Exchange 2013 and BES 5

If you work for a company that supports BlackBerry ‘smartphones’, you know that Exchange upgrades need to be planned: make sure you have all your prep work done, and possibly even have some testing done. With previous versions of Exchange the preparation work was very similar, with some minor tweaks for the different versions of Exchange (like a throttling policy for Exchange 2010). With all the changes under the hood for Exchange 2013, making BES work with the new version is now a bit of an experience. A quick search of tech forums reveals the frustration with migrating to Exchange 2013 and BES.

I personally experienced issues during a recent customer migration from Exchange 2007 to Exchange 2013. Luckily for me I only had 3 BlackBerry users who were affected… yet the same users were the owners of the company. This brings us to the meat of this article. Here are the steps, along with information gathered from a support call to RIM because of weird issues we were having.

For this upgrade the customer was upgrading from Exchange 2007 to Exchange 2013. Public Folders existed in Exchange 2007. These folders would be moved to 2013 when all users had been moved from Exchange 2007 to Exchange 2013.

So what steps did I initially take to prep Exchange 2013 for the BES users?

These articles provide the base setup for BES. Or so I thought. No joy with the BlackBerry users who were migrated. The BlackBerry Administrative Service (BAS) showed the users as “failed to start” instead of “started”. So what was up? Well, the best place to start with BES is to double-check your setup. So I reviewed the articles and everything looked correct.

The next step in troubleshooting BES is to review the logs that are on the server. Where are the logs? Usually in “\Program Files\Research In Motion\BlackBerry Enterprise Server\Logs\”. From here you can see that there are a lot of log types to review. Which ones do we look at? “_MAGT_01_20130901_0005.txt” (the key being MAGT_01) will give us a good place to start. On the server I was working with, this is what I was seeing:

[Image: MAGST-File]


The error I was most concerned with was “OpenMsgStore (0x8004011d) failed”. This seemed to indicate a permissions issue with the BES user with its rights to the user mailbox. Opening up ADUC and checking the security tab on the user account revealed that the BESAdmin account did have SendAs rights like it should have. Verified permissions in PowerShell as well to all the databases (See here for links to the PowerShell commands). So what was going on? The user account was not in any special admin groups, nor was the “Inherit permissions” checkbox unchecked. What do we do next?
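The manual checks described above (Send-As for the BES service account, protected admin group membership, blocked inheritance, and rights on each database) can be repeated in one pass from the Exchange Management Shell. This is an added example, not code from the original post or from RIM; the mailbox alias `jdoe` is a placeholder, and it assumes the ActiveDirectory module is installed on the same host.

```powershell
# Added example. Run in the Exchange Management Shell on a host that also has
# the ActiveDirectory module. 'jdoe' is a placeholder mailbox alias.
param(
    [string]$ServiceAccount = 'BESAdmin',
    [string]$Mailbox        = 'jdoe'
)
Import-Module ActiveDirectory

$mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop

# Send-As entries for the service account on the user object. A Deny entry
# overrides an Allow, so collect both kinds before judging the result.
$sendAs = @(Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object { $_.User -like "*$ServiceAccount*" -and $_.ExtendedRights -like '*Send-As*' })

# Two conditions that undo a Send-As grant: the user belongs (or once belonged)
# to a protected admin group (adminCount = 1), or inheritance is blocked on
# the user object.
$adUser = Get-ADUser -Identity $mbx.SamAccountName -Properties adminCount
$acl    = Get-Acl -Path ("AD:\" + $mbx.DistinguishedName)

[pscustomobject]@{
    Mailbox            = $mbx.Alias
    SendAsAllow        = [bool]($sendAs | Where-Object { -not $_.Deny })
    SendAsDeny         = [bool]($sendAs | Where-Object { $_.Deny })
    AdminCount         = $adUser.adminCount
    InheritanceBlocked = $acl.AreAccessRulesProtected
}

# Every right the service account holds on each mailbox database the shell
# returns, so a database that was missed or carries a Deny stands out.
Get-MailboxDatabase | ForEach-Object {
    $db   = $_
    $aces = @(Get-ADPermission -Identity $db.DistinguishedName |
        Where-Object { $_.User -like "*$ServiceAccount*" })
    if (-not $aces) {
        [pscustomobject]@{ Database = $db.Name; Deny = $null; Inherited = $null; Rights = 'NONE FOUND' }
    }
    foreach ($ace in $aces) {
        [pscustomobject]@{
            Database  = $db.Name
            Deny      = $ace.Deny
            Inherited = $ace.IsInherited
            Rights    = (@($ace.ExtendedRights) + @($ace.AccessRights) | Where-Object { $_ }) -join ', '
        }
    }
} | Format-Table -AutoSize
```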

Recreate the MAPI Profile

To recreate the profile, open up the “BlackBerry Server Configuration” which is located at Start – All Programs – BlackBerry Enterprise Server. Click on the BlackBerry Server tab and edit the profile. Make sure that Check Name works. In my case it did.

Move the Mailbox to Exchange 2013

I then tried moving the mailbox to the Exchange 2013 server. Once it was moved over there, I changed the MAPI Profile to make sure it pointed to the Exchange 2013 server. Remember that the server name for 2013 is not a nice and easy FQDN or simple name; you need the GUID. If you do not know what it is, open up a mailbox with Outlook that is on 2013 and look to see what the properties of Mailbox Server are. That is the GUID you need. So once you make the move, change the GUID, hit Check Names, and restart the server.

Still no good. Same errors. What next?

Tools

BES has some tools that can be used to check the connectivity of your MAPI profile to Exchange. If you look in the “\Program Files\Research In Motion\BlackBerry Enterprise Server\Utility” directory you will see some tools. IEMSTest.exe is the tool we need for this test. When run, you will be prompted for the MAPI profile you wish to use and then you select the mailbox you want to test. After doing so, it will perform various tests like permission checks and calendar validation. When I ran it I basically received an error that said I did not have the correct permissions in AD. However, I had validated and (not mentioned above) I had also run the RIM tool for setting the SendAs permissions manually.

New BES Admin Account

At this point I decided just to create a new account. Went through all the above steps including a new MAPI Profile. All the same results.

So what was up? Decided to give RIM a call to see what we were missing.

Level 1 support was the typical scripted approach that took 2 hours to get through. We finally gave up and asked for level 2. With level two support they confirmed a lot of the settings we already had, but also suggested a couple of additional ones. Now these were similar to ones I had looked at before with disabling Public Folder lookups, but we had missed some more steps that are not clearly stated in the Exchange 2013 guides that are out there. The article that you need to look at is this one:

How to turn On Global Catalog referrals on BlackBerry Enterprise server.

Once these registry changes were made, and the value for the RPCHTTPProxyMap_BES setting was changed to look more like smtpdomain=https://owa-fqdn instead of *=https://owa-fqdn, everything worked. The key seems to have been the registry entry here for LDAP lookup and this particular entry for disabling Public Folders.

Summary of my changes
Upgraded BES to 5.0.4 [5.0 Service Pack 4]
Installed MR 4 [5 was out, but I figure staying back one would be ideal]
Follow this article – http://www.blackberry.com/btsc/KB33406
Follow this article – http://www.blackberry.com/btsc/KB33413
Follow this article – http://www.blackberry.com/btsc/KB16118

The key is making sure BES is using LDAP and EWS, and disabling Public Folder lookups.

Upgrade Notes
Let me preface this section with a quick note of warning. Some of the changes we made may disconnect users from the 2007 environment that your users are connected to at the time of your upgrade. To mitigate this, the suggested solution is to build another server, perform the steps above with a new service account. Then use the Transporter Suite from RIM to move your users over to the new BES server.

The other choice is to move to BES 10 or completely abandon BES for ActiveSync with a BYOD policy.

Let me know if you had a different experience with your BES migration to 2013.


5 thoughts on “Exchange 2013 and BES 5”

    • Exactly. This is an article that RIM support referenced directly when troubleshooting the Exchange 2013/BES issues a client of mine was experiencing. The article is still apparently valid for Exchange 2013 and not just for Exchange 2010.

  1. We’ve certainly found this process to be troublesome. Some things work for some environments and some work for others. We are also running E2007 & 2013, and have built a new BES for our Blackberrys to be migrated to when their mailbox is moved to E2013.

  2. Thank you for this article – very helpful. I now have BES users co-existing on Ex2010 and Ex2013 with a different BES 5.0.4 server for each. To move users I first assign the new server (via the link to do this in BAS – not using transporter), then migrate the Exchange mailbox from 2010 to 2013 (already have it auto-suspended, just complete the migration job), then run handheldcleanup.exe (to get BES to recognize the new messaging server). In some cases I have found that I need to manually re-push IT policy to the device. So far I have moved about 40 users seamlessly from 2010 to 2013 this way. FYI, during setup of the new BES server and profile I encountered the same error as you in the MAGT log (as you have pictured above) when testing via IEMStest. The processes in the attached articles got me through it. Thanks again.

  3. Thank you for this helpful article. Did you have to reactivate BlackBerry devices when the migration completed?
