How to link existing AD accounts to the correct organization in a Microsoft Exchange Server 2010 SP1 multi-tenant environment

Microsoft Exchange Server 2010 SP1 ships with built-in multi-tenant support (the hosting deployment mode) that replaces much of what Hosted Messaging and Collaboration (HMC) used to provide. A good overview of the features, limitations, installation and configuration is available in the TechNet article:

Multi-Tenant Support

https://technet.microsoft.com/en-us/library/ff923272.aspx

The hosting solution available for Exchange 2010 SP1 includes most of the features and functionality available in Exchange 2010 SP1 Enterprise deployments, but also includes features and functionality that will allow you to create and manage tenant organizations. Microsoft Exchange Server 2010 SP1 will form part of the suite of multi-tenant capable products that will replace the Hosted Messaging and Collaboration 4.5 solution.

Provisioning of new accounts together with new mailboxes is done with the New-Mailbox cmdlet:
============================================================================

New-Mailbox -Database "Mailbox Database name" -Name "name" -LinkedDomainController "DCName" -LinkedMasterAccount domain\name -UserPrincipalName name@domain.com -LinkedCredential (Get-Credential domain\Administrator) -Organization "tenant or organization name"

New-Mailbox only covers the case where both the AD account and the mailbox are created at the same time; the tenant is assigned to the new AD account as part of that operation.

The -Organization parameter is what selects the correct tenant. In many customer environments that migrate to Exchange 2010, however, the AD accounts already exist and need to be linked to a new mailbox in the appropriate tenant.

To attach a new mailbox to an existing AD account we need the Enable-Mailbox cmdlet. Unfortunately Enable-Mailbox has no -Organization parameter.

So, at first sight, there is no way to connect an existing AD account to a new mailbox in the appropriate tenant.

Solution:
=======

If you want to mailbox-enable an existing AD user in a specific organization, you can still use the Enable-Mailbox cmdlet. Exchange decides which tenant a user belongs to from attributes on the user object, so the extra work is to stamp a few attributes correctly on the AD user before running the cmdlet (the sample below uses the domain name.test.microsoft.com, i.e. DC=name,DC=test,DC=microsoft,DC=com):

===========================================================================

1. msExchCU: CN=Configuration,CN=<tenant name>,CN=ConfigurationUnits,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=name,DC=test,DC=microsoft,DC=com
2. msExchOURoot: OU=<tenant name>,OU=Microsoft Exchange Hosted Organizations,DC=name,DC=test,DC=microsoft,DC=com
3. userPrincipalName: usually <user name>@<tenant domain name>, where the tenant domain is one of the tenant's accepted domains

After these attributes are stamped, Enable-Mailbox automatically places the new mailbox in the tenant (organization) the attributes point to. Because these two DNs are all that ties the user to a tenant, a typo in either one attaches the mailbox to the wrong organization, so check the result afterwards with Get-Mailbox -Organization "<tenant name>" and make sure the user shows up in the tenant you intended and nowhere else.
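The whole procedure as one script, added here as an example and not taken from the original article or from Microsoft. It is meant to run in the Exchange Management Shell on an Exchange 2010 SP1 server deployed in hosting mode; tenant name, user, tenant domain and database name are parameters you supply and are assumptions. It derives the two DNs from the forest's default naming context, refuses to stamp DNs that do not resolve to an existing tenant, writes the attributes over ADSI, runs Enable-Mailbox against the same domain controller to avoid replication lag, and finally verifies that the mailbox is visible in the intended tenant.

```powershell
# Added example (not from the original article): mailbox-enable an existing AD user
# in a specific Exchange 2010 SP1 tenant by stamping msExchCU / msExchOURoot /
# userPrincipalName first. All parameter values are assumptions for illustration.
param(
    [Parameter(Mandatory = $true)][string]$TenantName,      # e.g. "Contoso"
    [Parameter(Mandatory = $true)][string]$SamAccountName,  # existing AD user
    [Parameter(Mandatory = $true)][string]$TenantDomain,    # accepted domain of the tenant, e.g. "contoso.com"
    [Parameter(Mandatory = $true)][string]$Database         # e.g. "Mailbox Database 01"
)
$ErrorActionPreference = 'Stop'

# Domain DN (e.g. DC=name,DC=test,DC=microsoft,DC=com) and the DC that ADSI is talking to.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = $rootDse.defaultNamingContext.Value
$dc       = $rootDse.dnsHostName.Value

# The two DNs that tie a user to a tenant, plus the UPN in the tenant's domain.
$msExchCU     = "CN=Configuration,CN=$TenantName,CN=ConfigurationUnits,CN=Microsoft Exchange,CN=Services,CN=Configuration,$domainDN"
$msExchOURoot = "OU=$TenantName,OU=Microsoft Exchange Hosted Organizations,$domainDN"
$upn          = "$SamAccountName@$TenantDomain"

# A typo in either DN would attach the mailbox to the wrong (or a non-existent)
# organization, so refuse to continue unless both tenant objects actually exist.
foreach ($dn in @($msExchCU, $msExchOURoot)) {
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dc/$dn")) {
        throw "Tenant object not found: $dn"
    }
}

# Locate the existing user by sAMAccountName.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$dc/$domainDN"
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
$found = $searcher.FindOne()
if (-not $found) { throw "User '$SamAccountName' not found under $domainDN" }
$user   = $found.GetDirectoryEntry()
$userDN = $user.Properties['distinguishedName'].Value

# Do not touch an account that already has a mailbox; Enable-Mailbox would fail anyway.
if ($user.Properties['homeMDB'].Value) { throw "$userDN is already mailbox-enabled" }

# Warn when the user object does not live under the tenant OU: the mailbox would then
# be listed in a tenant whose OU does not contain the account, which is confusing at best.
if (-not $userDN.EndsWith($msExchOURoot, [StringComparison]::OrdinalIgnoreCase)) {
    Write-Warning "$userDN is outside $msExchOURoot"
}

# Stamp the tenant attributes and commit them to the directory.
$user.Put('msExchCU', $msExchCU)
$user.Put('msExchOURoot', $msExchOURoot)
$user.Put('userPrincipalName', $upn)
$user.SetInfo()

# Enable the mailbox on the same DC so the freshly written attributes are visible.
Enable-Mailbox -Identity $userDN -Database $Database -DomainController $dc | Out-Null

# Verify that the mailbox really landed in the intended tenant.
$mbx = Get-Mailbox -Organization $TenantName -DomainController $dc |
       Where-Object { $_.UserPrincipalName -eq $upn }
if (-not $mbx) { throw "Mailbox for $upn is not visible in tenant '$TenantName'; check the stamped attributes" }
$mbx | Format-List Name, UserPrincipalName, Database, OrganizationId
```

Run it as, for example, `.\Enable-TenantMailbox.ps1 -TenantName Contoso -SamAccountName jdoe -TenantDomain contoso.com -Database "Mailbox Database 01"` (script name and values assumed). The existence check and the final Get-Mailbox -Organization query are the two places where a wrong tenant would surface; keep them even if you script the attribute stamping differently, since nothing else prevents an operator from silently placing a user in another customer's organization.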