I originally wrote this BES setup guide for a friend’s blog at his request. Here it is now on mine for your viewing pleasure!
This guide goes over how to install BlackBerry Enterprise Server or Blackberry Professional Software Express (the free version of BES). Surprisingly, a lot of people run into trouble installing a BES server because of the many steps and prerequisites you have to go through. You really need to have experience installing and troubleshooting a BES extensively to have a fast successful deployment. I have written this Blackberry Server Install Guide to help anyone install a BES successfully. If you run into any issues, feel free to post a comment and I’ll reply to you.
BES Install Prerequisites:
-Set aside between 45 minutes to 2 hours to allow yourself time to install all pre-reqs and then install and configure the BES server. You will need to reboot the server so make sure you have scheduled downtime on the server.
-Verify you have the correct Blackberry server software, Licenses, and SRP identifier. If not, call RIM.
-Verify that you are not blocking outbound ports in your organization. If you are, you need to make sure TCP port 3101 is allowed outbound from the server you intend to install the BES on. Your BES will communicate to RIM’s servers using this port. YOU DO NOT need to allow port 3101 inbound to your server.
-Verify that your Exchange Server has SP2 (Service Pack 2) applied.
-If you are installing BES on a member server (which is the best pratice), make sure Exchange System Manager has been installed on it.
-Make sure Outlook is not installed on the same server as the BES. A lot of small businesses with SBS 2003 install Outlook on the server. Uninstall it if you plan to install a BES on an SBS server.
-Install the latest Microsoft Data Access Components (MDAC) from Microsoft:
-If you have already installed your SQL server, make sure the BESAdmin account has Server Administrator and Database Creator permission to the database instance.
-Make sure your spam firewall has white listed emails from *.blackberry.net. I have seen over aggressive spam firewalls blocking emails required for Enterprise Activation because of .dat attachments in the message.
-Optional: Verify TCP port 4101 is allowed to communicate outbound. This port is used by Blackberry Desktop Manager to do a serial bypass for least cost routing. It is not necessary to open this port unless you need this feature.
Now onto the actual install!
1. Login to your server using a Domain Admin account and create a new user called BESAdmin (and make sure you create a mailbox when you create the account). DO NOT ever use the default Administrator account with a BES. You must create a service account.
2. Verify the BESAdmin user is part of the Domain Users group only. It is not necessary to give the account Domain Admin privileges since we are going to give the account local login access in the next steps but you can give it DA access if you want. It’s best practice to leave the account as a Domain User because you always want to give an account just enough permissions to perform it’s function. Also you have to go back and check Send As/Receive As rights if you give it DA access because they are usually set to deny.
3. Now make the BESAdmin a local admin on the server.
On a Domain Controller or SBS server – This is done in AD via the “Built-in Administrators” group
On a member server – This is done by right mouse clicking My Computer and selecting Manage. From Computer Management expand “Local Users & Groups” and select Groups. From Groups double click “Administrators” and add the BESAdmin account.
4. Now give BESAdmin local rights:
On a Domain Controller or SBS server – “Domain Controller Security Policy” and expand the “Local Policies” and “User Right Assignment”. You need to add BESAdmin to “Log on Locally” and “log on as Service”.
On a member server – “Local Security Policy” and expand the “Local Policies” and “User Right Assignment”. You need to add BESAdmin to “Log on Locally” and “Log on as Service”.
5. Open up Exchange System Manager (ESM) and right click the root “YourDomain (Exchange)”. Click on Delegate Control and add the BESAdmin account as an Exchange View Only Administrator.
6. Drill down in Exchange System Manager until you get to your server name. Right click on the server name and hit properties. Now click the Security tab. Add the BESAdmin account and the following permissions:
a. Administer information store
b. Receive As
c. Send As
7. Open up Active Directory and in the top Menu bar, select “View” and then click on “Advanced Features”. Now go to each user you want to add to the BES server and double click on them. Go to the “Security” tab and add the BESAdmin user. Give the BESAdmin account “Send As’ rights.
8. Logout of the server. Now log back in as the BESAdmin user. Now you can begin the BES server installation. You want to select the “Blackberry Enterprise Server” option. Just double-click on the executable and go through the wizard. Accept all agreements and begin the install. Half way through, it will tell you to reboot. Once the server reboots, you can log back in as the BESAdmin and the installer will automatically start back up and continue the install.
