UPDATE: We have now released the hotfix that corrects this issue for Exchange 2003 SP2. The article is: 930241 The Exchange 2003 database does not mount, and event IDs 9518 and 9519 are logge...
Updated Jul 01, 2019
Version 2.0
Blog Post
Hi Everyone:
Last night I had the honor of swimming through the sea of Exchange, BES and the DST update and here's what bit me in the butt and how to address it.
First things first, Microsoft really should state that this will impact BES and other apps and not as they've said "May Affect". In my opinion that it's weak writing that they did to not draw attention to the fact that the change they are forcing out will break these other apps.
My first mistake was that I read MS KB article 912918 with the current mindset. The article points out that store.exe version 6.5.7650.xx and later are affected by the Send As permission change. I looked at my server which was running 6.5.7638.xx and felt that I was in the clear. The factor that I left out was that my store.exe version after installing the patch is 6.5.7651.61, which will be impacted.
In reading the articles there is a way to block some of these changes, but as it was a late night, I cannot find it. I do have the solutions from Microsoft on how to deal with this issue.
Grant the BES Service account Send As permissions to all standard users:
Open ADUC and access the properties on the domain mydomain.com and add the BES service account with Send As permissions on User Objects. This should be done on all domains that have BES user accounts.
907434 - Priveledged Accounts settings are applied differently:
If you have a BES account that is a member of a Priveledged group (domain admin, dhcp admin, etc..) the ADMINSDHOLDER is a security template that applies a specific set of security permissions to all Priveledged accounts. This is done to help prevent the admin accounts from being compromised. You will have to run the DSACLS command listed in kb 907434 on each domain to grant the BES service account Send As permissions to the template.
After making these changes you will need to down the BES services for at least 20-30 minutes to clear the cache. Further, it took my environment 2 hours to fully replicate the settings in to the AD, Information Store and BES Router. I don't know why it took so long as the primary systems are in the same site, but it did.
Have patience and I hope this saves all of you the sleep I missed out on.
Good Luck!
Jim
Last night I had the honor of swimming through the sea of Exchange, BES and the DST update and here's what bit me in the butt and how to address it.
First things first, Microsoft really should state that this will impact BES and other apps and not as they've said "May Affect". In my opinion that it's weak writing that they did to not draw attention to the fact that the change they are forcing out will break these other apps.
My first mistake was that I read MS KB article 912918 with the current mindset. The article points out that store.exe version 6.5.7650.xx and later are affected by the Send As permission change. I looked at my server which was running 6.5.7638.xx and felt that I was in the clear. The factor that I left out was that my store.exe version after installing the patch is 6.5.7651.61, which will be impacted.
In reading the articles there is a way to block some of these changes, but as it was a late night, I cannot find it. I do have the solutions from Microsoft on how to deal with this issue.
Grant the BES Service account Send As permissions to all standard users:
Open ADUC and access the properties on the domain mydomain.com and add the BES service account with Send As permissions on User Objects. This should be done on all domains that have BES user accounts.
907434 - Priveledged Accounts settings are applied differently:
If you have a BES account that is a member of a Priveledged group (domain admin, dhcp admin, etc..) the ADMINSDHOLDER is a security template that applies a specific set of security permissions to all Priveledged accounts. This is done to help prevent the admin accounts from being compromised. You will have to run the DSACLS command listed in kb 907434 on each domain to grant the BES service account Send As permissions to the template.
After making these changes you will need to down the BES services for at least 20-30 minutes to clear the cache. Further, it took my environment 2 hours to fully replicate the settings in to the AD, Information Store and BES Router. I don't know why it took so long as the primary systems are in the same site, but it did.
Have patience and I hope this saves all of you the sleep I missed out on.
Good Luck!
Jim