I started this blog series with an overview of Exchange 2010 SP1 Hosting in the post Exchange 2010 SP1 Hosting – Part 1 “Overview”, then described hosting in Exchange 2010 SP1 Hosting – Part 2 “Hosting Description”, and then covered setup in Exchange 2010 SP1 Hosting – Part 3 “Hosting Setup”. In this post I will cover the Exchange 2010 SP1 multi-tenant setup available in hosting and its features.
First I will start with some definitions:
Service Plan - specifies a list of organization features, a set of mailbox plans, organization-wide resource limits and the RBAC permissions delegated to the customer.
Service Plan template - based on requirements, these templates will specify the features and predefined permissions that need to be provisioned for the customer organization and their mailboxes.
Mailbox Plan - defines a set of Exchange features that need to be enabled on the mailbox. A mailbox plan is created by using a service plan template.
RBAC - Role-based access control – A permission model that defines and grants access to Exchange management tasks.
When the Hosting-Exchange 2010 CAS role is installed, it also installs an additional folder on the CAS server, “C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans”. In this folder you will find a file called “ServicePlanHostingRemap.csv”. This file and the .serviceplan files contain all available service plans and mailbox plans. When you open a .serviceplan file, you will find an XML file stating the appropriate features. The available Service Plan templates are the following:
Creating Service Plan:
1) Locate the available service plans in “C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans”.
2) Determine which service plan template meets your needs and open the template using Notepad.
3) Save the service plan template with a new name in the same service plan location.
4) If you are going to create multiple Mailbox Plans, copy the mailbox plan section starting with MailboxPlanName and ending with MailboxPlan and paste it after the MailboxPlan end section. Make sure that the mailbox plan is within the MailboxPlans section. You will need to change the following properties for the new mailbox plan:
MailboxPlanName This property specifies the name of the mailbox plan, for example Gold, Silver, Bronze.
MailboxPlanIndex This property must be unique for each mailbox plan.
ProvisionAsDefault This property specifies that this mailbox plan is the default mailbox plan. When new users are created and you do not specify a mailbox plan at that time the default mailbox plan will be applied to the mailbox. You can only have one default mailbox plan.
5) Save the new service plan.
6) Add the service plan to the service plan map, using the following procedure.
Add a Service Plan:
1) Locate the “ServicePlanHostingRemap.csv” file in “C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans”.
2) Open the CSV file using Notepad.
3) Add a new line and provide the following comma separated information for the new service plan:
4) Save and close the file.
5) Ensure that you have copied the service plan and the ServicePlanHostingRemap.csv file to all CAS servers.
Verify Service Plan:
After creating a new service plan, you can validate it by assigning it to a new organization with the WhatIf parameter, running the following command in Exchange PowerShell:
New-Organization -Name "Contoso.com" -DomainName "Contoso.com" -Location "en-us" -ProgramId "Business" -OfferId "SmallOrg" -WhatIf
You should use the same ProgramId and OfferId that you used while adding the service plan in the “ServicePlanHostingRemap.csv” file.
Create New Tenant Organization:
Now we are ready to create a new Tenant Organization using the New-Organization command. The syntax is as follows:
New-Organization -Name <String> -DomainName <SmtpDomain> -Location <String> -OfferId <String> -ProgramId <String> [-Administrator <WindowsLiveId>] [-AdministratorNetID <NetID>] [-AdministratorPassword <SecureString>] [-AuthenticationType <Managed | Federated>] [-Confirm [<SwitchParameter>]] [-CreateSharedConfiguration <SwitchParameter>] [-EnableFileLogging <SwitchParameter>] [-ExternalDirectoryOrganizationId <Guid>] [-HotmailMigration <SwitchParameter>] [-IsDatacenter <SwitchParameter>] [-IsDirSyncRunning <$true | $false>] [-IsPartnerHosted <SwitchParameter>] [-LiveIdInstanceType <Consumer | Business>] [-PartnerObjectId <Guid>] [-WhatIf [<SwitchParameter>]]
As an example, to create a new organization, run the following PowerShell command from the CAS server:
New-Organization -Name ProvTest -DomainName Provetest.com -Location en-US -ProgramID HostingSample -OfferID 5 -AdministratorPassword (get-credential).password
You will be prompted for a user name and password, because this will create the admin user for the newly created organization.