9. Once you get to the database portion of the install, make sure to leave the default name of “BESMgmt” as the database name. You may need to create a new SQL instance for the BES server if you already have other names SQL instances running. Do not put it under once of these are instances. The BES server should run under it’s own SQL instance if at all possible.
10. When you get to the screen to enter the license, just copy and paste it exactly as RIM gave you. Then copy and paste the SRP identifier and SRP authentication key and make sure to Test your connection. If you cannot connect, verify TCP port 3101 is allowed to connect outbound. A simple test is to open a command prompt and type:
telnet srp.us.blackberry.net 3101
If your command prompt goes to a black screen, then you are able to connect.
11. Once the install is done, open up Blackberry Manager. You will get an error saying no MAPI profile has been chosen. Hit okay and type in the name of your server and choose the “BESAdmin” account. Hit “Check Name” and then press OK.
12. Now Blackberry Manager will open up. On the right hand side, you should see that the SRP status is “Connected”. If it is not connected, wait a few minutes and then refresh.
13. Once you verify you have an SRP connection, you can begin adding users. I prefer to use Wireless activation for all handhelds. Just user the Add User wizard in the left hand column to add the user.
14. The user will get an email in his mailbox. Just have the user open Outlook and verify the email has been received from BESAdmin and contains an activation password. The user just needs to go to Enterprise Activation on his/her handheld and type in their email address and this password to activate their account on their handheld. It can take anywhere up to 5 minutes or more to complete an activation depending on the user’s mailbox and speed of connection to their provider’s data network.
NOTE: If the user was using BIS, you may need to wipe the handheld before doing an Enterprise Activation with your new BES server. Otherwise the BIS service books will cause activation to fail.
Always make sure that the date and time are set correctly, the time zone is set to the correct time zone (handhelds default to Casablanca usually), and that the top write corner of the handheld says “EDGE”, “GPRS”, or “3G” in call capital letters and not lowercase.
15. The handheld will tell you when Enterprise Activation is complete. On a new activation (as in this is the first time that particular phone has been added to the BES), it will pull down 14 days worth of email onto the phone. If you had previously had the phone on the BES and you removed it and are reading it, it will not pull down all your old email. Just keep this in mind when doing Enterprise Activations.
-If the user you are adding to the BES is a Domain Admin, you can get them on the BES and their handheld will work for a little while but then it will stop sending email after about an hour. I have seen this happen time and time again when I “inherit” a BES server at a new client. This is because your Send As permission for Domain Admins will revert on the Exchange server unless you explicitly edit the ACL to allow for it. Run the following script from a command prompt using the DsAcls tool on your server after installing Windows Server 2003 Support Tools (http://technet.microsoft.com/en-us/library/cc755938.aspx):
dsacls “cn=AdminSDHolder,cn=System,dc=Yourdomain,dc=local” /G “Yourdomain.local\BESAdmin:CA;Send As”
Fore more info on this, view KB 907434 from Microsoft at http://support.microsoft.com/kb/907434
You can also enable inheritance on the adminSDHolder container by:
1. Right clicking the container and choosing Properties in Active Directory.
2. Click the Security tab.
3. Click Advanced.
4. Click to select the Allow Inheritable permissions to propagate to this object and all child objects check box .
5. Click OK, and then click Close.
After enabling inheritance on AdminSDholder container, make sure the BESAdmin account is still present on the user account in AD you are adding to the BES with the Send As permission. Wait for Exchange to replicate these permissions (normally takes 20 minutes to 2 hrs) or you can just restartyour Information Store and it should come into effect immediately.
-If you are having trouble activating a device wirelessly, your BES server has tools on it to help your troubleshoot. Run the following tool to test for connectivity:
C:\Program Files\Research In Motion BlackBerry Enterprise Server\Utility\BBSrpTest.exe
-By default, a user’s deletions on his/her handheld are not synched with Outlook. You either have to set the reconciliation on the handheld or you can set it for all users on the Blackberry server itself. RIM has it set this way by default so users don’t accidentally delete important emails on their handhelds. I never change the default unless the user specifically requests it and I only change it on the Blackberry server itself if the point of contact at the organization approves it.
-Blackberry Professional Software Express (aka BPS, BPSE, replacement for BES Express) does not support HTML rendering yet. Only full blown BES supports it starting with SP6 which was released last year. HTML rendering is a pretty new feature so it will eventually trickle down to Professional. Just make sure the user’s phone is running OS version 4.5 and when they release the SP, it should work just fine.
If you ever run into any issues with your Blackberry Enterprise Server and need some help, feel free to contact me or post here and I’ll reply as soon as I can.