02-03-2013 10:41 AM
Placing a BDS 6.2 server in the same Forest/Domain as Exchange in an environment where the Exchange organisation is in a different AD Forest to the AD user accounts that are linked to the mailboxes does not appear to be a configuration that has been well tested in terms of Email Profiles for the ActiveSync configuration during device activation.
The BDS defaults to only using the Domain name of the Domain where the mailbox resides in its user configuration. This causes a problem during activation when the user is prompted to supply their password for their Work mailbox during the ActiveSync setup. The BDS activation does NOT ask for the password for the user account normally used to access the mailbox, the one in the user account Forest. Instead BDS asks for the password for their disabled user account in the Domain where the mailbox resides in Exchange. This is because BDS has configured the ActiveSync account on the device to use the Domain where the mailbox resides in Exchange. The disabled user accounts in the Domain that Exchange resides in must remain disabled when using linked mailboxes as enabling them can cause problems with mailboxes.
When creating Email Profiles on the BDS for assigning to users so that during activation the ActiveSync configuration is pre-populated there is no Domain field for specifying an entry that will override the default behaviour. To make matters worse although Blackberry Management Studio shows the Domain field for a user under the Email Profile section if you edit the entry to correct the Domain and click Save the entry doesn't change, it stays as the Domain that the mailbox resides in.
This has given me a real dilemma when planning my live BES10 solution for the 40 Blackberry 10 phones my employer is about to purchase. There are only 2 workarounds I have found so far, the first being a poor user experience but from an IT point of view preferable to the second:
Workaround 1 (A PlayBook activation over WiFi is used for this example)
When prompted for the password for the mailbox during device activation, Cancel the dialog box then go to Settings / Accounts, tap the newly created Work account which will be highlighted in red as the credentials are missing, enter the password for the user account normally used to access the mailbox (the one in the user account Forest NOT the disabled account in the Exchange Forest) then tap Advanced Settings, change the entry in the Domain field to the name of the Domain in the user account Forest then tap Save. The entry in the Accounts list should now go grey to indicate that it has the correct credentials to connect to the mailbox.
Workaround 2
Install a BDS server in each of the user account Forests that you have in your AD organisation. This will mean that the unchangeable default behaviour will populate the Domain field with the correct Domain for accessing the mailbox during the ActiveSync setup part of device activation. HOWEVER, even though you could manage all devices on the multiple BDS servers through a single Blackberry Management Studio console you would still have the cost of servers to host the multiple instances of BDS and the BDS database which all have to be managed and patched separately when your number of users may only technically require one BDS server. Very wasteful and a headache over time.
So Blackberry, can this design flaw in the ActiveSync setup during activation please be fixed so that we can override the default Domain that is pre-populated into the ActiveSync settings? Ideally we should be able to specify a Domain name in an Email Profile that will override the default.
It makes me shake my head to myself when I find that the Universal Device Service for iOS and Android devices handles ActiveSync Profiles correctly and lets you specify exactly the Domain name you need for its activation process. You know, UDS, the 3rd party solution that you bought so that you could support iOS and Android as opposed to BDS the Mobile Fusion component that you designed for your own devices!
Looking forward to hearing some positive news on this soon,
02-03-2013 12:51 PM
You can override the AD settings for a user through BAS. Manage a user and edit their email profile. There will be a field you can toggle on to override AD settings. I've pointed my ActiveSync profile to a completely separate user in a separate forest before.
02-03-2013 05:31 PM
Well that was a well hidden setting!!! But at least it works. Thanks for your help, the setting isn't mentioned in the BDS 6.2 Administration Guide.
It still leaves a problem with Blackberry Management Studio though. If I have to manually edit a new user's email profile in the BAS for BDS then the BMS is useless for rolling out to support staff for creating new BDS users as when you try to edit the Domain in the Email Profile using BMS it doesn't save the change. Is this a bug or by design?!
This could all be so much simpler if the Email Profiles just contained a Domain field that would override the user's default settings. Then there wouldn't be a need to manually edit anything.
02-05-2013 03:44 AM
02-05-2013 05:35 PM
Thanks, I had read your post when I searched for the problem before posting and was pretty sure it was being caused by the same lack of flexibility and functionality in the Email Profiles that I'm experiencing, just from a different point of view. Fingers crossed for a solution in an update for BDS soon.
04-24-2013 03:22 PM
Thanks Johnnyuk for describing the problem.
This is also affecting us.
I noticed the need to override and manually populate the domain field with the User Forest last week, however I just noticed that the Management Studio does not properly write what you wish for in the Domain field, yet reverts it back to the Resource Forest.
I've submitted a case for both issues (separate cases), as I feel the urgency will not be noticed if we just wait for a fix. Cases will have weight.
This is a big disappointment as we were planning on using the Management Studio for our Administrators to have one single interface for old and new BlackBerry devices. Now this is not possible for us, at least at the moment.
04-25-2013 02:26 PM
Seems resolved in MR1 for BDS
Can get that here:
04-25-2013 03:15 PM
04-25-2013 03:51 PM
So is it now solved?
04-25-2013 04:15 PM
Yes. I tested it. You can now change the values in Management Studio and they will save correctly.
However for a User Forest / Resource environment, you still cannot pre-populate the Domain field with the User account, which would be needed in that environment, but it can be manually changed.