KB17325 - BES may encounter issues in a Windows Server 2008 based AD environment
KB17325 - BlackBerry Enterprise Server may encounter issues in a Windows Server 2008 based Microsoft Active Directory environment
Environment
- BlackBerry® Enterprise Server for Microsoft® Exchange (all versions)
- Windows Server® 2008
- Microsoft® Active Directory® environment
Overview
In an environment using exclusively or a majority of Global Catalog servers on Windows Server 2008, it is possible that the BlackBerry Enterprise Server might encounter a range of issues relating to name resolution. In the BlackBerry Enterprise Server debug logs you might see a combination of the following events:
[40206] (12/22 08:58:11.625):{0x1A38} MailboxManager::SubsystemInitialize - Using MAPI profile 'BlackBerryServer'
[50000] (12/22 08:58:11.672):{0x394} Controller: This BES Agent is under control of BlackBerry Agent Controller
[20137] (12/22 08:58:11.719):{0x1A38} MailboxManager::SubsystemInitialize - g_pSession->OpenMsgStore (0x80040111)
[40000] (12/22 08:58:11.719):{0x1A38} Setting PR_PROFILE_CONNECT_FLAGS CONNECT_IGNORE_NO_PF true
[40206] (12/22 08:58:11.719):{0x1A38} MailboxManager::SubsystemInitialize - Using MAPI profile 'BlackBerryServer'
[20137] (12/22 08:58:11.797):{0x1A38} MailboxManager::SubsystemInitialize - g_pSession->OpenMsgStore (0x80040111)
[10277] (12/22 08:58:11.797):{0x1A38} BlackBerry Messaging Agent MERC74 Agent 1 failed to start. Error code 5305
[50106] (12/22 08:58:11.797):{0x1A38} Stopping BlackBerry Mailbox Agent 1 for Server
[40000] (12/22 09:44:49.654):{0x4EC} CDO initializing failure in CDO helper 1046a930 (2)
[30001] (12/22 09:44:49.764):{0x4EC} CDOCalendar::Initialize - Code = 800406f9, WCode = 04f9, Code meaning = IDispatch error #1273,
[30002] (12/22 09:44:49.764):{0x4EC} Server = mercmbx11, Mailbox = Description = The information store could not be opened. [MAPI 1.0 - [MAPI_E_LOGON_FAILED(80040111)]]
[30180] (12/22 09:44:49.764):{0x4EC} {saskit} CDOCalendar::Initialize - Error in call m_spCalendarFolder = m_spCDOSession->GetDefaultFolder
[40000] (12/22 09:44:49.764):{0x4EC} CDO initializing failure in CDO helper 1046a930 (4)
[30181] (12/22 15:04:32.463):{0x1A38} Performing system health check (BlackBerry Mailbox Agent 1 - BESX Version 4.1.6.11)
[30038] (12/22 15:04:32.463):{0x1A38} Worker Thread: *** No Response *** Thread Id=0x1350, Handle=0x7B0, WaitCount=6, WorkingTime=68 min, LastActivity=68 min, Event: NEW_MB_PCKT_RESCAN, User: , Server: , Activity: MAPISendertoRIMSender - RIM_HrGWResolveProxy
[30038] (12/22 15:04:32.463):{0x1A38} Worker Thread: *** No Response *** Thread Id=0x1564, Handle=0x1664, WaitCount=6, WorkingTime=68 min, LastActivity=68 min, Event: NEW_MB_PCKT_RESCAN, User: , Server: , Activity: MAPISendertoRIMSender - RIM_HrGWResolveProxy
[50020] (12/22 15:04:32.463):{0x1A38} Some worker threads have been blocked for 6 health checks
In addition, it is likely that if this article applies, the BlackBerry Manager will return an error when opened regarding being unable to open the default message store.
Note: It is possible that any of these events can occur independently and not be related to this article. For this issue to apply it is likely that at least two or more of the above-listed events will occur.
