Applies to: Exchange Server 2013
Topic Last Modified: 2013-02-12
Deployment Scenarios
The following three scenarios describe possible deployment solutions for three different organization types. Although there are many more scenarios, the most popular ones are covered here. The address lists and global address lists (GALs) in these scenarios were created based on filters, such as Custom Attributes, that grouped the objects logically.
Scenario 1: Two separate companies - one Exchange organization
This scenario is applicable to government agencies, divisions, or departments that share infrastructure, but no reporting chain and have no common employees. In addition, the divisions don't have any special security or privacy concerns. In this scenario, two address book policies (ABPs) are created where employees can only see members of the same organization when the view the GAL or look at membership of other distribution groups. In addition, no users will be members of distribution groups that span the entire organization.
The Contoso and Humungous Insurance ABPs were created using the following address lists, global address lists, room lists, and OABs, which were created using a recipient filter that grouped the objects with a filter such as Custom Attribute. Because the two companies are separate without any interaction between the two, there aren't any address lists in common.
|
|
Contoso |
Humungous Insurance |
|
Address Lists |
AL_CON_Groups AL_CON_Users AL_CON_Contacts |
AL_HI_Groups AL_HI_Users AL_HI_Contacts |
|
Global address list |
GAL_CON |
GAL_HI |
|
Room address list |
AL_CON_Rooms |
AL_HI_Rooms |
|
Offline address book (OAB) |
OAB_CON |
OAB_HI |
Scenario 2: Two companies sharing a CEO
In this scenario, Fabrikam and Tailspin Toys share the same Exchange organization and the same CEO. The CEO is the only common person between the two companies. This scenario requires three ABPs that have the following characteristics:
- The users in Tailspin Toys can only see Tailspin Toys users
when they browse the GAL.
- The users in Fabrikam can only see Fabrikam users when they
browse the GAL.
- In each company, there is a SeniorLeaders distribution group
that includes the senior leaders of that company and the CEO.
- Users who look at the CEO's group membership will only see
groups that belong to the user's company. They won't see groups not
in their own company.
- Three ABPs are created: Fab, Tail, and
CEO.
|
|
Fabrikam |
Tailspin Toys |
CEO |
|
Address lists |
AL_FAB_Users_DGs AL_FAB_Contacts |
AL_TAIL_Users_DGs AL_TAIL_Contacts |
AL_FAB_Users_DGs AL_FAB_Contacts AL_TAIL_Users_DGs AL_TAIL_Contacts |
|
Global address list |
GAL_FAB |
GAL_TAIL |
Default GAL |
|
Room address list |
AL_FAB_Rooms |
AL_TAIL_Rooms |
Default All Rooms |
|
Offline address book (OAB) |
OAB_FAB |
OAB_TAIL |
Default OAB |
When the CEO is added to the distribution groups in each organization and falls within the scope of each company's ABP, then the CEO becomes visible to each company. The CEO can create distribution groups that span both companies and will be visible within each company's GAL, but members of the distribution group will only be able to view the members of the group that are within their own organization.
Scenario 3: Education
This scenario is applicable to schools or universities where a division of class rooms is necessary to ensure the privacy of the students. The Education scenario has the following characteristics:
- Students in each class can only see other students in their
class, their teacher, and the principal.
- Teachers can only students in their own classrooms.
- Teachers can see all other teachers and the principal.
- Distribution groups are created for each class’s parents and
the faculty.
|
|
Students_ClassA |
Teachers_ClassA |
Principal |
|
Address Lists |
AL_ClassAAL_Principal |
AL_ClassAAL_AllTeachersAL_AllGroupsAL_Principal |
AL_ClassA AL_ClassB AL_AllTeachers AL_AllStudents AL_AllGroups |
|
Global address list |
GAL_StudentsClassA |
GAL_TeachersClassA |
GAL_Everyone |
|
Room address list |
AL_BlankRoom |
AL_BlankRoom |
Default All Rooms |
|
Offline address book (OAB) |
OAB_StudentsClassA |
OAB_TeachersClassA |
Default OAB |
Considerations and best practices
Consider the following when using ABPs in your organization:
- For ABPs to work correctly, the user mailbox to which you apply
the ABP must be on an Exchange 2010 SP3 or an Exchange 2013
server.
