How to Setup Hosted Exchange 2013 (Multi-Tenancy)

Need some guidance to setup Hosted Exchange 2013? I’ll share my thoughts

Please note that the following information is only guidance and will help you installing a non-productive environment for testing purposes. There might other or different steps be necessary for you to successfully install a productive hosted Exchange environment. This guide should provide help to build the Structures to “isolate” different Tenants on Exchange 2013

Here are some useful resources:

Exchange 2013 Pre-Requisites
Multi-Tenancy in Exchange 2013
Multi-Tenancy and Hosting Guidance for Exchange Server 2013
http://itswapshop.com/tutorial/creating-tenants-exchange-2010-sp2-multi-tenant

In my setup I used two virtual Servers running Windows 2012 Standard. One Server will act as Domaincontroller with all necessary roles while the second server will hold Exchange itself.

 

Domain Controller Requirements

  • Install the latest Windows Updates
  • Make sure server has a static IP address configured
  • Install Active Directory Roles
  • Promote Server to Domain Controller
In my example the Server is called DC2012 and the Active Directory Domain is called hosted.exchange.

Exchange Server Requirements

  • Install Windows Updates
  • Make sure the server has a static IP address
  • Join the newly created domain

Exchange Installation

Before we can start installing Exchange we have to install some Pre-Requisites as described here.

Then we just start the Exchange Setup and make sure we install both, the Mailbox Server Role as well as the Client Access Server Role.
Choose a name for your Exchange Organization. I simply named it “Hosted Exchange”

Let the installation process finish. The rest we can do from the Domaincontroller.

As the Multi-Tenancy and Hosting Guide for Exchange Server 2013 states, the only way to get a supported environment is using cmd-lets to automate your tasks. Any manual modification in Active Directory and/or Exchange Objects is unsupported. So let’s do all the necessary steps from the Windows Power Shell.

 

Creating Active Directory Structure for Tenants

We’re make it simple and Create a OU called Tenants right in the root of the Active Directory Structure

New-ADOrganizationalUnit -Name Tenants

This is a one time step. If you want you can provide more information to this OU using the according parameteres. You can always use Active Directory Users and Computers (ADUC) to verify if your commands have beend completed successfully. You should now see the OU Tenants in ADUC.

 

Creating first Tenant

# 1. create a OU for the first Tenant “Tenant A”

New-ADOrganizationalUnit -Name TenantA -Path “OU=Tenants,DC=hosted,DC=exchange”

# 2.  register the new UPN Suffix

Set-ADForest -Identity hosted.exchange -UPNSuffixes @{add=”tenanta.com”}

This is what need’s to be done in Active Directory. Now let’s continue using the Exchange Management Shell (EMS). We can “load” the EMS directly from this shell (assuming that you’re working with the Domain Administrator now)

# 3. connect to EMS

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ex2013.hosted.exchange/PowerShell/ -Authentication Kerberos
Import-PSSession $Session

make sure you adjust the path according to your setup. PowerShell is now loading the Exchange cmd-lets

# 4. Add a new accepted Domain for the new Tenant

New-AcceptedDomain -Name “TenantA” -DomainName tenanta.com -DomainType:Authoritative

# 5. Create Global Address List for Tenant A

New-GlobalAddressList -Name “TenantA – GAL” -ConditionalCustomAttribute1 “TenantA” -IncludedRecipients MailboxUsers -RecipientContainer “hosted.exchange/Tenants/TenantA”

# 6. Create All Rooms Address List

New-AddressList -Name “TenantA – All Rooms” -RecipientFilter “(CustomAttribute1 -eq ‘TenantA’) -and (RecipientDisplayType -eq ‘ConferenceRoomMailbox’)” -RecipientContainer “hosted.exchange/Tenants/TenantA”

# 7. Create All Users Address List

New-AddressList -Name “TenantA – All Users” -RecipientFilter “(CustomAttribute1 -eq ‘TenantA’) -and (ObjectClass -eq ‘User’)” -RecipientContainer “hosted.exchange/Tenants/TenantA”

# 8. Create All Contacts Address List

New-AddressList -Name “TenantA – All Contacts” -RecipientFilter “(CustomAttribute1 -eq ‘TenantA’) -and (ObjectClass -eq ‘Contact’)” -RecipientContainer “hosted.exchange/Tenants/TenantA”

# 9. Create All Groups Address List

New-AddressList -Name “TenantA – All Groups” -RecipientFilter “(CustomAttribute1 -eq ‘TenantA’) -and (ObjectClass -eq ‘Group’)” -RecipientContainer “hosted.exchange/Tenants/TenantA”

# 10. Create Offline Address Book

New-OfflineAddressBook -Name “TenantA” -AddressLists “TenantA – GAL”

# 11. Create Email Address Policy

New-EmailAddressPolicy -Name “TenantA – EAP” -RecipientContainer “hosted.exchange/Tenants/TenantA” -IncludedRecipients “AllRecipients” -ConditionalCustomAttribute1 “TenantA” -EnabledEmailAddressTemplates “SMTP:%m@tenanta.com”,”smtp:%g.%s@tenanta.com”

You may want to play around with the parameter: -EnabledPrimarySMTPAddressTemplate “SMTP:%g.%s@tenanta.com” that will set Firstname.Lastname@domain.tld for the default Email Address Policy (EAP)

# 12. Create Address Book Policy

New-AddressBookPolicy -Name “TenantA” -AddressLists “TenantA – All Users”, “TenantA – All Contacts”, “TenantA – All Groups” -GlobalAddressList “TenantA – GAL” -OfflineAddressBook “TenantA” -RoomList “TenantA – All Rooms”

 

# 13. Create a Room Mailbox (optional)

New-Mailbox -Name ‘Tenant A Conference Room 1’ -Alias ‘TenantA_ConfRoom1’ -OrganizationalUnit ‘hosted.exchange/Tenants/TenantA’ -UserPrincipalName ‘confroom1@tenanta.com’ -SamAccountName ‘TenantA_ConfRoom1’ -FirstName ‘Conference’ -Initials ” -LastName ‘Room 1’ -AddressBookPolicy ‘TenantA’ -Room
Set-Mailbox TenantA_ConfRoom1 -CustomAttribute1 ‘TenantA’

It is important that Tenant-wide Objects do have the CustomAttribute1 Set to the according Tenant.

Now that we have all the address books and policies configured we can start with the first user mailbox. The new user will have the same password as the account you enter after the first command. You can adjust the New-Mailbox command to your needs.

$c = Get-Credential

New-Mailbox -Name ‘Tenant User 1’ -Alias ‘TenantA_user1’ -OrganizationalUnit ‘hosted.exchange/Tenants/Tenant A’ -UserPrincipalName ‘User1@tenanta.com’ -SamAccountName ‘tenanta_user1’ -FirstName ‘Tenant’ -Initials ‘1’ -LastName ‘User’ -Password $c.password -ResetPasswordOnNextLogon $false -AddressBookPolicy ‘TenantA’

Set-Mailbox user1@tenanta.com -CustomAttribute1 “TenantA”

 

After you’re done, you want to close the Session to the EMS

Remove-PSSession $Session

You can now log on to owa with the user you just created and check the configuration. You will find all the Tenant related Address Lists. You can create another user for this Tenant and find him in your address book. They can share calendars and book conference rooms.

You can repeat the steps above to create another Tenant, with its own accepted domainname, address lists and policies.

to be continued

 

18 thoughts on “How to Setup Hosted Exchange 2013 (Multi-Tenancy)

  1. Chris

    I was testing out the commands in the article but ran into a snag from point # 6. Create All Rooms Address List…

    keep getting

    Cannot bind parameter ‘RecipientFilter’ to the target. Exception setting “RecipientFilter”: “Invalid filter syntax. For a description of the filter parameter syntax see the command help.
    “(CustomAttribute1 -eq `NameHosted’) -and (RecipientDisplayType -eq `ConferenceRoomMailbox’)” at position 24.”
    + CategoryInfo : WriteError: (:) [New-AddressList], ParameterBindingException
    + FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.Exchange.Management.SystemConfigurationTasks.NewAddress
    List
    + PSComputerName : server.namehosted.local

    I can’t work out what is going wrong…?

    Can anyone help?

    Thanks.

    Reply
  2. Steve Gordon

    OK all the address list creation examples run in to the same problem that Chris experienced in step 6
    Does anyone have any clue. Ive tried multiple variations in the code returning failures each time
    Thanks in advance

    Steve

    Reply
    1. Ronny Post author

      Hi Guys,

      sorry I wasn’t able to test this earlier. However, I’m using the exact same commands as on the page with no problem.
      Make sure you don’t take the wrong signs for “)’

      I’m pretty sure its about the syntax. Check out the screenshot below

      Commands

      Reply
  3. Waseem Salma

    Hello,
    the problem with the signs, when you make copy and paste. try this one or do not copy it and try to type it, its working

    New-AddressList -Name “TenantName – All Rooms” -RecipientFilter “(CustomAttribute1 -eq ‘TenantName’) -and (RecipientDisplayType -eq ‘ConferenceRoomMailbox’)” -RecipientContainer “scoutgate.local/Tenants/TenantName”

    Reply
  4. Christoph

    Hi,

    “The only supported way to manage objects that will be used on the platform is by using the built in tools and management interfaces provided by Exchange or Windows.

    For example, creation or management of mail-related objects can only use the built-in Exchange PowerShell cmdlets such as New-Mailbox and New-MailContact. ”

    As stated in the Multi Tenancy Guide – the first sentence says for me – it’s supported to create an organizational unit with the given management tools such as “Active Directory Users and Computers” or to use the Exchange Management Console / Exchange Control Panel (2013).

