WinDeveloper IMF Tune

WinDeveloper IMF Tune
WinDeveloper IMF Tune

Exchange 2010 Hosting Part 1 - The Hard Way

Paul Roman [MVP for Exchange, MCSE, MCSA, MCST, MCITP]

Paul Roman [MVP for Exchange, MCSE, MCSA, MCST, MCITP] Photo

Paul is a Microsoft Certified System Engineer since 1999. His experience covers a large number of Microsoft Exchange implementations starting from small infrastructures and going to large hosting infrastructures for thousands of users. Starting with April 1st, 2010, Paul is MVP for Exchange.

Cast your Vote
Poor Excellent

Hosting multiple Organizations on a single Exchange Infrastructure can give significant hardware consolidation advantages. Exchange 2010 has greatly simplified the setup of such an environment, giving us two implementation options, the hard and the easy way. Today we go down the hard way...

Starting with Exchange 2000, Microsoft had the idea to implement hosting infrastructures based on MS Exchange. To provide support for such implementations MS released Hosted Solutions add-ons, starting with "The Solution for High Volume Exchange version 1.0" based on Exchange 2000.

Up till now, Microsoft released eight versions, with the release of Hosted Messaging and Collaboration HMC version 4.5 in June 2008. HMC 4.5 was working with Exchange 2007 SP1 together with Office Communication Server 2007, SharePoint Services 3.0 and Forefront Security for MS Exchange 2007.

In Exchange 2010 SP1 there is no need for an additional tool to configure a hosting environment. All you have to do is to run the setup for Exchange 2010 SP1 with the /hosting switch. It's an easy way to configure a multi-tenant infrastructure. However some features are missing, namely:

  • Exchange Management Console
  • Public Folders
  • Unified Messaging Server Role
  • Federation
  • Business-to-Business features such as cross-premises message tracking and calendar sharing
  • IRM
  • Outlook 2003 support (EnableLegacyOutlook)
  • Edge Transport Server role

Note in this article I make extensive reference to the whitepaper:
White Paper: Configuring Virtual Organizations and Address List Segregation in Exchange 2007

Even though this was originally written for Exchange 2007, many of the instructions in this whitepaper are also applicable to Exchange 2010.

1. The Hard Way - Hosting Environment Preparation

If you still need some of the above features and also need to have an infrastructure where every tenant can see or access only its information without knowing that it is sharing the email server with other tenants you have to take the hard way. The hard way means that you have to configure some advanced permissions using mostly the ADSI editor and cmdlets to achieve your goal. Here are the steps:

In the following steps, <domain> is the distinguished name of your AD domain. For example, it could be DC=addomain, DC=local

  1. Install the Exchange servers as you would install them for a normal installation. The configuration can include all Exchange 2010 features like UM Server, Edge Server, DAG infrastructure, etc.

  2. Configure the dSHeuristics attribute to allow listing of the specific child objects even if the user does not have this right on the parent.

    Quoting directly from the referenced whitepaper, Active Directory object visibility is normally controlled by List Contents permissions on the parent object, which is an object that will only be visible to a user if the user has been granted List Contents permissions on the parent object. When a user has List Contents permission on a parent node, he or she can see and browse all objects that are children of that node without any further selectivity. This is not what we want in a hosting environment.

    Setting dSHeuristics attribute allows us to control object visibility at a more granular level on a per-object basis.

    To set this attribute, open the ADSIEdit console and connect to the Configuration naming context. There you have to edit the attribute dSHeuristics for: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<Domain>

    ...and set it to 001. For more information about dSHeuristics check here

    Change dSHeuristics to 001

  3. Remove Anonymous Logon, Authenticated Users and Everyone permissions from the All Address Lists, All Global Address Lists, Offline Address Lists and Default Global Address List, All Contacts, All Groups, All Rooms, All Users, Public Folders and Default Offline Address Book containers. This will help you to hide the existence of all the address lists on the server except the one that the user should see.

    The following should not be deleted completely. Otherwise other components would be broken and you might get into trouble:

    • Default Global Address List - if later you need to configure a Blackberry Enterprise Server infrastructure, the BES account should have rights to access the Default Global Address List in order to be able to function properly.

    • All Rooms - if you delete it, the address book in OWA will no longer work.

    • Default Offline Address Book - can be deleted, but you need to establish a new default offline address list otherwise the Offline Address Book service would not work as expected.

