Thursday, February 26, 2009

Windows 2008 R2 First Quick Look




I just finished installing Win08-R2 and without losing much time, I have decided to blog about it. The very first thing needs to get done is some schema updates before introducing the R2 DC into existing environment. The updates need to run from another server and the adprep.exe is in the setup CD came with R2 installation CD as shown below. Assuming your CD room is D drive, fallow the below path to get started.

  • D:\support\adprep>adprep32.exe /ForestPrep
  • D:\support\adprep>adprep32.exe /DomainPrep

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2
Service Pack 4 (SP4) or later.
[User Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER
continue. Otherwise, type any other key and press ENTER to quit.
c
Opened Connection to VMDC1
SSPI Bind succeeded
Current Schema Version is 44
Upgrading schema to version 46
Verifying file signature
Connecting to "VMDC1"
Logging in as current user using SSPI

Importing directory from file "C:\Windows\system32\sch45.ldf"
Loading entries...................................................................
66 entries modified successfully.
The command has completed successfully
Verifying file signature
Connecting to "VMDC1"
Logging in as current user using SSPI
Importing directory from file "C:\Windows\system32\sch46.ldf"
Loading entries....
3 entries modified successfully.
The command has completed successfully
Connecting to "VMDC1.smtp25.org"
Logging in as current user using SSPI
Importing directory from file "C:\Windows\system32\PAS.ldf"
Loading entries..............
13 entries modified successfully.
The command has completed successfully
........................................................................................................................
.........................................................................................................................
.........................................................................................................................
.........................................................................................................................
............................

Adprep successfully updated the forest-wide information.


D:\support\adprep>adprep32.exe /DomainPrep

Running domainprep ...

Adprep successfully updated the domain-wide information.

The new look of R2, is familiar to me from Windows 7, I am one of the beta tester and loving it so far. So with existing confident to Windows 7 , seeing same desktop and look giving me "Thumbs up" right away. Well behind new look, I am noticing fast new MCC called "Active Directory Administrative Center", dsac.exe, it looks very different and promising, I start liking it a lot right of the start. Finally we have much better interface to manage active directory.




If you have not had your hands dirty, I recommend doing it without losing time (-: with R2, I am sure it will surprise you a lot

Oz Ozugurlu

MVP (Exchange)

MCITP (EMA), MCITP (SA)

MCSE 2003, M+, S+, MCDST

Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com




Tuesday, February 24, 2009

Create a Restricted Groups policy in a security template



Goal:

Your Company hired contractors to perform hardware refresh on all workstation for your company. Part of the assignment there has to be "Security group" created on the domain and this group needs to be added to "Local administrators group" on all workstations.

Your task is to get the work done.

Solution

Use restricted group's policy to perform the desired results

Prep work

  • Log into your domain controller
  • Create a group called "Local_Admins" *** this is the group we will add to each workstation into the administrators group***
  • Click Start run, type gpmc.msc
  • Under Domains your org, make right click and select (Perform the same steps from the OU, you wish to push the policies from. If you do it from the top of the domain, the GPO will apply to all computers, in this scenario we have OU called ***Migration_Computers*** and we are applying the GPO to this OU and all workstations placed under this OU.
  • Create GPO in this Domain, and link it here
  • Name the policy to *** Local_Admin_Policy*** or anything you like click ok
  • On the right pane right click and select "edit"
  • In the Group Policy MMC, browse as fallow below
  • Computer Configuration
  • Policies
  • Windows Settings
  • Security Settings
  • Restricted Groups
  • On the right pane right click new "Add group" click browse
  • Type ***administrators*** click ok,
  • Members of this group click add, browse, add the group you have created earlier **Local_Admins** click ok and apply
  • You are done go to one of the workstation , command prompt any type
  • Gpupdate /force hit enter
  • Check the administrators group to verify desired group has been added there.
  • ****WARNING**** if you paid attention the default domain administrators are gone from workstation administrators group, simply go back to restricted policy and include domain administrators group same way as the first one

Oz Ozugurlu
MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Blog: http://www.smtp25.blogspot.com

Monday, February 23, 2009

Add AD group to local administrator Group on every workstation




Task:

Your Company hired couple people to perform hardware refresh on all the workstations and you need to create group called "Local_Admins" and include& configure this group into each workstation " local administrator gorup" in your active directory domain.

The task can be accomplish in different ways and I am going to post two of them here in my blog.

Batch file,

Place same directory as VB script below. The below simple batch file will add the group called "Local_Admins" into local administrators group.

net localgroup administrators "smtp25\local_Admins" /add

net localgroup administrators "smtp25\Local_Admins" /delete


VBScript

Copy and paste below into notepad

Please pay attention you only need to change two lines in below script,

  • Change below to your own domain, my domain name is smtp25.org
  • MyDomain = "smtp25.org"
  • ' Change group name to your desired group
  • GlobalGroup = "Local_Admins"


'VBScript to Add an AD Group to a Local Administrators group

' This script will Add an Active Directory Desktop support Group to the Local

' Administrator Group. this can be Used to provide Local Administrator rights

' to any group

' Script modified by oz ozugurlu, change anything you like , no copy rights

Option Explicit

On Error Resume Next

'Define Variables

Dim Mydomain

Dim GlobalGroup

Dim oDomainGroup

Dim oLocalAdmGroup

Dim oNet

Dim sComputer

Set oNet = WScript.CreateObject("WScript.Network")

sComputer = oNet.ComputerName

' Change below to your own domain, my domain name is smtp25.org

MyDomain = "smtp25.org"

' Change group name to your desired group

GlobalGroup = "Local_Admins"

Set oDomainGroup = GetObject("WinNT://" & MyDomain & "/" & GlobalGroup & ",group")

Set oLocalAdmGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")

oLocalAdmGroup.Add(oDomainGroup.AdsPath)

'Nullify Variables

Set Mydomain = Nothing

Set GlobalGroup = Nothing

Set oDomainGroup = Nothing

Set oLocalAdmGroup = Nothing

Set oNet = Nothing

Set sComputer = Nothing

  • Save the script as "Add_Local_Admins.vbs"
  • Log onto your domain controller, click start run type "gpmc.msc"
  • Locate the OU you wish to apply this script too
  • Create a GPO in this domain and link it here , give it a name to the GPO "Add_Local_Admins"
  • Make a right click, select add , expend Computer configurations
  • Policies, windows settings scripts , double click startup, click add , click Browse
  • **** Copy and paste the script into this location*****
  • Select the script , click okay two time exit.
  • Now make sure the computers are located under this OU
  • Next time computers start the GPO will run the script and specified group will be added to the local administrators group on the workstations

Oz Ozugurlu
MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Blog: http://www.smtp25.blogspot.com



Failed to retrieve the Server DN, shutting down



Problem:

We start receiving fallowing message on the BES servers and "Failed to retrieve the Server DN, shutting down"

Cause:

The BB service account is corrupted with un-known reason ( we are un-able to find the cause)

Event Type: Error

Event Source: BlackBerry Messaging Agent SMTP25WINBES01 Agent 200

Event Category: None

Event ID: 10275

Date: 2/23/2009

Time: 10:42:48 AM

User: N/A

Computer: SMTP25WINBES01

Description:

Failed to retrieve the Server DN, shutting down


Event Type: Warning

Event Source: BlackBerry Controller

Event Category: None

Event ID: 20406

Date: 2/23/2009

Time: 10:00:35 AM

User: N/A

Computer: SMTP25WINBES01

Description:

'SMTP25WINBES01' agent 1: will not restart - reached the maximum of 10 restarts per 24 hours


Solution:

This is one of the weird error and researching the cause did not much help to us. So we went ahead and basically performed fallowing steps

  1. Re-start the BES services ( Problems exist)

    If you remember this needs to be done in order, others fallows as you wish in any order.

  • R ( Router)
  • D (Dispatcher)
  • C (Controller)
  1. Reboot the BES server ( problem exist)
  2. Check BES account verified it is not locked
  3. Check server DNS setting TCP/IP made sure DNS IP addresses have not been changed
  4. WINS configured ( if there is one)
  5. Flushed TCP/IP configuration, Un-Registered and registered WINS server
  6. Open BES logs continue to look for errors
  7. Re-start BES services in order
  8. Re-configure the BES profile on the BES server ( Problem persist)
  9. Finally we create new BES service account , configure profile and give proper permission on the exchange 2007 server, made all worked out.

