Configuring Hosted Exchange 2003 – High Level Steps

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Published 2/20/2010


Preface


I compiled this blog in response to questions regarding how to set up Hosted Exchange on 2003. I have not yet compiled one for Exchange 2007, which I will be writing soon enough. The steps outlined are high-level steps, and it’s assumed you are familiar with how to configure the actual low-level steps and tools required. If you are not sure about the specifics of a step, you can simply search for how to do it, or contact me, and I’ll search and provide links or add an addendum to this blog with the steps and how-tos.


I hope you find it helpful.


Test AD domain name: exchangehosting.local

Exchange 2003 SP1:
======================
Created multiple Recipient Policies, one for each company:

CompanyB.com
 – The only SMTP address (other than the X.400 address) is: @CompanyB.com
 – The policy’s LDAP filter matches on the Company Name, which is set in the user’s AD properties and must be filled in when each user is created. For this test it is set to: CompanyB-UserAccount

CompanyA.com
 – The only SMTP address (other than the X.400 address) is: @CompanyA.com
 – The policy’s LDAP filter matches on the Company Name, which is set in the user’s AD properties and must be filled in when each user is created. For this test it is set to: CompanyA-UserAccount
======================
Created an OU for each company name. The current ones for the test are:
CompanyA.com
CompanyB.com
In each OU, created a Universal Security Group for the respective company, and added only that company’s users to it. The two current groups for the test are:
Enmedia.Net Members
CompanyA.com Members
======================
In AD Domains and Trusts:
Created additional UPN suffixes to match the respective customer domain names.
@CompanyA.com
@CompanyB.com
======================
In AD, two users were created, one for each company under their respective OUs:
CompanyB-UserAccount\P@ssw0rd
Email address and UPN is “CompanyB-UserAccount@CompanyB.com”
CompanyA-UserAccount\P@ssw0rd
Email address and UPN is “CompanyA-UserAccount@CompanyA.com”
======================
Created multiple GALs, one for each company:
Default Global Address List
 – Denied Full Control (FC) to all of the company Universal Security Groups. All other permissions are left default.
CompanyB GAL
 – Denied Full Control to all company Universal Security Groups except the CompanyB.com Members Universal Security Group, which is given List and Read.
CompanyA GAL
 – Denied Full Control to all company Universal Security Groups except the CompanyA.com Members Universal Security Group, which is given List and Read.
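The GAL permissions above are what keep one company from browsing another company’s address list, so they are worth checking after the fact rather than trusting the ESM dialog. The following PowerShell script is an added example, not code from the original post: it reads the ACL of each GAL object in the Configuration naming context with System.DirectoryServices and flags any tenant group that is not explicitly denied Full Control on a foreign GAL, or that is denied on its own. It assumes PowerShell with .NET 2.0 on a domain member, the GAL and group names from this post, the test forest exchangehosting.local, and an Exchange organization name, which the post does not give and is left as a placeholder.

```powershell
# Added example, not from the original post: audit which tenant Universal Security
# Groups are denied or allowed on each GAL object. Assumes the GAL and group names
# from the post and the test forest exchangehosting.local.
$orgName = "<OrgName>"   # placeholder: the Exchange organization name is not given in the post
$galBase = "CN=All Global Address Lists,CN=Address Lists Container,CN=$orgName," +
           "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=exchangehosting,DC=local"

# Each GAL and the one group allowed to see it ($null = no tenant group may see it).
$gals = @(
    @{ Name = "Default Global Address List"; Owner = $null },
    @{ Name = "CompanyA GAL";                Owner = "CompanyA.com Members" },
    @{ Name = "CompanyB GAL";                Owner = "CompanyB.com Members" }
)
$tenantGroups = @("CompanyA.com Members", "CompanyB.com Members")
$fullControl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

foreach ($g in $gals) {
    $entry = [ADSI]("LDAP://CN=" + $g.Name + "," + $galBase)
    # Explicit and inherited ACEs, with trustees resolved to DOMAIN\name form.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($group in $tenantGroups) {
        # IdentityReference.Value is "DOMAIN\group"; compare on the group name part.
        $aces    = @($rules | Where-Object { $_.IdentityReference.Value.Split("\")[-1] -eq $group })
        $denyAll = @($aces  | Where-Object {
                        $_.AccessControlType -eq "Deny" -and
                        ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl })
        $allow   = @($aces  | Where-Object { $_.AccessControlType -eq "Allow" })

        if ($group -eq $g.Owner) {
            # The owning company's group must be able to see its own GAL.
            if ($denyAll.Count -gt 0) {
                Write-Host "WARN  '$group' is denied Full Control on its own GAL '$($g.Name)'"
            } elseif ($allow.Count -eq 0) {
                Write-Host "WARN  '$group' has no Allow ACE on its own GAL '$($g.Name)'"
            } else {
                $rights = ($allow | ForEach-Object { $_.ActiveDirectoryRights }) -join ", "
                Write-Host "OK    '$group' allowed on '$($g.Name)': $rights"
            }
        } else {
            # Every other company's group (and all groups on the default GAL) must be denied.
            if ($denyAll.Count -eq 0) {
                Write-Host "WARN  '$group' is NOT denied Full Control on '$($g.Name)'"
            } else {
                Write-Host "OK    '$group' denied Full Control on '$($g.Name)'"
            }
        }
    }
}
```

Run it as an account that can read the Configuration container; a WARN line on a foreign GAL means that group’s members can still enumerate the other company’s recipients and the deny ACE should be re-applied in ESM.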
======================
In DNS, two zones were created:
CompanyB.com
A host record was created called “mail” so customers can access their email and OWA as follows:
FQDN: mail.CompanyB.com
OWA: https://mail.CompanyB.com/exchange

CompanyA.com
A host record was created called “mail” so customers can access their email and OWA as follows:
FQDN: mail.CompanyA.com
OWA: https://mail.CompanyA.com/exchange
======================
In order to allow SSL to function properly for each website created for each customer (required by RPC/HTTPS and recommended for OWA access), each website requires its own individual IP address rather than “All Unassigned” in the website properties.
In NIC properties, an IP address was added for each customer domain expected to be used.
Keep in mind that in a production environment this is not recommended on a DC, and therefore a member server is required for Exchange. If multiple IPs are configured on a DC, expect AD problems and issues.
======================
Certificate Services were installed under Add/Remove, Windows Components.
======================
To create multiple HTTP/SMTP domains for OWA and RPC/HTTPS access, multiple HTTP virtual servers had to be created:
 – In ESM, under Protocols\HTTP, right-click, New HTTP Virtual Server.
 – Created two virtual servers:
    – CompanyA
    – CompanyB
For each virtual server created, the SMTP domain it is responsible for must be specified. The system gets this information from the Recipient Policy SMTP suffixes created.
 – Ensure in ESM, under the HTTP\website properties, in the Exchange Path selection, that “Mailboxes for SMTP domain” is selected.
 – Click on Modify, and select the respective SMTP domain name.


Once the virtual servers have been created, then open IIS.
 – If already open, hit the refresh button.
 – The two domains you created will now show up.
 – However, you will only see one subfolder called “Exchweb” under each respective virtual directory that was created.
 – Next to the IP address, if not already done so, ensure the respective IP has been selected.
 – Click on Advanced, Under the


OWA and RPC/HTTPS will require an “Exchange” virtual folder to be created:
 – Right-click the new website created, select New, then Virtual Directory.
 – Provide “Exchange” for the name
 – Copy all property settings from the default “Exchange” subfolder’s properties under the Default Website.


We will now need an SSL cert. To acquire a publicly recognized SSL cert, contact www.verisign.com or www.digicert.com (my preference), and follow the steps they provide. Otherwise, for this test, we will use an SSL certificate provided by our own private CA (Certificate Authority).
======================
 
To get an SSL cert from our private CA:
 – Under the Directory Services Tab, click on Server Certificate
 – Select to request a new certificate and select to send it directly to the local Certificate Authority.
 – Select the defaults for the rest of the requested information, except for the host header, where you select the respective website’s host header name that customers will be using to access OWA and RPC/HTTPS. For example, the CompanyA website’s FQDN and host header name will be set to mail.CompanyA.com.
 – Click Finish to complete the certificate wizard.
 – While still under the Directory Service tab, under the Secure Communications section, click on “Edit”.
 – Select “Require Secure Channel”.
 – For the test, the 128-bit encryption requirement was not selected.
 – Click OK, and apply to ALL subfolders.
 – If this is the default website, which will only be used for administrative purposes for OWA and other functions, you MUST de-select the “EXADMIN” virtual website (subfolder).
 – Repeat for each website.
 – In each website’s properties, under the Web Site tab, click on Advanced, then on the Web Site tab select an IP for the website, and click Apply.
Restart IIS.


======================


In ESM:
 – Create a Storage Group called “Customer Group 1”.
 – Create a Mailbox store in each group for each customer. A Storage Group will handle 5 stores/customers, since only 5 stores can be created per storage group.
 – Set mailbox limits per store as per the customer’s SLA.
 – In AD, move the users to their respective company’s mailbox store.


======================


Enable Forms Based Authentication to test:
 – Go to ESM, Protocols, HTTP, right-click, Properties, Settings tab, click on Forms Based Authentication.
 – In IE, connect to each company’s OWA FQDN.
 – For CompanyA-UserAccount, use: “https://mail.CompanyA.com/exchange”
 – The Forms Authentication page will appear.
 – Username: CompanyA-UserAccount
 – Password: P@ssw0rd
 – Mailbox will open.


======================


For RPC/HTTPS:
 
 – In ESM, Protocols, for each virtual HTTP website, Properties, uncheck Forms Based Authentication.


======================


Each Company needs an Offline Address Book:
In ESM, create additional address books for each company and name them appropriately and associate the newly created address book with the respective company GAL.


======================


Each Company requires their own Address Lists independent of other companies.
How To Use Address Lists to Organize Recipients in Exchange 2003
http://support.microsoft.com/?id=319213


======================


Set a Search point for address book queries for each company. This will be based on OUs.
See http://support.microsoft.com/?id=272197
1. Start the ADSIEdit snap-in, and then click Connect To on the Action menu.
2. Click Domain NC.
3. Click a computer or domain to connect to, or click OK to use the domain or server that you are logged into, and then click OK to accept these settings.
In this example, use ASPHosting.com.
4. Click DC=ASPHosting, dc=COM.
5. Locate and click the Customer1.com organizational unit, and then right-click the user to which you want to set viewing restrictions.
6. Click msExchQueryBaseDN in the Select a property to view box.
7. Copy the LDAP address that represents that user’s organizational unit in the Edit attribute box. For example, ou=customer1, DC=ASPhosting, dc=COM, or ou=CompanyA.com,dc=exchangehosting,dc=local
8. Click Set, and then click OK.
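Three of the per-user settings described in this post together decide what a hosted user can see and which addresses they own: the UPN suffix from the Recipient Policy/UPN steps, the SMTP proxy addresses stamped by the company’s Recipient Policy, and the msExchQueryBaseDN search point just set. The following PowerShell script is an added example, not code from the original post: it walks each company OU with System.DirectoryServices and reports any mail-enabled user whose UPN is not in the company domain, whose SMTP addresses stray outside it, or whose msExchQueryBaseDN is not scoped to the company OU. It assumes PowerShell with .NET 2.0 on a domain member, the OU layout from this post under exchangehosting.local, and a constructed tenant list for the two test companies.

```powershell
# Added example, not from the original post: audit per-tenant user settings for
# each company OU. The tenant list is a constructed sample matching the test lab.
$tenants = @(
    @{ Domain = "CompanyA.com"; OU = "OU=CompanyA.com,DC=exchangehosting,DC=local" },
    @{ Domain = "CompanyB.com"; OU = "OU=CompanyB.com,DC=exchangehosting,DC=local" }
)

# Returns the first value of an attribute from a search result, or "" if it is unset.
function Get-FirstValue($props, $name) {
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { return [string]$props[$name][0] }
    return ""
}

foreach ($t in $tenants) {
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $t.OU)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Mail-enabled user accounts anywhere under the company OU.
    $searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(mail=*))"
    $searcher.SearchScope = "Subtree"
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@("sAMAccountName", "userPrincipalName", "proxyAddresses", "msExchQueryBaseDN"))

    foreach ($result in $searcher.FindAll()) {
        $p    = $result.Properties            # attribute names come back lower-cased
        $name = Get-FirstValue $p "samaccountname"
        $upn  = Get-FirstValue $p "userprincipalname"
        $qbdn = Get-FirstValue $p "msexchquerybasedn"
        $problems = @()

        # 1. The UPN must use the company's UPN suffix added in AD Domains and Trusts.
        if (-not $upn.ToLower().EndsWith("@" + $t.Domain.ToLower())) {
            $problems += "UPN suffix is not @$($t.Domain): '$upn'"
        }

        # 2. Every SMTP proxy address must belong to the company's own domain;
        #    X.400 and other address types are skipped.
        if ($p.Contains("proxyaddresses")) {
            foreach ($addr in $p["proxyaddresses"]) {
                if ($addr -match '^smtp:' -and $addr -notlike "*@$($t.Domain)") {
                    $problems += "SMTP address outside tenant domain: $addr"
                }
            }
        }

        # 3. Address book queries must be rooted at the company OU, not the domain.
        if ($qbdn -ne $t.OU) {
            $problems += "msExchQueryBaseDN is '$qbdn', expected '$($t.OU)'"
        }

        if ($problems.Count -eq 0) {
            Write-Host "OK    $($t.Domain)\$name"
        } else {
            foreach ($m in $problems) { Write-Host "WARN  $($t.Domain)\$name : $m" }
        }
    }
}
```

An empty msExchQueryBaseDN shows up as a WARN with expected OU, which is the case for any user created after the ADSIEdit step above was done for the others; re-run the script after bulk-creating accounts for a new customer so no user is left searching the whole domain.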
======================


Related Links


Shared Hosting with Exchange 2003 (Part 1 & 2), Jul 20, 2004
http://www.msexchange.org/tutorials/Shared_Hosting_Exchange_2003_Part1.html



TechNet Support WebCast: Welcome to Hosted Exchange 2003. Discusses Windows-based Hosting, including Hosted Exchange 2003, a Microsoft solution. Tells how Hosted Exchange 2003 helps service providers offer flexible …
http://support.microsoft.com/kb/887284