
What would be best topology considering that:

  1. 6 x Exchange 2010 Standard Licenses
  2. 2 x Separate locations that are supposed to support redundancy in case of link problems
  3. 4 x Forefront TMG 2010 with Forefront Security and Forefront Protection/Security

Multiple locations worldwide using those Exchange. Most locations will be connected with VPN Tunnel (the ones hosting Exchange for sure).

I was thinking something like this:

Location MAIN (about 70-100 people):

  1. 2x TMG 2010 in NLB
  2. 1x Exchange 2010 CAS/HUB Role
  3. 2x Exchange 2010 Mailbox Role (Active + Passive)

Location SUPPORT (about 20 people):

  1. 2x TMG 2010 in NLB
  2. 1x Exchange 2010 CAS/HUB Role
  3. 2x Exchange 2010 Mailbox Role (Active + Passive)

Management wants to make sure that in case of problems in the main location (power failure, link loss, etc.) the second location can support all traffic from around the world and vice-versa. We have 6-7 locations and more coming up (not big ones, but around 10+ people per location).

I do know that CAS/HUB is a single point of failure (and no NLB), but I simply lack the licenses to do some redundancy on that.

What do you think about this approach? What would be better approach according to you?

MadBoy

1 Answer


That setup doesn't sound too ridiculous to me, and I wouldn't change much. I'm assuming all the preparatory work has been done (such as multiple Active Directory Sites, Domain controllers in each site etc.) so I won't go into great detail about that. If you can stretch your budget a little bit, I would tweak your CAS topology a little bit to eliminate the SPOF.

You can install the Hub Transport role on your Mailbox servers and they will automatically load balance themselves according to the Active Directory site they reside in. That's a quick and easy win, and I can't see that much of a reason not to do this.

If your budget can accommodate 2 hardware load balancers, you can also install the CAS role on the Mailbox servers as well. You'd then create A records in DNS for your load balancers and configure the appropriate Mailbox Databases in each site to use the CAS Array for the site.
To do this, issue the command New-ClientAccessArray -Fqdn "ex-sitename-casarray.acme-widgets.com" -Site "AD-Site-MAIN" for each site (replacing your A records and real AD Site Names as appropriate).
Then issue Set-MailboxDatabase "<<Appropriate Database>>" -RpcClientAccessServer <<site-casarray-name.acme-widgets.com>> to make sure your Mailbox Databases use the CAS Array.

It is best to have a local copy of a user's Mailbox in the same site as the user, so I would create 2 Mailbox Databases each replicating to a Mailbox server in the same site, as well as the other site (I've done a diagram to visualise it for you). For users in the MAIN site, home their Mailbox on the Main Mailbox DB and for users in the SUPPORT site, home their Mailboxes on the Support Mailbox DB.

Ben Pilbrow
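An added worked example of the per-site CAS array steps in the answer above (not part of Ben's answer), written for the Exchange 2010 Management Shell; the AD site names, array FQDNs and database names are placeholder assumptions matching the MAIN/SUPPORT layout in the question:

```powershell
# Added example, not from the answer: create one CAS array per AD site and point that
# site's mailbox database at it. Assumes the Exchange 2010 Management Shell; the AD site
# names, array FQDNs and database names are placeholders for the MAIN/SUPPORT layout.
$Sites = @(
    @{ AdSite = 'AD-Site-MAIN';    Fqdn = 'ex-main-casarray.acme-widgets.com';    Databases = @('DB-MAIN') },
    @{ AdSite = 'AD-Site-SUPPORT'; Fqdn = 'ex-support-casarray.acme-widgets.com'; Databases = @('DB-SUPPORT') }
)

foreach ($s in $Sites) {
    # The array FQDN must resolve to the load balancer VIP, not to a single CAS, or the
    # database simply inherits a new single point of failure under a different name.
    try   { [System.Net.Dns]::GetHostAddresses($s.Fqdn) | Out-Null }
    catch { Write-Warning "$($s.Fqdn) does not resolve yet; create the A record first."; continue }

    # Exchange allows exactly one CAS array per AD site, so only create it if it is missing.
    if (-not (Get-ClientAccessArray -Site $s.AdSite -ErrorAction SilentlyContinue)) {
        New-ClientAccessArray -Name "CASArray-$($s.AdSite)" -Fqdn $s.Fqdn -Site $s.AdSite | Out-Null
    }

    # Only this site's own database is pointed at its array. With DAG copies in both sites,
    # a Get-MailboxDatabase -Server filter would also match the replicated copies and
    # mis-assign the other site's database, so the mapping is explicit.
    foreach ($db in $s.Databases) {
        Set-MailboxDatabase -Identity $db -RpcClientAccessServer $s.Fqdn
    }
}

# Verify: RpcClientAccessServer should show an array FQDN, never an individual CAS hostname.
Get-MailboxDatabase | Select-Object Name, Server, RpcClientAccessServer | Format-Table -AutoSize

# Caveat: Outlook profiles created before this change keep the old server name until the
# profile is repaired or recreated; the new value only reaches new profiles.
```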
    I'm not really sure I agree with your assertion that the user's mailbox server should be in the same site. This may have been true 10 years ago, but all versions of Exchange starting at 2003 support cached mode. Combine that with the small number of users at the support site and I doubt anybody would notice a difference. It's best to create databases based on factors other than physical location. Storage limits, level of classification, need for archiving, or recovery time objectives are all better used to separate mailboxes into databases. – Jason Berg Dec 19 '10 at 18:34
  • Thanks for the comment @Jason Berg, I appreciate your input. If the SUPPORT site is ready to handle the traffic from the MAIN site, I assume the WAN link would be pretty good, so yes, the users probably wouldn't notice a difference. The reason I put that is a simple one, and it's because the instructor on my training course said to do that. To be honest, it was more of a passing "when you're creating a mailbox database, put it in the same site as the users" and then she moved on to something else. It didn't sound like a stupid suggestion, so I didn't really think anything more of it. – Ben Pilbrow Dec 19 '10 at 19:19
  • TMG 2010 (the new ISA) has load balancing, so it wouldn't be a big deal, but putting every role on each box seems a bit overkill. I know the CAS role is a SPOF and I'm not really sure what to do with this without putting everything in one basket. We're getting the 6 licenses from a partnership for free and we'll have to buy some hardware, plus some CALs, so I don't think my client would like to pay an additional price for that. But I'll make sure to put it in the document to make sure they understand the risks (downtime, that is). – MadBoy Dec 19 '10 at 21:34
  • If TMG can load balance the CAS servers, that's great (I won't pretend to know anything about TMG). Can I ask why you don't fancy putting all the roles on all the boxes? Do you think there will be a big performance hit? Without trying to sound like a jerk (I really don't want to come across like that), in my opinion there is no such thing as overkill - you create a more redundant solution, which is after all what you're after. Could you suggest putting the extra Hub Transport on 1 Mailbox server and CAS on the other to lighten it a bit? (Bearing in mind the CAS still needs load balancing.) – Ben Pilbrow Dec 19 '10 at 21:49
  • I could also do it with 4 servers in the main location, and 2 with all roles in the other with a load balancer. This would give the main location a best-practice setup and the support location an all-in-one solution. – MadBoy Dec 19 '10 at 21:54