Shared Hosting with Exchange 2007 (Part 1)
If you would like to read the next parts in this article series please go to:
The topic of shared hosting with Exchange Server is not new. Whether your interest is to accommodate more than 1 company with a simple Exchange configuration, as a result of a merge or acquisition, or to start your own small e-mail hosting business, Exchange Server has all the power to respond to your needs.
Since I like to write about the most common requests I get in my technical community life, I thought it would be interesting to detail the setup configuration for a scenario of an Exchange infrastructure shared by more than one customer/company. So for all of those who would like to start a hosting business, I recommend a further advanced solution, Hosted Messaging and Collaboration (HMC) version 4.0, which I'll cover lightly in this article.
Depending on your needs, there is more than one way of achieving shared hosting: with a simple configuration (Figure 1), with a more complex configuration (Figure 2) or by using the HMC framework (Figure 3). Exchange is really versatile and scales according to your goals.
Figure 1: Simple Exchange Server 2007 Organization
Figure 2: Complex Exchange Server 2007 Organization
Figure 3: HMC Architecture
For the purpose of this article, I'll detail the required steps for the simple configuration with a single server. If you ever need a more complex configuration, the necessary modifications won't be difficult to infer.
The following article series details a configuration which is not officially supported by Microsoft. You can read the official documentation at the following link: Configuring Virtual Organizations and Address List Segregation in Exchange 2007.
The main goals we're trying to accomplish are:
- SMTP Domain acceptance;
- Isolation from other customers/companies;
- Differentiated Address Lists;
- Exchange 2007 connection protocols: MAPI, Outlook Anywhere and OWA.
The tested scenario consisted of a single server with the Client Access, Hub Transport and Mailbox roles. I then used a client computer that belongs to the domain and an external one that simulates access through the Internet.
In order to illustrate the desired configuration, I built a scenario where I was the System Administrator of my own hosting company, and I serviced some of the most famous secret agencies around the world.
For this article I'll use the 2 spy agencies of the old TV series Get Smart: CONTROL and KAOS. These 2 organizations must not know the presence of each other on the same server, so I better do my job right!
Figure 5: CONTROL Agents
Setting Up the Environment
So let's start by organizing our Active Directory. Since probably there will be lots of permissions and rights involved, it's better to create a proper OU hierarchy and I bet a Security Group for each Organization will be very helpful.
I created a top level OU called Hosting, under which we'll create a new OU for every Organization that is supposed to be hosted (Figure 6). Under each Organization OU, I like to separate Users and Groups, but it isn't strictly necessary to do it this way.
Since we need a mail enabled group, we'll use the Exchange Management Console (EMC). Just expand Recipient Configuration, select Distribution Group and on the Actions pane hit New Distribution Group. Select Security as the Group Type and populate the remaining fields according to your Organization. Don't forget to select the right OU (Figure 7). Then just click Next and New. Of course, this and most of the procedures of this article can be done using PowerShell. Just before clicking Finish, the EMC will show you the PowerShell command equivalent (Figure 8).
Since we don't want our hosted companies to use the AD Domain name (mydomain.local), it's better to add the proper UPN suffixes, so that users can use these to log on. Open the Active Directory Domains and Trusts management console, right click Active Directory Domains and Trusts and select Properties. You'll be presented with a window where you can insert all the alternative UPN suffixes you want (Figure 9).
Let's look at how to configure the Hub Transport for the hosting organization. The first thing we want to do is add the hosted SMTP addresses as internal domains.
This can be achieved using the EMC, expanding Organization Configuration, Hub Transport and then clicking on the Accepted Domains tab. Then, on the Actions pane, click New Accepted Domain. This will kick the New Accepted Domain Wizard. Just fill the text boxes accordingly and make sure that Authoritative Domain. E-mail is delivered to a recipient in the Exchange organization is selected (Figure 10).
Click Next, review the completion summary and the PowerShell equivalent command, and close the window by clicking Finish (Figure 11).
