Great write up! I'm working on this too now, thanks to microsoft.. I miss the /hosting switch already. Anyways, if you wanna send me your provisioning script I'll help you test it ;)

Every time I use any of these commands in a powershell instance, I just get errors.

:(

Still no luck:

[PS] C:\Windows\system32>$ou = [ADSI]"LDAP://ou="Microsoft Exchange Tenants,dc=excelwebhost"
Unexpected token 'Microsoft' in expression or statement.
At line:1 char:34
+ $ou = [ADSI]"LDAP://ou="Microsoft <<<< Exchange Tenants,dc=excelwebhost"
+ CategoryInfo : ParserError: (Microsoft:String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken

[PS] C:\Windows\system32>

running import-module activedirectory works for me, although I edited the code a bit but am using the same functions.

I must be stupid or something.

I've loaded the import module but I am still getting errors.

It's still telling me that I have invalid characters in the script.

Here's my OU code using the basic activedirectory module.

#### OU Creation
#Need AD Module
import-module activedirectory
#Connect to AD01 LDAP via adsi
$Connect = "LDAP://<AD SERVER>/OU=Hosted Organizations,DC=contoso,DC=com"
$AD = [adsi] $Connect
#User create method...
$OU = $AD.Create("OrganizationalUnit", $TenantOU)
$OU.SetInfo()
#Add UPN suffix so that it can be added to users later
Set-ADForest -Identity tenantdomain.com -UPNSuffixes @{Add=$TenantBaseDomain}

I'm still trying to figure out how to:
- Grant access to ECP to some users.. Figure out which features don't work, disable those, or fix them, or whatnot.
- Remove or disable the emailaddresspolicy that is attaching the install/base organization email address from the default emailaddresspolicy. I've added creating email address policies to my tenant provisioning code so that they all get whatever domains attached that they need to their mailbox.
- Figure out how this should all mesh properly with the Lync hoster pack.. @_@

Hi, I am about to setup a multi tenant server and wondering how you got on making the script?

Hey. Thank you for the guidance .. But how about the Default Address List?

Thanks.

I never could get any of these scripts to work and ultimately abandoned my project.

It actually works fine. One thing is missing here, you need to apply the address list policy to the mailbox before it works. :-)

Hi,

thank you for your clear tuto.
I followed everything, i have the correct result in owa but not in outlook 2010/2007 or 2003 !
Don't find why ?!!!

Agree with above, I followed the steps and even added the address list policy from mailbox settings. Works great in OWA, not Outlook though, they still see everyone.

Hi JDixon,

I have used your script which is lovely and simple. However in Outlook it still shows all users. Is there anything I have missed?
Cheers
Dave

Thanks for the reply, at the moment I have not created any additional users for the test tenant/s. Just using the Administrator account which is created using your script, which as you would know does have the customattribute1 set and the policy applied. OWA works a treat as this user cannot see any of the other 40+ users/groups. However in Outlook the user sees everything.

Thanks for the time you have put into this. Its a great help.

Hello. Mine does exactly the same thing. OWA is OK, but Outlook shows all the other address lists.

Tried your script, error out with this message:

The following exception occurred while retrieving member "Create": "The server is not operational.

That fixed me up. It did everything but now I am a little lost as to where to go next. The admin account it created has no control over that tenant's email address's.

I was able to log in to the ECP with the new admin account which has a Windows 2000 login name of administrator2. but if I try to login with the new tenant domain domain\administrator with password doesn't yield any results. When I log into the ECP, i can only manage the admin's mailbox.

One more thing. My problem is that all the other address lists, is shown in the 'All Address List' container in Outlook. The address list container for all is also only this: "/" and nothing more. What to do?

Yeah I am not using this in a production environment. Just testing stuff.

Hey all. I have just found this:

From Technet:
Do not run CAS role on a Global Catalog - doing so results in Active directory being used for NSPI, not the Address Book Service, bypassing all of the logic built in to the feature

From MSExchange.org:
So you can’t use ABP’s if Exchange is installed on a GC as NSPI is provided by AD, not Address Book Service

Hi JDixon and everyone else.

Sorry in the delay in getting back, I have been busy. As a test I have installed exchange on a hyper-v VM and retested. As per the above post it is working. In Outlook I do not see the other users same with OWA. Exchange cannot be on a GC. Thanks for the script it is really useful and will save alot of time with entering commands.

