In my earlier blog posts Building Hosted Exchange Part I (overview) and Building Hosted Exchange Part II (Active Directory) I explained the basics and how to configure Active Directory for a multi-tenant environment. In this posting we’re going to continue with the Exchange part of the multi-tenant environment.
Exchange 2010 SP2
In the previous post I used a simple PowerShell script to create the Organizational Units in Active Directory for the three companies that will be hosted in our sample environment. Besides creating the OUs, the script also sets the appropriate permissions on them. The structure looks like this:
When the AD structure is created the new organization can be setup in Exchange 2010 SP2.
Address Book Policies
To give every organization its own Address Book, Address Book Policies (ABPs) can be used. An ABP should be created for each new company and should contain (at least) Address Lists for mailboxes, contacts, distribution groups and resource mailboxes, all depending on your own hosted offering of course. I have written an earlier blog post on ABPs which can be found here: Address Book Policies in Exchange 2010. You can create them manually using the Exchange Management Shell (with a script) or using the Exchange Management Console (very labor intensive and extremely prone to error!). Again, the best solution is to build this into your provisioning site so that new customers can create a new company on the fly. But it should be consistent, repeatable and preferably billable!
When the ABPs are created you can create the actual users and mailboxes and stamp the appropriate ABP on them, so that users only see their own organization's Address Lists and not those of other organizations!
Don’t forget the Offline Address Book though. This should be created during provisioning and updated every time a change is made to recipients in the organization. Since creating an OAB is resource intensive you might want to distribute this across multiple Mailbox Servers in your Exchange 2010 environment.
Note. In Exchange 2007 (and earlier) this was achieved by setting ACLs on the various Address List objects in Active Directory. In Exchange 2010 this information is supplied by the Address Book Service running on the Client Access Server, which is a major difference between Exchange 2007 and Exchange 2010. If you fiddle around with ACLs on Address List objects in Exchange 2010 things will go horribly wrong. Believe me, beyond repair!
One special thing to note is that the OAB download location needs to be secured to prevent unauthorized downloading of other organizations' OABs (this only has to be done once, when building the platform). Since this location is accessible to all users in the entire Exchange 2010 organization (i.e. all users in all tenants), the download location itself has to be secured, and every individual OAB has to be secured as well (this is where the AllUsers@Company1 security group comes into play). The second step has to be repeated for every OAB that is created.
Again I'm using a PowerShell script to create all Address Lists and the Offline Address Books. Be aware that the filtering of the Address Lists and the GAL needs to be right to prevent mailboxes from one organization showing up in an Address List of another organization. The best solution for this is to filter on a CustomAttribute.
Clearly visible are four Address Lists plus a Global Address List per customer. Since PowerShell is used, the results of creation are consistent. The Address Book Policies also now show up in the Exchange Management Console:
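As an added example (not a script from the original post), this is what the per-tenant part of such a provisioning script could look like in the Exchange Management Shell. The tenant tag in CustomAttribute1, the "<Tenant> - ..." naming and the mailbox server name are assumptions; the point is that every filter is anchored on the tenant tag so no recipient of another tenant can match.

```powershell
# Added example (not from the original post): per-tenant Address Lists, GAL, OAB and ABP.
# Assumes every recipient of a tenant carries the tenant name in CustomAttribute1,
# and that the OU/group layout from Part II is in place. Run in the Exchange
# Management Shell on Exchange 2010 SP2.
param(
    [Parameter(Mandatory=$true)][string]$Tenant,   # e.g. "Company1" (sample value)
    [string]$OabServer = "MBX01"                   # hypothetical mailbox server that generates the OAB
)

# Every filter is anchored on the tenant tag so one tenant's recipients never appear in another's lists.
$tag = "(CustomAttribute1 -eq '$Tenant')"

$users    = New-AddressList -Name "$Tenant - Users"    -Container '\' -RecipientFilter "$tag -and (RecipientType -eq 'UserMailbox')"
$contacts = New-AddressList -Name "$Tenant - Contacts" -Container '\' -RecipientFilter "$tag -and (RecipientType -eq 'MailContact')"
$groups   = New-AddressList -Name "$Tenant - Groups"   -Container '\' -RecipientFilter "$tag -and (RecipientType -eq 'MailUniversalDistributionGroup')"
$rooms    = New-AddressList -Name "$Tenant - Rooms"    -Container '\' -RecipientFilter "$tag -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')"

# The tenant GAL only ever contains recipients carrying the tenant tag.
$gal = New-GlobalAddressList -Name "$Tenant - GAL" -RecipientFilter $tag

# One OAB per tenant, generated on the chosen mailbox server and built from the tenant GAL.
# The resulting OAB folder still has to be ACLed to the tenant's AllUsers group (see the text above).
$oab = New-OfflineAddressBook -Name "$Tenant - OAB" -AddressLists $gal -Server $OabServer

# Tie everything together in an Address Book Policy that is later stamped on each tenant mailbox.
New-AddressBookPolicy -Name "$Tenant - ABP" `
    -AddressLists $users, $contacts, $groups `
    -GlobalAddressList $gal `
    -OfflineAddressBook $oab `
    -RoomList $rooms

# Sanity check: preview the GAL filter and flag anything that is not tagged for this tenant.
Get-Recipient -RecipientPreviewFilter $gal.RecipientFilter |
    Where-Object { $_.CustomAttribute1 -ne $Tenant } |
    ForEach-Object { Write-Warning "Leak: $($_.Identity) matched $($gal.Name)" }
```

The preview check at the end is the cheapest way to catch a filter typo before the first tenant user logs on and sees somebody else's directory.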
The last step is to create the actual users and mailboxes. Make sure a unique SAMAccountName is used for the user. It does not have to be a readable name (like HOSTING\JoeSixpack); a completely random value will do as well, since the user only uses the UPN to log on to the mailbox. Add the user to their respective security groups and don't forget to set the ABP on the new user:
Log on as the user (using OWA) and check the Address Book. Only the Address Book of the user's own company should be visible.
Now that the user is successfully provisioned there's yet another issue you have to be aware of: calendar permissions. By default calendar information (i.e. free/busy) is shared across all mailboxes in the entire organization. This is not a desired situation in a hosting environment where all tenants are individual entities. You have to design a strategy that limits sharing in a way that suits your hosting company and at the same time suits the customers that are using your hosting environment.
In short you have to:
- Secure the Offline Address Book download location to prevent unauthorized browsing;
- Create an Accepted Domain for the new tenant;
- Create multiple Address Lists, an Offline Address Book and an Address Book Policy for the newly created tenant;
- Create new users in the newly created tenant;
- Mailbox enable the users and stamp them with the correct ABP;
- Create mail-enabled groups;
- Set calendar permissions;
- Update the Offline Address Book when all mailboxes are created.
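As an added example (not a script from the original post), here is the per-user part of the provisioning: creating the mailbox with a random SAMAccountName, stamping the tenant tag and ABP, adding the user to the tenant group, closing the default free/busy sharing to the tenant only, and refreshing the tenant OAB. The OU path, database name, "<Tenant> - ABP"/"<Tenant> - OAB" names and a mail-enabled AllUsers@<Tenant> group are assumptions.

```powershell
# Added example (not from the original post): provision one tenant user end to end.
# Assumes the tenant OU and a mail-enabled AllUsers@<Tenant> security group from Part II exist,
# that the tenant domain is already an Accepted Domain, and that the ABP and OAB are named
# "<Tenant> - ABP" and "<Tenant> - OAB". Run in the Exchange Management Shell on Exchange 2010 SP2.
param(
    [Parameter(Mandatory=$true)][string]$Tenant,        # e.g. "Company1" (sample value)
    [Parameter(Mandatory=$true)][string]$TenantDomain,  # e.g. "company1.example" (sample value)
    [Parameter(Mandatory=$true)][string]$DisplayName,   # e.g. "Joe Sixpack"
    [Parameter(Mandatory=$true)][string]$Alias,         # e.g. "joe"
    [Parameter(Mandatory=$true)][System.Security.SecureString]$Password,
    [string]$Database = "DB01"                          # hypothetical mailbox database
)
Import-Module ActiveDirectory

$ou  = "OU=$Tenant,OU=Hosting,DC=hosting,DC=local"    # assumed OU layout from Part II
$upn = "$Alias@$TenantDomain"
# SAMAccountName only has to be unique; users log on with the UPN, so a random 20-character value is fine.
$sam = [Guid]::NewGuid().ToString('N').Substring(0, 20)

New-Mailbox -Name $DisplayName -DisplayName $DisplayName -Alias $Alias `
    -UserPrincipalName $upn -SamAccountName $sam -Password $Password `
    -OrganizationalUnit $ou -Database $Database -AddressBookPolicy "$Tenant - ABP" | Out-Null

# The tenant tag drives every address-list filter, so stamp it before the lists are refreshed.
# The primary SMTP address is set explicitly so the organization-wide address policy cannot leak a foreign domain.
Set-Mailbox -Identity $upn -CustomAttribute1 $Tenant -EmailAddressPolicyEnabled $false `
    -PrimarySmtpAddress $upn

# Group membership is what grants access to the tenant's secured OAB download folder.
Add-ADGroupMember -Identity "AllUsers@$Tenant" -Members $sam

# Stop cross-tenant free/busy: remove the organization-wide Default access and grant it to the tenant group only.
$calendar = "${upn}:\Calendar"
Set-MailboxFolderPermission -Identity $calendar -User Default -AccessRights None
Add-MailboxFolderPermission -Identity $calendar -User "AllUsers@$Tenant" -AccessRights AvailabilityOnly

# Rebuild the tenant's OAB so the new mailbox shows up for its own tenant on the next download.
Update-OfflineAddressBook -Identity "$Tenant - OAB"
```

After the run, Get-MailboxFolderPermission on the new calendar should list Default as None and the tenant group as AvailabilityOnly; anything else means the old organization-wide sharing is still in place.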
Note. Please be aware that only the standard Microsoft tools, like the Active Directory Users and Computers MMC snap-in and PowerShell (including the Active Directory module), are supported by Microsoft for (bulk) creating organizations, users and mailboxes.
Summary Part III
In this blog post I've outlined how to create an organization in Exchange 2010 SP2 and how to create the mailboxes for users in a hosting environment. Since a repeatable process is needed (I assume you want to host thousands of users), using tools like Active Directory Users and Computers, ADSIEdit or the Exchange Management Console is not an option. At the very least you need some PowerShell scripts that will do the plumbing for you. Hosting System Integrators like implement.com have worked through all the details and have guidance documents and (sample) scripts available to save you all the hassle.