Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.
Solved
Implementing a DAG in exchange
Posted on 2016-08-03
I currently have a single exchange 2013 server. As part of this years upgrades to the domain we are looking to build in failover for all major services.
Currently i am looking at creating a DAG however i had a few questions i wanted to double check to make sure i am understanding the recommended setup properly.
I will be migrating to an exchange 2016 server before looking to create the DAG. I have been reading through this site http://msexchangeguru.com/2015/07/14/e2016allyouneed2/ so most my questions come from here.
Every datacenter should be a separate AD site so DAG should expended to 3 AD Sites - currently we are a single site domain. We were going to install a second Exchange 2016 in Azure with a VPN connection between azure and our head office. There was no plans to use a seperate site for azure, is this something i should do?
Microsoft has recommended to have separate namespace internalurl and externalurl for outlook anywhere and mapi/http so that separate authentication can be used for intranet (Kerberos) and internet (NTLM or Basic) connection. But it is only useful when we have internalurl which in not available on Public DNS. I have explained namespace requirement here. http://msexchangeguru.com/2015/06/09/e2013_2010_2007-casurls/ - My domain has a .local domain name (dont blame me), so i can no longer get a certificate to create both an external and internal domain name. Will i have any issues using mail.domain.co.uk for both internal and external? From reading i presume its just a security issue but i just want to make sure.
As we will only have 2 locations, i was planning on putting the witness on my internal domain so that if we lose internet connectivity the internal server still operates as the primary sever. However if we have a building disaster the Exchange server in Azure will only ever recieve 1 vote. Is there a way for me to "promote" it manually from failover to the main server?
Thanks in advance for any help.
Currently i am looking at creating a DAG however i had a few questions i wanted to double check to make sure i am understanding the recommended setup properly.
I will be migrating to an exchange 2016 server before looking to create the DAG. I have been reading through this site http://msexchangeguru.com/2015/07/14/e2016allyouneed2/ so most my questions come from here.
Every datacenter should be a separate AD site so DAG should expended to 3 AD Sites - currently we are a single site domain. We were going to install a second Exchange 2016 in Azure with a VPN connection between azure and our head office. There was no plans to use a seperate site for azure, is this something i should do?
Microsoft has recommended to have separate namespace internalurl and externalurl for outlook anywhere and mapi/http so that separate authentication can be used for intranet (Kerberos) and internet (NTLM or Basic) connection. But it is only useful when we have internalurl which in not available on Public DNS. I have explained namespace requirement here. http://msexchangeguru.com/2015/06/09/e2013_2010_2007-casurls/ - My domain has a .local domain name (dont blame me), so i can no longer get a certificate to create both an external and internal domain name. Will i have any issues using mail.domain.co.uk for both internal and external? From reading i presume its just a security issue but i just want to make sure.
As we will only have 2 locations, i was planning on putting the witness on my internal domain so that if we lose internet connectivity the internal server still operates as the primary sever. However if we have a building disaster the Exchange server in Azure will only ever recieve 1 vote. Is there a way for me to "promote" it manually from failover to the main server?
Thanks in advance for any help.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2
2
5 Comments
Active today
Regarding the AD Sites. The reason three Data Centers are recommended is due to the placement of the witness server in a multi-site DAG deployment. If you only have two Data Centers, the witness server will have to be placed in one of the two sites. If the site with the witness server ever goes offline for whatever reason your DAG may not be able to maintain quorum and all databases could dismount in a worst case scenario. At a minimum it will take manual intervention to fail over the witness to an alternate in the second site. These scenarios are all addressed by the addition of a third Data Center. When you introduce a third site, you now have the option of placing the witness server apart from the rest of your Exchange servers giving it a nice vantage point monitor DAG quorum. Starting with Exchange 2013 SP1 I believe, the option exists to use Azure for your third site; however, this option requires a multi-site VPN tunnel between all three Data Centers, not just to your main office.
