BlackBerry Forums Support Community
Old 05-12-2005, 01:40 PM   #1
merlin
Thumbs Must Hurt
 
Join Date: Jan 2005
Location: Yorkshire, England
Model: 8800
PIN: 2059E07F
Carrier: O2 UK
Posts: 114
Default Installing BES

Evening all.

I currently have BES 4 / MSDE installed and am going to upgrade the server so will be doing a fresh install.

I am aware of the things to consider and will also be copying the MSDE databases over to the new machine.

Question is: When I installed it on the current server, I logged on using the Administrator account. So all the services etc. are running as Administrator.

On the new install, I want to install it so everything runs as our domain serviceaccount. Am I right in presuming that if I log on the server as my domain serviceaccount, when I run the setup it will prompt me for the serviceaccount password and install with everything running as serviceaccount?

Also, do I need to make any changes to the BES database files I will be copying from the current install? I am presuming that I will need to add my domain serviceaccount into the local machine administrators group and everything will be ok.

Any comments etc welcome
Merlin
Old 05-12-2005, 03:09 PM   #2
bfrye
BBF Veteran User
 
Join Date: Aug 2004
Location: Hotwiring another Cessna
Model: OU812
Carrier: Nintendo
Posts: 3,492
Default

I was just speaking about this with RIM about 10 mins ago.

As far as running as a domain admin account. This is not recommended. They don't have any documented bugs with doing this, but they do say they have noticed quirky things happening when running this way. Recommended it to run as the local system account.

As far as the BES database files. There is a knowledgebase article on this on RIM's site somewhere. Search for it, I only know about the groupwise one. But you will have to update the database with the new servicename and machinename.
Old 05-12-2005, 03:18 PM   #3
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144
Default

> Recommended it to run as the local system account.

LocalSystem?? I don't see how that could work. LocalSystem won't be able to have required permissions on the mail server, among other things. What the docs recommend is a Domain User account that is a member of the local Administrators group, among other very specific requirements. See "Configuring Required Permissions" in Install.pdf.

I certainly agree with not using Administrator or any account that's a member of Domain Admins...Principle of Least Permissions.

To the OP, yes, you need to log on under the service account credentials whenever you run BES setup, including service packs & hotfixes.
Old 05-12-2005, 03:26 PM   #4
bfrye
BBF Veteran User
 
Join Date: Aug 2004
Location: Hotwiring another Cessna
Model: OU812
Carrier: Nintendo
Posts: 3,492
Default

Quote:
Originally Posted by JRV
> Recommended it to run as the local system account.

LocalSystem?? I don't see how that could work. LocalSystem won't be able to have required permissions on the mail server, among other things. What the docs recommend is a Domain User account that is a member of the local Administrators group, among other very specific requirements. See "Configuring Required Permissions" in Install.pdf.

I certainly agree with not using Administrator or any account that's a member of Domain Admins...Principle of Least Permissions.

To the OP, yes, you need to log on under the service account credentials whenever you run BES setup, including service packs & hotfixes.
It's possible that exchange is different from groupwise then... as groupwise permissions have nothing to do with domain admin rights on a windows network. With groupwise, you setup a trusted application key that is exchanged between BES and the primary domain. That allows BES to be able to access accounts within groupwise, I assume, in the same manner they are accessed in exchange then.
Old 05-12-2005, 03:42 PM   #5
DoomBringer
Talking BlackBerry Encyclopedia
 
Join Date: Feb 2005
Model: 7280
Carrier: cingular, no wait, AT&T
Posts: 300
Default

I installed 3.6.2 BES with Exchange 2003 and I followed the directions in the manual, which detailed how to give the correct permissions to the BES accounts for the Exchange server. Only one or two needed certain permissions, none of which were admin rights. The ones I remember were the ability to read and write to the mailbox store. The one account needed local admin, but not domain admin. Running anything as domain admin would probably be a horribly bad idea.
Old 05-12-2005, 06:54 PM   #6
jibi
BlackBerry God
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Default

Quote:
Originally Posted by merlin
Am I right in presuming that if I log on the server as my domain serviceaccount, when I run the setup it will prompt me for the serviceaccount password and install with everything running as serviceaccount.
Yep. It's the next to last step, I believe.

Quote:
Originally Posted by merlin
Also, do I need to make any changes to the BES database files I will be copying from the current install? I am presuming that I will need to add my domain serviceaccount into the local machine administrators group and everything will be ok.
You won't need to make any changes to the database - just copy it over and point the installation to it (and choose Upgrade the database). As for permissions, just make sure you read the Installation instructions. You will add it to the local Administrators group, and you will also add it into the local security policy. This is all specified in the Installation instructions, though.

Keep the BES Virtual Server Name, the BES Service Account, the SRP Identifier, and the SRP Authentication Key the same. Be sure the current server is shut down prior to installing on the new server (no concurrent SRP sessions should be running), and for safety's sake, set the BES services to Manual startup on the current server prior to shutting it down.

I'm not sure if you currently have the BES Domain Service Account designated as the BES Admin mailbox. If you do not (instead having the domain Administrator account specified), then you may have some issues with your users and they will have to reactivate (I believe... just keep this in mind). Otherwise, they will not have to do so.
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.
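The shutdown step jibi describes (stop the BES services on the old server and set them to Manual so they cannot come back up and open a second SRP session) is easy to do by hand but also easy to leave half-finished. The following PowerShell script is an added example, not code from the thread or from RIM; it assumes the BES service display names start with "BlackBerry" (a constructed pattern you should verify in services.msc) and is meant to be run elevated on the old server just before it is powered off.

```powershell
# Added example (not from the thread or from RIM): on the OLD BES server,
# stop every BES service, set it to Manual startup, then verify that nothing
# is still running or still set to Automatic before the box is shut down.
# Assumption: BES service display names match 'BlackBerry*'.

$pattern = 'BlackBerry*'

$services = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue
if (-not $services) {
    throw "No services matching '$pattern' found; check the display names in services.msc"
}

foreach ($svc in $services) {
    if ($svc.Status -ne 'Stopped') {
        # -Force also stops dependent services so the stop does not hang.
        Stop-Service -Name $svc.Name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
    # Manual (not Disabled) keeps the old server usable as a fallback
    # without letting the services start on their own at boot.
    Set-Service -Name $svc.Name -StartupType Manual
}

# Verification pass: anything still running, or still Automatic, is a problem.
$leftover = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.DisplayName -like $pattern -and
        ($_.State -ne 'Stopped' -or $_.StartMode -eq 'Auto')
    }

if ($leftover) {
    $leftover | Format-Table DisplayName, State, StartMode -AutoSize
    throw 'One or more BES services are still running or set to Automatic'
}

"All services matching '$pattern' are stopped and set to Manual; safe to shut down."
```

Run it once, read the verification output, and only then shut the server down; the throw on the verification pass is deliberate so that a scripted shutdown chained after it will not proceed while a BES service is still up.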
Old 05-12-2005, 10:18 PM   #7
corey@12mile
BlackBerry Extraordinaire
 
Join Date: Dec 2004
Location: in a house...
Model: lots
Carrier: Rogers
Posts: 1,148
Default

The service account that BES runs under has nothing to do with security on the mail server. That is why you create a BESAdmin account. The BES server uses the BESAdmin account to connect to Domino using NRPC, and to Exchange using MAPI, authenticating as BESAdmin, not what the services are running as.

cd.
Old 05-12-2005, 10:33 PM   #8
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144
Default

Quote:
Originally Posted by corey@12mile
The service account that BES runs under has nothing to do with security on the mail server.
Yes and no. An over-privileged account is a potential security risk, on the mail server or any other. Within Exchange, in fact, Domain Admins (by default) lack permissions that BES requires. (Can't speak for Domino...no experience with it.) So yes, in that sense, using a Domain Admin account does not compromise Exchange security.

It does, however, compromise overall system security. If you're arguing that using a service account that is a member of Domain Admins is a good idea when Domain Admin privileges are not actually needed by the service in question, a lotta folks in the IS biz are gonna disagree with you!
Old 05-12-2005, 11:48 PM   #9
jibi
BlackBerry God
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Default

Quote:
Originally Posted by JRV
It does, however, compromise overall system security. If you're arguing that using a service account that is a member of Domain Admins is a good idea when Domain Admin privileges are not actually needed by the service in question, a lotta folks in the IS biz are gonna disagree with you!
Old 05-13-2005, 07:28 AM   #10
corey@12mile
BlackBerry Extraordinaire
 
Join Date: Dec 2004
Location: in a house...
Model: lots
Carrier: Rogers
Posts: 1,148
Default

JRV.. My response was directly related to this quote from you. I should have quoted it to begin with. I still don't understand why people just don't follow the install instructions from RIM... do they know more than the people at RIM about what is needed to run BES?


Quote:
Originally Posted by JRV
> Recommended it to run as the local system account.

LocalSystem?? I don't see how that could work. LocalSystem won't be able to have required permissions on the mail server, among other things.
Old 05-13-2005, 07:35 AM   #11
corey@12mile
BlackBerry Extraordinaire
 
Join Date: Dec 2004
Location: in a house...
Model: lots
Carrier: Rogers
Posts: 1,148
Default

Now that I have read everything again, because I haven't had a coffee yet... I will once again say... the service account that BES runs under _has nothing to do with security on the mail server_, mail server being the software (Domino, Exchange, GW).

If people followed the instructions to setup BES, the services would run under LocalSystem, which is what nearly every service runs under in Windows. You then create the BESAdmin account for the mail checking, which doesn't need any rights at all in the directory other than a few settings in Exchange, Domino, GW.

cd.
Old 05-13-2005, 08:06 AM   #12
JRV
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Houston, TX USA
Model: 7130e
Carrier: Verizon
Posts: 144
Default

I'm all for running under LocalSystem if that's what a service needs (but, discussed in the context of the Principle of Least Permission, it must be noted that's actually a VERY privileged account within the local computer).

But when I set up BES/Exchange, I didn't specify which services would run under which credentials. BES Setup did. I just furnished the name and password of the BES account when prompted. Setup used it for every service except the Attachment service, which was, in fact, set to LocalSystem.

Further, I just did a search in every PDF furnished with BES 4.0/Exchange for the word LocalSystem. There were zero hits. None. On Blackberry.com, there were 2 hits in the 4.0/Domino & 4.01/Domino release notes, both referring to Domino's service account, not BES's.

So which BES documentation are you referring to, Corey? I read and followed every word.
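The disagreement in this thread comes down to a question you can answer on the box itself: which account does each BES service actually log on as, and is that account more privileged than the documented requirement (a domain user that is a member of the local Administrators group, per the "Configuring Required Permissions" section JRV cites)? The following PowerShell audit is an added example, not code from the thread, from RIM, or from any BES documentation. It assumes BES service display names match 'BlackBerry*' (a constructed pattern) and that the ActiveDirectory module is available for the Domain Admins check; if it is not, that check is skipped and the other checks still run.

```powershell
# Added example (not from the thread or from RIM): list the logon account of
# every BES service and flag accounts that exceed the documented requirement
# (domain user in local Administrators). Assumptions: display names match
# 'BlackBerry*'; the ActiveDirectory module is present for the Domain Admins
# lookup (skipped if absent). Run elevated on the BES server.

param(
    [string]$ServicePattern    = 'BlackBerry*',   # assumed display-name pattern
    [string]$DomainAdminsGroup = 'Domain Admins'
)

# Built-in identities; these are not domain accounts and get their own verdict.
$builtIn = @('LocalSystem',
             'NT AUTHORITY\LocalService',
             'NT AUTHORITY\NetworkService')

# Resolve Domain Admins (recursively) once, as SamAccountNames.
$domainAdmins = @()
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domainAdmins = Get-ADGroupMember -Identity $DomainAdminsGroup -Recursive |
        Select-Object -ExpandProperty SamAccountName
}

# Local Administrators membership as 'DOMAIN\user' / 'COMPUTER\user' strings.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $ServicePattern }

foreach ($svc in $services) {
    $account = $svc.StartName      # the service's logon account
    $verdict = 'OK: domain user in local Administrators'

    if ($builtIn -contains $account) {
        $verdict = 'built-in account (no domain identity)'
    }
    else {
        $sam = ($account -split '\\')[-1]          # strip the DOMAIN\ prefix
        if ($domainAdmins -contains $sam) {
            $verdict = 'WARN: member of Domain Admins (over-privileged)'
        }
        elseif ($sam -ieq 'Administrator') {
            $verdict = 'WARN: built-in Administrator account'
        }
        elseif ($localAdmins -notcontains $account) {
            $verdict = 'NOTE: not in local Administrators (check Install.pdf requirements)'
        }
    }

    [pscustomobject]@{
        Service   = $svc.DisplayName
        StartMode = $svc.StartMode
        Account   = $account
        Verdict   = $verdict
    }
}
```

The output is one row per BES service, so JRV's observation (every service under the supplied BES account except the Attachment service, which Setup put under LocalSystem) shows up directly as a mix of "OK" and "built-in account" rows; a "WARN" row is the over-privileged case both JRV and DoomBringer argue against.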
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.