Almost two years ago I wrote a couple of blog posts regarding Hosted Exchange 2010 SP2 (or later):

• Building Hosted Exchange Part I (overview)
• Building Hosted Exchange Part II (Active Directory)
• Building Hosted Exchange Part III (Exchange and ABP’s)
• Building Hosted Exchange Part IV (Global Settings)
• Building Hosted Exchange Part V (SMTP routing in a multi-tenant environment)

When building Hosted Exchange 2013 things are not very different. You have to prepare Active Directory for hosting purposes and set the permissions in Active Directory on OU level. When it comes to Exchange 2013 itself, address list segregation is still achieved by using Address Book Policies. One thing that is fundamentally different is SMTP routing in a hosted Exchange. In Exchange 2010 3^rd party Routing Agents were used, but in Exchange 2013 there’s an Address Book Policy Routing agent that respects the Address Book Policies that are provisioned for every tenant.

Guidance document

Microsoft has updated its guidance document for multi-tenancy and hosting and you can download it here: http://www.microsoft.com/en-us/download/details.aspx?id=36790

It is an overview document on the things you have to be aware of when building a hosted Exchange 2013 environment and thing you have to do get have a supported hosting environment. Please note that this document is not a “step-by-step” document for building Hosted Exchange.

Scalability testing

Microsoft has done some multi-tenant scalability tests and this can be found on TechNet as well: Multi-Tenant Scalability Guidance for Exchange Server 2013 – http://www.microsoft.com/en-us/download/details.aspx?id=39941.

When you open this document and navigate to page 9, you can find interesting information regarding performance when using a large number of tenants. If you have 10,000 tenants for example, it takes approx. 74 seconds to create a new tenant. This is feedback I get from other customers as well, it just takes quite some time when your environment grows.

Total tenants provisioned	Total transport rules created	Total OABs created	Average time to provision tenant	Outlook Web App Test	Outlook Test
1,000	1,000	1,000	9 seconds	Success	Success
5,000	5,000	5,000	30 seconds	Success	Success
10,000	10,000*	10,000	74 seconds*	Success	Success
20,000	5,000	20,000	64 seconds	Success	Success
25,000	5,000	25,000	74 seconds	Success	Success
30,000	5,000	30,000*	88 seconds	Success	Failed**
40,000	5,000	25,000	109 seconds	Success	Success
50,000	5,000	25,000	135 seconds	Success	Success

Active Directory

Preparing Active Directory, creating the Hosting Organizational Unit (OU=Hosting) and creating the various tenants for each hosted company is not that difficult. It didn’t change either with Exchange 2010 or Exchange 2013.

You create an OU structure that typically starts with OU=Hosting. In the OU=Hosting the various tenants are created and each tenant has its own OU. A tenant can have an admin account, user accounts and group accounts like ‘admins’ or ‘allUsers’ as shown in the following Figure where WoodGroveBank is a tenant under OU=Hosting:

Creating a tenant like this can be achieved with PowerShell, use a command something like this:

New-ADOrganizationalUnit -Name WoodGroveBank -Path “OU=Hosting,DC=Contoso,DC=com” -OtherAttributes @{uPNSuffixes="WoodGroveBank.com"} -ProtectedFromAccidentalDeletion $false
New-ADGroup -Name "AllUsers@WoodGroveBank" -SamAccountName "AllUsers WoodGroveBank " -GroupCategory Security -GroupScope Universal -Path "OU= WoodGroveBank .com"
New-ADGroup -Name "Admins@ WoodGroveBank " -SamAccountName "Admins@WoodGroveBank" -GroupCategory Security -GroupScope Universal -Path "OU=WoodGroveBank .com"

More information can still be found in the original Microsoft whitepaper about Exchange 2007 Address List Segregation. This whitepaper contains a wealth of information on how to create a hosting structure in Active Directory. But beware, this whitepaper is old and not all information should be copied directly to Exchange 2013. It’s just about the information regarding OU’s etc. which is very useful but it’s up to you to decide what’s implemented and how.

