How to decomission Blackberry Enterprise Server Express 5.0 from our Exchange 2010 environment

It is inevitable that more and more organisations will be moving away from Blackberry more and more as the domination of iOS, Android and Windows Mobile continue to dominate the handset market. Well we have come to that point in now, where we have had a BES server running for over a year without a single user connecting to it, and now it is time to remove the server the right way.

After trawling through the labyrinth we call the internet it surprised me that finding all the information simply was not in the one place. Admittedly the uninstallation of BES is quite an easy task there are a number of tasks to do before and after… and ill show you what they are.

The homework

So you know you have Blackberry Enterprise Server infrastructure and you want it gone… where do you start? Well in my scenario it was quite easy as I only had the one BES server for our entire organisation. Should you have more than one, I suggest you find additional articles on high availability as a supplement to this article.

There are a number of pieces of information we need to get in order to clean the network of this infrastructure.

  1. Active Directory account name – even if you know what is being used, double check that the account in question is actually the one. To do this, open Blackberry Server configuration from the BES server with elevated privileges, and click on the Administration Service – AD Settings tab:
    In my instance, I used the name besxadmin so I know that is the account I will have to revoke permissions in AD.
  2. Verify that the same account is in the MAPI Profile under Blackberry Server tab. It should look similar to the below screenshot. I cant imagine how the system would work if these two accounts were different but just in case its easy to check.
  3. SQL Database connectivity – Check on the Database Connectivity tab to see where the database lives. In my situation this database lives on a separate SQL server, and i have now documented that I will need to remove the database, and adjust the backup software to no longer look for that database.
  4. Verify that there is only one last server in the Blackberry Administration Server website. From my brief reading of other articles, you should decommission all servers one by one before removing BES from the entire organisation. This view displays all the servers present in the BES domain – should there be more than one then I recommend rectifying that first.
  5. Provisioned users – Lastly make sure you still don’t have any provisioned users out there. Simply click on User -> Manage Users to see if there are any provisioned users with devices. It should look something similar to the below screenshot. As you can see I only have the BES account and an administrative account. All other users have been removed.
  6. Verify all devices/systems where you have allowed Blackberry traffic to flow as an exception. Things like SRP data (inbound and/or outbound). In my environment I had two firewalls with Port 3101 allowed for the server address. Document this as you will need to remove it in the clean up stage.

The Uninstallation

Now you should be ready to uninstall you server. This step is very simple, but depends on how you have your environment configured. Here are the scenarios that came to mind:

  1. Dedicated BES server with database on same server
    SOLUTION: Shut down the server, and take it off the Active Directory domain
  2. Dedicated BES server with Database on different server
    SOLUTION: Shut down the server, and take it off the Active Directory domain. Then remove database from your existing database server
  3. BES on existing server (like your Exchange server)
    SOLUTION: Stop all blackberry services (refer to screenshot). Go to Control Panel -> Add/Remove Programs (or Programs and Features) and uninstall Blackberry Enterprise Server completely.

    Stop highlighted Blackberry services before uninstalling

So in my situation, this was option 2, I simply shut down the server and detached the database from our SQL Server.

The Clean-up

Finally there is the clean-up tasks we need to do. Firstly we will start with removing BES admin account Active Directory Access Control List. These are pretty simple to undo if you followed the BES installation instructions, which suggested delegating rights at the domain level. It makes things easy to undo because the setting should be only in one area. Below is a screenshot of our domain security permissions where the BES account was configured. Simply deleting this will remove all inherited permissions as well.

Notice how the permissions only apply to descendant User objects.

Once this account is removed, go into Exchange and disable the Blackberry service mailbox. The specific details should have been documented in the homework section. This is very straightforward – I’m sure most know how to do this.

After the mailbox has been disabled, we disable the AD account, change the password and move to a dedicated OU. You may choose to delete the account should you want to.

EDIT: Following Section Added – Thanks to Oliver Weber for pointing out
When implementing BES you need to create a Throttling Policy within Exchange. This policy becomes redundant and is best to clean up Exchange and remove this policy.
Get the Policy Name. You need to get the name of the policy that was created at the time of install. I called mine BESPolicy personally but this was decided at time of installation. Run the following command to find out what the name was, and make sure its not your default policy.

Get-ThrottlingPolicy | fl Name, IsDefault

My results were are here, and I can clearly see my policy for BES was not set to default.

powershell bespolicy

From here we can safely remove the redundant policy. To do this we must remove this policy from all mailboxes, then delete the throttling policy. Run the below script to set the default policy on all users that has your BES policy set (in my case thats BESPolicy) and remove the policy from Exchange.

