Prerequisites: Using the BlackBerry Directory Sync Tool
- The user accounts that you want to synchronize from Microsoft Active Directory groups must have matching user accounts on the BlackBerry Device Service or Universal Device Service. If matching user accounts do not exist on the server instance, add the user accounts manually, or enable provisioning so that the tool can add the user accounts during the synchronization process. For more information about the provisioning feature, see Configure provisioning options.
- The Windows account that you use to run the tool must have read permissions for Microsoft Active Directory.
- The administrator account that you configure the tool to use must exist on every server instance that you want the tool to connect to. The administrator account must have one of the following roles, or a role with equivalent permissions: Security Administrator, Enterprise Administrator, Senior Helpdesk Administrator.
- By default, the tool cannot synchronize changes to BlackBerry Enterprise Service 10 groups that have more than 2000 members. If you want to synchronize changes to groups that have more than 2000 members, change the maximum group size limit in the configuration file (DirectorySync.exe.config). For more information about changing the configuration file, see Change the performance and configuration settings for the BlackBerry Directory Synchronization Tool.
- If your organization uses property names for group names, email addresses, or display names that are not standard, add the property names to the configuration file (DirectorySync.exe.config) so that the tool can retrieve information from Microsoft Active Directory. For more information about adding property names, see Change the performance and configuration settings for the BlackBerry Directory Synchronization Tool.
- If any of the Microsoft Active Directory groups that you want to synchronize have nested subgroups, decide if you want to synchronize the membership of the subgroups as well.
- If you enable provisioning and deprovisioning, it is a best practice to add and remove user accounts from the server instance using the tool only, instead of adding and removing the user accounts manually using the administration console. If you enable deprovisioning and configure the tool to be able to remove user accounts, the tool requires that every user account must exist in a Microsoft Active Directory group that is mapped to a virtual provisioning group. If you enable deprovisioning and do not configure and maintain provisioning mappings, the tool could remove user accounts from the server instance unexpectedly.
- It is a best practice to run the tool during low-usage periods. Depending on the number of changes that must be synchronized, the tool might have a performance impact on your organization's environment.
- It is a best practice to always preview the provisioning and synchronization process so that you can verify that the changes will occur as expected.
Was this information helpful? Send us your comments.