PS:

Granting BB Permissions Exc07

Change the domain SMTP25 to your own domain

Use the BB Service account you have

  • Domain: SMTP25
  • BB Service account name: svc-besadmin

Get-MailboxServer Add-ADPermission -User SMTP25\svc-besadmin -AccessRights GenericRead,

GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin


Oz Ozugurlu
MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Blog: http://www.smtp25.blogspot.com

Friday, February 20, 2009

WHY MY BLACKBERRY USERS COMPLAINING?



This question has been asked several times, why am I having trouble with my BES users and how am I going to troubleshoot this issue?

download .doc version here

Before we start doing anything

  • RIM recommends centralized architecture when it is possible and all the times.
  • MAPI is a heavy protocol and it is not designed for WAN connections
  • RIM also advices to make sure the latency is less than <35 millisecond between the black Berry server and the mailbox server.

So if you did not fallow the best practices and you have mail server in location A and BES server in location B, you know what is causing the issue, you implementation is WRONG!!! (-:

Okay I hear you did not design this, the person who designed the BES architecture took off the company long time ago and you have to live with it. How are you going to explain what is going on wrong to your manager?

Step 1

The MAPI subsystem is being used by BES agents. When a user added to BES server BES uses BB AGENTS (MAPI APIs) to locate the user mailbox on the exchange server and create hidden folders as fallows. The native Exchange APIs being used to create folders below, there is no DLL in the user mailbox unlike SQL database.

  • BlackBerryHandheldinfo
    • BlackBerryCalSyncState
    • BlackBerryICSState
    • BlackBerryMsgOnDeviceSearchFolder
    • BlackBerryRefIDSearchFolder1_7

If you wish to see the folders with your own eyes download MFCMapi and fallow the steps below

  • Download mfcmapi and double click on it ( I assume you are doing this from your workstation where outlook has already been installed and configured for you or others)
  • Click "ok" to continue
  • Click Session "Logon and Display Store Table"
  • Chose your profile click "ok"
  • Make a right click and select "open Store"
  • Expend "Root Container"
  • Expend folder called "BlackBerryHandheldInfo" folder to see all the folders associating with user mailbox

Step 2

After BES folders have been created within the user mailbox BES begins to monitor user mailbox by using AGENTS= MAPI , ***these folders are located under root container on your mailbox***. BES agents keeps track of information status within the user mailbox such as read/unread/moved/deleted/reconciled] and calendar state.

BES agents also copies every single message and pulls back to your BES server to be travel on port 3100 to RIM facilities & Servers on Canada and lets ISP wireless provider to grap the message and place onto your BB handheld device.

So if your user is telling you I received e-mail from my friend to my Black berry and never received on my outlook, you know right of the bat , this is impossible (-:

Now here is first and big problem, MAPI does not like to run in the network where MS is >35 millisecond. So here is the formula to calculate the latency

  • MAPI needs to be <35Milsec , issue extended ping to find out the averaged ping packet
  • If averaged ping packet is 345 the formula is applied as fallows
    • Link Speed = 16000 / (average ping for 2048 byte packet)
    • 16000 / divide into 345 = 46Kbpc
    • The link would be considered slow, the trash hold round-trip time for a fast link (default = 500 Kbps) is 32 ms.
    • If you remember on 100meg LAN connection the Speed would be less than 1ms, if you perform the same test within the LAN
    • From Experience if these ms go above >200 and up, good luck even opening up Outlook. The bandwidth is the culprit and client must get better connection.

Conclusion:

  • RIM recommends centralized architecture when it is possible
  • RIM also advices to make sure the latency is less than 35 millisecond between the black Berry server and the mailbox server.
  • BlackBerry users cause additional overhead that affect the database IOPS of a server.
  • Many customers see a two to four fold increase in database disk I/O.


