Solved

Exchange 2010 Mailbox Resiliency question

Posted on 2010-11-26
Last Modified: 2012-05-10
Hi,

We are planning to migrate from Ex 2003 Ent to Exchange 2010 Standard SP1

I am currently getting quotes for licenses and CALs.

We have an Exchange 2003 active-passive cluster for HA.

I have noticed that Exchange 2010 brings something new named Mailbox Resiliency which includes a set of features for HA.

I am trying to figure out the number of Exchange 2010 Standard licenses that we need in order to keep the same type of HA solution that we have with Exchange 2003 (active-passive cluster).

I am assuming that with Mailbox Resiliency no matter which path you choose you are going to have a minimum of 2 servers (2 Ex 2010 lic) in order to implement HA.

Could someone let me know if that is correct?

Thank you
Question by:llarava
15 Comments
 
LVL 14

Accepted Solution

by:
BigBadWolf_000 earned 167 total points
ID: 34218777
Yes you will require one license per exchange server and for HA you will need two
Do a basic Exchange install on each server (Mailbox, CAS, and Hub). Setup a CAS Array and assign it to the mailbox

New-ClientAccessArray -Name "CAS Array" -Fqdn "exchange.domain.com" -Site "Default-First-Site-Name"
Set-MailboxDatabase DatabaseName -RpcClientAccessServer "exchange.domain.com"

Setup a DNS record pointing exchange.domain.com to your hardware load balancer. Then setup your DAG, create mailbox copies, and you're all done.

White paper and info on MR below....
http://www.microsoft.com/exchange/2010/en/us/mailbox-resiliency.aspx

http://technet.microsoft.com/en-us/library/dd638137.aspx

Calculator
http://msexchangeteam.com/archive/2009/11/09/453117.aspx
0
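The "setup your DAG, create mailbox copies" step from the answer above, sketched as an added example for the Exchange Management Shell (not part of the original answer). All names and addresses (DAG1, EX1, EX2, FS1, DB1, the witness directory, 192.0.2.50) are placeholder assumptions.

```powershell
# Added illustration; run in the Exchange Management Shell on Exchange 2010 SP1.
# Placeholders (assumptions): EX1/EX2 = the two Exchange servers,
# FS1 = a third machine used as file share witness, DB1 = an existing database on EX1.
$dagName  = 'DAG1'
$members  = 'EX1', 'EX2'
$witness  = 'FS1'
$database = 'DB1'

# DAG members use Windows failover clustering, which on Windows Server 2008 R2
# requires the Enterprise edition of the operating system.
# A two-member DAG needs a witness server that is not itself a DAG member. If the
# witness is not an Exchange server, the "Exchange Trusted Subsystem" group must be
# added to its local Administrators group before the DAG is created.
New-DatabaseAvailabilityGroup -Name $dagName `
    -WitnessServer $witness `
    -WitnessDirectory 'C:\DAG1-FSW' `
    -DatabaseAvailabilityGroupIpAddresses 192.0.2.50   # placeholder address

# Join both mailbox servers to the DAG (this also installs failover clustering).
foreach ($server in $members) {
    Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer $server
}

# Seed a passive copy of the database on the second server.
Add-MailboxDatabaseCopy -Identity $database -MailboxServer 'EX2' -ActivationPreference 2

# Check that the copy is healthy and the queues are draining.
Get-MailboxDatabaseCopyStatus -Identity $database |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize

# Run the built-in replication checks on each member and list the results.
foreach ($server in $members) {
    Test-ReplicationHealth -Identity $server |
        Format-Table Server, Check, Result -AutoSize
}
```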
 

Author Comment

by:llarava
ID: 34218854
We have about 500 mailboxes in 2 Exchange 2003 (A-P cluster) and then two OWA servers with NLB.

Can we install the Exchange 2010 roles (mailbox, etc.) within 2 servers and implement HA Mailbox Resiliency? So 2 lic of Exch 2010 for this.

Then install CAS for OWA on 2 more servers and use NLB? If we do that we will need to buy 2 more Exch 2010 licenses?

Basically I would like to find a way to mimic what we have in Exchange 2003 in the new installation of Exchange 2010?    

Any suggestions?
0
 

Author Comment

by:llarava
ID: 34218883
Also the CAS server will be on the DMZ so I am not sure if we want to install CAS in the same box we are having the other roles.
0

 
LVL 10

Assisted Solution

by:dhruvarajp
dhruvarajp earned 167 total points
ID: 34219349
2 servers give you Mailbox Resiliency, however when you install all three roles in a DAG member
you cannot use NLB to load balance the CAS/HT component on the same server (failover cluster and NLB cannot be used together). To load balance CAS/HT you might want to use a hardware load balancer.

In other words,
if you have a "pair of exchange servers will have all three roles installed and dag configured" behind a load balancer you will get high availability for all three components

 
0
 

Author Comment

by:llarava
ID: 34219502
We have the OWA 2003 servers with NLB sitting on the DMZ. But we don't have a reverse proxy solution. We are just NATing the OWA servers from a public IP to an IP on the DMZ.

public IP - NAted to - 172.30.1.X  

I could see that if we go with 2 CAS servers with NLB we could use public IP's and use NAT and place them in the DMZ 172.30.1.X (front end) then connect them to the other servers that will be sitting in our Internal network.

Could the same setup be also implemented with the CAS servers if we decided to go with a HLB and 2 Exchange servers?

0
 

Author Comment

by:llarava
ID: 34219581
Doing some reading I have found that placing CAS servers in the DMZ is not supported. Exchange 2003 was the last version to support putting Front-End/CAS in a DMZ. There cannot be any firewalls between CAS & Mailbox servers.

Unfortunately the budget is not going to be flexible enough to get a 2 TMG/ISA servers + HDLB + Exchange CALs + Exchange Mailboxes CALs + Office 2010 Cals, etc...

Are there any other alternatives?



0
 
LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 166 total points
ID: 34272546
I am not sure how to continue with this topic.

If you have to have HA at every point and keep your security, you will need

Internal
2 MBX
2 CAS/HB



DMZ
2 ISA/TMG


you can save that 2 ISA server if you decide to compromise it to directly NAT them to the internal


======================

OK, now we know your budget cannot cope with it.

So let's explore another option.

There is a software out there, called CA Arcserve HA (was called Xosoft)
http://arcserve.com/us/highavailability.aspx


This software will be able to let you run everything in one server and mimic it to another server

so

SERVER A
Windows Standard 2008 r2
Exchange Standard 2010  (no enterprise) MBX/HUB/CAS
CA Arcserve D2D


SERVER B
Windows Standard 2008 r2
Exchange Standard 2010  (no enterprise) MBX/HUB/CAS
CA Arcserve D2D





This software will sort out your High Availability with all roles, and of course, you need to test how much "high availability" you want to achieve.


My experience with the product is good so you probably want to try it to see whether it fulfils your requirement.



0
 

Author Comment

by:llarava
ID: 34273610

Option A

Internal
2 MBX
2 CAS/HB --> Microsoft NLB configured


DMZ
2 ISA/TMG

OR

Option B

Internal
2 CAS/HB/MBX
1 Hardware Load Balancer

DMZ
2 ISA/TMG

In either option:

I will save that 2 ISA server and directly NAT them to the internal

Note: I prefer not to introduce any other piece of software also Hardware LB solution is suggested in the MS site.

Questions:

A- What are the risks and issues that I can have if I have to go with NATing internally without a Reverse Proxy?
B- Regardless of the Reverse Proxy which do you think seems more reliable, why?
C- We do not own a RP solution - Besides Exchange can you think of any other ways that we could use this in the company?

Thank you!
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 34275413
okay

ISA/TMG will give you a few benefits.
1. your exchange server is not exposed directly to internet.
2. other SSL acceleration, encryption, bridging, offloading, etc.

Refer more to
http://technet.microsoft.com/en-us/library/bb266987%28EXCHG.80%29.aspx

so your question
A: risk is your host is exposed to internet directly; issues don't come in until your host is compromised. But don't think Exchange itself is not secure. It is just an EXTRA layer of protection.

Imagine, you not only protect your OWA/ActiveSync, you also need to protect your hub server as it is also directly exposed to internet.


B: having exchange to run directly as itself give you less dependency on another piece of software.

I have clients that run without Reverse Proxy on CAS and they run fine, but some form of protection on SMTP is provided; you can outsource this "Edge Server" part to others like mailguard.com.au

C. you can utilise ISA in a lot of parts
like secure SMTP filtering,
web page publishing,
internal client/web proxy from workstation


more reading refer to
http://technet.microsoft.com/en-us/library/cc526343.aspx
http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/features.aspx



introducing ISA is like introducing another layer of protection as it is a software/application layer firewall
0
 

Author Comment

by:llarava
ID: 34275714
Thanks. We have about 400 mailboxes and we outsourced our mail AV with Postini Services. From the options I gave in post ID:34273610, which option do you think is a better approach? What are your clients generally doing in order to deploy a cost-effective solution?

I don't know if someone here is familiar with Postini but I wonder if using Postini will change anything on the scenarios that were provided before? I would appreciate if someone can provide some input about this as well?

0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 34277026
I am not a Postini expert so I cannot comment on that.

But by reading it, it at least protects your email from internet,



so having website having the internet, you actually reduce a lot of potential intruder knowing your smtp server.


but again, you need to check with postini whether you can do it or not, but by my reading, it says it can.


In this case, you probably can choose not to use ISA.
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 34288939
Hi Luis.

Thank you for messaging me to come and have a look at this question. I will review it this evening (about 6 hours away) and post back here.

Thanks

Andy
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 34291021
Luis,

I see the question has been answered correctly and to your satisfaction. I agree with the accepted answer.

Andrew
0
