Install BlackBerry 5.0.3 in Exchange 2010 SP1 with two BESAdmin users

Quick Step-by-Step Guide


In my example we have Exchange 2010 SP1 organization in two datacenters with two DAGs. Each datacenter has active and passive Exchange DB and Blackberry server with users from active Exchange DB. In this scenario we had to add an supplementary Blackberry server in one datacenter and supplementary Blackberry administrator (BESAdmin2).


This instruction applies only to Exchange 2010 SP1, if there is no SP1 in your Exchange 2010, please ask and I can provide with step-by-step instructions.


BES 5.0.3 is totally compatible with MS Windows 2008 R2 and Exchange 2010 SP1.


In this example we will be installing BES 5.0.3 on the dedicated Windows 2008 R2 server. Prior to installation of BES you MUST have public folders enabled and Offline Address Book configured in Exchange 2010. Make sure you have port 3101 TCP open (outbound initiated, bi-directional) on your Firewall.



Download and install on your dedicated BES Server “Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1” (Exchange 2010 SP1 requires version 6.5.8211.0 or higher). This will install the CDO and MAPI DLLs which is a prerequisite for BES to operate correctly.

Download link: Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1



Create a Windows Account that has a Microsoft Exchange 2010 SP1 mailbox.

Open the Microsoft Exchange Management Console and create an account and mailbox BESAdmin2



Configure Microsoft Exchange 2010 SP1 permission for the Windows Account (BESAdmin2). From the Exchange 2010 server open the “Exchange Management Shell” run the following two commands to set the required delegate control and permissions:


Get-MailboxDatabase | Add-ADPermission -User "BESAdmin2" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin


Get-MailboxDatabase –identity dbname | Add-ADPermission -User "BESAdmin2" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Note: If a new mailbox database is created for Microsoft Exchange, repaet command above for Microsoft Exchange 2010 SP1.


Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin2"

Note: If a new mailbox database is created for Microsoft Exchange, repeat command above for Microsoft Exchange 2010 SP1.



To set the Send AS permissions using the command below:


Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin2" -Identity "DC=domain,DC=local"



To turn off client throttling in Microsoft Exchange 2010 SP1 as it enforces bandwidth limits which will affect the BlackBerry Server. To do this run the following command from the Exchange Management Shell.


New-ThrottlingPolicy BESPolicy -CPAMaxConcurrency $NULL -CPAPercentTimeInCAS $NULL -CPAPercentTimeInMailboxRPC $NULL -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null 

Set-Mailbox "BESAdmin2" -ThrottlingPolicy BESPolicy 


To verify run:

Get-Mailbox -ResultSize Unlimited | select name,ThrottlingPolicy | sort ThrottlingPolicy -Descending



To allow the BES to use Exchange Web Services to manage calendars on the devices, in order to utilize this service you need to configure a management role by running the following command from the Exchange Management Shell:


In my case we have to options to solve this.

First one to create two New-ManagementRoleAssignment for two BESAdmins users:


New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin"


New-ManagementRoleAssignment -Name "BES Admin EWS2" -Role ApplicationImpersonation -User "BESAdmin2"


Second one is to create security group and add both BESAdmins users to this group:

For single security group, create the group in AD "BES Impersonation Group", add the BES accounts to the security and create the assignment:


New-ManagementRoleAssignment -Name " BES Admin EWS " -Role ApplicationImpersonation -SecurityGroup "BES Impersonation Group"


 To Remove the current role assignment from BES Admin EWS:


Remove-ManagementRoleAssignment -Identity "BES Admin EWS"




Permit meeting requests from outside of your organization when using Microsoft Exchange Web Services for Microsoft Exchange 2010 SP1.

For each Microsoft Exchange Server that hosts users, type the following command:


Get-Mailbox -Server "<Messaging_Server_Name>" | Set-CalendarProcessing -ProcessExternalMeetingMessages $true


Get-Mailbox -Server "<messaging_server_name>" –ResultSize Unlimited | Set-CalendarProcessing -ProcessExternalMeetingMessages $true -AutomateProcessing AutoUpdate



Configure permissions for the Windows account.

In Windows Server 2008 / R2 for BES Server disable IPv6 and set production NIC in first place.

Make BESadmin a local Administrator of the server where you will be installing the BES software. This is done by right mouse clicking My Computer and selecting “Manage”. From Computer Management expand “Local Users & Groups” and select Groups (or in Server 2008 right click Computer > From Server Manager expand Configuration and select “Local Users & Groups” > Select Groups). From Groups double click “Administrators” and add BESadmin.

On the BES server go to “Administrative Tools” and open "Local Security Policy" and then expand the "Local Policies" and "User Right Assignment". You need to add BESadmin to "Allow log on locally" and "Log on as Service".


Do not forget to add following email to white list on your SPAM filter:

If you still can't activate BB, but user get ETP.DAT file, add email address to "Add Sender to the safe sender list" in Outlook.


Get-Mailbox -Server "<messaging_server_name>" –ResultSize Unlimited | Set-CalendarProcessing -ProcessExternalMeetingMessages $true -AutomateProcessingAutoUpdate
Please enter the code:

Note: Please fill out the fields marked with an asterisk.