The only thing I would like to see is a modified script for adding individual users without it creating OU, address lists etc. Just specify a username and password etc and it will autofil the rest.

Thanks for the all the work Jdixon.

Cheers
Dave

Hi,

last year I did setup an exchange 2010 that is behind an TMG sp2 for use in an multi tenency enviorment, and I have to sya that is working as it should.our customers access their mails with OWA, or POP or IMAP.
now we have a new customer that want to use outlook any where, and my question is,
can we do this? I mean becuse there is not an globle address list and each customer has his own GA and OAB, how can we configure the exchange and TMG for autlook anywhere access?
Thanks

It all worked perfectly when i removed the GC role from the Exchange server. Thank you for the script.

Hi jdixon,

I hope all is going good. I was curious if you had a chance to look at the additional scripts you mentioned? It would be a life saver, well time saver. More then happy to pay or donate as it is such a great script you have already provided!

Thanks
Dave
Australia

Hi,
I want to install the exchange server 2010 sp2 in such a way so that i can satisfy multi tenant mode.. can any one help me in this?

my mail id is smooth.munna@gmail.com. please do reply as soon as possible.

regards,
Bhalotia

Thanks Jdixon,

Look like good scripts! I will give them a proper test during this work week and let you know how it all goes. Thanks for doing all that. Let me know how I can donate.

Cheers
Dave

Great article; a HUGE head start making sense out of Exchange multi-tenant provisioning. Thanks!

Consider posting these scripts to TechNet Script Repository; I think lots of folks would be interested in them.

Found one little bug: New-User.ps1 uses $DisplayName for both Display Name & Full Name attributes. If you want your Display Names in Lastname, Firstname format, this causes 2 problems:

1. The Full Name is also in Lastname, Firstname format.

2. AD escapes the "," to become "\," in the DN. The script doesn't escape the comma, and fails when it tries to query AD for the account just created.

I'm modifying it to concatenate Firstname & Lastname to avoid both problems. Don't know if there are other characters that have to be escaped in DNs, however. (And I'm enough of a PS noob that I'm not sure I could handle that yet anyway!)

Supply values for the following parameters:
Domain: ourdomain.net.au
TenantName: John Doe
TenantDomain: example.com
Password: ChangeMe!2012
Created new organizational unit. [OU=John Doe,OU=Hosting]
Added example.com to the forest upn suffixes
Created the Accepted Domain
Couldn't find organizational unit "ourdomain.net.au/Hosting/John Doe". Make sure you have typed the name correctly.
At C:\Users\Administrator.OURDOMAIN\AppData\Roaming\Microsoft\Exchange\RemotePowerShell\win-ex1.ourdomain.net.au\
win-ex1.ourdomain.net.au.psm1:26721 char:31
+ $steppablePipeline.End <<<< ()
+ CategoryInfo : NotSpecified: (0:Int32) [New-GlobalAddressList], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : 47C1C782,Microsoft.Exchange.Management.SystemConfigurationTasks.NewGlobalAddressList

If I run a Get-AcceptedDomain, I see that it's successfully added:

Name DomainName DomainType Default
---- ---------- ---------- -----
ourdomain.net.au ourdomain.net.au Authoritative True
John Doe example.com Authoritative False

So I suspected that the New-GlobalAddressList line is failing to run, however if I run it manually, it works.

Any ideas?

Suggestion:

Use the non-Exchange "Company" field for the tenant name instead of Custom Attribute 1, and modify the EAP (as used in the 3 Mar 2012 version of the script) to make the Company field the Condition that's checked by the EAP. Then call Enable-Mailbox against the user object (instead of New-Mailbox), to mail-enable the user.

In this way, you don't get the default alias@internal.local e-mail address, because the Default EAP will never be applied to the mailbox. This allows use of EAPs in compliance with MS's multi-tenant guidance, while eliminating the default address for which you removed EAPs in the 16 Mar 2012 version of the script.

Another advantage: If you host more than just Exchange, some users might be mail-enabled, while others might not. For non-mail-enabled users, you just programmatically skip the Enable-Mailbox part, or make it a separate script. If the Company field is already filled during initial provisioning, and the customer decides to opt for e-mail, the account is Exchange-ready after you run New-Tenant.ps1.

Hi JDixon,

Thanks for the scripts, I am testing it in my environment and so far so good. This is a very good time saver.

I think the next step would be Room or equipment mailbox and also taking a look into public folders.

Have you had the chance to take a look at theses two things ?

Regards,

Marco

Hi Again,

Public folder segmentation works normally with the Public folder Management console, you can create subfolder and give permissions as you normaly do.

Also for resource mailbox or room mailbox, you can create them manually in the EMC and and the Custom Attibute and it is working fine. I didn't had the time to create a new scripts base on the new-user scripts for resource mailbox. But once the tenant is created you can use the EMC to finish your things.

A few tests and I will put this in prod and let you know guys !

Regards

Marco

Hi mate,

The issue I'm having trouble with is that when the two tenant sends email to each other they are sending internally. Is there a way or work around for the email to be sent externally.

I have also tried the Smarthost to a barracuda and since the tenant's domain is considered like localhost for the exchange server it does send it internally. That is causing an issue with Out of office messages because it does responds with the internal notice instead of the external notice .. Still looking into it ..

There is some third party software for transport between tenants ... but it is too expensive around 3000$

Great post thank you
you saved me from alot of work
Thanks again Keep it coming :)

I would like to know if anyone has tested any of this on an SBS2011 server? SBS2011 has Exchange 2010, but it is a GC and holds ALL FSMO roles.

@Tom Menasco

You've not described your exact requirements. But if they're cozy enough to be willing to split an SBS, they each know that the other exists. So the illusion that each company owns the system, which we need to maintain in true multi-tenancy scenarios, likely doesn't apply here. My guess is that, as far as Exchange is concerned, the most important thing you need is the ability to send and receive for 2 external domains. That's easy. But, ideally, you should also be able to create 2 GALs, and have 2 e-mail address policies. While the techniques have changed, that, too, has been do-able since Exchange 4.0...I've done it with EX 4.0, 5.5 and 2003. (Still working on it with EX2010SP2!)

That said, my SBS multi-tenant experience is limited to supporting 2 external domains, and no other separation, on SBS 2008 R2. But I can't fathom why 2 ABPs and EAPs would be a problem on SBS 2011. The only multi-tenancy feature that's new in EX2010SP2 is multiple ABPs, anyway. So if that didn't work, as long as your clients don't care if they see each others' names on the GAL, it's a problem you don't have to solve. Actually, my 2 clients *liked* having everyone's name in the 2 companies handy because one was a vendor to the other.

As for whether it's supported, well hard to say. My guess is that MS would work with you. But anyone who's ever had a microbusiness client knows that support boundaries have to be viewed as elastic!

Multi-tenancy, in general, is a fuzzy support boundary across all of Microsoft, because every one of their (and others') current products was designed with single-tenancy in mind. Yet MS can't afford to turn its back on multi-tenancy and the cloud.

AD, Exchange, SharePoint, SQL, et al, support very well-defined user and computer objects. But Tenant objects are, today, make-believe. They are syntheses of repurposed, customized, single-tenant objects that we're largely on our own to figure out how to configure and support.

The MS EX2010SP2 multi-tenancy white paper linked to at the top of this page certainly reinforces that view! For that matter, so does the flip-flop on EX2010 /HOSTED vs EX2010SP2. They don't know what they're doing yet, either!

Today, multi-tenancy is an elaborate hack.

I don't think that will change in Microsoft [ProductNameHere] v.Next, but if Microsoft is as serious about the cloud as they say they are, then hopefully, by v.NextAfterThat we'll see baked in multi-tenancy.

In my opinion, then, and only then, can MS afford to tighten support multi-tenancy boundaries. And then, only for v.NextAfterThat.

@Tom Menasco

OK, I've re-read the bit about the GC & ABP's. So you won't be able to use this to separate the GALs on SBS, and MS no longer supports hacking ACLs to do this. So that's something you won't be able to do. If that's a dealbreaker, they'll each need their own system, or else one, or the other, or both, need to use an Exchange cloud provider in lieu of on-premises.

The rest, however, should work.

Anyway of working around the Global Catalog issue. I have a single server setup. Everything works great in OWA but with outlook the gal shows everyone. Also the OAB can't be downloaded. Any suggestions. Thank in advance.

I resetup from scratch new dc as global catalog and exchange as member server. All seems to work accept for downloading offline address book files in outlook when you hit send/recieve. Any luck on solving this issue? Thanks

The scripts are for On-Premises mode and not /hosted mode right?

Just wanted to say we grabbed the scripts today (5/9/12) and they all worked perfectly. After futzing with this for a couple of hours trying to do it by hand, I appreciate the time you put in to build these ... Maybe MS should send you some royalties :)

Let me start by saying THANK YOU! This script is awesome. I am posting this just in case anyone else needs the described functionality.

The script is built for an automatic default of if the user's name is John Doe the e-mail address is set to jdoe@domain.com. In my hosting environment it is important for me to be able to set the alias to JohnD@domain.com or even John.Doe@domain.com if necessary.
So what I did to fix this, is edit the new-user.ps1 file to the following.
--------------------------------------------------------------------------
--------------------------------------------------------------------------

In the upper section I added a parameter called $Alias like so.
--------------------------------------------------------------------------
Param
(
[parameter(Position=0, Mandatory = $true)]
[String] $Domain,

[parameter(Position=1, Mandatory = $true)]
[String] $TenantName,

[parameter(Position=2, Mandatory = $true)]
[String] $FirstName,

[parameter(Position=3, Mandatory = $true)]
[String] $LastName,

[parameter(Position=4, Mandatory = $false)]
[String] $Alias,

[parameter(Position=5, Mandatory = $true)]
[String] $DisplayName,

[parameter(Position=6, Mandatory = $true)]
[String] $Password,

[parameter(Position=7, Mandatory = $true)]
[Bool] $ResetOnLogon
)
--------------------------------------------------------------------------
--------------------------------------------------------------------------
in the function "CreateUser" just below the parameters, I changed "$alias = $FirstName.Trim().Substring(0,1).ToLower() + $LastName.Trim().ToLower()" to this:
--------------------------------------------------------------------------
if (!$alias) {
$alias = $FirstName.Trim().Substring(0,1).ToLower() + $LastName.Trim().ToLower()
}
----------------------------------------------------------------------------------------------------------------------------------------------------
this allows me to specify a "-alias" switch when running the script, or if I don't specify "-alias" it defaults to the original jdoe@domain.com.

Hope this helps anyone who needs it.

I just followed your instructions, skipping the custom attribute usage and everything is working perfectly. Am I missing something, will this break down the road?

Hello again, and thank you for your scripts. I have a problem regarding the Public Folder and the GAL. I have successfully segmented the public folders by CustomAttribute1, but i don't see the folders in the GAL. Have tried the following cmdlet:

Set-GlobalAddressList "GAL" -RecipientFilter {((CustomAttribute1 -eq 'XXX') -and (ObjectClass -eq 'user' -or ObjectClass -eq 'publicFolder'))}

But i still only see the users and not the Public Folders in the GAL. Any thoughts?

Thanks.

I experienced the issue where Address Book Policies worked fine through OWA but would show all address books and all users when using Outlook 2010. My environment consists of 8 servers: 2 DC, 2 CAS, 2 HT, and 2 MB servers. I am not running my CAS servers on a DC/GC but yet I still experienced this problem. I beat my head into the wall for a few hours until I ran across someone saying "Any Client Device or Client Software access Active Directory directly for Directory Access then ABP won’t work." My folly was that I was running Outlook 2010 on one of the DC servers initially and then later installed Outlook on one of the HT servers to test that it wasn't the DC that causing the issue. Once I installed Outlook 2010 on a client workstation, Address Book Policies worked fine. I am therefore assuming that Outlook on a DC uses a GC directly when it is sitting on one, and an HT also uses a GC directly as evidenced under Properties/System Settings of the HT. I spent several hours chasing a problem that wasn't really a problem except for where I was running Outlook. Hope this helps some people as I see a lot of people out there experiencing this issue and everyone blames the "CAS on DC" problem but that is obviously not the only scenario that causes this issue.

hi,
i have just 1 question, White Paper: Configuring Virtual Organizations and Address List Segregation in Exchange 2007 pubished some years ago this guide still valid?,
in Exchange 2010 SP2 can we follow this document for Active Directory Paritoning?

Kind Regards
Artiq

Any body help for following error:

The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.

Please Urgent

hi all,

any body help me on the following resolution,
i am creating user with this scripts, user created successfully with following order
First Name: mekail Last Name: Khan email created mkhan@mycloud.com i want to change email account with following order
First Name: Mekail Last Name: Khan mekail.khan@mycloud.com
any body provide me solution?

Regards
Artiq

Hi,

I get an error when trying to create a new tenant:
"...A value can't be provided automatically for the "Server..."

The full output from the powershell is below, I would appreciate any help:

VERBOSE: Connecting to SERVER10.SMARTITDECISIONS.COM
VERBOSE: Connected to SERVER10.SMARTITDECISIONS.COM.

Security Warning
Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your
computer. Do you want to run C:\Files\TenantScripts\New-Tenant.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): r
Created new organizational unit. [OU=Hosting]
Created new organizational unit. [OU=GannonsLAWLLP,OU=Hosting]
Added gannons.co.uk to the forest upn suffixes
Created the Accepted Domain
Created the Global Address List
Created the All Rooms address list
Created the All Users address list
Created the All Contacts address list
Created the All Groups address list
A value can't be provided automatically for the "Server" mandatory parameter. Specify an explicit value for the paramet
er and try again, or add the Verbose parameter to obtain more information about the failure.
At C:\Users\Administrator.SMARTITDECISION\AppData\Roaming\Microsoft\Exchange\RemotePowerShell\server10.smartitdecisions
.com\server10.smartitdecisions.com.psm1:29658 char:31
+ $steppablePipeline.End <<<< ()
+ CategoryInfo : InvalidData: (:) [New-OfflineAddressBook], InvalidOperationException
+ FullyQualifiedErrorId : 6F83D20B,Microsoft.Exchange.Management.SystemConfigurationTasks.NewOfflineAddressBook

Hi jdixon,

I like your script, it's nice! :)

Is there a reason why you don't add the UPN to the tenants OU?

You can do it like so:
Set-ADObject -Identity 'ou=contoso.com,ou=hosting,dc=cloud,dc=local' -Add @{uPNSuffixes='contoso.com'}

Hi Jacob, thanks AGAIN AND AGAIN for these scripts!

If you do write a GUI for this, I'm sure it will be appreciated. But please keep the scripts available, too, as your project evolves, because they're a good tool for understanding what needs to be done, and for copying snippets of known-working code.

Hello
Thanks for providing the scripts! Pretty nice work you did!

Anyone created distribution groups already? Are there some script availabile for that, how what do I need to take care, if I create a distribution group for a tenant manually?

Thanks
Phil

TIP: MS multi-tenant guidance says to disable scheduled OAB generation, but neither the document nor TechNet tells you how to do so with PowerShell. To disable scheduled OAB generation with PowerShell, append

-Schedule 'Never'

to the New-OfflineAddressBook command in the New-Tenant.ps1 script.

Thanks for all the wonderful script. I have a case with a tenant with multiple internet domain name, within the teanant, some users using @domainA.com and some using @domainB.com, and some with @domainA.com as primary SMTP and @domainB.com as the additional email address. Does the script would cater for this situation and how would be accomplish. Million thanks

Hello,

This is FANTASTIC!

I'm running into two errors when trying to run your script, but with a catch (please note that I've changed the actual param's, this is just an example):

First time I run New-Tenant.ps1 -Domain cloud.local -TenantName "My First Tenant" -TenantDomain "myfirsttenant.com" -Password Password1

I get the error "Failed to create universal group Organization Management"

I run it again...

I get the error "Failed to create universal group All Users"

I run it AGAIN and everything works! Has anyone else experienced this? Thanks in advance!

hello dear

you should run before creating tenant

in exchange management shell
Import-module activedirectort
set-executionpolicy remotesigned
&then run new-tenant.ps1 script

hope this informative.

Artiq

Hi and thanks. I have setup the tenants manually just as you described in the first part of your tutorial. I have two separate domains and they seem to be independant from one another in owa and outlook. I have a question about your scripts. Can i run them now in my existing setup.
Would i run : ./new-tenant newdomain.com and so forth. Sorry if i misunderstood something. Thanks

I absolutely love your script. It was exactly what i needed for a customer who was looking to extend their existing Exchange 2010 environment, to be able to host it to smaller devisions with their own domain. They were not to be allowed to see anything of the productions environment and vice versa, It works great! Thanx a bunch for all your hard work!!!