07-16-2006, 09:38 PM
|
#1
|
New Member
Join Date: Jul 2006
Model: 8800
Carrier: ATT/Cingular
Posts: 4
|
Will BESAdmin = Administrator be a problem?
Hello - first post, so try to be kind....
Running SBS2003 SP1 Premium (Exchange 2003 SP2, SQL Server 2000 SP4, ISA Server 2004).
Is it technically feasible to use the Administrator account as the BES service account? Or is it just not advisable for security reasons?
Anyone have it working using the Administrator account without creating a BESAdmin account? I have it "working", but there are a few outstanding issues that need fixing.
So, just thought I would ask if what I am trying to do is even possible before I roll up my sleeves on the issues.
Thanks in advance.
Keith
|
|
07-16-2006, 10:51 PM
|
#2
|
Knows Where the Search Button Is
Join Date: Jun 2006
Model: 7290
Posts: 39
|
Can you tell us what is the issue? Hopefully we can provide you with the right solution...
|
|
07-16-2006, 11:35 PM
|
#3
|
Retired BlackBerryForums.com Moderator
Join Date: Oct 2005
Location: Columbus, OH
Model: 9700
OS: SID 6.7
Carrier: AT&T
Posts: 4,455
|
Why would you want to use the Administrator account? Best practice is to use the account with the least required rights to do the job, i.e. BESAdmin.
|
|
07-17-2006, 03:01 AM
|
#4
|
Talking BlackBerry Encyclopedia
Join Date: Jul 2006
Location: Up North - UK
Model: 8320
Carrier: T-Mobile UK
Posts: 265
|
Quote:
Originally Posted by d_fisher
Why would you want to use the Administrator account? Best practice is to use the account with the least required rights to do the job, i.e. BESAdmin.
|
I could not get things working properly when I used a BESAdmin account for the MAPI connection. There were some permission problems. I did some reading and adjusted permissions as suggested but could not get it working.
I tried with the Administrator account and it seems to work ok.
However I realise this may not be the best way to leave it running?
Mike
|
|
07-17-2006, 02:03 PM
|
#5
|
Talking BlackBerry Encyclopedia
Join Date: Feb 2005
Model: 7280
Carrier: cingular, no wait, AT&T
Posts: 300
|
I recommend creating the user accounts like the manuals say (or used to say, at least... 3.6 specified a few user accounts to create and use).
|
|
07-17-2006, 10:18 PM
|
#6
|
New Member
Join Date: Jul 2006
Model: 8800
Carrier: ATT/Cingular
Posts: 4
|
Quote:
Originally Posted by andidarmali
Can you tell us what is the issue? Hopefully we can provide you with the right solution...
|
The only thing that doesn't work is Calendar sync, but only in one direction. The calendar syncs from Outlook to Handheld, but NOT from Handheld to Outlook.
The BES error log entries, associated with the MS event 20216 "Sync Failed" entries, clearly state "You do not have permission to log on", but I am at a loss as to where to look to resolve this permissions issue.
The BES is performing all the other syncs (contacts, tasks, notes) in both directions and sending and receiving mail on the handheld is flawless.
Given the MS critical updates of May 9 and how that impacted BES permissions, it seems that creating the separate BESAdmin account will end up being the best path to take.
So, even though I would love to resolve this one (so close, yet so far away), I think I will create the BESAdmin account and reinstall, while I still have the chance to do it before this Small Business Server goes into production.
Thanks,
Keith
|
|
07-18-2006, 07:04 AM
|
#7
|
Talking BlackBerry Encyclopedia
Join Date: Apr 2006
Location: Canton, Mi
Model: 9000
Carrier: AT&T
Posts: 218
|
I run BES under the domain admin account. No issues with me. My BES is running on a member server not hosting AD. I have zero issues. RIM told me I should change it, but did not tell me why. Only that it is preferred to do it that way. Supposedly, using the admin account could cause issues if you go over 100 users on BES. Since I have less than 15, I never made the change.
|
|
07-18-2006, 08:11 AM
|
#8
|
Talking BlackBerry Encyclopedia
Join Date: Jul 2006
Location: Up North - UK
Model: 8320
Carrier: T-Mobile UK
Posts: 265
|
Quote:
Originally Posted by KeithWeldon
The only thing that doesn't work is Calendar sync, but only in one direction. The calendar syncs from Outlook to Handheld, but NOT from Handheld to Outlook.
The BES error log entries, associated with the MS event 20216 "Sync Failed" entries, clearly state "You do not have permission to log on", but I am at a loss as to where to look to resolve this permissions issue.
The BES is performing all the other syncs (contacts, tasks, notes) in both directions and sending and receiving mail on the handheld is flawless.
Given the MS critical updates of May 9 and how that impacted BES permissions, it seems that creating the separate BESAdmin account will end up being the best path to take.
So, even though I would love to resolve this one (so close, yet so far away), I think I will create the BESAdmin account and reinstall, while I still have the chance to do it before this Small Business Server goes into production.
Thanks,
Keith
|
Hi Keith,
I had this error at first, I found some info which helped me fix it, I have the document at home (I printed it out!).
It was something to do with adjusting the permissions for the Administrator I seem to recall.
Mike
|
|
07-18-2006, 09:17 AM
|
#9
|
Knows Where the Search Button Is
Join Date: May 2006
Location: Miami, FL
Model: 8700
Posts: 23
|
Quote:
Originally Posted by ld-runner
I run BES under the domain admin account. No issues with me. My BES is running on a member server not hosting AD. I have zero issues. RIM told me I should change it, but did not tell me why. Only that it is preferred to do it that way. Supposedly, using the admin account could cause issues if you go over 100 users on BES. Since I have less than 15, I never made the change.
|
I speak from experience. This is a BAD idea. If you get any corruption in your AD database you are screwed! I recently, last week, had this issue. ALL of my admin accounts were locked out due to security corruption. The besadmin account was the only account I could log in with. It was because it was not a member of the Domain Admins group. I was able to reset my security using a KB article from Microsoft (KB313222). Having the besadmin account at a lower security level kept me from having to restore from backup.
-James
P.S. I am running BES 4.0 SP4 on Windows Server 2003 SP2.
|
|
07-18-2006, 09:23 AM
|
#10
|
Talking BlackBerry Encyclopedia
Join Date: Apr 2006
Location: Canton, Mi
Model: 9000
Carrier: AT&T
Posts: 218
|
If my AD ever took a dump, I'd have bigger things to worry about than BES. lol. The issue with RIM is probably more about security than having a user account that you can log in with in the event of AD corruption.
|
|
07-18-2006, 09:50 AM
|
#11
|
Knows Where the Search Button Is
Join Date: May 2006
Location: Miami, FL
Model: 8700
Posts: 23
|
Quote:
Originally Posted by ld-runner
If my AD ever took a dump, I'd have bigger things to worry about than BES. lol. The issue with RIM is probably more about security than having a user account that you can log in with in the event of AD corruption.
|
LOL, I agree, I did not mean to imply that that was their (RIM's) reasoning. It just was a good thing I did it "by the book." It saved my a** because it was the one account I could use. I am sure you are correct. You do not want the besadmin account or any account for that matter to have higher security than necessary as a best practice anyway.
-James
|
|
07-19-2006, 05:44 PM
|
#12
|
New Member
Join Date: Jul 2006
Model: 8800
Carrier: ATT/Cingular
Posts: 4
|
BES Express on SBS2003 SP1 Premium - Piece of Cake!!
Everyone has been so helpful, I can't begin to thank you all enough.
I thought I would report back on my success at installing BES 4.1 Express on a Microsoft Small Business Server 2003 Premium Edition with SP1.
First, I restored the pre-production SBS to just before my ill-fated attempt to use the Administrator's account as the BES service account.
Then, as outlined in Section 3 of the BES for MS Exchange Version 4.1 Installation Guide, I created a BESAdmin account with appropriate rights.
The install went as smooth as silk.
Then after adding BESAdmin to my handheld user's security settings to deal with Microsoft's sabotage, I deployed the handheld and voila! A typically wonderful BlackBerry experience.
Gotta just LOVE that BlackBerry Enterprise Server!!
Again, THANKS TO EVERYONE!!
Keith
P.S. anyone interested in a write up of the installation, which includes screen shots, just give me a holler and I would be happy to share.
|
|
07-25-2006, 05:08 AM
|
#13
|
Knows Where the Search Button Is
Join Date: Jul 2006
Location: Bristol - UK
Model: 8800
Carrier: Orange
Posts: 45
|
Keith - IM Sent....
Have IMed you Keith re: your guide
|
|
07-25-2006, 08:26 AM
|
#14
|
New Member
Join Date: May 2006
Model: 8700g
Posts: 4
|
Hi,
I'd love to see a copy of your guide Keith - in particular the permission requirements for the Besadmin account pre BES install.
|
|
07-25-2006, 12:00 PM
|
#15
|
CrackBerry Addict
Join Date: Mar 2005
Model: 8800
Carrier: Rogers
Posts: 597
|
Just so you know, the reason you were getting permissions failures with the Administrator account is because Exchange denies send as/receive as to domain admins.
This is a very common issue. People put BESAdmin in the Domain Admins group and BES no workey. Take them out of Domain Admin and put in local Admin and Domain Users, works fine for setting send as/receive as permissions.
Zro
|
|
07-26-2006, 12:46 AM
|
#16
|
New Member
Join Date: May 2006
Model: 8700g
Posts: 4
|
Hi,
Thanks for that - still having a problem with the installation.
All is ok until I get to the [Database Setting] step, when it gets to create the db BESMgmt I get an error
"DB upgrade failed. Error executing an SQL statment"
And it lets me get no further - any ideas?
Quote:
Originally Posted by Zro
Just so you know, the reason you were getting permissions failures with the Administrator account is because Exchange denies send as/receive as to domain admins.
This is a very common issue. People put BESAdmin in the Domain Admins group and BES no workey. Take them out of Domain Admin and put in local Admin and Domain Users, works fine for setting send as/receive as permissions.
Zro
|
|
|
07-26-2006, 09:06 AM
|
#17
|
CrackBerry Addict
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
|
You don't have system admin permissions over SQL most likely. What type of authentications are you using? Windows or SQL?
Quote:
Originally Posted by fushwabo
Hi,
Thanks for that - still having a problem with the installation.
All is ok until I get to the [Database Setting] step, when it gets to create the db BESMgmt I get an error
"DB upgrade failed. Error executing an SQL statment"
And it lets me get no further - any ideas?
|
|
|
07-26-2006, 02:56 PM
|
#18
|
New Member
Join Date: May 2006
Model: 8700g
Posts: 4
|
Hi,
Excuse me for being thick - how would I know that? I've just done a standard install of BES with the new besadmin account as specified in the manual - unlike my previous install as admin this one stops with the error - how would I find out what kind of authentication I'm using?
regards
Quote:
Originally Posted by |||||||
You don't have system admin permissions over SQL most likely. What type of authentications are you using? Windows or SQL?
|
|
|
07-26-2006, 05:53 PM
|
#19
|
Thumbs Must Hurt
Join Date: Jul 2006
Model: 7290
Carrier: Rogers In Canada - Cingular in US
Posts: 127
|
"DB upgrade failed. Error executing an SQL statment"
That error typically is displayed if the SQL data directory already has besmgmt.mdf and besmgmtlog.ldf created. Delete those files and try again.
(Common when using MSDE)
If you are using SQL 2000/2005 - Best way to go about giving permissions is to create a security login for the domain/besadmin account
Assign System and Server Admin
After the install is complete only dbowner is required
|
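The permission step-down described in the post above, written out as T-SQL for SQL Server 2000/2005. This is an added example, not part of the original thread or the BES documentation; the account name `EXAMPLE\besadmin` is a placeholder, and reading "System and Server Admin" as the `sysadmin` and `serveradmin` fixed server roles and "dbowner" as `db_owner` on BESMgmt is an assumption.

```sql
-- Added example. EXAMPLE\besadmin is a placeholder for your own domain account.
-- Assumption: "System and Server Admin" = sysadmin + serveradmin fixed server
-- roles, and "dbowner" = the db_owner role in the BESMgmt database.

-- 1. Before running the BES installer: create the login, grant install-time roles.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = N'EXAMPLE\besadmin')
    EXEC sp_grantlogin N'EXAMPLE\besadmin'
EXEC sp_addsrvrolemember N'EXAMPLE\besadmin', N'sysadmin'
EXEC sp_addsrvrolemember N'EXAMPLE\besadmin', N'serveradmin'
GO

-- 2. Run the installer and let it create BESMgmt, then run the rest
--    while connected as a different administrator.
USE BESMgmt
GO
DECLARE @login sysname, @dbuser sysname
SET @login = N'EXAMPLE\besadmin'

-- Find the database user (if any) already mapped to the service login.
SELECT @dbuser = name FROM sysusers WHERE sid = SUSER_SID(@login)

IF @dbuser IS NULL
BEGIN
    -- No mapping yet: create one with the same name as the login.
    EXEC sp_grantdbaccess @login
    SET @dbuser = @login
END

-- A login that created the database is mapped to dbo, which already owns it
-- and cannot be added to a role, so only add explicit users to db_owner.
IF @dbuser <> N'dbo'
    EXEC sp_addrolemember N'db_owner', @dbuser

-- 3. Remove the server-wide roles that were only needed during the install.
EXEC sp_dropsrvrolemember @login, N'sysadmin'
EXEC sp_dropsrvrolemember @login, N'serveradmin'

-- 4. Verify: both role columns should be 0, and besmgmt_user should be set.
SELECT IS_SRVROLEMEMBER('sysadmin', @login)    AS still_sysadmin,
       IS_SRVROLEMEMBER('serveradmin', @login) AS still_serveradmin,
       @dbuser                                 AS besmgmt_user
GO
```

If `still_sysadmin` stays at 1, look for membership through a Windows group: on SQL Server 2000/2005 the local BUILTIN\Administrators group holds `sysadmin` by default.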
|
07-27-2006, 12:51 AM
|
#20
|
New Member
Join Date: May 2006
Model: 8700g
Posts: 4
|
Thanks chap - that got it - was deleting the mdf file but not the ldf file - seems to be working now!
Many thanks again
Quote:
Originally Posted by blackberry1
"DB upgrade failed. Error executing an SQL statment"
That error typically is displayed if the SQL data directory already has besmgmt.mdf and besmgmtlog.ldf created. Delete those files and try again.
(Common when using MSDE)
If you are using SQL 2000/2005 - Best way to go about giving permissions is to create a security login for the domain/besadmin account
Assign System and Server Admin
After the install is complete only dbowner is required
|
|