How to switch BlackBerry Enterprise Server service accounts

Environment

  • BlackBerry® Enterprise Server software version 4.0 or later for Microsoft® Exchange
  • Microsoft® SQL Server™
  • Microsoft® SQL Server Desktop Engine (MSDE)

    Procedure

    To change the BlackBerry Enterprise Server service account for BlackBerry Enterprise Server software versions 4.0 or later for Microsoft® Exchange, complete the following tasks:

    Summary of Tasks

    1. Create a new service account and mailbox.
    2. Set the local permissions.
    3. Assign the new service account to the Local Administrators group.
    4. Add the appropriate Microsoft Exchange Server permissions.
    5. Add the Send As permission in Microsoft® Active Directory® Users and Computers.
    6. Stop all BlackBerry Enterprise Server services.
    7. Configure BlackBerry Enterprise Server services to log in with the new service account.
    8. Export the Research In Motion® (RIM®) folder from the old service account.
    9. Import the Research In Motion folder to the new service account.
    10. If you have a Microsoft SQL Server, assign the Server roles.
    11. Edit the Messaging Application Programming Interface (MAPI) profile.
    12. Start all BlackBerry Enterprise Server services.

    Task 1

    Create a new BlackBerry Enterprise Server service account and mailbox. For detailed instructions, see the BlackBerry Enterprise Server for Microsoft Exchange: Installation Guide.
     

    For information on assigning permissions to the BlackBerry Enterprise Server administration account, see KB02276.


    Task 2

    Depending on where the BlackBerry Enterprise Server is installed, set the local permissions by completing one of the procedures below.

    On a member server

    If the BlackBerry Enterprise Server is installed on a member server, set the local permissions as follows:

    1. In the Microsoft® Windows® Control Panel, go to Administrative Tools > Local Security Policy.
    2. Expand Local Policies, and then select User Rights Assignment.
    3. Depending on the Windows environment, do one of the following:
      • In Microsoft Windows 2003, right-click Allow log on locally, click Properties, and click Add User or Group. Type the domain name of the new service account and then click OK.
      • In Microsoft Windows 2000, right-click Log on locally and click Properties. Select the Local Policy Setting check box next to the new service account name and then click OK.
    4. Also, specify the option Log on as a service.

    On a domain controller

    If the BlackBerry Enterprise Server is installed on a domain controller, set the local permissions as follows:

    Warning: There are performance issues associated with installing the BlackBerry Enterprise Server on a domain controller. This is not a recommended configuration.

    1. In the Microsoft Windows Control Panel, open Administrative Tools > Domain Controller Security Policy.
    2. Expand Local Policies and then select User Rights Assignment.
    3. Depending on the Windows environment, do one of the following:
      • In Microsoft Windows 2003, right-click Allow log on locally, click Properties, and click Add User or Group. Type the domain name of the new service account and then click OK.
      • In Microsoft Windows 2000, right-click Log on locally, and then click Properties. Select the Local Policy Setting check box next to the new service account name and then click OK.
    4. Also, specify the option Log on as a service.

    Task 3

    Depending on where the BlackBerry Enterprise Server is installed, add the new BlackBerry Enterprise Server service account to the Local Administrators group on the BlackBerry Enterprise Server by completing one of the procedures below.

    On a member server

    If the BlackBerry Enterprise Server is installed on a member server, add the new BlackBerry Enterprise Server service account to the Local Administrators group as follows:

    1. Open Administrative Tools > Computer Management, then expand System Tools.
    2. Select Local Users and Groups.
    3. Double-click Groups and then double-click Administrators. The Administrators Properties window appears.
    4. Click Add, type the new BlackBerry Enterprise Server service account name, and then click OK.
    5. Click OK again to close the Administrators Properties window.

    On a domain controller

    If the BlackBerry Enterprise Server is installed on a domain controller, add the new BlackBerry Enterprise Server service account to the Local Administrators group as follows:

    1. Open Administrative Tools > Active Directory Users and Computers, and then select the Builtin folder.
    2. Double-click Administrators, and then select the Members tab.
    3. Click Add, type the new BlackBerry Enterprise Server service account name and then click OK.
    4. Click OK again.

    Task 4

    Depending on the Microsoft Exchange environment, add the appropriate Microsoft Exchange Server permissions by completing one of the procedures below.

    Microsoft Exchange 2000 and 2003

    1. Open Exchange System Manager.
    2. Right-click the Microsoft Exchange administrative group name and then click Delegate Control.
    3. Click Next and then click Add to open the Delegate Control window.
    4. Click Browse to open the Select Users, Computers or Groups window and then select the new BlackBerry Enterprise Server service account.
    5. From the Role drop-down list, select Exchange View Only Administrator and then click OK.
    6. Click Next and then click Finish.
    7. Open Exchange System Manager, expand Administrative Groups > First Administrative Group, and select Servers.
    8. Right-click the Microsoft Exchange Server name, select Properties. Select the Security tab and click the Advanced button.
    9. Select the BlackBerry Enterprise Server service account name.  
      1. If you are not able to locate the BlackBerry Enterprise Server service account name, click Advanced, and then select the Allow inheritable permissions from parent to propagate to this object check box. 
      2. Click Apply and then click OK. You should now be able to find and click the BlackBerry Enterprise Server service account.
    10. Select the appropriate check boxes to allow permissions for Administer information store, Receive As, and Send As.
    11. Click Apply and then click OK.

    Microsoft Exchange 5.5

    In Exchange Administrator, turn on the Service Account Admin permission for the new service account in both the Site and Configuration containers. For more information on setting permissions, see the Microsoft Exchange 5.5 documentation.

    Microsoft Exchange 2007

    1. Open the Microsoft Exchange Shell by going to Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
    2. To set the Exchange View Only Administrator role, type the following command:

      add-exchangeadministrator BESAdmin -role ViewOnlyAdmin

      Where BESAdmin is the name of the BlackBerry Enterprise Server service account.

    3. To check the Exchange View-Only Administrator role, type the following command:

      get-exchangeadministrator | Format-List

      The service account should be displayed with a ViewOnlyAdmin role.

    4. To set the Send As, Receive As, and Administer Information Store permissions, type the following command:

      get-mailboxserver server_name | add-adpermission -user BESAdmin -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

      Where server_name is the name of the Microsoft Exchange Server 2007 or Microsoft Exchange Cluster and BESAdmin is the name of the BlackBerry Enterprise Server service account.

    5. To check the Send As, Receive As, and Administer Information Store permissions, type the following command in Exchange Management Shell:

      get-mailboxserver Exchange2007 | get-ADpermission -user BESAdmin | Format-List

      Where Exchange2007 is the name of the Microsoft Exchange Server 2007 or Microsoft Exchange Cluster and BESAdmin is the name of the BlackBerry Enterprise Server service account.

    Task 5

    In Active Directory Users and Computers, add the Send As permission by completing the following steps:

    To grant the Send As permission for a single account on all users in a Microsoft Active Directory domain or container, complete the following steps:

    1. Open Administrative Tools > Active Directory Users and Computers.
    2. From the View menu, select the Advanced Features option. If this option is not selected, the Security page will not be visible for domain and container objects.
    3. Right-click the appropriate domain or container, and then click Properties.
    4. Select the Security tab.
    5. If the BlackBerry Enterprise Server service account that requires the Send As permission is not listed, click Add, and then select the appropriate BlackBerry Enterprise Server service account. Click OK.
    6. Select the BlackBerry Enterprise Server service account and then click Advanced.
    7. Under the Permissions tab select the BlackBerry Enterprise Server service account and then select Edit.
    8. Under the Object tab in the Applies Onto list, select User Objects.
    9. Select the Send As check box.
    10. Click Apply, and then click OK.
    11. Close the Properties window, and then close Active Directory Users and Computers.

    Note: For additional methods of assigning the Send As permission, search for article 912918 in the Microsoft Support Knowledge Base.


    Task 6

    Stop all BlackBerry Enterprise Server services by completing the following steps:

    1. Open Administrative Tools > Services.
    2. Right-click each BlackBerry Enterprise Server service and then click Stop for each service.

    Task 7

    Configure any BlackBerry services that use the old BlackBerry Enterprise Server service account to log in with the new BlackBerry Enterprise Server service account by completing the following steps:

    Important: Do not include the BlackBerry Attachment Service, BlackBerry® Mobile Data System services, Apache Tomcat™ service, or BlackBerry Instant Messaging Connector in this procedure. These services are always set to the local system.

    1. Open Administrative Tools > Services, double-click a BlackBerry Enterprise Server service that has a Log On account, and click the Log On tab.
    2. Select the This account option, and then type the new BlackBerry Enterprise Server service account name.
    3. In the Password and Confirm Password fields, type the BlackBerry Enterprise Server service account password.
    4. Click Apply, and then click OK.
    5. Repeat steps 1 to 4 for each of the remaining BlackBerry Enterprise Server services that have a Log On account.
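
A check you can run after Task 7, as an added example that is not part of the original article: it lists each BlackBerry-related service with its state and Log On account, and flags any service still using the old account or any excluded service that is not on the local system account. The account names are placeholders, the display-name patterns are assumptions to adjust to the names shown in Services, and it assumes Windows PowerShell is installed on the server.

```powershell
# Added example (not from the original article).
# Placeholders: replace with the real old and new service account names.
$OldAccount = 'EXAMPLE\BESAdminOld'
$NewAccount = 'EXAMPLE\BESAdmin'

# Services the article says are always set to the local system:
# Attachment Service, Mobile Data System services, Apache Tomcat,
# Instant Messaging Connector. These display-name patterns are assumptions.
$LocalSystemOnly = '*Attachment*', '*Mobile Data*', '*MDS*', '*Tomcat*', '*Instant Messaging*'

function Get-BesLogonStatus($svc) {
    # Is this one of the services that must stay on the local system account?
    $localOnly = $false
    foreach ($pattern in $LocalSystemOnly) {
        if ($svc.DisplayName -like $pattern) { $localOnly = $true }
    }

    # StartName is the Log On account as stored by the Service Control Manager.
    if ($svc.StartName -eq $OldAccount) { return 'STILL ON OLD ACCOUNT' }
    if ($localOnly -and $svc.StartName -ne 'LocalSystem') { return 'SHOULD BE LOCAL SYSTEM' }
    if ($localOnly) { return 'OK (local system)' }
    if ($svc.StartName -eq $NewAccount) { return 'OK (new account)' }
    return 'REVIEW'
}

# State should read Stopped for every row until Task 12.
Get-WmiObject Win32_Service |
    Where-Object { $_.DisplayName -like 'BlackBerry*' -or $_.DisplayName -like '*Tomcat*' } |
    Select-Object DisplayName, State, StartName,
        @{ Name = 'Status'; Expression = { Get-BesLogonStatus $_ } } |
    Sort-Object Status, DisplayName |
    Format-Table -AutoSize
```

A row marked REVIEW is a service that uses neither the old nor the new account; confirm in Services whether it has a Log On account that Task 7 should have changed.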

    Task 8

    Export the Research In Motion folder from the old BlackBerry Enterprise Server service account.

    Note: To perform this task, you must be logged on using the account that was initially used to install the BlackBerry Enterprise Server software or service pack.

    Warning: The following procedure involves modifying the computer registry. This can cause substantial damage to the Microsoft Windows operating system. Document and back up the registry entries prior to implementing any changes.

    1. Log in to the old BlackBerry Enterprise Server service account.
    2. In the Registry Editor, go to HKEY_CURRENT_USER\Software\Research In Motion.
    3. Select the Research In Motion folder.
    4. Depending on the Windows environment, do one of the following:
      • For Windows Server 2003, select the File menu, and then click Export.
      • For Windows Server 2000, select the Registry menu, and then click Export Registry File.
    5. Choose a location to save the file, type a file name and click Save.
    6. Close the Registry Editor.

    Task 9

    Import the Research In Motion folder to the new BlackBerry Enterprise Server service account by completing these steps:

    Warning: The following procedure involves modifying the computer registry. This can cause substantial damage to the Microsoft Windows operating system. Document and back up the registry entries prior to implementing any changes.

    1. Log out of the current service account and log in with the new BlackBerry Enterprise Server service account.
    2. Locate the registry file you saved from Task 8.
    3. Double-click the registry file and it will import to the correct location in the registry.
    4. Open the Registry Editor.
    5. Confirm that the HKEY_CURRENT_USER\Software\Research In Motion directory exists.
    6. Close the Registry Editor.

    Task 10

    If you have a Microsoft SQL Server, assign the Server roles by completing the following steps:

    Note: If you are using MSDE, skip Task 10 and go to Task 11.

    1. In the SQL Enterprise Manager, go to Microsoft SQL Servers/SQL Server Group/<SQL_server_name>.
    2. Expand the Microsoft SQL Server and expand security.
    3. Right-click Logins and click New Login.
    4. On the General tab, click the button next to the Name field, as shown below:
    5. Select the new service account name from the Names list, click Add, and click OK.
    6. From the Server Roles tab, select Server Administrators and Database Creators from the Server Role list.

      Note: If you are running BlackBerry Enterprise Server software version 4.1 or later, add the System Administrators role to add BlackBerry smartphone users in a role-based administration environment. For instructions, see the BlackBerry Enterprise Server for Microsoft Exchange: System Administration Guide.

    7. On the Database Access tab, select the check box for the BlackBerry Configuration Database (for example, BESMgmt).
    8. In the Database Roles for <BlackBerry_Configuration_Database_name> list, select the db_owner check box.

    Task 11

    Edit the MAPI profile by completing these steps:

    1. Make sure BlackBerry Manager is closed.
    2. Click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
    3. On the BlackBerry Server tab, click Edit MAPI Profile.
    4. In the Mailbox field, type the new BlackBerry Enterprise Server service account mailbox name.
    5. Click Apply and then click OK.

    Task 12

    Start all BlackBerry Enterprise Server services by completing the following steps:

    1. In BlackBerry Manager, right-click the BlackBerry Enterprise Server name, and then select Service Control > Start Service for each of the following services in the following order:
      • BlackBerry Router
      • BlackBerry Dispatcher
      • BlackBerry Controller
      • all other BlackBerry Enterprise Server services
    2. After starting the services, close BlackBerry Manager.

      Note: BlackBerry Enterprise Server services can also be started in Administrative Tools > Services.

    Important: Restarting certain BlackBerry Enterprise Server services will delay email message delivery to BlackBerry smartphones. For more information, see KB04789.


    Additional Info

    Please note that if your organization uses a single domain or multiple domains that are trusted in an Exchange organization, one BlackBerry Enterprise Server service account is sufficient to manage the BlackBerry Enterprise Server.