In the above example the “ServicePlanHostingRemap” CSV file should include a line for ProvTest with its ProgramId “HostingSample” and OfferID “5”, like below:
Once the new Organization is created, you can verify the OU creation in AD for the new Tenant Organization under Microsoft Exchange Hosted Organization, as in the following diagram:
Under the new Tenant Organization there will be the Organization Administrator, RBAC Management Roles, Default Mailbox Plan, and System Mailboxes required for this organization, as in the following diagram:
You can also find the created accepted domain, the built-in Exchange Roles and Role Assignments, and the following security groups created under the Tenant Organization OU under “Hosted Organization Security Groups”:
It also automatically adds the tenant’s administrator to the appropriate groups:
The Administrator user is automatically mailbox-enabled, and the following objects are created under the Domain Naming Context:
It also automatically creates the tenant’s Organization Configuration Container:
To get all information about a tenant organization you can use the “Get-Organization” command, with the syntax below:
Get-Organization [-Identity <OrganizationIdParameter>] [-DomainController <Fqdn>] [-Filter <String>] [-ForReconciliation <SwitchParameter>] [-ResultSize <Unlimited>]
Finally, to remove a Tenant Organization, you can use Remove-Organization with the following command:
Remove-Organization -Identity Contoso
In the coming post, I will go into some more provisioning tasks related to managing Tenant Mailboxes.
What I want to mention finally in this post is that it is very important to know that all these manual tasks should be automated for any enterprise using any of the available 3rd party control panels. In our region, the Middle East and Africa, we as Microsoft Services provisioned a new MCS Control Panel that we are currently using as a supporting panel in our Microsoft Services Exchange 2010 SP1 Hosting project in MEA. If anyone is already working with a Microsoft Services Hosting Project and is interested in the control panel, just let me know so I can direct him to the proper contact.
Very interesting article, but I think something is missing, I think I need to explain how you manage multiple domains with their certificates
In a hosted environment we usually use a single certificate for a general name like Hosted.com, and all organization users with different domains use the same name in the general certificate.
Hi, I found your article on Exchange multi-tenancy VERY informative. It made me understand what multi-tenancy is for and how to implement it. I have followed it to the T and now have a multi-tenant Exchange platform running in the lab. I work for a hosted services provider and have been tasked to develop a hosted Exchange solution for our Partners/Customers. At the end of the article you mentioned that we could contact you if we were interested in trying out the control panel you guys have developed for managing organizations, tenant mailboxes etc. I for one would be very interested in checking it out. We plan to develop our own portal at some point but some pointers would be great as it's hard to tell where to start. If I could see what your control panel looks like and can do, it'd be a great bonus. Any chance you could get me in contact with the relevant party in order to get access to it? Thanks for your help. Looking forward to hearing from you.
Regarding the Exchange 2010 SP1 in Hosting Mode MEA MCS Control Panel, as I mentioned in the blog post, we use this Control Panel in MCS engagements only (in the MEA region), so if you plan to engage MCS in your Hosting Project then you can ask MCS in your country to utilize the MCS MEA Control Panel, which is free and costs only the man days to tune and implement it within the MCS engagement.
What I want to mention also is that if you still have not moved to Exchange 2010 SP1 in Hosting Mode, then it is better to wait for Exchange 2010 SP2 Enterprise, which will support a new feature called Address Book Policies. This feature will allow GAL segmentation that can be used for multi-tenancy while still using most of the Exchange 2010 features that are limited if you use Exchange 2010 SP1 in Hosting Mode.
and as a reference read these posts:
Thanks a lot for the information. Much appreciated.
I think we will definitely wait and try out SP2 before rolling this out into production. Sounds promising.
Yes, if there is no time restriction then waiting for SP2 is the best choice.