Virtual organizations and address list segregation white paper
I've been beating my head against the wall for 3 days trying to follow this white paper. I've started over from a fresh install twice now, followed the white paper completely and run into the same problem both times. OWA works absolutely fine for all organizations I create.

The end result is the 2nd, 3rd or 4th, etc. organizations I create cannot ever create an Outlook profile. When I try to build it manually in Outlook 2003 or 2007 I get a "The name cannot be matched to a name in the address list" error. From what I can tell this happens when the user cannot read a GAL with their address in it. So I'm assuming the user is somehow being assigned the wrong GAL, but I can't understand why. Strangely, any user I create that's part of the 1st virtual organization can log on just fine. They can see all address lists and users though, which is undesirable as well, but not my biggest problem at this point.

For those who have tried this before, are there any steps missing in that document? Many of the hosting documents I found that were published prior to that document mention disabling inheritance using ADSIEdit on the All Address Lists, Global Address Lists and Offline Address Lists, but the white paper has no mention of it.

There is one comment that threw me off in the white paper: "All rights assigned to the Authenticated Users, Everyone, and Anonymous Logon groups must be removed." It's mentioned once, but never in detail. Where does this need to happen? The following step removes the non-inherited permissions via a PowerShell command, but the inheritance is left on for all 3 of the containers as far as I can see. Is that correct?
This is my initial setup, anything missing?

Set dsHeuristics to 001
Add UPN suffixes of both orgs

Code Snippet

get-adpermission "All Address Lists" | Where {($_.User -like 'NTAuthority\Authenticated Users') -and ($_.IsInherited -eq $false)} | Remove-ADPermission

remove-addresslist "All Contacts"
remove-addresslist "All Groups"
remove-addresslist "All Rooms"
remove-addresslist "All Users"
remove-addresslist "Public Folders"

$galContainer = "CN=All Global Address Lists,CN=Address Lists Container,CN=Confused Amused,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ptown,DC=local"
Get-ADPermission $galContainer -user "authenticated users"

$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=Confused Amused,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ptown,DC=local"
remove-adpermission $container -user "NT AUTHORITY\Authenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'

$oabContainer = "CN=Offline Address Lists,CN=Address Lists Container,CN=Confused Amused,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ptown,DC=local"
Get-ADPermission $oabContainer -user "authenticated users"

New-DistributionGroup -Name "All Hosted Groups SG" -OrganizationalUnit "ptown.local/Companies" -SamAccountName "AllHostedGroupsSG" -Alias "AllHostedGroupsSG" -Type "Security"

Add-ADPermission -Identity "CN=Address Lists Container,CN=Confused Amused,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ptown,DC=local" -User "All Hosted Groups SG" -AccessRights GenericRead -Deny

Add-ADPermission -Identity "CN=Address Lists Container,CN=Confused Amused,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ptown,DC=local" -User "All Hosted Groups SG" -AccessRights ReadProperty -Properties "Open Address List" -Deny
September 6th, 2008 9:41pm

Hi Tom,

I suggest that we focus on the check name issue when creating the Outlook profile. I would like to explain that the issue can be caused by several factors, such as:

Replication latency or replication issue
Incorrect user attributes
Incorrect permission settings

I suggest you attempt the following method to troubleshoot the issue:

Step 1: Please let me know whether several GCs exist in the environment. If several GCs exist, please force replication and check the event log for any error regarding AD replication.

Step 2: Please run the Adsiedit tool to check the problem user attributes:
======================================================
Note: I also suggest that you view the attributes on different GCs to check whether any replication issue exists.
1. Run Adsiedit and locate the problem user.
2. In the user Properties, please check the following attributes:
   ShowInAddressBook: please ensure that you can locate the specific company's Global Address List for the user.
   msExchHideFromAddressLists: please ensure that the attribute is not set to True.

Please also ensure that you have run the update-globaladdresslist command to update the Global Address List.

If the previous user attributes are correct and no replication issue is noticed, please also check the permission setting on the specific company's Global Address List by using the ADSIEdit.msc tool; please ensure the Authenticated Users group has Read and Open Address List permissions.

I also suggest that you refer to the following KB to troubleshoot the issue:
Troubleshooting check name errors: http://support.microsoft.com/?id=297801

Mike
September 11th, 2008 6:05am

I don't mean to hijack this thread but I am having some problems working through this whitepaper also. Are there some typos in some of the code segments? I am having all kinds of syntax problems with a number of the steps. Has anyone been able to work through this article step by step, just changing the required info in each command, and had them all work? Am I crazy?? Has anyone been able to get the NewCompany.ps1 scripts, etc. to work?
October 3rd, 2008 5:37pm

Hi all,

I have used this whitepaper and got it working almost 100%.

What is working:
All users can log in just fine from OWA, MAPI and Outlook Anywhere.
The address lists are totally separate, so the companies can only see their own, just as planned.

What I did find in the whitepaper is an error when typing this:

Add-ADPermission -Identity "CN=Address Lists Container,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "All Hosted Groups SG" -AccessRights GenericRead -Deny

The CN=Contoso is wrong, at least for my part. It should say CN=First Organization; the rest is fine. This goes for the next line as well:

Add-ADPermission -Identity "CN=Address Lists Container,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "All Hosted Groups SG" -AccessRights ReadProperty -Properties "Open Address List" -Deny

When you have made the preparations, go and edit the PS1 scripts from the whitepaper to fit your needs. I added several things to my setup, but basically it works from the whitepaper.

What I have yet to get working:
Download offline address book from Outlook Anywhere. I need to make some changes to the autodiscover service for this to fit my environment.

Hope this helps a little, otherwise feel free to ask for more info.
October 13th, 2008 10:22pm

I must be an idiot. I would really like to use this whitepaper to host email for a couple of companies... An HMC deployment seems way overkill. I may reformat the server this weekend and try it again. Do you mind helping me out if I post a question up here?? Thanks in advance!
October 17th, 2008 12:57am

I wouldn't mind at all, just post here and I will try and help if I can.

I have used the whitepaper 4 times now, with success all 4 times. Of course the first time was a bit harder, but it did work.

If you do need help please note any errors you might see when you run the cmdlets, and it is really important that you make the AD changes correctly before you start with the scripts.

Have a nice weekend and let us know how it goes.

Martin
October 17th, 2008 8:00am

Hi Tom,

As mentioned by others the white paper actually does work fine. As you didn't mention anything about group memberships I would suggest that you check the following:

1) All users for a given company/e-mail domain name must be members of a "Company SG" security group.
2) All users for a given company/e-mail domain name must have the "extensionAttribute1" set to the same value as you search for in the Address List (set with -ConditionalCustomAttribute1 when you created the Address List).
3) All "Company SG" groups have to be members of the group "All Hosted Groups SG".

In order to create an Outlook profile your users have to be visible on an Address List that they can access with their own credentials (HideFromAddressList must also be disabled).

As your administrator account most typically won't be a member of any hosted groups you might however consider a small change in the part of the white paper that describes how to restrict access to the Default Global Address List. In the guide they suggest the following command in order to restrict access to the Default Global Address List:

Get-GlobalAddressList "Default Global Address List" | Add-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$True

This renders all users (including your administrative accounts) without access to the Default Global Address List Active Directory object, hence it will also show up in ADSIEDIT without a class name, and none of your administrative accounts will be able to create a new Outlook profile as they aren't visible on any existing (readable) Global Address Lists. I would suggest replacing that command with:

Get-GlobalAddressList "Default Global Address List" | Add-ADPermission -User "All Hosted Groups SG" -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$True

So you do the deny on "All Hosted Groups SG" instead of "Authenticated Users". (Shouldn't be a problem as all of your hosted users should already be members of "All Hosted Groups SG".)

If you already executed the command that denies "Authenticated Users" access to "Default Global Address List" you should still be able to rename the orphaned "Default Global Address List" object using ADSIEDIT. Do not try to edit or take properties on the object first, otherwise you will have to close and reopen ADSIEDIT (the error message in case you tried to edit it first will be "This folder or one of its children has one or more property sheets up. Please close the property sheet before continuing with this action."). After you rename the orphaned Default Global Address List you can recreate the Default Global Address List with the following command:

New-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}

After a recreation you should issue the before-mentioned command doing the deny for "All Hosted Groups SG" instead of "Authenticated Users". In this way you can still have administrative accounts which aren't members of the All Hosted Groups SG and can see the full Default Global Address List. Another benefit: if your administrative accounts aren't members of any hosted groups they will still be able to create an Outlook profile, as they still have access to the Default Global Address List and are able to resolve their name in the address list when they click on the check name button. The downside of course is that you have to be 100% sure that all of your hosted users actually are members of a domain group and that all domain groups are members of the All Hosted Groups SG, but you would probably have to ensure that anyway.
November 19th, 2008 4:09pm
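One way to verify the prerequisites from Mike's and Steen's replies before rebuilding Outlook profiles, as an added example that is not the white paper's code or any poster's: a read-only diagnostic for the Exchange Management Shell (2007/2010). It assumes a hosted company named Fabrikam with security group "Fabrikam SG", GAL "Fabrikam GAL", the company name stored in CustomAttribute1 (extensionAttribute1 in AD, the attribute the white paper's -ConditionalCustomAttribute1 filter reads), and the group "All Hosted Groups SG"; all of these names are assumptions.

```powershell
# Added example, not from the white paper or any poster. Reads configuration only.
# Assumed naming: "<Company> SG", "<Company> GAL", CustomAttribute1 = company name.
param(
    [string]$CompanyName = "Fabrikam",
    [string]$HostedGroup = "All Hosted Groups SG"
)

$companySG  = "$CompanyName SG"
$companyGAL = "$CompanyName GAL"
$problems   = @()

# Steen's item 3: the company group must be nested in All Hosted Groups SG,
# otherwise the Deny ACEs placed on that group never apply to the company's users.
$hostedMembers = Get-DistributionGroupMember -Identity $HostedGroup | ForEach-Object { $_.Name }
if ($hostedMembers -notcontains $companySG) {
    $problems += "$companySG is not a member of $HostedGroup"
}

# The company GAL has to exist before any user can be matched against it.
$gal = Get-GlobalAddressList | Where-Object { $_.Name -eq $companyGAL }
if ($gal -eq $null) { $problems += "GAL '$companyGAL' not found" }

# Steen's items 1 and 2 plus Mike's step 2: every mailbox carrying the company's
# CustomAttribute1 value must be in the company SG, not hidden, and listed in the
# company GAL through showInAddressBook (what Outlook's Check Name resolves against).
$sg = Get-DistributionGroup -Identity $companySG -ErrorAction SilentlyContinue
if ($sg -eq $null) {
    $problems += "Group '$companySG' not found"
    $sgMembers = @()
} else {
    $sgMembers = Get-DistributionGroupMember -Identity $companySG | ForEach-Object { $_.DistinguishedName }
}
$users = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.CustomAttribute1 -eq $CompanyName }
foreach ($u in $users) {
    if ($sgMembers -notcontains $u.DistinguishedName) {
        $problems += "$($u.Alias): not a member of $companySG"
    }
    if ($u.HiddenFromAddressListsEnabled) {
        $problems += "$($u.Alias): hidden from address lists (msExchHideFromAddressLists)"
    }
    # Read showInAddressBook straight from AD, as Mike does with ADSIEdit.
    $adUser = [ADSI]"LDAP://$($u.DistinguishedName)"
    $lists  = @($adUser.showInAddressBook) | ForEach-Object { "$_" }
    if ($gal -ne $null -and $lists -notcontains $gal.DistinguishedName) {
        $problems += "$($u.Alias): showInAddressBook lacks '$companyGAL' (Update-GlobalAddressList not run or replication lag?)"
    }
}

# Steen's point about the Default GAL: the Deny for Open-Address-Book should target
# the hosted group, not Authenticated Users, or administrators lose the default GAL too.
$defaultGalAces = Get-GlobalAddressList "Default Global Address List" | Get-ADPermission |
    Where-Object { $_.Deny -and ($_.ExtendedRights -match "Open-Address-Book") }
foreach ($ace in $defaultGalAces) {
    if ("$($ace.User)" -like "*Authenticated Users") {
        $problems += "Default GAL denies Open-Address-Book to Authenticated Users; deny '$HostedGroup' instead"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "No problems found for $CompanyName"
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

Run it against one hosted company at a time; a "PROBLEM" line on showInAddressBook is the usual cause of the "name cannot be matched" error described at the top of the thread.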


Hi Guys,

I too am having some trouble following this white paper. I am able to create organizations manually (so far I have only created one) but am unable to get the NewCompany.ps1 script working. I have modified the script to match my company settings, however, when I run it I get the error below. I have not modified line 98 as it was needed, so I'm not sure why it wouldn't work. Here's line 98 in case you are wondering what it says:

"3 of 15, Add a Security Group for $CompanyName" to the "All Hosted Groups SG"

Here's the error:

[PS] C:\Windows\System32>newcompany
Unexpected token 'to' in expression or statement.
At D:\Program Files\Microsoft\Exchange Server\Scripts\NewCompany.ps1:98 char:52
+ "3 of 15, Add a Security Group for $CompanyName" to <<<< the "All Hosted Groups SG"

Any help is greatly appreciated.

Chaim
August 5th, 2009 1:39pm

Hi,

The issue is very simple: instead of that line, please replace it with this one:

"3 of 15, Add a Security Group for $CompanyName to the All Hosted Groups SG "

The issue was the quotes!!! Have a good day!!!

Vinay Reddy.K
August 21st, 2009 3:18pm

Steen,

Thank you for including this, I was having such trouble because I could no longer see the Default GAL. I was able to rename the original Default GAL and then create a new one, then added the appropriate permissions for the "All Hosted Groups SG" as you suggested. Do you advise doing the same thing for the "Offline Address Book"? I believe we run a similar command there as well.

Everyone, I too am having trouble with the "AddCompany" script from the whitepaper. I was able to resolve the "Line 98 / Char 52" error by removing the extra set of quotes in the string, but now I'm running into another error at "Line 131 / Char 4". The line is literally " " .... There isn't a fourth character, I don't understand why it's throwing back an error. Error code is as follows:

Expressions are only allowed as the first element of a pipeline.
At C:\Program Files\Microsoft\Exchange Server\V14\Scripts\AddCompany.ps1:131 char:4
+ " " <<<<
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ExpressionsMustBeFirstInPipeline

...v
February 12th, 2010 6:44am

Replace the following line (#129):

Get-AddressList "$companyName AL" -domaincontroller $DC | #Remove-ADPermission -User "Authenticated Users" -accessrights GenericRead -extendedrights "open address list" -deny:$false -domaincontroller $DC

With this:

Get-AddressList "$companyName AL" -domaincontroller $DC | Remove-ADPermission -User "Authenticated Users" -accessrights GenericRead -extendedrights "open address list" -deny:$false -domaincontroller $DC

For some reason the remove statement was commented out, only the person who did it neglected to put the comment BEFORE the pipe. Therefore everything afterwards was considered a part of the pipe.

Jesse
April 20th, 2010 7:08am

I have followed these instructions and everything seems to be working fine except for when a user opens a new email message from OWA, goes to the address book and tries to search for a name. They get an error message. This error message only appears when they are trying to search for a name. It doesn't seem to matter if it is last name, first name or email address that they are searching for. They always seem to get this error message. Outlook doesn't have this issue, only OWA. Did I miss a step or doesn't this work with Exchange 2010? Below is the error message.

"An unexpected error occurred and your request couldn't be handled."

Error Message:
Request Url: https://myexchangeserver.com:443/owa/ev.owa?oeh=1&ns=DP&ev=LoadFresh
User host address: xxx.xx.xx.xx
User: Ben Johnson
EX Address: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Ben Johnson
SMTP Address: ben@myexchangeserver.com
OWA version: 14.0.694.0
Mailbox server: myexchangeserver.com

Exception
Exception type: System.NullReferenceException
Exception message: Object reference not set to an instance of an object.

Call stack
Microsoft.Exchange.Data.Directory.SystemConfiguration.AddressBookBase.GetScopedRecipientSession(ADObjectId rootId, Int32 lcid, String preferredServerName, AddressBookBase addressBook)
Microsoft.Exchange.Data.Directory.SystemConfiguration.AddressBookBase.PagedSearch(ADObjectId rootId, AddressBookBase addressBookBase, RecipientCategory recipientCategory, String searchString, Int32 itemsToSkip, String& cookie, Int32 pageSize, Int32& itemsTouched, Int32& lcid, String& preferredServerName, PropertyDefinition[] properties)
Microsoft.Exchange.Clients.Owa.Premium.Controls.ADListViewDataSource.LoadPagedSearch(Int32 startRange, Int32 itemCount, PropertyDefinition[] properties, Boolean retry)
Microsoft.Exchange.Clients.Owa.Premium.Controls.ADListViewDataSource.Load(Int32 startRange, Int32 itemCount, Boolean retry)
Microsoft.Exchange.Clients.Owa.Premium.Controls.ADListViewDataSource..ctor(Hashtable properties, AddressBookBase addressBookBase, String searchString, String cookie, Int32 cookieIndex, Int32 lcid, String preferredDC, UserContext userContext)
Microsoft.Exchange.Clients.Owa.Premium.Controls.ADListViewDataSource.CreateForSearch(Hashtable properties, AddressBookBase addressBookBase, String searchString, UserContext userContext)
Microsoft.Exchange.Clients.Owa.Premium.Controls.AddressBookVirtualListView.CreateDataSource(Hashtable properties)
Microsoft.Exchange.Clients.Owa.Premium.Controls.VirtualListView2.LoadData(Int32 startRange, Int32 rowCount)
Microsoft.Exchange.Clients.Owa.Premium.Controls.AddressBookVirtualListView.LoadData(Int32 startRange, Int32 rowCount)
Microsoft.Exchange.Clients.Owa.Premium.VirtualListViewEventHandler2.InternalLoadFresh(Boolean renderHeaders)
Microsoft.Exchange.Clients.Owa.Premium.DirectoryVirtualListViewEventHandler.LoadFresh()
May 18th, 2010 11:45pm

Is there an update white paper for Exchange 2010? Google hasn't found it yet? :)
May 20th, 2010 4:29pm

Well, it doesn't look good. Check Dgoldman's WebLog http://blogs.msdn.com/b/dgoldman/archive/2010/05/10/critical-update-exchange-2010-address-list-segregation-and-current-support-stances.aspx and http://social.technet.microsoft.com/Forums/en/exchange2010/thread/11e8024b-3613-4677-93a1-e2e6d1994c49 :(
May 26th, 2010 11:14am

New info on this topic with 2010 SP1: Exchange 2010 Multi-Tenant Support Mike Crowley Check out My Blog!
June 8th, 2010 9:56pm

Hi jlj972004,

Were you able to find a resolution to this problem? I'm having the exact same issue.

Regards,
Ryno Coetzee
June 27th, 2010 8:10am