    If you like to read more about it


    http://smtp25.blogspot.com/2007/10/blackberry-cause-additional-overhead-on.html


    Oz Ozugurlu MVP (Exchange)


    MCITP (EMA), MCITP (EA) MCITP (SA)

    MCSE (M+, S+) MCDST,

    Security+, Server +, Project+

    Blog: smtp25.blogspot.com

    Blog: telnet25.wordpress.com

Sunday, February 15, 2009

DNS Resolver Local Cache

The question was asked on the TechNet DNS forums and I wanted to write about this. When you open CMD window and type YourDomain.Local the reply is coming back from let's say DC3.smtp25.org. Well we have two more domain controllers why ping only talks to DC3 not DC1 or DC2?

This simple question brings a nice DNS explanation some of you might or might not know and I certainly think knowing DNS local resolver cache will help you to troubleshoot issues related to Exchange servers and domain controllers

  • For a DNS name, Netlogon queries DNS by using the IP/DNS-compatible Locator--that is, DsGetDcName calls the DnsQuery call to read the Service Resource (SRV) records and "A" records from DNS after it appends the domain name to the appropriate string that specifies the SRV records.

After the client locates a domain controller, the domain controller entry is cached on the client workstation in the DNS local resolver cache.

When you issue a ping command, the local resolver is used to locate the resource from its cache and therefore when you ping YourDomain.Com whatever is listed in the Resolver cache first is going to be the IP address you will be pinging all the time, this is true until the client DNS resolver cache changes and another authorative domain controller is being cached by the local DNs resolver.

If you want to test this here what you need to do,

Open two separate CMD windows from your workstation side by side. I used my domain name in below example

Ping smtp25.org

  • Pinging smtp25.org [10.10.10.6] with 32 bytes of data:
  • Reply from 10.10.10.6: bytes=32 time=1ms TTL=128
  • Reply from 10.10.10.6: bytes=32 time<1ms TTL=128

Now on the second CMD Window issue fallowing command

  • Ipconfig /DisplayDNS
    as you can see the first record has been cashed in the resolver is 10.10.10.16 , second is 10.10.10.3 third and last one is 10.10.10.2

smtp25.org

----------------------------------------

Record Name . . . . . : smtp25.org

Record Type . . . . . : 1

Time To Live . . . . : 49

Data Length . . . . . : 4

Section . . . . . . . : Answer

A (Host) Record . . . : 10.10.10.6

----------------------------------------

Record Name . . . . . : smtp25.org

Record Type . . . . . : 1

Time To Live . . . . : 49

Data Length . . . . . : 4

Section . . . . . . . : Answer

A (Host) Record . . . : 10.10.10.3

Now regardless how many times you ping your domain. Local --à you will always ping the first DC, which is 10.10.10.6

Now let's change this , on the second window type

  • Ipconfig /FlushDNS
  • Ipconfig /registerDNS
  • IPconfig /DisplayDNS------------à You wont have any entries here yet for the SMTP25.org, it mean on the first DNS query the answer will be cached in your local DNS resolver. So godhead and perform

Ping YourDoamin.local whatever the information you get from DNS will be loaded in your cache and you will use it until it gets flushed. As you see once local Cache is cached the DNS information the Client will not go to DNS server until the local cache gets flushed and new DNS information is cached.

View a DNS client resolver cache

How Domain Controllers Are Located in Windows

Oz Ozugurlu MVP (Exchange)

MCITP (EMA), MCITP (EA) MCITP (SA)

MCSE (M+, S+) MCDST,

Security+, Server +, Project+

Blog: smtp25.blogspot.com

Blog: telnet25.wordpress.com

Wednesday, February 11, 2009

Event ID 1196, 1119 DNS operation refused Cluster Servers





We start seeing many event ID's on the cluster servers (Active passive) configuration on one of our client SQL and Exchange servers as fallow below.


Log Name: System

Source: Microsoft-Windows-FailoverClustering

Date: 2/11/2009 4:41:00 PM

Event ID: 1196

Task Category: Network Name Resource

Level: Error

Keywords:

User: SYSTEM

Computer: MCCNPWINSQL01.smtp25.org

Description:

Cluster network name resource 'SQL Network Name (MCCNPSQLDB00)' failed registration of one or more associated DNS name(s) for the following reason:

DNS operation refused.

Ensure that the network adapters associated with dependent IP address resources are configured with at least one accessible DNS server.


