Blackberry Enterprise Server 4.1 with Exchange. Can receive mail from BB but cannot send

Give him Full maibox rights.

the user? or the besadmin account?

BESAdmin - if it has worked prior and there is another user that is working at his site (off the same server) I would mimick the permission settings of the other user.  Then I would resend the service books.  If that does not work then I would give BESAdmin full rights to the mailbox and if that fails wipe the handheld and reload.

i made the BESADmin account full control of this mailbox and resent service book but he still cannot send mail. Keep in mind that his mailbox is on another mail server in the same forest. He is the first user from this mail server that we added to the BES. The users from the mail server in the same domain as the BES is fine. He can receive mail, but he still cannot send. I did also notice that in the Blackberry Manager all the device information is not listed for this user. It shows received mail but nothing for sent.

Are the exchagne servers in the same exchange orginization?
If they are not then BB does not support a single server you would require one BES per Orginization
The BES Admin account that accesses the US exchange server does it have the equivalent permissions on the UK server?
If the BES admin is not at the root of the forest and is a member of a child domain you can have issues attaching to servers in other child domains.

The exchange servers are in the same organiztion. The permissions are the same on both US and the UK mail servers. The BESAdmin account was created in the root domain but the mailbox is located in the US child domain. what memberships should I confirm? If I am able to receive mail then it should be able to send mail.

No forwarding is done the same as if a user is sending mail through the exchange server.   The MAPI profile you configured on the BES is used to send and forward mail as required.  Make sure that in the AD the rights are properly propagating down to the user in questions - I think you may have checked this before already but it is important you have verfied that security,  The BES Admin requires the Send as Receive As right on the user account in question.

Is the user a member of any administrative group?
If so then more than likely this could be the issue detailed here http://www.blackberry.com/btsc/articles/157/KB04707_f.SAL_Public.html
MS revoked the send as permission in a service pack on the admin

When the user sends a message do you see any errors in the App log onthe BES?
Typically a security issue will show up in the App log on the BES.

its been awhile but the problem did not go away. This is what I constantly get in the app logs on the BES:


event id 20174 ReloadPagerStats() failed

Have you verfied that your BESAdmin does have the rights in question on the user.  Also look in Advanced under security to ensure that there is no Deny permission.  Your BES admin might be getting a deny from another user group it is a member of.  The error you are referring to is generally acompanied with the email address it is related to, if not then it usually represents a failure by the BES  to get info from the exchange server it is talking to, again a permission issue.

You can run a check on the effective permissions on the user's mailbox, from the Exchange AD MMC, for your BESAdmin account, to be 100% sure what the permissions are on the account.  Make sure Send As is chaecked in the results, I suspect it is probably not.

I checked advanced under security for this user and there is no deny permission for the besadmin account or any group that the besadmin is in. I ran the effective permissions on this users mailbox and the besadmin pretty much has access to do everything including "send as". I am at a loss. Please help.

I did notice something that may or may not be the problem. The users email address on the BES is wrong. the BES is in the company.com domain when most of my blackberry users are in. this user is in a child domain called nl.company.com. most of my users have addresses like username@company.com but this users email address is username@company.hmi.nl. Could this be the problem? if yes, how do I change email addresses on the BES? The weird thing is he receives mail on his blackberry with no problem but when sending, it fails.

BES should be picking up the default SMTP of the user.  You can do a little test to see if this is the issue
Download SMTPDiag from MS and run it on your BES.  Use the users email address that BES has listed and see what kind of response you get in sending a message to a user.  then try the address that it is supposed to be and see if they differ.  If you get an error here then it would have to be something in the SMTP relay permissions that is stopping the mail sent from the BB.  This would be something you would have to address on the SMTP service in exchange.

The forwarding mechanism is entirely different from the sending as the forwarding just picks up inbound mail to an exchange mailbox.  When sending the standard rules and security permissions for exchange apply so if the user does not have permission to send using the connection they are processing through it will not allow the forward the mail

I downloaded and ran SMTPDiag with the address the BES has for this user and it passed all test. Now what?

Is that the address that the user uses on his Blackberry?

no it is not. the domain that the BES is using is from the master domain where all the other BES users are located. his domain is child of this master and his exchange is in the same organization as the main exchange.

If you do the SMTPDiag with his email address that he uses on the BB what happens?

I should found out that the BES is using the right address. Even though the user is in a child domain at nl.company.com, his default smtp address is company.com which is what the BES is using.

Anything else I can try? Should I reload the user? The address that the BES is using for this user is correct.

I have been reviewing the thread again and based on the research I have conducted it is most likely a security issue in the way the root and child domains acts in the exchange organization.  Because the user is a member of another child domain ultimately there is a security relation that comes into play and BES does not support this kind of infrastructure.  From what you said previously

'The BESAdmin account was created in the root domain but the mailbox is located in the US child domain.'
and
'this user is in a child domain called nl.company.com. most of my users have addresses like username@company.com but this users email address is username@company.hmi.nl.'

To me it sounds as if your BES server is working within the US Child Domain and not the at the root domain level.  In this case Blackberry does not support users in another child domain, and even with a machine on the root level it then depends on the exchange organization and its structure within the forest.  Blackberry's official position is that a BES is required per domaim supported.  So to support multiple domains in a forest you would need to have your exchange organization structured at the root, with the BES at the root as well, or have mutiple BES deployed at the various child domain levels within the forest.  

To go futher we would have to look at your forest structure and how exchange organization is setup as well.  If you want we can continue to investigate but I suspect the issue is as I described above, and if so, the solution will be to deploy a BES for the NL domain.

Thank you so much for this detailed analysis of my problem. I figured it might not work the way it is setup. I want just quickly review with you my setup so we are on the same page and tell me for sure that it works or does not work.
I have a master domain called company.com where there is a root mail server but no BES users on it. then we have a child domain callled us.company.com and this is where my BES is and with all working BES users. Then I have another child domain called nl.company.com where the user in question is located in. It makes sense what your saying but why is he able to receive mail?

Thanks Shane for all your help. Are you saying if the BES was in compant.com, then users in both us.company.com and nl.company.com would work?

It is more likely to work but this depends on the exchange org at that point