BlackBerry Forums Support Community


Claidheamhmor 03-06-2013 05:40 AM

Unable to create users on BES10
 
I have a bit of a strange one here that's annoying me terribly.

I've installed BES10 (BDS 6.2) successfully. Port 3101 is open, SRP is connected. We're still on the 60-day trial, and I'm hoping we'll figure out sometime where I can actually buy a server licence (but that's beside the point). Port 443 has been opened too.

When I try to add a user to BES10, I can successfully find the user, but when I add the user, with or without activation password, I get the following error:
The BlackBerry® Administration Service was unable to create the required external authenticator for the user.

Searching for that error yields this page: KB32589-Unable to add specific Active Directory users to BlackBerry Device Service 6.2
After looking at that page, I checked the msExchMasterAccountSid; it exists on our user accounts in our resource domain, but the accounts are disabled, as they should be, and the mailboxes are linked to enabled accounts in our user domain which doesn't have that msExchMasterAccountSid attribute, so in theory, this is not applicable. The only accounts I can create on BES10 are for mailboxes that do not have the msExchMasterAccountSid attribute.

Does anyone have any idea about this?

Our environment:
BES 5.04 working 100% on a different server.
BES10 loaded on a Windows 2012 server on VMWare.
A user domain for user accounts.
A resource domain in a separate forest, where Exchange and mailboxes are hosted. Each mailbox has its own disabled account in the resource domain, and a user account from the user domain has rights to the mailbox.
Exchange 2010.

AbidingSeraph 03-06-2013 09:42 AM

Re: Unable to create users on BES10
 
We are having the exact issue as well. We are running Exchange in a resource forest with all accounts disabled (except a few service accounts) too. We have a ticket open with RIM currently for this issue, but they haven't gotten back to us yet, and it's been a few days. When I first spoke to RIM about it, they gave me the same KB article and instructed me to remove the msExchMasterAccountSid attribute, to which I said "are you crazy??" They said they will get back with me. I will update you when I hear back.

AbidingSeraph 03-06-2013 03:31 PM

Re: Unable to create users on BES10
 
Quick question: Does your resource forest have a one- or two-way trust with the active user account domain? (Not sure that it matters.) Also, does the service account used to install BDS have access to both domains?

Claidheamhmor 03-07-2013 06:37 AM

Re: Unable to create users on BES10
 
Quote:

Originally Posted by AbidingSeraph (Post 1800193)
Quick question: Does your resource forest have a one- or two-way trust with the active user account domain? (Not sure that it matters.) Also, does the service account used to install BDS have access to both domains?

I'd appreciate any report back from RIM.

We have a two-way trust with the resource forest. The computer running BES10 is on the user domain, but BES was installed with an account from the resource domain that has all the appropriate rights on the resource domain.

I wonder if I shouldn't give it rights on the user domain too...

smoothadmin 03-07-2013 08:01 PM

Re: Unable to create users on BES10
 
Try this:

Give your BDSAdmin (or whatever you called it) account Administrators access. I have had more success with giving BDSAdmin both Administrator and Domain Users group access.

Claidheamhmor 03-08-2013 05:35 AM

Re: Unable to create users on BES10
 
Found the issue:

In BDS Admin, under Microsoft Active Directory Integration, Manage Microsoft Active Directory Access, I had to edit Active Directory Configuration.

The "Microsoft Active Directory Access" section requires the BDS Admin account details for the resource domain.

The "Microsoft Active Directory Login" section requires the account details on the account/user domain for an account with (presumably) account operator rights.

AbidingSeraph 03-08-2013 09:47 AM

Re: Unable to create users on BES10
 
Thanks for the update. I am still waiting to hear back from RIM for a final update. I am trying to implement your resolution, but unfortunately my BDS admin account only has rights into the resource domain and not the user domain (which I suspect is the problem). This was historically sufficient for BES 5.0 and earlier, but apparently has changed. I guess I will need to wait for RIM to give me the official word so that I can put in the change request to grant the BDS admin account access to both domains.

Claidheamhmor 03-11-2013 07:37 AM

Re: Unable to create users on BES10
 
Quote:

Originally Posted by AbidingSeraph (Post 1800353)
Thanks for the update. I am still waiting to hear back from RIM for a final update. I am trying to implement your resolution, but unfortunately my BDS admin account only has rights into the resource domain and not the user domain (which I suspect is the problem). This was historically sufficient for BES 5.0 and earlier, but apparently has changed. I guess I will need to wait for RIM to give me the official word so that I can put in the change request to grant the BDS admin account access to both domains.

The BDSAdmin account doesn't necessarily need rights in the user domain; I used an account with rights in the user domain but no rights to the account domain.

mjozwiak1856 03-25-2013 09:25 PM

Re: Unable to create users on BES10
 
Can you be more specific? I am having the same issue, but don't know what to actually change. Thanks.

AbidingSeraph 03-26-2013 01:52 PM

Re: Unable to create users on BES10
 
It depends on your environment... do you have an Exchange resource forest? If so, does the service account with which you installed BDS have permissions in both the resource forest as well as your user domain? Using a service account that had permissions into both domains solved this issue for me. This was the case for me because there is only a one-way trust between domains; I suppose if there was a two-way trust, you wouldn't necessarily need permissions into both. I hope this helps you.

MSLIT 04-15-2013 08:59 AM

Re: Unable to create users on BES10
 
I had a similar issue during the initial setup, and then I un-ticked the "Associated external account" tab under the Mailbox rights, which solved that issue!

shox974 04-30-2013 04:35 AM

Re: Unable to create users on BES10
 
Hi guys, I am having the same issue. I have tried this: "In BDS Admin, under Microsoft Active Directory Integration, Manage Microsoft Active Directory Access, I had to edit Active Directory Configuration.

The "Microsoft Active Directory Access" section requires the BDS Admin account details for the resource domain.

The "Microsoft Active Directory Login" section requires the account details on the account/user domain for an account with (presumably) account operator rights."

But nothing changed. I'm actually reinstalling everything from 0.

I will let you know.

In addition, I used the besadmin account for the first install. Now, for the new installation, I also created a new user with a mailbox.

shox974 04-30-2013 05:12 AM

Re: Unable to create users on BES10
 
So, new install, all services up, new SQL database called BDS, all is up.
Same problem with one user who is impossible to add, but I tested adding other users and everything is OK.
I checked the AD account of the user and he has a value in the msExchMasterAccountSid attribute,
referring to this KB: KB32589-Unable to add specific Active Directory users to BlackBerry Device Service 6.2
Does anyone know the effect of cancelling this information?

knottyrope 04-30-2013 09:26 AM

Re: Unable to create users on BES10
 
Is the user a member of any groups in AD?

Also, is the user set to inherit permissions in Exchange?

shox974 04-30-2013 02:07 PM

Re: Unable to create users on BES10
 
I solved my problem: the mailbox of the user was a linked mailbox. I used this KB, "How to Convert a Mailbox: Exchange 2007 Help", to convert it to a standard mailbox, and by miracle the attribute msExchMasterAccountSid disappeared. After this I was able to add my user and activate his Z10 and his PlayBook on his account without problem.

Thanks for your help.

Cheers.
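
The check that recurs through this thread, whether an account carries msExchMasterAccountSid, written out as an added PowerShell example (not posted by anyone in the thread and not BlackBerry's own tooling). It is read-only, assumes the ActiveDirectory RSAT module, and uses a placeholder domain controller name; the function name is hypothetical.

```powershell
# Added example: list accounts in the resource domain that carry
# msExchMasterAccountSid (linked mailboxes), show whether each account is
# enabled, and resolve the SID to the master account in the user domain.
Import-Module ActiveDirectory

$ResourceDc = 'dc01.resource.example'   # placeholder DC, not from the thread

function Get-LinkedMailboxAccount {     # hypothetical helper name
    param([Parameter(Mandatory)][string]$Server)

    Get-ADUser -Server $Server -LDAPFilter '(msExchMasterAccountSid=*)' `
               -Properties msExchMasterAccountSid, mail |
    ForEach-Object {
        $sid = $_.msExchMasterAccountSid
        # Some providers hand the attribute back as raw bytes; normalise it.
        if ($sid -is [byte[]]) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)
        }
        # Resolve across the trust; keep the raw SID if it cannot be mapped
        # (orphaned SID or account domain unreachable from this host).
        try {
            $master = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $master = "unresolved ($sid)"
        }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Mail           = $_.mail
            Enabled        = $_.Enabled
            MasterAccount  = $master
        }
    }
}

Get-LinkedMailboxAccount -Server $ResourceDc |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Rows with a populated MasterAccount are the linked mailboxes the posters above could not add; an "unresolved" entry points at a trust or name-resolution gap between the two forests from the machine running the query.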


All times are GMT -5.