It is inevitable that more and more organisations will be moving away from Blackberry more and more as the domination of iOS, Android and Windows Mobile continue to dominate the handset market. Well we have come to that point in now, where we have had a BES server running for over a year without a single user connecting to it, and now it is time to remove the server the right way.

After trawling through the labyrinth we call the internet it surprised me that finding all the information simply was not in the one place. Admittedly the uninstallation of BES is quite an easy task there are a number of tasks to do before and after… and ill show you what they are.

The homework

So you know you have Blackberry Enterprise Server infrastructure and you want it gone… where do you start? Well in my scenario it was quite easy as I only had the one BES server for our entire organisation. Should you have more than one, I suggest you find additional articles on high availability as a supplement to this article.

There are a number of pieces of information we need to get in order to clean the network of this infrastructure.

Active Directory account name – even if you know what is being used, double check that the account in question is actually the one. To do this, open Blackberry Server configuration from the BES server with elevated privileges, and click on the Administration Service – AD Settings tab:

In my instance, I used the name besxadmin so I know that is the account I will have to revoke permissions in AD.

Verify that the same account is in the MAPI Profile under Blackberry Server tab. It should look similar to the below screenshot. I cant imagine how the system would work if these two accounts were different but just in case its easy to check.

SQL Database connectivity – Check on the Database Connectivity tab to see where the database lives. In my situation this database lives on a separate SQL server, and i have now documented that I will need to remove the database, and adjust the backup software to no longer look for that database. Verify that there is only one last server in the Blackberry Administration Server website. From my brief reading of other articles, you should decommission all servers one by one before removing BES from the entire organisation. This view displays all the servers present in the BES domain – should there be more than one then I recommend rectifying that first.

Provisioned users – Lastly make sure you still don’t have any provisioned users out there. Simply click on User -> Manage Users to see if there are any provisioned users with devices. It should look something similar to the below screenshot. As you can see I only have the BES account and an administrative account. All other users have been removed.

Verify all devices/systems where you have allowed Blackberry traffic to flow as an exception. Things like SRP data (inbound and/or outbound). In my environment I had two firewalls with Port 3101 allowed for the server address. Document this as you will need to remove it in the clean up stage.

The Uninstallation

Now you should be ready to uninstall you server. This step is very simple, but depends on how you have your environment configured. Here are the scenarios that came to mind:

Dedicated BES server with database on same server

SOLUTION: Shut down the server, and take it off the Active Directory domain Dedicated BES server with Database on different server

SOLUTION: Shut down the server, and take it off the Active Directory domain. Then remove database from your existing database server BES on existing server (like your Exchange server)

SOLUTION: Stop all blackberry services (refer to screenshot). Go to Control Panel -> Add/Remove Programs (or Programs and Features) and uninstall Blackberry Enterprise Server completely.

So in my situation, this was option 2, I simply shut down the server and detached the database from our SQL Server.

The Clean-up

Finally there is the clean-up tasks we need to do. Firstly we will start with removing BES admin account Active Directory Access Control List. These are pretty simple to undo if you followed the BES installation instructions, which suggested delegating rights at the domain level. It makes things easy to undo because the setting should be only in one area. Below is a screenshot of our domain security permissions where the BES account was configured. Simply deleting this will remove all inherited permissions as well.

Once this account is removed, go into Exchange and disable the Blackberry service mailbox. The specific details should have been documented in the homework section. This is very straightforward – I’m sure most know how to do this.



After the mailbox has been disabled, we disable the AD account, change the password and move to a dedicated OU. You may choose to delete the account should you want to.

EDIT: Following Section Added – Thanks to Oliver Weber for pointing out

When implementing BES you need to create a Throttling Policy within Exchange. This policy becomes redundant and is best to clean up Exchange and remove this policy.

Get the Policy Name. You need to get the name of the policy that was created at the time of install. I called mine BESPolicy personally but this was decided at time of installation. Run the following command to find out what the name was, and make sure its not your default policy.

Get-ThrottlingPolicy | fl Name, IsDefault

My results were are here, and I can clearly see my policy for BES was not set to default.

From here we can safely remove the redundant policy. To do this we must remove this policy from all mailboxes, then delete the throttling policy. Run the below script to set the default policy on all users that has your BES policy set (in my case thats BESPolicy) and remove the policy from Exchange.

$policy = Get-ThrottlingPolicy BESPolicy; $mailboxes = Get-Mailbox | where-object {$_.ThrottlingPolicy -eq $policy.Identity}; $defaultPolicy = Get-ThrottlingPolicy | where-object {$_.IsDefault -eq $true}; foreach ($mailbox in $mailboxes) { Set-Mailbox -Identity $mailbox.Identity -ThrottlingPolicy $defaultPolicy; } Remove-ThrottlingPolicy BESPolicy;

Seeing we had a dedicated SQL server for multiple databases, I have to detach the BES database from our SQL server, and remove it from our backup list. Due to the different software/methods of doing this I will not document this as each case may differ slightly.

And lastly we have a firewall rule that we removed. This was a simple firewall rule that allowed the server to talk to the Blackberry servers. You may need to get your networking guys to do this.

End result should be a clean environment with no presence of the BES server or its lingering configuration.

Questions and comments welcome,

Ivan