Solved

Blackberry users cannot send emails when their email accounts are on the BES (so, same machine)

Posted on 2006-10-30
Last Modified: 2011-08-18
I recently migrated our BES to a new server.  The BES used to be installed on a secondary Exchange Server and is not located on a tertiary Exchange Server.  Basically, we have 3 Exchange Back-end Servers due to one of them being screwed up, the other being a desktop, and the new third one is an actual server box that is going to replace the other 2 (hopefully soon).

I am having problems with the new server when it comes to Blackberry users.  Simply, they cannot send emails from their Blackberry.  They can receive emails and Outlook works great for them via RPC-o-HTTP, or however else they want to check emails and send, just not when it comes to their Blackberry.  Now, my Blackberry users on the other two Exchange Servers have no issues.  

I have read up on Microsoft Service Packs causing problems and some other issues out there but I think this one is unique and therefore a tough one to solve (500 points).

I have included the eventlog information that is generated when a Blackberry user tries to send an email.  Some of these could contain error messages related to the mailbox move.  The ones that seem to be unrelated to the move are the top 3.  Meaning, I have tested the user's Blackberry and ability to send messages and kept getting the top 3 messages.  The bottom 3 were right around the time the mailbox was being moved over.  I should also add that if I were to move this user back to one of the other Exchange Servers then their Blackberry would work perfectly again.  

Blackberry Messaging Agent <instance> Agent 2     20000 Send() failed: SUCCESS, Tag=47751
Blackberry Messaging Agent <instance> Agent 2     20265 MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed
Blackberry Messaging Agent <instance> Agent 2     20301 (Unable to save configuration settings or statistics)
======================================================================================
BlackBerry Synchronization Service                         26026 [SYNC-DSession] Received empty Add for Backup's Recipient Cache.
Blackberry Messaging Agent <instance> Agent 2     20174 ReloadPagerStats() failed
Blackberry Messaging Agent <instance> Agent 2     20273 GetNewDeletedMessages() failed


Please help!  Half the company email accounts are actually running on desktop, with 1 80GB HDD, and a single processor -- which...just isn't right.  I can't move people over until this new server is 100%

Thanks everyone for your help


Question by:draracle
8 Comments
 
LVL 4

Assisted Solution

by:KPCarl
KPCarl earned 100 total points
ID: 17838594
Have you checked the permissions of your Blackberry service account on the new Store? Does it have "send as" and "receive as"?
 
LVL 4

Assisted Solution

by:KPCarl
KPCarl earned 100 total points
ID: 17838605
... and "administer information store" permission - all at the server level in ESM.
 
LVL 26

Accepted Solution

by:Gary Cutri
Gary Cutri earned 400 total points
ID: 17838749
This is very easy to fix. All you need to do is stop the "BlackBerry Router" service, then go into Active Directory and from the "View" menu select "Advanced Features", then go to every BlackBerry user in AD and open their properties. For their properties window select the "Security" tab, from here add your BES account (normally BESadmin) and only add the permission "Send As". You will have to repeat this for all users on your BES, wait 20 minutes after you have done all the users and then start the "BlackBerry Router" again.

If you have any admin users with BlackBerry devices it will inherit permissions from the "Admin" group and it will remove the BESadmin "Send As" permission. So all you need to do is closely note down any inherited permission to the user in the security tab, then go to the advanced option and untick “Allow inheritable permissions from the parent …”. Once you have done this ensure any required permissions are added back to the admin user then add BESadmin with “Send As” permissions again. Once again wait 20 minutes before restarting the “BlackBerry Router” service.

If anyone wants to know the relevance of stopping the router service for 20 minutes, it is the amount of time the BES server takes to clear its cache locally and on the relay.

Another thing to check is that the BESadmin user has delegate control within Exchange on all the servers that the BES will be accessing.  Basically BESadmin only needs to be an "Exchange View Only Administrator" and on the server level the BESadmin user needs the following extra permissions added: "Administer Information Store", "Send as" and "Receive as".
 

Author Comment

by:draracle
ID: 17842161
I added the BESadmin account to all Blackberry users.  I added "Send As" permission but left the other default ones checked.  Should I have removed the extra permissions in this case?  

I noticed that in ESM that the Administrator account is denied Send/Receive As but the BESadmin does have the correct settings.  In the past, on the old BES the administrator account was used instead of the BESadmin.  

Currently, I have the same problem I was having before and now a new problem: accounts on the new email server are unable to receive emails.  This must be one big authentication problem involving the BESadmin account and the administrator account, perhaps group memberships as well.  Should I be checking "inheritable rights" in ESM for the Exchange Servers?  What would happen if I gave BESadmin full admin control under the Delegation tab?  Is there a way to remove the deny Send/Receive As for administrator and could that fix this problem?

I knew this was a definite 500 point question :)
 
LVL 26

Assisted Solution

by:Gary Cutri
Gary Cutri earned 400 total points
ID: 17848208
Should I have removed the extra permissions in this case?  No that's fine.

Can you confirm that your BES is using the correct MAPI client?  It may be using the admin account still.

Personally I would create a new BESadmin account on the new mail server, if you do this you will have to redo all the permissions locally on the BES server and on the ESM.

What would happen if I gave BESadmin full admin control under the Delegation tab? Your BES account would have dangerous permissions such as delete and change etc., which I'm sure you can imagine the possibilities of if something went wrong.
 
LVL 26

Expert Comment

by:Gary Cutri
ID: 17848212
How many users do you have on this BES?
 

Author Comment

by:draracle
ID: 17849804
Okay, things are looking a little brighter today.  I came across a script that corrected the problem Blackberry user.  This Blackberry user is a member of Administrators and although the BESAdmin account was added to the Security tab the AdminSDHolder account would keep removing it.  What I had to do was add the BESAdmin account with "Send As" permission so that Administrator members would be allowed to have the BESAdmin security rights.  
 
Here is the script that corrected the AdminSDHolder actions that would screw up Administrator Blackberry users.  Note, the "dsacls" utility is part of the Windows Support Tools kit.
dsacls "cn=AdminSDHolder,cn=System,dc=domain,dc=com" /G "domain\BESAdmin:CA;Send As"

Also, I was getting tired of adding the BESAdmin account to every Blackberry's Security tab so I took this little step.  Go into Active Directory Users and Computers, right-click your domain, properties, security.  Click on Advanced, Add BESAdmin, Edit BESAdmin. Change the Apply To: <pulldown box> to "User objects" and opt to allow "Send As".  Now, everyone has the BESAdmin account and there is less room for error.  However, it's important to run the above script so that BESAdmin is inherited to your Administrators.  Some people apparently tried editing the AdminSDHolder through the GUI and were not successful until they used the script.

Couple other notes:
I have around 35 Blackberry users that are still on the old Exchange Server(s) that I want to turn off.  I moved one person over to test them on the new Exchange server and although their email worked their Blackberry did not.  All of the other users are on the old Exchange Server(s) and their Blackberrys work fine.  Seeing how the new Exchange Server is also the BES I am still not 100% certain my problems are completely gone.  I would not be surprised if my other users are not working now because they are not Administrators.  

I'd like to note that the two old Exchange Servers are also Domain Controllers and Global Catalog servers whereas the new one is neither.  

And the strangest thing so far....All of these steps were recommended due to a HOTFIX by Microsoft and...I don't appear to have that HOTFIX installed!!!!

My Exchange Server 2003 version is: 6.5.7638.1 Service Pack 2

I would also like to recommend these articles:
Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003 @  http://support.microsoft.com/kb/912918
and
BES 4.1 (SP1) - Cannot send mail.  @ http://blackberryforums.pinstack.com/4875-bes_4_1_sp1_cannot_send.html (the thread continued on several pages)


Anyways, I am now at the point where I am going to try and migrate a user over who is not a member of Administrators.  If they fail miserably today, I'll be back here later =)
 
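The AdminSDHolder behaviour described in the comment above, as an added PowerShell audit example that is not part of the original thread: it reports which BlackBerry users would lose or lack the BES account's "Send As" ACE. The trustee DOMAIN\BESAdmin, the user names and the sample ACEs are constructed, and only ACEs naming the Send-As right itself are matched.

```powershell
# Added example: audit "Send As" for a BES service account. Sample data is constructed.
$SendAs = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As extended right

# True if the ACE list holds an Allow/Deny ACE for Send-As naming the trustee.
function Test-SendAsAce {
    param([object[]]$Access, [string]$Trustee, [string]$Type)
    [bool]($Access | Where-Object {
        "$($_.IdentityReference)" -eq $Trustee -and
        "$($_.AccessControlType)" -eq $Type -and
        "$($_.ActiveDirectoryRights)" -match 'ExtendedRight' -and
        $_.ObjectType -eq $SendAs
    })
}

# Classify each user. Protected accounts (adminCount = 1) have their ACL
# rewritten from AdminSDHolder, so an ACE set only on the user does not last.
function Get-SendAsStatus {
    param([object[]]$Users, [object[]]$AdminSdHolderAccess, [string]$Trustee)
    $holderOk = Test-SendAsAce -Access $AdminSdHolderAccess -Trustee $Trustee -Type Allow
    foreach ($u in $Users) {
        $status = if (Test-SendAsAce -Access $u.Access -Trustee $Trustee -Type Deny) {
            'Blocked: Deny ACE for Send As'
        } elseif ($u.AdminCount -eq 1 -and -not $holderOk) {
            'At risk: ACL is reset from AdminSDHolder, which lacks the ACE'
        } elseif (Test-SendAsAce -Access $u.Access -Trustee $Trustee -Type Allow) {
            'OK'
        } else { 'Missing: no Send As ACE' }
        [pscustomobject]@{ User = $u.Name; AdminCount = $u.AdminCount; Status = $status }
    }
}

# Constructed sample ACEs, shaped like the entries in (Get-Acl "AD:\<dn>").Access
function New-SampleAce($Id, $Type) {
    [pscustomobject]@{ IdentityReference = $Id; AccessControlType = $Type
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $SendAs }
}
$bes = 'DOMAIN\BESAdmin'
$users = @(
    [pscustomobject]@{ Name = 'jsmith';  AdminCount = $null; Access = @(New-SampleAce $bes 'Allow') }
    [pscustomobject]@{ Name = 'itadmin'; AdminCount = 1;     Access = @(New-SampleAce $bes 'Allow') }
    [pscustomobject]@{ Name = 'legacy';  AdminCount = $null
                       Access = @((New-SampleAce $bes 'Allow'), (New-SampleAce $bes 'Deny')) }
    [pscustomobject]@{ Name = 'newhire'; AdminCount = $null; Access = @() }
)
# AdminSDHolder has no Send As ACE in this sample, so 'itadmin' is flagged.
Get-SendAsStatus -Users $users -AdminSdHolderAccess @() -Trustee $bes | Format-Table -AutoSize
```

Against a live domain, the same functions can be fed from Get-ADUser (with -Properties adminCount) and the Access list of Get-Acl on the AD: drive, both of which need the ActiveDirectory module.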

Author Comment

by:draracle
ID: 17851746
Everything is working now the way it should be.  

Thanks for your help