
Implementing a DAG in exchange

Posted on 2016-08-03
Last Modified: 2016-08-10
I currently have a single Exchange 2013 server. As part of this year's upgrades to the domain we are looking to build in failover for all major services.

Currently I am looking at creating a DAG; however, I had a few questions I wanted to double check to make sure I am understanding the recommended setup properly.

I will be migrating to an Exchange 2016 server before looking to create the DAG. I have been reading through this site http://msexchangeguru.com/2015/07/14/e2016allyouneed2/ so most of my questions come from here.

"Every datacenter should be a separate AD site so DAG should extend to 3 AD Sites" - currently we are a single-site domain. We were going to install a second Exchange 2016 in Azure with a VPN connection between Azure and our head office. There were no plans to use a separate site for Azure; is this something I should do?

"Microsoft has recommended to have separate namespace internalurl and externalurl for outlook anywhere and mapi/http so that separate authentication can be used for intranet (Kerberos) and internet (NTLM or Basic) connection. But it is only useful when we have internalurl which is not available on Public DNS. I have explained namespace requirement here. http://msexchangeguru.com/2015/06/09/e2013_2010_2007-casurls/" - My domain has a .local domain name (don't blame me), so I can no longer get a certificate to create both an external and internal domain name. Will I have any issues using mail.domain.co.uk for both internal and external? From reading I presume it's just a security issue, but I just want to make sure.

As we will only have 2 locations, I was planning on putting the witness on my internal domain so that if we lose internet connectivity the internal server still operates as the primary server. However, if we have a building disaster the Exchange server in Azure will only ever receive 1 vote. Is there a way for me to "promote" it manually from failover to the main server?

Thanks in advance for any help.
Question by:CaptainGiblets

Assisted Solution

by:Jason Crawford
Jason Crawford earned 250 total points
ID: 41740355
Regarding the AD Sites.  The reason three Data Centers are recommended is due to the placement of the witness server in a multi-site DAG deployment.  If you only have two Data Centers, the witness server will have to be placed in one of the two sites.  If the site with the witness server ever goes offline for whatever reason, your DAG may not be able to maintain quorum and all databases could dismount in a worst-case scenario.  At a minimum it will take manual intervention to fail over the witness to an alternate in the second site.  These scenarios are all addressed by the addition of a third Data Center.  When you introduce a third site, you now have the option of placing the witness server apart from the rest of your Exchange servers, giving it a nice vantage point to monitor DAG quorum.  Starting with Exchange 2013 SP1 I believe, the option exists to use Azure for your third site; however, this option requires a multi-site VPN tunnel between all three Data Centers, not just to your main office.

Namespaces - there is absolutely nothing wrong with using a .local AD domain in an Exchange environment.  Yes I realize that .local support was deprecated over a year ago, but the fix is simple...just rename all your internal URLs to match their external values and call it done.  This mitigates any need for including your .local domain in a third party SAN certificate.  I've repeated this process so many times I eventually just scripted the whole process including configuring the Autodiscover SCP and OutlookAnywhere authentication settings.  Note the script needs to be run on each CAS server:

```powershell
# Run once per CAS server. Prompts for the namespace (e.g. mail.domain.co.uk)
# and the Exchange server name, then sets every virtual directory's internal
# and external URL to the same public namespace so the .local name is no
# longer needed on the certificate.
begin {
    $exchhost = Read-Host 'Enter the hostname'
    $server = Read-Host 'Enter the server name'
    # Make every cmdlet failure terminating so the catch block below sees it.
    $ErrorActionPreference = 'Stop'
}

process {
    try {
        Write-Host 'Setting OWAVirtualDirectory to: '"https://$exchhost/OWA"
        Get-OWAVirtualDirectory -Server $server | Set-OWAVirtualDirectory -ExternalURL "https://$exchhost/OWA" -InternalURL "https://$exchhost/OWA" -WarningAction silentlycontinue

        Write-Host 'Setting OABVirtualDirectory to: '"https://$exchhost/OAB"
        Get-OABVirtualDirectory -Server $server | Set-OABVirtualDirectory -ExternalURL "https://$exchhost/OAB" -InternalURL "https://$exchhost/OAB"

        Write-Host 'Setting WebServicesVirtualDirectory to: '"https://$exchhost/ews/exchange.asmx"
        Get-WebServicesVirtualDirectory -Server $server | Set-WebServicesVirtualDirectory -ExternalURL "https://$exchhost/ews/exchange.asmx" -InternalURL "https://$exchhost/ews/exchange.asmx"

        Write-Host 'Setting ActiveSyncVirtualDirectory to: '"https://$exchhost/Microsoft-Server-ActiveSync"
        Get-ActiveSyncVirtualDirectory -Server $server | Set-ActiveSyncVirtualDirectory -ExternalURL "https://$exchhost/Microsoft-Server-ActiveSync" -InternalURL "https://$exchhost/Microsoft-Server-ActiveSync"

        Write-Host 'Setting ECPVirtualDirectory to: '"https://$exchhost/ECP"
        Get-ECPVirtualDirectory -Server $server | Set-ECPVirtualDirectory -ExternalURL "https://$exchhost/ECP" -InternalURL "https://$exchhost/ECP" -WarningAction silentlycontinue

        # Note: the MAPI/HTTP virtual directory (Exchange 2013 SP1 and later) is
        # not covered by this script.

        # Kerberos/NTLM inside, Basic outside; SSL required on both sides.
        Write-Host 'Configuring OutlookAnywhere...'
        Get-OutlookAnywhere -Server $server | Set-OutlookAnywhere -ExternalHostname $exchhost -InternalHostname $exchhost -ExternalClientAuthenticationMethod basic -ExternalClientsRequireSsl $true -InternalClientAuthenticationMethod ntlm -InternalClientsRequireSsl $true -IISAuthenticationMethods basic,ntlm -SSLOffloading $false

        # Autodiscover SCP published in AD must match the namespace too.
        Write-Host 'Configuring ClientAccessServer...'
        Get-ClientAccessServer $server | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://$exchhost/Autodiscover/Autodiscover.xml"
    }
    catch {
        # Surface the actual failure instead of a generic message.
        Write-Host "An error occurred: $($_.Exception.Message)" -ForegroundColor Red
    }
}
```

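To make the witness and quorum point above concrete, here is an added PowerShell example (not Jason's script and not code from the thread) that builds the two-member DAG the question describes, pre-stages an alternate witness in Azure, and reports the vote count. All names (DAG1, EX01 at head office, EX02 in Azure, fsw01.domain.co.uk, fsw-azure.domain.co.uk, C:\DAG1Witness) are placeholders, and it assumes Exchange 2016 on Windows Server 2012 R2 or later so the IP-less DAG form can be used.

```powershell
# Added example, not code from the thread. Placeholders: DAG1, EX01 (head office),
# EX02 (Azure), fsw01.domain.co.uk (head-office witness), fsw-azure.domain.co.uk
# (alternate witness, a domain-joined file server in Azure), C:\DAG1Witness.

# Create the DAG with the witness at head office. The IP-less form avoids having
# to assign a cluster IP in every subnet the members span (head office and Azure).
New-DatabaseAvailabilityGroup -Name 'DAG1' `
    -WitnessServer 'fsw01.domain.co.uk' -WitnessDirectory 'C:\DAG1Witness' `
    -DatabaseAvailabilityGroupIpAddresses ([System.Net.IPAddress]::None)

# Add both members; the underlying failover cluster is formed when the first joins.
Add-DatabaseAvailabilityGroupServer -Identity 'DAG1' -MailboxServer 'EX01'
Add-DatabaseAvailabilityGroupServer -Identity 'DAG1' -MailboxServer 'EX02'

# Pre-stage an alternate witness in Azure and enable DAC mode. DAC mode is what
# makes a later manual Stop-/Restore-DatabaseAvailabilityGroup switchover possible
# and prevents a recovering head office from mounting stale databases on its own.
Set-DatabaseAvailabilityGroup -Identity 'DAG1' `
    -AlternateWitnessServer 'fsw-azure.domain.co.uk' -AlternateWitnessDirectory 'C:\DAG1Witness' `
    -DatacenterActivationMode DagOnly

function Get-DagVoteSummary {
    param([string]$DagName = 'DAG1')
    # -Status is needed for the live fields (WitnessShareInUse, PrimaryActiveManager).
    $dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
    $members  = @($dag.Servers).Count
    $votes    = $members + 1                  # each member votes; the witness adds one
    $majority = [math]::Floor($votes / 2) + 1 # nominal; dynamic quorum on 2012 R2+ can adjust weights
    [pscustomobject]@{
        Dag                    = $dag.Name
        Members                = $members
        WitnessServer          = $dag.WitnessServer
        WitnessShareInUse      = $dag.WitnessShareInUse
        PrimaryActiveManager   = $dag.PrimaryActiveManager
        NominalVotes           = $votes
        MajorityNeeded         = $majority
        # Votes left if the site holding the witness and one member disappears.
        VotesIfWitnessSiteLost = $votes - 2
    }
}

Get-DagVoteSummary -DagName 'DAG1' | Format-List
```

Run it in the Exchange Management Shell on either member. With two members plus a witness the nominal count is three votes with a majority of two; losing the building that holds both the witness and EX01 leaves EX02 with one vote, which is exactly the case where the surviving node cannot keep quorum on its own and manual intervention is required.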
Accepted Solution

by:Todd Nelson
Todd Nelson earned 250 total points
ID: 41740621
There was no plans to use a seperate site for azure, is this something i should do?

Exchange doesn't have to be placed in different AD sites to implement DAG.  In fact, though it is supported, it is difficult to get it to failover properly in a cross-site deployment--and in most cases is never automatic.  Additionally, Exchange is an expensive proposition if deployed in Azure, with the cost of the servers alone running 24/7 and the cost of configuring Exchange properly if you want it to be supported by Microsoft.  In order for Exchange to be supported in Azure the databases and log files must be deployed on premium storage--which is not cheap.

This article outlines what platforms Exchange is and is not supported on and why ... https://oddytee.wordpress.com/2016/04/05/is-exchange-server-supported-in-amazon-web-services/

For the cost (and headache) of implementing DAG in a cross-site environment, I would recommend Exchange Online (Office 365) if that is in your budget.  For all of the features O365 has compared to what an IT staff could implement on-premises, this would be my recommendation.


Will i have any issues using mail.domain.co.uk for both internal and external?

No, in fact this is known as the unbound namespace model and is configured in the majority of all implementation cases.


Is there a way for me to "promote" it manually from failover to the main server?

In most cases, the failover or switchover process with a multi-site deployment is always a manual one.  The only case where it might be automatic is if you have 3 sites where Exchange servers are at 2 of them and the witness server is at the 3rd site.

Here is the TechNet article for Switchovers and Failovers; though it is for 2013, the same rules apply. ... https://technet.microsoft.com/en-us/library/dd298067(v=exchg.150).aspx
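The manual "promote" step CaptainGiblets asks about is, for a DAG in DAC mode, the datacenter switchover covered by the linked TechNet article. As an added example (not Todd's and not code from the thread), the sequence below assumes EX01 at head office is unreachable, EX02 in Azure survives, the DAG was created with DatacenterActivationMode DagOnly and an alternate witness in Azure, and both members sit in the single AD site named in the script; every name (DAG1, EX01, EX02, fsw01.domain.co.uk, fsw-azure.domain.co.uk, DB01, Default-First-Site-Name, C:\DAG1Witness) is a placeholder.

```powershell
# Added example, not code from the thread. Placeholders: DAG1, EX01 (head office,
# unreachable), EX02 (Azure, surviving), fsw01/fsw-azure witness servers, DB01,
# and the AD site name. Requires DAC mode (DatacenterActivationMode DagOnly).

# Step 1: mark the failed head-office member as stopped. The server cannot be
# reached, so -ConfigurationOnly updates only the DAG's Active Directory object.
Stop-DatabaseAvailabilityGroup -Identity 'DAG1' -MailboxServer 'EX01' -ConfigurationOnly

# Step 2: on the surviving side, evict the stopped member from the cluster and
# switch to the alternate witness so EX02 plus the witness form a majority again.
# -ActiveDirectorySite is the site containing the surviving member.
Restore-DatabaseAvailabilityGroup -Identity 'DAG1' -ActiveDirectorySite 'Default-First-Site-Name' `
    -AlternateWitnessServer 'fsw-azure.domain.co.uk' -AlternateWitnessDirectory 'C:\DAG1Witness'

# Step 3: confirm the DAG now runs from EX02 and the copies there are mounted.
Get-DatabaseAvailabilityGroup -Identity 'DAG1' -Status |
    Format-List StartedMailboxServers, StoppedMailboxServers, WitnessShareInUse, PrimaryActiveManager
Get-MailboxDatabaseCopyStatus -Server 'EX02' | Format-Table Name, Status, ContentIndexState

# Switching back once head office is recovered: rejoin EX01 (re-adds it to the
# cluster), move the witness back to head office, wait for the copies on EX01 to
# catch up, then move the active copy home.
Start-DatabaseAvailabilityGroup -Identity 'DAG1' -MailboxServer 'EX01'
Set-DatabaseAvailabilityGroup -Identity 'DAG1' `
    -WitnessServer 'fsw01.domain.co.uk' -WitnessDirectory 'C:\DAG1Witness'
Get-MailboxDatabaseCopyStatus -Server 'EX01' |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength
Move-ActiveMailboxDatabase -Identity 'DB01' -ActivateOnServer 'EX01' -MountDialOverride None
```

Steps 1 and 2 run from the Exchange Management Shell on EX02 while head office is down; the switch back runs only after EX01 is reachable and its copy queues have drained. Nothing in this sequence happens automatically, which is the behaviour Todd describes for a two-site deployment.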
Author Comment

by:CaptainGiblets
ID: 41740720
We have Exchange Online licensing, but Exchange Online doesn't support failover from what I have read.

We are happy to put archives / external staff in the cloud, and if it was up to me we would have all users on Exchange Online, but the IT Director wants internal email accounts kept on the on-premises server.

So my option for failover, as we are 1 site, is using Azure. I have priced up all the premium storage and compute pricing and it has been approved.

Your answer about the manual failover will help me a lot though, thanks.
Expert Comment

by:Todd Nelson
ID: 41741001
exchange online doesn't support failover from what I have read.

Correct, Exchange Online doesn't support or provide a failover option for on-premises environments.  However, I was recommending a migration of the on-premises environment to Exchange Online.

Exchange Online itself is more redundant, reliable, and resilient than anything a Microsoft customer could implement in their own environment.
Expert Comment

by:Jason Crawford
ID: 41742384
I think I should clarify how Azure plays into a site-resilient DAG since it seems like there's some confusion with Exchange Online.  You don't put a third Exchange server in Azure and try to include Exchange Online in your DAG; you just spin up a simple file server in Azure and specify it as the FSW for the 100% on-prem DAG.  Make sense?  This file server will need to be joined to your AD domain, which is where the multi-site VPN requirement comes into play.