Automating Multi-Tenancy in Exchange Server 2010 SP2 (Part 1)

by [Published on 10 Sept. 2013 / Last Updated on 21 Nov. 2013]

In this article series the author explains how to automate the tenant creation process in an Exchange Server 2010 Service Pack 2 organization using System Center Orchestrator.

If you would like to read the other parts in this article series please go to:

Introduction

I have been planning to write about this process using System Center Orchestrator for a while now; however I had a tough time finding a good scenario relevant to this topic. I could’ve come here and given you tons of examples fo how to automate certain tasks but I think it is more important to understand this concept using a good scenario with goals, and from there we then develop the requirements for automation.

This article was created to show how a message administrator can take advantage of Orchestrator. Even if you do not want to automate tenants using Exchange you can use this article series to understand the process and come up with tons of ideas of how you can use the automation benefits to save you time.

From the top of my head, I can foresee areas for automation within an IT department where an administrator sits back and just waits for the results to arrive in a mailbox or any other output set to receive the information. Here are a couple of examples:

  • Generate reports of your Active Directory (Enabled accounts, disabled accounts, etc.) to support your SOX department
  • Document all switches of your network on a monthly basis and save the configurations
  • Run a series of tasks when a user is removed from the network (disable the user in AD, remove home folders, create a backup of everything even PSTs)
  • Add all your servers from any given location to the maintenance mode in your System Center Operations Manager based on your company windows update schedule
  • Generate reports of mailbox usage, exchange configuration, etc.
  • Create a way to monitor the activity of Domain Admins and get notified when a user is added/removed through e-mail (pretty cool, eh?)

Well, all points above are really cool, right? I am sure that I am going to repeat the same sentence during the series but you can only have a successful automation task when you have a procedure in place. If you do not have a procedure or a procedure is not well defined, then my friend you are going to have a hard time to automate things.

Managing multiple customers in a single Exchange organization

In Exchange Server 2010 SP1, Microsoft introduced the /hosting that required a special forest to support multi-tenants. However after Service Pack 2 the Team introduced the Address Book Policies feature which supports any regular organization to deploy GAL (Global Address List) segregation. This feature can be used to separate different teams in the same company or it can be used for multi-tenancy purposes as well.

If you want more information about the future of multi-tenancy in Exchange Server, I would recommend the following article as a primer.

Another good reason to use the Address Book Feature is due to its continuation in the new version of Exchange (Exchange Server 2013) which means that this article applies to the new version of Exchange as well. We may have to change a couple of cmdlets switches but the idea is the same.

By the time we are done with automation, the process to manage a new tenant will be so easy that you can delegate such tasks to a secretary of your office because it’s going to be a matter of typing in two fields and that’s it.

Planning your Exchange Organization to support multiple tenants…

If you are seriously considering offering mail services to your customers I would like to point out a couple of important things that you need to address during your design and/or planning phase, as follows:

  • Reserve at least 2 (two) servers to be Domain Controllers
  • Exchange and Active Directory together is not a good idea
  • High Availability is key, I would recommend at least 4 Exchange Servers (2 for a CAS/HUB and 2 for Mailbox); The Mailbox Server should be using a DAG
  • Depending on your number of customers you may need more servers but 4 seems a reasonable number to start with, especially if you are starting from scratch
  • Make sure that you size your Disk, Memory and CPU of your Exchange Servers. The Storage Calculator is the tool to start the sizing.
  • I would also recommend a load balancer (bear in mind that Exchange Server 2013 requires less Load Balancer complexity and you should keep that in mind when buying a new one even for Exchange Server 2010)
  • If using a Virtualization solution, make sure that servers with the same role stay on separated hosts (for example one DC on each host, the same applies to CAS/HUB and Mailbox)
  • Mail flow: you want high availability in this area as well, right? I would recommend having FOPE (There is an article series that I wrote here for MSexchange.org that probably was published before this series) to filter all incoming messages of your tenants and it can also act as a relay server for all outbound communications from multi-tenant organization.
  • Plan your backup well based on the SLA that you are going to agree with your customers
  • Antivirus: if you go for FOPE you have the mail flow AV covered and it’s up to you to install a AV client on the Exchange Server
  • Use Public Certificates to your servers to avoid certificate error messages
  • Use Autodiscover with Redirection and create a CNAME on each Public DNS of your new tenants
  • In order to make it easier for your customer, you can take control of his DNS as well. You can charge more and it will be easier to manage MX and Autodiscover
  • Read the Scale Guidance for Exchange Server 2010 SP2
  • Keep it simple and avoid SPOF (Single Point of Failure) in your solution

Technical details

In order to create a multi-tenant environment we need to change a few things from a regular exchange organization, as follows:

  • For each new Tenant we will have an Organization Unit with its domain name in our Active Directory
  • For each new Tenant we will have a UPN created for its domain and that will be key to match the authentication process with the e-mail address
  • A series of Address List to support a new tenant will be created as part of the process
  • New mail-enabled objects must be created in their respective Organization Units

One thing that you want to avoid is to manage or allow customers to reach the Exchange Control Panel and we can disable that creating a DWORD entry named OMECPDisabled in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14 (Figure 01) and you need to repeat this procedure on each Client Access Server of your organization where the tenant connects from the outside. After performing such change it is recommended to restart the affected server.

Image
Figure 01

Since we are going to support multiple tenants we don’t want them to log on using DOMAIN\Name format in Outlook Web Access, right? For that reason we are going to configure a UPN for each new domain to make sure that we match the authentication and SMTP for our new tenants.

In order to allow them to authenticate by typing in their e-mail address we need to configure our OWA to use User principal name (UPN) on the Authentication tab of the OWA properties, as shown in Figure 02.

Image
Figure 02

Conclusion

In this first article we went over the multi-tenancy feature of Exchange Server 2010 Service Pack 2 and a couple of items that we need to validate before moving forward with this process.

In the following articles we will start the manual process to create a new tenant, and then we will document the entire process. After that we start the automation part of the series where we are going to install System Center Orchestrator and start the automation process based on our initial articles of this series.

If you would like to read the other parts in this article series please go to:

Advertisement

Featured Links