How to Install BES Express On an Exchange 2010 Single Server
By Ian Matthews, Up & Running Technologies Inc, April 22, 2010,
Last Updated April 23, 2010
NOTICE: This information is provided without warranty
or guarantee; use at your own risk!
Several problems were corrected with the help of the good people at
blackberryforums.com, and I suggest you use them if you have issues.
Ok, this is going to be long... not hard, but long. You can
build a Space Shuttle with fewer steps, but don't worry... you can do
it.
To make this more difficult, the instructions are for Blackberry
Enterprise Server Express on an Exchange 2010 Single Server running on R2 of
Windows 2008 64 Bit. Pitter patter, let's get at 'er:
- Download and skim the BES "Installation and Configuration Guide" from HERE.
- CREATE A "BESADMIN" ACCOUNT
- On the computer that hosts Microsoft Exchange, log in using
an administrator account that has the permission to create
accounts.
- Open the Microsoft Exchange Management Console.
- Create an account and mailbox that you name BESAdmin.
- To permit the BlackBerry® Enterprise Server to check if a
BlackBerry device user has permission to access a public folder,
assign the Owner permission for all public folders to the
administrator account.
- ADD PERMISSIONS TO BESADMIN
- Open the Microsoft Exchange Management Shell and type:
Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"
Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"
where <domain_1>, <domain_2>, and <domain_3> form the name of
the domain.
For example, if the domain name is www.example.com, type www for
<domain_1>, example for <domain_2>, and com for <domain_3>.
NOTE: If you create a new mailbox database in the future for
Microsoft Exchange, repeat the first bullet.
- ADD SEND AS PERMISSION
- This is apparently not always necessary but it sure was in
my case (see THIS for details). Just follow along and if you find that you
already have the entries in question, just skip to the next
step.
- Open ACTIVE DIRECTORY USERS AND COMPUTERS
- Select the VIEW menu and ensure ADVANCED FEATURES is
checked.
- Right mouse click on your domain name and select
PROPERTIES
- Select the SECURITY tab
- Press the ADVANCED button at the bottom on the SECURITY tab
- Select ADD and enter your Blackberry Service Account name
(e.g. BESAdmin) and select OK
- When the permissions screen appears change the APPLY
ONTO drop down to DESCENDANT USER OBJECTS (if you are
running on 2003, which this article does not cover, it would be
called USER OBJECTS)
- In the Permissions box scroll down and check the ALLOW
box beside SEND AS and press OK
- Press APPLY and OK to exit
- REMOVE THE EXCHANGE 2010 "THROTTLING POLICY"

- Note that the instructions in the March 2010 version of the
Installation and Configuration guide are WRONG... yup, wrong,
read THIS if you want more information.
- Open an Exchange Shell and type:
Get-ThrottlingPolicy | where {$_.IsDefault -eq $true} | Set-ThrottlingPolicy -RCAMaxConcurrency $null
- Display a list of your Throttling Policies using the
following command:
Get-ThrottlingPolicy
- From the "Get-ThrottlingPolicy" output locate and copy the
"DefaultThrottlingPolicy" name. Example:
"DefaultThrottlingPolicy_a1f84187-7a42-4ece-9276-06c704be21e7"
- Now enter the command below but paste in your
DefaultThrottlingPolicy name.
Set-Mailbox "BESAdmin" -ThrottlingPolicy <Default Policy Name>
- SET THE MAXIMUM SESSIONS
- On the computer that hosts the Microsoft Exchange CAS
server, in <drive>:\Program Files\Microsoft\Exchange
Server\V14\Bin, in a text editor, open the
microsoft.exchange.addressbook.service.exe.config file.
- Change the value of the MaxSessionsPerUser key to 100000.

- Save and close the file.
- Click START, type SERVICES.MSC and Restart the ADDRESS BOOK via

- CREATE APPLICATION IMPERSONATION ROLE
- Open the Microsoft Exchange Management Shell and type:
New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin"
- CONFIGURE BES EXPRESS TO RUN WITHOUT EXCHANGE 'PUBLIC FOLDERS'
- Note that I don't have PUBLIC FOLDERS installed on any of
the Exchange servers that I run. I am 95% sure you could
skip this step if you DO have PUBLIC FOLDERS.
- Click START, type REGEDIT and navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Messaging Subsystem
- If the CDO registry key does not exist, create a registry
key that you name CDO

- In the CDO registry key, if the DWORD value does not
exist, create a DWORD value that you name: Ignore No PF
- Change the DWORD value to 1
- INSTALL MAPI and CDO
- Download it from
HERE
- Install it on the server.
- SET BESADMIN TO BE A LOCAL ADMIN ON YOUR SERVER

- Read THIS if you have any questions and make sure your BESAdmin
account is NOT a Domain Admin or Enterprise Admin... must be a
LOCAL Admin
- Click Start > Programs > Administrative Tools > Active
Directory Users and Computers.
- Select the Builtin folder.
- Double-click Administrators.
- On the MEMBERS tab, click the ADD button.
- Type BESAdmin and then click Check Names.
- Click OK then click Apply then OK.
- LOG IN AS BESADMIN
- Using ACTIVE DIRECTORY USERS AND COMPUTERS, reset the
BESAdmin password to something you like
- Log off
- Log into the server using the BESADMIN credentials
- TEST YOUR PROGRESS
- This step did not go well for me but I think it was because
I was running it under my typical Domain Admin login rather than
the BESADMIN account. The screen shot to the right was
actually taken after I had completed the BES Express install
but according to the docs, this is where you are supposed to try
it. The bottom line is don't panic if it doesn't work.
- The BlackBerry Enterprise Server requires permission to
access each BlackBerry device user's mailbox to process email
messages. The IEMSTest.exe tool runs a test to verify whether
the Windows account has the Send As permission in Microsoft®
Exchange so that the BlackBerry Enterprise Server can access
user accounts. The IEMSTest.exe tool does not verify whether the
BlackBerry Enterprise Server can send email messages on behalf
of a BlackBerry device user
- Copy the BlackBerry Enterprise Server installation files to
your desktop (or anywhere else you like :) )
- Extract the contents to a folder on the computer
- Click START, type CMD
- Through the command line, navigate to
<extracted_folder>\TOOLS folder
- type IEMSTEST
- create a profile if asked
- In the Profile Name drop-down list, select the profile names
for the user accounts and click OK
- In the left pane, select the user accounts that you want to
check
- Click SELECT and click OK
- When you are done, you can close the CMD/DOS box
- GENTLEMEN: START YOUR ENGINES
- From the extracted files above double click SETUP
- Agree with the first few windows and select the obvious
choices including INSTALL SQL 2005 SP3.
- Mouse over each of these screens for more details on time
delays and issues I had
- The CAL SRP, Key page I found to be even more frustrating
than the rest of the install because it used terms which do not
match the terms RIM emails to you. So here is the info:
• SRP IDENTIFIER = Serial Number: S7419XXXX
• SRP AUTHENTICATION KEY = License Key: bu7v-we76-XXXX-XXXX...
• nothing = CAL ID: C0007439625
• KEY = CAL Authentication Key: besexp-b3qXXX-XXXXXX-XX...

- You may not see these next screens because I have adjusted
my instructions above to hopefully avoid them. If you do
see these, you might want to recheck step 4 above (and remember
you have to be signed in as domain admin to see ACTIVE DIRECTORY
USERS AND COMPUTERS so you are going to have to SWITCH USER).
In the end I just skipped past this message and dealt with it
(as in step 4) after the install.

- and let's get back on track:

- LOGIN TO BAS - BLACKBERRY ADMINISTRATION SERVICE
- surf to:
https://<your host name>.<your domain>.local:3443/webdesktop/login
https://<your host name>.<your domain>.LOCAL:3443/webconsole/login
- before you even sign in, add the site to your TRUSTED ZONE
- Trust and Install the Certificate to eliminate the cert
errors

- Done. Now all you have to do is figure out how to use
it... no biggie!
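
To review what the BESAdmin account ended up with once the permission, throttling, impersonation, group and registry steps above are done, the following read-only check can be run; it is an added example, not part of the original article or of RIM's tooling. It assumes the account is named BESAdmin, the ActiveDirectory PowerShell module is available on the server, and it is run in the Exchange Management Shell under an administrator account rather than as BESAdmin.

```powershell
# Added audit example (not from the original article). Read-only: it changes nothing.
$svc = "BESAdmin"   # service account name used on this page

# 1. Store rights from ADD PERMISSIONS: expect Receive-As and
#    ms-Exch-Store-Admin on every mailbox database, none marked Deny.
Get-MailboxDatabase | Get-ADPermission -User $svc |
    Where-Object { $_.ExtendedRights } |
    Format-Table Identity, ExtendedRights, Deny, IsInherited -AutoSize

# 2. Send-As on descendant user objects of CN=Users. The domain DN is read
#    from RootDSE instead of being typed by hand.
$root     = [ADSI]"LDAP://RootDSE"
$domainDn = "$($root.defaultNamingContext)"
Get-ADPermission -Identity "CN=Users,$domainDn" -User $svc |
    Where-Object { $_.ExtendedRights } |
    Format-Table ExtendedRights, InheritanceType, InheritedObjectType, Deny -AutoSize

# 3. RBAC: lists direct and role-group assignments. Expect the "BES Admin EWS"
#    ApplicationImpersonation assignment plus View-Only Organization Management roles.
Get-ManagementRoleAssignment -RoleAssignee $svc |
    Format-Table Name, Role, RoleAssigneeName, RecipientWriteScope -AutoSize

# 4. Throttling: which policy the mailbox uses and each policy's RCA limit.
#    A blank RCAMaxConcurrency means no limit, and the default policy also
#    applies to every mailbox that has no policy of its own.
Get-Mailbox $svc | Format-List Name, ThrottlingPolicy
Get-ThrottlingPolicy | Format-Table Name, IsDefault, RCAMaxConcurrency -AutoSize

# 5. Group membership: the page says the account must not be a Domain Admin
#    or Enterprise Admin. Only direct memberships are listed here.
Import-Module ActiveDirectory
$groups    = Get-ADPrincipalGroupMembership $svc | Select-Object -ExpandProperty Name
$forbidden = "Domain Admins", "Enterprise Admins"
$hits      = @($groups | Where-Object { $forbidden -contains $_ })
if ($hits.Count -gt 0) {
    Write-Warning "$svc is a member of: $($hits -join ', ')"
} else {
    Write-Host "$svc is not a direct member of Domain Admins or Enterprise Admins."
}

# 6. The 'Ignore No PF' DWORD from the PUBLIC FOLDERS step.
$cdo = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Messaging Subsystem\CDO"
$val = Get-ItemProperty -Path $cdo -Name "Ignore No PF" -ErrorAction SilentlyContinue
if ($val) { "Ignore No PF = $($val.'Ignore No PF')" } else { "Ignore No PF is not set" }
```

Keeping the output alongside the install notes gives a baseline to compare against later, so any right that appears beyond the ones these steps grant stands out.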