Error:

Event id 1196, 1119 FailoverClustering appearing on the clustered Exchange and SQL servers, although the cluster seems to be fine the errors are annoying. Cluster network name resource 'SQL Network Name (MCCNPSQLDB00)' failed to register DNS name 'MCCNPSQLDB00.smtp25.org' over adapter 'Production VLAN 400' for the following reason: DNS operation refused.

Cause:

The cluster name resource which has been added to the DNS prior to setup active passive cluster ( or any type) need to be updated by the Physical nodes on behalf of the resource record itself. When the active node owns the resources it want to update the A record in the DNS database and DNS record which was created won't allow any authenticated user to update the DNS record with the same owner

Solution:

Delete the existing A record for the cluster name and re-create it and make sure select the box says "Allow any authenticated user to update DNS record with the same owner name "Don't worry about breaking anything , this has "ZERO" impact to cluster simply delete the A record and re-create as it is suggested here.


Oz ozugurlu MVP (Exchange)

MCITP (EMA), MCITP (EA) MCITP (SA)

MCSE (M+, S+) MCDST,

Security+, Server +, Project+

Blog: smtp25.blogspot.com

Blog: telnet25.wordpress.com

Monday, February 9, 2009

MRM (Message Record Management)






Message record management is one of the new futures in Exchange 2007 which consist of 5 steps. MRM is the replacement of previous exchange mailbox policies with new improved capabilities. The goal of MRM is to meet company policies regulations and etc, here read more blow. Two of the most common scenario is either use existing managed default folder or create your own. On the bottom of this post there is a link to MS , MRM video which is very useful, and I will be posting a video of this article in couple days.

Note: If you get used to work with previous versions of exchange message policies, getting started with existing managed folder such in this example might be easy for you to understand the MRM. IF you want to be more creative you can create additional managed folder based on your company requirements.

Goal:

Your Company decided to delete all e-mails in the deleted items folders on all users older than 14 days. You have been tasked out to get the work done. Similar work as in previous versions of exchange but the implementation is entirely different on exchange 2007.

You will select existing managed folder (deleted items), by opening EMC, expending organization configuration, and on the right pane, select "Managed default Folders).

  • Create MFMP (Manage folder mailbox policy) called "Pol-Del-14Days"
  • Link MFMP to existing managed folder (deleted items folder in this task)
  • Create NMCS ( new managed content settings)

    • Name:" Pol-Del-14Days"
    • Message Type ( All Mailbox content)
    • Length of retention periods ( days) , checked in (14 days)
    • Retention period starts: ( when delivered, end date for calendar and recurring task
    • Permanently delete

Steps:

  • Lunch EMC
  • Expend Organization Configuration
  • Select Mailbox and n the right pane click "Managed Folder Mailbox Policy"
  • On the right pane click on "New Managed Folder Mailbox Policy"
  • Managed Mailbox Policy name "Pol-Del-14Days"
  • Click add select deleted items, click okay, new and finish

Note: We have created managed mailbox policy and applied this policy to Default deleted items managed folder.

  • Now Click Manage default folders
  • Select Deleted items, make a right click and
  • New managed Content settings
  • Name it same "Pol-Del-14Days"

    • Message type "all mailbox content"
    • Length of retention period dates ( 14)
    • Retention period starts "When delivered. End date for calendar and recurring tasks
    • Permanently delete
    • Finish the wizard.

Note: remember we are achieving our task, don't forget to make proper adjustment here based on your requirements. With our policy we will delete everything in the deleted items folder older than 14 days.

Now we will apply this to one user and see the results

Open EMS


Get-ManagedFolderMailboxPolicy



  • Name of the policy in this example is "Pol-Del-14Days"
  • Name of the mailbox we will apply this policy is "Odedeal"



Set-Mailbox -Identity odedeal -ManagedFolderMailboxPolicy "Name_of_The_Policy_Goes_

Here"



>>>>>> Set-Mailbox -Identity odedeal -ManagedFolderMailboxPolicy " Pol-Del-14Days "
IF you wish to achieve same results fallow the steps to get it done via GUI.

