How to Create a Hosted Exchange 2003 System Using Address List Segregation

I’m going to show you how to created a “hosted” Exchange 2003 system.  What this essentially means is how to segregate the system so that you can host multiple companies on the same Exchange Organization, and not have any of them aware of each other.  Microsoft calls this “Address List Segregation”.  Keep in mind that this is not an officially supported setup from Microsoft, they only support it on Exchange 2007.  However, it is a good practice in the use of different permissions in relation to Active Directory and Exchange, as well as uses other techniques that can applied in different area’s.  For instance, the section on creating Multiple Global Address Lists, can be used by a company that wants to create a more toned down, or user friendly GAL to its end users, instead of the default one which lists all mailbox enabled service accounts and what not.

Let’s get down to business.

First, I have created three “companies” in Active Directory:

ScreenHunter_02 Nov. 14 21.06 

The first thing we need to do, is allow each user to log on with their company email domain.  Our Active Directory domain name is “ponzeka.test”.  We don’t want our users logging in with that, we want to give them the idea that they are the only one on the system.  To do this, we need to create User Principal Names or UPN’s.  We do this by navigating to Active Directory Domains and Trusts, right clicking on “Active Directory Domains and Trusts” and selecting properties.  Here, create Alternative UPN suffixes for each email domain and its corresponding company, like so:

ScreenHunter_03 Nov. 14 21.11

Now the next thing we need to do is create users for each company, and then groups, identifying the users in the company.  For each company, I created a group called Companyname Users, and assigned all the users to this company.  When you create a new user, make sure to assign the UPN suffix for their company.  For example, for the Ponzeka.selfip.com company, this would be the user setup:

ScreenHunter_04 Nov. 14 21.13

Notice I’m selecting the @ponzeka.selfip.com UPN so that this user can log on using his username@ponzeka.selfip.com instead of username@ponzeka.test

Once you have all your groups created, you can move on to creating Custom Recipient Update Policies so that each “Company” get’s their own email address. A note on this.

You do not want to remove the default Recipient Policy, or modify it.  In our example it gives every user an email address of @ponzeka.test.  The reason we want EVERY user to have this is because OWA needs it, and it allows us to enable sign on without specifying a domain.

First we will create a Recipient Update Policy for the Ponzeka.selfip.com company.  We need to filter the policy by members of the Ponzeka.selfip.com group that we created earlier.  In Exchange System Manager, navigate to Recipients->Recipient Policies->Right Click and Select Create New Policy.  Select and Email Addresses policy and select OK.  Entitle the Policy “Ponzeka.selfip.com”

ScreenHunter_05 Nov. 14 21.20

Next, go to the Email Address Policy Tab, and assign the SMTP email address and make it the default.  Remember, in Exchange 2003, when you add an email address to a Recipient Update Policy and select the check box for “This Exchange Organization is responsible for all mail delivery to this address”, this is how you tell Exchange that it should accept email for this domain.  When your done your Email Address Policy tab should look like this:

ScreenHunter_06 Nov. 14 21.24

Now comes the tricky part.  We need to change the filter so that it only applies this new policy to members of the Ponzeka.Selfip.com Users group.  For this we need to assistance of ADSIEDIT, because we need to get the Distinguished Name of the group.

In ADSIEDIT navigate to the group, right click and select properties:

ScreenHunter_07 Nov. 14 21.26

Now, under attributes navigate to the “distinguishedname” attribute, select edit, and copy the whole string, DO NOT CHANGE IT!

ScreenHunter_08 Nov. 14 21.27

In my case the value ended up being:

CN=Ponzeka.selfip.com Users,OU=Groups,OU=Ponzeka.Selfip.com,OU=Company’s,DC=ponzeka,DC=test

Now, go back to your Recipient Policy, General Tab, select modify for the filter.  Go to the Advanced Tab, and for Field select User, is a member of, and paste the distinguished name of the group into the value tab.

ScreenHunter_09 Nov. 14 21.29

Press Add to add the filter, and then Find Now to ensure that only the members of that group are found:

ScreenHunter_10 Nov. 14 21.30

Voila, all set!  Save the policy and have it apply!  Set up the same settings for all the remaining company’s.

If we check, the user has the correct email address:

ScreenHunter_11 Nov. 14 21.42

Okay, the next thing we need to do is create different Global Address Lists or GAL’s for the respective company’s.  We don’t want to go through all this work, and then have users from other company’s seeing each other in the GAL.

ScreenHunter_01 Nov. 14 20.59

Here, it lists all the users in the company.  By default, Exchange installs a GAL called the “Default Global Address List”.  The default GAL will list ANY and EVERY mail-enabled object in Active Directory.  This means any of the following:

  1. Mailbox Enabled Users
  2. Mail Enabled Users
  3. Mail Contacts
  4. Mail Enabled Groups
  5. Mail Enabled Public Folders

With Global Address Lists, each user can only have one, and the criteria for the system choosing one goes as follows:

Do they have rights to open the GAL?

Which GAL is the biggest?

Are they a member of the GAL?

The system uses those three criteria to determine which GAL each user gets.  So what we need to do, is disable the members of the three groups from opening the Default GAL.  We do not want to remove it, because certain programs rely on it such as Blackberry Enterprise Servers, and MOM monitoring.

Create a new GAL, and set its filter to be the same as the Recipient Update Policy.  Create a new GAL by navigating to Recipients->All Global Address lists-> New Global Address List

Remember, you are setting the same “User is a member of distinguished name of group” that you set for the Recipient Update Policy as before. Now, we need to stop users from opening the Default GAL, as that is bigger than any of the others we are creating.  Right click the “Default GAL” and select properties, and navigate to the security tab.  Select the advanced button, and then add.  Here, add each company’s group, and deny it the Read Permission (this will in turn deny it several other permissions) and deny it the Open Address List permission.

ScreenHunter_13 Nov. 14 21.57

Now each user in their respective company will only get the users in their company!

ScreenHunter_14 Nov. 14 22.00  ScreenHunter_15 Nov. 14 22.01

The only other thing you need to do is delete all the address lists that come created by default with Exchange.  The system will ask you if you want to delete the address lists, since they were created by default.  Select yes, there is no harm.  Otherwise, users could navigate to the address list and GHAST, see other people!

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s