I originally wrote this BES setup guide for a friend’s blog at his request. Here it is now on mine for your viewing pleasure! 🙂
This guide goes over how to install BlackBerry Enterprise Server or Blackberry Professional Software Express (the free version of BES). Surprisingly, a lot of people run into trouble installing a BES server because of the many steps and prerequisites you have to go through. You really need to have experience installing and troubleshooting a BES extensively to have a fast successful deployment. I have written this Blackberry Server Install Guide to help anyone install a BES successfully. If you run into any issues, feel free to post a comment and I’ll reply to you.
—–
BES Install Prerequisites:
-Set aside between 45 minutes to 2 hours to allow yourself time to install all pre-reqs and then install and configure the BES server. You will need to reboot the server so make sure you have scheduled downtime on the server.
-Verify you have the correct Blackberry server software, Licenses, and SRP identifier. If not, call RIM.
-Verify that you are not blocking outbound ports in your organization. If you are, you need to make sure TCP port 3101 is allowed outbound from the server you intend to install the BES on. Your BES will communicate to RIM’s servers using this port. YOU DO NOT need to allow port 3101 inbound to your server.
-Verify that your Exchange Server has SP2 (Service Pack 2) applied.
-If you are installing BES on a member server (which is the best pratice), make sure Exchange System Manager has been installed on it.
-Make sure Outlook is not installed on the same server as the BES. A lot of small businesses with SBS 2003 install Outlook on the server. Uninstall it if you plan to install a BES on an SBS server.
-Install the latest Microsoft Data Access Components (MDAC) from Microsoft:
http://msdn2.microsoft.com/en-us/data/aa937730.aspx
-If you have already installed your SQL server, make sure the BESAdmin account has Server Administrator and Database Creator permission to the database instance.
-Make sure your spam firewall has white listed emails from *.blackberry.net. I have seen over aggressive spam firewalls blocking emails required for Enterprise Activation because of .dat attachments in the message.
–Optional: Verify TCP port 4101 is allowed to communicate outbound. This port is used by Blackberry Desktop Manager to do a serial bypass for least cost routing. It is not necessary to open this port unless you need this feature.
—–
Now onto the actual install!
1. Login to your server using a Domain Admin account and create a new user called BESAdmin (and make sure you create a mailbox when you create the account). DO NOT ever use the default Administrator account with a BES. You must create a service account.
2. Verify the BESAdmin user is part of the Domain Users group only. It is not necessary to give the account Domain Admin privileges since we are going to give the account local login access in the next steps but you can give it DA access if you want. It’s best practice to leave the account as a Domain User because you always want to give an account just enough permissions to perform it’s function. Also you have to go back and check Send As/Receive As rights if you give it DA access because they are usually set to deny.
3. Now make the BESAdmin a local admin on the server.
On a Domain Controller or SBS server – This is done in AD via the “Built-in Administrators” group
On a member server – This is done by right mouse clicking My Computer and selecting Manage. From Computer Management expand “Local Users & Groups” and select Groups. From Groups double click “Administrators” and add the BESAdmin account.
4. Now give BESAdmin local rights:
On a Domain Controller or SBS server – “Domain Controller Security Policy” and expand the “Local Policies” and “User Right Assignment”. You need to add BESAdmin to “Log on Locally” and “log on as Service”.
On a member server – “Local Security Policy” and expand the “Local Policies” and “User Right Assignment”. You need to add BESAdmin to “Log on Locally” and “Log on as Service”.
5. Open up Exchange System Manager (ESM) and right click the root “YourDomain (Exchange)”. Click on Delegate Control and add the BESAdmin account as an Exchange View Only Administrator.
6. Drill down in Exchange System Manager until you get to your server name. Right click on the server name and hit properties. Now click the Security tab. Add the BESAdmin account and the following permissions:
a. Administer information store
b. Receive As
c. Send As
7. Open up Active Directory and in the top Menu bar, select “View” and then click on “Advanced Features”. Now go to each user you want to add to the BES server and double click on them. Go to the “Security” tab and add the BESAdmin user. Give the BESAdmin account “Send As’ rights.
