We have been doing some work for a customer around creating new mailbox databases and moving users around into these new databases.
After moving a number of users, we began getting calls from them to say their BlackBerrys had stopped syncing. I had a look around and found the following BlackBerry article:
This describes that if you create a new mailbox database you need to ensure the BlackBerry service account has the following permissions on the mailbox database itself:
Administer information Store
Receive As
View information store status
To check what the other mailbox dbs had I ran:
Get-MailboxDatabase -Identity "*MailboxDatabase*" | Get-ADPermission | Where-Object { ($_.ExtendedRights -like "*receive*" -or $_.ExtendedRights -like "*ms-Exch-Store-Visible*" -or $_.ExtendedRights -like "*ms-Exch-Store-ad*") -and ($_.User -like "*BESadmin*") } | Select-Object Identity, User, ExtendedRights, IsInherited | ft -Wrap
And sure enough it showed:
You can check in ADSI Edit too:
Configuration > Services > Microsoft Exchange > FQDN > Administrative Groups > Exchange Administrative Group (F…) > Databases > Properties on the DBs > Security.
So to add the required permission I ran:
Get-MailboxDatabase -Identity "NewMailboxDatabase" | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin, ms-Exch-Store-Visible
After that the service books were resent to the affected users’ devices and all started syncing again.
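The check above can be turned into a report that lists every mailbox database where the service account is missing one of the three rights, so a newly created database is caught before users are moved into it. This is an added example, not part of the original post; it assumes the account matches "*BESAdmin*" as in the query above and uses only syntax that works in the PowerShell 2.0 based Exchange Management Shell.

```powershell
# Added example: report mailbox databases where the BES service account lacks
# any of the three extended rights named in the post.
# Assumption: the account name matches '*BESAdmin*', as in the post's query.
$account  = '*BESAdmin*'
$required = 'Receive-As', 'ms-Exch-Store-Admin', 'ms-Exch-Store-Visible'

$report = foreach ($db in Get-MailboxDatabase) {
    # All ACEs (explicit or inherited) on this database that name the account
    # and carry at least one extended right.
    $aces = @($db | Get-ADPermission |
        Where-Object { $_.User -like $account -and $_.ExtendedRights })

    # Split into Allow and Deny, flattening ExtendedRights to plain strings.
    $granted = @($aces | Where-Object { -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" } |
        Sort-Object -Unique)
    $denied = @($aces | Where-Object { $_.Deny } |
        ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" } |
        Sort-Object -Unique)

    # A required right counts as missing when it is not granted or is denied.
    $missing = @($required | Where-Object {
        ($granted -notcontains $_) -or ($denied -contains $_)
    })

    New-Object PSObject -Property @{
        Database = $db.Name
        Granted  = $granted -join ', '
        Denied   = $denied -join ', '
        Missing  = $missing -join ', '
    }
}

# Only databases that still need attention are shown.
$report | Where-Object { $_.Missing } |
    Select-Object Database, Granted, Denied, Missing |
    Format-Table -Wrap
```

Any database listed here can be fixed with the Add-ADPermission command above. Receive-As at database level lets the account open every mailbox in that database, so keep the grant limited to the BES service account.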
Hope it helps!