Configuring Microsoft Active Directory authentication in an environment that includes a resource forest

If your organization's environment includes a resource forest that is dedicated to running Microsoft Exchange, you can configure Microsoft Active Directory authentication for BlackBerry device users that have user accounts that are located in trusted account forests.

If a resource forest exists in your organization's environment, you must install BlackBerry Enterprise Service 10 in the resource forest. In the resource forest, you create a mailbox for each user account and associate the mailboxes with the user accounts. When you associate the mailboxes in the resource forest with user accounts in the account forests, the user accounts obtain full access to the mailboxes and the user accounts in the account forests are connected to the Microsoft Exchange server.

To authenticate users who log in to the BlackBerry Administration Service, the BlackBerry Administration Service must read the user information that is stored in the global catalog servers that are part of the resource forest. To configure the BlackBerry Administration Service to authenticate user accounts that are associated with mailboxes in the resource forest, you must create a Microsoft Active Directory account for the BlackBerry Administration Service that is located in a Windows domain that is part of the resource forest. During the installation process, you provide the Windows domain, username, and password for the Microsoft Active Directory account, and, if required, the names of the global catalog servers that the BlackBerry Administration Service can use. You can change the Windows domain, username, and password for the Microsoft Active Directory account and global catalog servers after the installation process completes.
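Because an associated account-forest user gets full access to the mailbox, it is worth auditing those associations from the directory data held in the resource forest. The following sketch is an added example, not part of the BlackBerry or Microsoft documentation. It assumes the association is stored as Exchange linked mailboxes store it (the `msExchMasterAccountSid` attribute on a disabled resource-forest account) and uses constructed entries in place of a live global catalog query; all function names, DNs and SIDs are hypothetical.

```python
import struct

ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled

def sid_to_str(raw):
    """Decode a binary SID, as LDAP returns it, into S-1-... text."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def audit_linked_mailboxes(entries, trusted_domain_sids):
    """Return (dn, problem) pairs for resource-forest mailbox accounts."""
    findings, seen = [], {}
    for e in entries:
        dn, raw = e["dn"], e.get("msExchMasterAccountSid")
        if not raw:
            findings.append((dn, "no linked master account"))
            continue
        try:
            sid = sid_to_str(raw)
        except ValueError:
            findings.append((dn, "unreadable master account SID"))
            continue
        # Domain SID = account SID without its final RID component.
        if sid.rsplit("-", 1)[0] not in trusted_domain_sids:
            findings.append((dn, "master account outside trusted forests: " + sid))
        if not e.get("userAccountControl", 0) & ACCOUNTDISABLE:
            findings.append((dn, "resource-forest account is enabled"))
        if sid in seen:
            findings.append((dn, "master account already linked to " + seen[sid]))
        seen.setdefault(sid, dn)
    return findings

def make_sid(*subs):  # builds constructed sample SIDs only
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

# Constructed sample data: DNs, SIDs and domain names are made up.
ACCT = (21, 1111111111, 2222222222, 3333333333)  # trusted account-forest domain
TRUSTED = {"S-1-5-21-1111111111-2222222222-3333333333"}
SAMPLE = [
    {"dn": "CN=alice,DC=resource,DC=example", "userAccountControl": 0x202, "msExchMasterAccountSid": make_sid(*ACCT, 1104)},
    {"dn": "CN=bob,DC=resource,DC=example", "userAccountControl": 0x200, "msExchMasterAccountSid": make_sid(*ACCT, 1105)},
    {"dn": "CN=carol,DC=resource,DC=example", "userAccountControl": 0x202, "msExchMasterAccountSid": make_sid(21, 444444444, 555555555, 666666666, 1104)},
    {"dn": "CN=dave,DC=resource,DC=example", "userAccountControl": 0x202},
]

if __name__ == "__main__":
    for dn, problem in audit_linked_mailboxes(SAMPLE, TRUSTED):
        print(dn, "->", problem)
```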

For more information, visit technet.microsoft.com to read "Using a Dedicated Exchange forest".