Bart's Weblog

Just a blog…

BlackBerry Enterprise Server (Express) 5.x preparation guide for Exchange 2010/SP1

Posted by bartvdw on 11/06/2011

This is my personal preparation guide when I install BlackBerry Enterprise Express 5.x in an environment. To understand everything, please read the reference links at the bottom.

Update 13/08/2011: added information about IPv6 and BBConvert events

Update 25/08/2011: added Windows Media Format Package command for Windows Server 2008 R2 SP1

Update 03/09/2011: added netsh commands for Windows Firewall rule and references regarding firewall and connection requirements

 

Firewall and connection requirements

Make sure you have port 3101 TCP open (outbound initiated, bi-directional) on your firewall.

Check the link in the references section if you want details about the connections needed.

 

Preparation

Create a user named BESAdmin in your Active Directory.

Note: Don’t choose a password with exotic characters. See the BlackBerry Knowledge Base article "Error writing to Database" error message is displayed after the LDAP portion of the BlackBerry Enterprise Server 5.0 installation, listed in the references at the bottom, for details about unsupported characters.

Recommended:
– Install on a separate server, not on the Exchange Server 2010 itself
– Although there is a KB regarding configuration without Public Folders, it’s advised to have them installed and have an Offline Addressbook configured before installing BES

Install "Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1" on the BES server. See download link in references at the bottom.

On the Exchange 2010 server, open the "Exchange Management Shell" and execute the steps below.

 

Delegate control and permissions

Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"
Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

 

Configure "Send As" permission

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"

Note: If you receive the following error, use one of the two workarounds below. The cause is that the required permissions are not granted by default; you would need to grant additional rights to the "Organization Management" group or to your specific user. The easiest option is to use one of the workarounds. If you prefer to adjust security to resolve the error, see the security documentation on Microsoft TechNet.

    Active Directory operation failed on Domain ***Controllor Name***. This error is not retriable. Additional information: Access is
    denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
    + FullyQualifiedErrorId : DA172DD1,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

Workaround 1

To assign Send As permissions to all users via Active Directory, complete the following steps (see also Task 2 in the official BlackBerry document).

1. Open "Active Directory Users and Computers"
2. Select "View" menu, select "Advanced Features"
3. Right-click the domain name, select "Properties"
4. Select the "Security" tab, click on "Advanced"
6. Select "Add" and enter your BlackBerry service account name (e.g. BESadmin), select "OK"
7. Select "User Objects" in the "Applies Onto" list (Windows Server 2008 and higher: "Descendant User Objects")
8. Select "Send As" checkbox, click "OK"
9. Press "Apply" and "OK"

Workaround 2

Individually assign the permissions to a user using the Exchange Management Shell:
Add-ADPermission "BES User Mailbox Name" -User "Domain\BESadmin" -Extendedrights "Send As"

 

Turn off client throttling

New-ThrottlingPolicy BESPolicy

Policy for Exchange 2010 without SP1: Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null

Policy for Exchange 2010 SP1: Set-ThrottlingPolicy BESPolicy -CPAMaxConcurrency $NULL -CPAPercentTimeInCAS $NULL -CPAPercentTimeInMailboxRPC $NULL -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null

Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy

 

Increase maximum number of connections (Exchange 2010 without SP1 only)

On the Exchange server, browse to the directory C:\Program Files\Microsoft\Exchange Server\V14\bin
Open "microsoft.exchange.addressbook.service.exe.config" file in notepad
Set "MaxSessionsPerUser" to "100000"
Save the file and restart the service "Microsoft Exchange Address Book"

 

Allow BES to manage calendars using "Exchange Web Services"

New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin"
Get-Mailbox -Server "<messaging_server_name>" | Set-CalendarProcessing -ProcessExternalMeetingMessages $true
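
To confirm that the Exchange-side steps above took effect before starting the BES installer, the grants can be read back from the Exchange Management Shell. This is an added example, not part of the original post; the function name Test-BesExchangePrep is hypothetical, and it assumes the account and policy names used in this guide and that the account's AD name is BESAdmin.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on the Exchange 2010 server once the steps above are done.
function Test-BesExchangePrep {            # hypothetical helper name
    param(
        [string]$Account    = 'BESAdmin',  # service account from this guide
        [string]$PolicyName = 'BESPolicy', # throttling policy from this guide
        [string]$SendAsDn                  # DN used in the "Send As" step
    )
    $out = @()
    function Row($check, $ok) {
        New-Object psobject -Property @{ Check = $check; Ok = [bool]$ok }
    }
    function Rights($dn) {
        # Extended rights allowed (not denied) for $Account on the object $dn
        Get-ADPermission -Identity $dn -User $Account |
            Where-Object { -not $_.Deny } |
            ForEach-Object { $_.ExtendedRights } |
            ForEach-Object { "$_" }
    }

    # Role group membership (assumes the account's Name equals $Account)
    $m = Get-RoleGroupMember 'View-Only Organization Management' |
        Where-Object { $_.Name -eq $Account }
    $out += Row 'View-Only Organization Management member' $m

    # Receive-As and ms-Exch-Store-Admin on every mailbox database
    foreach ($db in Get-MailboxDatabase) {
        $r = @(Rights $db.DistinguishedName)
        foreach ($need in 'Receive-As', 'ms-Exch-Store-Admin') {
            $out += Row "$need on $($db.Name)" ($r -contains $need)
        }
    }

    # Send-As on the container (or domain) chosen in the "Send As" step
    if ($SendAsDn) {
        $out += Row "Send-As on $SendAsDn" (@(Rights $SendAsDn) -contains 'Send-As')
    }

    # ApplicationImpersonation role assignment used for EWS calendar access
    $a = Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $Account
    $out += Row 'ApplicationImpersonation assigned' $a

    # Throttling policy bound to the service account's mailbox
    $p = "$((Get-Mailbox $Account).ThrottlingPolicy)"
    $out += Row "Throttling policy is $PolicyName" ($p -like "*$PolicyName")
    $out
}

Test-BesExchangePrep -SendAsDn 'CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>' |
    Format-Table Check, Ok -AutoSize
```

Replace the DN placeholder with the same value used in the "Send As" step (or the domain DN if Workaround 1 was used). The same output doubles as a record of what this service account can do, which is useful when the account is later reviewed or decommissioned.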

 

Local Administrator rights

Add the BESAdmin user to the local "Administrators" group on the BES server.

 

Local Security settings

Grant the following user rights to the "BESAdmin" user on the BES server:
– Log on Locally
– Log on as Service

 

Windows Server 2008 / R2: disable IPv6

IPv6 is currently not supported, see references. If BES is being installed on a separate server from Exchange, disable it.

 

Windows Server 2008 / R2: install Windows Media Format SDK

This will prevent BBConvert events from being generated: Unable To Locate Component : This application has failed to start because WMVCore.DLL was not found. Re-installing the application may fix this problem. (System Log – Event ID 26 – Application Popup)

Windows Server 2008 x64: pkgmgr.exe /ip /m:"%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.0.6001.18000.mum"

Windows Server 2008 x86: pkgmgr.exe /ip /m:"%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~x86~~6.0.6001.18000.mum"

Windows Server 2008 R2: dism.exe /online /norestart /add-package /packagepath:"%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum" /ignorecheck

Windows Server 2008 R2 SP1: dism.exe /online /norestart /add-package /packagepath:"%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum" /ignorecheck

 

Windows Firewall rule to allow remote access to the Administration Service & Webdesktop

Windows Server 2008: netsh firewall add portopening TCP 3443 "BESExpress Management Port"

Windows Server 2008 R2: netsh advfirewall firewall add rule name="BESExpress Management Port" dir=in action=allow protocol=TCP localport=3443

 

References

BlackBerry Knowledge Base: Assign service account permissions for a BlackBerry Enterprise Server for Microsoft Exchange

Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e17e7f31-079a-43a9-bff2-0a110307611e&displaylang=en

Exchange 2010 BES 5.0.x Install Guide
http://www.blackberryforums.com.au/forums/microsoft-exchange/8554-exchange-2010-bes-5-0-x-install-guide.html

BlackBerry Knowledge Base: "Error writing to Database" error message is displayed after the LDAP portion of the BlackBerry Enterprise Server 5.0 installation

Configure the BlackBerry Enterprise Server Express to run without public folders
http://docs.blackberry.com/en/admin/deliverables/14347/Config_Exchange_10_run_wo_public_folders_963029_11.jsp

BlackBerry Enterprise Server support for IPv6
https://bartvdw.wordpress.com/2011/06/23/blackberry-enterprise-server-support-for-ipv6/

BlackBerry Knowledge Base: Firewall and connection requirements for the BlackBerry Enterprise Server


10 Responses to “BlackBerry Enterprise Server (Express) 5.x preparation guide for Exchange 2010/SP1”

  1. Hello Bart,
    We already have Exchange 2010 working with BES Server in our environment. Do I still need to do this if I am just moving my BES Express and SQL DB to another server?

  2. bartvdw said

    Hello Roderick,
    Moving BES Express and SQL DB to another server: depends how you’re planning the move operation? However if using the same BESAdmin account, the user rights on Exchange etc. have already been applied and do not need to be re-applied. Only the BES Express server local stuff needs to be done in that case.

    HTH

  3. Mario Tunes said

    Hello,

    We have one Exchange Organization name and two Exchange sites with different names.

    Each site has CASArray and DAG.

    We are going to install BES 5 Express on each site.

    Is RIM allowed to install two dedicated BES 5 Express servers in one Exchange organization?
    So far as we have only one Exchange organization in two sites, we can create only one Besadmin account.

    Can I install\manage two BES servers in different sites by using one BESadmin account in AD, or should I create two different BESadmin accounts, BESAdmin1 and BESAdmin2?

    Thank you

  4. bartvdw said

    I can’t answer that question from RIM's licensing perspective, but what I do know:
    – 1 Exchange organization with 2 BES installations using same BESAdmin account: it works, no problem there.
    – Regarding the setup with 2 BES installations with 2 different sites: if it’s 1 AD, it should work. I’ve done some migrations using 2 Exchange servers and 2 BES servers without any issues, using the same BESAdmin account.

    HTH

  5. MarioTunes said

    Hello,
    Thank you for your answer.
    I have successfully installed a second stand-alone BES server using Besadmin2 in the same Exchange organization.
    I can provide step-by-step instructions if somebody needs them.
    And I have a question about
    handheldcleanup.exe -u

    When I run it on my second BES server, will only users on the second BES server DB be affected, or all BES users on both servers?

    Thank you

  6. bartvdw said

    Great to hear!
    Regarding the second question: no idea actually as I have never installed 2 BES servers using separate accounts…

  7. Fritz said

    Hi, I need to migrate BES Express users to a new Server 2008 R2. The current environment is Exchange 2010, everything is working 100%, implementing new hardware with new BES Express server, can you please guide me.

    • bartvdw said

      Fritz,

      Follow the guide and you should be fine. You can use your current BESAdmin account and install the new server along the old one. 1 thing I didn’t put here yet is the migration itself. For this, you’ll need the BlackBerry Transporter tool (available on their website). With that tool you can migrate users from BES-A to BES-B.

      If you have questions, don’t hesitate…

  8. Chi said

    We are running BIS 5.0 and Exchange 2003. We are also migrating to Exchange 2010, and envision BES connecting to Exchange 2003 and Exchange 2010 server during coexistence. Can you point me to or provide a step-by-step for adding the second server? So far I have BlackBerry’s excellent article but have left public folders on (http://docs.blackberry.com/en/admin/deliverables/16575/Configuring_Exchange_2010_environ_962756_11.jsp). However, I am looking for something that addresses specifically how to add a second server. Thanks in advance, Chi

    • bartvdw said

      You should be able to simply install it next to the existing one, but give a separate BlackBerry domain name. Make sure permissions for the BESAdmin are set correctly on both sides. To migrate from old to new BES you can download the transporter tool from the BlackBerry website. As 2003 and 2010 are in coexistence, you should be fine. However I would migrate the public folders from 2003 to 2010 from a general point of view.
      HTH