$policy = Get-ThrottlingPolicy BESPolicy;
$mailboxes = Get-Mailbox | where-object {$_.ThrottlingPolicy -eq $policy.Identity};
$defaultPolicy = Get-ThrottlingPolicy | where-object {$_.IsDefault -eq $true};
foreach ($mailbox in $mailboxes)
{
Set-Mailbox -Identity $mailbox.Identity -ThrottlingPolicy $defaultPolicy;
}
Remove-ThrottlingPolicy BESPolicy;

Seeing we had a dedicated SQL server for multiple databases, I have to detach the BES database from our SQL server, and remove it from our backup list. Due to the different software/methods of doing this I will not document this as each case may differ slightly.

And lastly we have a firewall rule that we removed. This was a simple firewall rule that allowed the server to talk to the Blackberry servers. You may need to get your networking guys to do this.

End result should be a clean environment with no presence of the BES server or its lingering configuration.

Questions and comments welcome,
Ivan

Leave a comment ?

13 Comments.

  1. WOW! You really must know your sh*t. Wanna come work for me?

  2. Hi Ivan, will the uninstallation require a reboot or downtime for exchange users? In my environment BB Express server 5 installation is on the same server as the exchange 2003. Cheers, james

    • Hi James,
      I believe that an uninstall of BES when on the same server as Exchange will require a reboot, however the only reason for the reboot is to successfully uninstall the BES software, and remove any port bindings\system level configure that it has created and needs a reboot to complete removal.

      If I were you I would decommission the BES server, and at the stage of uninstalling I would simply open services.msc, and disable the services for BES. When you plan your next outage you could go ahead an uninstall the software to clean it up. My next recommendation (not sure how you go with licensing though) is to migrate to Exchange 2010 – you will not be disappointed.

      Cheers,
      Ivan

  3. Hi Ivan,
    Super thank you. The uninstall is actually part of the move to Exchange 2010. I was planning to uninstall BES cleanly and then introduce 2010 into the exchange 2003 organisation, move mailboxes over, public folders etc, decommission 2003 out of the organisation then install BES cleanly onto the new exchange server. I would then provision the handsets to the new server. Not bothered about doing an actual BB migration as such as there were only ever a couple of test handsets on the server anyway. There will be many more on 2010.

    Cheers for the info,
    James

  4. Oliver Weber

    I think at least in Exchange 2010 SP1, there is a BES throttling policy that you most likely want to remove…

  5. Filip Szymarek

    There is another thing you may want to remember in the clean up section. The FullAccess permission to mailboxes for BESXadmin user. In my case it was added at mailbox database level and inherited to all mailboxes. You may want to remove that permission as it is obsolete with BESXadmin user disabled.

  6. If I just delete the BESAdmin account will it clean everything up for me?

    • Hi Rob,
      No, you will still have the objects in AD/Exchange configured. If you deleted the account they would represent as a SID instead of their name, and it makes it difficult to resolve.
      The guide really is not difficult to decommission completely. Keep in mind, if you simply turn off the server then it wont work anymore. If you leave the config as it is it wont affect any other system, but it will be messy in years to come. Best practice is to undo what you have done, so that none of those custom configs can cause issues in the future.
      Cheers,
      Ivan

  7. Hi, excuse for my english.
    I am a new administrator, and we leave blackberry for another OS.
    I read this post with attention, but I just want if is it safe to copy and past the powershell script and I run it. I still do not know powershell and I am afraid to crash server with this script.
    Thanks in advance,
    José

    • Hi Jose,
      The PowerShell is a simple script. Firstly you run the first line of code. This will list all throttle policies you have. Here you should see only a couple\few for a simple environment. Record the name of the one for BES, chances are it has BES in the name, or Blackberry.
      Once you have that name, replace the last word of the fist line of the script in this post. The script will do some simple steps to get all users who have a this policy set, and change it to the default policy that the rest of users are on.
      this is a simple script that wont affect the server functionality or stability. This task can only be changed using PowerShell. Think of it as an automated way of clicking on each user and removing the setting, clicking ok and doing the process a 100 times. All the script does is automate it.
      Hope it helps – if you are still hesitant feel free to contact me directly and ill be happy to help.
      Ivan

Leave a Reply

QR Code Business Card
%d bloggers like this: