Deployment Design for Exchange 2010

I have an interesting situation and really could benefit from some serious help.
Background info:
     I admin a 2008 R2 SP1 functional level forest, running an Exchange 2003 server (MAILMAN01) with 300 user mailboxes and 50 system/conference mailboxes.  I have a brand new iSCSI SAN (10TB) on a gig-ethernet network, with four Dell R610s with 48GB of RAM each, all connected to the SAN.  
     I plan to deploy Exchange 2010 to co-exist with the single Exchange 2003 server indefinitely (for legacy dependency reasons, I cannot remove Exchange 2003).  I have two Exchange 2010 enterprise licenses.  The current smtp address ( is what's bound to the current Exch2003 organization, but the owners want to use a new smtp address ( on the new Exchange 2010 environment.
     Exchange 2010 will be virtualized ("virtually" no limit to guest configurations on memory and vCPU), and I need HA (failover, not load balancing) so I'm thinking about deploying two VMs where each is a combined role server (CAS, HUB & MBX) as part of a two-member DAG.  The Exchange 2003 USER mailboxes only will be moved to the new Exchange 2010 server.  However, the service accounts & conference room mailboxes will remain on MAILMAN.
     Remember that mail coming to the smtp address will continue to be routed to the Exchange 2003 server, while mail coming to will be routed to the new Exchange 2010 architecture.  These two Exchange platforms will be coexisting for the foreseeable future.

     Also, there is no DMZ to speak of.  We have a nice-sized cluster of identical firewall units that isolate us very well from the outside (save for what we allow in and out, of course).  I want to employ two Edge servers as well. I realize that the Edge server is designed to be placed into a DMZ, but it can be made to work on the private network too.  Do you see this as a benefit or a problem?  
1) Is the design the most sensible route to take given the small size of my network and the fact that I need HA?
2) After the user mailboxes are moved from MAILMAN01 to the new Exchange 2010 server, how will the design allow for both SMTP addresses to receive and send email?  In other words, how does my design support that and if it doesn't what's the best way to design this?
3) If my current design methodology is wrong, what would be a more efficient design to achieve the same goals? Will someone specify a better way to deploy this so that it meets the goals? Bear in mind that this is all in ESXi 5 hosts managed by vCenter/vSphere 5, by the way.

4) Does having the two, Edge servers provide additional HA benefit in the design?

Thanks, much!
pwindell Commented:
It can run inside the LAN just fine.  A lot of people don't have DMZs,...I've been doing this for over a decade and I have never run a DMZ,...I just "don't believe in them" personally.  You just put it on the LAN like any other machine and do a Reverse-NAT using SMTP with the firewall to the Exchange box.  Same with the other protocols,....POP3, HTML, HTTPS, IMAP, whatever you need.

So it can sit inside the LAN and you treat it just like you would an older "single" Exchange setup like you had with Exchange 2000 or 2003.   The "Edge" is just a "role",...and it basically means that it will be what everyone used to call the Bridgehead Exchange Server.   An Exchange Server can even run multiple Roles on a single Exchange.  You can deploy an Exchange environment with just a single box if you want; it would basically be "everything", Exchange doing all the "jobs".
First point: HA with Exchange 2010 can take more than two Exchange servers if you have all the roles installed on just two servers. The reason is that the technology to deploy DAGs interferes with the clustering used for the CASs. Please see

The solution is to continue to separate out your exchange to sets of CAS and DAGs… or get a hardware load balancer to sit in front of the CASs.

A good resource I like on this is


Second question: If you mean that you’re going from ‘” to “” as your new format, you still don’t have to worry about anything. Remember that email addresses are tied to mailboxes. Therefore mail will go to exchange server that houses the mailbox which is assigned that address. You can assign everyone those shiny new formats now and nothing different will happen. And you don’t have to wait until the user’s mailbox is migrated before assigning that person the new format. In fact, you will be making your life more difficult in doing so, since you won’t be using Email Address Policies to enforce a naming convention.

Third question: The old adage “be careful what you wish for” comes to mind. Especially when you’re going from one exchange server to many exchange servers with lots of new (well, ok, not so new.. but new to your email organization) technology. As far as vSphere goes… there is not much that vSphere will provide for server redundancy.. It will provide hardware ‘durability’ if you configure it with vMotion and all that other jazz (not a vmware guru).

Fourth question: Edge servers. I have never deployed edge servers before. I instead use a hosted spam filtering product by my upstream internet access provider for filtering and for email queuing, in the event that something happens to my WAN connection. Perhaps someone else could chime in on that.
MonterioAuthor Commented:
Okay, an HLB is definitely out of the question, so what about this for a design?

Use two ESXi5 hosts (host1 and host2), each one has the following:
1) Two virtual W2K8-STD-R2-SP1 guests, one for the MBX and the other for the HUB
2) One virtual W2K8-ENT-R2-SP1 guest VM for the CAS server

The database is installed to a mapped share on the iSCSI SAN

--Create a DAG for the MBX servers
--HA for the MBX servers is handled by Exchange
--A CAS array is created during the Exchange install and the clients point to the array's VIP.
--All database info is stored on the SAN, the VMDKs for each of the VMs are also stored on the SAN
--vMotion and HA are turned on

What do you think?
MonterioAuthor Commented:
...also, regarding the "Second Question" reply, I misstated.  I'm not changing the username portion of the smtp address.  It is "" right now for the old Exchange 2003 environment.  However, there will be a new address altogether when the Exch2010 install is completed and that will be called "".  The owners just wanted to use a different email address; there's no plan to do any AD forest changes...JUST an email address change.  

The plan is to keep the Exchange 2003 server with "" and have new email address messages routed to the Exchange 2010 setup with "".  

I am wondering how this will work?
Regarding the design, let me tell you now that I'm going to bow out. I'm still working on a 'more' redundant 2010 organization at my own company... and I chimed in originally because you were following down the EXACT same path I began. :) But I don't have enough experience to tell you if your new proposed design is valid. (Fortunately I do know when I don't have enough experience!)

Regarding the new domain name. That's a piece of cake, and will operate exactly as I described earlier with the username change.

Essentially you will add another “authoritative” domain name to your Exchange organization. You will most likely need to also change your Email Address Policy to reflect the new domain and have it update all your mailboxes. (It’s been a while since I’ve made any changes to the domain setup, and I don’t have access to my lab at the moment.) Depending on how gung-ho your boss is with the new identity, you will also need to change which domain is the default, so that when the employees send out emails, they will go out under the new domain name.

You do not need to wait until you introduce your new 2010 Exchange infrastructure before making this change.
MonterioAuthor Commented:
Good morning!

Thanks, Sommerblink for your contribution.  You've given me a good path to work from regarding the additional SMTP address space.   Thank you for being frank about the design.  I'll take an honest, "I don't know" over a b.s. answer any minute of the day.  I'm eagerly looking for help with the configuration.
You're making it sound more complex than it is.

Both Exchange are just within the same Exchange Organization.  No big deal there.

The fact that one is 2003 and one is 2010 means nothing, is irrelevant.

Exchange (any version) is fully capable of handling multiple Mail Domains (,,

Create the User accounts and let the Recipient Policy create the email address however it wants to.  Users can have multiple addresses, and all of them can be added automatically via the Recipient Policy.  All you have to do is go back to each User Account and designate which address you want to be the Primary Address for that User.

You can move Mailboxes back and forth between the mail servers however you want.  In reality it is totally irrelevant which mail server the mail box exists on.  All Exchange Servers in a single Exchange Organization interoperate together as a single entity.

Note, when mixing 2003 and 2010, you must use the management tool for 2010 on any changes you make, except for Public Folders, which are handled by the 2003 management tools.

Do not use the Exchange Management tools in Active Directory Users and Computers,...that is from 2003.  I believe in 2010 all that has been moved into the 2010 Management Tools directly and you need to change things there.

You'll want to verify that against documentation,...don't just rely on the fact that I told you that.
Only one Exchange will be the Bridgehead,...meaning all incoming mail, regardless of the mailbox location, will come into that Exchange first, which will then route the mail to the proper Exchange Server afterwards.

Outbound mail will leave directly out from which ever server it originated from unless you set one to be the upstream SmartHost of the other.
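The accepted-domain and address-policy steps that Sommerblink and pwindell describe above (add the new domain as authoritative, let the policy stamp both addresses on every mailbox, then pick the primary per user), as an added Exchange Management Shell example that is not part of the original thread. The thread's real domains are not shown on this page, so olddomain.example, newdomain.example, the policy name "Default Policy" and the mailbox "svc-fax" are placeholders, not values from the thread:

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on an
# Exchange 2010 server. Domain names, "Default Policy" and "svc-fax" are placeholders.

# 1. Make the organization authoritative for the new domain. Accepted domains are
#    org-wide, so the Exchange 2003 server accepts mail for it as well.
New-AcceptedDomain -Name "NewDomain" -DomainName "newdomain.example" -DomainType Authoritative

# 2. A policy created by Exchange 2003 must be upgraded once (recipient filter re-expressed
#    for 2010) before 2010 will manage it; from then on edit it only with the 2010 tools.
Set-EmailAddressPolicy -Identity "Default Policy" -IncludedRecipients AllRecipients

# 3. Stamp BOTH addresses on every mailbox. Uppercase "SMTP:" is the primary (reply-from)
#    address, lowercase "smtp:" a secondary proxy. %m is the mailbox alias.
Set-EmailAddressPolicy -Identity "Default Policy" `
    -EnabledEmailAddressTemplates "SMTP:%m@newdomain.example", "smtp:%m@olddomain.example"
Update-EmailAddressPolicy -Identity "Default Policy"

# 4. Optional: make the new domain the default for new accepted-domain lookups/outbound identity.
Set-AcceptedDomain -Identity "NewDomain" -MakeDefault $true

# 5. Per-mailbox exception, e.g. a service account that must keep the old domain as primary.
#    While the mailbox is under policy control its primary address cannot be changed, so
#    detach it from the policy first.
Set-Mailbox -Identity "svc-fax" -EmailAddressPolicyEnabled $false
Set-Mailbox -Identity "svc-fax" -PrimarySmtpAddress "svc-fax@olddomain.example"

# 6. Verify. Which server hosts the mailbox has no bearing on which domains it receives for;
#    the inbound bridgehead delivers to whichever server owns the mailbox.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType, Default
Get-Mailbox -ResultSize Unlimited |
    Select-Object Name, ServerName, PrimarySmtpAddress,
        @{ n = "Proxies"; e = { ($_.EmailAddresses | ForEach-Object { $_.ToString() }) -join ";" } } |
    Sort-Object ServerName
```

Step 2 only applies if the policy was created on Exchange 2003; a policy that already has a 2010-style recipient filter is unchanged by it. Whatever the firewall forwards TCP 25 to becomes the inbound bridgehead for both domains, which is why the MX record and the NAT rule do not need to distinguish old and new domains.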
MonterioAuthor Commented:
Good day, all!

Pwindell, thank you very much for your input!  Your first comment put things into perspective for me.  Everything is on ESXi5 managed by vSphere 5.  I'm using the Microsoft recommendations for cores and memory.  Everything is being stored on a 10T iSCSI SAN.  

Here's what I have come up with for a design - 2 member DAG, Combo CAS/HUB, CAS array w/ WNLB and dual Edge servers...all as follows:

USMBX01          USMBX02          (MBXDAG01)
USCAH01          USCAH02          (CASARRAY01 w/ WNLB)
USEDG01          USEDG02

On all servers:  C:\ system, D:\Exchange install path
On mailbox servers:  C:\ system, D:\Exchange install path, F:\MailboxDB (This drive is actually space carved out on the iSCSI SAN.  I'm presenting a 2TB LUN to the mailbox servers via iSCSI target)

So I think I can use the suggestion you provided in your first comment to make it all come together.  Your second and third comments are well noted and I am aware of that already.  Thank you for confirming what I had already seen.

Anything that I need to do with the Edge servers for SMTP relaying?  I discovered that the Exchange 2003 server has an SMTP connector configured.  Is setting that up in the Edge server pretty straightforward, or do I need to bother with it at all?
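The layout Monterio settles on above (two-member DAG MBXDAG01 on USMBX01/02, CAS array CASARRAY01 on USCAH01/02 behind WNLB, Edge servers USEDG01/02 on the inside network), as an added Exchange Management Shell walkthrough that is not part of the thread. The server and array names are the ones from the post; the database name DB01, the array FQDN casarray01.corp.example, the AD site name, the witness directory, the DAG IP and the subscription file path are placeholders. Two caveats a practitioner would want: DAG members require Windows Server 2008 R2 Enterprise for the failover clustering feature, and a DAG replicates databases by log shipping, so each member needs its own F: LUN rather than one shared LUN:

```powershell
# Added example, not from the thread. Names USMBX01/02, USCAH01/02, USEDG01/02, MBXDAG01 and
# CASARRAY01 are from the design post; DB01, the FQDN, site, witness path, DAG IP and file
# path are placeholders. DAG members need Windows 2008 R2 Enterprise (failover clustering).

# --- DAG: two mailbox members, file share witness on a Hub/CAS server (must not be a DAG member)
New-DatabaseAvailabilityGroup -Name MBXDAG01 -WitnessServer USCAH01 `
    -WitnessDirectory "C:\DAGWitness\MBXDAG01" -DatabaseAvailabilityGroupIpAddresses 10.0.0.50
Add-DatabaseAvailabilityGroupServer -Identity MBXDAG01 -MailboxServer USMBX01
Add-DatabaseAvailabilityGroupServer -Identity MBXDAG01 -MailboxServer USMBX02

# Database on the SAN-backed F: drive, then a passive copy on the second member.
# Both members need F:\MailboxDB with identical paths; the copy is replicated, not shared.
New-MailboxDatabase -Name DB01 -Server USMBX01 `
    -EdbFilePath "F:\MailboxDB\DB01\DB01.edb" -LogFolderPath "F:\MailboxDB\DB01"
Mount-Database -Identity DB01
Add-MailboxDatabaseCopy -Identity DB01 -MailboxServer USMBX02 -ActivationPreference 2

# --- CAS array: the name Outlook profiles point at; DNS for it resolves to the WNLB VIP.
#     WNLB and failover clustering cannot share a box, which is why CAS/HUB sit apart from MBX.
New-ClientAccessArray -Name CASARRAY01 -Fqdn casarray01.corp.example -Site "Default-First-Site-Name"
Set-MailboxDatabase -Identity DB01 -RpcClientAccessServer casarray01.corp.example

# --- Edge servers on the inside network. EdgeSync does not care about a DMZ; it needs
#     TCP 50636 (secure LDAP) from Hub to Edge and TCP 25 between Hub and Edge, and the
#     firewall NATs inbound TCP 25 from the Internet to the Edge servers.
# On USEDG01 (repeat on USEDG02), export the subscription file:
#   New-EdgeSubscription -FileName "C:\USEDG01-EdgeSubscription.xml"
# Then, on a Hub server, after copying the file over, import it. The two switches create
# the Internet send connector (outbound via Edge) and the inbound Edge-to-Hub connector,
# so no separate SMTP connector has to be built by hand for relaying.
New-EdgeSubscription -Site "Default-First-Site-Name" `
    -FileData ([byte[]]$(Get-Content -Path "C:\USEDG01-EdgeSubscription.xml" -Encoding Byte -ReadCount 0)) `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true
Start-EdgeSynchronization

# --- Checks
Get-MailboxDatabaseCopyStatus -Identity "DB01\*"   # expect Mounted on USMBX01, Healthy on USMBX02
Test-ReplicationHealth -Identity USMBX01
Get-ClientAccessArray
Test-EdgeSynchronization                            # expect SyncStatus Normal per Edge
Get-SendConnector | Format-Table Name, SourceTransportServers, SmartHosts, AddressSpaces
```

Subscribing both Edge servers to the same site gives two equal outbound paths and two inbound NAT targets; that is the HA the Edge pair provides (an MX record per Edge, or the firewall NAT spreading port 25 across them), not a shared cluster. The Exchange 2003 server keeps sending through its own SMTP connector unless it is pointed at a 2010 Hub as its smart host, as pwindell notes above.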
MonterioAuthor Commented:
Any additional help on this would be's been a few days...
MonterioAuthor Commented:
I've already implemented the design, since I couldn't get an update to my question.  So the above described outline is what I'm working with in production.  My question now is how can I deploy the Edge servers, since I have no DMZ?  Do I just NAT to the Edge servers?  How would that work?
Being in VMWare doesn't change anything to me.  I always look at network design from the "logical" perspective, whether virtual or physical really doesn't change anything to me.

A DMZ doesn't mean anything.   It is really irrelevant.  If you have one, fine,....if you don't, fine.  It really doesn't change anything.   To make that even more fuzzy, there is more than one kind of DMZ, saying that you have one (or not have one) doesn't really make anything more clear.  Here is an example of a Back-to-back DMZ (  I don't have an example of a Tri-homed DMZ,..I think those are kind of useless anyway as far as I am concerned

The real question is what do you mean by Edge Servers?,...that could mean anything,...or it can mean nothing.   It just depends.   To me an "Edge Server" is a Firewall,...Servers are then either on the Internal side of,  or the External Side of the Firewall.
MonterioAuthor Commented:
I'm speaking specifically of the Edge server for Exchange 2010.  It's typically deployed in a DMZ, but for SMTP relay I want it on the inside network since we don't have a DMZ.  I'm wondering if that's going to be a problem from a NIC configuration standpoint.
MonterioAuthor Commented:
Getting an answer to my question proved it usually does on EE.  However once an Admin got me a resource, the information began flowing like a clear water spring.  Thanks!
Could split the points with Sommerblink,...he gave a lot of good info above.  I'm not particularly worried about getting points myself.