
Exchange 2010 Hosting Part 1 - The Hard Way

Paul Roman [MVP for Exchange, MCSE, MCSA, MCST, MCITP]

Paul is a Microsoft Certified System Engineer since 1999. His experience covers a large number of Microsoft Exchange implementations starting from small infrastructures and going to large hosting infrastructures for thousands of users. Starting with April 1st, 2010, Paul is MVP for Exchange.

Hosting multiple Organizations on a single Exchange Infrastructure can give significant hardware consolidation advantages. Exchange 2010 has greatly simplified the setup of such an environment, giving us two implementation options, the hard and the easy way. Today we go down the hard way...

2. New Tenant Setup

Now that the preparation steps are complete, we are ready to set up a new tenant in the Exchange Organization. Here we will use:

  • domain.com as the example email domain;
  • addomain.local as the local Active Directory domain;
  • Exchange ORG as the Exchange Organization;
  • Server_name1 as the Mailbox server;
  • Server_name2 as the Client Access Server (CAS). Server_name1 and Server_name2 can be the same server.
  1. Create a new OU for the new tenant.

    Under the Tenants OU created during the preparation steps, create a new OU named after the email domain that you will host:

    • Start Active Directory Users and Computers.
    • At the left pane, right-click the Tenants OU.
    • Click New, and select Organizational Unit.
    • Type domain.com, and click OK.


  2. Create a new UPN suffix for the newly created OU

    • Open the ADSI Editor and connect to the Default Naming Context.
    • Right click the OU and select Properties.
    • Select the upnSuffixes attribute and click Edit.
    • Enter the new company UPN suffix and click Add.
    • Click OK twice to close the properties dialog.

    (Screenshot: New UPN Suffix)

  3. Create a new security group that will host all the domain.com users.

    Run the following cmdlet from Exchange Management Shell:
    New-DistributionGroup -Name "domain.com Users" -OrganizationalUnit "addomain.local/Tenants/domain.com" -SamAccountName "domain.comUsers" -Alias "domain.comUsers" -Type "Security"

  4. Create a new accepted domain

    Run the following cmdlet from Exchange Management Shell:
    New-AcceptedDomain -Name 'domain.com' -DomainName 'domain.com' -DomainType 'Authoritative'

  5. Create a new email address policy. The policy will be applied to all email-enabled objects located under the domain.com OU. The email address will be alias@domain.com. You can use other patterns, such as name.surname (%g.%s@domain.com) or "first letter of name".surname (%1g.%s@domain.com), and so on.

    Run the following cmdlet from Exchange Management Shell:
    New-EmailAddressPolicy -Name 'domain.com' -RecipientContainer 'addomain.local/Tenants/domain.com' -IncludedRecipients 'AllRecipients' -Priority 'Lowest' -EnabledEmailAddressTemplates 'SMTP:%m@domain.com'

  6. Create a new Global Address List. This will contain all the email-enabled objects located under the domain.com OU.

    Run the following cmdlet from Exchange Management Shell:
    New-GlobalAddressList -Name 'domain.com GAL' -RecipientContainer 'addomain.local/Tenants/domain.com' -IncludedRecipients 'AllRecipients'

  7. Create a new Address List. This will contain all the email-enabled objects located under the domain.com OU.

    Run the following cmdlet from Exchange Management Shell:
    New-AddressList -Name 'domain.com AL' -RecipientContainer 'addomain.local/Tenants/domain.com' -IncludedRecipients 'AllRecipients' -Container '\' -DisplayName 'domain.com AL'

  8. Create a new Offline Address Book. This will contain all the email-enabled objects located under the domain.com OU. Here you have to pay attention to the following:

    • If you are using Outlook 2003, you need to enable Offline Address Book distribution via public folders (-PublicFolderDistributionEnabled $true).

    • Server_name1 is the name of the Mailbox server that will be responsible for Offline Address Book generation.

    • Server_name2\OAB (Default Web Site) is the web virtual directory through which you want to distribute the Offline Address Book. Server_name2 is the name of the Client Access Server that hosts the web virtual directory.

    • Server_name1 can be the same as Server_name2 if the Mailbox and Client Access roles are located on the same server.

    Run the following cmdlet from Exchange Management Shell (the name 'domain.com OAB' is the one referenced again in steps 9 and 10):
    New-OfflineAddressBook -Name 'domain.com OAB' -Server 'Server_name1' -AddressLists '\domain.com AL' -PublicFolderDistributionEnabled $true -VirtualDirectories 'Server_name2\OAB (Default Web Site)'

  9. Secure the Address Lists by allowing access only to the users in the security group created in step 2.3 (domain.com Users).

    Use the ADSI editor to clear the Authenticated Users permission from the recently created Global Address List, Address List and Offline Address Book, as you did in 1.3, for the following containers:

    • CN=domain.com AL,CN=All Address Lists,CN=Address Lists Container,CN=Exchange ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=addomain,DC=local

    • CN=domain.com GAL,CN=All Global Address Lists,CN=Address Lists Container,CN=Exchange ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=addomain,DC=local

    • CN=domain.com OAB,CN=Offline Address Lists,CN=Address Lists Container,CN=Exchange ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=addomain,DC=local

    Run the following cmdlets from Exchange Management Shell to grant permissions to the users in the security group created in step 2.3 (domain.com Users):

    $container = "CN=domain.com AL,CN=All Address Lists,CN=Address Lists Container,CN=Exchange ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=addomain,DC=local"
    Add-ADPermission $container -User "domain.com Users" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book

    $container = "CN=domain.com GAL,CN=All Global Address Lists,CN=Address Lists Container,CN=Exchange ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=addomain,DC=local"
    Add-ADPermission $container -User "domain.com Users" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book

    $container = "CN=domain.com OAB,CN=Offline Address Lists,CN=Address Lists Container,CN=Exchange ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=addomain,DC=local"
    Add-ADPermission $container -User "domain.com Users" -AccessRights GenericRead, ListChildren -ExtendedRights ms-Exch-Download-OAB

  10. Create a new Mailbox Database to host the new tenant (this step is optional).

    If you are using Exchange 2010 Standard Edition, you can create up to 5 databases per server, including the public folder database. In Exchange 2010 Enterprise Edition you can create up to 100 databases per server, including the public folder database.

    Based on this, if the number of tenants you will host is less than the number of databases supported, it is recommended to create a new database for each tenant. This lets you manage the Offline Address Book for each user easily, by assigning the tenant Offline Address Book for all users only once, in the database properties. To create a new database, run the following cmdlet from Exchange Management Shell (replace %database path% and %log path% with your own paths):
    New-MailboxDatabase -Server 'Server_name1' -Name 'domain.com MB' -EdbFilePath '%database path%\domain.com MB.edb' -LogFolderPath '%log path%\domain.com MB'

    For the newly created database, assign the domain.com OAB as the default Offline Address Book by running the following cmdlet from Exchange Management Shell:
    Set-MailboxDatabase "domain.com MB" -OfflineAddressBook "domain.com OAB"
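The ten steps above are one procedure, and the part that actually isolates tenants from each other is step 9: if the default Authenticated Users entry is left on a tenant's address lists, every mailbox in the organization can browse that tenant's GAL. The script below is an added example, not the article's own code: it provisions one tenant end to end with the cmdlets the article uses, performs the step 9 ACL change from the shell with Remove-ADPermission instead of ADSI Edit, and finishes with an audit function that reports any remaining ACE that still lets a broad principal reach the tenant's lists. Parameter defaults reuse the article's placeholder names (addomain.local, OU=Tenants, Exchange ORG, Server_name1, Server_name2); $DbPath and $LogPath are placeholders, and the filter on non-inherited Authenticated Users entries is an assumption about the shape of the default ACE.

```powershell
# Added example (not from the article): provision one hosted tenant per steps 1-10, then
# verify that only the tenant's own security group can open its address lists.
# Run from the Exchange 2010 Management Shell on a server joined to addomain.local.
# Parameter defaults are the article's placeholder names; $DbPath/$LogPath are placeholders.

function New-HostedTenant {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,        # e.g. domain.com
        [string]$TenantsOuDn   = 'OU=Tenants,DC=addomain,DC=local',
        [string]$TenantsPath   = 'addomain.local/Tenants',
        [string]$OrgName       = 'Exchange ORG',
        [string]$ConfigNcDn    = 'CN=Configuration,DC=addomain,DC=local',
        [string]$MailboxServer = 'Server_name1',
        [string]$CasServer     = 'Server_name2',
        [string]$DbPath        = 'D:\Databases',              # placeholder
        [string]$LogPath       = 'D:\Logs',                   # placeholder
        [switch]$NoDatabase
    )
    $group  = "$Domain Users"
    $ouPath = "$TenantsPath/$Domain"

    # Steps 1-2: tenant OU plus its UPN suffix, via ADSI instead of the GUI tools the article uses.
    $parent = [ADSI]"LDAP://$TenantsOuDn"
    $ou = $parent.Create('organizationalUnit', "OU=$Domain")
    $ou.SetInfo()
    $ou.PutEx(3, 'upnSuffixes', @($Domain))   # 3 = ADS_PROPERTY_APPEND
    $ou.SetInfo()

    # Step 3: the security group every tenant ACL below is scoped to.
    $sam = ($Domain -replace '\.', '') + 'Users'
    New-DistributionGroup -Name $group -OrganizationalUnit $ouPath -SamAccountName $sam `
        -Alias $sam -Type Security | Out-Null

    # Steps 4-8: accepted domain, address policy, GAL, AL and OAB, all filtered on the tenant OU.
    New-AcceptedDomain -Name $Domain -DomainName $Domain -DomainType Authoritative | Out-Null
    New-EmailAddressPolicy -Name $Domain -RecipientContainer $ouPath -IncludedRecipients AllRecipients `
        -Priority Lowest -EnabledEmailAddressTemplates "SMTP:%m@$Domain" | Out-Null
    New-GlobalAddressList -Name "$Domain GAL" -RecipientContainer $ouPath -IncludedRecipients AllRecipients | Out-Null
    New-AddressList -Name "$Domain AL" -RecipientContainer $ouPath -IncludedRecipients AllRecipients `
        -Container '\' -DisplayName "$Domain AL" | Out-Null
    New-OfflineAddressBook -Name "$Domain OAB" -Server $MailboxServer -AddressLists "\$Domain AL" `
        -PublicFolderDistributionEnabled $true -VirtualDirectories "$CasServer\OAB (Default Web Site)" | Out-Null

    # Step 9: the isolation step. Remove the default Authenticated Users ACE (the article does this
    # in ADSI Edit; Remove-ADPermission does the same from the shell) and grant the tenant group.
    foreach ($l in Get-TenantAddressListDn -Domain $Domain -OrgName $OrgName -ConfigNcDn $ConfigNcDn) {
        Get-ADPermission -Identity $l.Dn |
            Where-Object { "$($_.User)" -like '*Authenticated Users*' -and -not $_.IsInherited } |
            Remove-ADPermission -Confirm:$false | Out-Null
        Add-ADPermission -Identity $l.Dn -User $group -AccessRights GenericRead, ListChildren `
            -ExtendedRights $l.Right | Out-Null
    }

    # Step 10 (optional): a dedicated database whose default OAB is the tenant OAB.
    if (-not $NoDatabase) {
        New-MailboxDatabase -Server $MailboxServer -Name "$Domain MB" `
            -EdbFilePath "$DbPath\$Domain MB.edb" -LogFolderPath "$LogPath\$Domain MB" | Out-Null
        Set-MailboxDatabase "$Domain MB" -OfflineAddressBook "$Domain OAB"
    }
    Test-TenantAddressListIsolation -Domain $Domain -OrgName $OrgName -ConfigNcDn $ConfigNcDn
}

# The three address list objects of a tenant and the extended right each one needs (from step 9).
function Get-TenantAddressListDn {
    param([string]$Domain, [string]$OrgName, [string]$ConfigNcDn)
    $root = "CN=Address Lists Container,CN=$OrgName,CN=Microsoft Exchange,CN=Services,$ConfigNcDn"
    @(
        @{ Dn = "CN=$Domain AL,CN=All Address Lists,$root";         Right = 'Open-Address-Book' },
        @{ Dn = "CN=$Domain GAL,CN=All Global Address Lists,$root"; Right = 'Open-Address-Book' },
        @{ Dn = "CN=$Domain OAB,CN=Offline Address Lists,$root";    Right = 'ms-Exch-Download-OAB' }
    )
}

# Audit: report every allow ACE that still lets a broad principal reach the tenant's lists.
# Empty output is the expected result after step 9; anything returned is cross-tenant exposure.
function Test-TenantAddressListIsolation {
    param([string]$Domain, [string]$OrgName = 'Exchange ORG',
          [string]$ConfigNcDn = 'CN=Configuration,DC=addomain,DC=local')
    $broad = 'Authenticated Users', 'Everyone', 'ANONYMOUS LOGON'
    foreach ($l in Get-TenantAddressListDn -Domain $Domain -OrgName $OrgName -ConfigNcDn $ConfigNcDn) {
        Get-ADPermission -Identity $l.Dn | ForEach-Object {
            $ace = $_
            $who = "$($ace.User)"
            if (-not $ace.Deny -and ($broad | Where-Object { $who -like "*$_*" })) {
                [pscustomobject]@{ List = $l.Dn; User = $who
                                   AccessRights = $ace.AccessRights; ExtendedRights = $ace.ExtendedRights }
            }
        }
    }
}

# Usage: New-HostedTenant -Domain 'domain.com'   (returns nothing when the lists are isolated)
```

Test-TenantAddressListIsolation can also be run on its own against tenants provisioned earlier by hand; a non-empty result names the list, the principal and the rights that still allow cross-tenant browsing, which is exactly the entry to remove. Note that it only inspects the three per-tenant objects, so the Default Global Address List and any other organization-wide list must be checked separately.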

User Comments

Yasu 28 Jun 2012 03:22
This is great! It is working fine within OWA and the GAL only shows same-tenant users, but when I set up Outlook for a user, everyone can see everyone in the GAL. Is there any way you can solve this problem? Thanks.
Matthew H. 14 Dec 2011 12:17
Paul: Will there be an Exchange 2010 SP2 "Hosting the Hard Way" guide? Thanks!
Beni 28 Oct 2011 17:37
I cannot get Outlook to work. When I set up Outlook for a new user, I get "The name cannot be resolved. The name cannot be matched to a name in the address list." (the old ones are OK). Adding permissions to the Default GAL solves the problem, but everyone sees everyone. Pls help!
Liam Millar 30 Aug 2011 05:33
I've followed these instructions and now users are unable to log on; Outlook crashes when an account tries to check a name?

Please help
Paul Roman 24 Aug 2011 03:22
You have UPN and you have User Logon Name (Pre-Windows 2000). The second one needs to be unique within the domain and you can put it whatever you like as long as you will use the UPN for logon purposes.
Levin 20 Aug 2011 04:40
I have an issue when both domains need the same user, e.g. a@abc.com and a@xyz.com. Active Directory doesn't allow me to create a user with the same name. How do I resolve this issue?
Julien 18 Jul 2011 01:35
Hi! Thanks for your documentation, it's very helpful for me! I have a question about the third step: when you want to remove the permissions from "everybody, ANONYMOUS_LOGON" etc., do you mean the special permissions or the classic permissions?

Thanks again,
Julien
Not Supported 28 Jun 2011 02:04
The above method is not supported by MS and will break Exchange 2010. Only way to do Multi-tenant is via /hosting
Paul Roman 3 Apr 2011 05:51
I am working on "The easy way". It should be published soon.
Kay 1 Apr 2011 06:25
So what is the easy way? Thanks.
ExAdmin 20 Mar 2011 03:27
Here's an extra tip for you guys.
G/AL Update will update the GAL and AL without having to open the EMS.
www.galupdate.co.uk
Paul Roman 9 Mar 2011 00:17
Hi Mattheus,

Did you delete the Default Global Address List?

Paul
Mattheus 8 Mar 2011 07:00
Very nice and useful guide! I followed this and it works perfectly in OWA, only the company GAL and AL is viewed.

However, I cannot get Outlook to work. When I setup Outlook for a new user, I get "The name cannot be resolved. The name cannot be matched to a name in the address list." Is it permission-related? Any ideas?
Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation