

Exchange 2010 Mailbox Resiliency question

Posted on 2010-11-26
Medium Priority
Last Modified: 2012-05-10

We are planning to migrate from Ex 2003 Ent to Exchange 2010 Standard SP1

I am currently getting quotes for licenses and CALs.

We have an Exchange 2003 active-passive cluster for HA.

I have noticed that Exchange 2010 brings something new named Mailbox Resiliency, which includes a set of features for HA.

I am trying to figure out the number of Exchange 2010 Standard licenses that we need in order to keep the same type of HA solution that we have with Exchange 2003 (active-passive cluster).

I am assuming that with Mailbox Resiliency, no matter which path you choose, you are going to have a minimum of 2 servers (2 Ex 2010 lic) in order to implement HA.

Could someone let me know if that is correct?

Thank you
Question by:llarava
LVL 14

Accepted Solution

BigBadWolf_000 earned 668 total points
ID: 34218777
Yes, you will require one license per Exchange server, and for HA you will need two.
Do a basic Exchange install on each server (Mailbox, CAS, and Hub). Set up a CAS Array and assign it to the mailbox database:

New-ClientAccessArray -Name "CAS Array" -Fqdn "exchange.domain.com" -Site "Default-First-Site-Name"
Set-MailboxDatabase DatabaseName -RpcClientAccessServer "exchange.domain.com"

Set up a DNS record pointing exchange.domain.com to your hardware load balancer. Then set up your DAG, create mailbox copies, and you're all done.

White paper and info on MR below....
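
The DAG and mailbox-copy steps named at the end of the answer above, as an added example that is not part of the original post. The server, DAG and database names (EX01, EX02, FS01, DAG1, DB01), the witness directory and the IP address are hypothetical placeholders.

```powershell
# Added example for the Exchange 2010 Management Shell; all names below are hypothetical.
$dagName  = 'DAG1'
$members  = 'EX01', 'EX02'   # the two multi-role servers (Mailbox, CAS, Hub)
$witness  = 'FS01'           # file share witness: a third machine that is not a DAG member
$database = 'DB01'           # assumed to exist and be mounted on EX01

# DAG members rely on Windows failover clustering, so on Windows Server 2008 / 2008 R2
# the operating system must be Enterprise edition even when Exchange itself is Standard.

# With two members the node count is even, so quorum depends on the witness share.
New-DatabaseAvailabilityGroup -Name $dagName `
    -WitnessServer $witness -WitnessDirectory 'C:\DAG1FSW' `
    -DatabaseAvailabilityGroupIpAddresses 10.0.0.50   # constructed address

# Adding a member installs and configures the failover clustering component on it.
foreach ($server in $members) {
    Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer $server
}

# Seed a passive copy of the database on the second server.
Add-MailboxDatabaseCopy -Identity $database -MailboxServer 'EX02' -ActivationPreference 2

# Check every copy: the active copy should be Mounted, the passive copy Healthy.
$expected = 'Mounted', 'Healthy'
$problems = Get-MailboxDatabaseCopyStatus -Identity $database |
    Where-Object { $expected -notcontains "$($_.Status)" }

if ($problems) {
    $problems | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize
    Write-Warning "One or more copies of $database are not Mounted/Healthy."
} else {
    Write-Host "All copies of $database are Mounted or Healthy."
}
```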



Author Comment

ID: 34218854
We have about 500 mailboxes in 2 Exchange 2003 (A-P cluster) and then two OWA servers with NLB.

Can we install the Exchange 2010 roles (mailbox, etc.) within 2 servers and implement HA Mailbox Resiliency? So 2 lic of Exch 2010 for this.

Then install CAS for OWA on 2 more servers and use NLB? If we do that, will we need to buy 2 more Exch 2010 licenses?

Basically I would like to find a way to mimic what we have in Exchange 2003 in the new installation of Exchange 2010?    

Any suggestions?

Author Comment

ID: 34218883
Also the CAS server will be on the DMZ so I am not sure if we want to install CAS in the same box we are having the other roles.

LVL 10

Assisted Solution

dhruvarajp earned 668 total points
ID: 34219349
2 servers give you Mailbox Resiliency; however, when you install all three roles on a DAG member
you cannot use NLB to load balance the CAS/HT component on the same server (failover cluster and NLB cannot be used together). To load balance CAS/HT you might want to use a hardware load balancer.

In other words,
if you have a "pair of Exchange servers with all three roles installed and DAG configured" behind a load balancer, you will get high availability for all three components.


Author Comment

ID: 34219502
We have the OWA 2003 servers with NLB sitting on the DMZ. But we don't have a reverse proxy solution. We are just NATing the OWA servers from a public IP to an IP on the DMZ.

public IP - NATed to - 172.30.1.X

I could see that if we go with 2 CAS servers with NLB we could use public IPs and use NAT and place them in the DMZ 172.30.1.X (front end), then connect them to the other servers that will be sitting in our internal network.

Could the same setup be also implemented with the CAS servers if we decided to go with a HLB and 2 Exchange servers?


Author Comment

ID: 34219581
Doing some reading I have found that placing CAS servers in the DMZ is not supported. Exchange 2003 was the last version to support putting Front-End/CAS in a DMZ. There cannot be any firewalls between CAS & Mailbox servers.

Unfortunately the budget is not going to be flexible enough to get 2 TMG/ISA servers + HDLB + Exchange CALs + Exchange Mailboxes CALs + Office 2010 CALs, etc...

Are there any other alternatives?

LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 664 total points
ID: 34272546
I am not sure how to continue with this topic.

If you have to have HA at every point and keep your security, you will need



You can save those 2 ISA servers if you decide to compromise and directly NAT them to the internal


OK, now we know your budget cannot cope with it.

So let's explore another option.

There is software out there called CA Arcserve HA (it was called Xosoft).

This software will be able to let you run everything on one server and mirror it to another server.


Windows Standard 2008 r2
Exchange Standard 2010  (no enterprise) MBX/HUB/CAS
CA Arcserve D2D

Windows Standard 2008 r2
Exchange Standard 2010  (no enterprise) MBX/HUB/CAS
CA Arcserve D2D

This software will sort out your High Availability with all roles, and of course, you need to test how much "high availability" you want to achieve.

My experience with the product is good, so you probably want to try it to see whether it fulfils your requirement.


Author Comment

ID: 34273610

Option A

2 CAS/HB --> Microsoft NLB configured



Option B

1 Hardware Load Balancer


In either option:

I will save those 2 ISA servers and directly NAT them to the internal

Note: I prefer not to introduce any other piece of software; also, a Hardware LB solution is suggested on the MS site.


A - What are the risks and issues that I can have if I have to go with NATing internally without a Reverse Proxy?
B - Regardless of the Reverse Proxy, which do you think seems more reliable, and why?
C - We do not own an RP solution - Besides Exchange, can you think of any other ways that we could use this in the company?

Thank you!
LVL 37

Expert Comment

by:Jian An Lim
ID: 34275413

ISA/TMG will give you a few benefits.
1. Your Exchange server is not exposed directly to the internet.
2. Other: SSL acceleration, encryption, bridging, offloading, etc.

Refer more to

So, your questions:
A: The risk is your host is exposed to the internet directly; issues don't come in until your host is compromised. But don't think Exchange itself is not secure. It is just an EXTRA layer of protection.

Imagine, you not only need to protect your OWA/ActiveSync, you also need to protect your hub server, as it is also directly exposed to the internet.

B: Having Exchange run directly by itself gives you less dependency on another piece of software.

I have clients that run without a Reverse Proxy on CAS and they run fine, but some form of protection on SMTP is provided; you can outsource this "Edge Server" part to others like mailguard.com.au

C. You can utilise ISA in a lot of ways,
like secure SMTP filtering,
web page publishing,
internal client/web proxy from workstations.

For more reading refer to

Introducing ISA is like introducing another layer of protection, as it is a software/application layer firewall.

Author Comment

ID: 34275714
Thanks. We have about 400 mailboxes and we outsourced our mail AV with Postini Services. From the options I gave in post ID:34273610, which option do you think is a better approach? What are your clients generally doing in order to deploy a cost-effective solution?

I don't know if someone here is familiar with Postini, but I wonder if using Postini will change anything in the scenarios that were provided before? I would appreciate it if someone could provide some input about this as well.

LVL 37

Expert Comment

by:Jian An Lim
ID: 34277026
I am not a Postini expert so I cannot comment on that.

But by reading it, it at least protects your email from the internet,

so having website having the internet, you actually reduce a lot of potential intruder knowing your smtp server.

But again, you need to check with Postini whether you can do it or not, but by my reading, it says it can.

In this case, you probably can choose not to use ISA.
LVL 17

Expert Comment

ID: 34288939
Hi Luis.

Thank you for messaging me to come and have a look at this question. I will review it this evening (about 6 hours away) and post back here.


LVL 17

Expert Comment

ID: 34291021

I see the question has been answered correctly and to your satisfaction. I agree with the accepted answer.

