Shared Exchange Hosting Ideas

This is really the tricky part of a hosting solution with Exchange 2007. Exchange Server 2007 scales very well to thousands of mail enabled objects, so it's not a question of size. The difficult part is isolating each hosted organization in order to give them a user experience as if they were the only organization on the server.

What we did in Part 1 of this article was to create different address lists and to assign each mail enabled object its own e-mail address policy. If we did nothing else, the user would see everyone else hosted on the server when he or she used Outlook (Figure 1). The desired scenario is a complete isolation of the address lists. We want our Maxwell Smart to only see the other CONTROL Agents, as illustrated in Figure 2.

And how do we accomplish this? By playing around with ADSI Edit and ACLs and using some non-standard procedures that Microsoft neither recommends nor supports. But since I'm writing for academic purposes, I'll show you how.

Figure 1

Figure 2

Active Directory Object Permissions Quick Tutorial

The most common read permissions (List Contents, Read All Properties, and Read Permissions) are usually enough to cover most scenarios, but for our slightly advanced configuration we'll need to use a less known permission: List Object. Figure 3, taken from ADSI Edit, illustrates the advanced security properties of an Active Directory object.

Figure 3

To enable the List Object functionality, you must modify the dSHeuristics property (using ADSI Edit,) of the object CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=mydomain, DC=local (Figure 4). The property uses string syntax and by default the value is not set, but its internal default is 0. The dSHeuristics is a Unicode string in which each character contains a value for a single domain-wide setting. The third character from left controls the List Object functionality. In other words, to enable it, you must write 001 into the dSHeuristics property (Figure 5).

Figure 4

Figure 5

While the List Contents permission allows viewing of all immediate child objects, using List Object allows hiding some of them. If someone doesn't have List Contents to the parent object, List Object can be used to grant him permission to see the existence of individual child objects. That user sees only those child objects for which he has the List Object permission and the remaining child objects are invisible to him.

Note:
For the List Object permission to work, you must grant it also for the parent object. Consequently, you must block permission inheritance of those child objects that you want to make invisible by removing List Object from them. Modifying the dsHeuristics property can greatly increase the number of access check calls that are made, and can have a significant negative effect on performance.

For more information on this subject, please read Controlling Object Visibility.

Modifying Permissions for the Address Lists Containers

WARNING!:
THE FOLLOWING PROCEDURES ARE NEITHER SUPPORTED NOR RECOMMENDED BY MICROSOFT!

We'll use ADSI Edit from the Windows 2003 Support Tools to tweak the permissions of the Address Lists containers (All Global Address Lists, All Address Lists and the Offline Address Lists) and sub containers.

The procedure consists of the following steps:

Containers

• Remove Permissions Inheritance for All Address Lists, All Global Address Lists, Offline Address Lists;
• In the Security tab, remove the Anonymous Logon, Everyone and Authenticated Users;
• Add Authenticated Users and grant them List object so they can access the folders below containing their own address lists (using PowerShell).

Address Lists

• Remove Permissions Inheritance for each Address List, GAL and OAB we created;
• Remove Authenticated Users from the Security tab;
• Add the appropriate permissions for each list, so that only one organization can read them.

1. So, let's start by running ADSI Edit, expand Configuration | CN=Configuration,DC=mydomain,DC=local | CN=Services | CN=Microsoft Exchange | CN=My Organization | CN=Address Lists Container, right click CN=All Address Lists and select Properties (Figure 6).

Figure 6

2. Go to the Security tab, click Advanced and deselect Allow inheritable permissions from the parent to propagate to this object... (Figure 7). After clicking OK, select Copy on the Security warning (Figure 8). Some other warnings will pop up, select Yes in all of them (Figure 9, Figure 10).

