Exchange 2013 DAG and CAS LB

Can Exchange 2013 DAG and CAS LB be achieved with three servers: 1) the Exchange server, 2) a secondary server with the same version of Exchange and OS (does it need an additional CAS certificate for LB, or should it just have the mailbox role?), 3) a witness server using an older Windows 2008 server?
Stuart
Ideally you would build 2x multi-role Exchange 2013 servers with a pair of hardware load balancers. Introduce split DNS if you haven't already and have a single namespace for your environment. This also makes certificates simpler.
Leroy Luff
Agreed with Stuart - only 2 servers needed. You can however push the mailbox role to a 3rd server, but that's an extra license.

Your certificate provider should be able to give you a duplicate certificate for the 2nd CAS server.
Just install Exchange Server on all 3 servers with both roles and Exchange will take care of the rest for you. You don't need an FSW with odd numbers. Read about quorum models in this KB.
pchettri
I only have two server licenses for Exchange, not three. The witness server is just a file server which I am planning to use as the witness, and it is Windows 2008 R2. The remaining two Exchange servers are Windows 2012.
One already has active Exchange with mailbox and front-end CAS running, and the second I am planning to deploy, but before I deploy it I want to make sure of all possible options.
If I could only use the second server for mailbox DAG then I will deploy only the mailbox role; however, if it is possible to get mailbox and CAS redundancy with two Exchange servers then I would certainly like to install both roles on the second server. I am planning to find a guide and instructions on how the spillover server in Exchange needs to be installed. Is the installation process the same as for the regular or first mail server, or does it have some different options that need to be set during the setup?
In that case, install both roles on the 2nd server. Have your file server work as FSW. You might need to add the Exchange Trusted Subsystem group to the local admin group of your file server.

With DAG you will get HA for DB. For CAS you need a HLB.
Agree with Amit. Install 2 servers with both the mailbox and CAS roles. Use the file server as FSW.
For balancing the CAS role you need a hardware load balancer or software load balancer.
As has already been stated, yes, you can accomplish this using your configuration. However, if you do not have budget for an HLB, you can get them in a VM version which is at a lower cost.

What are the hardware or software load balancers we are talking about? Is there any popular third-party product? Is there something from Dell or HP, or a VMware appliance version of a software appliance for Exchange?
Jeff Glover
In other words just change the DNS to redirect CAS traffic if the main server goes down. So installing full feature on second server does not cause any conflict until the traffic is routed to first one from DNS.
Also, do I still need to setup DAG on second server for mail DB replication?
No, if you set up DNS load balancing (an A record for each IP pointing to the internal URI for your services), then DNS will take care of it for you. If one goes down, they will switch to the other. With 2013, the CAS role is just a redirector, stateless.
The recommended way is to install both CAS and MBX roles on all servers and set up a DAG. CAS arrays are no longer used. There will be no conflict.
Create a DAG. Add both servers to it. Then add a database copy of your database(s) to the second server.
The issue is that this form of load balancing only covers you for an entire server outage; if server1's services are down but the server is still responding to pings, you will see issues on your clients as DNS will still route them to the faulty server.

This may be suitable for a low cost solution but you need to be aware of this while making your decision.

Purpose made load balancers would protect from service outages as well as a host of other features be it required or not :)
Let's be clear, DNS is in no way a method of load balancing and should not be used in a production environment to replace a "true" load balancer.

You need a true Layer 4 or Layer 7 (preferably Layer 7) load balancer which can break down individual services that fail on an Exchange server and can re-route those requests to a different Exchange server.

A Layer 4 load balancer is server specific, so if a specific service fails and you are using a Layer 4 load balancer it will re-direct all requests to the other pool members.

Layer 7 will only redirect to another CAS server for the specific service that fails.

That's why a Layer 7 load balancer is preferred: the Exchange server that has an ActiveSync service failure can still service clients that are connecting to OWA, Outlook, etc.
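The Layer 4 vs. Layer 7 distinction above comes down to what the balancer's health probe actually looks at. Exchange 2013 Managed Availability publishes a `healthcheck.htm` page under each protocol's virtual directory, and a Layer 7 balancer polls those per-protocol pages rather than just checking that TCP 443 answers. The following PowerShell script is an added example (not code from the thread) that probes those pages from an admin workstation so you can see for yourself which protocols a server would be pulled for; the server names are assumptions, and the probe must use a host name that appears on the server's certificate or the TLS handshake fails and the protocol is reported unhealthy.

```powershell
# Added example, not from the thread: probe the per-protocol health pages that
# Exchange 2013 exposes on each CAS. A Layer 4 balancer only sees "port 443 is
# open" and keeps sending ActiveSync to a server whose ActiveSync app pool is
# dead; polling each path is what lets a Layer 7 balancer pull one protocol.
# Server names are assumptions; replace with your own CAS hosts.
$CasServers = @('ex01.corp.example', 'ex02.corp.example')

# Virtual directory -> health page. Exchange answers HTTP 200 when the
# protocol's health set is healthy, anything else (or no answer) when it is not.
$HealthPaths = [ordered]@{
    'OWA'              = '/owa/healthcheck.htm'
    'ECP'              = '/ecp/healthcheck.htm'
    'EWS'              = '/ews/healthcheck.htm'
    'ActiveSync'       = '/Microsoft-Server-ActiveSync/healthcheck.htm'
    'Autodiscover'     = '/autodiscover/healthcheck.htm'
    'OAB'              = '/oab/healthcheck.htm'
    'Outlook Anywhere' = '/rpc/healthcheck.htm'
    'MAPI/HTTP'        = '/mapi/healthcheck.htm'   # SP1 and later only
}

function Test-CasProtocolHealth {
    param([Parameter(Mandatory)][string]$Server)
    foreach ($proto in $HealthPaths.Keys) {
        $url = "https://$Server$($HealthPaths[$proto])"
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 5
            $healthy = ($r.StatusCode -eq 200)
        } catch {
            # 4xx/5xx, timeout, or TLS failure all count as unhealthy
            $healthy = $false
        }
        [pscustomobject]@{ Server = $Server; Protocol = $proto; Healthy = $healthy; Url = $url }
    }
}

$results = foreach ($s in $CasServers) { Test-CasProtocolHealth -Server $s }
$results | Format-Table Server, Protocol, Healthy -AutoSize

# A server with any failing protocol would be taken out of that protocol's pool
# by a Layer 7 balancer; DNS round-robin or a Layer 4 balancer keeps using it.
$results | Where-Object { -not $_.Healthy } | ForEach-Object {
    Write-Warning "$($_.Server): $($_.Protocol) is failing its health check ($($_.Url))"
}
```

Running this on a schedule and alerting on a flip from healthy to unhealthy gives you the service-level visibility the DNS-only setup discussed earlier lacks, even before a load balancer is purchased.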

I have one Server 2012 R2 with Exchange 2013 SP1 rollup 7 running for around 3 months after migration.
I have a second server with 2012 R2 where I am planning to deploy Exchange 2013, create a DAG, and use one of the Win 2008 servers as witness.
My existing Exchange server is an ESX VM guest, and the members I would be adding as DAG member and witness are both physical servers.

I am going to install Exchange on second server now.

What are the precautions I should take before installing Exchange 2013 on the second server to avoid any service conflict with the existing Exchange server? Is it recommended to install both roles like the mail server, or just keep mailbox? Do I need to create a separate DB on the second server to replicate from the primary, or would it just be one DB?
OK, ignoring the quips about load balancing (yes, you should not use DNS load balancing for a long-term solution; if you can afford a load balancer, I would do it. Kemp are pretty good). Be careful about one thing when using virtual servers for Exchange with a DAG: you should not allow them to vMotion. Multiple Exchange servers are by default in a cluster, and vMotion can have some unexpected consequences. So, the precaution. If you are using Outlook 2013 with the latest SP, you should add the second server with all roles, but do it off hours. Then, as soon as it is installed, set the Service Connection Point for that CAS role to the same settings as your first server. When you install a server, it usually sets the Autodiscover SCP to https://<servername>/autodiscover/autodiscover.xml. This can cause some certificate prompts with clients. You change it with the cmdlet `Set-ClientAccessServer -Identity (servername) -AutodiscoverServiceInternalURI`.
Newer versions of Outlook have the clients looking for the newest Autodiscover SCP.
For the DB, once the server is installed and you have configured the Client Access virtual directories, if you have not set up a DAG, you set it up now and join both servers to it. Then you can just create a copy of your database using the EAC or the Exchange Shell. Warning: make sure your drives are set up identically on the second server. You cannot select the database and log location when setting up a database copy; it wants to put the database and logs in the same location on the second server. It will take care of replication itself.
For CAS role load balancing, although you can use DNS load balancing like I said before, it is not a good production solution. Look for a good Layer 4 or Layer 7 load balancer. Since CAS is just a connection proxy and a web interface for OWA/Autodiscover, you do not have to do anything else to achieve CAS load balancing. There is no CAS Array like we had in 2007/2010. Lastly, if you are going to allow other servers to send email via your servers, do not load balance SMTP from them. It works, but you cannot control who can relay by IP.
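The steps in the post above (set the new server's Autodiscover SCP first, then build the DAG with the file server as witness, then add a copy of the existing database) map onto a handful of Exchange Management Shell cmdlets. The script below is an added example and not the poster's own code; every name in it (EX01 as the existing server, EX02 as the new server, FS01 as the 2008 R2 witness, mail.corp.example as the shared namespace, the DAG IP) is an assumption to be replaced with your own values.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# the new multi-role server right after Setup finishes. All names are assumed.
$OldServer = 'EX01'                 # existing Exchange 2013 SP1 server (VM)
$NewServer = 'EX02'                 # the server just installed (physical)
$Namespace = 'mail.corp.example'    # single namespace both servers answer to
$Witness   = 'FS01.corp.example'    # Windows 2008 R2 file server used as FSW
$DagName   = 'DAG01'
$DagIp     = '10.0.0.50'            # placeholder static DAG address

# 1. First thing after install: point the new server's Autodiscover SCP at the
#    shared namespace. Setup defaults it to https://EX02/..., and Outlook 2013
#    SP1+ clients that pick up the newest SCP would hit a certificate prompt.
Set-ClientAccessServer -Identity $NewServer `
    -AutoDiscoverServiceInternalUri "https://$Namespace/autodiscover/autodiscover.xml"

# Confirm both servers now advertise the same SCP.
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize

# 2. The witness needs "Exchange Trusted Subsystem" in its local Administrators
#    group (one-time step on FS01, not on the Exchange server):
#    net localgroup Administrators "CORP\Exchange Trusted Subsystem" /add

# 3. Create the DAG and add both mailbox servers to it.
New-DatabaseAvailabilityGroup -Name $DagName -WitnessServer $Witness `
    -WitnessDirectory 'C:\DAG01_FSW' -DatabaseAvailabilityGroupIpAddresses $DagIp
Add-DatabaseAvailabilityGroupServer -Identity $DagName -MailboxServer $OldServer
Add-DatabaseAvailabilityGroupServer -Identity $DagName -MailboxServer $NewServer

# 4. Add a passive copy of each existing database to EX02. The copy is created
#    at the SAME EdbFilePath and LogFolderPath as on EX01, so those drive letters
#    and folders must already exist on EX02 (the "identical drives" warning).
Get-MailboxDatabase -Server $OldServer | ForEach-Object {
    Add-MailboxDatabaseCopy -Identity $_.Name -MailboxServer $NewServer -ActivationPreference 2
}

# 5. Do not trust the copy until seeding is done and both queues are near zero.
Get-MailboxDatabaseCopyStatus -Server $NewServer |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize
```

Step 1 is deliberately before the DAG work: the SCP change is cheap and reversible, and it is the one thing that affects clients while the rest of the build is still in progress.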
You have suggested " When you install a server, it usually sets the Autodiscover SCP to https://<servername>/autodiscover/autodiscover.xml. This can cause some certificate prompts with clients."

Does that mean the client will start sending request to new server, which is supposed to be the backup server instead of main server? Will it stop all OWA and mobile access, when the second physical server is first installed?
My Primary server is the VM and secondary server and the witness would be physical servers.
What you should do is set the Autodiscover URL for the new server right after installing it but before you put it behind the load balancer. It normally takes clients a bit before they will notice it. Some suggest doing it during install (a complex combination of watching with PowerShell), but normally, I say, just set it as the first step after the install is complete. It shouldn't affect mobile access. Then once you have the certificate installed and the vDirs set, place it behind the load balancer.
Also, that behavior, using the latest Autodiscover URI, is mainly Outlook 2013 SP1 and newer.
Does that mean I am better off installing the mailbox role on the physical server and setting up a DAG with the witness server, without disrupting services on the main server installed as a VM?
I guess that depends on your setup and how much fault tolerance you want. Do you want to have fault tolerance for CAS? Do you have a load balancer? If you install just the Mailbox role, unlike 2010, you cannot add the CAS role later. Personally, I would just install the second server as multi-role. When it is done, run the command to set the Autodiscover URI for the server. The most you will have is maybe a certificate prompt if someone is unlucky enough to try to connect at exactly the wrong time and is using Outlook 2013 SP1 or better. Once you set the Autodiscover internal and external URI for the server, export the certificate from your current server and import it into your new server. Set the virtual directories and then add it as a target to your load balancer.
It will automatically add a database for the new server, but you can get rid of it after you add the server to the DAG and make copies of your current database(s).
Also, you should check out This is Paul Cunningham's site and is a treasure trove of Exchange knowledge.
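The certificate and virtual-directory part of the sequence just described (export the existing certificate with its private key, import and bind it on the new server, then set the vDir URLs to the shared namespace before the server goes into the load balancer) is shown below as an added example; it is not the poster's code. Server names, the namespace, the share path and the assumption that the existing certificate's subject is the namespace name are all placeholders, and the PFX contains the private key, so the share it is written to must be readable by Exchange administrators only and the file deleted once imported.

```powershell
# Added example, not from the thread. Exchange Management Shell; all names assumed.
$OldServer = 'EX01'; $NewServer = 'EX02'; $Namespace = 'mail.corp.example'
$PfxPath   = '\\FS01\ExchCerts\mail-corp-example.pfx'   # restricted share, delete after use
$PfxPass   = Read-Host 'PFX password' -AsSecureString   # prompt; never hard-code it

# 1. Export the certificate currently bound to IIS on EX01, private key included.
$cert = Get-ExchangeCertificate -Server $OldServer |
    Where-Object { $_.Subject -like "CN=$Namespace*" -and $_.Services -match 'IIS' } |
    Select-Object -First 1
$pfx = Export-ExchangeCertificate -Server $OldServer -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password $PfxPass
[System.IO.File]::WriteAllBytes($PfxPath, $pfx.FileData)

# 2. Import on EX02 and bind it to IIS and SMTP there (same thumbprint as EX01).
$imported = Import-ExchangeCertificate -Server $NewServer `
    -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) -Password $PfxPass -PrivateKeyExportable $true
Enable-ExchangeCertificate -Server $NewServer -Thumbprint $imported.Thumbprint -Services IIS, SMTP -Force
Remove-Item $PfxPath   # the private key should not linger on a file share

# 3. Make EX02's virtual directories answer to the shared namespace, matching EX01,
#    before the server is added to DNS or the load balancer pool.
$u = "https://$Namespace"
Set-OwaVirtualDirectory         -Identity "$NewServer\owa (Default Web Site)" -InternalUrl "$u/owa" -ExternalUrl "$u/owa"
Set-EcpVirtualDirectory         -Identity "$NewServer\ecp (Default Web Site)" -InternalUrl "$u/ecp" -ExternalUrl "$u/ecp"
Set-WebServicesVirtualDirectory -Identity "$NewServer\EWS (Default Web Site)" `
    -InternalUrl "$u/EWS/Exchange.asmx" -ExternalUrl "$u/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$NewServer\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$u/Microsoft-Server-ActiveSync" -ExternalUrl "$u/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$NewServer\OAB (Default Web Site)" -InternalUrl "$u/OAB" -ExternalUrl "$u/OAB"
Set-OutlookAnywhere             -Identity "$NewServer\Rpc (Default Web Site)" `
    -InternalHostname $Namespace -ExternalHostname $Namespace `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

# 4. Compare the two servers side by side before going live; every URL should match.
Get-OwaVirtualDirectory -Server $OldServer, $NewServer | Format-Table Server, InternalUrl, ExternalUrl -AutoSize
Get-ExchangeCertificate -Server $NewServer | Where-Object { $_.Services -match 'IIS' } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize

# 5. Once DAG copies of the real database(s) exist, drop the empty default database
#    Setup created on EX02. Remove-MailboxDatabase refuses if any mailbox still lives in it.
Get-MailboxDatabase -Server $NewServer | Where-Object { $_.Name -like 'Mailbox Database 0*' } |
    Remove-MailboxDatabase -Confirm:$false
```

Reusing the same certificate (same thumbprint) on both servers is what lets clients move between them without a prompt; the vDir URLs only need to agree with the name on that certificate, not with the server host names.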
I would like to have fault tolerance for CAS instead of load balancing. On the second server I would like to install the CAS role, but I do not want to import a certificate or set up connections, if it is possible to keep the connection on the second server inactive after changing the URI, so it does not interfere with the primary server. I only need to import the copy of the certificate from a network drive and apply it whenever the primary server goes down, plus the standard setup for DAG (primary, secondary, witness after creating the computer group in AD).
Also, you have cited the limitation of vMotion with DAG members. If I just do vMotion from one host to another and avoid storage vMotion, does that affect communication with the physical DAG member which is installed on a physical server?
How does Exchange discover the arbitrary layer of changes from host to NetApp storage that are not presented to the virtual network and storage?
Sounds like a good solution. That way clients do not get impacted when I install the CAS role on the new server, which is not in use as it does not have a DNS record, and I will add those records only if I get an issue with the primary server.