Exchange 2010 SP1 Hosting – Part 4 “Multi-tenant Setup”

I started this blog series with an overview of Exchange 2010 SP1 Hosting in Exchange 2010 SP1 Hosting – Part 1 “Overview”, then went through the hosting description in Exchange 2010 SP1 Hosting – Part 2 “Hosting Description”, and then through the setup in Exchange 2010 SP1 Hosting – Part 3 “Hosting Setup”. In this post I will cover the Exchange 2010 SP1 multi-tenant setup available in hosting and its features.

First I will start with some definitions:

Service Plan – specifies a list of organization features, a set of mailbox plans, organization-wide resource limits and the RBAC permissions delegated to the customer.

Service Plan template – based on requirements, these templates will specify the features and predefined permissions that need to be provisioned for the customer organization and their mailboxes.

Mailbox Plan – defines a set of Exchange features that need to be enabled on the mailbox. A mailbox plan is created by using a service plan template.

RBAC – Role-Based Access Control – a permission model that defines and grants access to Exchange management tasks.

When the Hosting Exchange 2010 CAS role is installed, it also installs an additional folder on the CAS server: “C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans”. In this folder you will find a file called “ServicePlanHostingRemap.csv”; this file and the .serviceplan files contain all available service plans and mailbox plans. When you open a .serviceplan file, you will find an XML file stating the appropriate features. The available service plan templates are as follows:

  • “HostingAllfeatures.serviceplan” This template contains all Exchange features available to tenant organization.
  • “HostingBusinessMapi.serviceplan” This template can be used for provisioning business organizations that use MAPI and other protocols for client access.
  • “HostingBusinessNonMapi.serviceplan” This template can be used for provisioning business organizations that use OWA, POP, IMAP, or Exchange ActiveSync for client access, without MAPI.

Creating Service Plan:

1) Locate the available service plans in “C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans”.

2) Determine which service plan template meets your needs and open the template using Notepad.

3) Save the service plan template with a new name in the same service plan location.

4) If you are going to create multiple Mailbox Plans, copy the mailbox plan section starting with MailboxPlanName and ending with MailboxPlan and paste it after the MailboxPlan end section. Make sure that the mailbox plan is within the MailboxPlans section. You will need to change the following properties for the new mailbox plan:

MailboxPlanName This property specifies the name of the mailbox plan, for example Gold, Silver, Bronze.

MailboxPlanIndex This property must be unique for each mailbox plan.

ProvisionAsDefault This property specifies that this mailbox plan is the default mailbox plan. When new users are created and you do not specify a mailbox plan at that time, the default mailbox plan is applied to the mailbox. You can only have one default mailbox plan.

5) Save the new service plan.

6) Add the service plan to the service plan map, using the following procedure.

Add a Service Plan:

1) Locate “ServicePlanHostingRemap.csv” in “C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans”.

2) Open the CSV file using Notepad.

3) Add a new line and provide the following comma separated information for the new service plan:

  • ProgramId – The ProgramID specifies the service level offering that you are providing to your tenant organizations.
  • OfferId – The OfferID specifies a sub-service level offering.
  • ServicePlanName  – The service plan name specifies the file name of the service plan.

4) Save and close the file.

5) Ensure that you have copied the service plan and the ServicePlanHostingRemap.csv file to all CAS servers.
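Both procedures above are hand edits to files that every CAS server must agree on, so a pre-flight check before running New-Organization is worthwhile. The PowerShell below is an added example, not code from the original post or from Microsoft. It assumes the remap CSV holds ProgramId, OfferId and ServicePlanName on each line and that each mailbox plan is a MailboxPlan element carrying MailboxPlanIndex and ProvisionAsDefault attributes; the function names are hypothetical.

```powershell
# Added example (not from the original post). Assumed layout: the remap CSV holds
# ProgramId,OfferId,ServicePlanName per line; each mailbox plan is a <MailboxPlan>
# element with MailboxPlanIndex and ProvisionAsDefault attributes.
function Test-ServicePlanFolder {
    param([Parameter(Mandatory = $true)][string]$Path)
    $problems = @()
    $map  = Join-Path $Path 'ServicePlanHostingRemap.csv'
    $rows = @(Get-Content $map | Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Header ProgramId, OfferId, ServicePlanName |
        Where-Object { $_.ProgramId -ne 'ProgramId' })   # skip a header row if present

    # Each ProgramId/OfferId pair must map to exactly one service plan.
    $dupes = @($rows | Group-Object { '{0}/{1}' -f $_.ProgramId, $_.OfferId } |
        Where-Object { $_.Count -gt 1 })
    foreach ($d in $dupes) { $problems += "Duplicate ProgramId/OfferId: $($d.Name)" }

    foreach ($row in $rows) {
        $file = [string]$row.ServicePlanName
        if ($file -notlike '*.serviceplan') { $file += '.serviceplan' }
        $full = Join-Path $Path $file
        if (-not (Test-Path $full)) { $problems += "Missing file: $file"; continue }
        try { $xml = [xml](Get-Content $full) }
        catch { $problems += "Not well-formed XML: $file"; continue }

        $plans = @($xml.SelectNodes("//*[local-name()='MailboxPlan']"))
        $dupIndex = @($plans | Group-Object { $_.GetAttribute('MailboxPlanIndex') } |
            Where-Object { $_.Count -gt 1 })
        if ($dupIndex.Count -gt 0) { $problems += "Duplicate MailboxPlanIndex in $file" }
        $defaults = @($plans | Where-Object { $_.GetAttribute('ProvisionAsDefault') -eq 'true' })
        if ($plans.Count -gt 0 -and $defaults.Count -ne 1) {
            $problems += "$file has $($defaults.Count) default mailbox plans, expected 1"
        }
    }
    $problems
}

# SHA-256 of every file in the folder, for comparing one CAS server with another.
function Get-ServicePlanHash {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem $Path | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        "{0}  {1}" -f [BitConverter]::ToString($sha.ComputeHash($bytes)), $_.Name
    }
}
```

Run Test-ServicePlanFolder against the ServicePlans folder on each CAS server; an empty result means no problems were found. Differences in the Get-ServicePlanHash output between servers mean the copy in step 5 is incomplete.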

Verify Service Plan:

After creating a new service plan, you can validate it by assigning it to a new organization with the WhatIf parameter, running the following command in Exchange PowerShell:

New-Organization -Name "Contoso.com" -DomainName "Contoso.com" -Location "en-us" -ProgramId "Business" -OfferId "SmallOrg" -WhatIf

You should use the same ProgramId and OfferId that you used while adding the service plan in the “ServicePlanHostingRemap.csv” file.

Create New Tenant Organization:

Now we are ready to create a new tenant organization using the New-Organization command. The syntax is as follows:

New-Organization -Name <String> -DomainName <SmtpDomain> -Location <String> -OfferId <String> -ProgramId <String> [-Administrator <WindowsLiveId>] [-AdministratorNetID <NetID>] [-AdministratorPassword <SecureString>] [-AuthenticationType <Managed | Federated>] [-Confirm [<SwitchParameter>]] [-CreateSharedConfiguration <SwitchParameter>] [-EnableFileLogging <SwitchParameter>] [-ExternalDirectoryOrganizationId <Guid>] [-HotmailMigration <SwitchParameter>] [-IsDatacenter <SwitchParameter>] [-IsDirSyncRunning <$true | $false>] [-IsPartnerHosted <SwitchParameter>] [-LiveIdInstanceType <Consumer | Business>] [-PartnerObjectId <Guid>] [-WhatIf [<SwitchParameter>]]

As an example, to create a new organization, run the following PowerShell command from the CAS server:

New-Organization -Name ProvTest -DomainName Provetest.com -Location en-US -ProgramID HostingSample -OfferID 5 -AdministratorPassword (get-credential).password


You will be prompted for a user name and password, because this will create the admin user for the newly created organization.

In the above example, the “ServicePlanHostingRemap” CSV file should include a line for ProvTest and its ProgramId “HostingSample” and OfferId “5”, like below:


Once the new organization is created, you can verify the OU creation in AD for the new tenant organization under Microsoft Exchange Hosted Organization, as in the following diagram:


Under the new tenant organization there will be the Organization Administrator, the RBAC management roles, the default mailbox plan, and the system mailboxes required for this organization, as in the following diagram:


You can also find the created accepted domain, the built-in Exchange roles and role assignments, and the following security groups, which are created under the tenant organization OU under “Hosted Organization Security Groups”:


It also automatically adds the tenant’s administrator to the appropriate groups.


The Administrator user is automatically mailbox-enabled, and the following objects are created under the Domain Naming Context:


It also automatically creates the tenant’s Organization Configuration container.


To get all information about a tenant organization, you can use the “Get-Organization” command. The syntax is as follows:

Get-Organization [-Identity <OrganizationIdParameter>] [-DomainController <Fqdn>] [-Filter <String>] [-ForReconciliation <SwitchParameter>] [-ResultSize <Unlimited>]

Finally, to remove a tenant organization, you can use Remove-Organization with the following command:

Remove-Organization -Identity Contoso

In the coming post, I will go into some more provisioning tasks related to managing tenant mailboxes.

What I want to mention finally in this post is that it is very important to know that all these manual tasks should be automated for any enterprise, using any of the available third-party control panels. In our region, the Middle East and Africa, we as Microsoft Services provisioned a new MCS Control Panel that we are currently using as a supporting panel in our Microsoft Services Exchange 2010 SP1 Hosting project in MEA. If anyone is already working with a Microsoft Services Hosting project and is interested in the control panel, just let me know so I can direct them to the proper contact.