Figure 7

Figure 8

Figure 9

Figure 10

3. Back at the Security tab, remove the Anonymous Logon, Everyone and Authenticated Users and click OK.
4. Repeat steps 1-3 for All Global Address Lists and Offline Address Lists.
5. Add the List Object permission for Authenticated Users. In order to automate this task, let's use some PowerShell commands (Figure 11):
   
   $container = "CN=All Global Address Lists,CN=Address Lists Container,CN=My Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local"
   Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject
   
   $container = "CN=All Address Lists,CN=Address Lists Container,CN=My Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local"
   Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject
   
   $container = "CN=Offline Address Lists,CN=Address Lists Container,CN=My Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local"
   Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject

Figure 11

6. Let's move on to the lists we previously created. Repeat steps 1-2 for each Address List, Global Address List and Offline Address List created for our spy agencies.
7. For each of the previously mentioned lists, remove Authenticated Users from the Security tab.
8. Add appropriate permissions for each list, so that only one organization can read its own list. We can use the following PowerShell commands (Figure 12):
   
   $container = "CN=KAOS GAL,CN=All Global Address Lists,CN=Address Lists Container,CN=My Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local"
   Add-ADPermission $container -User "KAOS Agents" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book
   
   $container = "CN=KAOS AL,CN=All Address Lists,CN=Address Lists Container,CN=My Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local"
   Add-ADPermission $container -User "KAOS Agents" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book
   
   $container = "CN=KAOS OAB,CN=Offline Address Lists,CN=Address Lists Container,CN=My Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local"
   Add-ADPermission $container -User "KAOS Agents" -AccessRights GenericRead, ListChildren -ExtendedRights ms-Exch-Download-OAB

Figure 12

Additional Active Directory Tweaks

With the right permissions in place, the correct Global Address List for each hosted company will be displayed. But for the general Address List and Offline Address Book, further Active Directory tweaking is necessary.

For the Address Lists, we must add each distinguished name to the addressBookRoots attribute of CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=mydomain, DC=local.

In order to do this, we can edit the properties of each address list and copy the distinguishedName attribute value (Figure 13). Next, right click CN=Microsoft Exchange, select Properties (Figure 14) and add the previously copied value to addressBookRoots. Repeat these steps for each address list. Figure 15 depicts all the address book roots that Exchange will use (All Address Lists, CONTROL AL and KAOS AL).

Figure 13

Figure 14

Figure 15

As for Offline Address Books, since we use multiple OABs, we must determine which users download which OAB. There are three ways to specify that:

• Per-Mailbox Database: By using the Exchange Management Console or the Exchange Management Shell, you can specify the public folder database and the OAB that recipients download by linking the OAB to the mailbox database.
• Per-Recipient: By using the Set-Mailbox cmdlet in the Exchange Management Shell, you can specify which OAB recipients will download by linking the OAB to the recipient's mailbox.
• Per Multiple Recipients: By using a pipelined command in the Exchange Management Shell, you can specify multiple OAB recipients to download a specific OAB based on common attributes.

For our hosted scenario, there's no specific requirement to separate the different organizations in different Database stores. Nevertheless, I would say that it would be a best practice. In this case, we can determine the specific OAB by using EMC. Expand Server Configuration, select Mailbox, right click the database store you want to modify and select Properties. Go to the Client Settings tab and Browse the desired OAB (Figure 16). Click OK.

Figure 16

If you prefer, we can use multiple recipient filtering and set the OAB with PowerShell:

Get-User -Filter { userPrincipalName -like "*@control.org" } | Set-Mailbox -OfflineAddressBook "CONTROL OAB"

Get-User -Filter { userPrincipalName -like "*@kaos.org" } | Set-Mailbox -OfflineAddressBook "KAOS OAB"

After using either method (EMC or PowerShell), you can check the attributes of one of our secret agents and see that the msExchUseOAB value points to the right Offline Address Book (Figure 17).

Figure 17

We could also have used ADModify.NET to perform the attribute change. We'll use this tool a little bit ahead to illustrate its potentials.

Our last AD tweak is necessary to restrict OWA address view searches. In Outlook Web Access, you can view all address lists in Active Directory, regardless of the permissions that are set on the address list. Without this restriction, all users could see everyone else's address lists, as depicted in Figure 18.

Figure 18

To restrict access so that OWA users can only view the address lists for which they have permission, you can configure the msExchQueryBaseDN attribute for the OWA user.

This time we'll use ADModify.NET. Start by running this tool and clicking Modify Attributes (Figure 19).

Figure 19

From the drop down list, select a domain and a domain controller and click the big green button. This will add the domain to the lower pane, which you must expand by double clicking it. Select the OU that contains your users and click Add To List. The users will be displayed in the right pane (Figure 20). Click Next.

Figure 20

Select the Exchange General tab and modify the attributes you want (Figure 21). For Control Agents we want to limit the OWA address list search to their own OU, so the value of msExchQueryBaseDN will be OU=CONTROL,OU=Hosting,DC=mydomain,DC=local. Note that this could also have been used to modify msExchUseOAB.

 

2008 Virtualization

Server virtualization, also known as hardware virtualization, is a hot topic in the IT world because of the potential for serious economic benefits. Server virtualization enables multiple operating systems to run on a single physical machine as virtual machines (VMs). With server virtualization, you can consolidate workloads of underutilized server machines onto a smaller number of fully utilized machines. Fewer physical machines can lead to reduced costs through lower hardware, energy, and management overhead, plus the creation of a more dynamic IT infrastructure. To learn more about Microsoft and virtualization, please visit the Virtualization Web site, or the Virtualization TechCenter.

With Windows Server 2008, everything needed to support server virtualization is available as an integral feature of the operating system as Windows Server 2008 Hyper-V. With Hyper-V as a role, plus simple licensing policies, it's now easier than ever to take advantage of the cost savings of virtualization through Windows Server 2008:

Microsoft has reached another key milestone in the development of Hyper-V, with a feature-complete version now available for download as a release candidate (RC). You can download the update for Hyper-V RC here and experience the improved stability, usability and performance and also test the support for additional guest operating systems.

Introducing Windows Server 2008 Hyper-V

Windows Server 2008 Hyper-V, the next-generation hypervisor-based server virtualization technology, allows you to make the best use of your server hardware investments by consolidating multiple server roles as separate virtual machines (VMs) running on a single physical machine. With Hyper-V, you can also efficiently run multiple different operating systems—Windows, Linux, and others—in parallel, on a single server, and fully leverage the power of x64 computing.

Core Scenarios for Hyper-V

Hyper-V provides a dynamic, reliable, and scalable virtualization platform combined with a single set of integrated management tools to manage both physical and virtual resources, enabling you to create an agile and dynamic data center. Hyper-V enables:

·         Server Consolidation

Businesses are under pressure to ease management and reduce costs while retaining and enhancing competitive advantages, such as flexibility, reliability, scalability, and security. The fundamental use of virtualization to help consolidate many servers on a single system while maintaining isolation helps address these demands. One of the main benefits of server consolidation is a lower total cost of ownership (TCO), not just from lowering hardware requirements but also from lower power, cooling, and management costs.

Businesses also benefit from server virtualization through infrastructure optimization, both from an asset utilization standpoint as well as the ability to balance workloads across different resources. Improved flexibility of the overall environment and the ability to freely integrate 32-bit and 64-bit workloads in the same environment is another benefit.

·         Business Continuity and Disaster Recovery

Business continuity is the ability to minimize both scheduled and unscheduled downtime. That includes time lost to routine functions, such as maintenance and backup, as well as unanticipated outages. Hyper-V includes powerful business continuity features, such as live backup and quick migration, enabling businesses to meet stringent uptime and response metrics.

Disaster recovery is a key component of business continuity. Natural disasters, malicious attacks, and even simple configuration problems like software conflicts can cripple services and applications until administrators resolve the problems and restore any backed up data. Leveraging the clustering capabilities of Windows Server 2008, Hyper-V now provides support for disaster recovery (DR) within IT environments and across data centers, using geographically dispersed clustering capabilities. Rapid and reliable disaster and business recovery helps ensure minimal data loss and powerful remote management capabilities.

·         Testing and Development

Testing and development are frequently the first business functions to take advantage of virtualization technology. Using virtual machines, development staffs can create and test a wide variety of scenarios in a safe, self-contained environment that accurately approximates the operation of physical servers and clients. Hyper-V maximizes utilization of test hardware which can help reduce costs, improve life cycle management, and improve test coverage. With extensive guest OS support and checkpoint features, Hyper-V provides a great platform for your test and development environments.

·         Dynamic Data Center

Hyper-V, together with your existing system management solutions, such as Microsoft System Center, can help you realize the dynamic data center vision of providing self-managing dynamic systems and operational agility. With features like automated virtual machine reconfiguration, flexible resource control, and quick migration, you can create a dynamic IT environment that uses virtualization to not only respond to problems, but also to anticipate increased demands.

Key Features of Hyper-V:

·         New and Improved Architecture. New 64-bit micro-kernelized hypervisor architecture enables Hyper-V to provide a broad array of device support methods and improved performance and security.

·         Broad OS Support. Broad support for simultaneously running different types of operating systems, including 32-bit and 64-bit systems across different server platforms, such as Windows, Linux, and others.

·         Symmetric Multiprocessors (SMP) Support. Ability to support up to four multiple processors in a virtual machine environment enables you to take full advantage of multi-threaded applications in a virtual machine.

·         Network Load Balancing. Hyper-V includes new virtual switch capabilities. This means virtual machines can be easily configured to run with Windows Network Load Balancing (NLB) Service to balance load across virtual machines on different servers.

·         New Hardware Sharing Architecture. With the new virtual service provider/virtual service client (VSP/VSC) architecture, Hyper-V provides improved access and utilization of core resources, such as disk, networking, and video.

·         Quick Migration. Hyper-V enables you to rapidly migrate a running virtual machine from one physical host system to another with minimal downtime, leveraging familiar high-availability capabilities of Windows Server and System Center management tools.

·         Virtual Machine Snapshot. Hyper-V provides the ability to take snapshots of a running virtual machine so you can easily revert to a previous state, and improve the overall backup and recoverability solution.

·         Scalability. With support for multiple processors and cores at the host level and improved memory access within virtual machines, you can now vertically scale your virtualization environment to support a large number of virtual machines within a given host and continue to leverage quick migration for scalability across multiple hosts.

·         Extensible. Standards-based Windows Management Instrumentation (WMI) interfaces and APIs in Hyper-V enable independent software vendors and developers to quickly build custom tools, utilities, and enhancements for the virtualization platform.

Note: Microsoft believes that most customers now expect virtualization capabilities in their server OS. However, based on customer demand, Windows Server 2008 will be able to be licensed without Hyper-V. To learn more, please visit the Licensing without Hyper-V page.

System Center Virtual Machine Manager

System Center Virtual Machine Manager is a comprehensive heterogeneous management solution for the virtualized data center. Virtual Machine Manager enables increased physical server utilization, centralized management of virtual machine infrastructure and rapid provisioning of new virtual machines by the administrator and authorized end users. Virtual Machine Manager provides the best solution for leveraging existing IT administrative skills and processes for managing the virtual and physical environment.

 To learn more, please visit the System Center Virtual Machine Manager Web site.

 

Multiple Domains with Exchange Server 2007

Exchange Server 2007 Recipient Policies and Accepted Domains

The e-mail address recipient policy concept in Exchange 2003 is separated into two concepts in Exchange 2007: E-mail Address Policies (EAP) and Accepted Domains. This blog post covers the relationship of EAP and accepted domains in Exchange 2007 and how the functionality of e-mail address recipient policies in Exchange 2003 maps to EAP and Accepted Domains in Exchange 2007.

Relationship of EAP and Accepted Domains in Exchange 2007

EAP defines the e-mail proxy addresses that are stamped onto recipient objects. Accepted domains define the SMTP namespaces for which an Exchange organization routes e-mail. Any accepted domain added to the system can be linked to an EAP so that it will generate recipient e-mail addresses for this accepted domain. And every EAP must link to an existing accepted domain so that e-mails sent to e-mail addresses that are defined by the EAP can be routed by Exchange 2007 transport servers.

In Exchange 2007, authoritative and relay domains are managed together as accepted domains. In Exchange Management Console, the Accepted Domains tab of Hub Transport node under Organization Configuration work center is used to manage all accepted domains defined in the organization.

E-Mail Address Policy wizard provides the console GUI used to select an accepted domain for which a new e-mail address policy applies. Only accepted domains defined in the Exchange 2007 organization can be added to the list in the EAP.

PowerShell cmdlets can also be used to manage accepted domains and e-mail address policy.

E-Mail Address Recipient Policies in Exchange 2003

In Exchange 2003, there are two kinds of recipient policies: e-mail address recipient policies and mailbox manager recipient policies. Mailbox manager recipient policies are not the focus of this blog post and will not be discussed further. E-mail address recipient policies combined the concepts of EAP and accepted domains in Exchange 2007. Below is the ESM GUI to configure a domain to be stamped with recipient e-mail addresses. Notice that there is an option (highlighted with a red rectangle) to set this domain as an authoritative domain or not – the accepted-as-authoritative-domain equivalent in Exchange 2003.

There are three problems with this combined e-mail address recipient policy concept:

1. If a domain is specified for an e-mail address recipient policy but not set as an authoritative domain, e-mails sent to recipients with e-mail addresses defined by the policy will not be routed within the Exchange organization for this domain. This is an invalid scenario, but the ESM GUI doesn’t block this.
2. The authoritative domain concept is hidden under the e-mail address recipient policy GUI, which is not very discoverable.
3. Relay domains are managed through Connector GUI; a completely different location than authoritative domain management, which increases managing complexity. Below is the snapshot of managing relay domains through Connectors ESM GUI.

For these reasons, the e-mail address recipient policy concept in Exchange 2003 is separated into EAP and Accepted Domains for better discoverability and management in Exchange 2007.

- Jared Zhang

Published Thursday, November 16, 2006 5:14 PM by Exchange
Filed Under: Administration, All Posts, Exchange 2007

Comments

	KW said: In the most recent E2K7 release I have, the EAP can only be filtered based upon a limited set of parameters through the GUI (Company, Department, etc.).  Is this the plan long term or will this be extended?  In 2003 the LDAP method could be problematic if people were tempted to try and get too fancy without understanding the LDAP queries they used, but it also provided a way to apply a policy or policies based on group membership or OU structure.  This does not appear to be an option at this point. November 23, 2006 2:32 AM
	Jared (Ji-Chao) Zhang said: For E2K7 RTM, we support a set of attributes (Company, Department, State or Province and custom attributes) in the precanned filter for EAP/AL/DDG in GUI. This avoids OPATH syntax filter to make it easier to understand. PowerShell cmdline can be used to create custom OPATH filters for EAP/AL/DDG.   November 23, 2006 3:05 AM
	MartinW said: So, hypothetically speaking, if I had a domain that was only partially hosted in the exchange organization, how would I forward emails out of it to another organization.  I can do this in 2000 and 2003 by doing this: http://support.microsoft.com/kb/321721/ I'm a bit confused about the difference between the 'Internal Relay Domain' and 'External Relay Domain' options for accepted domain.  Would I select one of those options an set up a send connector to forward it out to the second organization? December 1, 2006 1:35 AM
	PeterL said: I have the same question as MartinW, is there an answer? December 7, 2006 9:22 AM
	You Had Me At EHLO... said: Policies in Exchange are designed to enable flexible administration of large numbers of Exchange objects.... January 22, 2007 12:21 PM
	Evan Dodds - Microsoft Exchange Server Blog said: I have previously listed the progress we've been making in posting ITPro focused Systems Management blog January 23, 2007 6:44 PM
	Johan said: Hi Is there possible to enter a LDAP Query as i E2K3? I base my Recipient Policies on member Of... For example; (&(objectCategory=*)(memberOf=CN=GroupName,OU=TestCustomer,OU=Customers,DC=contoso,DC=com)) /Johan February 4, 2007 3:46 PM
	Josh43 said: In reply to MartinW, since I found his question while searching for my own answer: I found the documentation here: http://technet.microsoft.com/en-us/library/d6b37212-1fec-4b47-b4dc-8e1ad43f438a.aspx That basically hints at the solution: " Internal Relay Domain: To specify that recipients in this domain do not have mailboxes in this Exchange organization but do have contacts in the address book and that mail will be relayed for this domain through Hub Transport servers in this Exchange organization, select this option." Which states that email for this domain will go through the hub transport servers (standard send connectors); so, set the domain as an internal relay This is working flawlessly in the test config I have, though a hint: you need an external DNS server manually specified, and probably the external IP or FQDN specified as the reply to EHLO. February 7, 2007 3:17 PM
	Dave Baird said: I have an issue with multiple EAPs using Custom Attributes to stamp mailboxes with an appropriate SMTP address.   My environment needs to accept email for several domains, and a large number of users need more than one email address. I used Custom Attributes to specify strings for the users (i.e. dept1, dept2) but have found it only stamps the mailboxes with the highest one in the order. i.e. Policy 1 has the highest priority and uses Custom Attrib1, Policy 2 has priority 2 and uses Custom Attrib2.  If I enter both Custom Attribs only the SMTP address for Policy1 gets stamped on the mailbox. I have found through elimination that I need to apply the custom attributes in reverse order and let the lower priority/lower attrib number SMTP address be stamped before applying the next attribute, or I only get the highest priority policy address. This is very time consuming. For users with only one Custom Attrib, it works fine. Has anyone else seen anything similar? February 8, 2007 7:07 PM

 

Top 6 Ways To Go Green With Computing

D&K Enterprise LLC provides the highest quality consulting for computer network setup and support programs in your area. We are eager to help you transition to a Microsoft domain, paperless system, or virtualize your servers. Our favorite thing to do is help our customers save money!

This goal is accomplished in a plethora of ways:

                1. Use less electricity, hardware, paper and toner

                2. Providing networking systems that are easier to maintain (much less time and resources needed)

                3. Setting up a remote management system for faster resolution of trouble tickets leading to increased productivity and employee satisfaction

                4. Virtualizing the work environment so anyone can do their work from home, answer phones etc... as if they are in the office(saves gas too)

                5. Setup content filters on the Internet to increase staff productivity

                6. Cut your phone bill in half and increase the amount of features.

-Please call us at your earliest convenience and we would be happy to discuss options that will meet your companies needs and hopefully go beyond your expectations.

Toll Free: (866) 760-8298    -   Email: info@dandkenterprise.com

Headquartered downtown Fort Lauderdale: (954) 622-8424

 

Editing a PDF from Office 2007

Question: I have and installed the above referenced program but apparently the version I have will not function with Office 2007.    Version 7.0.7

 

Specifically, it will not create .pdfs.  It will only manipulate existing .pdfs created with previous versions of Office.

 

I did attempt to save a Word document as previous Word document version using Office 2007 and then open the .doc with the Adobe application.  I was unable to open said.  (screen capture attached)

 

This position will require the creation of .pdfs on a regular basis.  Would you happen to have an Adobe application that could be installed on this machine that would allow .pdf creation and manipulation from Office 2007?  Or, is there a patch for this version of Adobe?  I was unable to determine this from reading online.

 

Answer: You should try to use the built-in Save As function in Office 2007 which allows you to choose the save as .PDF file type.

 

Then you can open it and attempt to edit with Adobe Acrobat 3D.