Under recipient configuration

Click on mailbox

  • Highlight the user you wish to apply the policy (Pol-Del-14Days)
  • Go to properties
  • Click mailbox settings, highlight messaging records management
  • Click properties
  • Enable managed mailbox policy, click browse
  • Select existing policy ("Pol-Del-14Days")
  • Click okay two times and, say yes to warning click apply.

Now we will need to set the schedule under server configuration go to properties of mailbox server

  • Click messaging record management
  • Click customize, and make the schedule run every day 2AM

The last part is to set the mailbox server

Under server configurations, properties of your exchange servers, message records management , click customize and set the schedule to run accordingly


Now we want to see the result right away so we will need to run, Exchange mailbox assistance to one particular user.

Note: Make sure the service is running on the exchange server (MSExchangeMailboxAssistants)

Set the policy


Set-Mailbox -Identity odedeal -ManagedFolderMailboxPolicy "Pol-Del-14Days"



Remove it


Set-Mailbox -Identity odedeal -RemoveManagedFolderAndPolicy



Start Managed folder assistance right away to see the results


Start-ManagedFolderAssistant -Mailbox odedeal




IF you like to assign the policy to all mail enabled users (which you will most likely)


Get-Mailbox -ResultSize unlimited Set-Mailbox -ManagedFolderMailboxPolicy " Pol-Del-14Days "




To remove it


Get-Mailbox -ResultSize unlimited Set-Mailbox - RemoveManagedFolderAndPolicy


There is a Pipe after unlimited, for some reason I could not get it to publish on my blog, so please include the Pipe after the Unlimited *Pipe here* Set-Mailbox




Get-ManagedContentSettings





Get-ManagedFolderMailboxPolicy





Set-Mailbox -Identity odedeal -ManagedFolderMailboxPolicy "Name_of_The_Policy_Goes_Here"




The most useful information I was able to locate was on
Bharat Suneja, which I am including the link to his blog as well as MS links.


Oz ozugurlu MVP (Exchange)

MCITP (EMA), MCITP (EA) MCITP (SA)

MCSE (M+, S+) MCDST,

Security+, Server +, Project+

Blog: smtp25.blogspot.com

Blog: telnet25.wordpress.com

Sunday, February 8, 2009

Exchange Server Remote Connectivity Analyzer



One of the most common scenario, you got e-mail from your boss saying, I cannot sent e-mail to oz@smtp25.org, (-:, and what you will do? How you will know quickly if the destination SMTP server accepting mails for oz@smtp25.org? Go to below URL, www.testexchangeconnectivity.com

I think it is very useful tool, and if you remember DNS stuff old days when it was free we had similar functions to speed up troubleshooting steps. Seeing this from MS is really nice, and I wish we all are given more tools to test issues related to exchange servers when we needed.

This tool will help you to identify quickly if such SMTP address is able to receive e-mails, the IP addresses for the destination SMTP domain, open relay test and more.


Oz ozugurlu MVP (Exchange)

MCITP (EMA), MCITP (EA) MCITP (SA)

MCSE (M+, S+) MCDST,

Security+, Server +, Project+

Blog: smtp25.blogspot.com

Blog: telnet25.wordpress.com

Thursday, February 5, 2009

How to find 10 Top mailbox users in Exchange 2007

If you are given task to figur out top ten mailbox users in your exchange organization here what you need to do. I have already blog this in the past, and doing it one more time for a request.

  • Log into Exchange server
  • Open EMS (Exchange management shell)
  • Copy paste or type below command in the shell, and hit enter. This command will create CSV file open it and format the csv as you wish.

Get-MailboxStatistics Sort-Object TotalItemSize -Descending select DisplayName,@{expression={$_.TotalItemSize.Value.ToKB()}},ItemCount export-csv MailBoxUsers.csv


Create Custom Address List based on SMTP addresses, the scenario here is you did "contact dump" from another forest and you will need to create custom address list in exchange 2007.

I will post a script soon which can read CSV file and create Contacts in specified OU. This can be useful for one time contact dump (better way is to implement IIFP). After the contact in the OU, you will need to create the address list as below.

  • Change the Custom-AddressList = Name you wish
  • Change @test.smtp25.org to contact you wish to compose this address list.


