
The Zen of Hosting: Part 4 - HMC and AD

In part 2 I started to write about Active Directory and how to get a single domain to work with multiple organisations, so let's get back to AD and look at how HMC helps with it. What HMC does to AD is give you a way to set up the OU structure, and it sets a number of properties on the AD objects.


One of the great things about the OU structure is that it allows you to have a top level organisation (which is called the hosting company), second level organisations (the resellers) and third level organisations (the customers). The second level is very exciting, as this is actually the level at which sales are done, and thanks to the structure multiple resellers can exist and work with their own customer base while being secured away from other customers and resellers. If you are thinking of white boxing a hosting solution, this is how it is done.

Security is obviously taken into account: the HMC engine lets an administrator at the hosting company level manage anyone within the system, while at the reseller level you can add accounts to your own organisation and to any of your customers via the web interface. But does this mean you will spend your admin days in the web interface? Definitely not! Your AD skills still apply and you can still manage users and computers, set group policies, reset passwords etc... But you should be doing provisioning (creation of items) through the web interface or the engine, as it will save you from having to edit AD properties manually later on. If you aren't looking at white boxing it, then you would just have your hosting company, one reseller and then various organisations as customers.

You may have picked up that I said you can use the engine to provision, and you may have thought that meant you need to use the SDK and write code. Well, you don't have to! Microsoft have actually included a command line tool called Provtest on your HMC server, which you pass an XML file to. It parses the file, pushes it to the engine and displays the result. This is actually the same way the SDK works, in that you pass XML to the web services or COM+ object to do things. Microsoft also includes many samples with HMC, and even more in the SDK. So you may find yourself doing a lot of that, especially when you get to Exchange management.

Another way HMC modifies the AD object properties is that the login name gets set in such a way that it allows each customer to have their own domain name (sort of); however, it's just on the AD account name. This isn't an easy concept to grasp without an example, so let's say the hosting company domain is Contoso.local, and a customer named Northwind signs up with one of their resellers (who the reseller is, is not important). The Northwind guys decide they want their domain to be Northwind.com, so via the web interface they add Fred and set his login to be [email protected]. What HMC does is set the AD account name to [email protected]; however, in the background it sets the SAM account name (or the pre-Windows 2000 name) to be contoso.local\fred_northwind.. Yes, it should be dot-dot, the first dot for the SAM account and the second for the grammar. So all customers are on the same domain at the core, but the account name is what they would use to login to OWA, their machine or an application like MSCRM.

The SAM account name is still vitally important, as most applications don't like using the account name internally. For example, MSCRM allows you to login with the account name, but when adding users individually you cannot use the account name; you must use the SAM account name. Oddly, though, the multiple user add option does work with the account name. This is an annoying problem, as it means you need to expose the (ugly) SAM name to your customers, and if you have named your hosting level with something distinctive it could limit your white box ability!

This disconnect between account name and SAM account is a massive pain in the ass for service accounts too, as I lost way too much time during the deployment on many services just retyping passwords and resetting them because I thought I was losing my mind, only to realise that the application didn't like something in the username and wanted the SAM account name. The worst experience I had with passwords during all of this was with Forefront, which not only didn't like the account name but also didn't like the fact that the domain name (on the hosting company level) had a dot in it.
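The naming scheme from the three paragraphs above, as an added C# illustration (not HMC or SDK code): it derives the UPN the customer chooses and the pre-Windows 2000 form HMC writes, and applies the sAMAccountName length and character rules AD itself enforces. The sample names are the post's own; the rule that the suffix is the first DNS label of the customer's domain is an assumption made here.

```csharp
using System;
using System.Text.RegularExpressions;

// Added illustration of the HMC naming scheme; not HMC's own code.
// "contoso.local", "Fred" and "Northwind.com" come from the post; the
// suffix rule (first DNS label of the customer domain) is an assumption.
public static class HmcLogonNames
{
    public const string HostingDomain = "contoso.local";

    // Limits AD enforces on sAMAccountName for user accounts.
    private const int MaxSamLength = 20;
    private static readonly Regex IllegalSamChars =
        new Regex(@"[""/\\\[\]:;|=,+*?<>]");

    // The login the customer chooses: user@customerdomain (the UPN).
    public static string Upn(string user, string customerDomain)
    {
        return user.ToLowerInvariant() + "@" + customerDomain.ToLowerInvariant();
    }

    // What HMC writes as the pre-Windows 2000 name: user_org.
    public static string SamAccountName(string user, string customerDomain)
    {
        string org = customerDomain.Split('.')[0];
        string sam = (user + "_" + org).ToLowerInvariant();
        if (sam.Length > MaxSamLength)
            throw new ArgumentException("'" + sam + "' exceeds the "
                + MaxSamLength + "-character sAMAccountName limit");
        if (IllegalSamChars.IsMatch(sam))
            throw new ArgumentException("'" + sam
                + "' contains characters AD rejects in a sAMAccountName");
        return sam;
    }

    // The form applications such as MSCRM's single-user add or Forefront
    // ask for. Note that it exposes the hosting domain to the customer.
    public static string LegacyLogon(string user, string customerDomain)
    {
        return HostingDomain + "\\" + SamAccountName(user, customerDomain);
    }

    public static void Main()
    {
        Console.WriteLine(Upn("Fred", "Northwind.com"));
        Console.WriteLine(LegacyLogon("Fred", "Northwind.com"));
        // A long customer name trips the 20-character limit before AD does.
        try { LegacyLogon("Bartholomew", "Northwindtraders.com"); }
        catch (ArgumentException ex) { Console.WriteLine(ex.Message); }
    }
}
```

Running the length check at provisioning time avoids discovering the limit as a failed login on a service account later.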

The security isn't perfect though, as there are times when you can see all users in the system. In an earlier version of HMC there was a problem with the address books where everyone could see everyone, but that has been corrected. For MSCRM though, the add multiple user interface shows all users when you hit the lookup if you have not configured MSCRM correctly. I'll come back to this point later in the series when I talk about MOSS.

The Zen of Hosting: Part 3 - Hosted Messaging and Collaboration Overview

In part 2 I wrote about this technology called Hosted Messaging and Collaboration (HMC) and that it is delivered as a guidance package, but what is a guidance package? Well, for HMC it is a package with a number of components in it. First off, there is a central management and configuration system. This system is made up of an engine based on a COM+ object (?!), a set of web services, and a number of MSI files which get deployed to various other servers and handle interaction with those servers.

Next is a web based management console for the system; however, the web based management console is a prototype and comes with no official support from Microsoft. The advantage of the web based management console is that all the source code is provided, so you can either use it as a base for building your own or as samples to build integration into your existing management system. As a side note, there are a number of third party management consoles out there, which I would highly recommend looking into if you are reading this to build your own system.

The last part of the package is documents, documents and more documents. The SDK provided goes over all the systems in the engine and how to expand it, and is really useful (I'll cover why in part 5). However, more useful than that is the deployment guide, which takes you step by step through how to deploy the solution for a sample company. The only piece of documentation I would add to those is the unofficial consolidated deployment guide, which is additive to the actual guide but provides details on how to do HMC with only 8 servers instead of the 20+ you normally need!

To deploy HMC you really just step through the guide; however, it will take a number of days and a lot of diverse skills to get it right (expect to need a .Net developer, an AD expert, an Exchange expert and someone with clustering experience as the bare minimum), and you should end up with a working system which is the same as all others.

Expect severe punishment though for not following the guide word for word. For example, we initially tried to have a pure Windows 2008 Server x64 environment despite what the guide said, and we were punished. Unfortunately all that work had to be scrapped as HMC did not work. In the end the call to change the servers to match what the guide said enabled a semi-normal sleep life again.

Another example of not following the guide to the letter is that HMC is built on .Net 2.0 RTM; however, a fix included in 2.0 SP1 actually breaks HMC. That means you cannot install .Net 3.0 or 3.5 on any key HMC server, as they will install the service pack for you and bork HMC :( Patches do exist for this bug, but it may be worthwhile to wait for the upcoming 4.5 release of HMC if you are thinking about deploying this anytime soon.

HMC 4.5 Draws Nearer..

Finally an update on when HMC 4.5 is supposed to be released (the last bit of information, which came out in March, said end of May) and it is… a few more weeks :(

*sigh* Still, the latest news on the 4.0 to 4.5 upgrade is +60 days after release…

Specified method not supported

I had a great chance to write some kick ass Silverlight code last week as a proof of concept for a potential new business venture the company I work at is thinking about, and hopefully in 6 months to a year I will be able to talk about it. The final solution won't be Silverlight based, but for the POC it provided the delivery method, functionality and UI that gets the message across.


Part of that POC was to be able to have a local XML file (local as in on the server) loaded and parsed when the application was opened. The only way to do that is to use the WebClient class and call the DownloadStringAsync method with the URI to the XML file, and then parse the result into an XDocument. Not rocket science at all, but when I tried it I kept getting the message “An exception of type ‘System.NotSupportedException’ occurred in System.Windows.dll but was not handled in user code Additional Information: Specified method not supported.”

No matter what I tried I could not get it to work :( Eventually I figured out that it was only occurring when debugging/running from within Visual Studio. Publishing it to an actual web server and running it as a user would worked perfectly. This is a big issue for me, since it makes ad-hoc testing and debugging very difficult. Thankfully for me it was just a POC, but this could be a big pain for serious projects.
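The WebClient plus XDocument approach described above, as an added example and not the POC's own code: the control names (ItemList, Status), the file name items.xml and its shape are all assumed here.

```csharp
using System;
using System.Net;
using System.Windows;
using System.Windows.Controls;
using System.Xml.Linq;

// Added example, not the post's POC code. Assumes a Silverlight page whose
// XAML contains a ListBox named ItemList and a TextBlock named Status, and a
// file items.xml deployed next to the .xap shaped like
// <items><item name="..."/>...</items>. Needs a reference to System.Xml.Linq.
public partial class MainPage : UserControl
{
    public MainPage()
    {
        InitializeComponent();
        Loaded += delegate { LoadServerXml(); };
    }

    private void LoadServerXml()
    {
        // A relative URI resolves against the location the .xap was served
        // from, so the XML stays on the server and same-origin rules are met.
        var client = new WebClient();
        client.DownloadStringCompleted += OnXmlDownloaded;
        client.DownloadStringAsync(new Uri("items.xml", UriKind.Relative));
    }

    private void OnXmlDownloaded(object sender, DownloadStringCompletedEventArgs e)
    {
        // Check Error and Cancelled before reading Result: touching Result on
        // a failed request rethrows the original exception on the UI thread.
        if (e.Cancelled || e.Error != null)
        {
            Status.Text = "Could not load items.xml: " +
                          (e.Error == null ? "cancelled" : e.Error.Message);
            return;
        }

        XDocument doc = XDocument.Parse(e.Result);
        ItemList.Items.Clear();
        foreach (XElement item in doc.Root.Elements("item"))
        {
            // Cast rather than .Value so a missing attribute gives null, not a crash.
            string name = (string)item.Attribute("name");
            if (!string.IsNullOrEmpty(name))
                ItemList.Items.Add(name);
        }
        Status.Text = ItemList.Items.Count + " items loaded";
    }
}
```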

Leave your toolbox at home

So if you are an IT Pro or a developer worthy of that title, then you must have at least seen the stuff Mark Russinovich and his team built called Sysinternals, and if you have been around for long enough you have used them. Well, I keep my favourites on my flash drive, but sometimes I'll forget it or be roped into a situation where I wasn't expecting to need them.

Well, there is a solution for that now besides going to the web site and downloading them: it's called Live! Yip, Microsoft's hosted solutions have the tools in two forms. Firstly there is a file listing page, http://live.sysinternals.com, which just lists all the files, so in one click you can get the tool you need. But even better, it's also published as a file share! So if you open \\Live.sysinternals.com\tools you can actually browse a file share for the tool you need.

The Zen of Hosting: Part 2 - 40000 Foot View

So part 1 was the reasoning and the bulk of the non-technical content in the series; this post is about the high level view of the architecture. At its core a hosted network is just a normal network, except that it needs to service not only one organisation but multiple organisations. The biggest problem with this is that most networking technologies aren't designed for handling multiple organisations, and a core strategy for VirtualBox was to use Microsoft technologies (we are a Microsoft Gold Partner and that's where our strongest skills are as an organisation). So let's look at what that could mean:
  • User Management: Active Directory
  • Email: Microsoft Exchange Server 2007
  • Portal/Intranet: Microsoft Office SharePoint Server
  • CRM: Microsoft Dynamics CRM
  • Database: Microsoft SQL Server
  • ERP: Microsoft Dynamics GP

This shouldn't be a shocker of a list; in fact it's kind of the standard shopping list for any Microsoft based solution, but the problem is that some of these products don't easily allow multiple organisations to use them. So let's just start with the most commonly used item on that list: Active Directory, which in my view is also the least able to cope with multiple organisations.

Based on what I have seen, most large companies which have a need for multiple organisations in a single deployment seem to set up a forest and trusts and connect multiple domains together in the forest. This lets each domain be individually named and managed, provides the security for central administration and prevents each domain from doing anything to other domains. The problem with this is that it is multiple domains, which means that the administration overhead is very high; I think I would need at least a server per domain, and I really only want one because I don't want to deploy everything multiple times. Each service should be deployed once and used many times.

Well, Microsoft has actually solved this with an interesting solution named Hosted Messaging and Collaboration (HMC), which is currently in version 4.0. HMC is developed by the same division that developed one of my other favourite technologies, Customer Care Framework (CCF). HMC shares the same thought leadership as CCF. What I mean by this is they are taking very new or different ideas and providing a solution to deliver them. The solution for HMC is delivered in the same way as CCF, in that it is a guidance package.

Next time I will jump into what HMC is, and then after that we'll get back to how HMC allows us to take one AD domain and put multiple companies into it.


MSCRM 4.0 Developer Errors: My new pet hate

So if you follow all the posts on this site you'll know that I am involved with a hosted MSCRM system. This is a great system as it allows multiple customers to share a single deployment, and while it has separated most of the functions so that each customer is separated nicely, there are a few that are not. Developer errors are one of those: if you enable them, you enable them for all customers.

As a hosting provider I do not want to have to enable it globally, as it means that the user interface for an error is ugly, and I do not want to have to take individual support calls from customers to turn it on and off all the time.

This workflow job was canceled because the workflow that started it included an infinite loop

Found the best little tip for workflow creation in MSCRM 4.0. See, there is loop detection in the system which detects if the same workflow rule is called 8 times and, if it is, stops the workflow from running with the message: "This workflow job was canceled because the workflow that started it included an infinite loop".
This happens even where there is no infinite loop (i.e. when you have catered for it). Well, until today, when I stumbled across a post on the newsgroups which clarifies that it is only 7 times per hour. If you stay under that, so once per day or once per year, it won't fail.

You can read the actual post at: http://forums.microsoft.com/Dynamics/ShowPost.aspx?PostID=3021749&SiteID=27

MSDN Library Broken

So if you install the Internet Explorer 8 demo and you use Visual Studio, you will find that help gets broken. All that is happening is that the hxds.dll which dexplorer.exe needs gets provisionally blocked from running. The easiest way to fix it is to start the MSDN library outside of Visual Studio, and you should get prompted to run the add-on. If you run it, Internet Explorer will then be happy with it and the MSDN library will start to work.

Duplicating the ReportServer virtual directory

I watched a guy (who doesn't work with me, he works for another company) today duplicate a SQL Reporting Services ReportServer virtual directory by saving the existing one to file using normal IIS and creating a new one. There is a decent enough reason for doing this, but that doesn't matter.
This failed, badly. Reporting Services kept complaining about not being able to find the <server path>/REPORTSERVER/bin folder.

The solution to this actually was to remove the folder he created, use the Reporting Services Configuration tool to create a new one and then do an IIS reset (thanks Bruce for the IIS reset). This created a perfectly working report server folder, and with the original one left untouched it continued to work correctly.