Many thanks for the input.
In the test enviroment we have a 4.1 Bes setup with MDS running and are testing devices with 4.0 and 4.1. For test purposes the CRL is located locally at the moment.
Thanx for the info about the 2003 ldap queries. It took a little bit of playing around to figure out that anonymous wasn't allowed by default. Somehow when using the "default" LDAP server settings on the devces, we receive an error. Maybe it is due to the simple authentication which is currently required on the 2003 DC. There does not seem to be a setting on the MDS which handles this (authentication type)? When defining the settings for the ldap server directly on the device instead of using the default, it works fine.
Surprisingly enough, there does not appear to be an predefined IT Policy Template which would allow pushing the setting for LDAP, CRL, etc. This would certainly be a big help if it were available.
@jibi; I am not to sure if I understand your question directly, but the S/MIME package mut be installed via the desktop manager (application launcher) on every device which uses S/MIME encryption. There appears to be no possibilty of pushing it OTA.
One thing I was wondering is if there are any advantages to upgrading all BESs to 4.1 prior to deploying S/MIME or it would be ok to continue using the 4.0 servers?