Intelligent Message Filter, Content Filter, can do more...

WinDeveloper IMF Tune
WinDeveloper IMF Tune

Exchange 2010 Hosting Part 1 - The Hard Way

Paul Roman [MVP for Exchange, MCSE, MCSA, MCST, MCITP]

Paul Roman [MVP for Exchange, MCSE, MCSA, MCST, MCITP] Photo

Paul is a Microsoft Certified System Engineer since 1999. His experience covers a large number of Microsoft Exchange implementations starting from small infrastructures and going to large hosting infrastructures for thousands of users. Starting with April 1st, 2010, Paul is MVP for Exchange.

Cast your Vote
Poor Excellent

Hosting multiple Organizations on a single Exchange Infrastructure can give significant hardware consolidation advantages. Exchange 2010 has greatly simplified the setup of such an environment, giving us two implementation options, the hard and the easy way. Today we go down the hard way...

Starting with Exchange 2000, Microsoft had the idea to implement hosting infrastructures based on MS Exchange. To provide support for such implementations MS released Hosted Solutions add-ons, starting with "The Solution for High Volume Exchange version 1.0" based on Exchange 2000.

Up till now, Microsoft released eight versions, with the release of Hosted Messaging and Collaboration HMC version 4.5 in June 2008. HMC 4.5 was working with Exchange 2007 SP1 together with Office Communication Server 2007, SharePoint Services 3.0 and Forefront Security for MS Exchange 2007.

In Exchange 2010 SP1 there is no need for an additional tool to configure a hosting environment. All you have to do is to run the setup for Exchange 2010 SP1 with the /hosting switch. It's an easy way to configure a multi-tenant infrastructure. However some features are missing, namely:

  • Exchange Management Console
  • Public Folders
  • Unified Messaging Server Role
  • Federation
  • Business-to-Business features such as cross-premises message tracking and calendar sharing
  • IRM
  • Outlook 2003 support (EnableLegacyOutlook)
  • Edge Transport Server role

Note in this article I make extensive reference to the whitepaper:
White Paper: Configuring Virtual Organizations and Address List Segregation in Exchange 2007

Even though this was originally written for Exchange 2007, many of the instructions in this whitepaper are also applicable to Exchange 2010.

1. The Hard Way - Hosting Environment Preparation

If you still need some of the above features and also need to have an infrastructure where every tenant can see or access only its information without knowing that it is sharing the email server with other tenants you have to take the hard way. The hard way means that you have to configure some advanced permissions using mostly the ADSI editor and cmdlets to achieve your goal. Here are the steps:

In the following steps, <domain> is the distinguished name of your AD domain. For example, it could be DC=addomain, DC=local

  1. Install the Exchange servers as you would install them for a normal installation. The configuration can include all Exchange 2010 features like UM Server, Edge Server, DAG infrastructure, etc.

  2. Configure the dSHeuristics attribute to allow listing of the specific child objects even if the user does not have this right on the parent.

    Quoting directly from the referenced whitepaper, Active Directory object visibility is normally controlled by List Contents permissions on the parent object, which is an object that will only be visible to a user if the user has been granted List Contents permissions on the parent object. When a user has List Contents permission on a parent node, he or she can see and browse all objects that are children of that node without any further selectivity. This is not what we want in a hosting environment.

    Setting dSHeuristics attribute allows us to control object visibility at a more granular level on a per-object basis.

    To set this attribute, open the ADSIEdit console and connect to the Configuration naming context. There you have to edit the attribute dSHeuristics for: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<Domain>

    ...and set it to 001. For more information about dSHeuristics check here

    Change dSHeuristics to 001

  3. Remove Anonymous Logon, Authenticated Users and Everyone permissions from the All Address Lists, All Global Address Lists, Offline Address Lists and Default Global Address List, All Contacts, All Groups, All Rooms, All Users, Public Folders and Default Offline Address Book containers. This will help you to hide the existence of all the address lists on the server except the one that the user should see.

    The following should not be deleted completely. Otherwise other components would be broken and you might get into trouble:

    • Default Global Address List - if later you need to configure a Blackberry Enterprise Server infrastructure, the BES account should have rights to access the Default Global Address List in order to be able to function properly.

    • All Rooms - if you delete it, the address book in OWA will no longer work.

    • Default Offline Address Book - can be deleted, but you need to establish a new default offline address list otherwise the Offline Address Book service would not work as expected.

    To remove the rights using ADSIEdit, right click and select Properties for each of the following containers:

    • CN=All Address Lists, CN=Address Lists Container, CN=<Exchange Org>, CN=Microsoft Exchange, CN=Services, CN=Configuration, <Domain>

    • CN=All Global Address Lists, CN=Address Lists Container, CN=<Exchange Org>, CN=Microsoft Exchange, CN=Services, CN=Configuration, <Domain>

    • CN=Offline Address Lists, CN=Address Lists Container, CN=<Exchange Org>, CN=Microsoft Exchange, CN=Services, CN=Configuration, <Domain>

    • CN=Default Global Address List, CN= All Global Address Lists, CN=Address Lists Container, CN=<Exchange Org>, CN=Microsoft Exchange, CN=Services, CN=Configuration, <Domain>

    Address List Rights

    Go to the Security tab, click Advanced and deselect Allow inheritable permissions from the parent to propagate to this object and all child objects.

    Disallow Inherit Permissions

    After clicking OK, select Copy in the following message and then click Yes twice at the warning messages.

    Copy Permissions

    Warning 1

    Warning 2

    Then back to the security tab, remove permissions for Anonymous Logon, Everyone and Authenticated Users.

  4. Add List Object Permission to the address lists containers using Powershell cmdlets. This permission was enabled at the AD infrastructure in Point 2 of this article section and allows you to list from Address Lists containers only the address lists that the user is allowed to access.

    You have to run the following cmdlets from the Exchange Management Shell:

    $container = "CN=All Global Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>"

    Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject

    $container = "CN=All Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>"

    Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject

    $container = "CN=Offline Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>"

    Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject

  5. Clear the addressBookRoots and addressBookRoots2 attributes of "CN=Microsoft Exchange, CN=Services, CN=Configuration, <Domain>" container by using ADSIEdit.

    Make sure that you remove the "CN=All Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration, <Domain>" value from both attributes otherwise you may have problems with Offline Address Book creation/replication.

    Clear addressBookRoots, addressBookRoots2 attributes

  6. Create an organizational unit to contain all of the tenants. Under this OU you will create a new OU for each tenant

    • Start Active Directory Users and Computers.
    • At the left pane, right-click your domain (the very top object).
    • Click New, and select Organizational Unit.
    • Type Tenants, and click OK.

2. New Tenant Setup

Now that we completed the preparation steps, we are ready to setup a new Exchange Organization tenant. Here we will use:

  • domain.com as an example domain;
  • addomain.local as the local active directory domain;
  • Exchange ORG as the Exchange Organization
  • Server_name1 is the mailbox server
  • Server_name2 is the Client Access Server CAS. Server_name1 and server_name2 can be the same.
  1. Create a new OU for the new tenant.

    Under the OU created in the previous step, create a new OU with the name of the email domain that you will host:

    • Start Active Directory Users and Computers.
    • At the left pane, right-click the Tenants OU.
    • Click New, and select Organizational Unit.
    • Type domain.com, and click OK.

     

  2. Create a new UPN suffix for the newly created OU

    • Open the ADSI Editor and connect to the Default Naming Context.
    • Right click the OU and select Properties.
    • Select the upnSuffixes attribute and click Edit.
    • Enter the new company UPN suffix and click Add.
    • Click OK twice to close out of the properties

    New UPN Suffix

  3. Create a new security group that will host all the domain.com users.

    Run the following cmdlet from Exchange Management Shell:
    New-DistributionGroup -Name "domain.com Users" -OrganizationalUnit "addomain.local/Tenants/ domain.com" -SamAccountName "domain.comUsers" -Alias "domain.comUsers" -Type "Security"

  4. Create a new accepted domain

    Run the following cmdlet from Exchange Management Shell:
    new-AcceptedDomain -Name 'domain.com' -DomainName 'domain.com' -DomainType 'Authoritative'

  5. Create a new email address policy. The policy will be applied to all email enabled objects located under domain.com OU. The email address will be alias@domain.com. You can use other patterns like name.surname (%g.%s@domain.com) or "first letter from name".surname (%1g.%s@domain.com) and so on.

    Run the following cmdlet from Exchange Management Shell:
    new-EmailAddressPolicy -Name 'domain.com' -RecipientContainer 'addomain.local/tenants/domain.com' -IncludedRecipients 'AllRecipients' -Priority 'Lowest' -EnabledEmailAddressTemplates 'SMTP:%m@domain.com'

  6. Create a new Global Address List. This will contain all the email enabled objects located under domain.com OU.

    Run the following cmdlet from the Exchange Management Shell:
    new-globalAddressList -Name 'domain.com GAL' -RecipientContainer 'addomain.local/tenants/domain.com' -IncludedRecipients 'AllRecipients'

  7. Create a new Address List. This will contain all the email enabled objects located under domain.om OU

    Run the following cmdlet from Exchange Management Shell:
    new-AddressList -Name 'domain.com AL' -RecipientContainer 'addomain.local/ Tenants/domain.com' -IncludedRecipients 'AllRecipients' -Container '\' -DisplayName 'domain.com AL'

  8. Create new Offline Address Book. This will contain all the email enabled objects located under domain.com OU. Here you have to pay attention to:

    • If you are using Outlook 2003 you need to enable the Offline Address Book distribution via public folders (-PublicFolderDistributionEnabled $true)

    • Server_name1 is the name of the mailbox server that will be responsible for Offline Address Book generation

    • Server_name2\OAB (Default Web Site) is the web virtual directory where you want to distribute the Offline Address Book. Server_name2 is the name of the Client Access Server that is hosting the web virtual directory.

    • Server_name1 can be the same as Server_name2 if the Mailbox and Client Access Role are located on the same server

    Run the following cmdlet from Exchange Management Shell:
    new-OfflineAddressBook -Name 'domain.com' -Server 'Server_name1' -AddressLists '\domain.com AL' -PublicFolderDistributionEnabled $true -VirtualDirectories 'Server_name2\OAB (Default Web Site)'

  9. Secure the Address Lists by allowing access only to the users from the security group created at 2.3 (domain.com Users)

    Use the ADSI editor to clear Authenticated Users permission from recently created Global Address List, Address List and Offline Address Book as you did in 1.3 for the following containers:

    • CN=domain.com AL, CN=All Address Lists, CN=Address Lists Container, CN=Exchange ORG,CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=addomain, DC=local

    • CN=domain.com GAL, CN= All Global Address Lists, CN=Address Lists Container, CN=Exchange ORG,CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=addomain, DC=local

    • CN=domain.com OAB, CN= Offline Address Lists, CN=Address Lists Container, CN=Exchange ORG,CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=addomain, DC=local

    Run the following cmdlet from Exchange Management Shell to add permissions to the users from the security group created at 2.3 (domain.com Users):

    $container = "CN=domain.com AL,CN=All Address Lists,CN=Address Lists Container,CN=Exchange ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=addomain,DC=local" Add-ADPermission $container -User "domain.com Users" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book

    $container = "CN=domain.com GAL,CN= All Global Address Lists,CN=Address Lists Container,CN=Exchange ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=addomain, DC=local" Add-ADPermission $container -User " domain.com Users " -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book

    $container = "CN=domain.com OAB,CN= Offline Address Lists,CN=Address Lists Container,CN=Exchange ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=addomain,DC=local" Add-ADPermission $container -User " domain.com Users " -AccessRights GenericRead, ListChildren -ExtendedRights ms-Exch-Download-OAB

  10. Create a new Mailbox Database to host the new tenant (This step is optional)

    If using Exchange 2010 Standard Edition, you can create up to 5 databases per server, including the public folder database. In Exchange 2010 Enterprise Edition you can create up to 100 databases per server, including the public folder database.

    Based on this, if the number of tenants that you will host is less than the number of databases supported, it is recommended to create a new database for each tenant. This will help you to easily manage the Offline Address Book for each user by assigning the tenant Offline Address Book for all user only once at the database proprieties. To create a new database, run the following cmdlet from Exchange Management Shell:
    new-mailboxdatabase -Server 'Server_name1' -Name 'domain.com MB' -EdbFilePath '%database path%\domain.com MB.edb' -LogFolderPath '%log path% \domain.com MB'

    For the newly created database, assign the domain.com OAB as the default Offline Address Book by running the following cmdlet from Exchange Management Shell:
    Set-MailboxDatabase "domain.com MB" -OfflineAddressBook "domain.com OAB"

3. New User or Group setup

  1. In order to create a new user for the domain.com tenant, you have to create the user in the correct OU and mailbox database (if you followed the step 2.10). The new user can be created from the Management Shell or the Management Console. The best approach is to use Shell because you can automate the process.