New-AddressList -Name Custom-AddressList -RecipientFilter {(ExternalEmailAddress -like '*@test.smtp25.org')}


Oz ozugurlu MVP (Exchange)

MCITP (EMA), MCITP (EA) MCITP (SA)

MCSE (M+, S+) MCDST,

Security+, Server +, Project+

Blog: smtp25.blogspot.com

Blog: telnet25.wordpress.com

Monday, February 2, 2009

Blackberry Enterprise Server Wireless Activation Process

There were some questions in regards to blackberry and its enterprise activation, when one of my bodies had problems when he tries to activate blackberry for a company they support. The story was activation e-mail held by postini and never had chance to hit the user mailbox. Understanding the process how black berry work with user mailbox conjunction with handheld device for sure makes administrators more comfortable and shortens the time to do the troubleshooting.

If you wish here is the word version of this article

Short story I asked one of my peers at work to put some document together explaining the process. Thanks to Jeff Bakin for taking this time and providing this article.

Wireless Enterprise activation provides administrators a method of enabling Blackberry devices without a network connection or having the Blackberry Administrator physically get his hands on the Blackberry Device. This is especially useful in larger enterprise environments where the Blackberry Enterprise Servers are in a centralized location, but the user base is dispersed throughout the country/world. The only caveat is that the user must be in a location of sufficient wireless coverage in order to perform a wireless activation.

A good example is, remote users in the field can have newly purchased Blackberry handheld devices sent directly to them. The user can contact the Blackberry System Administrator, who then can provide activation instructions and the activation password over the phone. The user can perform the activation process, the proper security parameters and service books will be negotiated and pushed to the handheld device, and users can begin to send and receive emails using their corporate email account from their device handheld.

The Blackberry Enterprise Activation Password

The Enterprise Activation password can only be used once initially to activate a handheld device. It must be set every time a new activation is performed. The protocol ensures that an offline dictionary attack cannot be performed, and therefore a short password can be used. Typical activation passwords are between 4 and 8 characters, but is limited to 32 characters.

The Enterprise Activation Process


  1. The system administrator adds a new Blackberry Device user account to the Blackberry Manager

    Picture1






  1. The Blackberry Enterprise Server begins to monitor the appropriate mailbox on the messaging server.

    Picture2






  1. The system administrator creates an enterprise activation password for the new account using either the manual or automatic method.


    Picture3








  2. The system administrator or user initiates the enterprise activation process on the blackberry device by going to Options > Advanced Options > Enterprise Activation. The system administrator or user will key in their email address and the appropriate activation password.


    Picture4






  3. Once the Email address and password is entered, open the Option menu on the Enterprise Activation screen, and select "Activate"

    Picture5







  4. The Blackberry Device sends activation data to the wireless service provider, which passes the data to the Blackberry Infrastructure.

    Picture6




  5. The Blackberry Infrastructure identifies the data as an activation request and packages it into an ETP.DAT file. This file is then attached to an email message and sent to the email address you typed on the Enterprise Activation screen.

    Picture7




  1. The Blackberry Enterprise Server notes that a new email message has arrived to the mailbox to be activated. The Blackberry Enterprise Server is designed to recognize this email message as a request for Enterprise Activation, and remove it from the mailbox to be processed by the Blackberry Enterprise Server.

    Picture8



  2. Using the data from the ETP.DAT file, the Blackberry Enterprise Server contacts the Blackberry Device to acknowledge that the enterprise activation request has been received.

    Picture9





  3. The Blackberry Enterprise Server verifies the Activation password.

    Picture10




  1. If the activation password is correct, the Blackberry Enterprise Server begins to push activation information and Service Books to the Blackberry Handheld device.

    Picture11



  2. The Blackberry Enterprise Server and the Blackberry device begin the synchronization process.

    Picture12




  3. The enterprise activation process completes, and the handheld device is ready for use with the Blackberry Enterprise Server.


    Picture13


Oz ozugurlu

Oz ozugurlu MVP (Exchange)

MCITP (EMA), MCITP (EA) MCITP (SA)

MCSE (M+, S+) MCDST,

Security+, Server +, Project+

Blog: smtp25.blogspot.com

Blog: telnet25.wordpress.com