Building Hosted Exchange – Part II

In my previous blog post I tried to explain why Microsoft is following the partner model for hosted environments. If you fully understand the Microsoft guidance document and really want to build it yourself instead of using a 3rd party Control Panel vendor (which I always recommend), this post outlines the various steps that need to be done.

Please note that this blog post is published ‘as is’ and reflects my personal belief on how things can be done. You still have to test everything in a lab environment before building things in production. I cannot and will not take any responsibility for your environment when things go wrong!

Before you do anything hosting specific it’s good to build the entire platform and make sure everything is up and running. This means you have to use multiple CAS Servers and configure a CAS Array, multiple Hub Transport Servers (optionally with separate servers for inbound and outbound mail), multiple Mailbox Servers in a Database Availability Group and (optionally) multiple UM Servers.


Note. The autodiscoverredirect FQDN is needed for autodiscover functionality when hosting multiple companies on the platform. Please see my blog post Autodiscover redirect and SRV option for more information.

I also recommend using a hardware load balancer in the Exchange environment. It is possible (and I’ve seen hosting customers do this) to use a reverse proxy solution like Microsoft TMG but my personal opinion is that TMG makes hosting life utterly complex.

Active Directory

Multi-tenancy in Active Directory is not very different from what it used to be. All tenants have their own Organizational Unit in Active Directory and these have to be fully separated. This means you have to configure Active Directory in List Object mode to separate the individual OUs. This needs to be done only once, when building the hosting environment. It is not very different from HMC or from Address List Segregation in Exchange 2007 and can be done according to this TechNet article.

Use ADSIEdit to open the Configuration container and navigate to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Contoso,DC=com.

Right-click Directory Service and select Properties. Select the dsHeuristics attribute and change its value to 001. This enables List Object mode in Active Directory.
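The same change scripted with the ActiveDirectory module, as an added example that is not part of the original post. It reads the current dsHeuristics value first so that flags already set in other positions are preserved, and only flips the third character (the List Object mode flag) when it is not already 1; the Configuration naming context is taken from the RootDSE rather than hard-coded.

```powershell
# Added example (not from the original post): enable List Object mode by setting the
# third character of dsHeuristics to '1' without clobbering other positional flags.
Import-Module ActiveDirectory

$dsPath = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
          (Get-ADRootDSE).configurationNamingContext
$obj     = Get-ADObject -Identity $dsPath -Properties dsHeuristics
$current = if ($obj.dsHeuristics) { [string]$obj.dsHeuristics } else { '' }

# dsHeuristics is a string of positional one-character flags; '0' means unset.
# Pad to three characters so the third position exists. If the value ever grows to
# ten or more characters, every 10th character must equal its position index
# (10th = '1', 20th = '2', ...); padding to three characters never triggers that rule.
$chars = $current.PadRight(3, '0').ToCharArray()

if ($chars[2] -eq '1') {
    Write-Host "List Object mode is already enabled (dsHeuristics = '$current')"
    return
}

$chars[2] = '1'
$new = -join $chars
Set-ADObject -Identity $dsPath -Replace @{ dsHeuristics = $new }
Write-Host "dsHeuristics changed from '$current' to '$new'; List Object mode enabled"
```

Run it once, as an account with write access to the Configuration partition, and verify afterwards with Get-ADObject that the value is what you expect before provisioning any tenant.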


Provisioning Organizations and Users

New companies that will be hosted on the platform are placed inside Organizational Units (OUs) in Active Directory. Every company, sometimes referred to as an organization, has its own OU, and all OUs are restricted with permissions so they cannot see each other. These organizations in Active Directory are also called ‘tenants’. Each tenant has its own Admin (responsible for user and group management within the tenant), one or more tenant-specific groups and of course the individual users/mailboxes.


In short, you have to:

  • Create a new OU for every new tenant;
  • Create an Admin user within the tenant;
  • Create one or more Security Groups in the tenant for all users and for the tenant Admins;
  • Secure the OU by removing the default (inherited) permissions and granting permissions to the Security Groups in this particular OU.

Things to be aware of during provisioning:

  • User accounts need to be unique within the entire Active Directory;
  • Create a SamAccountName that is unique. Since users do not use this name it can even be a numerical value;
  • Users log on using their UPN (User Principal Name), which makes them unique. The UPN is set during provisioning of the user account (no need to use the Active Directory Domains and Trusts MMC snap-in like in Windows 2000 😉);
  • The actual user accounts are not provisioned at this time;
  • Set the proper permissions on the Admin account and the Security Groups, and remove the Authenticated Users entry from the ACL of the OU in Active Directory.
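The provisioning steps above as one scripted, rollback-capable run, added here as an example that is not code from the original post. It assumes a tenant named Fabrikam, a hosting root of OU=Hosting,DC=contoso,DC=com, the UPN suffix fabrikam.com and a random 8-digit SamAccountName (substitute your own allocator); on any failure the half-built OU is removed so no tenant is left in an unknown state.

```powershell
# Added example, not code from the original post: provision one tenant OU with its
# admin account, security groups and an isolated ACL, rolling back on any failure.
# Assumed names: tenant 'Fabrikam', hosting root 'OU=Hosting,DC=contoso,DC=com',
# UPN suffix 'fabrikam.com', random 8-digit SamAccountName (use your own allocator).
Import-Module ActiveDirectory
$TenantName = 'Fabrikam'
$HostingOU  = 'OU=Hosting,DC=contoso,DC=com'
$UpnSuffix  = 'fabrikam.com'
$TenantOU   = "OU=$TenantName,$HostingOU"
try {
    # Unprotected so a failed run can be rolled back; protection is re-enabled at the end.
    New-ADOrganizationalUnit -Name $TenantName -Path $HostingOU -ProtectedFromAccidentalDeletion $false
    # One group for all tenant users, one for tenant admins.
    $usersGroup  = New-ADGroup -Name "$TenantName-Users"  -GroupScope Global -GroupCategory Security -Path $TenantOU -PassThru
    $adminsGroup = New-ADGroup -Name "$TenantName-Admins" -GroupScope Global -GroupCategory Security -Path $TenantOU -PassThru
    # Tenant admin: numeric SamAccountName (unique forest-wide); users log on with the UPN.
    $sam   = [string](Get-Random -Minimum 10000000 -Maximum 99999999)
    $admin = New-ADUser -Name "$TenantName Admin" -SamAccountName $sam `
        -UserPrincipalName "admin@$UpnSuffix" -Path $TenantOU -Enabled $true `
        -AccountPassword (Read-Host -AsSecureString 'Initial admin password') -PassThru
    Add-ADGroupMember -Identity $adminsGroup -Members $admin
    Add-ADGroupMember -Identity $usersGroup  -Members $admin
    # Isolate the OU: drop inherited ACEs, remove the Authenticated Users entry that the
    # default OU security descriptor adds, then grant rights to the tenant groups only.
    # Re-add afterwards any platform entries that were inherited (for example the Exchange
    # security groups), otherwise mailbox provisioning into this OU may fail.
    $acl = Get-Acl -Path "AD:\$TenantOU"
    $acl.SetAccessRuleProtection($true, $false)      # protect the OU, discard inherited ACEs
    $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]'S-1-5-11')  # Authenticated Users
    $inheritAll = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $allow      = [System.Security.AccessControl.AccessControlType]::Allow
    # Admins: create/delete child objects and read/write their properties within the OU only.
    # Add the Reset Password extended right separately if tenant admins must reset passwords.
    $adminRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty'
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($adminsGroup.SID, $adminRights, $allow, $inheritAll)))
    # Users: read-only view of their own tenant; other tenants stay invisible under List Object mode.
    $userRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($usersGroup.SID, $userRights, $allow, $inheritAll)))
    Set-Acl -Path "AD:\$TenantOU" -AclObject $acl
    Set-ADOrganizationalUnit -Identity $TenantOU -ProtectedFromAccidentalDeletion $true
    Write-Host "Tenant $TenantName provisioned in $TenantOU"
}
catch {
    # Roll back so no half-built tenant is left behind, then surface the original error.
    Write-Warning "Provisioning failed: $($_.Exception.Message) - rolling back $TenantOU"
    Remove-ADOrganizationalUnit -Identity $TenantOU -Recursive -Confirm:$false -ErrorAction SilentlyContinue
    throw
}
```

After a run, check the result from a user account in another tenant: the new OU must not be listable, and the tenant admin must be able to create a test user in it but nothing outside it.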

Provisioning new organizations in Active Directory has to be secure and repeatable, preferably using a method that can be rolled back in case of issues during provisioning, so you do not end up with an organization in an unknown state. Creating a new organization can be done manually, using a PowerShell script or the standard Active Directory tools. It can also be done using a self-service provisioning portal: new customers go to this portal and create their new hosted organization, and the site in turn calls a number of web services (using the PowerShell scripts) that do the actual creation. The advantage of doing this is of course that you can combine this functionality with the billing process, and that it is a user-driven action: new customers can be enabled at any time without interaction from a hosting company administrator.

Note. Although you can use the manual approach to provision new organizations and users, it is of course not the recommended approach. It is labor intensive, inconsistent and error-prone. Creating (or buying) scripts is much easier, faster and more consistent, and carries less risk of error. But the hosting company administrator still has to fire off the scripts before new customers can start using the service.

The recommended approach is to develop a provisioning process combined with a Customer Self Care portal where new users can log on and create new organizations. This is quite a lot of work (two .NET developers will need a couple of weeks to build a rock-solid environment), but from a business perspective it is the best approach.

Summary

In this posting I tried to explain the steps needed to set up the Active Directory structure when hosting multiple companies in an Exchange 2010 environment. This can be achieved using manual steps (the least desirable approach), using PowerShell scripts, or using a Customer Self Care portal, which is always my recommended approach.

In my next post I’ll try to explain the steps that are needed to create the actual mailboxes for new organizations and users.
