Below is the information from a post in the BlackBerry Forums. I used it, so I thought it would be worthwhile to file it:
Note: In an Exchange 2010 environment BlackBerry Enterprise Server should NOT be installed on the mail server. Also before installing BES you MUST have public folders enabled and have an Offline Address book configured in Exchange 2010.
On the server you have selected to load BlackBerry Enterprise Server, download and install "Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1" (Exchange 2010 requires version 6.5.8147 or higher and Exchange 2010 SP1 requires version 6.5.8211.0 or higher), which is available from the Microsoft Download site (a.k.a. ExchangeMapiCdo.EXE). This will install the CDO and MAPI DLLs, which are a prerequisite for BES to operate correctly. This replaces the previous requirement to have Exchange System Manager installed in Exchange 2000 or 2003 environments. The current download link is as follows: Download details: Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1
Log onto your Exchange Server using an account which has permissions to create a new account. Open the Exchange Management Console and create a new account and mailbox for a user called BESadmin.
From the Exchange 2010 server open the "Exchange Management Shell", which can be found in the Exchange program group, and run the following two scripts to set the required delegate control and permissions:
Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"
Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
Now you need to set the Send As permissions using the command below:
Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"
Example: Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=bbforums,DC=local"
Note: It is common for this command to fail with the error below. If this error appears, use the workaround listed under the error.
Active Directory operation failed on Domain ***Controller Name***. This error is not retriable. Additional information: Access is
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : DA172DD1,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
Assign Send As permissions to all users via Active Directory
1. Open Active Directory.
2. Select the “View” menu and ensure “Advanced Features” is checked.
3. Right mouse click on your domain name and select Properties
4. Select the Security tab
5. Press the Advanced button at the bottom on the security tab
6. Select “Add” and enter your Blackberry Service Account name (e.g. BESadmin) and select OK
7. When the permissions screen appears change “Apply onto:” to “User Objects” (or “Descendant User Objects” on Server 2008)
8. In the permissions box scroll down and check the Allow box beside “Send As” and press OK
9. Press Apply and OK to exit
Individually assign Send As permissions to a user via the Exchange Management Shell:
Add-ADPermission "BES User Mailbox Name" -User "Domain\BESadmin" -Extendedrights "Send As"
Example: Add-ADPermission "Gary Cutri" -User "Domain\BESadmin" -Extendedrights "Send As"
We need to turn off client throttling in Microsoft Exchange 2010 as it enforces bandwidth limits which will affect the BlackBerry Server. To do this run the following three commands from the Exchange Management Shell.
New-ThrottlingPolicy BESPolicy
Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null
Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy
If the Microsoft Exchange Server is 2010 SP1, complete the following steps:
New-ThrottlingPolicy BESPolicy -CPAMaxConcurrency $NULL -CPAPercentTimeInCAS $NULL -CPAPercentTimeInMailboxRPC $NULL -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null
Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy
NOTE: The next step (raising the Address Book service connection limit) is not required in Exchange 2010 SP1, as it is now managed with the Throttling Policy (i.e. -CPAMaxConcurrency $NULL -CPAPercentTimeInCAS $NULL -CPAPercentTimeInMailboxRPC $NULL)
Now we need to increase the maximum number of connections Exchange 2010 allows to the Address Book service. By default this is set to 50. To increase it, navigate to "\Program Files\Microsoft\Exchange Server\V14\Bin" and open the microsoft.exchange.addressbook.service.exe.config file with Notepad. Change the MaxSessionsPerUser entry to 100000, save the file and restart the Address Book service.
Note: By default you may not have permission to edit this file so edit the permissions > add the administration account you are using > grant this account access to edit the file.
You have the ability to allow the BES to use Exchange Web Services to manage calendars on the devices. In order to utilize this service you need to configure a management role by running the following commands from the Exchange Management Shell:
New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin"
Get-Mailbox -Server "<messaging_server_name>" | Set-CalendarProcessing -ProcessExternalMeetingMessages $true
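The steps above give one service account Receive-As and store-admin rights on every mailbox database, Send As over all users, and EWS impersonation, so it is worth recording exactly what was granted once they are done. The following read-only audit for the Exchange Management Shell is an added example, not part of the original forum post; the helper function names are made up for this example, and BESAdmin, BESPolicy and the CN=Users DN are the page's sample values, to be replaced with your own.

```powershell
# Added example: read-only audit, run in the Exchange Management Shell.
# BESAdmin, BESPolicy and the CN=Users DN are the page's sample values.
$Account = "BESAdmin"
$UsersDn = "CN=Users,DC=bbforums,DC=local"

# Helper (hypothetical name): one result row per expected grant.
function New-GrantCheck($Check, $Found, $Scope) {
    New-Object PSObject -Property @{
        Check = $Check; Scope = $Scope; Present = [bool]$Found
    }
}

# Helper (hypothetical name): extended rights allowed (not denied)
# to the account on one AD object, returned as plain strings.
function Get-GrantedRights($Identity) {
    Get-ADPermission -Identity $Identity -User $Account |
        Where-Object { -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { "$_" }
}

$report = @()

# Role group membership (matches on the member's AD name).
$member = Get-RoleGroupMember "View-Only Organization Management" |
    Where-Object { $_.Name -eq $Account }
$report += New-GrantCheck "View-Only Organization Management" $member "organization"

# Receive-As and ms-Exch-Store-Admin, checked per mailbox database.
foreach ($db in Get-MailboxDatabase) {
    $rights = @(Get-GrantedRights $db.DistinguishedName)
    foreach ($right in "Receive-As", "ms-Exch-Store-Admin") {
        $report += New-GrantCheck $right ($rights -contains $right) $db.Name
    }
}

# Send-As on the container the grant was applied to.
$sendAs = @(Get-GrantedRights $UsersDn) -contains "Send-As"
$report += New-GrantCheck "Send-As" $sendAs $UsersDn

# EWS impersonation role assignment.
$ews = Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $Account
$report += New-GrantCheck "ApplicationImpersonation" $ews "organization"

# Throttling policy attached to the service mailbox.
$policy = (Get-Mailbox $Account).ThrottlingPolicy
$report += New-GrantCheck "ThrottlingPolicy=BESPolicy" ("$policy" -like "*BESPolicy*") $Account

$report | Format-Table Check, Scope, Present -AutoSize
```

Keeping the output with the change record gives a baseline: a later run that shows these rights on any other account, or extra rights on this one, is a deviation to investigate.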
Make BESadmin a local Administrator of the server where you will be installing the BES software. This is done by right mouse clicking My Computer and selecting “Manage”. From Computer Management expand “Local Users & Groups” and select Groups (or in Server 2008 right click Computer > From Server Manager expand Configuration and select “Local Users & Groups” > Select Groups). From Groups double click “Administrators” and add BESadmin.
On the BES server go to "Administrative Tools", open "Local Security Policy" and then expand "Local Policies" and "User Rights Assignment". You need to add BESadmin to "Log on Locally" and "Log on as Service".
Log on to the server where you will be installing the BES using the BESadmin account. Extract the install files and run the setup file. When making your selection, note that the Monitoring service should be installed on a separate machine and the MDS Integration Service is only required for application development (note: the standard MDS service is installed by default). During the install you will be prompted to reboot; after the restart, log on as BESadmin again, as the installation will continue. During the final part of the installation, when you enter your SRP ID, Auth Key and CAL, select the verify option: apart from validating the info, it confirms that Port 3101 is opened correctly.
Note: If you are installing BES onto a server with existing services that use port 443, change the HTTPS Service Port during the BES install to a port that does not conflict with any other applications, e.g. 643 or 3443. For further information on issues that prevent access to BAS please refer to the link below:
The Unofficial BlackBerry Support Forum – Threads Tagged with bas
Once the installation is completed and the services have started, log onto the BlackBerry Administration Service. Please note that the BAS-AS service needs to reach approximately 385MB of memory usage (you can check this via Task Manager) before it can be accessed.
Note: If you are unable to log on to the BAS using Active Directory credentials, please run the attached "AddBASAuthentication.sql" script below, as this will create a local "BlackBerry Administration Service" account with the username: admin and the password: blackberry.
In order to get you up to speed on adding users and performing activations please refer to the video tutorial below:
Tutorial – BlackBerry Administration Service
Send As Permissions
Unlisted message error or Desktop email program unable to submit message
Note: For sites running Exchange 2010 SP1 you must be running BES 5.0.2 MR4 and MAPI\CDO Client 1.2.1 version 6.5.8211.0 or above to prevent latency issues (More Info: Guide: BES 5.0.2 and Exchange 2010 SP1 Latency Issues)