Exchange 2010 Hosting Part 1 - The Hard Way
Paul has been a Microsoft Certified Systems Engineer since 1999.
His experience covers a large number of Microsoft Exchange implementations, from small infrastructures to large hosting infrastructures serving thousands of users.
Since April 1st, 2010, Paul has been an MVP for Exchange.
Hosting multiple Organizations on a single Exchange Infrastructure can give significant hardware consolidation advantages. Exchange 2010 has greatly simplified the setup of such an environment, giving us two implementation options, the hard and the easy way. Today we go down the hard way...
Starting with Exchange 2000, Microsoft set out to support hosting infrastructures built on MS Exchange. To support such implementations, MS released Hosted Solutions add-ons, starting with "The Solution for High Volume Exchange version 1.0" based on Exchange 2000.
To date, Microsoft has released eight versions, the latest being Hosted Messaging and Collaboration (HMC) version 4.5 in June 2008. HMC 4.5 works with Exchange 2007 SP1 together with Office Communications Server 2007, SharePoint Services 3.0 and Forefront Security for MS Exchange 2007.
In Exchange 2010 SP1 there is no need for an additional tool to configure a hosting environment. All you have to do is run the Exchange 2010 SP1 setup with the /hosting switch. It is an easy way to configure a multi-tenant infrastructure. However, some features are missing, namely:
- Exchange Management Console
- Public Folders
- Unified Messaging Server Role
- Federation
- Business-to-Business features such as cross-premises message tracking and calendar sharing
- IRM
- Outlook 2003 support (EnableLegacyOutlook)
- Edge Transport Server role
Note that in this article I make extensive reference to the following whitepaper:
White Paper: Configuring Virtual Organizations and Address List Segregation in Exchange 2007
Even though it was originally written for Exchange 2007, many of the instructions in this whitepaper also apply to Exchange 2010.
1. The Hard Way - Hosting Environment Preparation
If you still need some of the above features, and also need an infrastructure where every tenant can see or access only its own information without knowing that it shares the email server with other tenants, you have to take the hard way. The hard way means configuring some advanced permissions, mostly with the ADSI editor and cmdlets, to achieve your goal. Here are the steps:
In the following steps, <Domain> is the distinguished name of your AD domain. For example, it could be DC=addomain,DC=local
Step 1. Install the Exchange servers as you would for a normal installation. The configuration can include all Exchange 2010 features such as the UM Server, Edge Server, DAG infrastructure, etc.
Step 2. Configure the dSHeuristics attribute to allow listing of specific child objects even if the user does not have this right on the parent.
Quoting directly from the referenced whitepaper, Active Directory object visibility is normally controlled by List Contents permissions on the parent object, which is an object that will only be visible to a user if the user has been granted List Contents permissions on the parent object. When a user has List Contents permission on a parent node, he or she can see and browse all objects that are children of that node without any further selectivity. This is not what we want in a hosting environment.
Setting the dSHeuristics attribute allows us to control object visibility at a more granular, per-object level.
To set this attribute, open the ADSIEdit console and connect to the Configuration naming context. There, edit the dSHeuristics attribute of:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<Domain>
...and set it to 001. The third character is the one that enables List Object mode; because dSHeuristics is forest-wide, if the attribute already holds a value, change only that third character to 1 rather than overwriting the whole string. For more information about dSHeuristics, see the referenced documentation.
Step 3. Remove the Anonymous Logon, Authenticated Users and Everyone permissions from the following containers: All Address Lists, All Global Address Lists, Offline Address Lists, Default Global Address List, All Contacts, All Groups, All Rooms, All Users, Public Folders and Default Offline Address Book. This hides the existence of every address list on the server except the one the user should see.
The following containers should not be deleted completely; otherwise other components break and you might get into trouble:
- Default Global Address List - if you later need to configure a Blackberry Enterprise Server infrastructure, the BES account needs access rights to the Default Global Address List in order to function properly.
- All Rooms - if you delete it, the address book in OWA will no longer work.
- Default Offline Address Book - can be deleted, but you then need to establish a new default offline address list; otherwise the Offline Address Book service will not work as expected.
To remove the rights using ADSIEdit, right click and select Properties for each of the following containers:
CN=All Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>
CN=All Global Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>
CN=Offline Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>
CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>
Go to the Security tab, click Advanced and deselect "Allow inheritable permissions from the parent to propagate to this object and all child objects".
After clicking OK, select "Copy" in the message that follows (this keeps copies of the inherited entries as explicit ones), then click Yes twice at the warning messages.
Then, back on the Security tab, remove the permissions for Anonymous Logon, Everyone and Authenticated Users.
Step 4. Add the List Object permission to the address list containers using PowerShell cmdlets. List Object mode was enabled on the AD forest in Step 2 (dSHeuristics); with this permission, users see in the address list containers only the address lists they have been granted access to.
Run the following cmdlets from the Exchange Management Shell:
$container = "CN=All Global Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>"
Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject
$container = "CN=All Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>"
Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject
$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>"
Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject
Step 5. Clear the addressBookRoots and addressBookRoots2 attributes of the "CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>" container using ADSIEdit.
Make sure you remove the "CN=All Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>" value from both attributes; otherwise you may have problems with Offline Address Book creation and replication.
Step 6. Create an organizational unit to contain all of the tenants. Under this OU you will create a new OU for each tenant.
- Start Active Directory Users and Computers.
- In the left pane, right-click your domain (the very top object).
- Click New, and select Organizational Unit.
- Type Tenants, and click OK.
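The following PowerShell script is an added example, not code from the article: it performs the permission removal, the List Object grant and the addressBookRoots clearing from the shell, and adds a read-only audit that reports any remaining entry for Anonymous Logon, Everyone or Authenticated Users on the containers, so you can confirm the segregation took effect before any tenant is created. It assumes the Exchange Management Shell on Exchange 2010 SP1 with the ActiveDirectory module available; $ExchOrg and $DomainDn are placeholders, and the function and variable names are my own.

```powershell
# Added example, not the article's code. Assumes Exchange Management Shell on Exchange 2010 SP1
# plus the ActiveDirectory module; $ExchOrg/$DomainDn are placeholders. Only Set-AddressListSegregation writes.
Import-Module ActiveDirectory
$ExchOrg  = "First Organization"        # placeholder Exchange organization name
$DomainDn = "DC=addomain,DC=local"      # placeholder, the article's example domain DN
$ExchDn   = "CN=Microsoft Exchange,CN=Services,CN=Configuration,$DomainDn"
$AlcDn    = "CN=Address Lists Container,CN=$ExchOrg,$ExchDn"
$Roots    = @("CN=All Address Lists,$AlcDn", "CN=All Global Address Lists,$AlcDn",
              "CN=Offline Address Lists,$AlcDn")
$Containers = $Roots + @("CN=Default Global Address List,CN=All Global Address Lists,$AlcDn")
$BroadPattern = '(ANONYMOUS LOGON|Everyone|Authenticated Users)$'   # principals the article removes
# Block inheritance while keeping copies of the inherited ACEs (ADSIEdit's "Copy" choice), strip the
# broad principals, grant ListObject back to Authenticated Users on the root containers, clear roots.
function Set-AddressListSegregation {
    foreach ($dn in $Containers) {
        $obj = [ADSI]"LDAP://$dn"
        $obj.psbase.ObjectSecurity.SetAccessRuleProtection($true, $true)  # isProtected, preserveInheritance
        $obj.psbase.CommitChanges()
        Get-ADPermission -Identity $dn |
            Where-Object { $_.User.ToString() -match $BroadPattern } |
            Remove-ADPermission -Confirm:$false
    }
    foreach ($dn in $Roots) {
        Add-ADPermission -Identity $dn -User "Authenticated Users" -AccessRights ListObject | Out-Null
    }
    Set-ADObject -Identity $ExchDn -Clear addressBookRoots, addressBookRoots2
}
# Read-only audit: any ACE for the broad principals other than an Allow of exactly ListObject for
# Authenticated Users on a root container is a leak; so is a root attribute still naming All Address Lists.
function Test-AddressListExposure {
    $findings = @(foreach ($dn in $Containers) {
        Get-ADPermission -Identity $dn |
            Where-Object { $_.User.ToString() -match $BroadPattern } |
            ForEach-Object {
                $rights = @($_.AccessRights) -join ','
                $ok = ($Roots -contains $dn) -and ($_.User.ToString() -match 'Authenticated Users$') -and
                      ($rights -eq 'ListObject') -and (-not $_.Deny)
                if (-not $ok) { [pscustomobject]@{ Container = $dn; User = $_.User.ToString(); Rights = $rights; Inherited = $_.IsInherited } }
            }
    })
    $exch = Get-ADObject -Identity $ExchDn -Properties addressBookRoots, addressBookRoots2
    foreach ($attr in 'addressBookRoots', 'addressBookRoots2') {
        if (@($exch.$attr) -contains $Roots[0]) {
            $findings += [pscustomobject]@{ Container = $ExchDn; User = $attr; Rights = "still lists All Address Lists"; Inherited = $false }
        }
    }
    $findings   # no output means the containers are segregated as the article describes
}
```

Run Test-AddressListExposure before and after Set-AddressListSegregation; the audit also catches entries that are re-inherited later if someone re-enables inheritance on a container.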