Exchange 2013 – Multi Tenancy setup (Part 1)

Note: Please be aware that this page is still a “draft”. I published it early due to public demand.

The draft status only means the explanations and descriptions are brief, but I hope you find it useful.

In this Post

Here we start preparing our Exchange 2013 server environment to work as a multi-tenancy setup, meaning we can host multiple firms or groups of people, each with their own address lists etc.

During this series, we will set up our environment to accommodate a new tenant named Tenant00001 with the mail domain domain.new, create an Address Book Policy and enable the Address Book Policy routing agent (not described in this Part 1) on our Exchange 2013 server.

The Tenants and users will be filtered by using the CustomAttribute1 and using Address Book Policies.

In this post we will keep it simple and use just one custom attribute and one Address Book Policy per tenant. It is possible to use multiple custom attributes combined with AND when configuring policies. You can also use multiple policies to generate different views of the same organization: say one for Development, one for Research and so on, and one for Accounting that encompasses all of them.

How, why and what is an Address Book Policy?

By default there is one Global Address List (GAL), which contains ALL mail users (and most mail-enabled objects) in your organization.

You can make separate “groups” of people by using Address Book Policies.
Each policy will, as a bare minimum, need 1 GAL, 1 Address List, 1 Room List and 1 OAB.
We are going to filter these by using custom attribute(s). You can also filter by OU and other parameters, or by a combination of these.

If you create a new policy and assign it to 10 people, these people can only see the people in the GAL defined by the policy.

All other people in the organization can still see the above-mentioned 10 people, because those people are still in the default GAL.

Best option is not to hide the 10 people, but to create a new policy for the rest instead.
Or more likely: several policies.

You can make nested address books as normal.

Contents on this page:

  1. Create AD structure and UPN suffix
  2. Setting up Exchange server for new Tenant
    • Add a new domain for the new Tenant
    • Global Address List (GAL) for Tenant00001
    • All Rooms Address List
    • All Users Address List
    • All Contacts Address List
    • All Groups Address List
    • Offline Address Book
  3. Email Address Policy
  4. Address Book Policy
  5. Resource management by creating a Room Mailbox
  6. Creating a new user for our Tenant00001

1) Creating AD structure and UPN suffix.

We need a container to hold all of our tenant data, created at the root of Active Directory.

On your A/D server, via PowerShell:

New-ADOrganizationalUnit -Name Customers

Next, create an Organizational Unit (OU) per tenant inside that container. I am using the word Tenant followed by a 5-digit sequence number in my examples; specifically I am going to use Tenant00001.
Note: In the examples you will need to replace domain.dmz with the local AD domain of your mail server.

On your A/D server, via PowerShell:

New-ADOrganizationalUnit -Name Tenant00001 -Path "OU=Customers,DC=domain,DC=dmz"

Now we need to add a User Principal Name (UPN) suffix for later use. In this example our customer's mail domain is domain.new.

Set-ADForest -Identity domain.dmz -UPNSuffixes @{add="domain.new"}

If you are working remotely against the Exchange server, you now need to open a connection to the Exchange Management Shell (EMS), as the rest of the configuration is done in Exchange directly instead of in A/D.

2) Setting up Exchange server for new Tenant.

Add a new domain for the new tenant.

New-AcceptedDomain -Name "Tenant00001" -DomainName domain.new -DomainType:Authoritative

Global Address List (GAL) for Tenant00001

New-GlobalAddressList -Name "Tenant00001 – GAL" -ConditionalCustomAttribute1 "Tenant00001" -IncludedRecipients MailboxUsers -RecipientContainer "domain.dmz/Customers/Tenant00001"

All Rooms Address List

New-AddressList -Name "Tenant00001 – All Rooms" -RecipientFilter "(CustomAttribute1 -eq 'Tenant00001') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')" -RecipientContainer "domain.dmz/Customers/Tenant00001"

All Users Address List

New-AddressList -Name "Tenant00001 – All Users" -RecipientFilter "(CustomAttribute1 -eq 'Tenant00001') -and (ObjectClass -eq 'User')" -RecipientContainer "domain.dmz/Customers/Tenant00001"

All Contacts Address List

New-AddressList -Name "Tenant00001 – All Contacts" -RecipientFilter "(CustomAttribute1 -eq 'Tenant00001') -and (ObjectClass -eq 'Contact')" -RecipientContainer "domain.dmz/Customers/Tenant00001"

All Groups Address List

New-AddressList -Name "Tenant00001 – All Groups" -RecipientFilter "(CustomAttribute1 -eq 'Tenant00001') -and (ObjectClass -eq 'Group')" -RecipientContainer "domain.dmz/Customers/Tenant00001"

Offline Address Book

New-OfflineAddressBook -Name "Tenant00001" -AddressLists "Tenant00001 – GAL"

3) Email Address Policy

You’ll also need to create an Email Address Policy. This example also adds a secondary (alias) address, and you can set the primary email address to the firstname.lastname@domain.new form by using the -EnabledPrimarySMTPAddressTemplate "SMTP:%g.%s@domain.new" parameter (%g is the given name, %s the surname).
Note: strictly speaking, you don’t need to create an email address policy.

# Template variables: %g = given name, %s = surname, %m = alias. The second template's variable was lost from the original page; %m is assumed here.
New-EmailAddressPolicy -Name "Tenant00001 – EAP" -RecipientContainer "domain.dmz/Customers/Tenant00001" -IncludedRecipients "AllRecipients" -ConditionalCustomAttribute1 "Tenant00001" -EnabledEmailAddressTemplates "SMTP:%g.%s@domain.new","smtp:%m@domain.new" -EnabledPrimarySMTPAddressTemplate "SMTP:%g.%s@domain.new"
# Only needed if the policy was created without the primary template above, or if you want to change it afterwards.
Set-EmailAddressPolicy -Identity "Tenant00001 – EAP" -EnabledPrimarySMTPAddressTemplate "SMTP:%g.%s@domain.new"

4) Address Book Policy

The Address Book Policy is what ties everything together. Here we create a policy containing all the different address lists and the OAB we created in Step 2. This Address Book Policy can then be assigned to individual users.

New-AddressBookPolicy -Name "Tenant00001" -AddressLists "Tenant00001 – All Users", "Tenant00001 – All Contacts", "Tenant00001 – All Groups" -GlobalAddressList "Tenant00001 – GAL" -OfflineAddressBook "Tenant00001" -RoomList "Tenant00001 – All Rooms"

5) Resource management by creating a Room Mailbox.

This step is not needed, but you might need it for your setup.

Here we create a new Room Mailbox for resources. Note how the Address Book Policy is assigned to the new mailbox using the -AddressBookPolicy parameter.

# The OU lives in the AD domain (domain.dmz), not in the mail domain. The UPN local part is assumed to match the alias; the original page's value was lost.
New-Mailbox -Name 'Tenant00001 Conference Room 1' -Alias 'Tenant00001_conf1' -OrganizationalUnit 'domain.dmz/Customers/Tenant00001' -UserPrincipalName 'Tenant00001_conf1@domain.new' -SamAccountName 'Tenant00001_conf1' -FirstName 'Conference' -LastName 'Room 1' -AddressBookPolicy 'Tenant00001' -Room

It is vital that we set a Custom Attribute for the mailbox, or it will not be included by the Address Book Policy we just created.

Set-Mailbox Tenant00001_conf1 -CustomAttribute1 'Tenant00001'

Here we set up how booking requests for our resources are processed.

Set-CalendarProcessing -Identity Tenant00001_conf1 -AutomateProcessing AutoAccept -DeleteComments $true -AddOrganizerToSubject $true -AllowConflicts $false

6) Creating a new user for our Tenant00001

When creating the new user with a mailbox, we specify the location in AD and assign the Address Book Policy we created.

The password is entered in the popup that appears when running the first line, $c = Get-Credential.

In the ‘username’ field you can type anything you want, as it is only the password part of the credential that we use for the mailbox being created.

$c = Get-Credential
# The UPN local part is assumed to match the alias; the original page's value was lost.
New-Mailbox -Name 'Morten Nielsen' -Alias 'tenant00001_morten' -OrganizationalUnit 'domain.dmz/Customers/Tenant00001' -UserPrincipalName 'tenant00001_morten@domain.new' -SamAccountName 'tenant00001_morten' -FirstName 'Morten' -LastName 'Nielsen' -Password $c.password -ResetPasswordOnNextLogon $false -AddressBookPolicy 'Tenant00001'

As with the room mailbox, we also need to set the custom attribute that ties the user to the tenant. This cannot be done in the same step as creating the mailbox.

# The alias is used as the identity here, which is valid for Set-Mailbox.
Set-Mailbox tenant00001_morten -CustomAttribute1 "Tenant00001"
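Because a mailbox that is missing either the custom attribute or the policy silently ends up in the wrong view (not in its tenant's lists, or able to browse the default all-tenant GAL), it is worth checking the whole tenant container after provisioning. The following audit function is an added example and not part of the original post; it assumes the naming used above (OU domain.dmz/Customers/<TenantId>, CustomAttribute1 = <TenantId>, an Address Book Policy named <TenantId>) and is run in the EMS.

```powershell
# Added example: audit one tenant's container for objects that would leak across
# tenant address books. Assumes this page's naming conventions (see lead-in).
function Test-TenantAddressBookIsolation {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [string]$AdDomain = 'domain.dmz'   # AD domain that holds the Customers OU
    )
    $ou = "$AdDomain/Customers/$TenantId"
    $findings = @()

    # 1) Every recipient in the tenant OU must carry CustomAttribute1 = TenantId,
    #    otherwise it is excluded from the tenant GAL and lists and only shows
    #    up in the default (all-tenant) GAL.
    foreach ($r in Get-Recipient -OrganizationalUnit $ou -ResultSize Unlimited) {
        if ($r.CustomAttribute1 -ne $TenantId) {
            $findings += [pscustomobject]@{
                Object = $r.Identity; Type = $r.RecipientType
                Issue  = "CustomAttribute1 is '$($r.CustomAttribute1)', expected '$TenantId'"
            }
        }
    }

    # 2) Every mailbox in the tenant OU must have the tenant ABP assigned, or its
    #    user browses the default GAL and sees every other tenant.
    foreach ($m in Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited) {
        if ($null -eq $m.AddressBookPolicy -or $m.AddressBookPolicy.Name -ne $TenantId) {
            $findings += [pscustomobject]@{
                Object = $m.Identity; Type = $m.RecipientTypeDetails
                Issue  = "AddressBookPolicy is '$($m.AddressBookPolicy)', expected '$TenantId'"
            }
        }
    }

    # 3) Objects tagged for this tenant but stored outside its OU fall outside the
    #    -RecipientContainer scope of the lists created above: invisible to the
    #    tenant, yet still listed in the default GAL.
    $tagged = Get-Recipient -Filter "CustomAttribute1 -eq '$TenantId'" -ResultSize Unlimited
    foreach ($r in $tagged) {
        if ($r.OrganizationalUnit -ne $ou) {
            $findings += [pscustomobject]@{
                Object = $r.Identity; Type = $r.RecipientType
                Issue  = "tagged '$TenantId' but located in '$($r.OrganizationalUnit)'"
            }
        }
    }
    return $findings
}

# Usage: list the problems for the tenant set up in this post (empty output = clean).
Test-TenantAddressBookIsolation -TenantId 'Tenant00001' | Format-Table -AutoSize
```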
