Port3101.org : Your BES Connection
BES 5 in an Active Directory Environment
 
#1
09-09-2010, 05:40 AM
BES Expert

Join Date: Feb 2009
Location: UK
Posts: 58

Hi Folks

Currently in the process of building a BES 5.02 Env, Domino.

Our server team have now introduced an AD environment and I have been told I need to move into this.

Trying to find some details on the rights required as, although I have been given an account for the install, when trying to run the services, it all fails.

Have been told I need to have two separate accounts, one to do the install and the other to run the services. I really have no idea on how AD works so currently at a loss.

Have spoken to a few other BES admins who all say they do not run BES in the AD environment. Beginning to understand why.

Wonder if anyone can point me in the right direction.

Thanks in advance
#2
09-10-2010, 03:13 PM
Pelvir
BES Administrator

Join Date: Jan 2009
Location: New Orleans, La
Posts: 27

You need to create a BESAdmin account in AD and add it to the server with local and domain admin rights. You need to install and start services under this account and no other. There are more detailed write-ups here and on the BlackBerry site. It's all about permissions in AD.
#3
09-11-2010, 02:04 PM
Cheese Sammich
Super Moderator

Join Date: Dec 2008
Location: Long Island
Posts: 232

Quote:
Originally Posted by Pelvir View Post
You need to create a BESAdmin account in AD and add it to the server with local and domain admin rights.
This is not entirely correct. The BES service account should NOT be a Domain Admin.
KB02276 - Assigning permissions for a BlackBerry Enterprise Server service account
Last edited by Cheese Sammich; 09-11-2010 at 02:06 PM.
#4
09-13-2010, 10:16 PM
BES Administrator

Join Date: Aug 2010
Location: Here & There
Posts: 32

For Exchange environments, the BESAdmin account should never be a domain admin. But for Domino environments, it doesn't matter if the BESAdmin account is a user or domain admin. It doesn't need domain admin rights so there's no point giving it domain admin rights. On the server you're installing the BES on, the BESAdmin account must be a local admin and in local security policy, it must have "Allow log on locally" and "Log on as a service". This will give BESAdmin enough rights to run services. Domino mailbox access is granted when you place the Domino server you're installing the BES on in the LocalDomainServers group. Assuming you didn't change defaults, this should give it Manage with Delete documents access.

When installing 5.0.x Domino BES, make sure you select the Use Active Directory Authentication check-box under BlackBerry Administration Service. If you don't initially check it, you should be able to run the installer again and check it, but I've seen some cases where this doesn't work. The only way to resolve it was to perform a clean install with a new config db and have this option selected.

Before installing BES, make sure you replicate the BlackBerryAdmins group to the Domino server you're installing the BES on and configure the Server Document (Run unrestricted methods and operations must have LocalDomainServers added). Also, make sure the DIIOP task is running on one of the Domino servers in your environment.
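One way to check a service account against the Windows-side settings listed in post #4, and against the point in post #3 that it should not be a Domain Admin. This is an added example, not part of the original thread or of BlackBerry's documentation; the account name EXAMPLE\BESAdmin is a placeholder, English group names are assumed, and only direct group memberships are seen.

```powershell
# Added example: audit a BES service account. Run elevated on the BES server.
param([string]$Account = 'EXAMPLE\BESAdmin')   # placeholder domain\user

# secedit lists rights holders as *SID entries, so resolve the account's SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sam = $Account.Split('\')[-1]
$samPattern = '(^|\s)' + [regex]::Escape($sam) + '(\s|$)'

# Direct group memberships only; nested groups are not expanded.
$localAdmin  = (net localgroup Administrators) -contains $Account
$domainAdmin = [bool]((net group 'Domain Admins' /domain) -match $samPattern)

# Export the user-rights assignments from the local security database.
$inf = Join-Path $env:TEMP 'bes-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-Content $inf
Remove-Item $inf

# The account holds a right if its SID (or name) is listed, or if it is a
# local admin and BUILTIN\Administrators (S-1-5-32-544) is listed.
$ids = @($sid, $Account, $sam)
if ($localAdmin) { $ids += 'S-1-5-32-544' }

function Test-UserRight([string]$Name) {
    $line = $rights | Where-Object { $_ -match "^$Name\s*=" } |
        Select-Object -First 1
    if (-not $line) { return $false }
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
    return [bool]($holders | Where-Object { $ids -contains $_ })
}

$report = New-Object PSObject -Property @{
    Account         = $Account
    LocalAdmin      = $localAdmin      # required per post #4
    DomainAdmin     = $domainAdmin     # should be False per post #3
    LogOnLocally    = (Test-UserRight 'SeInteractiveLogonRight')  # "Allow log on locally"
    LogOnAsAService = (Test-UserRight 'SeServiceLogonRight')      # "Log on as a service"
}
$report | Format-List
if ($domainAdmin) { Write-Warning "$Account is a member of Domain Admins" }
```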
#5
09-14-2010, 07:07 AM
BES Expert

Join Date: Feb 2009
Location: UK
Posts: 58

Many thanks for all the replies, very much appreciated
All times are GMT -4.