Exchange 2013 Configuration

When it comes to Exchange you have to create an Accepted Domain and maybe you want to create an Email Address Policy, but you can also opt for not using an EAP but stamp the email addresses during provisioning. In EMS you can use PowerShell commands like this:

New-AcceptedDomain –Name “WoodGroveBank” –DomainName “WoodGroveBank.com” –DomainType authoritative  New-EmailAddressPolicy -Name "WoodGroveBank " -IncludedRecipients "AllRecipients" -ConditionalCustomAttribute1 "WoodGroveBank" -RecipientContainer "OU=WoodGroveBank,OU=Hosting,DC=Contoso,DC=Com" -EnabledEmailAddressTemplates "SMTP:%m@ WoodGroveBank.com"

Per tenant you need to create a Global Address List, a Users Address List and an Offline Address Book. All lists are filtered on the CustomAttribute1 that’s stamped with the tenant name. in EMS you can use PowerShell commands like this:

New-GlobalAddressList -Name "WoodGroveBank GAL" -RecipientContainer "OU=WoodGroveBank" -RecipientFilter "((Alias -ne '`$NULL') -and (CustomAttribute1 -eq ' WoodGroveBank '))"  New-AddressList -Name “WoodGroveBank All Users AL" -Container "\" -DisplayName " WoodGroveBank All Users" -RecipientFilter "((Alias -ne '`$NULL') -and (objectClass -eq 'user') -and (CustomAttribute1 -eq ' WoodGroveBank '))"  New-OfflineAddressBook –Name " WoodGroveBank OAB" -AddressLists "\ WoodGroveBank GAL" –VirtualDirectories "CASServer\OAB (Default Web Site)"

Just like Exchange 2010 Address Book Policies are used in Exchange 2013 when creating your own hosted Exchange solution and you can create these in EMS. To create a new Address Book Policy and use the Address Lists we created in the previous step you can use a PowerShell command like this:

New-AddressBookPolicy –Name "WoodGroveBank ABP" –GlobalAddressList "\WoodGroveBank GAL" –OfflineAddressBook "\WoodGroveBank OAB" –AddressLists "\WoodGroveBank All Users AL"

When you create a Mailbox make sure the Mailbox’s CustomAttribute1 is stamped with the correct name since this determines in which ABP the Mailbox will show up. If you mess up the Mailbox will most likely show up nowhere, or in an Address List of another tenant, something you most likely want to avoid. Also make sure that the Mailbox is stamped with the correct Address Book Policy. In EMS you can use a PowerShell command like this:

New-ADUser –Name "$Name@$TenantID" –SamAccountName $SAMAccountName –DisplayName "$FirstName $LastName" -AccountPassword $SecurePW –Path "OU=$TenantID,$BaseADPath" -otherattributes @{userPrincipalName=$UPN} –Server $PreferredDC

Enable-ADAccount -Identity $SAMAccountName Add-ADGroupMember –Identity "AllUsers@$TenantID" –Members "CN=$Name@$TenantID,OU=$TenantID,$BaseADPath" -Server $PreferredDC Enable-Mailbox –Identity "$Name@$TenantID" –PrimarySMTPAddress $UserName -Alias $SAMAccountName –DomainController $PreferredDC Set-Mailbox –Identity "$Name@$TenantID" –EmailAddressPolicyEnabled $false –customAttribute1 "$TenantID" –AddressBookPolicy "$TenantID ABP" –DomainController $PreferredDC Update-Recipient –Identity "$Name@$TenantID" -DomainController $PreferredDC

Important note. This blog post is not meant as a hitchhiker’s guide to hosted Exchange, it’s more to show you a guideline on how to implement this. You are still responsible for building a rock solid provisioning system, implement a roll back scenario and create something to disable or delete users in your system. You also have to work on security to make 100% sure that users in one tenant cannot see any information from other tenants. The guidance document as mentioned in the beginning of this blog post has more information about common pitfalls.

