- The user accounts that you want to synchronize from Microsoft Active Directory groups must have matching user accounts on the BlackBerry Enterprise Server. If matching user accounts do not exist on the BlackBerry Enterprise Server, add the user accounts manually, or enable provisioning so that the tool can add the user accounts to the BlackBerry Enterprise Server during the synchronization process. For more information about the provisioning feature, see Configure provisioning options.
- The Windows account that you use to run the tool must have read permissions for Microsoft Active Directory.
- The administrator account that you configure the tool to use must exist in every MDM domain that you want the tool to connect to. In a BlackBerry Enterprise Server or BlackBerry Enterprise Server Express environment, the administrator account must have a role with permissions to view and edit groups, and to create and delete user accounts.
- By default, the tool cannot synchronize changes to BlackBerry Enterprise Server groups that have more than 2000 members. If you want to synchronize changes to BlackBerry Enterprise Server groups that have more than 2000 members, change the maximum group size limit in the configuration file (DirectorySync.exe.Config). For more information about changing the configuration file, see Change the performance and configuration settings for the BlackBerry Directory Synchronization Tool.
- If your organization uses property names for group names, email addresses, or display names that are not standard, add the property names to the configuration file (DirectorySync.exe.Config) so that the tool can retrieve information from Microsoft Active Directory. For more information about adding property names, see Change the performance and configuration settings for the BlackBerry Directory Synchronization Tool.
- If any of the Microsoft Active Directory groups that you want to synchronize have nested subgroups, decide if you want to synchronize the membership of the subgroups as well.
- If you enable provisioning and deprovisioning, it is a best practice to add and remove user accounts from the BlackBerry Enterprise Server using the tool only, instead of adding and removing the user accounts manually using the BlackBerry Administration Service. If you enable deprovisioning and configure the tool to be able to remove user accounts, the tool requires that every user account on the BlackBerry Enterprise Server exists in a Microsoft Active Directory group that is mapped to a virtual provisioning group. If you enable deprovisioning and do not configure and maintain provisioning mappings, the tool could remove user accounts from the BlackBerry Enterprise Server unexpectedly.
- It is a best practice to run the tool during low-usage periods. Depending on the number of changes that must be synchronized, the tool might have a performance impact on your organization's environment.
- It is a best practice to always preview the provisioning and synchronization process so that you can verify that the changes will occur as expected.
Was this information helpful? Send us your comments.