Exchange Server 2010 SP1 Hosting Deployment - RBAC simplified #3 - Resellers


The concept of Resellers in Exchange Server 2010 SP1 Hosting Deployment, well... let me be really direct here: it doesn't really exist anymore. Remember how, in the HMC world, we had to create resellers before we could even create any tenant organization? When you set up Exchange Server 2010 Hosting Deployment, you very quickly realize that you don't need to set up resellers at all. You will just have tenant organizations.

In fact, if you look at the Active Directory structure as I blogged about it during the beta timeframe (Exchange Server 2010 SP1 beta Hosting Deployment First Look), the OU structure in Active Directory only has 2 levels instead of the 3 in HMC (Active Directory in HMC 4.5).

Right below the hosting OU, Microsoft Exchange Hosted Organizations, we will just have tenant organizations.

There is, however, a concept of Partner Delegated Tenant Management in Exchange Server 2010 SP1. This is a role that enables partner administrators to manage the tenant organizations to which they have been delegated administrative access. I took a look at this role and, frankly, I am not sure it is meant for everyone. Why? Take a look at the role:

RunspaceId : 66bd1e4c-f674-4a2b-80ea-8f330acb9f55
RoleEntries : {(Microsoft.Exchange.Management.PowerShell.E2010) New-MoveRequest -AcceptLargeDataLoss -ArchiveDomain -ArchiveOnly -ArchiveTargetDatabase -BadItemLimit -BatchName -Confirm -Debug -ErrorAction -ErrorVariable -Identity -IgnoreRuleLimitErrors -Outbound -OutBuffer -OutVariable -PrimaryOnly -Remote -RemoteArchiveTargetDatabase -RemoteCredential -RemoteGlobalCatalog -RemoteHostName -RemoteLegacy -RemoteOrganizationName -RemoteTargetDatabase -Suspend -SuspendComment -SuspendWhenReadyToComplete -TargetDatabase -TargetDeliveryDomain -Ver
RoleType : PartnerDelegatedTenantManagement
ImplicitRecipientReadScope : Organization
ImplicitRecipientWriteScope : Organization
ImplicitConfigReadScope : OrganizationConfig
ImplicitConfigWriteScope : OrganizationConfig
IsRootRole : True
IsEndUserRole : False
MailboxPlanIndex :
Description : This role enables partner administrators to manage the tenant organizations to which they have been delegated administrative access.
IsDeprecated : False
AdminDisplayName :
ExchangeVersion : 0.12 (14.0.451.0)
Name : PartnerDelegatedTenantManagement
DistinguishedName : CN=PartnerDelegatedTenantManagement,CN=Roles,CN=RBAC,CN=ConsolidatedMessenger,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=fabrikam,DC=com
Identity : PartnerDelegatedTenantManagement
Guid : 8a959ce4-1378-41c5-8ae0-ce14c16d56a1
ObjectCategory :
ObjectClass : {top, msExchRole}
WhenChanged : 8/27/2010 1:42:46 PM
WhenCreated : 6/28/2010 11:44:48 PM
WhenChangedUTC : 8/27/2010 8:42:46 PM
WhenCreatedUTC : 6/29/2010 6:44:48 AM
OrganizationId :
OriginatingServer :
IsValid : True

Look at the two read scope values (ImplicitRecipientReadScope: Organization and ImplicitConfigReadScope: OrganizationConfig). As you know, write scopes used in role assignments can be implicit or explicit, but read scopes can only be implicit, taken from the role that is being assigned. This means that while the write scope can be configured and scoped to an OU when we create the assignment, the read scope cannot be modified. Hence, the assignment 'inherits' the read scope of the entire organization. In other words, the assignee for this role will be able to see everyone.
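To make the scope behaviour concrete, here is an added example (mine, not the post's or Microsoft's) that creates a delegated assignment with an explicit write scope and then inspects which scopes actually apply. The partner group name, tenant OU path, scope name and assignment name are constructed placeholders, and the commands assume the standard Exchange 2010 SP1 RBAC cmdlets run from the hoster's root organization Exchange Management Shell.

```powershell
# Added example, not from the original post. 'PartnerA Admins', 'Tenant1' and the
# scope/assignment names are constructed placeholders; adjust them to your forest.
# Run in the hoster's (root organization) Exchange Management Shell.

# 1. An explicit write scope: limit write operations to one tenant's OU, which
#    sits under the "Microsoft Exchange Hosted Organizations" OU described above.
New-ManagementScope -Name 'PartnerA-Tenant1-Write' `
    -RecipientRoot 'fabrikam.com/Microsoft Exchange Hosted Organizations/Tenant1' `
    -RecipientRestrictionFilter { Name -like '*' }

# 2. Assign PartnerDelegatedTenantManagement to the partner's admin group with the
#    custom write scope. There is no parameter for a custom read scope: the read
#    scope is implicit and is taken from the role itself.
New-ManagementRoleAssignment -Name 'PartnerA-Tenant1-Mgmt' `
    -Role 'PartnerDelegatedTenantManagement' `
    -SecurityGroup 'PartnerA Admins' `
    -CustomRecipientWriteScope 'PartnerA-Tenant1-Write'

# 3. Inspect the resulting assignment. RecipientWriteScope reflects the custom
#    scope, while RecipientReadScope is still the role's ImplicitRecipientReadScope
#    (Organization in the role listing above), so the partner can read every recipient.
Get-ManagementRoleAssignment 'PartnerA-Tenant1-Mgmt' |
    Format-List Role, RoleAssignee, RecipientReadScope, RecipientWriteScope,
                CustomRecipientWriteScope, ConfigReadScope, ConfigWriteScope

# 4. Audit check: list every assignment of this role whose write scope was
#    narrowed but whose read scope still covers the whole organization.
Get-ManagementRoleAssignment -Role 'PartnerDelegatedTenantManagement' |
    Where-Object { $_.RecipientReadScope -eq 'Organization' -and
                   $_.RecipientWriteScope -ne 'Organization' } |
    Select-Object Name, RoleAssignee, RecipientReadScope, RecipientWriteScope,
                  CustomRecipientWriteScope
```

Step 4 is the check worth keeping in a periodic review: any assignment it returns lets a partner administrator enumerate recipients well beyond the tenants it can write to.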

That's probably not something you would want, right? Perhaps there is a way to get around this, or perhaps I wasn't looking at things in enough depth here, but after spending a good few hours on this, I could not find anything out of the box that allows me to scope both the read and the write to just a few tenant organizations (like what we used to have with a reseller). If any of you find anything, feel free to contact me.

What I can see, however, is this. The Partner Delegated Tenant Management model may work well if your resellers are huge resellers, for example, big enough for you to create a separate Hosted Exchange environment for them. Unlike HMC, where the infrastructure can be overwhelmingly large with additional servers like MPS Backend, Frontend and SQL servers, and then you need OAB servers and so on, here we are only looking at Exchange servers. At the same time, that brings up a good topic: if you are designing or developing a control panel solution for Exchange Server 2010 SP1, it may not be a bad idea to think about the capacity to manage multiple Exchange Server 2010 SP1 environments rather than just one, for scalability reasons. For example, some hosters that I know have a couple of million users in one HMC environment. Managing that can be a pain because the AD has many millions of objects, finding something can be slow, and so on.

If the reseller model is something that is very key to your business (say you have a lot of small resellers), it may not be a bad idea, in my personal opinion, to create an additional reseller layer in your control panel to manage your resellers and to present them an interface to manage their organizations. IMHO, the fact that the structure is just one flat layer holding only the tenant organizations may give you more flexibility and make it easier to build your own resellers' business logic.

You may have something like the above, in which Exchange is just one of the products or components of the full hosted solution. Your control panel solution will handle resellers, multi-service orchestration, resource management, billing and so on. Of course, let me also say that the above purely represents my personal findings and opinions; it isn't in any way official guidance from Microsoft.

My suggestion to you, as you are planning the migration upgrade from HMC, is to spend time looking at the solution, or perhaps to consider a third party control panel solution if you feel that this is getting too overwhelming. Exchange Server 2010 SP1 isn't the same as the HMC solution. Exchange Server 2010 SP1 Hosting Deployment is a component of the full hosted solution (yes, a rather big one, in fact) rather than a full solution in itself like HMC. In other words, there are still many components that you may need to build to complete the picture, depending on your business requirements. My aim is to provide you with slightly more information and a bit of my thoughts. Hope you folks find it useful.