As of Windows Server 2008, Microsoft has changed the default behavior of the Domain Controller with regards to Named Service Provider Interface (NSPI) connections. NSPI is the interface that allows Messaging Application Programming Interface (MAPI) to interact with the Global Catalog server to use the Microsoft® Exchange address book and to perform name resolution tasks requiring the information stored in the Global Catalog. Prior to Windows Server 2008, any individual MAPI client could make virtually unlimited number of NSPI connections to a Global Catalog without consequence. In order to more appropriately manage these connections from MAPI clients, Windows Server 2008 introduced a limit of 50 NSPI connections per user. For more details, see Microsoft Knowledge Base article 949469 at the Microsoft Support web site.
This limit has little to no impact on a single user MAPI client; however, the BlackBerry Enterprise Server has to monitor the mailbox for each user that is added to it and therefore requires more NSPI connections than a client, such as Microsoft® Outlook® would. To calculate the number of NSPI connections for your BlackBerry Enterprise Server you will need you will need several pieces of information.
- Number of agents running on the BlackBerry Enterprise Server
- Number of Microsoft Exchange Servers the BlackBerry Enterprise Server provides service for
- The number of users on each Microsoft Exchange Server the BlackBerry Enterprise Server provides service for
Based on this information, a simple formula can be applied for the number of NSPI connections that will be required. Number of NSPI connections = Total Number of agents + (Number of users on Microsoft Exchange Server 1 / 50) + (Number of users on Microsoft Exchange Server 2 / 50) +... (Number of users on Microsoft Exchange Server N / 50)
Any fractional results would count as one full NSPI connection. Therefore, if the BlackBerry Enterprise Server was running two agents, with a total of two Microsoft Exchange Servers and 75 users on each Microsoft Exchange Server, it would require six NSPI connections (1 for each agent, 2 for each Microsoft Exchange Server). If the total number of NSPI required connections exceeds 50, some of the connections will be denied.
It is important to note that the above method of determining the number of required NSPI connections is on per server basis. However, the limit on NSPI connections is on a per user basis. If there are multiple BlackBerry Enterprise Servers in the environment running with the same service account, the number of NSPI connections all those BlackBerry Enterprise Servers require must be added together. In addition, under certain conditions it is possible that extra NSPI bind requests will take place. To account for this, add an additional ten connections to the number arrived at above, this will be the recommended number of connections for your BlackBerry Enterprise Server.
In order to limit the impact of this issue, if there are multiple BlackBerry Enterprise Servers in the environment they can be run under different service accounts. However, if this has already been done it may be necessary to increase the limit on the number of NSPI connections per user. First, get final confirmation that the limit on NSPI connections is the cause of the issue (See the Additional Information section to determine this). Once that has been confirmed, the issue can be worked around by taking the following steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS
- On the Edit menu, point to New, and then click Key.
- Type Parameters, and then press ENTER.
- Click the Parameters key.
- On the Edit menu, point to New, and then click DWORD Value.
- Type NSPI max sessions per user, and then press ENTER.
- Double-click NSPI max sessions per user, type the maximum number of the NSPI connections that you want to have, and then click OK.
- Exit the Registry Editor.
This should be done on any Global Catalog Server that the BlackBerry Enterprise Server may be required to connect to (for example, all Global Catalog Servers in the same site as the service account mailbox). Regarding what to set the limit to, as long as it exceeds the number of required connections found above normal, functionality will be restored. If you anticipate large scale growth in future for BlackBerry smartphone deployment, it would be recommended to account for that BlackBerry smartphone user volume now. If you simply want to emulate the behavior of Windows Server® 2003, set the value high enough that it is unlikely to ever be reached (for example, 1000).
Additional Information
To gather final confirmation of the issue, enable some additional logging on the Global Catalog Server, as outlined in the following steps:
- On the domain controller that is targeted for the NspiBind connection, click Start, click Run, type regedit, and then click OK.
- Locate and then double-click the following registry entry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\4 MAPI Interface Events
- In the Value data box, type 5, and then click OK.
Once this is done, monitor the event log on the Global Catalog Server for the following event:
Event ID: 2820
NSPI max connection limit for the user has reached.
You need to do NSPI unbind on old connections before making new connections.
Additional Data
Max NSPI connections per user:
%1
User:
%2
__________________
http://blog.port3101.org/hdawg/
The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.
|
Linear Mode
