Installing BES 5 in an Exchange 2010 environment

Mike SullivanDirector
There are various sources that I've used for this process and I've used it many times and adapted it with my own findings. This process is not meant to be a definitive troubleshooting guide for BlackBerry installation. That needs to be handled elsewhere. This process will allow anyone with a standard server configuration and no prior BlackBerry installation to implement the software with a minimum of fuss.

Note: In an Exchange 2010 environment, the BlackBerry Enterprise Server should NOT be installed on the mail server UNLESS you are using the Express edition which is designed for this purpose. Also, before installing BES, you MUST have public folders enabled and have an Offline Address book configured in Exchange 2010.


BES uses MAPI calls to communicate with Exchange and Collaboration Data Objects to synchronise Calendar data. On the server you have selected to load BlackBerry Enterprise Server, download and install "Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1" (ExchangeMapiCdo.Exe) The latest version 6.5.8211.0 is fully compatible and is available from the Microsoft Download site. The current download link is as follows:

Important Note: BES requires server MAPI tools. Outlook uses a client version of MAPI which is incompatible with BES. You should not install BES on any server that has a version of Outlook installed (e.g. a Terminal server with Office installed).


Log onto your Exchange Server using an account which has permissions to create a new account and also has permission to modify the Exchange configuration. In a small business/small office environment, this will typically be the main 'Administrator' account. Open the Exchange Management Console and create a new account and mailbox for a user called BESadmin.


From the Exchange 2010 server open the "Exchange Management Shell" and run the following two scripts to set the required delegate control and permissions:

Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"

Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Copy and paste these commands only if your BES service account created in STEP 2 shares the name "BESAdmin". Make sure that the BES service account is located in the 'Users' Active Directory container to avoid problems with inheritance of Group Policies and possible restrictions applied to the account.


Now you need to set the 'Send As' permissions using the command below:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=Experts-Exchange,DC=local"

Copy and paste the example into Notepad and modify the "DC=" entries to match your internal domain naming convention. Then copy and paste it into the Exchange Management Shell.


You need to turn off client throttling in Microsoft Exchange 2010 as it enforces bandwidth limits which will affect the BlackBerry Server. This process is different depending on whether you have Exchange Service Pack 1 installed or not. If you don't, run the following three commands from the Exchange Management Shell:

New-ThrottlingPolicy BESPolicy

Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null

Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy

If you do have Exchange Service Pack 1 installed, complete the following two steps:

New-ThrottlingPolicy BESPolicy -CPAMaxConcurrency $NULL -CPAPercentTimeInCAS $NULL -CPAPercentTimeInMailboxRPC $NULL -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null

Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy


NOTE: This step is not required in Exchange 2010 SP1 as it is now managed with the Throttling Policy

By default the maximum number of connections that Exchange 2010 allows to the Address Book service is set to 50. This needs to be increased for BES to function correctly. Navigate to "\Program Files\Microsoft\Exchange Server\V14\Bin" and open the file with Notepad. Change the MaxSessionsPerUser entry to 100000 and then save the file and restart the Address Book service.

Note: If you have trouble editing and saving this file, start Notepad from the Start Menu by right-clicking and choosing 'Run As Administrator' then File > Open and navigate to the file. If you are still logged in as the Administrator account, you shouldn't have a problem.


You have the ability to allow the BES to use Exchange Web Services to manage calendars on the devices, in order to utilize this service you need to configure a management role by running the following command from the Exchange Management Shell:

New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin"

Get-Mailbox -Server "<messaging_server_name>" | Set-CalendarProcessing -ProcessExternalMeetingMessages $true

Copy and paste this into Notepad and change the BES Service account name if required and replace <messaging_server_name> with the internal DNS name for your Exchange server.


The BES service account needs to be able to install the BES software on the local server. To do this, it needs to be a member of the local Administrators group on the server where you will be installing the BES software. This is done by right-clicking on the My Computer icon in the Start Menu and selecting "Manage". From Computer Management expand "Local Users & Groups" and select Groups. From Groups double click "Administrators" and add the BESadmin account from Active Directory.


The BES service account also controls the BlackBerry services on the server. To do this, it needs to have the ability to control services which is not a standard function of a server-based account. On the BES server go to "Administrative Tools" and open "Local Security Policy" (or click Start and type 'secpol.msc' in the search box). Expand the "Local Policies" and "User Rights Assignment" options. Find the "Log on Locally" and "Log on as Service" entries and add the BESAdmin account to both of these.


NOTE: At this point, you should log off as the Administrator and log back on to the BlackBerry server using the BESAdmin account. During this part of the installation, the server will require a reboot. If the server supports any other services or shared functions, please be aware that these will be impacted during the reboot.

Run the BlackBerry executable archive which will extract the install files and automatically run the setup file. Follow the steps in the wizard until prompted to reboot. After the reboot, make sure that the FIRST account that logs back on to the server console is the BESAdmin account. This will allow the BlackBerry installation to continue. If another account logs in before the BESAdmin account, you will need to log that account back out, log in the BESAdmin account and then run the setup program manually. The installation will pick up where it left off. Continue to follow the wizard. When prompted to enter the BlackBerry Administration Service login details, select BAS Authentication rather than Active Directory Authentication for the main administrator login. This will prevent connectivity problems if there are Active Directory issues. During the final part of the installation when you enter your SRP ID, Auth Key and CAL please ensure you select the verify option as, apart from validating the info, it confirms that Port 3101 is opened correctly. If Port 3101 is not opened correctly, BES requires outbound-initiated, bi-directional TCP communication on port 3101 from the BES internal IP to the external BlackBerry routing server IP (e.g.


Once the installation is completed and the services have started, log onto the Blackberry Administration Service. Please note that the BAS-AS services needs to reach approximately 385MB of memory usage (you can check this via task manager) before it can be accessed.

Note: For sites running Exchange 2010 SP1 you must be running BES 5.0.2 MR4 and MAPI\CDO Client 1.2.1 version 6.5.8211.0 or above to prevent latency issues.

Hope this is helpful.

Comments (1)

Albert WidjajaIT Professional

Hi Mike,

Is there any update on how to safely decommission BlackBerry server remnants in the Active Directory ?

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.