Exchange 2007 Service Pack 1 and Address List Segregation – Part 3 (Finalising the Configuration)…

I need to apologise to you all for what has been a really long time in finishing this series. I hadn’t forgotten about it, I just got a little busy, and found a couple of other things that I wanted to write about before I forgot about them – the long and short of the situation is that I am a bone head and should have completed it before now.

The previous parts to this series are located here:

In the last part we covered the installation and configuration of my custom tool (the Address List Segregation Tool), which generates a number of PowerShell scripts that are required to segregate your Exchange 2007 environment. If you have completed all of the steps in Part 2 you will now have 15 scripts which are ready for execution.

In this (the final) part I would like to go through the execution order of each script – configuring the first user of your first segregated company, then how you can add a second company.

Script 1 – Create the Hosting Companies OU:

Log on to your Exchange Server and open the Exchange Management Shell [ START –> Programs –> Microsoft Exchange Server 2007 –> Exchange Management Shell ] - when the shell opens, type in the following command:

cd <Path To Seg Tool>\Scripts – therefore if you have used the installation defaults the command would be cd c:\segtool\scripts

To execute the first script type in the following:

./<script1 name.ps1> and then press enter – therefore if you have followed the naming convention from part 2 the script name is Step1-CreateHostingOU.ps1 so the command would be ./Step1-CreateHostingOU.ps1

You can check whether the script has been successful by checking that the correct OU has been created in Active Directory (which for the purposes of this article would be “MaverickHosts”).

Script 2 – Modify Permissions on the All Address Lists Container:

Using the same method as above to execute scripts – run script 2 – you will be prompted to confirm – see below

[Screenshot: adls-srpt2]

Please enter in a value of “A” to confirm the changes.

Script 3 – Delete All the default Address Lists:

Using the same method as above to execute scripts – run script 3 – you will be prompted to confirm – again choose “A” – you will notice that the membership of the Address Lists will be recalculated during the process.

Scripts 4 – 15:

Executing scripts 4 through to 15 will perform the following tasks:

  • Script 4 – Restrict Access to the GAL
  • Script 5 – Restrict Access to the Offline Address List Container
  • Script 6 – Create a Security Group for all Hosted Groups
  • Script 7 – Create the OU within the Hosting OU for the first company
  • Script 8 – Create a new security group for the users of the first hosted company
  • Script 9 – Create a new accepted domain for the first hosted company
  • Script 10 – Create a new e-mail address policy for the first hosted company
  • Script 11 – Create a new address list for the first hosted company
  • Script 12 – Modify permissions on the new address list
  • Script 13 – Create a new Global Address List for the first hosted company
  • Script 14 – Create a new offline address book for the first hosted company
  • Script 15 – Modify permissions on the Offline Address Book

Creating a user within your first hosted company:

Now that we have set up the parent hosting company and the first hosted environment within Exchange and Active Directory - we are now ready to add a user.
In order for the user to appear correctly we will need to modify the following attributes on the user's account within Active Directory:

  • Memberof
  • msExchUseOAB
  • msExchQueryBaseDN
  • CustomAttribute1

The above values can be modified from within PowerShell - but obviously before we can do this we need a user to play with - therefore either via the Exchange Management Shell or indeed the Management Console create a new user (who for the purposes of this article will be part of the "TopSpin" company - if you have created your own company then you will need to change the values accordingly).

Remember when you create your new user to place them within the Hosted Companies OU - this would be under [ MaverickHosts -> TopSpinToys-OU ]

For this example - I have created a user with a mailbox called "TopSpin Postmaster"  with a username (or alias) of "TopSpin".

In order to create the user I used the Exchange Management console to create the new recipient - this allows for you to create the Windows account and the mailbox - whilst also allowing you to place the new user within the correct OU.

When the user is set up within Active Directory, a number of changes need to be made to make it function correctly as part of the Hosted company that you have set. These changes can be a little fiddly - therefore I have provided the following script which you can run against your new user once created:

ScriptConfSegUser.ps1 [2KB]

*** UPDATE: there is a copy of the above script which now allows for the configuration of users on an OU basis ***

Located here: http://www.telnetport25.com/exchange-2007-scripts/328-configure-segregated-user-script-by-organisational-unit.html

** End Update **
In order for the script to work you will need to download and install the following tools on your Exchange Server (these tools are harmless to an Exchange installation and in some cases might already be present):

When you have downloaded and installed the above you will need to ensure that the Quest Libraries are activated within PowerGUI - this can be done by running the PowerGUI Script Editor [ START->Programs->PowerGUI->PowerGUI Script Editor ] and then navigating to [ File->PowerShell Libraries ] then making sure that the "Quest.ActiveRoles.ADManagement" option is ticked.

When you have the above tools installed you can download the script (I recommend that you place it within the Scripts Directory of the Segregation Tool - this should be c:\segtool\scripts) - when you have completed that open the PowerGUI Script Editor (using the instructions above) and open the script file.

When the file is open in the Editor window navigate to [ Debug->Run in External Powershell Window ] - see below

[Screenshot: pgse]

Upon execution the script will ask you the following questions:

  • The samAccountName of the user that you
  • The Distribution (or Security Group) for the hosted company
  • The OAB for the hosted company
  • The Name of the OU for the Hosted Company
  • The name of your Hosted Company

Provide the answer to each input to configure the recipient for your first hosted company - an example output is given below:

[Screenshot: usrcfgscript]

Your recipient should now be configured - in order to test your configuration log on to OWA with the user and open the Global Address Book - you should only see the user and the Distribution Group for your first hosted company - see below:

[Screenshot: galex]

You can use this script for all new mailboxes which are to be placed within a company OU.
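
A quick way to review what the configuration should leave behind on each user, as an added example (it is not the ConfSegUser script or any other code from this series): the check below compares a user's four attributes with the values expected for the company. The mapping of attributes to the script's inputs, the company, group and OAB names, and the DC=example,DC=local domain are assumptions; CustomAttribute1 is stored in Active Directory as extensionAttribute1.

```powershell
# Added example: offline check of the four segregation attributes.
# Assumption: the values below are what a correctly configured user carries.
# All DNs are constructed samples (DC=example,DC=local is a placeholder).
$ou = 'OU=TopSpinToys-OU,OU=MaverickHosts,DC=example,DC=local'
$expected = @{
    CompanyName = 'TopSpinToys'                  # sample company name
    CompanyOuDn = $ou
    GroupDn     = "CN=TopSpinToys-Users,$ou"     # hypothetical group name
    OabDn       = 'CN=TopSpinToys-OAB,CN=Offline Address Lists,DC=example,DC=local'  # shortened sample DN
}

function Test-SegregatedUser {
    param($User, $Expected)
    $findings = @()
    # The account must live inside the company's OU.
    $suffix = (',' + $Expected.CompanyOuDn).ToLower()
    if (-not $User.distinguishedName.ToLower().EndsWith($suffix)) {
        $findings += 'account is outside the company OU'
    }
    # An empty or foreign search base means lookups are not confined to this company.
    if ($User.msExchQueryBaseDN -ne $Expected.CompanyOuDn) {
        $findings += 'msExchQueryBaseDN does not point at the company OU'
    }
    if ($User.msExchUseOAB -ne $Expected.OabDn) {
        $findings += 'msExchUseOAB is not the company OAB'
    }
    # CustomAttribute1 is the Exchange name for extensionAttribute1.
    if ($User.extensionAttribute1 -ne $Expected.CompanyName) {
        $findings += 'CustomAttribute1 does not match the company name'
    }
    if (@($User.memberOf) -notcontains $Expected.GroupDn) {
        $findings += 'user is not a member of the company group'
    }
    return $findings
}

# Constructed sample records; on a live system read these attributes from AD.
$users = @(
    @{ distinguishedName = "CN=TopSpin Postmaster,$ou"; msExchQueryBaseDN = $ou
       msExchUseOAB = $expected.OabDn; extensionAttribute1 = 'TopSpinToys'; memberOf = @($expected.GroupDn) },
    @{ distinguishedName = "CN=New Starter,$ou"; msExchQueryBaseDN = $null
       msExchUseOAB = $expected.OabDn; extensionAttribute1 = 'TopSpinToys'; memberOf = @() }
)
foreach ($u in $users) {
    $f = @(Test-SegregatedUser -User $u -Expected $expected)
    if ($f.Count -eq 0) { "OK   $($u.distinguishedName)" }
    else { "FAIL $($u.distinguishedName): " + ($f -join '; ') }
}
```

The second sample user is reported as failing because its search base is empty and it is not in the company group, which is the state of a mailbox created in the OU before the configuration script has been run against it.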

Tidying up the Configuration

Before we head off into the subject of adding in a second company - there are a few things that we need to tidy up within the configuration.
Microsoft recommends that additional uPNSuffixes are added at both the domain and OU level - this helps with the correct stamping of e-mail addresses for your recipients - again this involves some changes at the Active Directory level - therefore I have provided the following script to make the process easier:

ScriptSEG_ConfigureUPN.ps1 [2KB]

Download the script to your Exchange Server - again, as per above, I recommend that you download it to the SegTool scripts directory. When you execute the script (which should be done from the PowerGUI script editor) you will be presented with a screen which looks like the following:

[Screenshot: upn1]

Choose Option 1 from the menu.

You will then be asked to provide the uPNSuffix for the domain of the first company that you have added:

[Screenshot: upn2]

As per above type in the domain name of the first company that you have configured (in my example this is "topspin.com") - when done hit the <Enter> key.

Run the script again - only this time when prompted choose Option 2:

[Screenshot: upn3]

You will then be prompted for the Domain Name which will be the UPN for your hosted company's OU - again in this example it will be topspin.com - when you have entered the value press Enter.

You will then be prompted for the name of the OU which the UPN value should be applied to - this will be the name of the hosted companies OU.

When you add additional Hosted companies to your configuration you should run this script and repeat the steps above. 

Configuring your second company:

In order to add another company to your segregated infrastructure you will need to fire up the Address List Segregation Tool and complete the following:

Complete the following fields:

Hosting Company OU:  In my example this was MaverickHosts (It is VERY important that this remains the same as previously configured)

New Company Name: Your Second Company Name (in my example this is TwinTwistToys)

Company SMTP Domain: The SMTP Domain of your Second Company

All other values will self populate - see below for an example configuration:

[Screenshot: secondcompany]

When you are happy with the details above - from the "Step By Step Actions" section of the program run scripts 7 - 15 again (saving them to a separate area to the previous scripts) - then when ready execute them as previously discussed.

Adding users to this new company is the same as for the first, and you can use the scripts provided above to configure users.

Summary:

Ok, this has indeed been a very long article - spread over a lengthy period of time - however I am quite proud of it, and I hope that those of you who are interested in Segregating Exchange find it useful.
Given the time scales involved I have placed a downloadable PDF of the entire series here:

Exchange 2007 Address List Segregation - all parts [1.10 MB]



Last Updated (Sunday, 04 April 2010 17:39)

 