Solved

NEED HELP DEPLOYING EXCHANGE 2010 ON TWO INDEPENDENT SITES (SAME AD DOMAIN)

Posted on 2012-04-03
36
634 Views
Last Modified: 2012-05-29
We have two sites, the Headquarter and a Branch Office, each site is in a different city, both networks are interconnected by a site-to-site VPN, and both networks are in the same Active Directory (AD) Domain.

Each site has its own ISP connection for going to Internet.

I have installed one MS Exchange Server 2010 on each site. Both servers are running the Hub Transport (HT), Mailbox (MB) and Client Access Server (CAS) roles.

The Domain is a Windows 2008 R2 Active Directory on both sites. The Branch Office's Domain was the last to be implemented. Before that, the Branch Office's workstations were connected to the Domain through the site-to-site VPN.

All the workstations are Windows 7.

The Headquarter's Exchange Server stores the mailboxes of the users that work in the Headquarter office, and the Branch Office's Exchange Server stores the mailboxes of the users that work in the Branch Office.

On each network (Headquarter and Branch Office) we have an Email Security Gateway (ESG) server, so each Hub Transport should send the outgoing emails through the ESG of its own network.

I tried to make this by creating two "Send Connectors":
The first connector has been set up with the Headquarter's ESG as the "Smart Host" and with the Headquarter's Exchange Server as "Source Server".
The second connector has been set up with the Branch Office's ESG as the "Smart Host" and with the Branch Office's Exchange Server as "Source Server".
Both Connectors have the same cost.

The problems are:
All the outgoing messages are being sent only by the first connector, i.e. the Branch Office's outgoing emails (via SMTP) are being sent from the Branch Office's Hub Transport Server to the Headquarter's Hub Transport Server through the site-to-site VPN.
The Outlook (2010) clients of the Branch Office are still trying to connect to the Headquarter's Exchange Server.

Please help us with this.
0
Question by:us-aroc82
36 Comments
 
LVL 23

Expert Comment

by:Malli Boppe
ID: 37804721
Are the AD Sites and Services set up properly?
How can you confirm that branch office users are sending emails through the HQ server?
0
 

Author Comment

by:us-aroc82
ID: 37804805
The AD is working properly.
I can see the SMTP connections in my firewall logs, so I can see the branch office HT sending the outgoing traffic to the HQ server.
0
 
LVL 23

Expert Comment

by:Malli Boppe
ID: 37804827
Can you confirm that Sites and Services are set up properly? I mean, the correct subnets are linked to the correct sites and the DCs are moved to the correct sites.
The SMTP connections could be internal email between the two Exchange servers.
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 37804897
Well, I assume that you have two mailbox databases, one on each server, correct? The problem here is that you have an attribute on the mailbox databases called RpcClientAccessServer.

Run this command in the Exchange Management Shell:

get-mailboxdatabase | ft name, identity, rpcclientaccessserver

See if the mailbox databases at the headquarters have the headquarters server as RpcClientAccessServer on their database, and the same for the branch office.

That explains the fact that Outlook in the branch office is connecting to the "wrong" Exchange server: Outlook connects to the server designated in the above attribute of the mailbox database the user is on.

If not, configure it and test again. Post the result. Hope it helps.
0
 

Author Comment

by:us-aroc82
ID: 37804899
Actually, I have also checked the mail headers of the messages, and then I noticed the path they follow.
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 37804901
Also, after this configuration is checked/changed, the best way to check the mail flow of a message is to send it to an external recipient, go to the message options on that recipient and see all the servers the message went through.
0
 

Author Comment

by:us-aroc82
ID: 37804910
Yes, each Exchange Server is running the mailbox role, and there is a mailbox DB on each one.
I'll check what you said.
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 37804917
Yes, do that, and we can start from there.
0
 

Author Comment

by:us-aroc82
ID: 37804937
These are the results:


Branch Office server (UIOSRV01):

Name                                    Identity                                RpcClientAccessServer
----                                    --------                                ---------------------
Mailbox Database GYE                    Mailbox Database GYE                    AVPSERVER.avp.local
Mailbox Database UIO                    Mailbox Database UIO                    UIOSRV01.avp.local



Headquarter server (AVPSERVER):

Name                                    Identity                                RpcClientAccessServer
----                                    --------                                ---------------------
Mailbox Database GYE                    Mailbox Database GYE                    AVPSERVER.avp.local
Mailbox Database UIO                    Mailbox Database UIO                    UIOSRV01.avp.local
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 37804991
So the users on the GYE mailbox database must be connecting to AVPSERVER and the users on the UIO database should be connecting to the UIO server. Does this match what you are getting in Outlook? If you have a user in the branch office with Outlook connecting to the main office Exchange, please check if he is on the correct mailbox database.

Also, how many MX records do you have? One with the external IP of the main office? If that is the case, then you should not have mail going out with the IP of the branch office. Mail should go out with the same IP that it comes in on (MX record).
0
 
LVL 7

Accepted Solution

by:
abdulalikhan earned 500 total points
ID: 37805288
I would like to explain to you the email flow in Exchange 2010. The email flow is based on the Sites and Services AD site links. For sending emails from two different locations to the Internet, I suggest you create two sites, one for the Headquarter (which can be the default site as well) and another site for the Branch Office. Assign the appropriate subnets to each site and configure the send connectors the same way you did before. This way you will be able to resolve the email sending problem when sending to the Internet.

Remember that in 2010, if you have CAS/HT on the same server, the email transmission will be done through the same Hub server from which the client is connected (the user connected to the CAS server).

Create two DNS host 'A' entries:

- outlook1.domain.com -> pointing to HeadOffice CAS IP
- outlook2.domain.com -> pointing to Branch Office CAS IP

Create two ClientAccessArrays, one for each CAS server installed:

New-ClientAccessArray -Fqdn "outlook1.domain.com" -Site "HeadOffice" -Name "outlook1.domain.com"
New-ClientAccessArray -Fqdn "outlook2.domain.com" -Site "BranchOffice" -Name "outlook2.domain.com"

The site name should be the same as defined in Sites and Services.

Create MDB01 and MDB02 on the Mailbox servers in the Head Office and Branch Office, respectively.

Set-MailboxDatabase MDB01 -RpcClientAccessServer outlook1.domain.com
Set-MailboxDatabase MDB02 -RpcClientAccessServer outlook2.domain.com

Try connecting Outlook and check whether the clients are connecting to the right RpcClientAccessServer, and check the email flow.

You need to configure the other Virtual Directories appropriately.
0
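The accepted answer above spells out the target state (one AD site per office, one ClientAccessArray per site, each mailbox database pointed at its own site's array, one send connector sourced by each site's Hub server). The script below is an added verification script, not code from the thread or from Microsoft; it reads the live configuration with standard Exchange 2010 cmdlets and reports where that state does not hold. It assumes the Exchange Management Shell and nothing else; the array FQDNs it prints are whatever you actually created (the accepted answer's outlook1/outlook2.domain.com are only examples).

```powershell
# Added verification script (not from the thread). Run in the Exchange
# Management Shell after applying the accepted solution.

# 1. Which AD site does Exchange place each server in? A server that shows the
#    wrong site usually means its subnet is missing from AD Sites and Services.
Get-ExchangeServer | Format-Table Name, Site, ServerRole -AutoSize

# 2. One ClientAccessArray per site, and each FQDN must resolve in DNS
#    (the 'A' records the accepted answer asks for).
$arrays = @(Get-ClientAccessArray)
foreach ($a in $arrays) {
    try   { $ips = ([System.Net.Dns]::GetHostAddresses("$($a.Fqdn)") | ForEach-Object { $_.IPAddressToString }) -join ', ' }
    catch { $ips = 'DOES NOT RESOLVE' }
    "Array {0,-25} site {1,-15} -> {2}" -f $a.Fqdn, $a.Site.Name, $ips
}

# 3. Every mailbox database should point Outlook at the array of the site its
#    mailbox server lives in; anything else sends Outlook RPC traffic over the VPN.
foreach ($db in Get-MailboxDatabase) {
    $srv   = Get-ExchangeServer -Identity $db.Server.Name
    $array = $arrays | Where-Object { $_.Site.Name -eq $srv.Site.Name } | Select-Object -First 1
    $state = if ($array -and ("$($db.RpcClientAccessServer)" -ieq "$($array.Fqdn)")) { 'OK' } else { 'MISMATCH' }
    "DB {0,-22} on {1,-10} site {2,-15} RpcClientAccessServer {3,-25} {4}" -f `
        $db.Name, $srv.Name, $srv.Site.Name, $db.RpcClientAccessServer, $state
}

# 4. Send connectors: which Hub servers source each one, at what cost, and
#    where it hands mail off. Scoping a connector (IsScopedConnector = $true)
#    limits it to Hub servers in its own AD site, which makes the per-site
#    routing explicit instead of relying on cost/proximity tie-breaking.
foreach ($sc in Get-SendConnector) {
    $src   = ($sc.SourceTransportServers | ForEach-Object { $_.Name }) -join ', '
    $hosts = ($sc.SmartHosts | ForEach-Object { "$_" }) -join ', '
    $cost  = ($sc.AddressSpaces | ForEach-Object { $_.Cost }) -join '/'
    "Connector {0,-25} cost {1} scoped {2,-5} sources [{3}] smart hosts [{4}]" -f `
        $sc.Name, $cost, $sc.IsScopedConnector, $src, $hosts
}
```

Run it once on each server rather than only at headquarters: each Exchange server reads its configuration from a domain controller in its own AD site, so if the two runs disagree on section 3 the difference is AD replication lag, not a configuration error. A MISMATCH line in section 3 is the single thing that sends an Outlook client to the far site, because Outlook takes the server name from that attribute, not from anything configured on the client.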
 

Author Comment

by:us-aroc82
ID: 37821444
OK, thanks, I'll try to do that change =)
0
 

Author Comment

by:us-aroc82
ID: 37821519
abdulalikhan:

I have done the changes you suggested.

But, I have some questions:


1. Regarding "Try connecting the Outlook and Check if they are connecting to the right RPCClientAccessServer and Check the email flow."

Do I have to make any change in the clients' outlook settings?

2. Regarding "You need to configure the other Virtual Directories appropriately."

Are you referring to the external/internal fqdn address of CAS, OWA, etc.?
0
 

Author Comment

by:us-aroc82
ID: 37821550
Also,

Is that setting useful for a High Availability scheme?

What I mean is that if the Branch Office's CAS fails, the Branch Office's Outlook clients should connect to the Headquarter's CAS, and vice versa.
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 37821764
Answer 1: The user's Outlook will use Autodiscover to get from the configuration partition in Active Directory the correct Client Access server or Client Access array it needs to connect to. So the answer is: I don't have to make changes.

Answer 2: Yes, you need to configure internal and external URLs for the Client Access services, like OWA, ECP, EWS, etc., using for example the Set-OwaVirtualDirectory cmdlet.
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 37821765
The failover process will never be automatic with regard to the CAS servers. You need to change the RpcClientAccessServer parameter on the appropriate mailbox database.
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37822567
For your queries:

Ans '1': You don't have to make changes at the client side; if you are using Outlook 2007/2010 it will be done automatically using the Autodiscover feature. This will work if Autodiscover has been configured correctly along with the DNS entries for Autodiscover.

Ans '2': The internal and external virtual directories have to be configured properly for every feature (OWA, ECP, etc.) on every CAS server.

For your second reply:

In case of a CAS failure, clients cannot connect to the other site automatically. You have to manually change the settings to connect to the other CAS. This can be done in two ways:

1. Change the values in your DNS servers to point to the available CAS. The values that need to be changed are those of outlook1/outlook2, depending on the failed server.

2. Change the RpcClientAccessServer value for each database at the CAS failure site and set it to the available CAS.
0
 

Author Comment

by:us-aroc82
ID: 37825604
Could I configure the CAS array in the Branch Office network with the Branch Office's CAS as the first option and the HQ's CAS as the second option?
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37826330
You cannot have an automated process for setting the CAS as primary and backup CAS.

It has to be shifted manually.
0
 

Author Comment

by:us-aroc82
ID: 37828551
OK, got it =)

Please, another question:

The Outlook clients are still pointing to the initial server name (uiosrv01.avp.local) instead of the new CAS server name defined by the commands you suggested (uiocas.avp.local).

How can I change this? (attached an image)

0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37831231
Please confirm: are you using a DAG or not? Also confirm whether you have created two sites in AD, one for the Head Office and the other for the Branch Office.

If you are not using a DAG, check on which database the user mailbox resides; the user should connect to the CAS server which is mentioned as RPCClientAccessArray on the database.

I hope the recommendations in ID: 37805288 are already applied.

Also verify if the AD is replicating properly.

If the problem still remains, do let me know.

Send me the results of the following commands:

Get-Mailbox -Identity username |ft Name,Database
Send two results for the above command, one for a Head Office user and the other for a Branch Office user.

Get-ClientAccessArray
Get-MailboxDatabase |ft Name,RPC*
0
 

Author Comment

by:us-aroc82
ID: 37834578
1. We're not using a DAG
2. Yes, we have defined two sites, one for each network
3. The AD DCs are replicating properly
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 37834861
The main question for your last problem is:

What's the RpcClientAccessServer configured on the mailbox database that the user belongs to?

Run get-mailboxdatabase | ft name, rpcclientaccessserver on BOTH servers in BOTH sites and check the results. Outlook is getting that server name from that attribute, which is stored on the domain controller in the site the user is in.

As simple as that.
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37836250
I asked for a few results; please share.
0
 

Author Comment

by:us-aroc82
ID: 37847695
I'm getting this message when making any settings change:

--------------------------------------------------------
Microsoft Exchange Warning
--------------------------------------------------------
The following warning(s) occurred while saving changes:

Set-OutlookAnywhere
Completed

Warning:
The cmdlet extension agent with the index 0 has thrown an exception in OnComplete(). The exception is: System.InvalidOperationException: Client found response content type of '', but expected 'text/xml'.
The request failed with an empty response.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.<>c__DisplayClass4.<Invoke>b__3()
   at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NetworkServiceHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
   at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
   at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.FindFolder(FindFolderType FindFolder1)
   at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer.GetAdminAuditLogsFolder(ADUser adUser)
   at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer..ctor(OrganizationId organizationId, ADUser adUser, ExchangePrincipal principal)
   at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.Create(OrganizationId organizationId, ADUser mailbox, ExchangePrincipal principal)
   at Microsoft.Exchange.ProvisioningAgent.AdminLogAgentClassFactory.ConfigWrapper.get_MailboxLogger()
   at Microsoft.Exchange.ProvisioningAgent.AdminLogProvisioningHandler.OnComplete(Boolean succeeded, Exception e)
   at Microsoft.Exchange.Provisioning.ProvisioningLayer.OnComplete(Task task, Boolean succeeded, Exception exception)


--------------------------------------------------------
OK
--------------------------------------------------------
0
 

Author Comment

by:us-aroc82
ID: 37847697
Also,

The Outlook clients are showing a Certificate Validation Warning dialog box when starting the Outlook session.
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37850760
Have you configured the certificate on the CAS servers and pointed Autodiscover to the correct CAS servers?
0
 

Author Comment

by:us-aroc82
ID: 37925325
How can I verify that?
0
 

Author Comment

by:us-aroc82
ID: 37925359
Could I re-generate the Exchange Server's digital certificate?
Could I do it without impacting the users' work?

Would resetting the Virtual Directories help?
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 37925402
Resetting the vdirs won't help if you have a certificate that does not have all the necessary names.

Use the certificate wizard in the EMC to generate a request.
It won't affect the users until you assign the IIS service to the certificate, and if you build a correct certificate the effect should be the error going away.
0
 

Author Comment

by:us-aroc82
ID: 37925418
Thanks. Where can I find the "certificate wizard"?
0
 

Author Comment

by:us-aroc82
ID: 37925436
What should I do first?

Delete the old certificates and then create the new one; or
create the new certificate, then delete the old certificates?
0
 

Author Comment

by:us-aroc82
ID: 37925451
Could you check it by TeamViewer?
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37927806
We can work. My email ID is abdulalikhan@hotmail.com and I am available today till 6 PM (GMT+5).
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 37928098
Go to the Exchange Management Console, select Server Configuration, and in the right-hand pane select the server. You will be able to see the certificates below in the right-hand pane. Click create new certificate.
You should first create a new one and afterwards delete the existing one.
0
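The certificate advice above turns on one question: does the certificate bound to IIS on each CAS carry every host name Outlook and Autodiscover will contact over HTTPS? The script below is an added check, not code from the thread, that gathers those names from the live Autodiscover, OWA, ECP, EWS, OAB and Outlook Anywhere settings and compares them with the CertificateDomains of each IIS-bound certificate, using standard Exchange 2010 cmdlets only. The wildcard rule in Test-NameCovered is my own helper (a single-label match, which is how TLS clients treat `*.example.com`); nothing in it is specific to avp.local.

```powershell
# Added check (not from the thread). Run in the Exchange Management Shell
# before generating a new certificate request.

function Test-NameCovered {
    # Exact match, or a single-label wildcard match: *.example.com covers
    # owa.example.com but not a.b.example.com, matching TLS client behaviour.
    param([string]$Name, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                      # ".example.com"
            $prefix = $Name.Substring(0, [Math]::Max(0, $Name.Length - $suffix.Length))
            if ($Name.EndsWith($suffix, 'OrdinalIgnoreCase') -and $prefix -and $prefix -notmatch '\.') {
                return $true
            }
        }
    }
    return $false
}

# Every HTTPS host name a client can be told to use, read from the live config.
$names = @()
foreach ($cas in Get-ClientAccessServer) {
    if ($cas.AutoDiscoverServiceInternalUri) { $names += ([Uri]$cas.AutoDiscoverServiceInternalUri).Host }
}
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
         @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory)
foreach ($vd in $vdirs) {
    foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) { if ($u) { $names += ([Uri]$u).Host } }
}
foreach ($oa in Get-OutlookAnywhere) {
    if ($oa.ExternalHostname) { $names += "$($oa.ExternalHostname)" }
}
$names = $names | Where-Object { $_ } | Sort-Object -Unique

# Compare those names with the certificate(s) that actually serve IIS on each CAS.
foreach ($cas in Get-ClientAccessServer) {
    $iisCerts = @(Get-ExchangeCertificate -Server $cas.Name | Where-Object { "$($_.Services)" -match 'IIS' })
    if (-not $iisCerts) { "{0}: no certificate bound to IIS" -f $cas.Name; continue }
    foreach ($c in $iisCerts) {
        $domains = @($c.CertificateDomains | ForEach-Object { "$_" })
        "{0}: thumbprint {1}  self-signed={2}  expires={3:d}" -f $cas.Name, $c.Thumbprint, $c.IsSelfSigned, $c.NotAfter
        foreach ($n in $names) {
            $flag = if (Test-NameCovered -Name $n -Domains $domains) { 'covered' } else { 'NOT COVERED' }
            "    {0,-40} {1}" -f $n, $flag
        }
    }
}
```

Two things the output tells you. A NOT COVERED name is the list of subject alternative names the new request must include, which is exactly what the certificate wizard asks for. A self-signed=True certificate will keep producing the Outlook validation warning even when every name is covered, because no workstation trusts the server as an issuer; the request therefore has to be signed by a CA the clients already trust (an internal enterprise CA published through Group Policy, or a public CA). The same EWS URL and certificate problem is also what the warning in ID 37847695 reports: its stack trace shows the Admin Audit Log agent (AdminLogProvisioningHandler) failing an EWS FindFolder call with an empty response, so until it is fixed the record of who changed what in Exchange is incomplete.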
 

Author Comment

by:us-aroc82
ID: 37999981
Hi abdulalikhan, I'll add you on MSN Messenger. My e-mail is aroc.avp@live.com
0