    First of all you have to create a new password:
    $password = Read-Host "Enter Password" -AsSecureString

    And enter the new password. The password must fulfill the domain password complexity requirements.

    To create a new user:
    New-mailbox -UserPrincipalName name.surname@domain.com -database "domain.com MB" -Name "Name Surname" -OrganizationalUnit "ou=domain.com,ou=tenants, dc=addomain,dc=local" -password $password -FirstName Name -LastName Surname -DisplayName "Name Surname" -ResetPasswordOnNextLogon $false -alias name.surname

  2. If you didn't follow the optional step 2.10, you have to assign the Offline Address Book for each user (This step is optional related with step 2.10). To do that, run the cmdlet:
    Get-User -Filter { userPrincipalName -like "*@domain.com " } | Set-Mailbox -OfflineAddressBook "domain.com OAB"

    This cmdlet must be run always after you create a new user.

  3. Add the new user to the company security group (2.3)
    Add-DistributionGroupMember -Identity "domain.com Users" -Member name.surname@domain.com

  4. To create a new distribution group you should run the same cmdlet as in step 2.3

  5. Update all the address lists and the email policy to reflect the new changes.

    After a new object is created you should run the following cmdlets to be sure that all the address books contain it.

    update-EmailAddressPolicy -Identity "domain.com"

    update-GlobalAddressList -Identity " domain.com GAL"

    update-AddressList -Identity "domain.com AL"

    update-OfflineAddressBook -Identity " domain.com OAB"

THE EASY WAY

In the second part of this article we will be back with a procedure regarding hosting environment setup using Exchange 2010 SP1 /hosting switch. Since there is no graphical Management Console, all configurations will be based only on cmdlets.

Reference

White Paper: Configuring Virtual Organizations and Address List Segregation in Exchange 2007

User Comments - Page 1 of 1

Yasu 28 Jun 2012 03:22
This is great! It is working fine within OWA and GAL only shown same tenant users, but when I set outlook for a user, everyone can see everyone at GAL. Is there anyway you can solve this problem? Thanks.
Matthew H. 14 Dec 2011 12:17
Paul: Will there be an Exchange 2010 SP2 "Hosting the Hard Way" guide? Thanks!
Beni 28 Oct 2011 17:37
I cannot get Outlook to work. When I setup Outlook for a new user, I get "The name cannot be resolved - the old ones is ok. The name cannot be matched to a name in the address list." Adding Permissions to the Default GAL solves the problem, but everyone sees everyone. Pls help!
Liam Millar 30 Aug 2011 05:33
I've followed these instrustions and now users are unable to logon, outlook crashes when an account tries to check name?

PLease Help
Paul Roman 24 Aug 2011 03:22
You have UPN and you have User Logon Name (Pre-Windows 2000). The second one needs to be unique within the domain and you can put it whatever you like as long as you will use the UPN for logon purposes.
Levin 20 Aug 2011 04:40
i have an issue, when both the domains need same user for eg. a@abc.com and a@xyz.com. active directory doesn't allow me to create same named user. how to resolve this issue.
Julien 18 Jul 2011 01:35
Hi!thanks for your documentation it's very helpful for me ! I got a question in the third step when you want to remove the permissions from "everyody,ANONYMOUS_LOGON" etc do you speak aout the specials autorisations ? or the classics permissions ?

Thanks again,
Julien
Not Supported 28 Jun 2011 02:04
The above method is not supported by MS and will break Exchange 2010. Only way to do Multi-tenant is via /hosting
Paul Roman 3 Apr 2011 05:51
I am working on "The easy way" . It should be published soon.
Kay 1 Apr 2011 06:25
So what is the easy way? Thanks.
ExAdmin 20 Mar 2011 03:27
Here's an extra tip for you guys.
G/AL Update will update the GAL and AL without having to open the EMS.
www.galupdate.co.uk
Paul Roman 9 Mar 2011 00:17
Hi Mattheus,

Did you delete the Default Global Address List?

Paul
Mattheus 8 Mar 2011 07:00
Very nice and useful guide! I followed this and it works perfectly in OWA, only the company GAL and AL is viewed.

However, I cannot get Outlook to work. When I setup Outlook for a new user, I get "The name cannot be resolved. The name cannot be matched to a name in the address list." Is it permission-related? Any ideas?
Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation