Exchange 2007 – Service Pack 1 – Service Pack 3 Address List Segregation Tool Version 2.2.0 .NET – Part 1 (Installation and initial Segregation)…

by Andy Grogan on August 3, 2010

Well, it is finally here – after months of development, hard work, swearing, beer, pizza and almost one divorce (mind you if there were two divorces on the cards I would have a lot of explaining to do) – I am very proud to present to you version 2.2.0 of my Exchange 2007 Address List Segregation Tool.

In this article I would like to take you through the process of installing the new version of the Segregation application – and provide you with some videos which illustrate how you can segregate your environment and add two companies to the configuration.

Please bear in mind the following considerations before you Segregate your Exchange environment:

Supported (As Per Microsoft):

Companies that want to totally segregate their address lists can do so by removing access to the Default Global Address List and creating two or more address lists or virtual organizations. You can also set up additional functionality to restrict searching via Outlook Web Access to particular organizational units (OUs) or specific address lists using the msExchQueryBaseDN attribute.

Unsupported (As per Microsoft):

This configuration is one where companies may want to totally segregate their address lists and still have access to the Default Global Address List, or try to split the Global Address List (GAL) into two separate address lists. An example of this configuration would be a company with two groups of 500 users that belong to the Sales and Finance departments. Both groups are in the GAL, however the desire is to have everyone access the GAL except one group. If you are going to segregate your address lists, then they will be segregated. Attempting this configuration will cause problems with the check names functionality which will prevent users from creating Outlook profiles, and can also break the OAB Generation Process. This also allows Outlook users to see all of the Address Lists from within Outlook, which cannot be changed.

Again you should also be aware of the following requirements BEFORE you begin the Segregation process:

  • You MUST be running Exchange 2007 at SP1 or later
  • Your Organization should be a native Exchange 2007 Organization (not in Interop mode with 2003 or 2000)
  • It is recommended that your AD configuration is a Single Forest and Single Domain
  • It is recommended that your AD Domain / Forest is operating at Full Windows 2003 Functionality

Assumptions

This article makes the following assumptions (please read them as most are very important):

  • Your environment is pure Exchange 2007 SP1 (or above) with Windows 2003 or Windows 2008 and at least 1 Windows 2003 Domain Controller operating in Native Mode.
  • The environment is either a test lab – OR – an Exchange organisation which has been freshly built for the purposes of Segregation. It is possible to Segregate an existing Exchange environment – but that is not something that I want to cover due to the risk involved – if you are planning to do that – please contact Microsoft Product Support services BEFORE you begin.
  • You have one Forest and one Domain (although technically possible, my tool and indeed this article do not support a multi-domain scenario).
  • You have a single CAS Server (my recommendation is that if you are working with a virgin Exchange environment – perform your Segregation with a single CAS in place – and then when you have configured the base infrastructure you can add in more roles. I recommend this as with one CAS server it is easier to identify which server has the OAB distribution role).
  • You have taken a backup of your Exchange Server(s) and Domain Controller(s) – including Active Directory BEFORE you begin – there are some processes that you will go through that are not easily reversible – where a restore from Backup would be the better course of action.

Requirements, New Features & Changes

Before you install the tool – you must ensure that the host platform (this can either be an Exchange Server which you intend to be part of the Segregated Environment or a management server) conforms to the following requirements (not doing so will result in the tool not functioning or causing undesirable output). The following is an overview of the requirements and the new features of the tool, which you should familiarise yourself with before continuing:

  • Now written in .NET – requires version 3.5 of the Framework
  • Requires Powershell 2.0, Exchange Management Tools and the Quest AD Cmdlets to be installed on the Segregation Machine (the tool does not support Powershell 1.0)
  • Simple – 2 minute tool installation
  • Segregate a virgin Exchange environment within 10 minutes!
  • Compatible with the x64 versions of Windows 2003, 2008 (including R2) and Exchange 2007 SP1 – 3
  • Automatically detects the basic Exchange 2007 settings of your environment natively (the previous version required a number of scripts to run prior to using the tool)
  • Faster Generation of the required scripts to segregate your environment
  • Export and Import Segregated Environment and Child Company Configurations
  • New, simplified interface layout
  • Configure both OU and Domain UPN Suffixes from within the Tool
  • Configure dsHeuristics from within the Tool
  • Configure users for Segregation within the tool
  • You MUST ensure that you have configured the Execution Policy of Powershell to be set to "RemoteSigned" – this can be accomplished by opening a Powershell command window and typing: Set-ExecutionPolicy RemoteSigned

Remember this tool MUST ONLY be used against Exchange 2007 SP 1 and above environments.
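
A read-only pre-flight check for the requirements listed above, as an added example that is not part of the tool or of the original article. The function names Test-AlstPrerequisites and New-Check are hypothetical; the snap-in names are assumed to be the ones registered by the Exchange 2007 Management Tools and the Quest AD cmdlets, and the script needs PowerShell 2.0 to parse.

```powershell
# Added example: read-only checks; nothing on the host or in AD is changed.
function New-Check($Name, $Passed, $Detail) {
    # One result row per requirement.
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Check  $Name
    $o | Add-Member NoteProperty Passed ([bool]$Passed)
    $o | Add-Member NoteProperty Detail "$Detail"
    $o
}

function Test-AlstPrerequisites {
    # The tool does not support PowerShell 1.0.
    $psMajor = $PSVersionTable.PSVersion.Major
    New-Check 'PowerShell 2.0 or later' ($psMajor -ge 2) "major version $psMajor"

    # .NET 3.5 setup writes Install = 1 under this registry key.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    $net = Get-ItemProperty $key -ErrorAction SilentlyContinue
    New-Check '.NET Framework 3.5' ($net -and $net.Install -eq 1) $net.Version

    # The article requires the RemoteSigned execution policy.
    $policy = Get-ExecutionPolicy
    New-Check 'Execution policy RemoteSigned' ($policy -eq 'RemoteSigned') $policy

    # Snap-in names are assumptions (see lead-in); adjust if yours differ.
    $snapins = @{
        'Exchange Management Tools' = 'Microsoft.Exchange.Management.PowerShell.Admin'
        'Quest AD cmdlets'          = 'Quest.ActiveRoles.ADManagement'
    }
    foreach ($label in $snapins.Keys) {
        $s = Get-PSSnapin -Registered -Name $snapins[$label] -ErrorAction SilentlyContinue
        New-Check $label ($s -ne $null) $snapins[$label]
    }

    # Record the current dSHeuristics value so it can be compared after segregation.
    try {
        $cfg = "$(([ADSI]'LDAP://RootDSE').configurationNamingContext)"
        if (-not $cfg) { throw 'RootDSE not reachable' }
        $ds  = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
        $val = "$($ds.dSHeuristics)"
        if (-not $val) { $val = 'Not Set' }
        New-Check 'dSHeuristics readable' $true $val
    } catch {
        New-Check 'dSHeuristics readable' $false $_.Exception.Message
    }
}

Test-AlstPrerequisites | Format-Table Check, Passed, Detail -AutoSize
```

Run it in the same PowerShell host (x64) and under the same account that will launch the tool, and keep the recorded dSHeuristics value alongside your backups.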

Download

You can obtain the latest version of the ALST from the link provided below:

ALST 2.2 – Installer [ 500K ]

Installation

When you have downloaded the tool from the website to either your Exchange Server or Management machine – double click on the “SetupALST220.exe” file – to begin the setup process – see below

seg22001

The setup wizard will then begin – you will be presented with the welcome screen – click on the “Next” button to continue – see below

seg22002

You will then be presented with the License Agreement screen – the tool is released under the GPL version 3.0, so please read (at least some of) the agreement – particularly the part about use at your own risk! When happy – click on the “Next” button to continue – see below

seg22003

You will then be asked to confirm the name of the entry within the Windows Start menu for the tool – you can also opt not to create a start menu item, when you have made up your mind on the choices that you would like to go with, click on the “Next” button – see below

seg22004

You will then be asked if you would like to create a Desktop and Quick launch icon – make your choices and click on the “Next” button – see below

seg22005

You will then be presented with the summary of the installation options which you have chosen – confirm them and then click on the “Install” button to begin the installation – see below

seg22006

When the installation is completed you will be notified via the screen below – choose if you would like to launch the program and then click on “Finish” – see below

seg22007

When you first launch the tool (and you have the correct pre-requisites installed) you will be presented with the screen below. You will notice that there is not much enabled initially – and you will see that under “Active Directory dsHeruristics Status” there is an entry in Red stating “Not Set” – this is normal and the operation of the tool will be covered in a later section – see below

seg22008

There are two other important items of information on the main screen these are:

  • Exchange Management Tools Status
  • Quest AD Extensions Status

If either of these has Red entries after it – you will NOT be able to use the tool until they are installed – in the example below you can see what will happen if the Quest elements are not installed – see below

seg22009

Using the Tool – Segregation of the Environment & First Company

The tool itself is capable of Segregating an Exchange environment complete with your first child company within 7 minutes (of course this figure has come from testing with a single domain controller in a lab – so some of the steps are dependent on AD replication).

Rather than use the traditional route of “death by screen shots” I have decided to go through the actual process of Segregation using a video run through.

You can watch the video by downloading it for viewing offline:

Segregation 2.2.0 Part 1 [51 MB – Windows Media Format ]

The Video takes you through the basic functionality of the tool, how to configure your main and first environment and then add users to the configuration. You will need Microsoft Silverlight installed – or if you choose to download the file for offline viewing you will need to ensure that you have Windows Media player installed.

Ensuring that the SMTP Addressing Policy has been applied

After you have Segregated your organisation and created your first company and Segregated in some users you might see that the child company Primary SMTP addressing has not applied to the user objects (this normally happens with pre-existing users whom you add into the environment rather than new users directly into the segregated configuration) – see below

seg22011

Should this happen all you need to do is open the Exchange Management Console and navigate to [ Organization Configuration –> Hub Transport –> Child Companies Address Policy ] – see below

seg22012

Right click on the child companies address list policy, and from the pop up menu which appears choose “Apply” – see below

seg22013

This should fix the issue.

In the next part of the article I will take you through the following elements:

  • How to add a second company to the environment
  • How to Segregate individual users
  • Custom Actions included within the tool
  • Working with the full Outlook client


sajid August 5, 2013 at 10:09 am

Can we use this tool for Exchange 2013 GAL segregation?


Andy Grogan August 5, 2013 at 5:48 pm

Hiya Sajid,

No, the tool is only compatible with Exchange 2007 SP1 to SP3. The difference in schema and permissions changes between Exchange 2007 SP 1 and Exchange 2010 – meant the tool was not compatible with 2010 RTM and above and should NOT be used.

In Exchange 2010 SP3 Microsoft introduced Address Book Policies – which effectively allow for segregation – see here: http://technet.microsoft.com/en-us/library/hh529948(v=exchg.150).aspx
The link above also applies for Exchange 2013.

Just to be sure – do not use the ALST with any version of Exchange from 2010 RTM and above – doing so will cause significant problems.

Cheers
A