    I understand that creating objects by using ldifde or adsiedit to change values of attributes not possible to create with supported tools would be unsupported.
    (sounds a bit weird, but i think you get the idea)

    BG Christoph

    Reply
    1. Ronny Post author

      Hi Robert,

      yes there is. I will write another article about that once I’m done!
      But here a couple of useful resources:

      http://technet.microsoft.com/en-us/library/jj552408.aspx
      http://blogs.technet.com/b/exchange/archive/2012/11/08/public-folders-in-the-new-office.aspx
      http://windowsitpro.com/blog/exchange-2013-modern-public-folders
      http://social.technet.microsoft.com/Forums/exchange/en-US/e9062abe-f484-462b-bc5e-ebdcb0862760/public-folder-hierarchy-and-pf-mailboxes-for-hosted-setup
      http://technet.microsoft.com/en-us/library/aa996405(v=exchg.150).aspx
      http://technet.microsoft.com/en-us/library/jj150538(v=exchg.150).aspx
      http://technet.microsoft.com/en-us/library/jj552410(v=exchg.150).aspx

      One Important thing is to understand that Public Folders are now stored in Mailboxes and not in a dedicated Database and there can only be one Primary Hierarchy PF Mailbox

      Cheers
      Ronny

      Reply
  5. Kai

    Hi,
    I Tried it,too. Installation was easy.
    I logged on in the ECP Website with my Tenant User. Where can I create new Users for the Tentant?
    I can’t find…

    Regard,
    Kai

    Reply
    1. Ronny Post author

      Hi Kai,

      you’re not supposed to do this using the ecp.
      A new user should be created using the Exchange Management Shell as you did for your first Tenant User.

      For a productive environment you want to build yourself some tools and scripts to automate this tasks.

      Cheers

      Reply
  6. Kai

    Hi Ronny,
    is there a way to build an “Administrator” for “Tenant”. And this Administrator is able to create new Users for his OU? So that the Tenant can manage it’s OU itself?

    Regards

    Reply
  7. Caesar

    Hi! Thank you for your post.
    I am getting an error when creating the offline address book, it says the “TenantA – GAL” addresslist cannot be found. I can see it when I type get-globaladdresslist, I even copied and pasted it from the command to make sure. It seems like I can only create the OAB based off an AddressList, not a Global AddressList, does this make sense? Am I doing something wrong?

    Reply
  8. Liz

    Hello…!!

    I apply this tutorial to create my tenants and work perfectly, however when I log in the ecp as a TenantA user I noticed than he can see the TenantB user’s, what could I do to restrict the user…? I want to create an administrator like Kai… It’s that possible…??

    Please help…!!

    Reply
  9. Ben

    hi!
    I use this tutorial to setup my hosted exchange 2013 (Multi-Tenancy).
    All is ok for me. thanks to ronny for his work!
    I have just a problem to share calendar an contacts by Outlook. No problems with Owa.
    when i send the invite to a calendar or a contact folder share i have this error : Error preparing to send share.
    Any persons have this problem or solution?
    thanks

    Ben

    Reply
    1. Ronny Post author

      Hi Ben,

      I can confirm this. We haven’t gone productive yet and didn’t test that yet.
      I’m going to look into this. If you find a solution, let me know please

      Ronny

      Reply
  10. Stefan

    Hi,

    I was wondering if having multiple Domains in the same Forest would make things easier or harder.
    Let’s say from an Overall perspective when it’s not only about Exchange having Multi tenant.

    Regards
    Stefan

    Reply
  11. PloP

    Should the syntax in step 6 be changed to this?

    New-AddressList -Name “TenantA – All Rooms” -RecipientFilter {((CustomAttribute1 -eq “TenantA
    “) -and (RecipientDisplayType -eq “ConferenceRoomMailbox”))} -RecipientContainer “hosted.exchange/Tenants/TenantA”

    Otherwise i got the error: Cannot bind parameter ‘RecipientFilter’ to the target. Exception setting “RecipientFilter”: “Invalid filter syntax.

    Reply
  12. Florian

    Hi,

    I had a Problem with a binding Error when i copy & pasted the CMDlet and changed it in Notepad., while using the new-addresslist command.
    However when i typed it directly in the EWS it was executed correct.

    Seemed like the ‘ character was somehow wrong ´ instead of ‘

    Florian

    Great article btw ! Just setting up my Test Server with this.

    Reply
  13. Jacob

    One thing I would change is do not set the UPN Suffixes at the forest level. I would set them at the company’s OU level.

    I wrote the link you posted from ITSwapShop as a start to multi-tenant using address book policies (Before Microsoft released documentation) and there are some mistakes

    If you are going to do multi-tenancy you really be best off using a control panel. I wrote / continuing developing a control panel if you want to give it a try CloudPanel ).

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *