Solved

OWA on Separate Machine from Exchange 2003?

Posted on 2004-09-20
Last Modified: 2012-06-21
Is there a way to install OWA (merely the front-end) on a separate server to that running Exchange 2003 (such as one with Windows 2003 only and not Exchange)? We are experiencing performance issues with clients running Outlook Web Access, which accesses the Exchange machine in our office.

We have a 2mb leased line, and a sonic to sonic VPN to our other servers, hosted offsite in a datacentre with much better connectivity.

What I wanted to know is whether it is possible / advisable to move some of the OWA components to our web server in the data centre and therefore hopefully resolve the performance issues. I suspect the performance issues are network related as our Exchange server is brand new and quite hefty (2x2.8Ghz Xeon, 2Gb RAM, RAID 10). The specific issue we are having is that the login page takes ages (5-10+ seconds) to load, and thus is irritating our users who want to access services from offsite.

I have seen this:

Topology
For the most efficient deployment of the most users per server, it is recommended that Outlook Web Access is moved off the Exchange server and deployed separately on proxy servers, so that requests are forwarded to Exchange. Consider Outlook Web Access and Exchange as two different workloads.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnoutweb/html/owaperf.asp

But no indication of how to offload OWA only to a separate machine.
Question by:jbreg
LVL 104

Expert Comment

by:Sembee
Unlike Exchange 5.5 you need to install a full version of Exchange on to another machine for OWA access, then tell Exchange it is a frontend server. This is known as a frontend/backend scenario. With Exchange 2003 the backend can be standard edition of Exchange - with previous versions it had to be Enterprise.

I tend to put OWA on something like a HP DL140 (cheap 1U server).

How many users do you have accessing that machine? What sort of load is it under?

Simon.
 

Author Comment

by:jbreg
Simon,

Hmm..I don't have another server that I can devote to exchange at the moment. To be honest right now we have 10 users, and only 1 that uses OWA (we plan to grow this). That's why I suspect it's a network problem but am having trouble troubleshooting it. We have a 2mb leased line which goes into a Cisco 1721, which then goes into a SonicWall TZ170 (Standard OS) then our DHCP/file/print AD DC machine, then the Exchange Server. One to one NAT is set up on the SonicWall.

What's the best way to begin to dissect this problem and see what's causing performance issues?

Jay
 
LVL 104

Expert Comment

by:Sembee
10 users isn't enough to justify a frontend/backend scenario. I have clients with 10 times that many with one server and it is fine.

I would start sniffing through the event logs - specifically looking for timeout issues.
I strongly suspect some traffic is going to the other site. DNS is the first thing to look at (as always).
Is this slow response noticeable both on and off network?

Simon.
 

Author Comment

by:jbreg
Simon,

There appear to be performance issues both internally and over the net, although the former is a bit faster. Particularly, I am using forms-based authentication and the login screen takes a good 5 seconds to load, which I don't think should be the case on a server of this power with the connectivity it has.

What in particular ought I be looking for on the event logs, and in which logs (app, system, etc)?
When you say you suspect some traffic is going to the other site, what do you mean? I haven't set up a front-back scenario so there is only one server...although we do run a DNS server on the Domain Controller here--what should I check there?

I really appreciate the help.

Jay
 
LVL 104

Expert Comment

by:Sembee
You indicated that you have servers in a datacenter offsite. Windows has a habit of talking to domain controllers or other servers that happen to be on the other end of a slower connection. (2mb isn't slow, but it is compared to a LAN). This isn't by design just seems to happen.

Therefore I am wondering if Exchange has attached itself to a GC in the datacenter and is asking that server for authentication. Look in ESM to see which GC the server is currently using.

As for which event logs to look for - that is a little difficult as it is a bit of a "fishing trip". For an experienced Exchange admin a quick scan down the system and application logs will be enough - I can spot an event entry that looks suspicious very quickly. Red and Yellow will be ones that require closer inspection.
 
What you might find is an error about something else, but it gives an indication of the problem. DNS timeouts for example are a good example - looking at the text of the message could point out an error with replication, which could mean there is a problem with the servers talking to each other (that is an example).

I cannot tell you exactly what to look for as there could be any number of causes - it is a little bit of detective work to rule out certain things. One of the problems of using this kind of support.

Simon.
 

Author Comment

by:jbreg
Simon,

The DC is in our office (It's the DC and Exchange both here) the leased line goes out to the net and also connects us via sonic-sonic vpn to SQL/WWW/Mapping/and two red hat machines.

Can you be a bit more specific about how to find the GC in the ESM--what's a GC?

There are certainly errors in the logs, I will post them shortly...

Jay
 
LVL 104

Expert Comment

by:Sembee
GC - Global Catalog. If you only have one server doing both Exchange and DC then Exchange will only look at itself for domain information - it will never look elsewhere.

Exchange doesn't like being on a domain controller - it is no longer recommended. The preference is to have Exchange on a member server. However the only way you can change it now is to remove Exchange - it isn't supported to change a machine's role once Exchange has been installed - ie if it was a member server at install point it should stay a member server. If a DC then it must stay a DC.

The event log errors might be interesting to see - make sure you get the text as well - error codes alone aren't much use.

Simon.
 

Author Comment

by:jbreg
Simon,

I should have been more clear--I have 1 Server that Acts as DC in the Office and a separate Exchange box. ESM is showing that it is using only the correct DC and shows no others.

Here are some persistent errors:

The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{35276CBC-EA0B-404B-B03D-884F16A68CBA}. The backup browser is stopping.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

Author Comment

by:jbreg
Simon,

There are LOADS of browser errors, (described above) and there are also LOADS of DNS information (white and yellow) indications such as those below:

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

   Adapter Name : {35276CBC-EA0B-404B-B03D-884F16A68CBA}
   Host Name : tbex01
   Adapter-specific Domain Suffix : ecourieruk.local
   DNS server list :
           10.0.10.1
   Sent update to server : 192.175.48.1
   IP Address : 10.0.10.2

 The reason that the system could not register these RRs was because (a) either the DNS server does not support the DNS dynamic update protocol, or (b) the authoritative zone where these records are to be registered does not allow dynamic updates.

 To register DNS pointer (PTR) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Also there is this:

The memory settings for this server are not optimal for Exchange.

 For more information, click http://support.microsoft.com?kbid=815372

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Note that I have added the /3GB /Userva=3030 to boot.ini but have not edited the registry setting that is also recommended.

 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
What is this: 192.175.48.1? Is that an external DNS server? ISP or something like that?

In AD you should have NO external DNS servers listed. All clients should be pointing to the domain controller. The domain controller should be pointing to itself ONLY. If the Exchange server is trying to ask a remote server for DNS information then that would cause delays.

Can you clarify please?

Simon.
 

Author Comment

by:jbreg
Simon,

The honest answer is I don't know--192.175.48.1 responds to a ping so it's on our network but I can't figure out which computer it is. How do I confirm and change it so that the DC is pointing to itself only and that exchange is not seeking DNS from elsewhere?

Jay
 
LVL 104

Expert Comment

by:Sembee
The reason you can ping that IP address is because it is a root DNS server. I didn't recognise the IP address to start with.

OK... on to the DNS settings.

In Network settings of your network card on the domain controller, go down to DNS and verify that it is set to the same IP address of the server itself.

For example...
If your server is 192.168.45.1 then the DNS server needs to be set to 192.168.45.1
If you have a second domain controller (192.168.45.2) then put that IP address in the secondary.

On the Exchange server repeat the process. 192.168.45.1  as primary and 192.168.45.2 as secondary.
If you have more servers in the domain then they also need to be set in this way.
If you are using DHCP to assign IP addresses, then adjust the DNS / name server settings as well.

Simon.
 

Author Comment

by:jbreg
1) Should I use forwarders on DNS on the AD machine?
2) Should I list the internal or external NIC of the AD as the DNS setting, or both? Should I have both of Exchange's NICs use the AD DNS only?
3) Should I have external DNS configured in the SMTP virtual server properties on exchange?
4) Should clients use only the IP of the in-house AD DNS as their DNS server?

The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with Event IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate.

Is in the DNS log

along with

The DNS server encountered an invalid domain name in a packet from 195.74.102.147. The packet will be rejected. The event data contains the DNS packet.

Jay

 
LVL 104

Expert Comment

by:Sembee
Answers to questions...

1. No need unless you are having problems with DNS resolution. Windows 200x can do DNS resolution on its own quite happily.
2. Exchange has two NICs? That could be causing problems unless they are teamed. I don't think Exchange likes dual NICs. DNS should be the DNS internal IP address only. As for the external NIC - I cannot remember (it's late here). I would be tempted to say no, but I cannot recall. Are you using the AD server as a gateway?
3. No
4. Yes

That IP address is allocated to a server on this side of the pond...

Simon.
 

Author Comment

by:jbreg
Simon,

All of our machines have two nics, internal and external. For exchange 10.0.20.6 is the external IP which is one-to-one Nat-ed on our Sonicwall so that external clients can access it.

Should the AD listen for DNS only on the internal adapter or on the external NIC as well?

What is a "teamed" NIC?

Yes, the AD server is a gateway for, inter alia, the Exchange machine and other clients on the network.

So DHCP should not be configured to use the AD DNS as well as external servers? What if the AD goes down?

I have taken off forwarders, and external DNS off the SMTP server.

No idea what that IP addy is trying to do or where it's from--but there are multiple log entries. Is the other entry normal?

Jay
 
LVL 104

Expert Comment

by:Sembee
A teamed NIC is where two network cards work together as one - same IP address etc. It can increase the network bandwidth to the server. With the increase of gb networking teaming of network cards has become less common.

Having dual NICs in all the machines is certainly a curious installation - not something I would have done.
Multiple network cards can cause problems with Exchange. Default gateways is one of the main problems - it can easily confuse the TCP/IP stack. You have to be so careful with the configuration to get it right.

Take a look at the fixes in this article at Microsoft. While it isn't your problem I think the resolutions might help.
http://support.microsoft.com/default.aspx?kbid=325923

The error message with the IP address could be an attempted virus attack or a misconfigured machine. What you might want to do is use something like www.geektools.com to see who owns the IP address then email them to find out whether there is something wrong.
The other error could be down to the dual NICs.

Simon.
 

Author Comment

by:jbreg
Simon,

I will browse those. In the meantime, I think the page load time for the OWA login page and actual content is still pretty high even with these changes--what else should I look at?

Jay
 

Author Comment

by:jbreg
BTW, regarding "The DNS server encountered an invalid domain name in a packet from 195.74.102.147": the IP address is that of our ISP for the leased line...

Jay
 
LVL 104

Expert Comment

by:Sembee
What is that IP address assigned to? Is it something that could be doing DNS lookups? Firewall, router etc?

This is sounding like the underlying networking is wrong and the servers are getting confused. On a small network like this you shouldn't have problems unless the packets are getting lost or going elsewhere.

Simon.
 

Author Comment

by:jbreg
I have asked our ISP and will post a response...
 

Author Comment

by:jbreg
From my ISP...

The IP Address 195.74.102.147 is one of our Name servers used by customers for DNS lookups on leased lines, dial-up etc. Why you should be getting errors is unclear without understanding how your internal network is set up.
I have checked that Name server and have found no errors or configuration problems and no other complaints have been raised with anyone experiencing problems with it.

Any Ideas? OWA performance is still very very slow...
 
LVL 104

Expert Comment

by:Sembee
Have you put that IP address anywhere in your network configuration? Routers, firewalls, servers, DNS config, anywhere at all?

Simon.
 

Author Comment

by:jbreg
Simon,

Since they manage our 1721 router (ie I don't have access to it) I would guess it is probably in there...

Jay
 
LVL 104

Expert Comment

by:Sembee
I expect it would be, but there is no reason why DNS traffic from the router would be coming inside unless something inside was requesting it.
Have you looked elsewhere on your network? It could be in all sorts of places - don't forget things like networked printers (HP LJs with JetDirect cards) etc.

Simon.
 

Author Comment

by:jbreg
Simon,

I will check everything on the network this weekend and post a response.

Jay
 

Author Comment

by:jbreg
I have checked, found someone had put another ISP's DNS servers in DHCP config, and removed them. Whatever happened in the course of following all the above instructions, performance vastly improved, so, problem solved.
0
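
The two checks this thread ended up relying on, as an added example that is not from either poster: parsing the posted PTR-registration event to spot a dynamic update sent to a server outside the host's configured DNS list, and auditing DNS settings against the rule that every system points only at the domain controller. The inventory, the 203.0.113.53 resolver, and the assumption that 10.0.10.1 is the domain controller are constructed for illustration.

```python
import ipaddress
import re

# Excerpt of the event text posted in the thread (PTR registration failure).
EVENT_TEXT = """\
   Host Name : tbex01
   DNS server list :
           10.0.10.1
   Sent update to server : 192.175.48.1
   IP Address : 10.0.10.2
"""

# Constructed inventory (assumption); 203.0.113.53 is a documentation address.
RESOLVER_CONFIG = {
    "dc (NIC)": ["10.0.10.1"],
    "tbex01 (NIC)": ["10.0.10.1"],
    "dhcp scope (DNS servers option)": ["10.0.10.1", "203.0.113.53"],
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal(addr):
    """True if addr falls in an RFC 1918 private range."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def parse_ptr_event(text):
    """Pull host, configured DNS servers and update target out of the event text."""
    host = re.search(r"Host Name\s*:\s*(\S+)", text)
    target = re.search(r"Sent update to server\s*:\s*(\S+)", text)
    # The server list is every address between its label and the next label.
    servers = re.search(r"DNS server list\s*:(.*?)Sent update to server", text, re.S)
    return {
        "host": host.group(1) if host else None,
        "dns_servers": IP_RE.findall(servers.group(1)) if servers else [],
        "update_target": target.group(1) if target else None,
    }


def audit_ptr_event(text):
    """Flag a dynamic update sent to a server the host is not configured to use."""
    ev = parse_ptr_event(text)
    target = ev["update_target"]
    if not target or target in ev["dns_servers"]:
        return []
    where = "internal" if is_internal(target) else "outside RFC 1918 space"
    return [f"{ev['host']}: update sent to {target} ({where}), not in its DNS server list"]


def audit_resolvers(config, domain_dns):
    """Map each entry to the DNS servers it lists that are not domain DNS servers."""
    extra = {k: [s for s in v if s not in domain_dns] for k, v in config.items()}
    return {k: v for k, v in extra.items() if v}
```

Calling `audit_ptr_event(EVENT_TEXT)` and `audit_resolvers(RESOLVER_CONFIG, ["10.0.10.1"])` returns the findings; an empty result from both means every listed system resolves only through the domain DNS server.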
