Exchange 2010 SP1 has built-in multi-tenant support, which helps service providers host multiple organizations in a single Active Directory environment. There are a few features which are available only in hosting mode and a few others which are not available, compared to a normal deployment of Exchange 2010 SP1. Exchange 2010 SP1 will form part of the suite of multi-tenant capable products that will replace the Hosted Messaging and Collaboration solution.
A few points to note about installing Exchange 2010 SP1 in hosting mode:
- The installation can only be done from the command line.
- You need to use /InstallWindowsComponents while running the setup to install all Windows components required for Exchange. This installs only the Windows components, not the prerequisites! Always install the prerequisites first.
- You need to use the /Hosting switch while running the setup to install Exchange in hosting mode.
- Exchange 2010 SP1 is required.
- The Exchange Management Console will not be installed.
Exchange 2010 SP1 doesn’t support the following features in Hosting mode (from Technet):
- Exchange Management Console
- Public Folders
- Unified Messaging Server role
- Business-to-Business features such as cross-premises message tracking and calendar sharing
- Outlook 2003 support (EnableLegacyOutlook)
- Edge Transport Server role
- Same forest upgrade from Exchange 2007
- Resource forest
- Parent-child domains
- Discontiguous namespace
- Disjoint namespace
Here, based on the blogs zerohoursleep and howexchangeworks, is how it's done! This step-by-step tutorial will guide you through installing your first Exchange 2010 SP1 multi-tenant organization and bringing it to a fully operational state.
For this lab I am using 2 servers running Microsoft Windows 2008 R2: one of them acts as the domain controller for the lab domain lab.com, and the other will be running all roles of Microsoft Exchange 2010 SP1 (CAS, HUB and Mailbox).
Of course, in a live environment the Exchange roles will most probably be split among multiple servers, but the concept is pretty much the same.
I will assume that the Domain Controller is already installed and that the server that will become the Exchange server already has Windows 2008 R2 installed with all the patches required to deploy Exchange 2010 SP1.
Installing Exchange 2010 SP1 in hosting (or multi-tenant) mode
Installing Exchange prerequisites on Windows 2008R2
I am used to using this script to automate installation of the prerequisites since I find it very clean.
We will start by running PowerShell as administrator (right click -> Run as administrator) and allowing script execution using
Running the script will then offer you a menu; in my case I need to select option 6, since all roles will be installed on the same server, and restart the machine afterwards.
As you may already know, Exchange 2010 multi-tenant can only be installed from the command line by adding the /hosting parameter. We will initiate the installation by running
setup.com /m:install /r:m,ca,ht /installwindowscomponents /hosting /on:ExchLab
Let me first explain the above command:
- /m stands for /mode, and we are running setup in install mode
- /r stands for /roles, and we want to install the m (mailbox), ca (client access) and ht (hub transport) roles. Of course you will need to change this if you don't want to install all roles
- /hosting is required to tell the setup to run the hosting installation
- /on stands for /OrganizationName, and here you define the name of your Exchange organization. I called mine ExchLab
We will now wait for the installation to finish
A few differences from a non-hosted Exchange
The first thing I noticed after the installation is the differences in Active Directory Users and Computers, like the presence of a brand new Organizational Unit, "Microsoft Exchange Hosted Organizations".
Of course, the absence of the Exchange Management Console should have come first, but I was expecting that since it is documented all over the place.
A look at Service Plans
Before jumping straight in and creating an organization, we need to take a look at some files located on your CAS server called Service Plans.
Service plans are located by default in "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans" on your CAS server, and they define the different services your hosted organization provides to its customers.
We have 2 things to notice here:
- Since the files are located on the CAS, editing a file means updating it on all your CAS servers
- You have 2 kinds of files: the .ServicePlan files that actually define all the permissions you give to an organization, and the .csv file that maps Hosting Plans to Service Plans
Each .ServicePlan above defines a set of permissions/features/quotas etc., and their names are self-explanatory. However, if you need to change or create your own ServicePlan, the file itself is an XML file: just start with the HostingAllFeatures_Sample.ServicePlan, remove any entry you don't want and/or change any value.
N.B.: Make sure NOT to use the sample plans themselves for your edits, since any update applied to the server will replace them.
The other kind of file in this folder is the ServicePlanHostingRemap.csv, which is pretty simple as it maps a specific hosting plan name and OfferID to a service plan defined above. Nothing really complicated here, but definitely worth a look.
Creating your first organization
So now that you have grasped the general idea about ServicePlan files, let's create our first organization. We will start by first creating the ServicePlan mapping within the ServicePlanHostingRemap.csv file we have just discussed. Because I am using the sample I won't, but normally you would delete the samples and create your own here.
Then run the command:
$c = get-credential
This will prompt you for a username and password; you can input any fake username you want, since only the password from this command is needed and used. The password specified is going to be used for the administrator of the organization you are about to create.
New-organization -name TestOrg -DomainName TestOrg.com -ProgramId HostingSample -OfferId 2 -location en-US -AdministratorPassword $c.password
- Name defines the name of the organization you are about to create
- DomainName defines the SMTP domain of this organization, so users in the TestOrg organization will have emails @TestOrg.com
- ProgramID comes right from the .csv file we have just discussed, so this organization will have the HostingSample hosting plan
- OfferID is also defined in the .csv file above, so by matching ProgramID HostingSample with OfferID 2 we are giving this organization the HostingAllFeatures_Sample ServicePlan
- AdministratorPassword: as you can notice, the parameter is only concerned with the password of this organization's administrator, not the username, so we are using only the password provided in the get-credential command by using $c.password
That was not that complicated, right! But what happened on the Active Directory side?
As you can see, a dedicated OU was created for the TestOrg organization with its Administrator user and its own security groups. Pretty cool, eh!
Don't worry yet about the extra user "Antoine Khater"; we will see how to create it in Part 3 of this tutorial.
Deleting an Organization
To finish today’s article I will go over the process of deleting an organization.
Deleting all mailboxes
You will not be allowed to purge an organization as long as it has mailboxes, so as a start we will need to delete all the mailboxes of the organization. You will now notice that the "get-mailbox" command has, in hosting mode, an extra parameter, -Organization. So to delete all mailboxes in the TestOrg organization we will run
get-mailbox -Organization TestOrg | remove-mailbox
Deleting the organization
Now that the organization is empty of all mailboxes, it can be deleted using
And as you can imagine, it will do all the cleaning from Active Directory as well.
Managing mailboxes as a hosting company
We need to differentiate here between you, as a hosting company, creating users in a specific organization and the Organization Administrator creating users for their own organization.
To create, as a hosting company, users for a specific organization, you will need to use the PowerShell cmdlet new-mailbox, which also got a new -Organization parameter.
Assuming I want to create a new mailbox for myself in the organization "TestOrg", the command will be
New-Mailbox "Antoine Khater" -UserPrincipalName email@example.com -Organization TestOrg
As you can see, the mailbox was created with the quotas defined in the service plan of the TestOrg organization and with an email address of firstname.lastname@example.org, and as you can guess it will be located in the TestOrg organizational unit in Active Directory.
Well, this is a really funny one and I think it is actually a bug. The remove-mailbox cmdlet didn't get the -Organization parameter, which makes it impossible to delete a mailbox unless you use the combination of get-mailbox and remove-mailbox as follows
get-mailbox email@example.com -Organization TestOrg | remove-mailbox
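The following is an added example, not code from the original post. It wraps the get-mailbox / remove-mailbox combination shown above in a function that scopes the lookup to one organization (so an identity such as an SMTP address can never match a mailbox in another tenant), refuses to act unless exactly one mailbox matches, and supports -WhatIf / -Confirm so the deletion can be rehearsed before it is run for real. The function name Remove-HostedMailbox is my own.

```powershell
# Added example (not from the original post): tenant-scoped mailbox removal with a dry run.
function Remove-HostedMailbox {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)] [string] $Organization,   # hosted organization name
        [Parameter(Mandatory = $true)] [string] $Identity        # alias, UPN or SMTP address
    )

    # -Organization restricts the search to the tenant's own OU, so a lookup can never
    # resolve to a mailbox belonging to another hosted organization.
    $mailboxes = @(Get-Mailbox -Organization $Organization -Identity $Identity -ErrorAction Stop)

    if ($mailboxes.Count -ne 1) {
        throw "Expected exactly one mailbox for '$Identity' in '$Organization', found $($mailboxes.Count)."
    }

    $mbx = $mailboxes[0]
    # ShouldProcess honours -WhatIf (print only) and -Confirm (ask first).
    if ($PSCmdlet.ShouldProcess("$($mbx.PrimarySmtpAddress) in $Organization", 'Remove mailbox')) {
        $mbx | Remove-Mailbox -Confirm:$false
    }
}

# Rehearsal run: reports what would be removed without touching anything.
Remove-HostedMailbox -Organization TestOrg -Identity email@example.com -WhatIf
```

Drop the -WhatIf to perform the deletion; because ConfirmImpact is High, PowerShell will still ask for confirmation unless you pass -Confirm:$false.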
Managing Organization as Organization Admin
Well, I know that most hosting companies provide their customers with panels to do the management; however, Exchange 2010 provides a decent management interface which is nothing but the Outlook Web App ECP.
Remember that administrator password we used when we first created our TestOrg earlier in this tutorial? Well, it is now time to use it...
From the web browser reach https://casserver/ecp and log on with the organization administrator's username/password.
(One thing I've noticed is that the OWA authentication page now asks by default for the email address instead of Domain\Username.)
After logging on you have the option to manage your organization.
There you will be presented with the options of creating new mailboxes, managing mailboxes, resetting passwords and even creating SMTP rules and tracking emails.
A look at address lists
I would like to add that, even if address list segregation is not supported yet on Exchange 2010 SP1, when it is installed in hosting (or multi-tenancy) mode each user will only see the Global Address List accounts that belong to the same organization. So a user in the TestOrg organization will not see users in any other organization, and vice versa.
It is well known that if your Exchange 2007/2010 is internet facing you will need to add "Anonymous" to the permission groups of the "Default Receive Connector" on your Hub Transport server. Exchange 2010 running in hosted mode is no exception; however, there is no Exchange Management Console anymore to do this change, so we will need to do it through PowerShell by running the following command. Of course, don't forget to replace "Exchange" by your Hub server name.
Set-ReceiveConnector -PermissionGroups 'AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers' -Identity 'Exchange\Default Exchange'
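Here is an added example (my own, not from the post) of the same change done a little more carefully: it records the connector's current settings first, appends AnonymousUsers to whatever groups are already there instead of retyping the list, and then checks that the connector has not become an open relay. The server name "Exchange" is assumed as in the post; the relay check relies on the fact that granting AnonymousUsers does not grant ms-Exch-SMTP-Accept-Any-Recipient, which is the right that actually allows relaying to external domains.

```powershell
# Added example, not from the original post. Assumes the Hub server is named
# "Exchange", so the default connector identity is "Exchange\Default Exchange".
$connector = 'Exchange\Default Exchange'

# 1. Record the current state before changing anything.
Get-ReceiveConnector -Identity $connector |
    Format-List Identity, PermissionGroups, RemoteIPRanges, Bindings

# 2. Append AnonymousUsers to the existing groups; the flags enum accepts a
#    comma-separated string, so the existing value can simply be extended.
$current = (Get-ReceiveConnector -Identity $connector).PermissionGroups
Set-ReceiveConnector -Identity $connector -PermissionGroups "$current, AnonymousUsers"

# 3. Verify the connector is not an open relay. AnonymousUsers only allows anonymous
#    submission to your own accepted domains; if ANONYMOUS LOGON ever shows up here
#    with ms-Exch-SMTP-Accept-Any-Recipient (and Deny = False), anyone can relay
#    through the server to any external domain.
Get-ReceiveConnector -Identity $connector |
    Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
    Format-Table User, ExtendedRights, Deny -AutoSize
```

On a freshly configured server the last command should print nothing for anonymous users; the only expected holders of that right are Exchange's own server and service accounts.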
Sending external emails
We also know that Exchange 2007/2010 will not send external emails before a send connector is created, so we will create one using PowerShell as well.
To create a Send connector using DNS MX records for routing (you will also need to replace "Exchange" by the name of your Hub server):
new-SendConnector -Name 'To Internet' -Usage 'Custom' -AddressSpaces 'SMTP:*;1' -IsScopedConnector $false -DNSRoutingEnabled $true -UseExternalDNSServersEnabled $false -SourceTransportServers 'Exchange'
To create a Send connector using smart-host relay for routing (you will also need to replace "Exchange" by the name of your Hub server and 220.127.116.11 by the IP of the smart host):
new-SendConnector -Name 'Using SmartHost' -Usage 'Custom' -AddressSpaces 'SMTP:*;1' -IsScopedConnector $false -DNSRoutingEnabled $false -SmartHosts '[18.104.22.168]' -SmartHostAuthMechanism 'None' -UseExternalDNSServersEnabled $false -SourceTransportServers 'Exchange'
Sending Inter-Organization emails
Well, this is where things are new! I started by simply sending an email between 2 users in different organizations and, instead of reaching its destination, it went directly to the Unreachable queue!
What does it mean?
Well, it means that users in different organizations are treated as completely independent: the recipient will not be resolved "locally" in Active Directory and delivered. Instead, the message will use the send connectors just like mail to any other foreign domain.
How to solve this?
Well, I am sure there are a lot of ways to do this, but since I am in a lab environment with only one server, I have created a send connector for all the organizations' SMTP domains and set it to use the loopback IP address as the smart host:
new-SendConnector -Name 'TestOrg' -Usage 'Internal' -AddressSpaces 'SMTP:testorg.com;1','SMTP:lab.com;1' -IsScopedConnector $false -DNSRoutingEnabled $false -SmartHosts '[127.0.0.1]' -SmartHostAuthMechanism 'None' -UseExternalDNSServersEnabled $false -SourceTransportServers 'Exchange'
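As an added example (my own, not from the post), the script below maintains that loopback smart-host connector from a list of tenant SMTP domains rather than a hard-coded pair, so a new organization's domain can be added or a deleted organization's domain removed without recreating the connector. It generalizes the single-server case in the post to any number of organizations on the same Hub server. The server name "Exchange" and the domain list are assumed; the third domain is a constructed placeholder.

```powershell
# Added example, not from the original post. Creates or updates the inter-organization
# send connector so every tenant SMTP domain routes back into this server via 127.0.0.1.
$connectorName = 'TestOrg'                                          # name used in the post
$hubServer     = 'Exchange'                                         # assumed Hub Transport server
$tenantDomains = @('testorg.com', 'lab.com', 'secondorg.example')   # constructed tenant list

# Each tenant domain becomes an SMTP address space with cost 1 (the "SMTP:domain;1" form).
$addressSpaces = $tenantDomains | ForEach-Object { "SMTP:$_;1" }

# Look the connector up without throwing if it does not exist yet.
$existing = Get-SendConnector -Identity $connectorName -ErrorAction SilentlyContinue

if ($null -eq $existing) {
    # First run: create the connector exactly as in the post, but with the full domain list.
    New-SendConnector -Name $connectorName -Usage Internal -AddressSpaces $addressSpaces `
        -IsScopedConnector $false -DNSRoutingEnabled $false -SmartHosts '[127.0.0.1]' `
        -SmartHostAuthMechanism None -UseExternalDNSServersEnabled $false `
        -SourceTransportServers $hubServer
} else {
    # Later runs: replace the address-space list so removed tenants drop off as well.
    Set-SendConnector -Identity $connectorName -AddressSpaces $addressSpaces
}

# Show which domains are now looped back into the server.
Get-SendConnector -Identity $connectorName | Select-Object Name, SmartHosts, AddressSpaces
```

Keep in mind that the loopback trick only works because the default receive connector on the same Hub server accepts the connection from 127.0.0.1; if the tenants are spread over several Hub servers, the smart host has to point at a server that will accept mail for all of those domains.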