Exchange 2013 DAG and CAS LB

Can Exchange 2013 DAG and CAS LB be achieved with three servers: 1) Exchange server, 2) secondary server with the same version of Exchange and OS (does it need an additional CAS certificate for LB, or should it just have the mailbox role?), 3) witness server using an older Windows 2008 server?
pchettri (IT Director) asked:

Stuart (Technical Architect - Cloud) commented:
Ideally you would build 2x multi-role Exchange 2013 servers with a pair of hardware load balancers. Introduce split DNS if you haven't already and have a single namespace for your environment. This also makes certificates simpler.
Leroy Luff (Head of IT & Digital) commented:
Agreed with Stuart - only 2 servers needed. You can however push the mailbox role to a 3rd server, but that's an extra license.

Your certificate provider should be able to give you a duplicate certificate for the 2nd CAS server.
Amit (IT Architect) commented:
Just install Exchange Server on all 3 servers with both roles and Exchange will take care of the rest for you. You don't need an FSW with odd numbers. Read about quorum models in this KB.

pchettri (IT Director, Author) commented:
I only have two server licenses for Exchange, not three. The witness server is just a file server which I am planning to use as the witness, and it is Windows 2008 R2. The remaining two Exchange servers are Windows 2012.
One already has active Exchange with mailbox and front-end CAS running, and the second I am planning to deploy, but before I deploy it I want to make sure of all possible options.
If I could only use the second server for the mailbox DAG then I will deploy only the mailbox role; however, if it is possible to get mailbox and CAS redundancy with two Exchange servers then I would certainly like to install both roles on the second server. I am planning to find a guide and instructions on how the spillover server in Exchange needs to be installed. Is the installation process the same as for a regular or first mail server, or does it have some different options that need to be set during setup?
Amit (IT Architect) commented:
In that case, install both roles on the 2nd server. Have your file server work as the FSW. You might need to add the Exchange Trusted Subsystem group to the local Administrators group of your file server.

With a DAG you will get HA for the DB. For CAS you need an HLB.
MAS (EE Solution Guide - Technical Dept Head) commented:
Agree with Amit. Install 2 servers with both the mailbox and CAS roles. Use the file server as FSW.
For balancing the CAS role you need a hardware load balancer or software load balancer.
Will Szymkowski (Senior Solution Architect) commented:
As has already been stated, yes, you can accomplish this using your configuration. However, if you do not have budget for an HLB, you can get them in a VM version which is at a lower cost.

pchettri (IT Director, Author) commented:
What hardware or software load balancer are we talking about? Is there any popular third-party product? Is there something from Dell or HP, or a VMware appliance version of a software appliance for Exchange?
Amit (IT Architect) commented:
Jeff Glover (Sr. Systems Administrator) commented:
Sounds like it is being overengineered. 2 Exchange 2013 servers installed with all roles (CAS/MBX), Server 2008 as witness. You need 1 certificate with the proper names in it. Install the certificate on the first server and then use the Exchange Control Panel to export the cert and key and then import it into the other (can be done from the ECP). CAS arrays are no longer used in Exchange 2013. The CAS role is basically just a redirector. Set the internal URL for the virtual directories correctly and have it resolvable via DNS and it will work.
pchettri (IT Director, Author) commented:
In other words, just change the DNS to redirect CAS traffic if the main server goes down. So installing the full feature set on the second server does not cause any conflict until the traffic is routed to it from DNS.
Also, do I still need to set up a DAG on the second server for mail DB replication?
Jeff Glover (Sr. Systems Administrator) commented:
No, if you set up DNS load balancing (an A record for each IP pointing to the internal URI for your services), then DNS will take care of it for you. If one goes down, they will switch to the other. With 2013, the CAS role is just a redirector, stateless.
The recommended way is to install both CAS and MBX roles on all servers and set up a DAG. CAS arrays are no longer used. There will be no conflict.
Create a DAG. Add both servers to it. Then add a database copy of your database(s) to the second server.
Stuart (Technical Architect - Cloud) commented:
The issue is that this form of load balancing only covers you for an entire server outage; if server1's services are down but the server is still responding to pings, you will see issues on your clients as DNS will still route them to the faulty server.

This may be suitable for a low cost solution but you need to be aware of this while making your decision.

Purpose-made load balancers would protect from service outages as well as offering a host of other features, whether required or not :)
Will Szymkowski (Senior Solution Architect) commented:
Let's be clear, DNS is in no way a method of load balancing and should not be used in a production environment to replace a "true" load balancer.

You need a true Layer 4 or Layer 7 (preferably Layer 7) load balancer which can break down individual services that fail on an Exchange server and can re-route those requests to a different Exchange server.

A Layer 4 load balancer is server specific, so if a specific service fails and you are using a Layer 4 load balancer it will redirect all requests to the other pool members.

Layer 7 will only redirect to another CAS server for the specific service that fails.

That's why a Layer 7 load balancer is preferred: the Exchange server that has an ActiveSync service failure can still service clients that are connecting to OWA, Outlook etc.

pchettri (IT Director, Author) commented:
I have one Server 2012 R2 with Exchange 2013 SP1 Rollup 7 running for around 3 months after migration.
I have a second server with 2012 R2 where I am planning to deploy Exchange 2013 and create a DAG, and use one of the Win 2008 servers as witness.
My existing Exchange server is an ESX VM guest, and the members I would be adding as DAG member and witness are both physical servers.

I am going to install Exchange on second server now.

What precautions should I take before installing Exchange 2013 on the second server to avoid any service conflict with the existing Exchange server? Is it recommended to install both roles like the mail server, or just keep mailbox? Do I need to create a separate DB on the second server to replicate from the primary, or would it just be one DB?
Jeff Glover (Sr. Systems Administrator) commented:
OK, ignoring the quips about load balancing (yes, you should not use DNS load balancing for a long-term solution; if you can afford a load balancer, I would do it. Kemp are pretty good). Be careful about one thing when using virtual servers for Exchange with a DAG: you should not allow them to vMotion. Multiple Exchange servers are by default in a cluster and vMotion can have some unexpected consequences. So, the precaution. If you are using Outlook 2013 with the latest SP, you should add the second server with all roles but do it off hours. Then, as soon as it is installed, set the Service Connection Point for that CAS role to the same settings as your first server. When you install a server, it usually sets the Autodiscover SCP to https://<servername>/autodiscover/autodiscover.xml. This can cause some certificate prompts with clients. You change it with the cmdlet Set-ClientAccessServer -Identity (servername) -AutodiscoverServiceInternalURI
Newer versions of Outlook have the clients looking for the newest Autodiscover SCP.
For the DB, once the server is installed and you have configured the Client Access virtual directories, if you have not set up a DAG, you set it up now and join both servers to it. Then you can just create a copy of your database using the EAC or the Exchange Shell. Warning: make sure your drives are set up identically on the second server. You cannot select the database and log location when setting up a database copy; it wants to put the database and logs in the same location on the second server. It will take care of replication itself.
For CAS role load balancing, although you can use DNS load balancing like I said before, it is not a good production solution. Look for a good Layer 4 or Layer 7 load balancer. Since CAS is just a connection proxy and a web interface for OWA/Autodiscover, you do not have to do anything else to achieve CAS load balancing. There is no CAS Array like we had in 2007/2010. Lastly, if you are going to allow other servers to send email via your servers, do not load balance SMTP from them. It works, but you cannot control who can relay by IP.
pchettri (IT Director, Author) commented:
You have suggested: "When you install a server, it usually sets the Autodiscover SCP to https://<servername>/autodiscover/autodiscover.xml. This can cause some certificate prompts with clients."

Does that mean the clients will start sending requests to the new server, which is supposed to be the backup server, instead of the main server? Will it stop all OWA and mobile access when the second physical server is first installed?
My primary server is the VM, and the secondary server and the witness would be physical servers.
Jeff Glover (Sr. Systems Administrator) commented:
What you should do is set the Autodiscover URL for the new server right after installing it but before you put it behind the load balancer. It normally takes clients a bit before they will notice it. Some suggest doing it during install (a complex combination of watching with PowerShell) but normally, I say, just set it as the first step after the install is complete. It shouldn't affect mobile access. Then, once you have the certificate installed and the vDirs set, place it behind the load balancer.
Jeff Glover (Sr. Systems Administrator) commented:
Also, that behavior, using the latest Autodiscover URI, is mainly Outlook 2013 SP1 and newer.
pchettri (IT Director, Author) commented:
Does that mean I am better off installing the mailbox role on the physical server and setting up a DAG with the witness server, without disrupting services on the main server installed as a VM?
Jeff Glover (Sr. Systems Administrator) commented:
I guess that depends on your setup and how much fault tolerance you want. Do you want to have fault tolerance for CAS? Do you have a load balancer? If you install just the Mailbox role, unlike 2010, you cannot add the CAS role later. Personally, I would just install the second server as multi-role. When it is done, run the command to set the Autodiscover URI for the server. The most you will have is maybe a certificate prompt if someone is unlucky enough to try to connect at exactly the wrong time and is using Outlook 2013 SP1 or better. Once you set the Autodiscover internal and external URI for the server, then export the certificate from your current server and import it into your new server. Set the virtual directories and then add it as a target to your load balancer.
It will automatically add a database for the new server, but you can get rid of it after you add the server to the DAG and make copies of your current database(s).
Also, you should check out Paul Cunningham's site, which is a treasure trove of Exchange knowledge.
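The sequence Jeff describes in his two comments above (set the Autodiscover SCP first, reuse the existing certificate, set the vDir URLs, then build the DAG and seed the database copies) as one Exchange Management Shell script. This is an added example, not code posted by anyone in the thread; server names EX01/EX02/FS01, the DAG name and the namespace mail.contoso.com are placeholders to substitute.

```powershell
# Added example (not from any commenter). Run in the Exchange Management Shell on the new
# multi-role server after Setup completes. Names below are placeholders.
$NewServer = 'EX02'              # second multi-role server (physical, Windows 2012 R2)
$OldServer = 'EX01'              # existing server (ESX VM)
$Witness   = 'FS01'              # Windows 2008 R2 file server used as the FSW
$DagName   = 'DAG01'
$Namespace = 'mail.contoso.com'  # single namespace behind split DNS / load balancer

# Step 1 (first thing after install): point the new server's Autodiscover SCP at the
# shared namespace, so Outlook 2013 SP1+ clients that pick the newest SCP do not get
# certificate prompts for https://EX02/autodiscover/autodiscover.xml.
Set-ClientAccessServer -Identity $NewServer `
    -AutoDiscoverServiceInternalUri "https://$Namespace/autodiscover/autodiscover.xml"
# Verify both servers now advertise the same SCP.
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize

# Step 2: reuse the existing certificate (no second purchase). Export a password-protected
# PFX from EX01, import it on EX02, and enable it for IIS (OWA/ECP/EWS/EAS/Autodiscover)
# and SMTP.
$Pass = Read-Host -AsSecureString 'PFX password'
$Cert = Get-ExchangeCertificate -Server $OldServer |
    Where-Object { $_.Subject -like "*$Namespace*" }
$Pfx  = Export-ExchangeCertificate -Server $OldServer -Thumbprint $Cert.Thumbprint `
    -BinaryEncoded -Password $Pass
Import-ExchangeCertificate -Server $NewServer -FileData $Pfx.FileData -Password $Pass |
    Enable-ExchangeCertificate -Server $NewServer -Services IIS,SMTP

# Step 3: make the new server's virtual directory URLs match EX01 (OWA shown; repeat for
# ECP, EWS, ActiveSync, OAB and Outlook Anywhere).
Get-OwaVirtualDirectory -Server $NewServer |
    Set-OwaVirtualDirectory -InternalUrl "https://$Namespace/owa" `
        -ExternalUrl "https://$Namespace/owa"

# Step 4: the FSW must have 'Exchange Trusted Subsystem' in its local Administrators
# group (done on FS01 beforehand); then create the DAG and add both members.
New-DatabaseAvailabilityGroup -Name $DagName -WitnessServer $Witness `
    -WitnessDirectory 'C:\DAGWitness'
Add-DatabaseAvailabilityGroupServer -Identity $DagName -MailboxServer $OldServer
Add-DatabaseAvailabilityGroupServer -Identity $DagName -MailboxServer $NewServer

# Step 5: seed a copy of each existing database onto EX02. The copy uses the same EDB and
# log paths as on EX01, so those drive letters/paths must already exist on EX02.
Get-MailboxDatabase -Server $OldServer | ForEach-Object {
    Add-MailboxDatabaseCopy -Identity $_.Name -MailboxServer $NewServer -ActivationPreference 2
}

# Confirm replication is healthy before adding EX02 to the load balancer / DNS.
Get-MailboxDatabaseCopyStatus -Server $NewServer |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize
```

The default database that Setup created on EX02 can be removed once the copies above report Healthy.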
pchettri (IT Director, Author) commented:
I would like to have fault tolerance for CAS instead of load balancing. On the second server I would like to install the CAS role, but I do not want to import the certificate or set up the connection, if it is possible to keep the connection on the second server inactive after changing the URI, so it does not interfere with the primary server. I only need to import the copy of the certificate from a network drive and apply it whenever the primary server goes down, and do the standard setup for the DAG (primary, secondary, witness after creating the computer group in AD).
pchettri (IT Director, Author) commented:
Also, you have cited the limitation of vMotion with DAG members. If I just do vMotion from one host to another and avoid storage vMotion, does that affect communication with the physical DAG member which is installed on a physical server?
How does Exchange discover the arbitrary layer of changes from host to NetApp storage that are not presented to the virtual network and storage?
Jeff Glover (Sr. Systems Administrator) commented:
OK, so even though you say fault tolerance, you mean more like disaster recovery. First off, you would set up the server just like you would if using a load balancer, but just have DNS point to the first one. Then, if it goes down, you would change the DNS record and, after a small period of downtime, clients would connect to the other one. You can have 20 CAS roles set up, but if DNS only points to one, that is the only one used. If you think this is the course for you, I would recommend a very short TTL for the DNS record.
The limitation of vMotion (or the Hyper-V equivalent) was mentioned by several Exchange Microsoft Certified Masters as a reason not to use virtualization in a DAG, since you would be fault-tolerancing a fault-tolerant setup, and if multiple Exchange servers got on the same host, then it might be an issue. However, since you want to have only one server virtual and the other physical, it probably won't matter.

pchettri (IT Director, Author) commented:
Sounds like a good solution. That way clients do not get impacted when I install the CAS role on the new server, which is not in use as it does not have a DNS record, and I will add those records only if I get an issue with the primary server.