
Hosted Exchange

Jun 05, 2015
Updated: 2014-08-29

The Hosted Exchange service for Services Manager delivers full-featured Microsoft Exchange services from the cloud.

Supported versions

The Exchange service supports the following versions of Windows Server and Microsoft Exchange.
Version Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2
Exchange 2007 SP3 X    
Exchange 2010 SP3   X X
Exchange 2013     X X
Exchange 2013 SP1 X X
Important: For Active Directory forests and domains at the Windows Server 2012 R2 functional level, the Exchange service is supported on Exchange 2013 SP1 only. For more information, refer to the article "Exchange 2013 system requirements" on the Microsoft TechNet web site.

Exchange server requirements

When configuring the server that will run Exchange, perform the following tasks:
  • Install all recommended operating system patches.
  • Enable Remote Desktop Services.
  • Disable User Account Control (UAC).
  • Enable the following IIS 6 and 7+ roles:
    • Web Server > Application Development > ASP.NET
    • Management Tools > IIS Management Console
    • Management Tools > IIS Management Scripts and Tools
    • Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
  • Install .NET Framework 4.0.
  • Install Microsoft Exchange Management Tools.
  • Exchange User Level Packages are used as templates for Exchange mailboxes. Packages define which protocols are enabled, plus mailbox limits and data storage. The installation process creates one package, which is used to test the installation. This package specifies the mail databases to use (Server / Storage Group). One or more storage groups are created when Exchange is installed; select one to use for the installation test.

Account requirements

Ensure the Services Manager domain logon account has full administration rights to the Exchange deployment. This is required for successful installation of the Exchange web service.

Configuration requirements

How you configure Exchange to work with Services Manager typically depends on whether you are deploying a single version of Exchange or creating a mixed environment where multiple supported versions of Exchange are included.

For single-version deployments of Exchange 2007 SP3, the Services Manager Configuration Tool performs the following tasks:
Each task is listed below, followed by the action performed.

Enable the List Object permission
In ADSIedit, the dsHeuristics property, located in the CN=Services > CN=Windows NT > CN=Directory Service container, is set to 001.
Disable the Default Email-Address policy
In ADSIedit, the following properties, located in the CN=Services > CN=Microsoft Exchange > CN=ExchangeOrganization > CN=Recipient Policies > CN=Default Policy container are modified:
  • msExchLastAppliedRecipientFilter: Alias -eq 'NoSuchEmail'
  • msExchQueryFilter: Alias -eq 'NoSuchEmail'
  • Replace the current entry for msExchPurportedSearchUI: Microsoft.PropertyWell_QueryString=(mailNickname=NoSuchEmail)
  • purportedSearch : (&(objectclass=PublicFolder)(!(extensionAttribute15=*)))
Lock down the default global address lists
In ADSIedit, in the CN=Services > CN=Microsoft Exchange > CN=ExchangeOrganization > CN=Address Lists Container > CN=All Global Address Lists > CN=Default Global Address Lists container properties, the following modifications are performed:
  • Inheritable permissions are not allowed to propagate.
  • The Authenticated Users group has the Read permission of msExchAvailabilityAddressSpace set to Deny. All other permissions are removed.
  • The Everyone group is removed.
Lock down address lists
In ADSIedit, in the CN=Services > CN=Microsoft Exchange > CN=ExchangeOrganization > CN=Address Lists Container > All Address Lists > All Users container properties, the following modifications are performed:
  • Inheritable permissions are not allowed to propagate.
  • The Everyone and Authenticated Users groups are removed.
  • The Proxy USERS group has the Read permission set to Deny.

These modifications are also performed for All Groups, All Contacts, All Rooms, and Public Folders containers.

Lock down the All Address Lists container
In ADSIedit, in the CN=Services > CN=Microsoft Exchange > CN=ExchangeOrganization > CN=Address Lists > CN=All Address Lists container properties, the Proxy USERS group is added with the following settings:
  • Apply to: This object only
  • List contents: Deny
  • List Object: Allow
Delete the default offline address list
In ADSIedit, in the CN=Services > CN=Microsoft Exchange > CN=ExchangeOrganization > CN=Address Lists > CN=Offline Address Lists container, the CN=Default Offline Address List container is deleted.

Set permissions on the Exchange organization
In ADSIedit, in the CN=Services > CN=Microsoft Exchange > CN=ExchangeOrganization container, the Proxy USERS group is added with the following settings:
  • Read: Allow
  • Apply to: This object only
  • List contents: Allow
  • List object: Allow
  • Read all properties: Allow
  • Read permissions: Allow
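
The following read-only audit is an added example, not part of the Services Manager product or its Configuration Tool. It checks the dsHeuristics value and the address list lockdown described above. The $OrgName default and the group name pattern '*\Proxy USERS' are assumptions to adjust for your environment.

```powershell
# Added example: read-only audit of the lockdown settings listed above.
# ASSUMPTION: $OrgName is a placeholder; pass your Exchange organization name.
param([string]$OrgName = 'ExchangeOrganization')

$configNC = [string]([adsi]'LDAP://RootDSE').configurationNamingContext
$services = "CN=Services,$configNC"

# List Object mode is on when the third character of dsHeuristics is 1.
$dirSvc = [adsi]"LDAP://CN=Directory Service,CN=Windows NT,$services"
$heuristics = [string]$dirSvc.psbase.Properties['dsHeuristics'].Value
$listObject = ($heuristics.Length -ge 3) -and ($heuristics.Substring(2, 1) -eq '1')
"dsHeuristics='$heuristics'  ListObjectEnabled=$listObject"

# Address list containers the page says are locked down the same way.
$base  = "CN=All Address Lists,CN=Address Lists Container,CN=$OrgName,CN=Microsoft Exchange,$services"
$lists = 'All Users', 'All Groups', 'All Contacts', 'All Rooms', 'Public Folders'
$mustBeAbsent = 'Everyone', 'NT AUTHORITY\Authenticated Users'

foreach ($name in $lists) {
    $row = New-Object PSObject -Property @{
        Container = $name; InheritanceBlocked = $null
        LeftoverGroups = $null; ProxyUsersDenied = $null; Error = $null
    }
    try {
        $sd    = ([adsi]"LDAP://CN=$name,$base").psbase.ObjectSecurity
        $rules = @($sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]))

        # "Inheritable permissions are not allowed to propagate."
        $row.InheritanceBlocked = $sd.AreAccessRulesProtected
        # "The Everyone and Authenticated Users groups are removed."
        $row.LeftoverGroups = @($rules | Where-Object {
            $mustBeAbsent -contains $_.IdentityReference.Value
        } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
        # "The Proxy USERS group has the Read permission set to Deny."
        # This only confirms that a Deny entry exists for the group.
        $row.ProxyUsersDenied = [bool]($rules | Where-Object {
            $_.IdentityReference.Value -like '*\Proxy USERS' -and
            $_.AccessControlType -eq 'Deny'
        })
    } catch {
        # A missing container or an access problem is reported, not hidden.
        $row.Error = $_.Exception.Message
    }
    $row
}
```

A locked-down container shows InheritanceBlocked as True, an empty LeftoverGroups value, and ProxyUsersDenied as True.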

For single-version deployments of Exchange 2010 SP3 or Exchange 2013, the Configuration Tool disables the Default Email-Address policy only.

For mixed Exchange deployments that include Exchange 2013 or Exchange 2010 SP3 servers in the same environment as Exchange 2007 SP3 servers, the globalAddressList2 attribute must be populated with entries from the globalAddressList attribute. The globalAddressList2 attribute was introduced in Windows Server 2008 R2. In an environment that includes Exchange 2013 or 2010 SP3, an address list must be populated into the attribute to ensure correct operation. Exchange 2013 and 2010 SP3 manage the globalAddressList2 attribute automatically, but Exchange 2007 SP3 does not. To populate this attribute, perform the following actions:
  1. Copy the globalAddressList attribute into the globalAddressList2 attribute.


  2. To populate globalAddressList2 with all entries from globalAddressList, run the following PowerShell script:
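    # Locate the Microsoft Exchange container in the configuration naming context.
    $configroot = ([adsi]"LDAP://rootdse").ConfigurationNamingContext
    $MSEXOU = [adsi]("LDAP://CN=Microsoft Exchange,CN=Services,$configroot")
    # Collect the distinguished name of every global address list as a string.
    $gal = @()
    foreach ($dn in Get-GlobalAddressList) { $gal += [string]$dn.DistinguishedName }
    # 2 = ADS_PROPERTY_UPDATE: replace the attribute's values with the collected list.
    # The array is passed directly instead of being rebuilt as script text with Invoke-Expression.
    $MSEXOU.PutEx(2, 'globalAddressList2', $gal)
    $MSEXOU.SetInfo()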
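
Because the script above replaces the existing values of globalAddressList2, the following added example (not part of the original documentation) saves the current values and reports how the two attributes differ. It can be run before the change as a preview and afterwards as a check. The backup file name is a placeholder.

```powershell
# Added example: back up globalAddressList2 and compare it with globalAddressList.
$configNC = [string]([adsi]'LDAP://RootDSE').configurationNamingContext
$exch = [adsi]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"

# Read both multi-valued attributes as plain string arrays.
# An attribute that is not set yields an empty array.
$gal  = @($exch.psbase.Properties['globalAddressList']  | ForEach-Object { [string]$_ })
$gal2 = @($exch.psbase.Properties['globalAddressList2'] | ForEach-Object { [string]$_ })

# Keep a copy of the current values so the change can be reviewed or reverted.
# ASSUMPTION: the file name is a placeholder.
if ($gal2.Count -gt 0) {
    $gal2 | Set-Content -Path '.\globalAddressList2.before.txt'
}

# -notcontains compares strings case-insensitively, which suits distinguished names.
$missing = @($gal  | Where-Object { $gal2 -notcontains $_ })   # in globalAddressList only
$extra   = @($gal2 | Where-Object { $gal  -notcontains $_ })   # in globalAddressList2 only

"globalAddressList entries : $($gal.Count)"
"globalAddressList2 entries: $($gal2.Count)"
$missing | ForEach-Object { "MISSING from globalAddressList2: $_" }
$extra   | ForEach-Object { "ONLY in globalAddressList2:      $_" }

if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
    'The two attributes hold the same entries.'
}
```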

Service deployment overview

  1. Install the Exchange web service on a server with the Exchange Management Tools installed.
  2. Configure the service using the control panel.
  3. If required for your deployment, configure the service for importing and exporting PST files.
  4. If required for your deployment, configure Unified Messaging.
  5. Provision the service to customers.

For deployment instructions, see Deploy the Hosted Exchange service.

Provisioning changes in Active Directory

When provisioning requests are issued for the Exchange service, Services Manager enacts several changes in Active Directory.

Customers

When a customer is provisioned with the Exchange service, the following changes occur:
  • The global security group SERVICEADMINS <CustomerShortName> HE is created and all Full Service Administrator users are added as members.
  • The global security group HE <CustomerShortName> <ServiceAccessLevelName> is created for each user plan selected for the customer. No members are added to these groups until users are provisioned with the Exchange service at the corresponding level.
  • The global security group HE <CustomerShortName> NONE is created. No members are added to this group until users are deprovisioned.
  • If public folders are enabled, the public folder is saved in Exchange Management Shell. To view folder details, use the Get-PublicFolder cmdlet.

Users

When a user is provisioned with the Exchange service, the following changes occur:
  • The user becomes a member of the HE <CustomerShortName> <ServiceAccessLevelName> group.
  • For customers provisioned with Exchange 2007 services, user mailboxes are created and saved in the Exchange Management Console under Recipient Configuration > Mailbox.

Adding contacts

When contacts are added for a customer, the following changes occur:
  • A Contact Type object is created under the customer organizational unit (OU) using the format <ContactName>_<CustomerShortName>.
  • For customers provisioned with Exchange 2007 services, a contact record is created and saved in the Exchange Management Console under Recipient Configuration > Mail Contact.

Creating distribution groups

When distribution groups are created for a customer, the following changes occur:
  • A universal distribution group is created under the customer OU using the format Distribution <CustomerShortName> <DistributionGroupName>.
  • For customers provisioned with Exchange 2007 services, a distribution group record is created and saved in the Exchange Management Console under Recipient Configuration > Distribution Group.