Control Panel vendors

Another interesting article regarding hosting and multi-tenancy can be found on TechNet (Exchange Server 2013 hosting and multi-tenancy solutions and guidance – http://technet.microsoft.com/en-us/exchange/jj720331.aspx) and focusses on Control Panel vendors.

The choice is yours of course; do you want to spend your money on buying a 3^rd party solution (which also support it, and is responsible for keeping it up-to-date when Microsoft releases new Cumulative Updates or Service Packs) or do you want to invest your money in an in-house Microsoft .NET development department that will build it for you? The latter is tempting but be aware, you need a couple of senior developers for a couple of months, and this isn’t cheap either.

I have been working both with Ensim Exchange Manager and ExtendASP as a Control Panel Vendor. One of the things Control Panel vendors do is using a Resource Database. All services that are in use by customers are controlled by the Resource Database so you never can sell more resources than you actually have available, unless you start to use oversubscription of course. When designed and implemented properly they prevent the services to become unavailable because of lack of resources, for example running out of disk space, or Mailbox database becoming too large, or too many Sharepoint sites in your organization. Provisioning with these vendors is also transactional which means that all transaction can be rolled back. For example, when a customer subscribes to a particular service and something goes wrong during provisioning, all transaction are rolled back, leaving Active Directory in a state as it was before this customer subscribed. You may think ‘big deal’ but when you have 10,000 tenants in your hosting organization things go wrong, and it’s quite some work to troubleshoot these kinds of issues and cleaning them up. And don’t forget, customer tend to try it a couple of time before they give up, leaving even more mess in Active Directory and Exchange 2013 😉

Another thing, these vendors also do the Active Directory preparation for you. Their install application creates the OU structure in Active Directory, set the appropriate permissions in Active Directory, create and manage Address Book Policies in Exchange 2013 etc. without the hassle of you having to figure out what’s wrong and what not. This can also save you a tremendous amount of time.

Office 365

Don’t’ forget… if you want to start with hosted Exchange, Sharepoint and Lync, Office 365 is your biggest competitor. Microsoft has thousands of people working on Office 365 and it’s difficult to compete. Not only from a technical perspective, but also from a financial perspective. Office 365 is a bargain, it’s really cheap and hard to compete against!

Why do customers want to host their Exchange and other stuff not at Microsoft? This is very interesting for non-US based hosters, but customer want their data not hosted at an American hosting company and they don’t want (or are not allowed) to leave their data in another country. This is something that’s important for European customers for example.

Instead of hosting your own Exchange/Lync/Sharepoint environment you can choose for reselling Office 365. You can do this by helping your customers, but in this case Microsoft has the relationship with your customers, and that’s not a desirable solution. Microsoft also has this syndication program, where you have to relationship with your customer. Customer do the provisioning via your Portal and you provision the Office 365 environment. At the same time you start billing the customer, and Microsoft is billing you!

At this moment the Microsoft Syndication program is focusing on large Telco’s around the world (hosting multiple hundreds of thousands Mailboxes) but during last Hosting Summit Microsoft also announced a Syndication Light program focusing on smaller hosting companies. Your local Microsoft account team should be able to tell you more about this.

Summary

When it comes to hosted Exchange 2013 it’s not very different than hosted Exchange 2010. The scalability is a bit different, the User Interfaces are different but they are very similar. The only thing that’s fundamentally different is the routing in a hosted Exchange 2013 environment. I will write another blog post on this very soon.

But besides hosting your own Microsoft solution you can opt for reselling Office 365. Less profitable, that’s true, but don’t underestimate the cost related to building your own solution, let alone the cost for maintaining your own hosting environment.

Microsoft knows it’s difficult for (smaller) hosters to resell Office 365 and is working on solutions in this area so stay tuned (more information is expected at the Word Wide Partner Conference this summer). At this moment I would recommend not start building your own hosting environment blindly but evaluate your options and make a right decision, a decision for the short term and the long term.