Descendant User Objects")
8. Select "Send As" checkbox, click "OK"
9. Press "Apply" and "OK"

Workaround 2

Individually assign the permissions to a user using the Exchange Management Shell:
Add-ADPermission "BES User Mailbox Name" -User "Domain\BESadmin" -Extendedrights "Send As"

 

Turn off client throttling

New-ThrottlingPolicy BESPolicy

Policy for Exchange 2010 without SP1: Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null

Policy for Exchange 2010 SP1: Set-ThrottlingPolicy BESPolicy -CPAMaxConcurrency $NULL -CPAPercentTimeInCAS $NULL -CPAPercentTimeInMailboxRPC $NULL -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null

Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy

 

Increase maximum number of connections (Exchange 2010 without SP1 only)

On the Exchange server, browse to the directory C:\Program Files\Microsoft\Exchange Server\V14\bin
Open "microsoft.exchange.addressbook.service.exe.config" file in notepad
Set "MaxSessionsPerUser" to "100000"
Save the file and restart the service "Microsoft Exchange Address Book"

 

Allow BES to manage calendars using "Exchange Web Services"

New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin"
Get-Mailbox -Server "<messaging_server_name>" | Set-CalendarProcessing -ProcessExternalMeetingMessages $true
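
To confirm what the Exchange Management Shell steps above actually granted to the service account, the audit below can be run in the same shell. It is an added example, not part of the original guide; the expected values come from the commands above, and `$UsersContainer` is a placeholder DN to replace with your own.

```powershell
# Added example: audit the Exchange-side rights held by the BES service account.
# Run in the Exchange Management Shell. $UsersContainer is a placeholder DN.
$Account        = "BESAdmin"
$UsersContainer = "CN=Users,DC=example,DC=com"

function New-Check($Name, $Ok, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; OK = [bool]$Ok; Detail = "$Detail" }
}

# Names of the non-denied extended rights the account holds on one AD object.
function Get-GrantedRights($Identity) {
    Get-ADPermission -Identity $Identity -User $Account |
        Where-Object { -not $_.Deny -and $_.ExtendedRights } |
        ForEach-Object { $_.ExtendedRights | ForEach-Object { "$_" } }
}

$results = @()

# Role group membership from Add-RoleGroupMember
$member = Get-RoleGroupMember "View-Only Organization Management" |
    Where-Object { $_.Name -eq $Account }
$results += New-Check "View-Only Organization Management" $member ""

# Receive-As and ms-Exch-Store-Admin must be present on every mailbox database
foreach ($db in Get-MailboxDatabase) {
    $rights  = @(Get-GrantedRights $db.DistinguishedName)
    $missing = @("Receive-As", "ms-Exch-Store-Admin") | Where-Object { $rights -notcontains $_ }
    $results += New-Check "Database rights: $($db.Name)" (-not $missing) ($missing -join ", ")
}

# Send-As on the Users container (inherited by descendant user objects)
$sendAs = @(Get-GrantedRights $UsersContainer) -contains "Send-As"
$results += New-Check "Send-As on $UsersContainer" $sendAs ""

# ApplicationImpersonation assignment used for EWS calendar access
$imp = Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $Account
$results += New-Check "ApplicationImpersonation" $imp (($imp | ForEach-Object { $_.Name }) -join ", ")

# Throttling policy bound to the service mailbox (matched on the policy name)
$policy = (Get-Mailbox $Account).ThrottlingPolicy
$results += New-Check "ThrottlingPolicy = BESPolicy" ("$policy" -like "*BESPolicy") $policy

$results | Format-Table Check, OK, Detail -AutoSize

# Every management role the account holds, direct or through a role group; review extras.
Get-ManagementRoleAssignment -RoleAssignee $Account |
    Format-Table Role, RoleAssigneeName, RoleAssignmentDelegationType -AutoSize
```

The Detail column lists any database right that is missing; the final table is the place to spot roles beyond the ones this guide assigns.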

 

Local Administrator rights

Add the BESAdmin user to the local "Administrators" group on the BES server.

 

Local Security settings

Grant the following user rights to the "BESAdmin" user on the BES server:
– Log on Locally
– Log on as Service

 

Windows Server 2008 / R2: disable IPv6

IPv6 is currently not supported, see references. If BES is being installed on a separate server from Exchange, disable it.

 

Windows Server 2008 / R2: install Windows Media Format SDK

This will prevent BBConvert events from being generated: Unable To Locate Component : This application has failed to start because WMVCore.DLL was not found. Re-installing the application may fix this problem. (System Log – Event ID 26 – Application Popup)

Windows Server 2008 x64: pkgmgr.exe /ip /m:"%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.0.6001.18000.mum"

Windows Server 2008 x86: pkgmgr.exe /ip /m:"%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~x86~~6.0.6001.18000.mum"

Windows Server 2008 R2: dism.exe /online /norestart /add-package /packagepath:"%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum" /ignorecheck

Windows Server 2008 R2 SP1: dism.exe /online /norestart /add-package /packagepath:"%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum" /ignorecheck

 

Windows Firewall rule to allow remote access to the Administration Service & Webdesktop

Windows Server 2008: netsh firewall add portopening TCP 3443 "BESExpress Management Port"

Windows Server 2008 R2: netsh advfirewall firewall add rule name="BESExpress Management Port" dir=in action=allow protocol=TCP localport=3443
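
The rule above accepts connections to port 3443 from any remote address. The check below, an added example that is not part of the original post, lists the enabled inbound allow rules covering that port and flags those open to every address; it assumes PowerShell 2.0 or later on the BES server, and the subnet in the final comment is a placeholder.

```powershell
# Added example: find enabled inbound TCP allow rules for the BES management port
# and report whether they are limited to specific remote addresses.
$Port  = "3443"
$DirIn = 1   # NET_FW_RULE_DIR_IN
$Allow = 1   # NET_FW_ACTION_ALLOW
$Tcp   = 6   # IP protocol number for TCP

# Windows Firewall with Advanced Security COM interface
$fw = New-Object -ComObject HNetCfg.FwPolicy2

$rules = @($fw.Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq $DirIn -and $_.Action -eq $Allow -and
    $_.Protocol -eq $Tcp -and $_.LocalPorts -and
    (($_.LocalPorts -split ",") -contains $Port)   # exact port entries only, not ranges
})

$rules | ForEach-Object {
    New-Object PSObject -Property @{
        Rule            = $_.Name
        Profiles        = $_.Profiles          # bitmask: 1 domain, 2 private, 4 public
        RemoteAddresses = $_.RemoteAddresses
        OpenToAny       = ($_.RemoteAddresses -eq "*")
    }
} | Format-Table Rule, Profiles, RemoteAddresses, OpenToAny -AutoSize

# To limit the rule from this post to a management subnet (192.0.2.0/24 is a placeholder):
# netsh advfirewall firewall set rule name="BESExpress Management Port" new remoteip=192.0.2.0/24
```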

 

References

BlackBerry Knowledge Base: Assign service account permissions for a BlackBerry Enterprise Server for Microsoft Exchange

Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e17e7f31-079a-43a9-bff2-0a110307611e&displaylang=en

Exchange 2010 BES 5.0.x Install Guide
http://www.blackberryforums.com.au/forums/microsoft-exchange/8554-exchange-2010-bes-5-0-x-install-guide.html

BlackBerry Knowledge Base: "Error writing to Database" error message is displayed after the LDAP portion of the BlackBerry Enterprise Server 5.0 installation

Configure the BlackBerry Enterprise Server Express to run without public folders
http://docs.blackberry.com/en/admin/deliverables/14347/Config_Exchange_10_run_wo_public_folders_963029_11.jsp

BlackBerry Enterprise Server support for IPv6
https://bartvdw.wordpress.com/2011/06/23/blackberry-enterprise-server-support-for-ipv6/

BlackBerry Knowledge Base: Firewall and connection requirements for the BlackBerry Enterprise Server

Posted in BlackBerry | 10 Comments »