Repeat these same steps for the KAOS organization and any other hosted companies you like.
Now that the required SMTP domains are accepted as internal, let's define a new e-mail address policy, so that the new users are automatically assigned their right e-mail address.
Since we want the e-mail addresses to be generated automatically for our recipients, we must figure out some kind of rule to achieve this objective. My first thought was to use a Distribution or Security Group, and make the e-mail address policy apply by group membership. I even built the necessary PowerShell command (Figure 12). Unfortunately, for Exchange 2007 RTM, filtering by group membership does not work in all cases. This is a bug that will be fixed in SP1.
The next logical choice was to use the attribute Company. But since this attribute isn't available for groups, and we also want them to be assigned a proper e-mail address, the final solution was to use Custom Attribute 1.
If you didn't close EMC since the last step, select the E-mail Address Policies tab, and click New E-mail Address Policy from the Actions pane. Give it a name for future reference and click Next (Figure 13).
Select Custom Attribute 1 equals Value, click the specified hyperlink and type the text value that will identify each hosted organization. For the current example we'll use "CONTROL" (Figure 14).
On the next screen, click Add, select the E-mail address local part (I used first name and last name initial) and the E-mail address domain (control.org), as depicted in Figure 15 and Figure 16. Click Next and the Finish on the completion summary (Figure 17). Create another E-mail address policy for KAOS organization and you'll end up with the necessary policies created as illustrated in Figure 18.
Figure 19 shows the 2 CONTROL agents with the correct e-mail address, after we applied the CONTROL e-mail address policy.
Now we want to provision each hosted organization with their own address list. The procedures are somewhat similar to the E-mail address policy creation. We'll use Custom Attribute 1 again to filter the pertinent recipients.
Open EMC, expand Organization Configuration, select the Address Lists tab and then click New Address List on the Actions pane. Give it the name you want (CONTROL AL) and select the recipient type (Figure 20). Click Next.
As I said, we'll use Custom Attribute 1, so once again select Custom Attribute 1 equals Value, click the specified hyperlink and type the text value that will identify each hosted organization (CONTROL or KAOS), as seen on Figure 21. Click Next and then Finish to end the address list creation process (Figure 22).
After you repeat the same steps for KAOS organization, the Address Lists tab will look like Figure 23.
Let's move on to the offline address book creation. With Mailbox selected on the left pane, click on the Offline Address Book tab. From the Actions pane, click New Offline Address Book. This will pop up the New Offline Address Book wizard (Figure 24), where you first must select the generation server, give it a proper name and include an address list you previously created (CONTROL AL in the illustrated case). Click Next, add the OAB virtual directory and select Enable Web-based distribution and Enable public folder distribution (Figure 25). Click Finish to close the wizard (Figure 26).
Figure 27 depicts how Offline Address Book tab looks after creating the OAB for CONTROL and KAOS.
And last but not least, to end our Mailbox configuration, we must create different Global Address Lists (GAL) for each spy agency.
To complete this step we'll use PowerShell. You cannot use the Exchange Management Console to create a GAL. You must use the New-GlobalAddressList cmdlet in the Exchange Management Shell (Figure 28):
New-GlobalAddressList -Name "CONTROL GAL" -ConditionalCustomAttribute1 "CONTROL" -IncludedRecipients AllRecipients
If you have multiple GALs in your organization, only one GAL is displayed in the Outlook Address Book on a client computer. This address list displays as Global Address List, even if you specified a different name when creating it in Exchange Server 2007. We'll see further ahead how to associate each GAL for the different hosted organizations.
This ends part 1 of this 3 part series where we'll cover a step-by-step design of a simple hosting solution with Exchange 2007. The next part will focus on the security configuration and tweaking of the Active directory objects, necessary to achieve our goal.
- Shared Hosting with Exchange 2003 (Part 1)
- Shared Hosting with Exchange 2003 (Part 2)
- Managing Global Address Lists
If you would like to read the next parts in this article series please go to: