Friday, September 3, 2010

Configuring BlackBerry Enterprise Server 5.0 for Exchange 2010

In a change of pace today, I thought I'd blog about a recent work experience as it took me some time to collect all the nuggets of information together to be able to do what I needed to do.

Over the last several months, I've been slowly deploying a new Microsoft infrastructure. We're using Windows Server 2008 R2 as our Active Directory platform and have decided to deploy Exchange 2010 to replace our venerable Exchange 2003 messaging platform.

We will also install BlackBerry Enterprise Server 5.0. In preparation for that, we had to create a service account and grant it all the required permissions in Active Directory and Exchange 2010. While the overall procedure for doing this is nearly identical to how it is usually done with Exchange 2003, there were some slight differences for Exchange 2010.

If your organization is looking to deploy BlackBerry Enterprise Server 5.0 into an Exchange 2010 environment, it is my hope that this post will help those responsible for making it happen in their organization.

So, without further ado, here is the procedure I ended up having to use to configure the service account. I will use the standard BESAdmin account name in these steps.

Account Creation and Configuration

Create a new mailbox-enabled user named BESAdmin.
On an Exchange 2010 Server, open the Exchange Management Shell and execute the following set of commands:

Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Set-ADServerSettings -ViewEntireForest $true

Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"

Open Active Directory Users and Computers.
From the View menu, ensure Advanced Features is checked.
Right-click the Domain Name or Organizational Unit where Send As permissions are needed and select Properties.
Click the Security tab.
Click the Advanced button at the bottom of the Security tab.
Click the Add button, enter BESAdmin, and click OK.
Select Descendant User objects from the Apply onto: drop-down list.
Check the Allow box for the Send As permission in the permissions list.
Click OK.
Click Apply.
Click OK.
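As an added example (it is not from the original post, nor from RIM's guide), here is the same account setup as one script for the Exchange Management Shell. The Exchange cmdlets in it are the ones above. The Send As grant, however, is written through ADSI, which executes locally under your own logon token instead of through the proxied Add-ADPermission cmdlet, so it is the scripted equivalent of the Active Directory Users and Computers steps and needs no extra rights for the Exchange servers. The domain name, the two OU distinguished names and the UPN suffix are assumptions; adjust them for your forest.

```powershell
# Added example, not code from the original post or from RIM's guide.
# Run in the Exchange Management Shell on an Exchange 2010 server as an
# account that can create mailboxes and edit role groups in Exchange AND
# has "Modify permissions" on the target OU in AD.
# All names below are assumptions; change them for your forest.
$Domain   = "EXAMPLE"
$OuDn     = "OU=Service Accounts,DC=example,DC=com"   # assumed: where BESAdmin is created
$SendAsOu = "OU=Users,DC=example,DC=com"              # assumed: where Send As is needed
$Upn      = "BESAdmin@example.com"                     # assumed UPN suffix

# --- 1. Mailbox-enabled service account -----------------------------------
$pw = Read-Host -AsSecureString "Password for BESAdmin"
New-Mailbox -Name "BESAdmin" -Alias "BESAdmin" -UserPrincipalName $Upn `
    -OrganizationalUnit $OuDn -Password $pw -ResetPasswordOnNextLogon $false | Out-Null

# --- 2. Exchange-side rights. These cmdlets are proxied to the Exchange
#        server and executed by its computer account (Exchange Trusted
#        Subsystem); that is fine here because the targets are Exchange
#        configuration objects the server is allowed to write.
Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight `
    -ExtendedRights Receive-As, ms-Exch-Store-Admin | Out-Null
Set-ADServerSettings -ViewEntireForest $true
Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"

# --- 3. Send As on descendant user objects of an OU, written with YOUR
#        token via ADSI (runs locally, not through the remote session).
#        Equivalent of ADUC "Apply onto: Descendant User objects".
$sendAsRight = [Guid]"ab721a54-1e2f-11d0-9819-00aa0040529b"  # Send-As extended right (rightsGuid)
$userClass   = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # "user" class schemaIDGUID
$sid = (New-Object System.Security.Principal.NTAccount("$Domain\BESAdmin")).Translate([System.Security.Principal.SecurityIdentifier])
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $sendAsRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)
$ou = [ADSI]"LDAP://$SendAsOu"
$ou.ObjectSecurity.AddAccessRule($ace)
$ou.CommitChanges()

# --- 4. Verify: read the OU's DACL back and fail loudly if the explicit
#        Send-As ACE for BESAdmin, inherited by user objects, is not there.
$hit = $ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
       Where-Object { $_.IdentityReference.Value -eq $sid.Value -and
                      $_.ObjectType -eq $sendAsRight -and
                      $_.InheritedObjectType -eq $userClass }
if ($hit) { "Send As ACE for BESAdmin present on $SendAsOu" }
else      { throw "Send As ACE for BESAdmin missing on $SendAsOu" }
```

The check at the end is the one worth keeping: it only passes when the ACE sits on the OU (or domain) object with Send-As as the right and user as the inherited object type, which is exactly what the -Identity mistake described in the notes below gets wrong without producing an error.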

A couple of notes here before continuing.

First, the Set-ADServerSettings -ViewEntireForest $true call should only be needed if your Exchange 2010 server or the BESAdmin account lives in a child domain of a multi-domain forest: the Exchange 2010 RBAC role groups, View-Only Organization Management included, are universal security groups created in the forest root domain, and with the default domain-scoped view Add-RoleGroupMember may not resolve the group or the member. Also note that RIM's guide pipes the Receive-As and ms-Exch-Store-Admin grant from Get-MailboxDatabase, so the rights sit on each database and cover mailboxes created later; a per-mailbox grant piped from Get-Mailbox has to be re-run for every new mailbox and, by default, stops after the first 1,000 results.

Second, if you follow the installation guide from RIM for setting up the permissions in AD for Exchange 2010, it instructs you to execute a command similar to the following:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "DC=example,DC=com"

The big problem with this is that, by default, the command fails with an error. Exchange 2010 cmdlets run through remote PowerShell and RBAC, so the ACL write is not performed with the rights of the administrator who typed the command: it is performed by the Exchange 2010 server's computer account (a member of the Exchange Trusted Subsystem group), and that group has no permission to modify the DACL of the domain or organizational unit object. RIM's first recommendation, of course, is to grant the Exchange Servers group Full Control on all objects in AD. That is completely counter to the concept of least privilege (every Exchange server, and anything able to run code as one, could then change any object in the domain), which is why I provided the procedure for doing it through Active Directory Users and Computers: there the ACL is written directly under your own account, and the Exchange servers need no additional rights.

It's also important to note that the -Identity switch specifies the distinguished name of the domain or organizational unit to which you want to apply the Send As permission. I found forum and newsgroup threads where the administrator specified the distinguished name of the BESAdmin account with this switch and assumed it worked correctly because no error was returned. It did not: the ACE lands on the BESAdmin user object itself, which has no descendant user objects, so no mailbox gains the right. Whichever way you grant it, read the permission back afterwards, for example with Get-ADPermission against the OU's (or domain's) distinguished name filtered with -User BESAdmin, and confirm that the entry carrying Send-As in ExtendedRights is on the container and inherited by descendant user objects, not on the account.

Now that the service account is created and permissions have been configured, there are two final activities.

Account Throttling Policy Creation and Configuration

Execute the following commands in the Exchange Management Shell:

New-ThrottlingPolicy BESPolicy

Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null

Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy

RIM says this policy is necessary because Exchange 2010 uses throttling policies to track the resources each user consumes and enforces limits as necessary. RCAMaxConcurrency, the setting nulled here, caps the number of concurrent RPC Client Access connections per user (20 by default); setting it to $null removes the cap, and because the new policy is assigned only to the BESAdmin mailbox, every other user keeps the default policy. That behavior, RIM states, can affect the performance of BES negatively, which makes sense given that the one service account opens a session on behalf of every BlackBerry user. I find incredible mirth in the apparent contradiction here as I assume Microsoft implemented throttling to protect the performance and availability of Exchange. :)

Address Book Service Configuration

Download the Set-ThrottlingLimit.ps1 script from here.
In an elevated Exchange Management Shell, execute the following commands:

Set-ExecutionPolicy Unrestricted

.\Set-ThrottlingLimit.ps1 -Server [CAS Server] -MaxSessionsPerUser "100000"

Set-ExecutionPolicy RemoteSigned

In place of [CAS Server] use the name of a Client Access Server in your Exchange 2010 environment (e.g., -Server MYCASSERVER). You'll have to execute this command once for each CAS server.

As an alternative to modifying the execution policy of the server, you can right-click the downloaded script file, open Properties and click Unblock on the General tab: that clears the Zone.Identifier mark on which RemoteSigned refuses unsigned downloaded scripts, so the script then runs under the existing RemoteSigned policy. If you do change the policy, Set-ExecutionPolicy -Scope Process confines the change to the current shell rather than leaving the machine-wide setting at Unrestricted between the two commands above.

Once again, though, RIM needs to circumvent Exchange performance and availability protection by increasing the default number of sessions opened with the Address Book service on each CAS Server by the BlackBerry Enterprise Server from 50 to 100,000.

And that's it. :)

Resources

BlackBerry Enterprise Server for Microsoft Exchange Installation and Configuration Guide
Unable to assign "Send As" rights to Organization Units in Microsoft Exchange Server 2010