8. Logout of the server. Now log back in as the BESAdmin user. Now you can begin the BES server installation. You want to select the “Blackberry Enterprise Server” option. Just double-click on the executable and go through the wizard. Accept all agreements and begin the install. Half way through, it will tell you to reboot. Once the server reboots, you can log back in as the BESAdmin and the installer will automatically start back up and continue the install.
9. Once you get to the database portion of the install, make sure to leave the default name of “BESMgmt” as the database name. You may need to create a new SQL instance for the BES server if you already have other names SQL instances running. Do not put it under once of these are instances. The BES server should run under it’s own SQL instance if at all possible.
10. When you get to the screen to enter the license, just copy and paste it exactly as RIM gave you. Then copy and paste the SRP identifier and SRP authentication key and make sure to Test your connection. If you cannot connect, verify TCP port 3101 is allowed to connect outbound. A simple test is to open a command prompt and type:
telnet srp.us.blackberry.net 3101
If your command prompt goes to a black screen, then you are able to connect.
11. Once the install is done, open up Blackberry Manager. You will get an error saying no MAPI profile has been chosen. Hit okay and type in the name of your server and choose the “BESAdmin” account. Hit “Check Name” and then press OK.
12. Now Blackberry Manager will open up. On the right hand side, you should see that the SRP status is “Connected”. If it is not connected, wait a few minutes and then refresh.
13. Once you verify you have an SRP connection, you can begin adding users. I prefer to use Wireless activation for all handhelds. Just user the Add User wizard in the left hand column to add the user.
14. The user will get an email in his mailbox. Just have the user open Outlook and verify the email has been received from BESAdmin and contains an activation password. The user just needs to go to Enterprise Activation on his/her handheld and type in their email address and this password to activate their account on their handheld. It can take anywhere up to 5 minutes or more to complete an activation depending on the user’s mailbox and speed of connection to their provider’s data network.
NOTE: If the user was using BIS, you may need to wipe the handheld before doing an Enterprise Activation with your new BES server. Otherwise the BIS service books will cause activation to fail.
Always make sure that the date and time are set correctly, the time zone is set to the correct time zone (handhelds default to Casablanca usually), and that the top write corner of the handheld says “EDGE”, “GPRS”, or “3G” in call capital letters and not lowercase.
15. The handheld will tell you when Enterprise Activation is complete. On a new activation (as in this is the first time that particular phone has been added to the BES), it will pull down 14 days worth of email onto the phone. If you had previously had the phone on the BES and you removed it and are reading it, it will not pull down all your old email. Just keep this in mind when doing Enterprise Activations.
Additional Notes:
-If the user you are adding to the BES is a Domain Admin, you can get them on the BES and their handheld will work for a little while but then it will stop sending email after about an hour. I have seen this happen time and time again when I “inherit” a BES server at a new client. This is because your Send As permission for Domain Admins will revert on the Exchange server unless you explicitly edit the ACL to allow for it. Run the following script from a command prompt using the DsAcls tool on your server after installing Windows Server 2003 Support Tools (http://technet.microsoft.com/en-us/library/cc755938.aspx):
dsacls “cn=AdminSDHolder,cn=System,dc=Yourdomain,dc=local” /G “Yourdomain.local\BESAdmin:CA;Send As”
Fore more info on this, view KB 907434 from Microsoft at http://support.microsoft.com/kb/907434
You can also enable inheritance on the adminSDHolder container by:
1. Right clicking the container and choosing Properties in Active Directory.
2. Click the Security tab.
3. Click Advanced.
4. Click to select the Allow Inheritable permissions to propagate to this object and all child objects check box .
5. Click OK, and then click Close.
After enabling inheritance on AdminSDholder container, make sure the BESAdmin account is still present on the user account in AD you are adding to the BES with the Send As permission. Wait for Exchange to replicate these permissions (normally takes 20 minutes to 2 hrs) or you can just restartyour Information Store and it should come into effect immediately.
-If you are having trouble activating a device wirelessly, your BES server has tools on it to help your troubleshoot. Run the following tool to test for connectivity:
C:\Program Files\Research In Motion BlackBerry Enterprise Server\Utility\BBSrpTest.exe
-By default, a user’s deletions on his/her handheld are not synched with Outlook. You either have to set the reconciliation on the handheld or you can set it for all users on the Blackberry server itself. RIM has it set this way by default so users don’t accidentally delete important emails on their handhelds. I never change the default unless the user specifically requests it and I only change it on the Blackberry server itself if the point of contact at the organization approves it.
