Complete guide to configure multitenant hosting for Exchange 2007 with ISA 2006 (Part 2)

Published date Tue, 2009-01-13 22:49

After completing the configuration in Part 1, your environment is ready to proceed with the multi-tenant configuration.

At this point, accounts created in either OU can still see each other; that is expected for now.

You should create at least 2 users and groups for each company and check that the Email Address Policy, Address List, and Global Address List are configured correctly.

If everything is fine, let's proceed with the multi-tenant configuration.

1. Make the hidden attribute visible

Because of the unique configuration and the special security requirement, we need to enable a hidden directory permission called "List Object". This lets the Exchange administrator control which address lists, users or groups a particular user or group is allowed to see.

To do that, you need to modify the "dSHeuristics" property using ADSIEdit.msc. It can be found under "CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=yourdomain, DC=local". Right click on it and go to "Properties".

[Screenshot: 21.JPG]

[Screenshot: 22.JPG]

Change the value to "001".

[Screenshot: 21c.jpg]

Now the "List Object" permission entry is visible in the security dialog.
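The same change can be scripted from the Exchange Management Shell instead of ADSIEdit. The following is an added example and not part of the original article; it assumes you run it as an Enterprise Admin (dSHeuristics lives in the Configuration partition). It reads the current value first and only sets the third character, which is the List Object flag, so any other heuristic flag already present in your forest is preserved; the article's value "001" is the common case where nothing else was set.

```powershell
# Added example (not from the article): enable List Object mode by setting the
# third character of dSHeuristics to "1" while preserving any other flags.
# Assumption: run as Enterprise Admin from the Exchange Management Shell.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$dsObject = [ADSI]("LDAP://CN=Directory Service,CN=Windows NT,CN=Services," + $configNc)

# Read the current value; an attribute that was never set comes back as $null.
$current = [string]$dsObject.Properties["dSHeuristics"].Value
if ($current -eq $null) { $current = "" }

# Pad to at least three characters so position 3 exists, then set it to "1".
$chars = $current.PadRight(3, "0").ToCharArray()
$chars[2] = "1"
$newValue = [string]::Join("", $chars)

if ($newValue -ne $current) {
    $dsObject.Put("dSHeuristics", $newValue)
    $dsObject.SetInfo()
}

# Verify by re-binding and reading the attribute back.
$check = [string]([ADSI]$dsObject.Path).Properties["dSHeuristics"].Value
"dSHeuristics is now '{0}' (List Object enabled: {1})" -f $check, ($check[2] -eq "1")
```

After this runs, reopen the Security tab of any container in ADSIEdit and the "List Object" entry appears under the advanced permissions, exactly as in the screenshot above.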

2. Break permission inheritance and reassign permissions

Now you are ready to break the inheritance of several containers. This step is the most important step in the whole configuration. However, if at any point you accidentally misconfigure the permissions, you can always inherit the permissions back from the parent container. I have personally done that several times before getting the P.O.C. setup working. :-)

Follow the screen capture shown below.

There are 3 main containers on which you have to break the inheritance first. They are "All Address Lists", "All Global Address Lists" and "Offline Address Lists".

You can find them using ADSIEdit by selecting the Configuration partition.

CN=Address Lists Container, CN=<your Organization>, CN=Microsoft Exchange, CN=Services, CN=Configuration

[Screenshot: 23.JPG]

[Screenshot: 24.JPG]

[Screenshot: 25.JPG]

Uncheck "Include inheritable permissions from this object's parent". You will receive the following warning prompts; just click on the button circled.

[Screenshot: 26.JPG]

[Screenshot: 27.JPG]

[Screenshot: 28.JPG]

You should now be back at the Security tab of the container. Simply remove the following 3 entries:

Anonymous Logon, Everyone and Authenticated Users

Click on "OK" to exit.

Open the Exchange Management Shell and perform the following actions. The "-User" parameter accepts both user objects and group objects.

$container="CN=All Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"

Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject

$container="CN=All Global Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"

Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject

$container="CN=Offline Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"

Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject

You also have to break the permission inheritance for each individual customer's Address List, Global Address List and Offline Address List.

Once that is done, remember to remove the "Authenticated Users" entry from the Security tab of their properties.

Then run the following commands in the shell for each of your customers:

$container="CN=Company A Address List,CN=All Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"

Add-ADPermission $container -User "COA_S_All" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book

$container="CN=Company A GAL,CN=All Global Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"

Add-ADPermission $container -User "COA_S_All" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book

$container="CN=Company A Offline Address Book,CN=Offline Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"

Add-ADPermission $container -User "COA_S_All" -AccessRights GenericRead, ListChildren -ExtendedRights ms-Exch-Download-OAB
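Steps 1 and 2 of this section (the three root containers, then every customer's own lists) are repetitive and easy to get wrong by hand, so here is the whole procedure as one script. This is an added example, not the article's own code: it breaks inheritance through ADSI (copying the inherited entries, the same thing the "Copy" button in the warning prompt does), removes the unwanted principals with Remove-ADPermission, and then grants the rights from the article. The organization name UNITED, the domain DN, the tenant name "Company A" and the group "COA_S_All" are placeholders taken from the article and must be replaced with your own values; it assumes Exchange Organization Administrator rights.

```powershell
# Added example (not from the article). Assumes: Exchange Management Shell,
# Exchange Organization Administrator rights, and that the names below are
# replaced with your own (they are the article's placeholders).
$orgName  = "UNITED"
$domainDn = "DC=united,DC=com"
$alBase   = "CN=Address Lists Container,CN=$orgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,$domainDn"

# Break inheritance on a container, keeping copies of the inherited ACEs so the
# Exchange servers and administrators keep their access (equivalent to unticking
# "Include inheritable permissions from this object's parent" and choosing Copy).
function Protect-Container([string]$dn) {
    $entry = [ADSI]("LDAP://" + $dn)
    $entry.ObjectSecurity.SetAccessRuleProtection($true, $true)
    $entry.CommitChanges()
}

# Remove the explicit (non-inherited) ACEs for the listed account names.
function Remove-PrincipalAces([string]$dn, [string[]]$principals) {
    Get-ADPermission -Identity $dn | Where-Object {
        $ace = $_
        $hit = $false
        foreach ($p in $principals) { if ($ace.User -like ("*\" + $p)) { $hit = $true } }
        $hit -and -not $ace.IsInherited
    } | Remove-ADPermission -Confirm:$false
}

# Step 1: the three root containers. Anonymous Logon, Everyone and
# Authenticated Users lose their read access; Authenticated Users keep only
# ListObject, which lets Outlook walk the tree without exposing the lists.
$roots = @("All Address Lists", "All Global Address Lists", "Offline Address Lists")
foreach ($root in $roots) {
    $dn = "CN=$root,$alBase"
    Protect-Container $dn
    Remove-PrincipalAces $dn @("Anonymous Logon", "Everyone", "Authenticated Users")
    Add-ADPermission -Identity $dn -User "Authenticated Users" -AccessRights ListObject
}

# Step 2: per-tenant lists. Only the tenant's security group may open them;
# the OAB additionally needs ms-Exch-Download-OAB so Outlook can download it.
function Grant-TenantAddressLists([string]$tenant, [string]$group) {
    $lists = @(
        @{ Dn = "CN=$tenant Address List,CN=All Address Lists,$alBase";              Ext = "Open-Address-Book" },
        @{ Dn = "CN=$tenant GAL,CN=All Global Address Lists,$alBase";               Ext = "Open-Address-Book" },
        @{ Dn = "CN=$tenant Offline Address Book,CN=Offline Address Lists,$alBase"; Ext = "ms-Exch-Download-OAB" }
    )
    foreach ($l in $lists) {
        Protect-Container $l.Dn
        Remove-PrincipalAces $l.Dn @("Authenticated Users")
        Add-ADPermission -Identity $l.Dn -User $group -AccessRights GenericRead, ListChildren -ExtendedRights $l.Ext
    }
}

Grant-TenantAddressLists "Company A" "COA_S_All"
# Grant-TenantAddressLists "Company B" "COB_S_All"   # repeat once per customer

# Check: the tenant group should be the only explicit entry with read rights;
# no Everyone / Anonymous Logon / Authenticated Users entry should remain.
Get-ADPermission -Identity "CN=Company A GAL,CN=All Global Address Lists,$alBase" |
    Where-Object { -not $_.IsInherited } |
    Format-Table User, AccessRights, ExtendedRights -AutoSize
```

If the final check still shows "Authenticated Users" or "Everyone" on a tenant list, inheritance was not broken on that container (the entries are then inherited and cannot be removed), which is the case the article's "re-inherit and redo" advice covers.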

3. Assign Offline Address Book

The Default Offline Address Book is assigned to all mailbox users by default. However, in our setup we have a specific Offline Address Book for the mailbox users of each individual customer. There are various ways to assign it, e.g. manually modifying the user object's AD attribute, using the Exchange Management Shell, or assigning the Offline Address Book at mailbox database level.

I personally recommend configuring the setting at mailbox database level. The reason is simple: it will be easier for you to do backup and restoration for each individual customer if they have their own mailbox database.

All you need to do is: in the Exchange Management Console, under "Server Configuration", "Mailbox Servers", right click on the database and click "Properties", then click the "Browse" button for "Offline address book" in the "Client Settings" tab.

[Screenshot: 29.JPG]

Now all settings are in place. You can test by logging in as one of Company A's users, clicking "Address Book" in the Outlook client and checking that you can only see users in Company A. If not, re-inherit the permissions and redo the inheritance breaking and assignment.

4. OWA Address List permission control and modification

There is one more modification that is usually forgotten: OWA Address List permission control. Although the permission to view Company B's users is denied at the Outlook client level, the behaviour of OWA will still allow them to see each other. To complete this setup, you need to perform the following tweak at user object level.

Modify the "msExchQueryBaseDN" attribute.

[Screenshot: 30.JPG]

Set the value to the "distinguishedName" of the company's OU.

[Screenshot: 31.JPG]
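Sections 3 and 4 both end up being per-customer settings, and msExchQueryBaseDN in particular has to be set on every mailbox user of the tenant, which is tedious in ADSIEdit. The script below is an added example, not code from the article: it binds the tenant's OAB at database level with Set-MailboxDatabase, then sets msExchQueryBaseDN on every mailbox in the tenant's OU through ADSI and reports any mailbox whose value does not match. The database identity, OAB name and OU names are assumed placeholders built from the article's "Company A" and must be replaced with yours.

```powershell
# Added example (not from the article). Assumes: Exchange Management Shell with
# Organization Administrator rights; all names below are placeholders.
$tenantDb   = "EXCH01\Company A SG\Company A DB"   # assumed database identity
$tenantOab  = "Company A Offline Address Book"     # OAB created in Part 1
$tenantOu   = "united.com/Company A"               # canonical OU name for Get-Mailbox
$tenantOuDn = "OU=Company A,DC=united,DC=com"      # the OU's distinguishedName

# Section 3: bind the tenant's OAB at database level, so every mailbox in that
# database picks it up without touching individual user objects.
Set-MailboxDatabase -Identity $tenantDb -OfflineAddressBook $tenantOab
Get-MailboxDatabase -Identity $tenantDb | Format-List Name, OfflineAddressBook

# Section 4: limit the OWA address-book search base to the tenant's own OU by
# writing msExchQueryBaseDN on each mailbox user. Returns the number processed.
function Set-QueryBaseDn([string]$ou, [string]$ouDn) {
    $mailboxes = @(Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited)
    foreach ($mbx in $mailboxes) {
        $user = [ADSI]("LDAP://" + $mbx.DistinguishedName)
        $user.Put("msExchQueryBaseDN", $ouDn)
        $user.SetInfo()
    }
    return $mailboxes.Count
}

# Check: list tenant mailboxes whose msExchQueryBaseDN is missing or points
# elsewhere (new mailboxes created after this run will show up here).
function Get-QueryBaseDnMismatches([string]$ou, [string]$ouDn) {
    Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited | Where-Object {
        $u = [ADSI]("LDAP://" + $_.DistinguishedName)
        ([string]$u.Properties["msExchQueryBaseDN"].Value) -ne $ouDn
    }
}

$count = Set-QueryBaseDn $tenantOu $tenantOuDn
"Updated msExchQueryBaseDN on $count mailbox(es) in $tenantOu"
Get-QueryBaseDnMismatches $tenantOu $tenantOuDn | Format-Table Name, DistinguishedName -AutoSize
```

Because msExchQueryBaseDN is a per-user attribute, run the check function again after provisioning new users for the tenant; unlike the OAB binding on the database, it is not inherited by mailboxes created later.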

Now your multi-tenant setup should work perfectly fine.

In the next article, we are going to talk about how to use ISA as a reverse proxy to publish OWA, Outlook Anywhere and, most importantly, Autodiscover for multi-tenant.

About Wan Ziyang (Triston)

Wan Ziyang (Triston) is a Senior Consultant with a System Integrator based in Singapore. He has been an MCSE since 2005 and is an MVP in Exchange Server. Triston leads the Singapore MessagingTalk User Group activities, where folks interested in Microsoft Messaging Technologies gather for learning and networking. He has done several implementations of various versions of Exchange Server. He is also a Red Hat Certified Engineer on EL4.