    To remove the rights using ADSIEdit, right click and select Properties for each of the following containers:

    • CN=All Address Lists, CN=Address Lists Container, CN=<Exchange Org>, CN=Microsoft Exchange, CN=Services, CN=Configuration, <Domain>

    • CN=All Global Address Lists, CN=Address Lists Container, CN=<Exchange Org>, CN=Microsoft Exchange, CN=Services, CN=Configuration, <Domain>

    • CN=Offline Address Lists, CN=Address Lists Container, CN=<Exchange Org>, CN=Microsoft Exchange, CN=Services, CN=Configuration, <Domain>

    • CN=Default Global Address List, CN= All Global Address Lists, CN=Address Lists Container, CN=<Exchange Org>, CN=Microsoft Exchange, CN=Services, CN=Configuration, <Domain>

    Address List Rights

    Go to the Security tab, click Advanced and deselect Allow inheritable permissions from the parent to propagate to this object and all child objects.

    Disallow Inherit Permissions

    After clicking OK, select Copy in the following message and then click Yes twice at the warning messages.

    Copy Permissions

    Warning 1

    Warning 2

    Then back to the security tab, remove permissions for Anonymous Logon, Everyone and Authenticated Users.

  4. Add List Object Permission to the address lists containers using Powershell cmdlets. This permission was enabled at the AD infrastructure in Point 2 of this article section and allows you to list from Address Lists containers only the address lists that the user is allowed to access.

    You have to run the following cmdlets from the Exchange Management Shell:

    $container = "CN=All Global Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>"

    Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject

    $container = "CN=All Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>"

    Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject

    $container = "CN=Offline Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<Domain>"

    Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject

  5. Clear the addressBookRoots and addressBookRoots2 attributes of "CN=Microsoft Exchange, CN=Services, CN=Configuration, <Domain>" container by using ADSIEdit.

    Make sure that you remove the "CN=All Address Lists,CN=Address Lists Container,CN=<Exchange Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration, <Domain>" value from both attributes otherwise you may have problems with Offline Address Book creation/replication.

    Clear addressBookRoots, addressBookRoots2 attributes

  6. Create an organizational unit to contain all of the tenants. Under this OU you will create a new OU for each tenant

    • Start Active Directory Users and Computers.
    • At the left pane, right-click your domain (the very top object).
    • Click New, and select Organizational Unit.
    • Type Tenants, and click OK.

User Comments - Page 1 of 1

Add New Comment...

Yasu 28 Jun 2012 03:22
This is great! It is working fine within OWA and GAL only shown same tenant users, but when I set outlook for a user, everyone can see everyone at GAL. Is there anyway you can solve this problem? Thanks.
Matthew H. 14 Dec 2011 12:17
Paul: Will there be an Exchange 2010 SP2 "Hosting the Hard Way" guide? Thanks!
Beni 28 Oct 2011 17:37
I cannot get Outlook to work. When I setup Outlook for a new user, I get "The name cannot be resolved - the old ones is ok. The name cannot be matched to a name in the address list." Adding Permissions to the Default GAL solves the problem, but everyone sees everyone. Pls help!
Liam Millar 30 Aug 2011 05:33
I've followed these instrustions and now users are unable to logon, outlook crashes when an account tries to check name?

PLease Help
Paul Roman 24 Aug 2011 03:22
You have UPN and you have User Logon Name (Pre-Windows 2000). The second one needs to be unique within the domain and you can put it whatever you like as long as you will use the UPN for logon purposes.
Levin 20 Aug 2011 04:40
i have an issue, when both the domains need same user for eg. a@abc.com and a@xyz.com. active directory doesn't allow me to create same named user. how to resolve this issue.
Julien 18 Jul 2011 01:35
Hi!thanks for your documentation it's very helpful for me ! I got a question in the third step when you want to remove the permissions from "everyody,ANONYMOUS_LOGON" etc do you speak aout the specials autorisations ? or the classics permissions ?

Thanks again,
Julien
Not Supported 28 Jun 2011 02:04
The above method is not supported by MS and will break Exchange 2010. Only way to do Multi-tenant is via /hosting
Paul Roman 3 Apr 2011 05:51
I am working on "The easy way" . It should be published soon.
Kay 1 Apr 2011 06:25
So what is the easy way? Thanks.
ExAdmin 20 Mar 2011 03:27
Here's an extra tip for you guys.
G/AL Update will update the GAL and AL without having to open the EMS.
www.galupdate.co.uk
Paul Roman 9 Mar 2011 00:17
Hi Mattheus,

Did you delete the Default Global Address List?

Paul
Mattheus 8 Mar 2011 07:00
Very nice and useful guide! I followed this and it works perfectly in OWA, only the company GAL and AL is viewed.

However, I cannot get Outlook to work. When I setup Outlook for a new user, I get "The name cannot be resolved. The name cannot be matched to a name in the address list." Is it permission-related? Any ideas?
Copyright © 2005 - 2014 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation