How to Install BES Express on an Exchange 2010 Single Server
By Ian Matthews, Up & Running Technologies Inc, April 22, 2010, Last Updated April 23, 2010
NOTICE: This information is provided without warranty or guarantee; use at your own risk! Several problems were corrected with the help of the good people at blackberryforums.com and I suggest you use them if you have issues.
Ok, this is going to be long… not hard, but long. You can build a Space Shuttle with fewer steps, but don’t worry… you can do it.
To make this more difficult, the instructions are for BlackBerry Enterprise Server Express on an Exchange 2010 single server running on Windows 2008 R2 64 Bit. Pitter patter, let's get at 'er:
Download and skim the BES “Installation and Configuration Guide” from HERE.
CREATE A “BESADMIN” ACCOUNT
On the computer that hosts Microsoft Exchange, log in using an administrator account that has the permission to create accounts.
Open the Microsoft Exchange Management Console.
Create an account and mailbox that you name BESAdmin.
To permit the BlackBerry® Enterprise Server to check if a BlackBerry device user has permission to access a public folder, assign the Owner permission for all public folders to the administrator account.
ADD PERMISSIONS TO BESADMIN
Open the Microsoft Exchange Management Shell and type each of the following commands:
Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"
Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"
where <domain_1>, <domain_2>, and <domain_3> form the name of the domain. For example, if the domain name is www.example.com, type www for <domain_1>, example for <domain_2>, and com for <domain_3>.
NOTE: If you create a new mailbox database in the future for Microsoft Exchange, repeat the first command (Get-MailboxDatabase | Add-ADPermission ...).
ADD SEND AS PERMISSION
This is apparently not always necessary but it sure was in my case (see THIS for details). Just follow along and if you find that you already have the entries in question, just skip to the next step.
Open ACTIVE DIRECTORY USERS AND COMPUTERS
Select the VIEW menu and ensure ADVANCED FEATURES is checked.
Right mouse click on your domain name and select PROPERTIES
Select the SECURITY tab
Press the ADVANCED button at the bottom on the SECURITY tab
Select ADD and enter your BlackBerry Service Account name (e.g. BESAdmin) and select OK
When the permissions screen appears change the APPLY ONTO drop down to DESCENDANT USER OBJECTS (if you are running on 2003, which this article does not cover, it would be called USER OBJECTS)
In the Permissions box scroll down and check the ALLOW box beside SEND AS and press OK
Press APPLY and OK to exit
REMOVE THE EXCHANGE 2010 “THROTTLING POLICY”
Note that the instructions in the March 2010 version of the Installation and Configuration guide are WRONG… yup, wrong, read THIS if you want more information.
Open an Exchange Shell and type: Get-ThrottlingPolicy | where {$_.IsDefault -eq $true} | Set-ThrottlingPolicy -RCAMaxConcurrency $null
Display a list of your Throttling Policies using the following command: Get-ThrottlingPolicy
From the “Get-ThrottlingPolicy” output locate and copy the “DefaultThrottlingPolicy” name. Example: “DefaultThrottlingPolicy_a1f84187-7a42-4ece-9276-06c704be21e7”
Now enter the command below but paste in your DefaultThrottlingPolicy name: Set-Mailbox "BESAdmin" -ThrottlingPolicy <Default Policy Name>
SET THE MAXIMUM SESSIONS
On the computer that hosts the Microsoft Exchange CAS server, in <drive>:\Program Files\Microsoft\Exchange Server\V14\Bin, in a text editor, open the microsoft.exchange.addressbook.service.exe.config file.
click START, type SERVICES.MSC and Restart the ADDRESS BOOK via
CREATE APPLICATION IMPERSONATION ROLE
Open the Microsoft Exchange Management Shell and type: New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin"
CONFIGURE BES EXPRESS TO RUN WITHOUT EXCHANGE ‘PUBLIC FOLDERS’
Note that I don’t have PUBLIC FOLDERS installed on any of the Exchange servers that I run. I am 95% sure you could skip this step if you DO have PUBLIC FOLDERS.
Click START, type REGEDIT and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Messaging Subsystem
If the CDO registry key does not exist, create a registry key that you name CDO
In the CDO registry key, if the DWORD value does not exist, create a DWORD value that you name: Ignore No PF
Read THIS if you have any questions and make sure your BESAdmin account is NOT a Domain Admin or Enterprise Admin… it must be a LOCAL Admin
Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
Select the Builtin folder.
Double-click Administrators.
On the MEMBERS tab, click the ADD button.
Type BESAdmin and then click Check Names.
Click OK then click Apply then OK.
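An added example (not from the original article or from RIM's guide): a read-only Exchange Management Shell script that audits what the steps above granted to BESAdmin, including the "not a Domain Admin or Enterprise Admin" requirement. The $users DN is a placeholder for the one you used in the Send-As command, and New-Check is a helper defined here.

```powershell
# Added example: read-only audit of the BESAdmin grants. Changes nothing.
# Run in the Exchange Management Shell (written for PowerShell 2.0).
$acct  = "BESAdmin"                        # service account name used on this page
$users = "CN=Users,DC=example,DC=local"    # placeholder: the DN you used for Send-As

function New-Check($Check, $OK, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; OK = [bool]$OK; Detail = "$Detail" }
}

$report = @(
    # Receive-As and ms-Exch-Store-Admin must exist on every mailbox database,
    # including databases created after the original install.
    Get-MailboxDatabase | ForEach-Object {
        $db = $_
        $rights = @(Get-ADPermission -Identity $db.DistinguishedName -User $acct |
            Where-Object { -not $_.Deny } |
            ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" })
        foreach ($r in "Receive-As", "ms-Exch-Store-Admin") {
            New-Check "$r on database $($db.Name)" ($rights -contains $r) ""
        }
    }

    # Send-As on user objects under the container named in the Add-ADPermission step.
    $sendAs = @(Get-ADPermission -Identity $users -User $acct |
        Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like "Send-As") })
    New-Check "Send-As under $users" ($sendAs.Count -gt 0) ""

    # Role group membership and the impersonation role, with its recipient scope.
    $viewOnly = @(Get-RoleGroupMember "View-Only Organization Management" |
        ForEach-Object { $_.Name })
    New-Check "In View-Only Organization Management" ($viewOnly -contains $acct) ""
    $imp = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $acct)
    $scope = ($imp | ForEach-Object { $_.RecipientWriteScope }) -join ","
    New-Check "ApplicationImpersonation assigned" ($imp.Count -gt 0) "scope: $scope"

    # The page requires a local admin that is NOT a Domain or Enterprise Admin.
    # memberOf lists direct group memberships only (no nesting, no primary group).
    $dn = (Get-Mailbox $acct).DistinguishedName
    $memberOf = @(([ADSI]"LDAP://$dn").memberOf)
    foreach ($g in "Domain Admins", "Enterprise Admins") {
        $hit = @($memberOf | Where-Object { $_ -like "CN=$g,*" })
        New-Check "Not a direct member of $g" ($hit.Count -eq 0) ""
    }
)
$report | Format-Table Check, OK, Detail -AutoSize
```

Any row with OK = False points at the step to revisit; if you granted Send As at the domain root through Active Directory Users and Computers instead, set $users to the domain DN.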
LOG IN AS BESADMIN
Using ACTIVE DIRECTORY USERS AND COMPUTERS, reset the BESAdmin password to something you like
Log off
Log into the server using the BESADMIN credentials
TEST YOUR PROGRESS
This step did not go well for me but I think it was because I was running it under my typical Domain Admin login rather than the BESADMIN account. The screen shot to the right was actually taken after I had completed the BES Express install but according to the docs, this is where you are supposed to try it. The bottom line is don't panic if it doesn't work.
The BlackBerry Enterprise Server requires permission to access each BlackBerry device user's mailbox to process email messages. The IEMSTest.exe tool runs a test to verify whether the Windows account has the Send As permission in Microsoft® Exchange so that the BlackBerry Enterprise Server can access user accounts. The IEMSTest.exe tool does not verify whether the BlackBerry Enterprise Server can send email messages on behalf of a BlackBerry device user.
Copy the BlackBerry Enterprise Server installation files to your desktop (or anywhere else you like 🙂 )
Extract the contents to a folder on the computer
Click START, type CMD
Through the command line, navigate to the <extracted_folder>\TOOLS folder
Type IEMSTEST
Create a profile if asked
In the Profile Name drop-down list, select the profile names for the user accounts and click OK
In the left pane, select the user accounts that you want to check
Click SELECT and click OK
When you are done, you can close the CMD/DOS box
GENTLEMEN: START YOUR ENGINES
From the extracted files above double click SETUP
Agree with the first few windows and select the obvious choices including INSTALL SQL 2005 SP3.
Mouse over each of these screens for more details on time delays and issues I had
The CAL SRP, Key page I found to be even more frustrating than the rest of the install because it used terms which do not match the terms RIM emails to you. So here is the info:
• SRP IDENTIFIER = Serial Number: S7419XXXX
• SRP AUTHENTICATION KEY = License Key: bu7v-we76-XXXX-XXXX…
• nothing = CAL ID: C0007439625
• KEY = CAL Authentication Key: besexp-b3qXXX-XXXXXX-XX…
You may not see these next screens because I have adjusted my instructions above to hopefully avoid them. If you do see these, you might want to recheck step 4 above (and remember you have to be signed in as domain admin to see ACTIVE DIRECTORY USERS AND COMPUTERS so you are going to have to SWITCH USER). In the end I just skipped past this message and dealt with it (as in step 4) after the install.
And let's get back on track:
LOGIN TO BAS – BLACKBERRY ADMINISTRATION SERVICE
Surf to:
https://<your host name>.<your domain>.local:3443/webdesktop/login
https://<your host name>.<your domain>.LOCAL:3443/webconsole/login
Before you even sign in, add the site to your TRUSTED ZONE
Trust and install the certificate to eliminate the cert errors
Done. Now all you have to do is figure out how to use it… no biggie!