NEED HELP DEPLOYING EXCHANGE 2010 ON TWO INDEPENDENT SITES (SAME AD DOMAIN)

We have two sites, the Headquarter and a Branch Office. Each site is in a different city, the two networks are interconnected by a site-to-site VPN, and both networks are in the same Active Directory (AD) domain.

Each site has its own ISP connection to the Internet.

I have installed one MS Exchange Server 2010 at each site. Both servers are running the Hub Transport (HT), Mailbox (MB) and Client Access Server (CAS) roles.

The domain is a Windows 2008 R2 Active Directory at both sites. The Branch Office's domain controller was the last to be implemented. Before that, the Branch Office's workstations were connected to the domain through the site-to-site VPN.

All the workstations are Windows 7.

The Headquarter's Exchange Server stores the mailboxes of the users who work at the Headquarter office, and the Branch Office's Exchange Server stores the mailboxes of the users who work at the Branch Office.

On each network (Headquarter and Branch Office) we have an Email Security Gateway (ESG) server, so each Hub Transport should send the outgoing emails through the ESG of its own network.

I tried to do this by creating two "Send Connectors":
1. The first connector has been set up with the Headquarter's ESG as the "Smart Host" and with the Headquarter's Exchange Server as "Source Server".
2. The second connector has been set up with the Branch Office's ESG as the "Smart Host" and with the Branch Office's Exchange Server as "Source Server".
Both connectors have the same cost.

The problems are:
1. All the outgoing messages are being sent only by the first connector, i.e. the Branch Office's outgoing emails (via SMTP) are being sent from the Branch Office's Hub Transport Server to the Headquarter's Hub Transport Server through the site-to-site VPN.
2. The Outlook (2010) clients of the Branch Office are still trying to connect to the Headquarter's Exchange Server.

Please help us with this.
us-aroc82 Asked:

Malli Boppe Commented:
Are the AD Sites and Services set up properly?
How can you confirm that branch office users are sending emails through the HQ server?
0
us-aroc82 (Author) Commented:
The AD is working properly.
I can see the SMTP connections in my firewall logs, so I can see the branch office HT sending the outgoing traffic to the HQ server.
0
Malli Boppe Commented:
Can you confirm that Sites and Services are set up properly? I mean that the correct subnets are linked to the correct sites and the DCs are moved to the correct sites.
The SMTP connections could be internal email between the two Exchange servers.
0

Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
Well, I assume that you have two mailbox databases, one on each server, correct? The problem here is that you have an attribute on the mailbox databases called RpcClientAccessServer.

Run this command in the Exchange Management Shell:

Get-MailboxDatabase | ft Name, Identity, RpcClientAccessServer

See if the mailbox databases at the headquarters have the headquarters server as RpcClientAccessServer, and the same for the branch office.

That explains the fact that Outlook at the branch office is connecting to the "wrong" Exchange server. Outlook connects to the server designated in the above attribute of the mailbox database that the user is on.

If not, configure it and test again. Post the result. Hope it helps.
0
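The check above can be automated so that it is the AD site, not a server name read by eye, that decides whether a database is advertising the right Client Access endpoint. The script below is an added example and not part of the original thread; it assumes only the standard Exchange 2010 cmdlets and reads everything from Active Directory, so it can be run from either server. It maps each mailbox database's hosting server to its AD site, resolves the RpcClientAccessServer value (which may be a server FQDN or a CAS array FQDN) to a site, and flags databases whose clients would be sent across the VPN.

```powershell
# Added example (not from the thread): for every mailbox database, compare the AD site
# of the server that hosts it with the AD site of the RpcClientAccessServer it advertises.
# Outlook resolves the RpcClientAccessServer value, so a database hosted in the branch
# site that still points at the headquarters CAS sends every branch client over the VPN.
# Run in the Exchange Management Shell on either server (the data lives in AD, not locally).

function Get-RpcClientAccessSiteReport {
    # Lookup table FQDN -> AD site name, built from both real servers and CAS arrays.
    $siteByFqdn = @{}
    foreach ($srv in Get-ExchangeServer) {
        if ($srv.Site -ne $null) { $siteByFqdn[([string]$srv.Fqdn).ToLower()] = $srv.Site.Name }
    }
    foreach ($arr in Get-ClientAccessArray) {
        $siteByFqdn[([string]$arr.Fqdn).ToLower()] = $arr.Site.Name
    }

    foreach ($db in Get-MailboxDatabase) {
        $hostServer = Get-ExchangeServer -Identity $db.Server.Name
        $hostSite   = $hostServer.Site.Name
        $rpcFqdn    = [string]$db.RpcClientAccessServer
        $rpcSite    = $siteByFqdn[$rpcFqdn.ToLower()]

        # MISMATCH is the case the thread is about: clients hairpin through the other site.
        if ($rpcSite -eq $null)        { $status = 'UNKNOWN FQDN' }
        elseif ($rpcSite -eq $hostSite) { $status = 'OK' }
        else                            { $status = 'MISMATCH' }

        New-Object PSObject -Property @{
            Database              = $db.Name
            MailboxServer         = $hostServer.Name
            MailboxServerSite     = $hostSite
            RpcClientAccessServer = $rpcFqdn
            RpcClientAccessSite   = $rpcSite
            Status                = $status
        }
    }
}

Get-RpcClientAccessSiteReport |
    Format-Table Database, MailboxServer, MailboxServerSite, RpcClientAccessServer, RpcClientAccessSite, Status -AutoSize
```

A row marked UNKNOWN FQDN means the attribute names something that is neither an Exchange server nor a CAS array in this organisation (for example a decommissioned server), which is worth fixing even when clients appear to work, since Outlook will fall back unpredictably.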
us-aroc82 (Author) Commented:
Actually, I have also checked the mail headers of the messages and noticed the path they follow.
0
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
Also, after this configuration is checked/changed, the best way to check the mail flow of a message is to send it to an external recipient, open the message options on that recipient's side and see all the servers the message went through.
0
us-aroc82 (Author) Commented:
Yes, each Exchange Server is running the mailbox role, and there is a mailbox DB on each one.
I'll check what you said.
0
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
Yes do that. And we can start from there.
0
us-aroc82 (Author) Commented:
These are the results:


Branch Office server (UIOSRV01):

Name                                    Identity                                RpcClientAccessServer
----                                    --------                                ---------------------
Mailbox Database GYE                    Mailbox Database GYE                    AVPSERVER.avp.local
Mailbox Database UIO                    Mailbox Database UIO                    UIOSRV01.avp.local



Headquarter server (AVPSERVER):

Name                                    Identity                                RpcClientAccessServer
----                                    --------                                ---------------------
Mailbox Database GYE                    Mailbox Database GYE                    AVPSERVER.avp.local
Mailbox Database UIO                    Mailbox Database UIO                    UIOSRV01.avp.local
0
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
So the users on the GYE mailbox database must be connecting to AVPSERVER and the users on the UIO database should be connecting to the UIO server. Does this match what you are seeing in Outlook? If you have a user at the branch office whose Outlook connects to the main office Exchange, please check whether he is on the correct mailbox database.

Also, how many MX records do you have? One, with the external IP of the main office? If that is the case, then you should not have mail going out with the IP of the branch office. Mail should go out with the same IP that it comes in on (MX record).
0
abdulalikhan Commented:
I would like to explain the email flow in Exchange 2010 to you. The email flow is based on the AD site links in Sites and Services. For sending emails from two different locations to the Internet, I suggest you create two sites, one for the Headquarter (which can be the default site as well) and another for the Branch Office. Assign the appropriate subnets to each site and configure the send connectors the same way you did before. This way you will be able to resolve the email sending problem when sending to the Internet.

Remember that in 2010, if you have CAS/HT on the same server, the email transmission will be done through the same HUB server that the client is connected to (the CAS server the user connects to).

Create two DNS host 'A' entries:

- outlook1.domain.com -> pointing to the Head Office CAS IP
- outlook2.domain.com -> pointing to the Branch Office CAS IP

Create two ClientAccessArrays, one for each CAS server installed:

New-ClientAccessArray -Fqdn "outlook1.domain.com" -Site "HeadOffice" -Name "outlook1.domain.com"
New-ClientAccessArray -Fqdn "outlook2.domain.com" -Site "BranchOffice" -Name "outlook2.domain.com"

The site name must be the same as defined in Sites and Services.

Create MDB01 and MDB02 on the Mailbox servers at the Head Office and Branch Office, respectively:

Set-MailboxDatabase MDB01 -RpcClientAccessServer outlook1.domain.com
Set-MailboxDatabase MDB02 -RpcClientAccessServer outlook2.domain.com

Try connecting Outlook and check whether the clients connect to the right RpcClientAccessServer, then check the email flow.

You need to configure the other virtual directories appropriately.
0
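The steps in the answer above, carried out as one script, are given here as an added example; it is not code from the thread. Every name in it is a placeholder: 'HeadOffice' and 'BranchOffice' stand for the AD site names, outlook1/outlook2.domain.com for the CAS array FQDNs, dc01.domain.com for a DNS server, MDB01/MDB02 for the databases, and the IP addresses are made up. It assumes Windows Server 2008 R2 DNS (so dnscmd.exe rather than the newer DnsServer module) and the standard Exchange 2010 cmdlets.

```powershell
# Added example (not from the thread): the procedure above as one script.
# All names and addresses below are placeholders; adjust them to your environment.
# Run in the Exchange Management Shell with Exchange Organization Administrator rights.

$dnsServer = 'dc01.domain.com'       # placeholder: an AD-integrated DNS server
$dnsZone   = 'domain.com'            # placeholder: zone that will hold the CAS array names

$sites = @(
    @{ Site = 'HeadOffice';   ArrayFqdn = 'outlook1.domain.com'; CasIp = '10.1.0.10'; Database = 'MDB01' },
    @{ Site = 'BranchOffice'; ArrayFqdn = 'outlook2.domain.com'; CasIp = '10.2.0.10'; Database = 'MDB02' }
)

foreach ($s in $sites) {
    # 1. DNS A record for the array name. The record label is the host part of the FQDN.
    #    (On 2008 R2 there is no DnsServer PowerShell module, hence dnscmd.exe.)
    $hostLabel = $s.ArrayFqdn.Split('.')[0]
    & dnscmd.exe $dnsServer /RecordAdd $dnsZone $hostLabel A $s.CasIp

    # 2. One CAS array per AD site. -Site must match the name in AD Sites and Services
    #    exactly; an array is only ever used by databases whose server is in that site.
    $existing = Get-ClientAccessArray | Where-Object { [string]$_.Fqdn -eq $s.ArrayFqdn }
    if (-not $existing) {
        New-ClientAccessArray -Name $s.ArrayFqdn -Fqdn $s.ArrayFqdn -Site $s.Site
    }

    # 3. Point the site's mailbox database at the array rather than at an individual server.
    Set-MailboxDatabase -Identity $s.Database -RpcClientAccessServer $s.ArrayFqdn
}

# 4. Verify: each array sits in its own site and each database advertises its site's array.
Get-ClientAccessArray | Format-Table Name, Fqdn, Site -AutoSize
Get-MailboxDatabase   | Format-Table Name, Server, RpcClientAccessServer -AutoSize
```

Two things to expect after running it: the change to RpcClientAccessServer has to replicate to the domain controllers of the other site before Outlook there sees it, and Outlook profiles that were created against the old server name generally keep that name until the profile is repaired or recreated, so a test with a fresh profile is the cleanest confirmation.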

us-aroc82 (Author) Commented:
Ok, thanks, I'll try to make that change =)
0
us-aroc82 (Author) Commented:
abdulalikhan:

I have done the changes you suggested.

But I have some questions:

1. Regarding "Try connecting the Outlook and Check if they are connecting to the right RPCClientAccessServer and Check the email flow."

Do I have to make any change in the clients' Outlook settings?

2. Regarding "You need to configure the other Virtual Directories appropriately."

Are you referring to the external/internal FQDN address of CAS, OWA, etc.?
0
us-aroc82 (Author) Commented:
Also,

Is that setting useful for a High Availability scheme?

What I mean is that if the Branch Office's CAS fails, the Branch Office's Outlook clients should connect to the Headquarter's CAS, and vice versa.
0
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
Answer 1: Users' Outlook will use Autodiscover to get, from the configuration partition in Active Directory, the correct Client Access server or Client Access array it needs to connect to. So the answer is: you don't have to make changes.

Answer 2: Yes, you need to configure internal and external URLs for the Client Access services, like OWA, ECP, EWS, etc., using for example the Set-OwaVirtualDirectory cmdlet.
0
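Answer 2 above is, in practice, one Set-*VirtualDirectory call per service per CAS, plus the Autodiscover URI that hands Outlook the array name in the first place. The script below is an added example and not the answerer's code; server names (HQCAS01, BRANCHCAS01) and namespaces (mail-hq.domain.com, mail-branch.domain.com) are placeholders, and it assumes each CAS publishes one host name used both internally and externally, which keeps the certificate that must later cover these names as small as possible.

```powershell
# Added example (not from the thread): set internal/external URLs on every Client Access
# virtual directory of each CAS, plus the Autodiscover service URI.
# Server and host names are placeholders. Run in the Exchange Management Shell.

$cas = @{
    'HQCAS01'     = 'mail-hq.domain.com'        # placeholder: HQ CAS -> its namespace
    'BRANCHCAS01' = 'mail-branch.domain.com'    # placeholder: branch CAS -> its namespace
}

foreach ($server in $cas.Keys) {
    $base = "https://" + $cas[$server]   # one name inside and outside (split DNS assumed)

    Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
        -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
    Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" `
        -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
    Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
        -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
    Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
        -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
    Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"

    # Autodiscover is what tells Outlook which RpcClientAccessServer / CAS array to use,
    # so its own URI must resolve and be covered by the IIS certificate as well.
    Set-ClientAccessServer -Identity $server `
        -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
}

# Review the result in one place; every host name listed here must be on the certificate.
foreach ($server in $cas.Keys) {
    Get-OwaVirtualDirectory         -Server $server | Format-List Identity, InternalUrl, ExternalUrl
    Get-WebServicesVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
    Get-ClientAccessServer -Identity $server        | Format-List Name, AutoDiscoverServiceInternalUri
}
```

The security-relevant part is the last loop: a URL that points at a name absent from the certificate is exactly what produces the certificate warning in Outlook, and users who are trained to click through that warning are much easier to intercept later.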
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
The failover process will never be automatic as regards the CAS servers. You need to change the RpcClientAccessServer parameter on the appropriate mailbox database.
0
abdulalikhan Commented:
For your queries:

Ans '1': You don't have to make changes on the client side; if you are using Outlook 2007/2010 it will be done automatically using the Autodiscover feature. This will work if Autodiscover has been configured correctly along with the DNS entries for Autodiscover.

Ans '2': The internal and external virtual directories have to be configured properly for every feature (OWA, ECP, etc.) on every CAS server.

For your second reply:

In case of a CAS failure, clients cannot connect to the other site automatically. You have to change the settings manually to connect to the other CAS. This can be done in two ways:

1. Change the values on your DNS servers to point to the available CAS. The values that need to be changed are those of outlook1/outlook2, depending on the failed server.

2. Change the RpcClientAccessServer value for each database at the site of the CAS failure and set it to the available CAS.
0
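Option 2 above is a manual procedure that is easy to get wrong under pressure, so it is worth having it scripted and rehearsed. The function below is an added example, not the answerer's code; the array names are placeholders. It re-points every database that advertises the failed CAS array at the surviving one, records the previous values so the change can be reversed, and does nothing unless -Commit is given.

```powershell
# Added example (not from the thread): manual CAS failover per option 2 above.
# Array names are placeholders. Run in the Exchange Management Shell on a working server.

function Invoke-CasArrayFailover {
    param(
        [string]$FailedArrayFqdn,      # placeholder, e.g. outlook2.domain.com
        [string]$SurvivingArrayFqdn,   # placeholder, e.g. outlook1.domain.com
        [string]$RollbackFile = "$env:TEMP\cas-failover-rollback.csv",
        [switch]$Commit                # without -Commit the function only reports
    )

    $affected = Get-MailboxDatabase |
        Where-Object { [string]$_.RpcClientAccessServer -eq $FailedArrayFqdn }

    if (-not $affected) {
        Write-Host "No database points at $FailedArrayFqdn; nothing to do."
        return
    }

    # Record what is about to change before touching anything, for the way back.
    $affected |
        Select-Object Name, @{ n = 'RpcClientAccessServer'; e = { [string]$_.RpcClientAccessServer } } |
        Export-Csv -Path $RollbackFile -NoTypeInformation

    foreach ($db in $affected) {
        if ($Commit) {
            Set-MailboxDatabase -Identity $db.Name -RpcClientAccessServer $SurvivingArrayFqdn
            Write-Host "$($db.Name): $FailedArrayFqdn -> $SurvivingArrayFqdn"
        } else {
            Write-Host "WOULD CHANGE $($db.Name): $FailedArrayFqdn -> $SurvivingArrayFqdn"
        }
    }
}

# Reverse the change from the rollback file once the failed CAS is back in service.
function Undo-CasArrayFailover {
    param([string]$RollbackFile = "$env:TEMP\cas-failover-rollback.csv")
    Import-Csv -Path $RollbackFile | ForEach-Object {
        Set-MailboxDatabase -Identity $_.Name -RpcClientAccessServer $_.RpcClientAccessServer
    }
}

# Dry run first, then commit:
Invoke-CasArrayFailover -FailedArrayFqdn 'outlook2.domain.com' -SurvivingArrayFqdn 'outlook1.domain.com'
Invoke-CasArrayFailover -FailedArrayFqdn 'outlook2.domain.com' -SurvivingArrayFqdn 'outlook1.domain.com' -Commit
```

Because the attribute is read from the domain controller in the user's own site, the change is only effective at the failed site once AD replication has delivered it there; after that, clients need to restart Outlook to pick up the new endpoint. Option 1 (repointing the DNS A record) avoids touching Exchange at all but has the same dependency on clients' cached DNS and on the certificate covering the array name on the surviving CAS.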
us-aroc82 (Author) Commented:
Could I configure the CAS array in the Branch Office network with the Branch Office's CAS as the first option and the HQ's CAS as the second option?
0
abdulalikhan Commented:
You cannot have an automated process for setting the CAS as primary and backup CAS.

It has to be switched manually.
0
us-aroc82 (Author) Commented:
OK, got it =)

Please, another question:

The Outlook clients are still pointing to the initial server name (uiosrv01.avp.local) instead of the new CAS server name defined by the commands you suggested (uiocas.avp.local).

How can I change this? (attached an image)

0
abdulalikhan Commented:
Please confirm whether you are using a DAG or not. Also confirm that you have created two sites in AD, one for the Head Office and the other for the Branch Office.

If you are not using a DAG, check on which database the user's mailbox resides; the user should connect to the CAS server that is mentioned as RPCClientAccessArray on the database.

I hope the recommendations in ID: 37805288 are already applied.

Also verify that AD is replicating properly.

If the problem still remains, do let me know.

Send me the results of the following commands,

Get-Mailbox -Identity username |ft Name,Database
Send two results for the above command, one for HeadOffice User and other for BranchOffice user.

Get-ClientAccessArray
Get-MailboxDatabase |ft Name,RPC*
0
us-aroc82 (Author) Commented:
1. We're not using DAG
2. Yes, we have defined two sites, one for each network
3. The AD DC's are replicating properly
0
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
The main question for your last problem is:

What's the RpcClientAccessServer configured on the mailbox database that the user belongs to?

Run Get-MailboxDatabase | ft Name, RpcClientAccessServer on BOTH servers in BOTH sites and check the results. Outlook is getting that server name from that attribute, which is stored on the domain controller in the site the user is in.

As simple as that.
0
abdulalikhan Commented:
I asked for a few results; please share them.
0
us-aroc82 (Author) Commented:
I'm getting this message when making any settings change:

--------------------------------------------------------
Microsoft Exchange Warning
--------------------------------------------------------
The following warning(s) occurred while saving changes:

Set-OutlookAnywhere
Completed

Warning:
The cmdlet extension agent with the index 0 has thrown an exception in OnComplete(). The exception is: System.InvalidOperationException: Client found response content type of '', but expected 'text/xml'.
The request failed with an empty response.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.<>c__DisplayClass4.<Invoke>b__3()
   at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NetworkServiceHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
   at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
   at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.FindFolder(FindFolderType FindFolder1)
   at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer.GetAdminAuditLogsFolder(ADUser adUser)
   at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer..ctor(OrganizationId organizationId, ADUser adUser, ExchangePrincipal principal)
   at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.Create(OrganizationId organizationId, ADUser mailbox, ExchangePrincipal principal)
   at Microsoft.Exchange.ProvisioningAgent.AdminLogAgentClassFactory.ConfigWrapper.get_MailboxLogger()
   at Microsoft.Exchange.ProvisioningAgent.AdminLogProvisioningHandler.OnComplete(Boolean succeeded, Exception e)
   at Microsoft.Exchange.Provisioning.ProvisioningLayer.OnComplete(Task task, Boolean succeeded, Exception exception)


--------------------------------------------------------
OK
--------------------------------------------------------
0
us-aroc82 (Author) Commented:
Also,

The Outlook clients are showing a Certificate Validation Warning dialog box when starting the Outlook session.
0
abdulalikhan Commented:
Have you configured the certificate on the CAS servers and pointed Autodiscover to the correct CAS servers?
0
us-aroc82 (Author) Commented:
How can I verify that?
0
us-aroc82 (Author) Commented:
Could I re-generate the Exchange Server's digital certificate?
Could I do it without impacting the users' work?

Would resetting the virtual directories help?
0
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
Resetting the vdirs won't help if you have a certificate that does not have all the necessary names.

Use the certificate wizard in the EMC to generate a request.
It won't affect the users until you assign the IIS service to the certificate, and if you build a correct certificate the effect should be the error going away.
0
us-aroc82 (Author) Commented:
Thanks. Where can I find the "certificate wizard"?
0
us-aroc82 (Author) Commented:
What should I do first?

- delete the old certificates, and then create the new one; or
- create the new certificate, then delete the old certificates
0
us-aroc82 (Author) Commented:
Could you check it via TeamViewer?
0
abdulalikhan Commented:
We can work on it. My email ID is abdulalikhan@hotmail.com and I am available today until 6 PM (GMT+5).
0
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
Go to the Exchange Management Console and select Server Configuration. In the right-hand pane select the server; you will see the certificates below in the right-hand pane. Click "New Exchange Certificate".
You should first create a new one and afterwards delete the existing one.
0
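The wizard described above has a shell equivalent, which is easier to repeat on the second CAS and to review before anything is enabled. The script below is an added example rather than the answerer's steps; all host names except uiosrv01.avp.local (which appears earlier in the thread) are placeholders, and it assumes an internal enterprise CA, since a public CA will not issue for a .local name. It follows the order the answer gives: create and enable the new certificate first, remove the old one only afterwards.

```powershell
# Added example (not from the thread): shell equivalent of the EMC certificate wizard,
# in the order given above (new certificate first, enable it, then remove the old one).
# Host names other than uiosrv01.avp.local are placeholders. The certificate must carry
# every name clients use: CAS server names, CAS array names and autodiscover.
# Run in the Exchange Management Shell on the CAS that will hold the certificate.

$server  = 'UIOSRV01'                              # branch CAS (name from the thread)
$subject = 'mail-branch.domain.com'                # placeholder primary name
$names   = @('mail-branch.domain.com',             # placeholder SAN list
             'autodiscover.domain.com',
             'outlook2.domain.com',
             'uiosrv01.avp.local')
$reqPath = "C:\certs\$subject.req"
$cerPath = "C:\certs\$subject.cer"

# Step 1: generate a request. Keep the private key exportable so the same certificate
# can be imported on the other CAS if both sites end up sharing a namespace.
$request = New-ExchangeCertificate -Server $server -GenerateRequest `
    -SubjectName "CN=$subject" -DomainName $names -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $request
# ... submit the .req to the CA and save the issued certificate to $cerPath ...

# Step 2: import the issued certificate; this completes the pending request on the server.
$imported = Import-ExchangeCertificate -Server $server `
    -FileData ([byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))

# Step 3: check the names BEFORE enabling; a missing name means the Outlook warning stays.
$missing = $names | Where-Object { $imported.CertificateDomains -notcontains $_ }
if ($missing) { throw "Certificate is missing names: $($missing -join ', ')" }

# Step 4: assign it to IIS (OWA, EWS, Autodiscover, Outlook Anywhere). Only from this point
# are users affected; until here the old certificate keeps serving.
Enable-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint -Services IIS

# Step 5: confirm what IIS now presents.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services

# Step 6: only after clients connect without warnings, remove the superseded certificate.
# Remove-ExchangeCertificate -Server $server -Thumbprint '<OLD THUMBPRINT>'
```

If a public CA is preferred instead, drop the .local name from the list and make the internal URLs use the public name via split DNS; either way the name check in step 3 is the part that prevents swapping one certificate warning for another.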
us-aroc82 (Author) Commented:
Hi abdulalikhan, I'll add you on MSN Messenger. My e-mail is aroc.avp@live.com
0