DR for Exchange

In our Exchange 2010 infrastructure we have the following servers in the primary site:
Two CAS servers
Two Hub Transport servers
Two Mailbox servers
One Application Request Routing server (ARR server) in the DMZ for ActiveSync clients, Outlook Anywhere, and the webmail service.
and in the DR site:
One CAS
One Hub
One MBX
One Edge server (I have installed an Edge server since we are using IronPort in the primary site and we do not have any IronPort available in the DR site)

Now I need to ensure the disaster recovery site will be available in case of primary site failure, and users should be able to access email from the DR site using Outlook (MAPI client), ActiveSync (mobile client), Outlook Web Access, and Outlook Anywhere.

Could you please advise:

1. What technical steps would be needed to perform a site failover?
2. Do I need to publish another MX record with lower priority for the DR site, or can I use the existing IP to point to the DR Edge server?
3. At present, MAPI clients are pointing directly to CAS01 or CAS02; do I need to change DNS to point to the DR CAS?
ipsec600 Asked:

Amit Kumar Commented:
See below for detailed steps to fail over a DAG to the DR site.

Since you don't have IronPort in the DR site, your only option is to publish the Edge server as an MX record. Yes, you can publish it with lower priority, but sometimes, even when your IronPort is available, your mail can come through the DR Edge. So it is better to publish the MX record at the time of failover, or to install anti-spam software or an appliance that can handle real-time spam. I think your DR site will have a separate ISP, so it may not be possible for you to publish the same public IP for the Edge server.

I am not sure about the ARR server, but you will certainly have to publish DNS records for your CAS URLs at the time of failover to get ActiveSync and all CAS services operational.

I know you will be thinking that this process will take at least 30-40 minutes, and that is true. DAG failover is a major process that takes time; it is the standard process introduced by MS as well. The reason is to avoid split-brain syndrome.

For DAG Creation:
---------------------------

Set-DatabaseAvailabilityGroup -id <DAG Name> -WitnessServer <Witness/HTC Server Name> -WitnessDirectory C:\FSW -AlternateWitnessServer <Witness/HTC Server Name from other site> -AlternateWitnessDirectory C:\FSW

Set-DatabaseAvailabilityGroup -Identity <DAG Name>  -DatabaseAvailabilityGroupIPAddresses <Virtual IP from Primary Site,Virtual IP from Secondary Site>

Set-DatabaseAvailabilityGroup -Identity <DAG Name>  -DatacenterActivationMode DAGOnly


To allow RPC access while a database is active on the secondary site: (After applying Exchange 2010 SP2 RU3/4)
----------------------------------------------

Set-DatabaseAvailabilityGroup -ID <DAG Name>  -AllowCrossSiteRpcClientAccess:$true 


To allow silent OWA redirection between both sites: (After applying Exchange 2010 SP2)
-------------------------------------------------------------

Set-OWAVirtualDirectory -Identity "Contoso\owa (Default Web site)" -CrossSiteRedirectType <Silent/Manual>


To block/unrestrict automatic activation of database copies on the secondary site's mailbox servers:
-----------------------------------------------

Set-MailboxServer -Identity <mailbox server 1 in passive site> -DatabaseCopyAutoActivationPolicy:<Blocked/unrestricted>
Set-MailboxServer -Identity <mailbox server 2 in passive site> -DatabaseCopyAutoActivationPolicy:<Blocked/unrestricted>

"Blocked" is used on the passive site while neither site has failed.
"Unrestricted" is used to activate the passive site when the primary site has failed.


Switchover while primary site is down temporarily or permanently:
----------------------------------------

Set-MailboxServer -Identity <mailbox server 1 in passive site> -DatabaseCopyAutoActivationPolicy:unrestricted
Set-MailboxServer -Identity <mailbox server 2 in passive site> -DatabaseCopyAutoActivationPolicy:unrestricted

Stop-DatabaseAvailabilityGroup -Identity <DAG Name> -MailboxServer <mailbox server 1 in failed active site> -ConfigurationOnly
Stop-DatabaseAvailabilityGroup -Identity <DAG Name> -MailboxServer <mailbox server 2 in failed active site> -ConfigurationOnly
Stop-DatabaseAvailabilityGroup -Identity <DAG Name>  -ActiveDirectorySite <Failed Site Name> -ConfigurationOnly

Restore-DatabaseAvailabilityGroup -id <DAG Name> -ActiveDirectorySite <Passive site Name> -AlternateWitnessServer <CAS Server in passive site> -AlternateWitnessDirectory C:\FSW

Set-MailboxDatabase -id <DB Name> -RpcClientAccessServer <CAS Array in passive site>


Switchback to primary site:
----------------------------------------------

cluster node <mailbox server 1 in failed active site> /forcecleanup
cluster node <mailbox server 2 in failed active site> /forcecleanup

Start-DatabaseAvailabilityGroup -id <DAG name> -ActiveDirectorySite xavtnd

Set-MailboxDatabase -id <DB Name> -RpcClientAccessServer <CAS Array in Active site>


0
ipsec600 Author Commented:
Hi Amit,
Thank you for your clarification. Could you please help me understand how Outlook clients will connect to the DR CAS?

Since all Outlook clients are connected to the primary CAS server, how can I redirect Outlook clients to the DR CAS without changing the Outlook profile?
0
Amit Kumar Commented:
Once you fail over from the primary site to the secondary, you will have to set the CAS array from the secondary site on all DBs that have been failed over to the secondary site.

The command for setting the CAS array on a DB is as follows:

Set-MailboxDatabase -id <DB Name> -RpcClientAccessServer <CAS Array in passive site>

Once this is done, Outlook will need a restart and will then connect without any issue.
0
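
Added example (not part of the thread and not either poster's code): a post-switchover check for the Exchange Management Shell that confirms the settings the steps above depend on, namely DAC mode, the DR servers' activation policy, and each database's mount location and RpcClientAccessServer. The function name and the DAG, server and CAS array names in the sample call are placeholders, not values from this environment.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# after the switchover steps. Every value passed in is a placeholder.
function Test-DrSwitchover {
    param(
        [string]$DagName,        # DAG name
        [string[]]$DrServers,    # short names of the DR-site mailbox servers
        [string]$DrCasArray      # FQDN of the CAS array in the DR site
    )
    $problems = @()

    # DAC mode is what guards against split brain when the primary returns.
    $dag = Get-DatabaseAvailabilityGroup -Identity $DagName
    if ("$($dag.DatacenterActivationMode)" -ne 'DagOnly') {
        $problems += "DAG ${DagName}: DatacenterActivationMode is $($dag.DatacenterActivationMode)"
    }

    # DR mailbox servers must be allowed to activate database copies.
    foreach ($s in $DrServers) {
        $policy = (Get-MailboxServer -Identity $s).DatabaseCopyAutoActivationPolicy
        if ("$policy" -ne 'Unrestricted') {
            $problems += "${s}: DatabaseCopyAutoActivationPolicy is $policy"
        }
    }

    # Every database in the DAG should be mounted on a DR server and hand
    # Outlook (MAPI) clients the DR CAS array.
    $dbs = Get-MailboxDatabase -Status |
        Where-Object { $_.MasterServerOrAvailabilityGroup.Name -eq $DagName }
    foreach ($db in $dbs) {
        $activeOn = "$($db.MountedOnServer)".Split('.')[0]
        if (-not $db.Mounted) {
            $problems += "$($db.Name): not mounted"
        } elseif ($DrServers -notcontains $activeOn) {
            $problems += "$($db.Name): mounted on $activeOn, not a DR server"
        }
        if ("$($db.RpcClientAccessServer)" -ne $DrCasArray) {
            $problems += "$($db.Name): RpcClientAccessServer is $($db.RpcClientAccessServer)"
        }
    }
    return $problems
}

# Sample call with placeholder names; no output means every check passed.
Test-DrSwitchover -DagName 'DAG01' -DrServers 'DR-MBX01' `
    -DrCasArray 'casarray-dr.example.com'
```

Each line of output names one setting that still points at the primary site or was never changed.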

ipsec600 Author Commented:
Thank you Amit for your excellent clarification.
0
Amit Kumar Commented:
Pleasure is mine.
0