Network Layout

King: DC
EX1: Exchange 2010 SP1 with MB, CA, and HT. Internet facing address is mail.1ask2.com.
EX2: Exchange 2010 SP1 with MB, CA, and HT. Internet facing address is mail.1ask2.com.
FW: Domain member (Windows 2008 R2), C:\myWitness folder is created and “1ask2\Exchange Trusted Subsystem” group is a member of local Administrators group.
Create a certificate with multiple DNS names
Install Certificate Service on King.1ask2.com

Renew CA Certificate…
Duplicate “Computer” Certificate

Add “Copy of Computer” template to the list of issued template
At EX2:



Because the name EXServer.1ask2.com will be used to configure the Outlook client, the certificate's Subject Name will be EXServer.1ask2.com. The subject alternative name mail.1ask2.com will be used for the access methods both internally and externally, such as https://mail.1ask2.com/owa, https://mail.1ask2.com/ecp, and the Outlook Anywhere configuration.
EXServer.1ask2.com can only be resolved internally.
mail.1ask2.com can be resolved both internally and externally. The alternative names EX1.1ask2.com, EX2.1ask2.com, ex1, and ex2 are included for my test convenience.


From EMC of EX1, import the exported certificate and assign the certificate to all services.
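As an added example (not part of these notes), the same multi-name certificate can be requested from the Exchange Management Shell instead of the Certificates MMC, and the issued certificate checked for name coverage and chain trust before clients see it. The file paths, the O and C fields in the subject, and the 30-day expiry threshold are assumptions; the name list is the one described above, and the request is still submitted to the CA on King.1ask2.com out of band.

```powershell
# Added example: request, complete and verify a multi-name (SAN) certificate from EMS on EX2.
# Assumes the .req file is submitted to the CA on King.1ask2.com (web enrolment or certreq)
# and the issued .cer is copied back to the path below. Paths are placeholders.

$subject = "CN=EXServer.1ask2.com, O=1ask2, C=CA"     # O and C are assumed values
$names   = "EXServer.1ask2.com", "mail.1ask2.com", "ex1.1ask2.com", "ex2.1ask2.com", "ex1", "ex2"

# 1. Generate a PKCS#10 request. The private key is created here on EX2; making it exportable
#    is what allows the finished certificate to be moved to EX1 afterwards.
$request = New-ExchangeCertificate -GenerateRequest -SubjectName $subject -DomainName $names `
    -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path "C:\Temp\exserver.req" -Value $request

# 2. Once the CA has issued the certificate, importing the .cer completes the pending request.
$fileData = [byte[]](Get-Content -Path "C:\Temp\exserver.cer" -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $fileData
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# 3. Verify: every required name present, chain trusted on this server, not near expiry.
function Test-ExchangeCertificateNames {
    param([string]$Thumbprint, [string[]]$RequiredNames, [int]$MinDaysLeft = 30)
    $c = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $domains  = @($c.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing  = @($RequiredNames | Where-Object { $domains -notcontains $_.ToLower() })
    $daysLeft = ($c.NotAfter - (Get-Date)).Days
    New-Object PSObject -Property @{
        Thumbprint   = $c.Thumbprint
        Services     = $c.Services
        MissingNames = $missing
        Status       = $c.Status     # "Valid" = chain trusted here; "Untrusted" = issuing CA not trusted
        DaysLeft     = $daysLeft
        Ok           = ($missing.Count -eq 0 -and $c.Status -eq "Valid" -and $daysLeft -ge $MinDaysLeft)
    }
}

Test-ExchangeCertificateNames -Thumbprint $cert.Thumbprint -RequiredNames $names | Format-List
```

A name missing from the list is what produces the certificate warnings users learn to click through, so the check is worth running after every renewal; `Status` other than `Valid` on the Exchange server itself usually means the same untrusted-CA problem clients will hit.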

New-SendConnector -Name "ToInternet" -Usage 'Internet' -AddressSpaces 'SMTP:*;1' -DNSRoutingEnabled $false -SmartHosts 'Shawmail.vc.shawcable.net' -SmartHostAuthMechanism 'None'
Because FW.1ask2.com does not have Exchange server installed, I will assign “1ask2\Exchange Trusted Subsystem” to local Administrators group.
I don't like the long mailbox database names and I don't like to rename them in case there are side effects. So I create a new mailbox database, Shaw, move all mailboxes into it, and then delete the mailbox databases.
For remote administration, if Windows Firewall is turned on, an exception should be added:
netsh advfirewall firewall set rule group="remote administration" new enable=yes

DAG1 is created with the warning "the Exchange Trusted Subsystem is not a member of the local Administrators group on specified witness server FW.1ask2.com."
Manually create the c:\myWitness directory on FW.1ask2.com.
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer Ex1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer Ex2
Add-MailboxDatabaseCopy -Identity 'Shaw' -MailboxServer 'EX2' -ActivationPreference '2'
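Added example (not part of these notes): a check for the witness prerequisites behind the warning above, run from an Exchange server. It assumes PowerShell remoting is enabled on the witness (Enable-PSRemoting) and that the account running it is a local administrator there; the ADsPath form of a domain group member (`WinNT://<NetBIOS domain>/<group>`) is an assumption about the WinNT provider.

```powershell
# Added example: verify the file share witness prerequisites for DAG1.
# Assumes WinRM is enabled on the witness and that the WinNT provider reports domain group
# members as "WinNT://<NetBIOS domain>/<group>" (assumption).
function Test-DagWitnessPrerequisites {
    param(
        [string]$DagName          = "DAG1",
        [string]$WitnessServer    = "FW.1ask2.com",
        [string]$WitnessDirectory = "C:\myWitness",
        [string]$TrustedSubsystem = "1ask2\Exchange Trusted Subsystem"
    )

    # Checks that must run on the witness itself.
    $remote = Invoke-Command -ComputerName $WitnessServer -ArgumentList $WitnessDirectory, $TrustedSubsystem -ScriptBlock {
        param($dir, $group)
        $admins  = [ADSI]"WinNT://./Administrators,group"
        $members = @($admins.psbase.Invoke("Members") | ForEach-Object {
            $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        })
        $expected = "WinNT://" + ($group -replace "\\", "/")
        New-Object PSObject -Property @{
            DirectoryExists         = (Test-Path -Path $dir)
            TrustedSubsystemIsAdmin = ($members -contains $expected)
            LocalAdministrators     = $members
        }
    }

    # What Exchange itself believes about the witness; -Status is needed to populate the share fields.
    $dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status

    New-Object PSObject -Property @{
        WitnessServer           = $dag.WitnessServer
        WitnessDirectory        = $dag.WitnessDirectory
        WitnessShareInUse       = $dag.WitnessShareInUse   # "Primary" once the share exists and is in use
        DirectoryExists         = $remote.DirectoryExists
        TrustedSubsystemIsAdmin = $remote.TrustedSubsystemIsAdmin
        LocalAdministrators     = $remote.LocalAdministrators
        Ok = ($remote.DirectoryExists -and $remote.TrustedSubsystemIsAdmin -and "$($dag.WitnessShareInUse)" -eq "Primary")
    }
}

Test-DagWitnessPrerequisites | Format-List
```

The `LocalAdministrators` list is included deliberately: putting Exchange Trusted Subsystem into that group makes every Exchange server an administrator of the witness host, so the witness should be treated as part of the Exchange trust boundary and the rest of that group kept as small as on any other member server.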

Test Database switchover
The witness server works even though there is no exchange server installed on FW computer.
Disconnecting Ex1 from the network;

Shaw mailbox Database is mounted on Ex2.
You might notice that the Public Folder Database is on Ex1. When Ex1 is down, Outlook 2003 cannot connect to Exchange.
Connecting Ex1 to the network;


I simply remove the public folder database.
Get-PublicFolder -Server 'Ex1' "\" -Recurse -ResultSize:unlimited | Remove-PublicFolder -Server "Ex1" -Recurse -ErrorAction:SilentlyContinue
Get-PublicFolder -Server 'Ex1' "\NON_IPM_SUBTREE" -Recurse -ResultSize:unlimited | Remove-PublicFolder -Server "Ex1" -Recurse -ErrorAction:SilentlyContinue

Get-PublicFolderDatabase | Remove-PublicFolderDatabase

Creating a Client Access Array
New-ClientAccessArray -Name EXServer -Site "Default-First-Site-Name" -Fqdn "Exserver.1ask2.com"

After the Client Access array has been created, you'll also need to create the address in DNS and associate it with the virtual IP address used for the Client Access array. My virtual IP address is the DAG1 address (191.121.3.3).
Add a (A) record in DNS server
Dnscmd King.1ask2.com /recordadd 1ask2.com Exserver A 191.121.3.3
Each Mailbox database contains an RPCClientAccessServer value. This value is established when the database is created and it determines the Client Access server or Client Access array that the clients with mailboxes on that Mailbox server will use. This value also determines the location of the RPC end point. For Outlook 2007 and Outlook 2010 clients, this value is obtained from the Autodiscover service.
Get-MailboxDatabase Shaw | fl RPC*
RpcClientAccessServer : EX2.1ask2.com
Because the Shaw database was created before the Client Access array was created (or before a Client Access server was installed) in the Active Directory site, I will reconfigure the value of the RPCClientAccessServer property.
Set-MailboxDatabase -Identity Shaw -RpcClientAccessServer "EXserver.1ask2.com"
Internal Outlook Client 2010 configuration:
Exchange Server: Exserver.1ask2.com
Outlook works fine.
Dnscmd King.1ask2.com /recordadd 1ask2.com mail A 191.121.3.3
HTTPS://mail.1ask2.com/owa works fine for both internal and external users after the certificate authority is trusted.
However, Outlook Anywhere does not work either internally or externally. Why?
Test methods:
https://ex1.1ask2.com/rpc
https://ex2.1ask2.com/rpc
If no RPC virtual directory exists, add the Windows feature "RPC over HTTP Proxy".
Enable Outlook Anywhere for both EX1 and EX2.
Enable-OutlookAnywhere -Server EX1 -ExternalHostName 'mail.1ask2.com' -DefaultAuthenticationMethod 'ntlm'
Enable-OutlookAnywhere -Server EX2 -ExternalHostName 'mail.1ask2.com' -DefaultAuthenticationMethod 'ntlm'
or,

Run Test-outlookConnectivity from both EX1 and EX2.
Create the temporary test user for test, run New-TestCasConnectivityUser.ps1;
Test-OutlookConnectivity -RpcProxyTestType:Internal -RpcTestType:Server
All tests must pass. If any test fails, uninstall the RPC over HTTP Proxy component and reinstall it.
Test-OutlookConnectivity -Protocol:http

Configure Outlook with outlook Anywhere



Outlook client successfully opens its mailbox configured.
However, if the Client Access array name EXServer is used in the Outlook Anywhere connection settings, Outlook cannot open the configured mailbox.

It is important that the FQDN specified in the command be resolvable only internally. If the name is also resolvable externally, external clients will attempt to connect to the array via a direct TCP connection instead of HTTPS.
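Added example (not part of these notes) covering the two checks from the last few steps: find mailbox databases whose RpcClientAccessServer still points at an individual server rather than the array, and confirm the array name resolves internally to the virtual IP but not through a resolver outside the network. The array FQDN and IP are the ones used above; `<public-resolver-ip>` is a placeholder for an external resolver of your choice, and parsing nslookup's text output is an assumption about its Windows format.

```powershell
# Added example: RpcClientAccessServer audit plus split-DNS check for the CAS array name.
# Assumes Exserver.1ask2.com / 191.121.3.3 from these notes; <public-resolver-ip> is a placeholder.

function Get-RpcClientAccessServerMismatch {
    param([string]$ArrayFqdn = "Exserver.1ask2.com")
    Get-MailboxDatabase |
        Where-Object { "$($_.RpcClientAccessServer)" -ne $ArrayFqdn } |
        Select-Object Name, Server, RpcClientAccessServer
}

function Test-CasArrayDnsExposure {
    param(
        [string]$ArrayFqdn        = "Exserver.1ask2.com",
        [string]$ExpectedIp       = "191.121.3.3",
        [string]$ExternalResolver = "<public-resolver-ip>"
    )
    # Internal view: whatever this server's own resolver returns for the array name.
    $internal = @()
    try {
        $internal = @([System.Net.Dns]::GetHostAddresses($ArrayFqdn) | ForEach-Object { $_.IPAddressToString })
    } catch { }

    # External view: ask a resolver that is not ours. nslookup prints the resolver's own
    # "Address:" first, so only an address after the "Name:" line counts as an answer.
    $text = (nslookup $ArrayFqdn $ExternalResolver 2>&1 | Out-String)
    $external = @()
    if ($text -match "(?s)Name:.*?Address(?:es)?:\s*(\d{1,3}(?:\.\d{1,3}){3})") { $external += $matches[1] }

    New-Object PSObject -Property @{
        ArrayFqdn          = $ArrayFqdn
        InternalAddresses  = $internal
        ResolvesInternally = ($internal -contains $ExpectedIp)
        ExternalAddresses  = $external
        LeaksExternally    = ($external.Count -gt 0)   # true = outside clients would try direct TCP, not HTTPS
        Ok                 = (($internal -contains $ExpectedIp) -and ($external.Count -eq 0))
    }
}

Get-RpcClientAccessServerMismatch | Format-Table -AutoSize
# Preview the fix first; remove -WhatIf to apply it.
Get-RpcClientAccessServerMismatch | ForEach-Object {
    Set-MailboxDatabase -Identity $_.Name -RpcClientAccessServer "Exserver.1ask2.com" -WhatIf
}
Test-CasArrayDnsExposure | Format-List
```

`LeaksExternally` is the condition the note above warns about; the internal check also catches the case where the A record was added to the wrong zone or still points at a single server's address instead of the DAG virtual IP.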
Move-ActiveMailboxDatabase Shaw -ActivateOnServer Ex2 -MountDialOverride:None
Both outlook with Exchange configuration and outlook with Outlook Anywhere configuration work fine.
Switchover test
Both EX1 and EX2 are online.
EX2:


EX1:

Shutdown EX2
IP Resource (191.121.3.3) binds to NIC of EX1.
Everything works.
Turn on EX2
Wait for Copy Status for EX2:Healthy
Shutdown EX1

Outlook clients can send messages internally but not Internet.

Reason: the send connector's SourceTransportServers is {EX1}, and EX1 is down.
Set-SendConnector -ID "ToInternet" -SourceTransportServers EX1,EX2
Internet message delivery now succeeds.
The following settings are not automatically switched.
The generating server of "Default Offline Address Book" must be changed.
Move-OfflineAddressBook -Identity "Default Offline Address Book" -Server EX2
You must add EX2 as a web distribution point.

Public Folder Database
Because Public Folder Databases don't fail over, a public folder database is created on each server.
New-PublicFolderDatabase -Name Pub1 -Server EX1
New-PublicFolderDatabase -Name Pub2 -Server EX2
Mount-Database -ID Pub1
Mount-Database -ID Pub2
Get-MailboxDatabase | Set-MailboxDatabase -PublicFolderDatabase pub1
Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address Book"

Set-OfflineAddressBook -Identity "Default Offline Address Book" -PublicFolderDistributionEnabled:$true
Update-OfflineAddressBook "Default Offline Address Book"
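Added example (not part of these notes): the settings from the steps above that do not follow a DAG switchover, gathered into one readiness check to run before a server is taken down. It assumes DAG1 with the server and object names used here; rendering an OAB's VirtualDirectories entries as `SERVER\OAB (Default Web Site)` is an assumption about how those identities stringify.

```powershell
# Added example: readiness check for settings that are not switched automatically with DAG1.
# Assumes the names used in these notes (DAG1, EX1, EX2, ToInternet, Pub1/Pub2).
function Test-DagSwitchoverReadiness {
    param([string]$DagName = "DAG1")
    $members  = @((Get-DatabaseAvailabilityGroup -Identity $DagName).Servers | ForEach-Object { $_.Name })
    $findings = @()

    # 1. Send connectors: every DAG member must be a source transport server, or Internet mail
    #    stops when the only listed server is down (the {EX1} case above).
    foreach ($sc in Get-SendConnector) {
        $sources = @($sc.SourceTransportServers | ForEach-Object { $_.Name })
        $missing = @($members | Where-Object { $sources -notcontains $_ })
        if ($missing.Count -gt 0) {
            $findings += "Send connector '$($sc.Name)': missing source servers $($missing -join ', ')"
        }
    }

    # 2. Offline address books: generation server must be a DAG member, and every member should be
    #    a web distribution point; public folder distribution is what Outlook 2003 relies on.
    foreach ($oab in Get-OfflineAddressBook) {
        $gen = "$($oab.Server)"
        if ($members -notcontains $gen) {
            $findings += "OAB '$($oab.Name)': generation server '$gen' is not a member of $DagName"
        }
        $distServers = @($oab.VirtualDirectories | ForEach-Object { ("$_" -split "\\")[0] })  # assumption: "EX1\OAB (...)"
        $noDist = @($members | Where-Object { $distServers -notcontains $_ })
        if ($noDist.Count -gt 0) {
            $findings += "OAB '$($oab.Name)': no web distribution point on $($noDist -join ', ')"
        }
        if (-not $oab.PublicFolderDistributionEnabled) {
            $findings += "OAB '$($oab.Name)': public folder distribution disabled (Outlook 2003 clients cannot download it)"
        }
    }

    # 3. Public folder databases do not fail over, so each member needs its own.
    $pfServers = @(Get-PublicFolderDatabase | ForEach-Object { $_.Server.Name })
    foreach ($m in $members) {
        if ($pfServers -notcontains $m) { $findings += "No public folder database on $m" }
    }

    # 4. Every mailbox database should reference a public folder database and an OAB.
    foreach ($db in Get-MailboxDatabase) {
        if ($db.PublicFolderDatabase -eq $null) { $findings += "Mailbox database '$($db.Name)': no PublicFolderDatabase set" }
        if ($db.OfflineAddressBook -eq $null)  { $findings += "Mailbox database '$($db.Name)': no OfflineAddressBook set" }
    }

    if ($findings.Count -eq 0) { "Ready: nothing found that would break on switchover" } else { $findings }
}

Test-DagSwitchoverReadiness
```

Run against the state described earlier in these notes, the check would have reported the `ToInternet` connector with only EX1 as a source server and the missing EX2 distribution point before the shutdown test rather than after.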
Outlook 2003 clients can connect to Exchange
Wait a while (1 hour?) for public folder synchronization.
Because the Shaw and Telus mailbox databases are mounted on EX2, I shut EX2 down.
Outlook 2003 clients and Outlook 2010 work fine except that Global Address List is not up to date.
Get-OWAVirtualDirectory | fl Server,Name,InternalURL
Server : EX1
Name : owa (Default Web Site)
InternalUrl : https://ex1.1ask2.com
Server : EX2
Name : owa (Default Web Site)
InternalUrl : https://ex2.1ask2.com
Get-EcpVirtualDirectory | fl server,name,*url
Server : EX1
Name : ecp (Default Web Site)
InternalUrl : https://ex1.1ask2.com/ecp
ExternalUrl : https://mail.1ask2.com/ecp
Server : EX2
Name : ecp (Default Web Site)
InternalUrl : https://ex2.1ask2.com/ecp
ExternalUrl : https://mail.1ask2.com/ecp
Get-OabVirtualDirectory | fl Server,Name,InternalUrl
Server : EX1
Name : OAB (Default Web Site)
InternalUrl : http://ex1.1ask2.com/OAB
Server : EX2
Name : OAB (Default Web Site)
InternalUrl : http://ex2.1ask2.com/OAB
Get-WebServicesVirtualDirectory | fl Server,Name,InternalUrl,ExternalUrl
Server : EX1
Name : EWS (Default Web Site)
InternalUrl : https://ex1.1ask2.com/EWS/Exchange.asmx
ExternalUrl : https://mail.1ask2.com/ews/exchange.asmx
Server : EX2
Name : EWS (Default Web Site)
InternalUrl : https://ex2.1ask2.com/EWS/Exchange.asmx
ExternalUrl : https://mail.1ask2.com/ews/exchange.asmx
How about set InternalUrl to Exserver.1ask2.com, the Client Access Array?
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InternalUrl https://exserver.1ask2.com/owa
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -InternalUrl https://exserver.1ask2.com/ecp
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://exserver.1ask2.com/EWS/Exchange.asmx
Get-oabvirtualDirectory | Set-OabVirtualDirectory -InternalUrl "https://exserver.1ask2.com/oab"
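Added example (not part of these notes): an audit of the virtual directory URLs just set against the certificate bound to IIS on each server, which is the check that catches a URL hostname missing from the certificate or an OAB URL left on plain http. It covers the four virtual directory types listed above; wildcard matching follows the usual one-label rule (`*.1ask2.com` covers `mail.1ask2.com` but not `a.b.1ask2.com`), which is my assumption about how clients evaluate it.

```powershell
# Added example: report every InternalUrl/ExternalUrl whose host is not on the server's IIS
# certificate, or which is not https. Assumes the four vdir types discussed in these notes.
function Test-ClientAccessUrlCoverage {
    $vdirs = @()
    $vdirs += Get-OwaVirtualDirectory
    $vdirs += Get-EcpVirtualDirectory
    $vdirs += Get-WebServicesVirtualDirectory
    $vdirs += Get-OabVirtualDirectory

    $certCache = @{}   # server name -> lower-case names on its IIS-enabled certificate(s)
    foreach ($v in $vdirs) {
        $server = $v.Server.Name
        if (-not $certCache.ContainsKey($server)) {
            $iis = @(Get-ExchangeCertificate -Server $server | Where-Object { "$($_.Services)" -match "IIS" })
            $certCache[$server] = @($iis | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_".ToLower() })
        }
        $domains = $certCache[$server]

        foreach ($kind in "InternalUrl", "ExternalUrl") {
            $u = $v.$kind
            if ($u -eq $null) { continue }
            $h = $u.Host.ToLower()
            $covered = $false
            foreach ($d in $domains) {
                if ($d -eq $h) { $covered = $true; break }
                if ($d.StartsWith("*.")) {
                    $suffix = $d.Substring(1)                       # "*.1ask2.com" -> ".1ask2.com"
                    $label  = $h.Substring(0, [Math]::Max(0, $h.Length - $suffix.Length))
                    if ($h.EndsWith($suffix) -and $label -ne "" -and $label -notmatch "\.") {
                        $covered = $true; break
                    }
                }
            }
            New-Object PSObject -Property @{
                Server     = $server
                VDir       = $v.Name
                Kind       = $kind
                Url        = "$u"
                Https      = ($u.Scheme -eq "https")
                NameOnCert = $covered
            }
        }
    }
}

# Only the problem rows: cleartext URLs or hostnames the certificate does not cover.
Test-ClientAccessUrlCoverage | Where-Object { -not $_.Https -or -not $_.NameOnCert } | Format-Table -AutoSize
```

Against the output shown above, the two OAB directories would be reported for `http://`, and any server whose IIS certificate lacks `exserver.1ask2.com` would be reported for every InternalUrl just changed to that name.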

Get-MailboxServer | where {$_.DatabaseAvailabilityGroup -eq "DAG1"} | Get-MailboxDatabaseCopyStatus

Shutdown EX1:

To test that offline address book works, the following settings are configured.
By default, the offline address book is generated once a day, between 4:00 AM and 5:00 AM.
Move-OfflineAddressBook -id "Default Offline Address Book" -Server EX2
Schedule the offline address book to be generated more frequently.

By default, the Outlook client downloads the offline address book once every 24 hours when Outlook stays online.
If you have increased the generation frequency of the offline address book files on your Exchange computer, you can also increase the frequency of the client offline address book downloads. To do this:
And then, create a new mailbox
Check whether Outlook includes it in its global address list or not.
Public Folder Access
New-PublicFolder -Name "vanarts"
Add-PublicFolderClientPermission -Identity "\vanarts" -User "Job" -AccessRights CreateItems,ReadItems,CreateSubFolders
Set-PublicFolder "\vanarts" -Replicas "pub2","pub1"
Update-PublicFolderHierarchy -Server ex2
Update-PublicFolderHierarchy -Server ex1
Both outlook 2003 and outlook 2010 can access the public folder \vanarts.
Public Folder synchronization takes time. I let it run for 3 to 4 hours.
Get-MailboxServer | where {$_.DatabaseAvailabilityGroup -eq "DAG1"} | Get-MailboxDatabaseCopyStatus

Shutdown EX2
Outlook can access mailboxes and public folders.
How about disconnecting EX1 from network?
Before disconnecting:


Disconnect EX1 from network

IP Resource (191.121.3.3) switches to EX2. Mailbox Databases are mounted on EX2.
Outlook works fine.

Solution: wildcard domain
At EX2:




Assign the certificate to SMTP and IIS. POP and IMAP do not support a wildcard certificate; to use them, a separate certificate must be created.
Export the certificate and Import it to Exchange server (EX1) and assign it to IIS and SMTP.
Database Availability Group Network

New-DatabaseAvailabilityGroup -Name DAG1 -DatabaseAvailabilityGroupIpAddresses 191.121.6.7 -WitnessDirectory c:\Witness -WitnessServer King.1ASK2.COM
At EX1:
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer Ex1
At Queen:
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer Queen
Get-DatabaseAvailabilityGroupNetwork -Identity "DAG1"
Identity ReplicationEnabled Subnets
-------- ------------------ -------
DAG1\DAGNetwork01 True {{192.168.1.0/24,Up}}
DAG1\DAGNetwork02 True {{191.121.0.0/17,Up}}


How about dedicating DAGNetwork01 to replication (disabling log replication on DAGNetwork02)?
Set-DatabaseAvailabilityGroupNetwork -Identity "DAG1\DAGNetwork02" -ReplicationEnabled:$false

Show the members of the default global address list:
$g = Get-GlobalAddressList "Default Global Address List"
Get-Recipient -RecipientPreviewFilter $g.RecipientFilter