-Blackberry Professional Software Express (aka BPS, BPSE, replacement for BES Express) does not support HTML rendering yet. Only full blown BES supports it starting with SP6 which was released last year. HTML rendering is a pretty new feature so it will eventually trickle down to Professional. Just make sure the user’s phone is running OS version 4.5 and when they release the SP, it should work just fine.
If you ever run into any issues with your Blackberry Enterprise Server and need some help, feel free to contact me or post here and I’ll reply as soon as I can.
Jason Samuel is a visionary product leader and trusted advisor with a proven track record of shaping strategy and driving technology innovation. With extensive expertise in enterprise end-user computing, security, cloud, automation, and virtualization technologies, Jason has become a globally recognized authority in the IT industry. His career spans consulting for hundreds of Fortune 500 enterprises across diverse business sectors worldwide, delivering cutting-edge digital solutions from Citrix, Microsoft, VMware, Amazon, Google, and NVIDIA that seamlessly balance security with exceptional user experiences.
Jason’s leadership is amplified by his dedication to knowledge-sharing as an author, speaker, podcaster, and mentor within the global IT and technology community. Recognized with numerous prestigious awards, Jason’s contributions underscore his commitment to advancing technology and empowering organizations to achieve transformative results. Follow him on LinkedIn.
Vernon Maxwell
February 21, 2009 at 4:40 PM
Nice posting, good read
Fabio
November 5, 2009 at 12:34 PM
Hi
Thank you for the info above
I have a SBS 2003 server with ISA 2004 and exchange 2003 loaded. I have installed BPS on it everything seems to work correctly except for the activation part I send the activation mail to the device 8310 click on the setup wizard to create a new email account, select Enterprise install – insert the email address and the key that was generated. It tells me that its activating but does nothing. I run the monitor on isa to see if any traffic comes from the device and nothing. What port is it supposed to come in on?
I would really appreciate some insight
Thanking you in advance
Jason
November 5, 2009 at 1:35 PM
Hi Fabio,
First verify that you have a good connection to the SRP (just go the main page and verify it says “Connected”). Then make sure port 3101 is allowed outbound on the ISA server. You must create a new outbound TCP rule on the ISA from the BES server IP to all external. Also verify there are no other firewalls in your organization that may be between the two that could possibly be blocking outbound on this port.
Have you tried telneting to the SRP like I show above? You can also use the bbsrptest tool to check connectivity. It is located in your install path at “C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Utility”.
Let me know if this works for you.
Jason
Fabio
November 5, 2009 at 2:21 PM
@Jason
Hi
Many Thanks For the prompt reply
I have checked the following previously, my apologies for not adding it to the initial question.
SRP status is Connected
Port 3101 is enabled through ISA
Bbsrptest works 100%
From what I understand the validation process is a mail that is sent back to the server?
Its almost as if the blackberry device cannot get the mail to the server or doesn’t recognise it
Jason
November 5, 2009 at 3:14 PM
Excellent. This is not related to the SRP or ISA at all then. This is because the BESAdmin account does not have the correct permissions to the user’s mailbox you are trying to add. You are correct, a validation email will be sent to the user from the BESAdmin email account. But this all takes please on the Exchange server and nothing ever goes out and back in through your ISA server. If it isn’t working, it is because of permissions. Look at the Blackberry server logs and you can verify this.
Here is a test you can do. Go to “https://localhost/exchange” and log into OWA using the BESAdmin account. Then in the address bar, change the URL to “https://localhost/exchange/nameofuser” and press enter. You should now be viewing the user’s mailbox that you are trying to add to the BES server. If you get an error, then this means you do not have Read privilges to the mailbox.
Remember, the BESAdmin needs to have access in Exchange & AD in 3 places:
1. To the root (see #5 in the guide)
2. To the information store (see #6 in the guide)
3. To the user or OU (see #7 in the guide)
Also please verify that the user you are trying to add is not a Domain Admin or Power User. If they are, you are going to have to apply the permissions to the AdminSDholder in the bottom part of the guide.
Jason
TheWorldBB
May 10, 2011 at 4:58 AM
Nice job visit my site please…..
bbthemesx.blogspot.com