
Connecting Remote Servers in the same Exchange Forest

perinmike asked (Medium Priority, 579 Views, Last Modified: 2010-05-01)
I currently have 3 Exchange Servers in my organization.  There is one main server (the first exchange server in the forest) here at our headquarters.  I then have 2 remote servers at different locations.  We use pix firewalls for security.  The way we have our firewalls configured - each of the remote servers can contact our headquarters server but they cannot contact each other.  Our server at our headquarters can contact both servers.  Since the 2 remote servers cannot contact each other directly, they are unable to send mail to each other.  

What I would like to do is configure our main server at our headquarters to act as a bridgehead server to our remote locations.  I tried this by creating 3 separate routing groups each with one server.  However, I was unable to successfully configure the 2 remote locations to talk to each other.  I used the routing group connector and tried to link the 2 sites.  However, when I select the routing group that one of the remote hosts is on, it only allows me to select that remote server as a remote bridgehead, not the server at our headquarters.  Since the two remote servers do not have access to each other this does not work.  Please explain to me how to connect everything.  Do I just need to use the SMTP connector instead?

Let's assume your 3 RGs are Site1RG, Site2RG, and HQRG.

You will have to create an RGC as follows
RGC HQRG to Site1RG
RGC HQRG to Site2RG
RGC Site1RG to HQRG
RGC Site2RG to HQRG
SMTP Connector HQRG to Internet

Since there is no RPC connectivity between sites, you will want to disable public folder referrals (the little checkbox at the bottom).

So, if Site1 needs to get a message to Site2, it will go
Site1 --> HQRG --> Site2

Author commented:
OK,

This is what I had originally, minus the SMTP connector.  Two quick questions about setting up these routing groups.  When I set up these Routing Groups I set up the Remote Bridgehead as HQRG, right?  Does that mean that all email from Site1RG and Site2RG flows via the RGC to HQRG, or is it just email between these sites that flows via the RGCs?  Second question: since HQRG does have connectivity to both Site1RG and Site2RG, why can't it directly send email between Site1RG and Site2RG using its VPN connection?  Last, if I do indeed need to set up the SMTP connector to send routed email to the internet, can you let me know how to do so?  Thanks so much for the help and the quick response!

Author commented:
Update - Tonight I have tried what you said but am obviously doing something wrong.  I set up the RGCs from site to site.  However, when I try to email a user in Site2RG from Site1RG it never leaves Site1RG.  It shows up held in the queue "messages with an unreachable destination."  I would think if the RGCs were set up and working correctly the message should show held, if anywhere, in the HQRG queue.  Let me know what you think.  Thank you!
Perinmike -

The only thing I can think of is that you may have a link state problem where it was setup earlier.  That gets a little messy.  If you don't mind, download WinRoute and take a look at the bridgehead status for each site.  When you drill down in the tool, after opening one of the servers, you will want to see green arrows.  You will not want to see anything noting that the object was not found in Active Directory.
http://www.microsoft.com/downloads/details.aspx?FamilyID=C5A8AFBF-A4DA-45E0-ADEA-6D44EB6C257B&displaylang=en

Regarding Site1RG to Site2RG...it will go from (Site1RG bridgehead) to (HQRG Bridgehead) then from (HQRG Bridgehead) to (Site2RG Bridgehead).

When you create a routing group connector, it will prompt you to create it on the other side.  I usually rename them, and I forgot to note that I allow it to create them but also go back and rename them.  I messed up in my nomenclature.

So you will see:
RGC HQRG to Site1RG
  Local BH should be the HQRG server and Remote BH should be the Site1RG server
RGC HQRG to Site2RG
  Local BH should be the HQRG server and Remote BH should be the Site2RG server
RGC Site1RG to HQRG
  Local BH should be the Site1RG server and the Remote BH should be the HQRG server
RGC Site2RG to HQRG
  Local BH should be the Site2RG server and the Remote BH should be the HQRG server

This configuration will allow the systems to use the HQRG Exchange server in a hub and spoke type of model.

Each site will require an Active Directory DC and Global Catalog as well as a site with an assigned Active Directory subnet.  My assumption is that those have already been setup and configured.

I assume that you have something front-ending your Exchange system, such as an Ironport, McAfee Webshield SMTP, Trend Scanmail SMTP, or other anti-spam/anti-virus gateway as a smarthost.  You would setup the SMTP connector to only allow the HQRG server to send out (1st tab) to either the IP or DNS name of the smarthost, and then the address space would be * and the default cost is 1.
A brief article on the SMTP connector is here:
http://www.msexchange.org/tutorials/Configuring-SMTP-Connector.html

...and, if you have an LST/LSA problem you have two choices:
1)  Shut down all Exchange servers and then boot them back up.
2)  Obtain the remonitor.exe tool from Microsoft PSS and use it to scrub the Link State Table.
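The following is an added example written for this page (not code from Exchange, Microsoft, or any poster here). It models the four-connector hub-and-spoke layout listed above as a directed graph, because a routing group connector is one-way, and shows two things a practitioner wants to see: the path a Site1RG message takes through the HQRG bridgehead, and that a single connector marked DOWN in link state (the LST/LSA problem mentioned just above) leaves the message in the "unreachable destination" queue on the sending server. The server names HQ-EX1, S1-EX1 and S2-EX1 are made up.

```python
"""Added example: Exchange 2003 routing group connectors as a directed,
weighted graph with link state.  Illustrative model written for this
page, not Exchange's routing engine; server names are constructed."""
import heapq
from dataclasses import dataclass, field

UNREACHABLE = "Messages with an unreachable destination"


@dataclass(frozen=True)
class RGC:
    """A routing group connector is one-way: homed in local_rg, it delivers
    to remote_rg from local_bh to remote_bh.  The reverse direction needs
    its own connector, which is why the answer lists four of them."""
    name: str
    local_rg: str
    remote_rg: str
    local_bh: str
    remote_bh: str
    cost: int = 1


@dataclass
class Topology:
    connectors: list = field(default_factory=list)
    down: set = field(default_factory=set)  # connector names link state marks DOWN

    def add(self, rgc):
        self.connectors.append(rgc)

    def route(self, src_rg, dst_rg):
        """Least-cost path over connectors whose link state is UP.
        Returns the list of RGCs traversed, or None if no path exists."""
        best = {src_rg: 0}
        prev = {}
        heap = [(0, src_rg)]
        while heap:
            cost, rg = heapq.heappop(heap)
            if cost > best[rg]:
                continue  # stale heap entry
            if rg == dst_rg:
                break
            for c in self.connectors:
                if c.local_rg != rg or c.name in self.down:
                    continue
                new_cost = cost + c.cost
                if new_cost < best.get(c.remote_rg, float("inf")):
                    best[c.remote_rg] = new_cost
                    prev[c.remote_rg] = c
                    heapq.heappush(heap, (new_cost, c.remote_rg))
        if src_rg == dst_rg:
            return []
        if dst_rg not in prev:
            return None
        hops, rg = [], dst_rg
        while rg != src_rg:
            hops.append(prev[rg])
            rg = prev[rg].local_rg
        hops.reverse()
        return hops

    def queue_status(self, src_rg, dst_rg):
        """What the sending server's queue viewer shows for mail to dst_rg."""
        hops = self.route(src_rg, dst_rg)
        if hops is None:
            return UNREACHABLE
        return " -> ".join([src_rg] + [c.remote_rg for c in hops])


def hub_and_spoke():
    """The four-connector layout from the answer above.  HQ's SMTP connector
    to the Internet is not involved in intra-organization mail and is omitted."""
    t = Topology()
    t.add(RGC("RGC HQRG to Site1RG", "HQRG", "Site1RG", "HQ-EX1", "S1-EX1"))
    t.add(RGC("RGC HQRG to Site2RG", "HQRG", "Site2RG", "HQ-EX1", "S2-EX1"))
    t.add(RGC("RGC Site1RG to HQRG", "Site1RG", "HQRG", "S1-EX1", "HQ-EX1"))
    t.add(RGC("RGC Site2RG to HQRG", "Site2RG", "HQRG", "S2-EX1", "HQ-EX1"))
    return t


def bridgehead_hops(hops):
    """(local bridgehead, remote bridgehead) for each connector on the path."""
    return [(c.local_bh, c.remote_bh) for c in hops]


if __name__ == "__main__":
    t = hub_and_spoke()
    print(t.queue_status("Site1RG", "Site2RG"))  # Site1RG -> HQRG -> Site2RG
    print(bridgehead_hops(t.route("Site1RG", "Site2RG")))
    t.down.add("RGC HQRG to Site2RG")  # link state marks the hub's outbound leg DOWN
    print(t.queue_status("Site1RG", "Site2RG"))  # Messages with an unreachable destination
```

Note that the spoke never needs a connector to the other spoke: it only needs its own one-way connector to HQRG and HQRG's one-way connector onward, which is exactly the firewall rule set the question describes.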
I have a question about your network configuration.

Do you have a Site-to-Site VPN connection between the remote sites and the central site?
If the answer is yes, is there a compelling reason not to configure a Site-to-Site VPN connection between the two remote sites or configure the central PIX as a Multipoint VPN Hub and Spoke for the remote sites.

Dean

Author commented:
NetoMeter,

Thanks for the question.  Yeah, our security policies prevent remote sites from having VPN connections to each other.  That one comes from above me, so unfortunately I can't do that.  I am going to try flyguybob's suggestions later today and will post an update.  Thanks again for the responses.

Author commented:
flyguybob,

Yeah.... found a bunch of "object not found"s.  Probably an important thing to mention now that I didn't before: there was an Exchange Domain Server set up that someone uninstalled unsuccessfully.  This has been a huge problem.  Had to use an AD tool to clean it out.  Until now, I thought that server not being deleted correctly was finally out of the way.  Have a feeling some of these errors are from that server?  I'm going to be working on this over the weekend so I will have a lot more info then.  Thanks again for the help.
Take a look at KB 822931
http://support.microsoft.com/kb/822931

You may be able to "seize" some of those roles, such as the OAB, RUS, routing group master, etc.  You may have to rebuild the system folders.

Author commented:
OK -

Got it figured out.  Thanks for the latest article flyguybob - but I had already done those steps and I would find out later this was not the problem.  What I did was restart all the servers and the no object found errors cleared up.  I then used WinRoute to find that they had the same version information.  I sent an email from one remote site to the other successfully.  However I found that the version information would change quickly but then not update on the other servers - then I couldn't send email between sites anymore.

Looked into this and found it was from the Mailguard function being turned on on our PIX firewalls.  According to Microsoft this needs to be turned off.  Turned it off and right away the versions updated.  Appreciate all your help!  Attached is the article from Microsoft on the Mailguard protocol needing to be off in case anyone else needs to reference it.

http://support.microsoft.com/kb/320027/
Doh!
Good catch on the mailguard issues.  We had that between one of our sites and one of our other sites.  It does not like ESMTP, that is certain.  Link state information is Port 691 in the existing site and port 25 (SMTP message) between sites (routing groups).

Thanks,

Bob
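The following is an added example, written for this page and not taken from Microsoft, Cisco, or any poster in the thread. It is the check the last two posts imply: talk SMTP to a bridgehead across the firewall and see whether ESMTP survives the trip. PIX Mailguard (`fixup protocol smtp`) only passes the basic RFC 821 commands; the way it shows up on the wire is a greeting rewritten to asterisks and a 5xx reply to EHLO. Exchange 2000/2003 advertise the `X-LINK2STATE` verb in their EHLO response and use it to replicate link state between routing groups over port 25, so if that verb never reaches the other side the versions will not update, which is what the author saw. The asterisk-ratio banner test is a heuristic I chose; the host names and the sample transcripts are constructed so the classifier can be run offline.

```python
"""Added example: detect an SMTP fixup/Mailguard in the path to an Exchange
bridgehead.  Written for this page; banner heuristic and transcripts are
the author's assumptions, not Cisco or Microsoft documentation."""
import re
import socket

LINK_STATE_VERB = "X-LINK2STATE"  # ESMTP verb Exchange 2000/2003 use to replicate link state


def _masked(banner):
    """Heuristic (assumption): Mailguard rewrites the greeting text to asterisks."""
    text = banner[4:] if banner.startswith("220") else banner
    return len(text) > 0 and text.count("*") >= len(text) // 2


def analyze(banner, ehlo_reply):
    """Classify a server greeting plus the (possibly multi-line) reply to EHLO."""
    ehlo_ok = ehlo_reply[:3] == "250"
    verbs = set()
    if ehlo_ok:
        for line in ehlo_reply.splitlines():
            # lines look like "250-VERB args" or "250 VERB"; the first is the hello line
            verbs.add(line[4:].split(" ", 1)[0].upper())
    result = {
        "banner_masked": _masked(banner),
        "ehlo_accepted": ehlo_ok,
        "link_state_verb": LINK_STATE_VERB in verbs,
    }
    if result["banner_masked"] or not ehlo_ok:
        result["verdict"] = "SMTP fixup/Mailguard suspected: ESMTP is being blocked"
    elif not result["link_state_verb"]:
        result["verdict"] = ("ESMTP passes but %s is not advertised; "
                             "link state will not replicate over this path" % LINK_STATE_VERB)
    else:
        result["verdict"] = "ESMTP and the link state verb reach the server"
    return result


def _read_reply(rfile):
    """Collect one SMTP reply; the final line is 'NNN ' (space, not dash)."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            break
        line = line.rstrip("\r\n")
        lines.append(line)
        if re.match(r"^\d{3}( |$)", line):
            break
    return "\r\n".join(lines)


def probe(host, port=25, ehlo_name="probe.example", timeout=10):
    """Connect to a bridgehead, read the banner, send EHLO, classify.
    Uses the network; the offline demo below exercises analyze() instead."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="ascii", errors="replace", newline="")
        banner = _read_reply(f)
        f.write("EHLO %s\r\n" % ehlo_name)
        f.flush()
        ehlo = _read_reply(f)
        f.write("QUIT\r\n")
        f.flush()
    return analyze(banner, ehlo)


# Constructed transcripts: what an Exchange 2003 bridgehead answers directly,
# and what the same conversation looks like through a PIX with Mailguard on.
DIRECT_BANNER = "220 hq-ex1.corp.example Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready"
DIRECT_EHLO = ("250-hq-ex1.corp.example Hello [10.1.1.5]\r\n"
               "250-X-LINK2STATE\r\n250-XEXCH50\r\n250-SIZE\r\n250 OK")
MAILGUARD_BANNER = "220 *****************************************************0*0**0*0*0***0*****"
MAILGUARD_EHLO = "500 Command unrecognized"


def demo():
    """Run the classifier over both constructed transcripts."""
    return {"direct": analyze(DIRECT_BANNER, DIRECT_EHLO),
            "through_mailguard": analyze(MAILGUARD_BANNER, MAILGUARD_EHLO)}


if __name__ == "__main__":
    for path, r in demo().items():
        print(path, "->", r["verdict"])
```

If the verdict comes back as "fixup suspected", the fix is on the PIX, not in Exchange: the SMTP inspection is removed with `no fixup protocol smtp 25`, which is the change KB 320027 describes. Re-running the probe afterwards should show the banner intact and `X-LINK2STATE` in the EHLO list, and WinRoute should then show matching link state versions on both sides.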
Can you please expand on how to make the connector?  It seems complicated.  Can I please have it in layman's terms?
I don't monitor EE anymore and this post is 4 months late.  You likely figured it out or found an IT pro to assist.
http://support.microsoft.com/kb/822929
There is no such thing as laymen's terms in IT, unfortunately, BUT there are how-to guides.  It's easy to tell someone that their AC compressor grenaded internally, but when you tell them about the impeller shedding a blade, and the impeller is the pump that moves the freon, people's eyes glaze over.

