Category Archives: BlackBerry

Why are whole countries banning BlackBerrys when US’ Barry insists on keeping his?

“It’s official: Saudi Arabia bans BlackBerrys

By Nate Anderson | The rumors are true: Saudi Arabia has become the second country inside of a week to block access to Research in Motion’s BlackBerry devices on grounds of national security.”

http://arstechnica.com/gadgets/news/2010/08/its-official-saudi-arabia-bans-blackberries.ars

Barry on Berry – http://fightidentitytheft.com/blog/obamas-blackberry-security-strategy

“When Barack Obama famously refused to relinquish his treasured BlackBerry, he became the first president in American history to use email while in office. He will also be the first to have to worry about personal internet security.”

BES, BESX, BESE, BPS …user with admin rights

subtitle “Send As issue with Administrator accounts
(users who are Enterprise and/or Domain Administrator accounts)”

for a long while there has been a known issue whenever BlackBerry Server (whatever flavor) is configured for a user with admin rights.  The workaround is below and is primarily credited to awesome Aussie Gary Cutri’s work:

GaryCutri (Moderator, blackberryforums.com.au):

To correct the "Send As" issue I have outlined the steps I use to quickly resolve this issue:

1. Stop the Blackberry Router service.

2. Open Active Directory and from the View menu select "Advanced Features". Then go to each user that will be added to the BES and open their properties, go to the security tab and add the user BESadmin and add the security permission "Send As".

3. Run the following script logged on as Administrator

Note: Only use this step if you have BlackBerry users that are members of Admin groups. Using best practice methods it is recommended that mobile user accounts aren’t members of any administration groups.

dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=com" /G "DOMAINNAME\BESadmin:CA;Send As"

Example 1: dsacls "cn=adminsdholder,cn=system,dc=experts-exchange,dc=com" /G "EXPERTS_EXCHANGE\BESadmin:CA;Send As"

Example 2: dsacls "cn=adminsdholder,cn=system,dc=blackberryforums,dc=com,dc=au" /G "BLACKBERRYFORUMS\BESadmin:CA;Send As"

Example 3: dsacls "cn=adminsdholder,cn=system,dc=mobilenetwork,dc=local" /G "MOBILENETWORK.local\BESadmin:CA;Send As"

NOTE: dsacls can be found in the Windows Server 2003 SP1 Support Tools pack: Download details: Windows Server 2003 Service Pack 1 32-bit Support Tools

4. Wait 20 minutes and then restart the BlackBerry Router service.

5. Restart the BES server.

Pasted (with minor edits) from <http://www.blackberryforums.com.au/forums/microsoft-exchange/1178-unlisted-message-error-desktop-email-program-unable-submit-message.html>

**** So why are all the waiting and restarting steps above needed? …read more ****

Re: AdminSDHolder

The AdminSDHolder container is a special container object inside of the System container in Active Directory. The basic function of AdminSDHolder is exactly what it says it does – it holds the Access Control List (ACL) for every admin account. This container is just a template. Once every hour, the DC that holds the PDC Emulator role goes through every account that is in built-in Administrators group and checks the ACL for each user object. It compares this ACL to that of the AdminSDHolder container and if any Access Control Entry (ACE) is different, it rips out the old ACL and copies the ACL from the AdminSDHolder over to it.

The purpose of AdminSDHolder is to prevent against a specific attack scenario. Active Directory is extremely flexible down to its most granular level. Because of this, a user can have ‘write access’ to anything inside of a specific OU. If an admin account is moved to an OU that a non-admin has rights to, he could give himself privileged access to the admin account. AdminSDHolder tries to prevent this from happening by continuously refreshing the ACL on an admin account.

Re: Stopping the BlackBerry Router Service

Stopping the BlackBerry Router allows the Exchange Servers to clear the cached permissions for the BlackBerry Enterprise Server administration account. I am currently investigating various methods to expedite this process (e.g. restarting the Information Store Service).

Pasted from <http://www.blackberryforums.com.au/forums/microsoft-exchange/1178-unlisted-message-error-desktop-email-program-unable-submit-message.html>
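Added example, not code from the forum post or from RIM: a PowerShell check that verifies the "Send As" ACE for the BES account on the AdminSDHolder template (step 3 above) and on every protected admin user, which shows whether SDProp has propagated it yet and explains the waiting. It assumes PowerShell 3.0 or later with the ActiveDirectory module; the account name is a placeholder.

```powershell
# Added example, not code from the forum post. Verifies the "Send As" ACE for the
# BES service account on the AdminSDHolder template and on every protected
# (adminCount=1) user, so you can see whether SDProp has propagated it yet.
# Assumes PowerShell 3.0+ and the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$BesAccount = 'DOMAINNAME\BESadmin'                              # placeholder service account
$SendAsGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'       # well-known Send-As extended right

function Test-SendAsAce {
    param([string]$DistinguishedName, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # An Allow ACE for the account that grants ExtendedRight with the Send-As object GUID.
    # An empty ObjectType means "all extended rights" (e.g. Full Control), so it counts too.
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 -and
        ($_.ObjectType -eq $SendAsGuid -or $_.ObjectType -eq [Guid]::Empty)
    }
    return [bool]$hit
}

$domainDn = (Get-ADDomain).DistinguishedName
$holderDn = "CN=AdminSDHolder,CN=System,$domainDn"

# The template: if the ACE is missing here, SDProp strips Send As from every admin again.
"AdminSDHolder grants Send As to ${BesAccount}: $(Test-SendAsAce $holderDn $BesAccount)"

# Each protected account: SDProp on the PDC emulator copies the template ACL onto these,
# so a user still showing False has simply not been refreshed yet.
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    [pscustomobject]@{
        User   = $_.SamAccountName
        SendAs = Test-SendAsAce -DistinguishedName $_.DistinguishedName -Identity $BesAccount
    }
} | Format-Table -AutoSize
```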

BESX – BlackBerry Enterprise Server Express

Subtitled – Woh! BESE

Going through a BESE installation I’ve noticed a few things I wished someone had shared with me beforehand and so I’ll share them for anyone who hasn’t installed this software so you can be better prepared.

First, don’t rely on the BlackBerry written instructions; use them only as a supplement, if at all.  Instead use the new BlackBerry step-by-step video; it covers in detail the steps that are vague or inaccurate in the written tutorial.  Both are found off the BESX software page’s link for documents.  The video also lets you specifically choose an SBS installation walkthrough, which isn’t covered at all in the written version.

  • The written instructions leave a lot of information out (If you never did this before you would be scratching your head in the configuring Exchange System Manager parts)
  • The instructions are not written for SBS where Exchange sits on the Domain Controller
    • not a Workgroup computer
    • no Local Admin group (use Built In -> Administrators instead)
    • cannot set Log on Locally or Run as Service in Secpol.msc (use the Domain Controller Security Policy found through Administrator Tools)
  • Java hasn’t been at version 6 v15 for some time and the installer didn’t detect that the current 6 v20 was there
    • so stupid installer installs an insecure version of Java anyway (which I’ll have to remove)

BESE install

Once through with the database portion of the checklist the server has to reboot.  Once it is back up and you are signed in with the newly created BB account, you finish the installation.  The SRP info and BlackBerry CAL information were given to you online at the time you registered for the download.  If you didn’t follow those directions to record them then you will have to go back online and attempt to retrieve them.

When I got to the Start Services portion nothing was starting up.  I manually went into the Services.msc console and started each and every service successfully.  It took awhile for the BB installer to recognize that all the services were running and then I was given the option to Finish.

Following this you will hopefully succeed in seeing a web based UI to add a User so you can use this crappy program.  Did I say that?  sorry

For my first go it was a 3-hour ordeal.   BlackBerry needs to continue to improve the initial installation/activation process on their software IMHO or they will get forgotten in favor of the very simple to configure iPhone/Android phones with Exchange ActiveSync.

Blackberry Server Software, MDS, & Java Update Mayhem

A fundamental relationship exists between BlackBerry server software and the Java Runtime Environment (JRE).  This relationship specifically relates to the BlackBerry MDS Connection Service.   It becomes very apparent whenever, on the related server, you update Java to a current version and remove the older version(s); since Java version 6.10 the Java installer performs this cleanup of older versions automatically.  Without the correct pointer to the latest Java version, the BlackBerry MDS Connection Service is effectively broken.  The pointer is a registry entry that refers to the jvm.dll file of a version of Java you have installed.  Note – if you have multiple versions of Java then you have multiple jvm.dll files on your system.

It’s been a little while since I originally posted on this; in fact, since then RIM has introduced some new server products that are basically all the same code foundation.  This means that the same solution still applies wherever MDS is involved.  Perhaps in the future RIM will find a way to automatically make the adjustment, but for now you will have to do the steps yourself.  The nice thing, as you will see below, is that Java may help by using a consistent path with updates of the same version.

The path to the Java jvm.dll file has been changed; the new path is:

C:\program files\java\jre6\bin\client\jvm.dll


Use this link to the previous article for the outline of the registry editing steps involved:

http://duitwithsbs.wordpress.com/2008/08/05/bmds-errors-galore-after-removing-old-java-version-from-bes-server/
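Added example, not code from the post or from RIM: a PowerShell script that checks whether the MDS registry pointer still names a jvm.dll that exists after a Java update, lists the installed client VMs, and can rewrite the pointer to the newest one. The registry key and value names are placeholders (take the real ones from the linked article); it assumes PowerShell 2.0 or later run elevated on the BES server.

```powershell
# Added example, not code from the post or from RIM. After a Java update, checks
# that the registry pointer the BlackBerry MDS Connection Service uses still names
# a jvm.dll that exists, and lists the installed client VMs it could point to.
# The key and value names are PLACEHOLDERS; take the real ones from the linked
# registry-editing article. Run elevated on the BES server (PowerShell 2.0+).
param(
    [string]$RegistryPath = 'HKLM:\SOFTWARE\PLACEHOLDER\MDS Connection Service',  # placeholder
    [string]$ValueName    = 'PLACEHOLDER_JvmDllValue',                             # placeholder
    [switch]$Fix          # rewrite the pointer to the newest installed client jvm.dll
)

function Get-InstalledClientJvm {
    # Each installed JRE/JDK ships its own jvm.dll; the path in the post is the client VM.
    Get-ChildItem -Path "$env:ProgramFiles\Java" -Recurse -Filter jvm.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -like '*\bin\client' } |
        Sort-Object LastWriteTime -Descending
}

$current    = (Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction Stop).$ValueName
$candidates = @(Get-InstalledClientJvm)

if ($current -and (Test-Path -LiteralPath $current)) {
    "OK: MDS jvm.dll pointer '$current' exists"
} else {
    "BROKEN: pointer '$current' does not exist (old Java version removed?)"
    if ($candidates.Count -eq 0) { throw "No client jvm.dll found under $env:ProgramFiles\Java" }
    $newest = $candidates[0].FullName
    "Newest installed client jvm.dll: $newest"
    if ($Fix) {
        Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $newest
        "Pointer updated; restart the BlackBerry MDS Connection Service."
    }
}
```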

How to troubleshoot the POP3 Connector in Windows Small Business Server 2003

Since the subject occasionally comes up with new SBS clients who use POP and are transitioning to SMTP, you will likely see errors in the monitoring reports related to the POP3 Connector from time to time.  This article expounds on the subject.

How to troubleshoot the POP3 Connector in Windows Small Business Server 2003

One interesting point I discovered while reading this today is that CDO (Collaborative Data Objects) is used to retrieve and transfer the POP mail to the SMTP side of Exchange.  CDO is also mentioned in BlackBerry documentation for the current 4.1.6 upgrade, in the list of Windows patches recommended to be installed in preparation.

Exchange 2003 CDO Patch 6980.3 KB823343-x86

POP3 Connector overview

When you use the POP3 Connector to retrieve e-mail, the following mail-flow process occurs:

1. The Connector for POP3 Mailboxes service connects to and logs on to the remote POP3 server.

2. The Connector for POP3 Mailboxes service downloads e-mail messages and stores them in the following folder:

%PROGRAMFILES%\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail

3. When all the e-mail has been downloaded from the remote POP3 server, Collaborative Data Objects (CDO) on the Windows Small Business Server-based computer retrieves the e-mail messages from the Incoming Mail folder. The headers of these e-mail messages are modified to indicate that the e-mail messages will be directed to a local Exchange mailbox, and then the e-mail messages are saved to the following folder:

%PROGRAMFILES%\Exchsrvr\Mailroot\vsi 1\PickUp

4. If CDO cannot move an e-mail message to the PickUp folder, the e-mail message is put in the following folder instead:

%PROGRAMFILES%\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail

5. If an e-mail message is corrupted, it may not be moved to the Failed Mail folder. In this scenario, the corrupted e-mail message remains in the Incoming Mail folder.

6. All the e-mail messages that are in the PickUp folder are processed by the local SMTP service and are delivered to the appropriate recipient.

When you use the POP3 Connector to retrieve e-mail messages, those e-mail messages are not processed by any of the following Microsoft Exchange Server 2003 components:

  • Recipient Filtering
  • Sender Filtering
  • Connection Filtering
  • The Intelligent Message Filter add-in

Because the POP3 Connector uses CDO to transfer e-mail messages to the SMTP PickUp folder, these e-mail messages bypass the filtering mechanisms that Exchange 2003 contains.
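Added example, not code from the KB article or from Microsoft: a PowerShell report over the three pipeline folders the article names (Incoming Mail, PickUp, Failed Mail), so a POP3 Connector error in the SBS monitoring report can be tied to the stage where mail is stuck, including the corrupted-message case of step 5 that never reaches Failed Mail. It assumes the default SBS 2003 paths and PowerShell 2.0 or later; the 30-minute threshold is an assumption.

```powershell
# Added example, not from the KB article. Reports backlog per POP3 Connector stage
# folder so a stuck message (e.g. a corrupted one left in Incoming Mail) is visible.
# Assumes default SBS 2003 paths; PowerShell 2.0 compatible for an SBS 2003 box.
$Stages = @(
    @{ Name = 'Incoming Mail (downloaded, awaiting CDO)'; Path = "$env:ProgramFiles\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail" },
    @{ Name = 'PickUp (handed to local SMTP)';            Path = "$env:ProgramFiles\Exchsrvr\Mailroot\vsi 1\PickUp" },
    @{ Name = 'Failed Mail (CDO could not move)';         Path = "$env:ProgramFiles\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail" }
)
$StuckAfterMinutes = 30   # assumption: a file older than this has not been picked up by the next stage

function Get-Pop3StageReport {
    param($Stages, [int]$StuckAfterMinutes)
    $cutoff = (Get-Date).AddMinutes(-$StuckAfterMinutes)
    foreach ($stage in $Stages) {
        # Files only; a missing folder (e.g. PickUp on a non-default install) just reports zero.
        $files = @(Get-ChildItem -Path $stage.Path -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })
        $oldest = $null
        if ($files.Count -gt 0) { $oldest = @($files | Sort-Object LastWriteTime)[0].LastWriteTime }
        # Old files in Incoming Mail are the signature of step 5: corrupted mail CDO never moves.
        $stuck = @($files | Where-Object { $_.LastWriteTime -lt $cutoff }).Count
        New-Object PSObject -Property @{
            Stage  = $stage.Name
            Count  = $files.Count
            Stuck  = $stuck
            Oldest = $oldest
        }
    }
}

Get-Pop3StageReport -Stages $Stages -StuckAfterMinutes $StuckAfterMinutes |
    Select-Object Stage, Count, Stuck, Oldest | Format-Table -AutoSize
```

A non-zero Stuck count in Incoming Mail with an empty Failed Mail folder points at step 5, while a growing PickUp folder means the local SMTP service, not the connector, is the bottleneck.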