Shared Hosting with Exchange 2003
Part I Create multiple domains on Exchange
Consider the following scenario: You are the Exchange administrator of a company that buys some other companies that are supposed to work together but still retain their own domain name. All the companies your company bought move to your own campus. Management decided to save on IT costs so these companies no longer have their own IT staff, so they have to use your infrastructure.
For a brief period you consider installing two domain controllers for each company (for redundancy), ending up with a big forest you might not actually need, installing a separate Exchange server for each company, and then managing backups and restores for each of those servers. Some of the merged companies have old servers that you cannot really use, and management will not approve buying new ones.
So, instead you opt for hosting these companies on your own domain and Exchange server. This allows you to easily prune, graft and add companies dynamically which pleases management.
Setup a Company in Active Directory
To illustrate this I'm going to assume your company bought another company called Dogfood. All Dogfood employees will be put in the same Organization Unit.
A Universal Security group is required to both grant permissions and be able to send mail to all Dogfood employees.
After setting up the group it is also important to configure it to use the company's domain e-mail address, dogfood.com. Microsoft's documentation usually suggests using extension attributes to identify which object belongs to which company. I find it more elegant to use the mail attribute, which by default specifies the reply-to SMTP address of a mail-enabled object.
Once our group is in place we can create a recipient policy using Exchange System Manager so that users belonging to the Dogfood Employees group get the e-mail address dogfood.com as well. This is done by creating a custom filter rule that uses the memberOf attribute.
Note that another bogus SMTP address, @hosting.farm, is added for all users. We need this because Outlook Web Access requires all users in the domain to have a common e-mail domain.
Now we can create an Address List so that Outlook users can find Dogfood users more easily instead of needing to wade through the entire Global Address List. This address list will include all users with the @dogfood.com e-mail addresses.
Since Dogfood employees might want to log in using their own domain name, a UPN suffix can be added to the dogfood Organizational unit by using the ADSIEdit tool.
Now is the time to create some Dogfood users using Active Directory Users and Computers in the Dogfood Organizational Unit.
The user needs to be added to the Dogfood Employees group, so that after a while, when the recipient policy is applied, the user gets a @dogfood.com SMTP address.
Part II Hiding addresses in GAL and OWA
Exchange 2003 provides a compelling environment for hosting messaging services. Improvements in access using the Internet both using Internet Explorer and Exchange 2003 as well as built-in mobile services can provide state-of-the art service for customers who want to explore working on the Internet. This can be useful for companies where users work at home, move around a lot or just don't want to have an internal mail server.
The first part of this article explained how to host a few companies on the same server where users get their e-mail address by using group membership and each company gets its own address list. This part will focus on the means for hiding the companies from each other. This means that on the client side users will only be able to see other users from their own company, effectively creating an Exchange virtual organization, also sometimes referred to as "Provisioning".
Exchange 2003 and Active Directory do not have built-in wizards or other mechanisms to achieve this. Implementing this kind of solution requires some knowledge of the inner workings of Exchange and Active Directory, and preferably programming, since creating a virtual Exchange organization can be tedious, especially if you need to create a lot of users at the same time.
To fully implement hosting with Exchange 2003 you would need Windows 2003, Exchange 2003 SP1, Outlook 2003 and Windows XP SP2. This allows clients to connect using RPC over HTTP to the hosted environment. Originally I had tried to write this article early in 2004 when the latest service packs of Exchange 2003 and Windows XP were not yet out and some features did not work. I unofficially confirmed this with Microsoft.
You can use ISA Server to protect the hosted environment while allowing customers to connect using regular MAPI that is not encapsulated in HTTP. This means clients do not have to upgrade their operating systems and Outlook applications. However, please note that on most WAN connections RPC-based MAPI is slow and suffers from timeouts, which can cause connections to fail. In any case Outlook 2003 is recommended, seeing that it compresses information when working with Exchange 2003 and employs a useful Cached mode that works offline and synchronizes in the background with the server, making better use of WAN lines.
If you're just hosting Outlook Web Access your clients should have at least Internet Explorer 5.5 though Internet Explorer 6.0 SP1 is recommended.
The Exchange hiding game is done mostly by implementing permissions. Outlook will use the first Global Address List and Offline Address list that the user has permissions for. As for "regular" address lists they can be hidden too but to simplify matters I've deleted the address lists from my server.
The first step for ensuring that each company gets its own Global Address List is removing the permissions from All Global Address Lists container for the Authenticated Users and Everyone groups. Since Global Address Lists (GALs) which Outlook clients use to resolve e-mail addresses inherit their permissions from the All Global Address Lists container this might save you some work since you now don't have to delete these groups from every GAL that you create.
The All Global Address Lists container inherits its security so Inheritance must be disabled before removing permissions.
All kinds of warning messages are a part of messing with security in a Windows 2003 environment.
In the Security tab, remove the Anonymous Logon, Everyone and Authenticated Users.
Then re-add Authenticated Users and grant them List object so they can access the folders below containing their own GAL.
The same needs to be done to the All Address Lists and the Offline Address Lists container. However, security for the latter can only be altered using the Support Tools' ADSIEdit tool to edit it.
To ensure users don't access other users' properties, access also has to be denied on the Active Directory OUs. To do so, open the property pages of the Hosting OU created in Part 1 of the series, remove the permissions for Pre-Windows 2000 Compatible Access, and leave only the "list" permission for Authenticated Users.
Adding permissions to a company address list or GAL is a similar process except you need to add security for the appropriate Universal Security Group.
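The permission changes above are easy to get wrong, and a single leftover inherited ACE re-exposes every GAL to every tenant. The following PowerShell script is an added example (not from the original article) that audits the three address-list containers and the Hosting OU for allow entries granted to the broad principals the article removes, and reports anything beyond list-only access. It assumes the hosting.farm domain and the Hosting OU from the article; the Exchange organization name is a placeholder you must replace. The container paths under CN=Address Lists Container are the standard Exchange 2003 configuration locations.

```powershell
# Added example, not the article's own code: audit address-list containers and the
# hosting OU for broad permissions that break tenant isolation.
param(
    [string]$DomainDN    = "DC=hosting,DC=farm",
    [string]$ExchangeOrg = "PLACEHOLDER-ORG-NAME",            # assumption: your Exchange organization name
    [string]$HostingOU   = "OU=Hosting,DC=hosting,DC=farm"
)

$ConfigDN = "CN=Configuration,$DomainDN"
$ALC      = "CN=Address Lists Container,CN=$ExchangeOrg,CN=Microsoft Exchange,CN=Services,$ConfigDN"

# Objects whose ACLs the article tells you to tighten
$Targets = @(
    "LDAP://CN=All Global Address Lists,$ALC",
    "LDAP://CN=All Address Lists,$ALC",
    "LDAP://CN=Offline Address Lists,$ALC",
    "LDAP://$HostingOU"
)

# Principals that must not keep broad access (compared on the name part after the backslash)
$BroadPrincipals = @("Everyone", "Authenticated Users", "ANONYMOUS LOGON", "Pre-Windows 2000 Compatible Access")

# The only rights Authenticated Users may keep: enough to traverse down to their own GAL
$AllowedRights = [int]([System.DirectoryServices.ActiveDirectoryRights]::ListObject -bor
                       [System.DirectoryServices.ActiveDirectoryRights]::ListChildren)

function Test-HostingAcl {
    param([string]$AdsPath)
    $obj = [ADSI]$AdsPath
    $findings = @()
    foreach ($ace in $obj.ObjectSecurity.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($BroadPrincipals -notcontains $name) { continue }
        # Any allowed right outside the list-only set is a hole in the isolation
        $extra = [int]$ace.ActiveDirectoryRights -band (-bnot $AllowedRights)
        if ($extra -ne 0) {
            $findings += [pscustomobject]@{
                Object    = $AdsPath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited   # $true means inheritance was never disabled
            }
        }
    }
    return $findings
}

$all = foreach ($t in $Targets) { Test-HostingAcl -AdsPath $t }
if ($all) {
    $all | Format-Table -AutoSize
    exit 1    # something is still readable by every tenant
} else {
    Write-Host "No broad principal has more than list access on the hosting containers."
}
```

Run it as an account with read access to the Configuration partition. A finding with Inherited set to true is the case the article warns about: the ACE came down from the parent because inheritance was not broken before the entries were removed. Note that Everyone and Authenticated Users are reported on the Offline Address Lists container only if you can read it, which is why the article points you to ADSIEdit for that one.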
Now is the time to create a virtual Exchange organization that has the following components: Organizational Unit, Universal Security Group, Recipient Policy, Global Address List, Address List, Offline Address List and Users.
You will find screen shots for all of these in the first part of the series. However, here is a quick re-cap, with some added steps to ensure companies are completely separate:
- Create OU for the company in Active Directory.
- Using ADSIEdit set the uPNSuffixes property with the company's Internet domain name. This will be used by users to logon using their UPN logon name, for example: email@example.com.
- Create a Universal Security Group for the company in the company OU. Manually add an e-mail address to the group that has the company's suffix, for example: firstname.lastname@example.org
- Using Exchange System Manager, create a recipient policy that sets two e-mail suffixes for each user: the hosting general address used to access OWA, and the company's e-mail suffix set as the default. The recipient policy uses a custom filter based on group membership, for example: (&(&(ObjectCategory=*)(memberOf=CN=Dogfood Employees,OU=Dogfood,OU=Hosting,DC=hosting,DC=farm)))
- Create a company address list and a global address list with a custom search based on mail suffix, for example: (&(&(objectCategory=*)(email@example.com)))
- On the security tab of the address lists just created add the company's Universal Security Group and allow the "Read" permission.
- Create users in the company OU
- Using ADSIEdit, for each user set the msExchQueryBaseDN property to be equal to the distinguishedName value of the OU, to limit Outlook Web Access search.
- Add users to the company Universal Security Group.
Offline Address List
The Offline Address List is created based on the company's Address List. Using ADSIEdit, on the security tab of the Offline Address List just created, add the company's Universal Security Group and allow the "Read" permission.
To complete this you need, using ADSIEdit, to set the msExchUseOAB property for each user to equal the distinguishedName of the relevant Offline Address Book. This tells Outlook which Offline Address Book to use.
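The Active Directory side of the recap above (OU, UPN suffix, universal security group, users, group membership, msExchQueryBaseDN and msExchUseOAB) is exactly the tedious, repetitive part the article says benefits from scripting. The following PowerShell/ADSI script is an added example, not the article's own code, that performs those steps for one company. It assumes the hosting.farm domain, the Hosting OU and the Dogfood company from the article; the Exchange organization name, the OAB name and the sample users are constructed placeholders. The recipient policy, the address lists, the GAL and mailbox creation remain Exchange System Manager and Active Directory Users and Computers tasks as described on the page.

```powershell
# Added example, not the article's own code: provision the AD objects for one hosted company.
param(
    [string]$Company     = "Dogfood",
    [string]$MailDomain  = "dogfood.com",
    [string]$HostingOU   = "OU=Hosting,DC=hosting,DC=farm",
    [string]$ExchangeOrg = "PLACEHOLDER-ORG-NAME"    # assumption: your Exchange organization name
)

$ConfigDN = "CN=Configuration,DC=hosting,DC=farm"
# Assumed OAB name: the company name, created under the standard Offline Address Lists container
$OabDN = "CN=$Company,CN=Offline Address Lists,CN=Address Lists Container," +
         "CN=$ExchangeOrg,CN=Microsoft Exchange,CN=Services,$ConfigDN"

# 1. Company OU below the hosting OU
$hosting = [ADSI]"LDAP://$HostingOU"
$ou = $hosting.Create("organizationalUnit", "OU=$Company")
$ou.SetInfo()
$ouDN = $ou.Get("distinguishedName")

# 2. UPN suffix on the OU so users can log on as name@dogfood.com (PutEx 3 = ADS_PROPERTY_APPEND)
$ou.PutEx(3, "uPNSuffixes", @($MailDomain))
$ou.SetInfo()

# 3. Universal security group carrying the company's mail suffix
#    groupType -2147483640 = 0x80000008 = security-enabled + universal
$group = $ou.Create("group", "CN=$Company Employees")
$group.Put("sAMAccountName", "$Company Employees")
$group.Put("groupType", -2147483640)
$group.Put("mail", "employees@$MailDomain")      # constructed address with the company suffix
$group.SetInfo()

# 4. Per-user steps: create, add to the group, pin OWA search and the OAB to this company
function New-HostedUser {
    param(
        [string]$DisplayName,
        [string]$Sam,
        [System.Security.SecureString]$Password
    )
    $user = $ou.Create("user", "CN=$DisplayName")
    $user.Put("sAMAccountName", $Sam)
    $user.Put("displayName", $DisplayName)
    $user.Put("userPrincipalName", "$Sam@$MailDomain")   # the Windows 2000-style logon name
    $user.SetInfo()

    # IADsUser.SetPassword needs clear text; keep it out of the script and decode at the last moment
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try   { $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    $user.Put("userAccountControl", 512)                # NORMAL_ACCOUNT, enabled
    $user.SetInfo()

    # Mailbox-enabling is done with the Exchange tasks in ADUC (or CDOEXM) and is not shown here.

    # Limit OWA's address search to the company OU and point Outlook at the company OAB
    $user.Put("msExchQueryBaseDN", $ouDN)
    $user.Put("msExchUseOAB", $OabDN)
    $user.SetInfo()

    # Membership drives the recipient policy that hands out the @dogfood.com address
    $group.Add($user.Path)
    return $user.Get("distinguishedName")
}

# Constructed sample users; real deployments would read these from a CSV or HR feed
foreach ($sam in @("alice", "bob")) {
    $pwd = Read-Host -AsSecureString "Initial password for $sam"
    New-HostedUser -DisplayName $sam -Sam $sam -Password $pwd
}
```

Run it once per company, then create the recipient policy, address list, GAL and OAB in Exchange System Manager as the recap describes; the Recipient Update Service will stamp the @dogfood.com and @hosting.farm proxy addresses once the group memberships are in place. Setting msExchQueryBaseDN and msExchUseOAB at creation time avoids the per-user ADSIEdit round trips the article mentions.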
Having done all that you are now ready to connect.
Clients should log on using their Active Directory style login name, originally introduced with Windows 2000, which looks a lot like an e-mail address. This ensures that even if you host a lot of users you will have fewer problems with duplicate usernames, and it also hides the hosting Active Directory name.
Please note that Outlook 2003 installed on Windows XP with no SP2 installed cannot login to Exchange using this type of logon name. It is actually a Windows XP bug and has been unofficially confirmed with my Microsoft sources. As far as I know there is no patch for Windows XP SP1 that resolves this.
When you open the Global Address List, this is what you get:
Please note that the Administrator user does not appear in the GAL seeing that it is not an employee of Dogfood.
Microsoft Provisioning System
Microsoft provides a custom solution for this called Microsoft Provisioning System. This is not just an Exchange solution but also provides services for other Microsoft products and is extendable. The service is available to companies that deal with hosting and have a special SPLA agreement with Microsoft, which allows for licensing Microsoft applications on a monthly basis.
This article shows the foundation for providing hosted Exchange services. Even if you have customized Microsoft's or any other commercial solution, knowing what happens behind the scenes can be useful for diagnosing and troubleshooting problems, and perhaps sometimes for going one step further than a packaged solution might offer. Understanding how Outlook clients access the GAL and how Address Lists are created and used can help you do more and cater to unforeseen demands.