Hosting Multiple Domains
In the simplest topology, you do not need to configure the front-end server beyond designating it as a front-end server. However, if you are hosting multiple domains, organizations, or public folder trees, you may need to create additional virtual servers or directories.
Before Exchange Server 2003 SP1, for each domain you host, you must have a unique virtual server or directory so that users with e-mail addresses from those domains can log on to the appropriate virtual server or directory. There are two methods you can use to configure the HTTP virtual servers when hosting additional domains:
Method one: Create additional virtual servers
Method two: Create additional virtual directories
In the following methods, your default Exchange domain is microsoft.com, and you are hosting mailboxes for adatum.com and public folders for contoso.com. The methods describe how to configure your front-end and back-end servers for these hosted companies.
Note
In Exchange Server 2003 Service Pack 1, you are no longer required to create additional virtual servers and virtual directories for different SMTP domains. However, there may be other logistical or aesthetic reasons for using multiple virtual directories and virtual servers. For more information about the Outlook Web Access logon and SMTP domain, see "Logging on to Outlook Web Access" in Supporting HTTP Access.
Method One: Create Additional Virtual Servers
In this method, you create a virtual server for each domain you host. For example, you have three HTTP virtual servers on each server that is running Exchange: one is the default Exchange virtual server, one is the virtual server for adatum.com's mailboxes, and one is the virtual server for contoso.com's public folder tree. This method allows for maximum flexibility in determining the resources available to each domain.
Each HTTP virtual server must have a unique combination of IP address, host header, and port. The host header is the DNS name of your Web site. For example, if users access your Web site by typing https://www.contoso.com/example in a browser, the host header is www.contoso.com. By specifying the host header for the virtual server, you can host multiple Web sites using the same port and IP address combination because the host header ensures uniqueness. However, if you try to create a virtual server that has the same combination of these settings as another server, the new virtual server will not start.
When additional virtual servers are set up and sessions are non-encrypted, client requests are routed to the correct virtual server as follows:
The client connects to the front-end server.
The server receives a packet that contains the IP address, requested port, and host header.
The server uses this information to find the appropriate virtual server to handle the request.
When a user's request is routed to the correct virtual server, there is no guarantee that the user will be able to successfully access Outlook Web Access. To log on to the virtual server, the user must also have an e-mail address from the SMTP domain that is associated with the virtual server. Each virtual server and each virtual directory that points to mailboxes is associated with a specific SMTP domain. Therefore, when you create additional virtual servers that point to mailboxes, you must associate the virtual server with the appropriate domain. (Exchange Setup associates the default Exchange HTTP virtual server with the default Exchange domain; this default cannot be changed.)
After the user's request is routed to the correct virtual server, the process continues as follows:
The virtual server uses the user's authentication credentials to look up the user in Active Directory.
If the user has an e-mail address from the SMTP domain associated with this virtual server, the virtual server allows access. Otherwise, the virtual server denies access.
Note
Using the authentication credentials to look up the user's SMTP proxy address works only if authentication is enabled on the front-end server. If authentication is not enabled, the server uses the alias specified in the URL (because accessing Outlook Web Access through a front-end server with pass-through authentication requires the user to enter an explicit logon in the format https://server/exchange/user). Then, to form the proxy address, the server combines the alias with the SMTP domain on the virtual server properties.
Note
When SSL is used, the host header is contained in the encrypted part of the packet; only the IP address and port are available in the unencrypted part. To determine which SSL certificate to use to decrypt the data, the server must be able to determine the appropriate virtual server with a unique combination of IP address and port. Therefore, when SSL is used (such as when the front-end server is deployed on the Internet), the IP address must be specifically associated with the appropriate virtual server.
After you create the additional virtual server, you must create the Exchange and Public virtual directories under that virtual server.
For instructions about how to create virtual directories, see How to Add a Virtual Directory Under an HTTP Virtual Server in Exchange Server 2003.
Note
To enable the Change Password feature for your users, you must enable the feature on all virtual servers on the front-end. Each virtual server must contain a virtual directory named IISAdmPwd.
Method Two: Create Additional Virtual Directories
The second method to configure multiple hosted domains is to add a virtual directory for each domain. For access to mailbox stores, you must specify the domain in the properties of the virtual directory. For access to public stores, you must specify the root public folder. For your first hosted company, adatum.com, add a virtual directory under the default Exchange HTTP virtual server, with a name that uniquely identifies the hosted company, such as Adatum. In the properties of the virtual directory, click Modify, and then select adatum.com as the SMTP domain, just as you did for the virtual server. Users from adatum.com will now be able to connect to https://mail.microsoft.com/adatum/ to access their mailboxes.
Add another virtual directory for Contoso, and this time select Public folder and specify the public folder root for Contoso. Users from contoso.com will now be able to connect to https://mail.microsoft.com/contoso/ to access their public folders.
The main advantage to this method pertains to SSL. SSL certificates are issued for a specific host or domain name—in this case, mail.microsoft.com. When you have multiple virtual servers with different domain names (for example, mail.microsoft.com and mail.adatum.com), you need one SSL certificate for each domain, and that costs money. Because, in method two, clients access their data through a single domain—https://mail.microsoft.com—you save on the cost of the certificates in addition to the step of configuring SSL on each virtual server.
For detailed instructions on how to create new virtual directories, see How to Create Virtual Directories.
If you are hosting multiple domains, as explained in the first method for adding virtual servers, where a virtual server is created for each domain, it is recommended that you use the standard virtual directory names—"Exchange" for mailbox access (make sure to specify the domain again) and "public" for public folder store access. Do not create an "exadmin" virtual directory on any additional virtual servers; this is used only by System Manager and is not proxied by the front-end server.