- Don’t run the Exchange 2010 Client Access server role on the
global catalog server. Doing so results in Active Directory being
used for Name Service Provider Interface (NSPI) instead of the
Microsoft Exchange Address Book service. You can run Exchange 2013
server roles on a global catalog server and have ABPs work
correctly, however we don’t recommend installing Exchange on a
domain controller.
- You can't use hierarchical address books (HABs) and ABPs
simultaneously. To learn more, see Hierarchical Address
Books.
- Any user assigned an ABP should exist in their own GAL.
- If you allow client applications to access Active Directory
directly through LDAP, they will bypass the logic built into ABPs.
Because Outlook for Mac 2011 and Entourage 2008 use direct LDAP
queries to access Active Directory, those client applications won’t
function properly with ABPs if a domain controller or global
catalog server is specified or provided to them by the Autodiscover
service. Outlook for Mac 2011 can use EWS or a local OAB to access
directory information. However, if Outlook for Mac 2011 can
directly access an LDAP service, it will attempt to do so.
- The GAL used in an ABP must, at a minimum, contain all of the
address lists, including the room address list, defined and
specified in an ABP. Don’t create a GAL that contains fewer objects
than any of the address lists in the same ABP.
- We recommend creating distribution groups that don't cross
virtual organization boundaries. Creating distribution groups that
contain members of multiple virtual organizations results in the
following issues:
- If group members request delivery or read receipts when sending
mail to the distribution group, they’ll be able to see the email
addresses of the group members in other virtual organizations
- If an encrypted message is sent to the distribution group and
some group members don’t have valid digital IDs, the sender will
receive a warning message that includes the total number of members
who don’t have valid IDs and a list of their email addresses.
However, if some of those members without valid digital IDs are in
a different organization than the sender, the warning message will
include the correct count but won’t include the email addresses of
the members in the other organization. As a result, the total count
won’t match the list of member addresses.
For example, let’s say a distribution group contains five members total from two organizations, Agency A and Agency B. Three group members are from Agency A, and one of those members has as invalid digital ID. The other two members are from Agency B, and both of them have invalid digital IDs. If a member from Agency A sends an encrypted message to the distribution group, that member will receive a warning message stating that there are a total of three recipients without valid digital IDs. However, only the email address for the recipient from Agency A will be listed in the warning message.
- ABP's don’t apply to the Get-Group cmdlets. Therefore,
any user or process that is able to run Get-Group will see
all members of any group they have access to.
We recommend that you modify the group management settings of the OWA Options so users can’t use Outlook Web App to manage groups. To prevent users from using OWA Options to manage groups, exclude the users from the MyDistributionGroupMembership RBAC role. For details, see MyDistributionGroupMembership Role.
- If you allow users to use Outlook or Outlook Web App to manage
groups, the group owners must have full visibility to the group
membership list.
- If group members request delivery or read receipts when sending
mail to the distribution group, they’ll be able to see the email
addresses of the group members in other virtual organizations
- All ABPs must contain a room address list. However, if your
organization doesn't use room address lists, you can create a
default empty room address list.
- Deploying ABPs doesn't prevent users in one virtual
organization from sending email to users in another virtual
organization. If you want to prevent users from sending email
across organizations, we recommend that you create a transport
rule. For example, to create a transport rule that prevents Contoso
users from receiving messages from Fabrikam users, but still allows
Fabrikam’s senior leadership team to send messages to Contoso
users, run the following Shell command:
Copy CodeNew-TransportRule -Name "StopFabrikamtoContosoMail" -FromMemberOf "AllFabrikamEmployees" -SentToMemberOf "AllContosoEmployees" -DeleteMessage -ExceptIfFrom seniorleadership@fabrikam.com
- If you want to enforce a feature similar to ABP in the Lync
client, you can set the
msRTCSIP-GroupingIDattribute on specific user objects. For details, see PartitionByOU Replaced with msRTCSIP-GroupingID topic.
General deployment steps
Migrating from address list segmentation to ABPs
If your organization configured the Exchange 2007 address list segregation solution in place by using the instructions in the white paper Configuring Virtual Organizations and Address List Segregation in Exchange 2007, you should first migrate to Exchange Server 2010 using the steps outlined in Migrate to Exchange Server 2010 Address Book Policies from Exchange Server 2007 Address List Segregation. This procedure will require some down-time for your organization and you will therefore need to plan accordingly.
New deployment of ABPs
If your organization is deploying Exchange 2013 ABPs and hasn’t used the Exchange 2007 address list segregation, you can use these instructions to deploy ABPs in your organization.
The steps in this section will walk you through Scenario 2: Two companies sharing a CEO. In this scenario, two companies (Fabrikam and Tailspin Toys) are separate but share a CEO and senior leadership team.
Step 1: Install and configure the Address Book Policy Routing agent
If you’re using ABPs, and you don’t want users in separate virtual organizations to view each other’s potentially private information, you can turn on the Address Book Policy Routing agent. The Address Book Policy Routing agent is a Transport agent that runs on the Mailbox server that controls how recipients are resolved in the organization. When the Address Book Policy Routing Agent is installed and configured, users that are assigned different GALs appear as external recipients in that they can’t view external recipients’ contact cards.
For detailed instructions, see Install and Configure the Address Book Policy Routing Agent.
Step 2: Divide your virtual organizations
You'll need to develop a way to divide your organizations. We recommend using the CustomAttribute1-15 property on the mailboxes, contacts, and groups instead of the pre-canned conditional attributes such as Company, Department, or StateOrProvince to divide the virtual organizations for the following reasons:
- Not all recipient types of objects have precanned conditional
attributes in Active Directory. For example, Distribution Group and
Dynamic Distribution Group do not support company, department, or
state attributes.
- Not all precanned conditional attributes are exposed in cmdlets
for some recipients. For example, the Company,
department, and StateOrProvince parameters are not
available on the exposed in cmdlets for mail users, contacts,
distribution groups, and mail-enabled public folders.
- Multiple cmdlets are required to segregate recipient when you
use the pre-canned conditional attribute. For example, you need to
run Set-User to tag Company, Department,
StateOrProvince for a UserMailbox after you run
New-Mailbox or Set-Mailbox cmdlets.
- The CustomAttributeX parameters are all exposed in the
Set-* cmdlet for each recipient type, we can complete all
segregation for that type via single Set- cmdlet
- CustomAttributeX attributes are explicitly reserved for
customization of an organization and are entirely under the control
of the organization administrators.
Another best practice to consider implementing when segregating your organization is to use company identifiers in the names of distribution groups and dynamic distribution groups. Exchange has a Group Naming policy feature that will automatically add a suffix or prefix to the name of the distribution group based on many attributes of the user creating the distribution group including the creator of the distribution group's Company, StateorProvince, Title, and CustomAttribute1 to CustomAttribute15. The group naming policy is especially important if you are allowing users to create their own distribution groups. For more information, see Create a Distribution Group Naming Policy.
Group naming policies don't apply to dynamic distribution groups, so you will need to manually segregate them and manually apply a naming policy.
Step 3: Create the address lists, GALs, and OABs
When you create the address lists and global address lists do not use "IncludedRecipient" and "ConditionalX" parameters, such as ConditionalCompany and ConditionalCustomAttribute5. You should use a recipient filter instead. You must use the Shell to create recipient filters. For more information about Recipient Filters, see Recipient Filtering
In creating the ABP, you will create multiple address lists based on how you want your users to view the address lists in Outlook or Outlook Web App. This organization has four address lists:
- AL_FAB_Users_DGs
- AL_FAB_Contacts
- AL_TAIL_Users_DGs
- AL_TAIL_Contacts
This example creates the address list AL_TAIL_Users_DGs. The address list contains all users and distribution groups where CustomAttribute15 equals TAIL.
| Copy Code |
|
|---|---|
New-AddressList -Name "AL_TAIL_Users_DGs" -RecipientFilter {((RecipientType -eq 'UserMailbox') -or (RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "DynamicDistributionGroup")) -and (CustomAttribute15 -eq "TAIL")}
|
|
For more information about creating address lists by using recipient filters, see Create an Address List By Using Recipient Filters.
In order to create an ABP, you have to provide a room address list. If your organization doesn't have resource mailboxes such as room or equipment mailboxes, we suggest that you create a blank room address list. The following example creates a blank room address list because there are no room mailboxes in the organization.
| Copy Code |
|
|---|---|
New-AddressList -Name AL_BlankRoom -RecipientFilter {(Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))}
|
|
However, in this scenario, Fabrikam and Contoso both have room mailboxes. This example creates room list for Fabrikam by using a recipient filter where CustomAttribute15 equals FAB.
| Copy Code |
|
|---|---|
New-AddressList -Name AL_FAB_Room -RecipientFilter {(Alias -ne $null) -and (CustomAttribute15 -eq "FAB")-and (RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox')}
|
|
The global address list used in an ABP must be a superset of the address lists. Do not create a GAL with fewer objects than exists in any or all of the address lists in the ABP. This example creates the global address list for Tailspin Toys that includes all of the recipients that exists in the address lists and room address list.
| Copy Code |
|
|---|---|
New-GlobalAddressList -Name "GAL_TAIL" -RecipientFilter {(CustomAttribute15 -eq "TAIL")}
|
|
For more information, see Create a Global Address List.
When you create the OAB you should include the appropriate GAL when providing the AddressLists parameter of New- or Set-OfflineAddressBook to ensure no entry is unexpectedly missed. Basically, you can customize the set of entries that a user will see or reduce the download size of the OAB by specifying a list of AddressLists in AddressLists of New/Set-OfflineAddressBook. However, if you want users to see the full set of GAL entries in OAB, make sure that you include the GAL in the AddressLists.
This example creates the OAB for Fabrikam named OAB_FAB.
| Copy Code |
|
|---|---|
New-OfflineAddressBook -Name "OAB_FAB" -AddressLists "GAL_FAB" |
|
For more information, see Create an Offline Address Book.
Step 4: Create the ABPs
After you've created all of the required objects you can then create the ABP. This example creates the ABP named ABP_TAIL.
| Copy Code |
|
|---|---|
New-AddressBookPolicy -Name "ABP_TAIL" -AddressLists "AL_TAIL_Users_DGs"," AL_TAIL_Contacts" -OfflineAddressBook "\OAB_TAIL" -GlobalAddressList "\GAL_TAIL" -RoomList "\AL_TAIL_Rooms" |
|
For more information, see Create an Address Book Policy.
Step 5: Assign the ABPs to the mailboxes
Assigning the ABP to the user is the last step in the process. ABPs take effect when a user's application connects to the Microsoft Exchange Address Book service on the Client Access server. If the user is already connected to Outlook or Outlook Web App when the ABP is applied to their account, they will need to close and restart the client application before they can see their new address lists and GAL.
This example assigns ABP_FAB to all mailboxes where CustomAttribute15 equals "FAB".
| Copy Code |
|
|---|---|
Get-Mailbox -resultsize unlimited | where {$_.CustomAttribute15 -eq "TAIL"} | Set-Mailbox -AddressBookPolicy "ABP_TAIL"
|
|
For more information, see Assign an Address Book Policy to Mail Users.