Exchange Server 2010 SP1 Beta Hosting Deployment… Part #2 – Creating New Organization


In my previous blog post, Exchange Server 2010 SP1 Beta Hosting Deployment... Part #1 - The First Look, I wrote about some differences in the configuration container and in the domain naming context when you deploy Exchange Server 2010 SP1 beta with the /hosting switch. We saw that it created additional OUs. We also saw that it introduced some new cmdlets and at the same time disabled EMC and a few other things, which I listed in my earlier blog post, What's not available in Exchange 2010 SP1 Hosting Mode. I saw some questions posted in the forum asking why EMC can't be used, and I think that may warrant a separate blog post.

For now, let's look at how we can create a new Tenant Organization in this Exchange Server 2010 SP1 Beta Hosting Deployment and the things being created in the whole process. Before that, let's look at our good old HMC and understand what is involved in creating an Organization. As you know, the Organization creation process includes quite a few things, including OUs, groups and so on. In HMC, in order to create an Exchange-enabled organization, we need to do the following, if you remember:

  1. Use Hosted Active Directory to create a new organization.
  2. Then Subscribe the new organization to an Exchange Organization Plan
  3. Add the SMTP domain to the Organization
  4. Add User Plan/Service Plan to the organization.
  5. Create an organization administrator
  6. Mailbox enable the user using the appropriate user plan.

Now that's all good. The actual HMC Hosted AD organization creation process does not create an administrator, but some control panels will also create the administrator as part of the process, and they may or may not mail-enable the administrator; hence I added steps 5-6 above.

Now, let's look at how we do it in Exchange Server 2010 SP1 beta. To create a new Organization, run the following in the Exchange Management Shell:

New-Organization -Name ProvTest -DomainName provtest.com -Location en-US -ProgramID HostingSample -OfferID 2 -AdministratorPassword (get-credential).password

The above cmdlet will first prompt you for a user name and password. Just enter any user name (because it won't be used) and then a password. It will create an admin user called 'Administrator'. After you enter the credential, the cmdlet will proceed to create a virtual organization called ProvTest with the SMTP domain of provtest.com. Location is understood. Now, that's all easy to understand so far, right?

The only two things that look sort of strange are the ProgramID and OfferID. When you install Exchange 2010 SP1 beta with the /hosting switch, you will notice that it also installs an additional folder in the Client Access server role (by the way, you should use the /hosting switch on every single server role in that Exchange environment to avoid any confusion). Under the folder C:\Program Files\Microsoft\Exchange Server\V14\clientAccess\ServicePlans, you will find one CSV file and a .servicePlan file. Essentially, this is really your organization plan and mailbox plan. If you open up the .servicePlan file, you will find XML stating the features that this Organization and its mailboxes will adopt. Most of them are quite self-explanatory. I won't go into it unless you guys think that I should (just drop me a note).

Now, the CSV file is the key here. It looks something like this,

So, as explained in the comment, the column header is ProgramID, OfferID, ServerPlanName. So, if I set ProgramID to HostingSample and OfferID to 2, I am selecting HostingAllFeatures.servicePlan as the plan that I will be using for this organization. Pretty straightforward, yeah?

There's one thing though: the fact that all of these are files stored on the Client Access server means that the New-Organization cmdlet should only be run on a Client Access Server, and if you have multiple CAS, you should make sure that the files in these folders are identical. I personally think this could have been stored in a different place, like Active Directory, instead of having to manually maintain those files on all the CAS. Obviously there might be some specific design reason that it is not done that way, and I am not going to spend too much time talking about it; it is, after all, beta code. 🙂
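One way to check that the ServicePlans folders really are identical across Client Access servers, as an added example (not code from the original post and not part of Exchange). The function names are hypothetical, and the demo at the end uses constructed temp folders and constructed file contents in place of real servers.

```powershell
# Added example. Uses .NET hashing directly so it also runs on PowerShell 2.0,
# which has no Get-FileHash cmdlet.
function Get-ServicePlanManifest {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sha = [System.Security.Cryptography.SHA256]::Create()
    $manifest = @{}   # file name -> SHA-256 hex digest
    try {
        # -ErrorAction Stop: an unreachable folder must fail, not look like an empty one.
        Get-ChildItem -LiteralPath $Path -ErrorAction Stop |
            Where-Object { -not $_.PSIsContainer } | ForEach-Object {
                $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
                $manifest[$_.Name] = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
            }
    } finally {
        $sha.Clear()
    }
    return $manifest
}

function Compare-ServicePlanFolder {
    param(
        [Parameter(Mandatory = $true)][string]$ReferencePath,
        [Parameter(Mandatory = $true)][string[]]$OtherPath
    )
    $reference = Get-ServicePlanManifest -Path $ReferencePath
    foreach ($path in $OtherPath) {
        $candidate = Get-ServicePlanManifest -Path $path
        # @() keeps this an empty array (not $null) when both folders are empty.
        $names = @(@($reference.Keys) + @($candidate.Keys) | Sort-Object -Unique)
        foreach ($name in $names) {
            if (-not $candidate.ContainsKey($name))          { $state = 'MissingOnTarget' }
            elseif (-not $reference.ContainsKey($name))      { $state = 'ExtraOnTarget' }
            elseif ($candidate[$name] -ne $reference[$name]) { $state = 'ContentDiffers' }
            else { continue }   # same name, same hash: nothing to report
            New-Object PSObject -Property @{ Folder = $path; File = $name; State = $state }
        }
    }
}

# Constructed demo: two temp folders stand in for the ServicePlans folder on two CAS.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid().ToString())
$cas1 = Join-Path $root 'CAS1'
$cas2 = Join-Path $root 'CAS2'
New-Item -ItemType Directory -Path $cas1, $cas2 | Out-Null

# Constructed file names and contents (placeholders, not real plan data).
Set-Content -Path (Join-Path $cas1 'SampleRemap.csv') -Value 'HostingSample,2,HostingAllFeatures'
Set-Content -Path (Join-Path $cas2 'SampleRemap.csv') -Value 'HostingSample,2,SomeOtherPlan'
Set-Content -Path (Join-Path $cas1 'HostingAllFeatures.servicePlan') -Value '<placeholder />'
Set-Content -Path (Join-Path $cas2 'HostingAllFeatures.servicePlan') -Value '<placeholder />'
Set-Content -Path (Join-Path $cas2 'Extra.servicePlan') -Value '<placeholder />'

Compare-ServicePlanFolder -ReferencePath $cas1 -OtherPath $cas2 |
    Format-Table Folder, File, State -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```

Against real servers, pass the ServicePlans folder of one CAS as `-ReferencePath` and the same folder on the others (for example over an administrative share) as `-OtherPath`; any row returned is a file that would make New-Organization behave differently depending on which CAS it runs on.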

Now that we understand the cmdlet and have executed it, let's see what this cmdlet created. From ADUC, you see this,

You have to say, that's pretty cool. Let me briefly list down what is being created,

  • It created an OU in Microsoft Exchange Hosted Organizations
  • Under the OU, it created the Administrator User
  • It created some security groups like Organization Management, Recipient Management.
  • It automatically put the Administrator into the appropriate groups.
  • It automatically mailbox-enabled the Administrator
  • It also created some special groups for the purpose of password policy and also a group that has all the mailbox users.
  • It also created some system objects.

Oh, before I forget, you should be happy to know that the actions executed within this cmdlet seem to work like one big transaction. Meaning, if it created part of the stuff and then somehow failed, nothing is left behind; it performs a rollback. Give it a try: run the cmdlet, observe the stuff being created and then, halfway through, hit Ctrl-Break. You will see the newly created OU disappear right in front of your eyes. Pretty neat, eh?

Now, that's not all. It also created its own organization's configuration container. If you open up ADSIEdit, you will find the following,

Each Organization has its very own configuration unit. It means it has its own separate Recipient Policies, Mailbox Policies, its own Accepted Domains and so on; you can see it from there. I am not going to go into detail on this.

What can I say? I think that's the whole purpose of designing Exchange for Hosters from the ground up: a complete segregation of all hosted organizations. I do think it is very well done.

Of course, this is still beta and there are still some cmdlets that are missing some switches and so on. I like what I am seeing so far. Next, I will be going into some of the components a little bit more, such as how we handle OOF (which in HMC we sort of deal with using a transport agent) and how we create a new mailbox, and possibly look at some of the possible ways to move from HMC to here. Stay tuned. I am out for now.

Previous Article

Exchange Server 2010 SP1 Beta Hosting Deployment... Part #1 - The First Look
http://blogs.technet.com/b/provtest/archive/2010/06/25/exchange-server-2010-sp1-beta-hosting-deployment-the-first-look-part-1.aspx


Comments (31)
  1. Anonymous says:

    Yes, the cmdlet is Remove-Organization.

    You have to remove all the mailboxes and etc. first though.

  2. Anonymous says:

    Hi, That will be my next article. Half way through that. Anyway, let me answer your question here so that you can at least move on.

    1. Try this cmdlet,

    New-Mailbox -Organization <Org Name> -Name <User name> -UserPrincipalName <put email here>

    It should then prompt you for password, enter it and then it should create a mailbox in that organization. For example,

    New-Mailbox -Organization Provtest -Name "John Doe" -UserPrincipalName jdoe@provtest.com

    2. When you create a mailbox for that organization, the new-mailbox has to know which context it is in so that it knows how to handle the mailbox, things like address list stamped and etc. I don't believe the enable-mailbox cmdlet has that built in yet to allow enabling mailbox for existing AD user.

  3. Anonymous says:

    No, you don't have to but that's definitely one way to do it. 🙂

    Just create the new mailbox and then add the management role to that mailbox.

  4. Anonymous says:

    Hi Anders,

    The Enable-Mailbox works but it will only work if that user has already been associated to the organization. So, if you create a user from ADUC, by default, it isn't associated to any organization and hence your enable-mailbox may not work on that user.

    There is unfortunately no cmdlet that does that at the moment. The only way to do it is that if you script it or manually change the appropriate attributes. I may make a blog out of this but for now, if you are interested, the attributes to look at are,

    userPrincipalName

    msExchCU

    msExchOURoot

    Set that 3 attributes in and try.

    Kip

  5. Anonymous says:

    Hi Peter,

    Sorry I missed that. So, you want to add another mailbox plan to the existing organization, right? Try creating a new service plan with the existing mailbox plan and also the new mailbox plan in it and then do an update-serviceplan for that organization to the new service plan. That should do.

    Kip

  6. Anonymous says:

    Hi Pderover,

    – Is there going to be any guidance offered for people that want to have different features dis-/enabled in their mailplans?

    Kip – Officially, not at the moment. Unofficially, if I find some time, I will blog about it here.

    – Is it possible to assign more than one serviceplan to an org?

    Kip – No, it is not.

    – When is MS going to come out with a new help file, one that is actually completed?

    Kip – The help file is being updated. Check the online version, that's constantly being updated by the Exchange Technical writer.

    – Are you limited to only creating orgs under "Microsoft Exchange Hosted Organizations"? Is it possible to still create "Resellers" or create multiple  "Microsoft Exchange Hosted Organizations" like OUs in the root?

    Kip – Yes, it is only going to be at that OU. No, it is not possible create that 'Reseller' type OU like in HMC, unfortunately.

  7. Anonymous says:

    Hi JK, if you go back up to this article, you will notice my cmdlet is something like this,

    New-Organization -Name ProvTest -DomainName provtest.com -Location en-US -ProgramID HostingSample -OfferID 2 -AdministratorPassword (get-credential).password

    Note the last portion "-AdministratorPassword….." You need that.

  8. Anonymous says:

    Hi Pderover,

    I do not believe this is possible at the moment with the default setting. However, it isn't impossible. The key lies with the RBAC. If you need to create additional groups and permissions and manually assign them.

  9. Anonymous says:

    I am glad it has helped you. It is my pleasure.

  10. Anonymous says:

    Hi Brian,

    I have no problem inserting multiple mailbox plan into the service plan and create the organization with that in my SP1 beta. I will be updating to SP1 RTM shortly. Anyway, can you share your ServicePlan?

  11. Anonymous says:

    Hmmm… Ideally, there should be a New-MailboxPlan that should be able to create for the specific organization. However, it seems like this cmdlet isn't exposed to the Administrator and it is being called only in the New-Organization cmdlet. I didn't have an in-depth look into this though. That's why you can add multiple mailbox plan into the service plan and it will create multiple mailbox plan into the Org. We should revisit this to see how this will look like in SP1 RTM which should be soon.

  12. Anonymous says:

    Hi Peter. I was in the midst of compiling a blog post on this. Anyway, the problem has to do with the permissions elements in your second mailbox plan. Only the default one should have the permission element. Remove the permission elements, then you should be able to create multiple mailbox plan. I will explain a little bit in my blog post. Try that.

  13. Anonymous says:

    Yes, I think you hit the nail there on TCO. I do think Microsoft is moving towards the right direction on this.

    Of course, as I blogged about this in the past, blogs.technet.com/…/planning-to-move-from-hmc-to-exchange-2010-sp1-hosting-deployment.aspx, there are other components that HMC has but it isn't in Exchange Server 2010 beta like Resource Management and Multi-service orchestration.

  14. Mobay says:

    Very Cool stuff!

    It seems that the TCO on exchange 2010 hosting is much lower with the new method of provisioning Organizations. At least to me it looks like you can save quite a few server roles compared to HMC.

    Can't wait to get started with this! Thanks for sharing the SPLA stuff by the way.

  15. Janåke Rönnblom says:

    Hi,

    Thanks for a great article and look forward to next one!

    I am experimenting with the cmdlets and have a few questions:

    1. When you have multiple organizations how do you create a user in either of them? I tried the new-mailbox but I can't get it to accept the -Organization switch… Maybe I'm missing something?

    2. When you have existing users in your AD how do you create a mailbox for them?

    -J

  16. Jose says:

    How do I add a second mbx plan for an organization?

  17. BrianK says:

    Hello, We are not able to add second mailbox plan in service plan and getting the below error. Please suggest what can be done to fix this.

    Service plan XXservicesplanHostingAllFeatures is in an inconsistent state. Service plan dependency check failed. Featur

    e "!PerMBXPlanRoleAssignmentPolicyEnabled" is set to "True". It depends on feature "MailboxPlans", which is set to "Fal

    se".

       + CategoryInfo          : NotSpecified: (:) [Update-ServicePlan], InvalidOperationException

       + FullyQualifiedErrorId : 789AD023,Microsoft.Exchange.Management.Deployment.UpdateServicePlanTask

  18. Peter says:

    Hi Kip,

    We have the same issue here with SP1 RTM. Trying to add a new organization with a modified serviceplan (added an extra mailplan) returns the same error:

    Running cmd:

    New-Organization -Name Test1 -DomainName test1.com -Location en-US -ProgramID HostingSample -OfferID 5 -AdministratorPassword (get-credential).password -Whatif

    Returns:

    ================================================================================

    Service plan HostingAllFeatures_SampleII that matches parameters ProgramId=HostingSample and OfferId=5 is in an inconsistent state.

    Service Plan contains schema errors: "The 'PerMBXPlanRoleAssignmentPolicyEnabled' attribute is not declared."Service plan dependency check failed. Feature "!PerMBXPlanRoleAssignmentPolicyEnabled" is set to "True". It depends on feature "MailboxPlans", which is set to "False".

       + CategoryInfo          : InvalidArgument: (:) [], ArgumentException

       + FullyQualifiedErrorId : 7860EE63

    ================================================================================

    Without the extra mailplan the cmd runs fine. Thanks for your time and support!

    With regards,

    Peter

  19. Peter says:

    Hi Kip,

    Thanks for your answer and fast too.

    I've found the solution in another article of yours. And yes without the permissions parts from any mailbox but not the first everything works fine now.

    Thanks again and keep up posting those blogs. I'll love reading them.

    With regards,

    Peter

  20. JK says:

    Hi, I was playing around with the Hosting feature. When I create a new tenant organization via the New-Organization cmdlet, it didn't prompt me for the Administrator password and as a result, no tenant administrator is created. Any idea what's happening here? I guess I could do it manually via the New-Mailbox cmdlet and then adding in all the required RBAC roles …….

  21. JK says:

    Hi, yup, I just saw that. Thanks for the speedy response. Strange that the technet documentation says that I will be prompted for a password without this parameter. Now I have a tenant organization with no tenant administrator :/ Any quick and easy way to add one in? 😛 (besides the usual RBAC routines …) Perhaps I should just delete the organization and re-create it instead.

  22. lee says:

    Is there a way to remove an organization? If so what is the syntax?

  23. Peter says:

    Hi Kip,

    Let's say I create a Serviceplan with 3 mailbox plans, later on I add 2 more mailboxplans to the ServicePlan, how do I update, so that the Organization contains all 5 Mailboxplans, and not only the 3 from before.

    Thank you again for your time and effort.

  24. Pderover says:

    How do you handle multiple mailplans that have been configured in a single serviceplan, where the feature like active sync is enabled for one but not another?

    "Service plan dependency check failed. Feature "ActiveSyncDeviceDataAccessPermissions" is set to "True". It depends on feature "ActiveSyncEnabled", which is set to "False".

  25. Pderover says:

    Hi Kip,

    Thanks for the response on the previous post:-)

    Couple more questions:

    – Is there going to be any guidance offered for people that want to have different features dis-/enabled in their mailplans?

    – Is it possible to assign more than one serviceplan to an org?

    – When is MS going to come out with a new help file, one that is actually completed?

    – Are you limited to only creating orgs under "Microsoft Exchange Hosted Organizations"? Is it possible to still create "Resellers" or create multiple  "Microsoft Exchange Hosted Organizations" like OUs in the root?

  26. Peter says:

    Hi Kip,

    Did you see my question from 11. October? Do you have a solution for this?

  27. Anders says:

    Any news regarding possibility to use the Enable-Mailbox cmdlet to enable existing AD accounts, or is it "written in stone" that we have to create new users ?

  28. Peter says:

    Hi Kip,

    The setting <RecipientMailSubmissionRateQuota> in the Quota section of a Serviceplan, could this setting in any way be changed through powershell, or do we have to create a new Serviceplan and update the Organization to the new Serviceplan?

    If I update a Serviceplan with the Update-Serviceplan command, are the users automatically using the new Serviceplan settings, and how long does it take for Exchange to update this value, or is it instantly changed?

  29. Bernd says:

    Really great Articles, thx for this!

    I have a question please:

    How do I add a second and third (and so on) Domain to a single Organization that can only be seen and used by this Organization. Is this possible? Does "New-AcceptedDomain" add the Domain to all Orgs, right?

  30. zubair says:

    Server was unable to process request. —> Could not find file 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans\ServicePlanRemap.csv'. —> Could not find file 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans\ServicePlanRemap.csv'.

    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)

    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)

    at WebsitePanel.EnterpriseServer.ExchangeHostedEditionController.CreateOrganization(Int32 packageId, String organizationId, String domain, String adminName, String adminEmail, String adminPassword)

  31. Sr Func says:

    There are numerous posts requesting to not use the /hosting switch due to lack of features. The only issue I am experiencing with the on-premise installation is that the serviceplans folder is missing therefore getting errors:

    "Server was unable to process request. —> Could not find a part of the path 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans\ServicePlanRemap.csv'. —> Could not find a part of the path 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans\ServicePlanRemap.csv'.

    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)

    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)

    at WebsitePanel.EnterpriseServer.ExchangeHostedEditionController.CreateOrganization(Int32 packageId, String organizationId, String domain, String adminName, String adminEmail, String adminPassword)

    is there a way around this?

    any info would be greatly appreciated.

    thanks
