Exchange 2010 with two NICS

djpierce54
I just set up a domain server 2008 R2 with two NICs. Each NIC is on its own subnet and each has its own internet connection. I need to have one Dept on one network and the other on the second. They both have access to the Active Directory on my Domain Server.
Otherwise, they are mutually exclusive networks using unmanaged switches.
I also have an Exchange 2010 SP2 server 2008 R2 (on the same LAN) that is configured with Subnet A. It also has two NICs, one configured with each subnet. The problem I am having is that I can plug into Subnet A and get Outlook 2010 connected to Exchange. But I cannot get Outlook 2010 to connect to Exchange when I plug into Subnet B. I can ping the Exchange server on Subnet B and nslookup shows both subnet IPs. There must be something in Exchange that will configure it to listen on both subnets. I would assume I would also need the second subnet to have access to the internet in order for all the users on subnet B to use email. First I need to get it working internally.
This is a multirole server yes?  (Mailbox + CAS + Hub/Edge Transport??)

Make sure that your receive connector(s) are "listening" on both subnets.

Open the Exchange Management Console (EMC) and expand Server Configuration and click on Hub Transport. Check the properties of your receive connectors.

Commented:
The problem here is that your domain controller should only have one NIC and one IP. It should absolutely not live on two subnets at the same time. Exchange connectivity isn't the only problem you're going to run into with this configuration.

Better to put the DC on a third subnet, and a router (or smart(er) switch) in between each of your other subnets.
DJPierce, can you confirm you have a Domain Controller with two NICs?  I read that your Exchange server does, but I don't see clearly that your Domain Controller has two NICs as well.

Commented:
That's what I read with:

I just setup a domain server 2008 R2 with two NICS. ... They [the two subnets] both have access to the Active Directory on my Domain Server. ... I also have an Exchange 2010 SP2 server ...

Author

Commented:
Yes my DC does have two NICs and so does my Exchange 2010.
I found the problem; apparently you need to configure the network adapters on the Exchange 2010 server to be in the correct order.
I just followed the below link and everything is working. That link is not exactly what I was doing but it pointed me in the right direction.

I have seen this comment before about avoiding two NICs on the DC but so far all my testing shows it works fine. I only have about 75 users on the domain so the DC is not really pressed for work.
I can plug a laptop that has a Domain account into either subnet and Exchange, DHCP, DNS and AD work just fine. The only issue I had was printer access as all my printers have fixed IPs on only one subnet. I simply turned my server into a printer server and can now access all the printers from both subnets. Next is configuring VMware with two NICs.

http://www.msexchange.org/articles_tutorials/exchange-server-2010/high-availability-recovery/uncovering-exchange-2010-database-availability-groups-dags-part2.html

Commented:
One of the things you should expect when your DC is on two subnets, and when those two subnets cannot route to each other, is that when clients in Subnet A get DNS resolution for domain resources to an IP on Subnet B, they won't be able to reach it, and things will fail. Sometimes. Randomly, and intermittently.

Adding an Exchange server with multiple IPs in the same environment will result in random and intermittent disconnections, too.

If it's working for you, great, but it's definitely non-standard, and possibly unsupported by Microsoft. It's probably worth a few minutes to drop MS a note to find out if they'll support the configuration; if they won't, you won't even be able to pay them for incident support. They just won't have anything to do with it. That's another big reason to avoid this configuration in production.

All that said, I'm glad you have it working to your satisfaction.
ckratsch is right - this is a totally unsupported design, and you absolutely WILL continue to have problems with it in the future. Worse, the problems will be random, unpredictable, and will have ambiguous symptoms. There are too many simple ways around having a multihomed domain controller that it just doesn't make sense. Give yourself the best possible advantage for a stable, predictable infrastructure - have as many subnets as you want - but set up simple routers in between them so you don't have to multihome any servers.

Author

Commented:
I will keep this in mind.  I need to buy some managed switches too.  Then I can do simple DHCP relays and VLANs.
For now I just need to get this up to let some people use the new network connection.

My concern is being able to use DHCP, DNS, Exchange and AD for the one Domain on both subnets. I guess I would need to setup another DC on the second subnet and link?
I have not found a good article outlining the best topology.

Yes I understand about access between the two subnets. I set up DNS entries for all the servers on both subnets so all the clients have access on either subnet.
It is extremely rare in our environment that a client computer wants to connect to another client computer.  We just use the servers as our standard public storage for the LAN.
Putting another DC somewhere on your LAN/WAN should depend upon the reliability and speed of the network connection between the two or more subnets. If your connection is reliable and fast (for example 10 Mbps or better) you can probably get away with not adding another DC. If you _do_ add another DC, you might want to add another AD site for that DC, so you don't defeat the purpose of adding the DC in the first place.

You don't technically need another DC for DHCP, or relay - there are multiple ways around that.

This article has good detail on sites and AD / Exchange topology best practices:
http://technet.microsoft.com/en-us/library/dd638104.aspx

Author

Commented:
I would assume I could just set up two subnets on the current AD and DHCP, but what is not clear is whether I still need two NICs on the DC to let AD work for both subnets. I have a gigabit LAN so speed is not an issue. I just have this issue where the two subnets need to be kept separate as I need specific people to use subnet A and others to use subnet B and each to use their respective internet connection and yet keep both on the same Domain. Your article is good from the Exchange perspective but not as much the Domain perspective.
There were links in there to get more info on sites, but here's something else to review:
http://technet.microsoft.com/en-us/library/cc782048(v=ws.10).aspx

Essentially, Active Directory Sites (and subnets, for that matter) are completely independent of Active Directory domains. You can have multiple sites/subnets in a domain, or you can have multiple domains in a site/subnet.

You never need, in any situation whatsoever, two NICs on a single domain controller. There are abundant resources and architectures to avoid that.

If, for example, you created two subnets:
SUBNET A:
network:  10.1.1.0/24

SUBNET B:
network:  10.2.2.0/24

And there is a gigabit connection between the two subnets. You could have one domain spread across the two subnets, one domain controller (although best practice is to have at least two) and a single DHCP server with two scopes; one for each subnet:
http://technet.microsoft.com/en-us/library/cc758865(WS.10).aspx

The DHCP scope for each subnet will include DHCP options for two different default gateways; one default gateway for each subnet.

Add an Exchange server to the mix; put it on either subnet, it doesn't matter as long as you have some sort of router (cheap and simple) between the two subnets.

Author

Commented:
I was looking at my DHCP server settings and the two scopes but I cannot see where you set the default gateway for each scope.
Just to better understand: if I configure only one NIC on the server I would have both IPs (server at x.x.x.3) included, 10.1.1.3 and 10.2.2.3, along with both gateways 10.1.1.1 and 10.2.2.1. These gateways are my two routers that control access to the internet for each subnet.
Then set the 10.1.1.3 as the first to bind and set up a relay agent between the two subnets so that requests that come in from the 10.2.2.0 subnet will get relayed to 10.1.1.3, and of course people on 10.1.1.0 will just go straight to the 10.1.1.3 DHCP server.
Am I on the right track or do I need to do some serious reading?
Scope Options: Use the Scope Options in DHCP admin to define the gateway (i.e. "Router"), DNS, etc.

I can't be sure if you're on the right track - I'm confused by your second question.

A relay agent can be another server (with one NIC) or a routing device that is capable of DHCP relay.

Author

Commented:
OK thanks, I do have the DHCP routing set up correctly. I am sorry for the unclear question. Let me try to rephrase. I need to understand what I should be entering on my single NIC that hosts the AD, DHCP and DNS services along with the correct entry for my router relay agent. I will be setting up the two physical subnets with a router between them. The router would be purely used as a DHCP relay agent.
So on my server I would enter the following on the one NIC:
IPs: 10.1.1.3 and 10.2.2.3
Subnet mask: 255.255.255.0 and 255.255.255.0
Gateway: 10.1.1.1 and 10.2.2.1
DNS would just be 10.1.1.3
Now the gateways point to each router that will allow internet access for each subnet.
Or should the second IP 10.2.2.3 not have the gateway assigned?
So the last setting would be to configure the router between the two subnets with a DHCP relay agent pointing to 10.1.1.3
I hope this makes more sense.
Don't assign more than one IP address to your DHCP server, there's no need to. DHCP server has one NIC, one IP address, one default gateway.

DHCP Server:
IP address 10.1.1.3
Subnet Mask:  255.255.255.0
Gateway:  10.1.1.1

DHCP Server SCOPE#1
Start IP address: 10.1.1.50
End IP address:  10.1.1.250
DHCP Option 003: Router (i.e. default gateway) 10.1.1.1
(add DNS server Scope Options too)


DHCP SCOPE#2
Start IP address:  10.2.2.50
End IP address:  10.2.2.250
DHCP Option 003: Router (i.e. default gateway) 10.2.2.1
(add DNS server Scope Options too)

On the switch, router, or separate server, add a DHCP relay agent. Point it to the DHCP server. The DHCP server will understand, based on the return route of the DHCP request coming from the DHCP relay agent, and assign the correct IP address from the correct SCOPE.
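The scope selection the answer above describes is driven by the giaddr field of the relayed DHCP request: the relay agent writes the address of the interface that heard the broadcast into it, and the server picks the scope whose subnet contains that address (a request with giaddr 0.0.0.0 came from the server's own segment). The following is an added illustration, not code from the thread or from Windows DHCP; the scopes mirror the two listed above, the relay address 10.2.2.10 is the RV180's VLAN 2 address mentioned later in the thread, and the MAC addresses and packets are constructed.

```python
import ipaddress
import struct

# Constructed to mirror the thread: one DHCP server at 10.1.1.3 with one scope
# per subnet, each carrying its own option 003 (router).
SERVER_IP = ipaddress.ip_address("10.1.1.3")
SCOPES = [
    {"network": ipaddress.ip_network("10.1.1.0/24"), "first": "10.1.1.50", "router": "10.1.1.1"},
    {"network": ipaddress.ip_network("10.2.2.0/24"), "first": "10.2.2.50", "router": "10.2.2.1"},
]
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed header, 236 bytes


def build_discover(xid, mac, giaddr="0.0.0.0"):
    """Constructed DHCPDISCOVER. A relay agent writes the address of the
    interface that heard the broadcast into giaddr and bumps hops; a client on
    the server's own segment leaves giaddr as 0.0.0.0."""
    relayed = giaddr != "0.0.0.0"
    header = struct.pack(
        HEADER_FMT,
        1, 1, 6, 1 if relayed else 0,         # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                       # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,  # giaddr
        mac + b"\0" * 10, b"\0" * 64, b"\0" * 128,
    )
    return header + MAGIC_COOKIE + b"\x35\x01\x01\xff"  # option 53=DISCOVER, end


def parse_request(packet):
    """Return (xid, client MAC, giaddr, options) or raise on a malformed packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(HEADER_FMT, packet[:236])
    mac = f[11][: f[2]]                      # chaddr truncated to hlen
    giaddr = ipaddress.ip_address(f[10])
    options, i = {}, 240
    while i < len(packet) and packet[i] != 0xFF:
        if packet[i] == 0:                   # pad option
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2 : i + 2 + length]
        i += 2 + length
    return f[4], mac, giaddr, options


def select_scope(giaddr):
    """A relayed request is matched on the relay's giaddr; a local request
    (giaddr 0.0.0.0) is matched on the server's own interface address."""
    key = giaddr if int(giaddr) else SERVER_IP
    for scope in SCOPES:
        if key in scope["network"]:
            return scope
    return None  # no scope covers the relay's subnet: nothing to offer


def handle_discover(packet):
    """Return (offered address, option 003 router), or None if unserved."""
    _, _, giaddr, options = parse_request(packet)
    if options.get(0x35) != b"\x01":         # only DISCOVER handled here
        return None
    scope = select_scope(giaddr)
    if scope is None:
        return None
    return scope["first"], scope["router"]
```

A relay whose interface address falls outside every configured scope is the silent failure case: the request reaches the server but no OFFER comes back, which is the first thing to check when clients on the far side of a relay never get a lease.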

Author

Commented:
Excellent thanks for detailing that out.  I need to get a router now and I can test.
I will update when I have tested it.  
I guess the question will be how do the clients access the servers from both subnets.
All the servers are on 10.1.1.0 but I am not sure how the clients on 10.2.2.0 will have network access to the servers.  Would I need to setup some static routes in the router between the two subnets?
A router connects two or more networks (i.e. subnets). That being the case, a router has two or more NICs. In your scenario, your router would have two NICs connected to two subnets (10.1.1.0 and 10.2.2.0)

The router's NIC on subnet A (10.1.1.0) would be, perhaps, 10.1.1.1
The router's NIC on subnet B (10.2.2.0) would be, perhaps, 10.2.2.1

The servers on Subnet A would use, perhaps, the default gateway 10.1.1.1 (which is the closest NIC of the router for that subnet)

The PC's on subnet B would use, perhaps, the default gateway 10.2.2.1 (which is the closest NIC of the router for that subnet)

Routers route - that's their job. So when a PC on subnet B (for example jdoe01 10.1.1.68) tries to connect to a server on subnet A (for example SERV01 10.2.2.95), those packets travel to the default gateway (the router's 10.1.1.1 NIC) and the router automatically routes them to the 10.2.2.0 subnet A. Then they return in the same fashion.

Author

Commented:
You have been very helpful on all this - and patient. I'll have a router in a couple days and see if it is all what it should be.

Author

Commented:
Pardon my ignorance but I was looking at routers and the obvious issue is they all have the WAN and LAN connections.
I assume I will not be using the WAN connection as an internet connection but rather a connection to Subnet B.
Then the LAN connections would just be for subnet A.
I assume DHCP relay agent does work between the WAN and LAN and not just on the LAN side - dumb question but just want to be clear on this.
It's hard to make a blanket statement about the use of WAN connectors and native DHCP-relay agent ability. All routers are unique in those regards. It's best to review the router manufacturer's website and analyze the specifications, user/admin guides etc.

Some routers come with multiple LAN interfaces, some don't.

If it were me, I would make a case that justifies the purchase of a more expensive router that does EXACTLY what my company needs. Needs will vary, but you seem to need at least one router with at least two LAN (preferably GIG Ethernet) interfaces. Different routers have different built-in security "software" or "firmware" that causes the router to handle traffic on a WAN interface differently than traffic on a LAN interface - again it depends on the router.

Author

Commented:
Sorry for the long delay in getting back on this. I did get a simple Cisco gigabit router that supports VLAN and DHCP relay. I am having issues with the subnet A working seamlessly with the subnet B where my servers are. I have been told that what I will need to do is put static routes on the routers that contain the WAN connections pointing back to the new Cisco gigabit router. I am trying to avoid this. I wondered if you could look at this diagram and tell me your thoughts about it working. I mainly want to change the gateways on the clients and servers to point to the Cisco router and then have the router point on each VLAN to the respective WAN routers for internet access. Again I need all users on Subnet A to access Active Directory and shared files on the servers of Subnet B. They need to login on Subnet A using the Domain information on Subnet B. Just to clarify, the doc2.docx is the original setup where I am required to enter static routes on the WAN routers to point back to the new Cisco router. The docnew.docx is my proposed layout to avoid static routes. Thank you for any suggestions.
Doc2.docx
Docnew.docx
Stick with the configuration depicted in "Doc2", avoid the configuration in "Docnew".

Doc2 shows a more traditional setup, and I would follow that design. I actually have something very similar on two of my networks. Clients on SubnetA use router1 (10.1.1.1) as their gateway of last resort. I don't know what kind of routers "Router 1" and "Router 2" are, (they're not firewalls are they?) but they should be able to handle 'same interface routing'. And yes, in that case, Router 1 and Router 2 need to have static routes that point to the third router (RV180?) as a gateway to the other subnet.

Author

Commented:
Yes the RV180 is the third router and will act as the gateway to the other subnet.
Yes both Router 1 and 2 have firewalls.
OK I have the RV180 router configured with VLAN 1 with IP 10.1.1.10 and VLAN 2 with 10.2.2.10
Just to be clear, these would be the static routes for the two other routers?
Router 1
Destination Network 10.2.2.0
Subnet Mask 255.255.255.0
Default Gateway 10.1.1.10
and for Router 2
Destination Network 10.1.1.0
Subnet Mask 255.255.255.0
Default Gateway 10.2.2.10

I updated my diagram to show the updated configuration
Doc2.docx
Yep, that's how I'd do it.
Here's the caveat: I already know my equipment is capable of it. In my mind, the unknown in your case is how Router 1 and Router 2 will behave. With mine, there's no trouble with "same interface routing" - a.k.a. "hairpinning" - which is where ingress traffic on an interface is allowed to turn right around and egress on the same interface. This seems simple enough, but firewall-equipped routers sometimes forbid this.

Are you at liberty to disclose exactly what models of Router 1 and Router 2 you have?

Author

Commented:
Sure I have a Netgear FVX538 Load Balancing Firewall Router and a Sonicwall TZ200 firewall/router.
So far things seem to be working fine on the Subnet B and I can access Subnet A computers. Will not know until tomorrow about the other way around.
Good deal.
Which subnet does the Netgear represent, and which does the Sonicwall represent?

Author

Commented:
Netgear is on Subnet B and Sonicwall on Subnet A

Author

Commented:
I may have found an issue that is related to your comments about the firewalls.  I setup a VPN to a server on Subnet A.  I can get in and I can access everything on Subnet A but I cannot get to anything on Subnet B - especially using RDP.  Now when I am at the console for that same server I have full access to both Subnets. So I assume this is an RRAS or firewall configuration issue.

This server has two NICS with one connected to each subnet.  Currently I only have the Subnet A NIC enabled.  If I also enable the NIC for Subnet B I can no longer VPN in.  So I disabled that NIC.  I tried putting a static route in RRAS on the Server on Subnet A but that made no difference.  Am I asking for too much?
Seems I should be able to VPN into a server on either subnet and be able to RDP to either subnet or at a minimum have file access to both subnets.
You shouldn't need to dual-NIC an RRAS server. I've built countless and never need to dual NIC them.

I'd like to see a diagram of this, but I suspect you're running into a "split return" routing issue. This is where packets ingress on a particular route, but attempt to egress out a different "default" route. When that happens, the originating host that sent the packets will drop the reply - because the reply comes from a different source route.

It may be a bit simpler than that - it could be just a simple routing issue. I think 'tracert' here is your friend. Start your VPN connection again. Once established, do a tracert to a destination host with which you're having these issues. See what you get. Then, from the troubled destination host, try a tracert back to the VPN host. Compare the routes; see if they are different.

No, you are definitely not asking too much. It's your network - (so to speak) and you can make it do just about anything if you have the means. You just gotta work out the kinks.

Author

Commented:
The saga continues. For the short term I resolved the VPN by just making the remote gateway active for the VPN connection.
It will generate more traffic on our RRAS server but we only have 3 or 4 at a time on it.
The two subnets are working great with Win 7 machines but not quite with XP.
XP can never find the DHCP server and when I give it a static IP it works fine on both networks.  The XP also works fine on the same subnet as the DHCP server so I do not think it is a firewall setting.  Seems like XP has problems with relay agent?
I have the static workaround but it would be nice to make this seamless.
I never got an answer on the tracert request above - could be of value.

DHCP is pretty much all-or-nothing, so XP clients should work as well as Win 7 clients. Check to make sure the NIC MAC addresses of the XP clients aren't listed as reservations on the DHCP server. Also, kill any DHCP leases that are already listed for the XP clients - on the DHCP server. Reboot the XP clients and see if that helps.

Author

Commented:
I need to do the Tracerts again.  I had a problem where my home network was on 192.168.1.x and so is RRAS Server at work.
There was confusion about the gateway as it was the same at home as at work.
I have now configured the work with a 192.168.10.x so I'll try again at home.

I have checked all those items you mentioned already and I have tried three different XP machines.  All respond the same.  I smell a rat in the Cisco FV180 router as  the request never reaches the DHCP server when the XP machine is plugged into the subnet w/o the DHCP server.  XP machines all work fine when plugged into the same subnet as the DHCP server.
I need to configure logging on that Cisco router and see if I can see anything.

Author

Commented:
Well I am not sure if you can read capture files but I did try to isolate the Win 7 machine on one DHCP request and then the XP machine on a separate DHCP request. It appears that the XP will not accept the DHCP Offer. The XP is Fujitsu with MAC starting with 00-0B-5D.. and was isolated in file pktfujionly.cap. Then the pktlponly.cap is the Win 7 machine that connects fine with MAC 48-5B-39...
Guess it is time to dig into why XP will not accept DHCP offer from my server 2008 R2 dhcp server.  BTW the Netgear is the router behind the one LAN.  The Cisco 180 router between the subnets has 192.168.10.99 and 172.168.100.34 with DHCP relay and Inter Vlan turned on.
Please note the attached files are actually *.CAP files.
pktFujitOnly.txt
pktLPonly.txt
Thanks, I'll review.

Author

Commented:
Here is my first attempt at the Tracert tests.  Let me know if I missed something.
traces.txt
Wow, I'm really confused. Were your diagrams earlier inaccurate? I was familiar with 10.1.1.x and 10.2.2.x - now there appear to be new subnets.

172.168.x.x is a public IP address range - not private IP (RFC 1918). So I'm confused why this would be assigned to your new Cisco 180.

An RRAS server should have ONE NIC, and it should be on the same LAN as your other servers. There's no need to put it on a separate LAN or install two NICs. It just confuses matters.

The RRAS server, as it assigns VPN IP addresses to its clients, can also assign static routes. This should allow you to split tunnel (i.e. you don't have to use the remote gateway).

Author

Commented:
I am sorry, yes the 192 and 172 networks are actually being used. The 10.1 and 10.2 was just a representation of the right way to do it.
I came in on the original network already set up with a 172 subnet. I am in the process of replacing it. The reason the RRAS server is on the opposite subnet from the servers was to be able to use the new 10Mb line for VPN access. It does only have one NIC being used. I also have an RRAS server on the other subnet that will continue to VPN on the load balanced T1 lines. I have two different departments in the same building/LAN with their specific requirements.

Author

Commented:
Thank you for your time on this.  Other than some minor issues with VPN everything is working as expected.