Namespaces - there is absolutely nothing wrong with using a .local AD domain in an Exchange environment. Yes I realize that .local support was deprecated over a year ago, but the fix is simple...just rename all your internal URLs to match their external values and call it done. This mitigates any need for including your .local domain in a third party SAN certificate. I've repeated this process so many times I eventually just scripted the whole process including configuring the Autodiscover SCP and OutlookAnywhere authentication settings. Note the script needs to be run on each CAS server:
Namespaces - there is absolutely nothing wrong with using a .local AD domain in an Exchange environment. Yes I realize that .local support was deprecated over a year ago, but the fix is simple...just rename all your internal URLs to match their external values and call it done. This mitigates any need for including your .local domain in a third party SAN certificate. I've repeated this process so many times I eventually just scripted the whole process including configuring the Autodiscover SCP and OutlookAnywhere authentication settings. Note the script needs to be run on each CAS server:
begin {
$exchhost = Read-Host 'Enter the hostname'
$server = Read-Host 'Enter the server name'
$ErrorActionPreference = 'Stop'
}
process {
try {
Write-Host 'Setting OWAVirtualDirectory to: '"https://$exchhost/OWA"
Get-OWAVirtualDirectory -Server $server | Set-OWAVirtualDirectory -ExternalURL "https://$exchhost/OWA" -InternalURL "https://$exchhost/OWA" -WarningAction silentlycontinue
Write-Host 'Setting OABVirtualDirectory to: '"https://$exchhost/OAB"
Get-OABVirtualDirectory -Server $server | Set-OABVirtualDirectory -ExternalURL "https://$exchhost/OAB" -InternalURL "https://$exchhost/OAB"
Write-Host 'Setting WebServicesVirtualDirectory to: '"https://$exchhost/ews/exchange.asmx"
Get-WebServicesVirtualDirectory -Server $server | Set-WebServicesVirtualDirectory -ExternalURL "https://$exchhost/ews/exchange.asmx" -InternalURL "https://$exchhost/ews/exchange.asmx"
Write-Host 'Setting ActiveSyncVirtualDirectory to: '"https://$exchhost/Microsoft-Server-ActiveSync"
Get-ActiveSyncVirtualDirectory -Server $server | Set-ActiveSyncVirtualDirectory -ExternalURL "https://$exchhost/Microsoft-Server-ActiveSync" -InternalURL "https://$exchhost/Microsoft-Server-ActiveSync"
Write-Host 'Setting ECPVirtualDirectory to: '"https://$exchhost/ECP"
Get-ECPVirtualDirectory -Server $server | Set-ECPVirtualDirectory -ExternalURL "https://$exchhost/ECP" -InternalURL "https://$exchhost/ECP" -WarningAction silentlycontinue
Write-Host 'Configuring OutlookAnywhere...'
Get-OutlookAnywhere -Server $server | Set-OutlookAnywhere -ExternalHostname $exchhost -InternalHostname $exchhost -ExternalClientAuthenticationMethod basic -ExternalClientsRequireSsl $true -InternalClientAuthenticationMethod ntlm -InternalClientsRequireSsl $true -IISAuthenticationMethods basic,ntlm -SSLOffloading $false
Write-Host 'Configuring ClientAccessServer...'
Get-ClientAccessServer $server | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://$exchhost/Autodiscover/Autodiscover.xml"
}
catch {
Write-Host 'An error occurred' -ForegroundColor Red
}
}
Active today
There was no plans to use a seperate site for azure, is this something i should do?
Exchange doesn't have to be placed in different AD sites to implement DAG. If fact, though it is supported, it is difficult to get it to failover properly in a cross-site deployment--and in most cases is never automatic. Additionally, Exchange is an expensive proposition if deployed in Azure with the cost of the servers alone running 24/7 and the cost of configuring Exchange properly if you want it to be supported by Microsoft. In order for Exchange to be supported in Azure the databases and log files must be deployed on premium storage--which is not cheap.
This article outlines what platforms Exchange is and is not supported on and why ... https://oddytee.wordpress.com/2016/04/05/is-exchange-server-supported-in-amazon-web-services/
For the cost (and headache) of implementing DAG in a cross-site environment, I would recommend Exchange Online (Office 365) if that is in your budget. For all of the features O365 has compared to what an IT staff could implement on-premises, this would be my recommendation.
Will i have any issues using mail.domain.co.uk for both internal and external?
No, in fact this is known as the unbound namespace model and is configured in the majority of all implementation cases.
Is there a way for me to "promote" it manually from failover to the main server?
In most cases, the failover or switchover process with a multi-site deployment is always a manual one. The only case where it might be automatic is if you have 3 sites where Exchange servers are at 2 of them and the witness server is at the 3rd site.
Here is the TechNet article for Switchovers and Failovers. Though for 2013 the same rules apply. ... https://technet.microsoft.com/en-us/library/dd298067(v=exchg.150).aspx
Active 5 days ago
We have exchange online licensing, but exchange online doesnt support failover from what i have read.
We are happy to put archives / external staff in the cloud and if it was up to me we would have all users on Exchange online but IT Director wants internal email accounts kept on the on premises server.
So my option for failover as we are 1 site is using azure. I have priced up all the premium storage and compute pricing and it has been approved.
Your answer about the manual failover will help me a lot though, thanks.
We are happy to put archives / external staff in the cloud and if it was up to me we would have all users on Exchange online but IT Director wants internal email accounts kept on the on premises server.
So my option for failover as we are 1 site is using azure. I have priced up all the premium storage and compute pricing and it has been approved.
Your answer about the manual failover will help me a lot though, thanks.
Active today
exchange online doesnt support failover from what i have read.
Correct, Exchange Online doesn't support or provide a failover option for on-premises environments. However, I was recommending a migration of the on-premises environment to Exchange Online.
Exchange Online itself is more redundant, reliable, and resilient than anything a Microsoft customer could implement in their own environment.
Active today
I think I should clarify how Azure plays into a site-resilient DAG since it seems like there's some confusion with Exchange Online. You don't put a third Exchange server is Azure and try to include Exchange Online in your DAG, you just spin up a simple file server in Azure and specify it as the FSW for the 100% on-prem DAG. Make sense? This file server will need to be joined to your AD domain which is where the multi-site VPN requirement comes into play.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article will help to fix the below errors for MS Exchange Server 2013
I. Certificate error "name on the security certificate is invalid or does not match the name of the site"
II. Out of Office not working
III. Make Internal URLs and Externa…
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Organization >> Ad…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month11 days, 2 hours left to enroll
719 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.