Problem with Exchange 2010 using two Client Access Servers

I'm having some Exchange problems on a new install and was wondering about the client access role.  I'm setting up a second server at a different site to make a DAG.  Whenever I power on the other server, within a few minutes clients can no longer send email and it gets stuck in the outbox.  Shutting down the second server and restarting the primary eventually resolves the issue.  I can't really troubleshoot this effectively since when I turn the other server on it kills email.

While researching this I came across the Get-ClientAccessServer command.  When I run it I see both servers listed when I'd only expect to see one.  I don't want the users to connect to the other Exchange server yet, especially when it hasn't been fully configured with the DAG.

I suspect this is at least part of my problem and would very much appreciate any feedback.
First Last asked:

Simon Butler (Sembee), Consultant, commented:
Install a server with the Client Access Role and clients will use it immediately.
There is nothing you can do to stop that. They will get the information about the second server from Autodiscover.

However if you have an RPC CAS Array that would allow you to force traffic to just a single server, and when you have multiple servers in place you can then point the RPC CAS Array at a load balancer.
If you don't have an RPC CAS Array then you have some work ahead of you.

The DAG only protects the mailbox data, it does nothing for the clients. If you failover the clients will continue to point at the existing client access server. Only an RPC CAS Array is going to get your clients to another server.

Do all of the Exchange services start without error on the second server? Is it patched to the same level as the existing server?

Check your send/receive connectors. Sounds like one is configured improperly and isn't letting outbound mail go. Might also check your firewall to make sure it's allowing traffic to and from both ip addresses.
First Last (Author) commented:
The second server has the same send/receive connector configured, it automatically filled in all the details when I installed it.

There is no firewall between the two servers, but they are connected via a point-to-point Cisco VPN.  I don't see any traffic being stopped there, but it's possible.

I was wondering if there is a command I can run that would restrict the users to only one of the two servers.

Does your MX record point to both IPs, or does it just point to one and then replicate to the other?

Also, why are you running 2 exchange servers?
First Last (Author) commented:
MX record points only to the original server at the moment.  I am running two Exchange servers so I can set up basic database redundancy using a DAG.  Unfortunately I can't actually add the other server to the DAG for two reasons.  The first is the problem described above.  The second is an error I get when I attempt to add the second member:

An Active Manager operation failed. Error An error occurred while attempting a cluster operation. Error: Cluster API '"AddClusterNode() (MaxPercentage=12) failed with 0x800706d3. Error: The authentication service is unknown"' failed.. ---> System.ComponentModel.Win32Exception: The authentication service is unknown

For now I need to know why mail stops sending when I turn on the second server.  Then I would like to move on to the second issue.  Who knows, maybe solving the first issue will also resolve the second.  :)
What roles are both servers doing? Are they both DC's? DNS? DHCP?

Also: Since DAGs rely on Windows failover clustering, they can only be created on Exchange 2010 Mailbox servers running the Windows Server 2008 Enterprise operating system or Windows Server 2008 R2 Enterprise operating system.
First Last (Author) commented:
They are just Exchange 2010 servers with the CAS/MB/HT roles installed.  They do not provide any other network services.  The primary server is working fine and is currently the only member of the DAG.
First Last (Author) commented:
Hi Simon, good to hear from you!  I see what you are saying and understand that I'll need to set up a CAS array, then hit all the clients to reconfigure their profiles.  I didn't understand that going in, otherwise I would have set that up from the beginning.  :)  After doing a great deal of research I think I actually have two problems here.

The first is likely a communications issue with the VPN... I think some of the ports are being blocked for Exchange.  This would explain the emails getting stuck in the outbox and that I can't join it to the DAG.  I'm working on that today with our Cisco guy.  In order to troubleshoot this I need to force the clients to use the primary server for now so I can bring the other one online.  To do that I found this command:

Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://LocationOfCAS/Autodiscover/Autodiscover.xml

This should force the clients all onto the working server and also allow me to work on the problem.  Does that look right to you?

We're mostly on Outlook 2010 and I've read that when properly patched the autodiscover feature can update the profile automatically.  Has this been your experience?

Thank you everyone for your help on this one, it's been a challenge.
Simon Butler (Sembee), Consultant, commented:
With multiple servers you would usually configure the AutodiscoverServiceInternalURI to be the same, as it would need to match the SSL certificate. If you deploy a load balancer then the URL would be generic and point there instead of directly to the server.

Autodiscover will not pick up the implementation of the RPC CAS Array, because the CAS role server currently being used is still valid - it requires manual intervention.
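Putting the advice above into Exchange Management Shell commands, as an added example that is not from the thread: set the same Autodiscover URI on every CAS, create an RPC Client Access array for the site, and bind the mailbox databases to the array name instead of a server name. The server names, the AD site name "HQ" and the array FQDN outlook.corp.example are assumptions; the array FQDN must be on the SSL certificate and have a DNS A record pointing at the working CAS (later at the load balancer).

```powershell
# Added example, not code from the thread. Assumes two Exchange 2010
# CAS/MBX/HT servers, an AD site named "HQ", and a DNS A record for
# outlook.corp.example that currently resolves to the primary server.
# Run from the Exchange Management Shell on the primary server.

$ArrayFqdn = "outlook.corp.example"   # assumed generic name; must match the certificate
$Site      = "HQ"                     # assumed AD site that contains both servers

# 1. Autodiscover: give every CAS the same internal URI so the name matches
#    the certificate and clients are not handed a server-specific URL.
Get-ClientAccessServer | Set-ClientAccessServer `
    -AutoDiscoverServiceInternalUri "https://$ArrayFqdn/Autodiscover/Autodiscover.xml"

# 2. Create the RPC Client Access array for the site if it does not exist yet.
if (-not (Get-ClientAccessArray -Site $Site -ErrorAction SilentlyContinue)) {
    New-ClientAccessArray -Name $ArrayFqdn -Fqdn $ArrayFqdn -Site $Site
}

# 3. Point each mailbox database at the array name rather than a server name,
#    so a DAG failover does not strand clients on a single CAS.
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $ArrayFqdn

# 4. Verify what clients will now be told.
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize
Get-ClientAccessArray  | Format-Table Name, Fqdn, Site -AutoSize
Get-MailboxDatabase    | Format-Table Name, RpcClientAccessServer -AutoSize
```

As noted in the reply above, Outlook profiles created before the array existed keep the old server name and have to be repaired manually; only new profiles pick up the array name automatically.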
