0

Basically we have a Main Site Exchange 2013 with CAS and Mailbox Roles and supposedly all users connect to this exchange from their Outlook.

Now we installed another Exchange 2013 at the DR site. Our main office and the DR site are connected with a Layer2 bridge so the two exchanges are joined to the same domain and are also on the same network subnet. So the two Exchange servers have one network card on each of them which is the LAN/Domain network.

We created the DAG and the replication of the DBs works fine, but the issue that we are currently facing is that some users are connecting directly to the DR Exchange from our Main office with their Outlook, which is not what we would like to have. We want the DR to host a copy of the DB and be activated only if some issues arise at the main site and we have to switch everything to the DR site manually.

We noticed this issue when we went to check the connection status on their Outlook and noticed that the Proxy server that they are connected to is the DR exchange.

Any idea on how we can solve this issue please?

StefanGrech

2 Answers

2

Exchange is AD site aware. You need to put the two sites into separate AD sites. Then have unique URLs for each site. The clients will then connect to the server located in the same AD site as their mailbox, rather than going across the WAN. At the moment Exchange doesn't know it is on two different sites, so is treating everything as one big LAN. I expect you will also find that Windows machines are using domain controllers in the other location as well - unless you have done some firewall tricks to stop it (rather than using sites and services properly).

Sembee
  • This issue is not related to AD Sites. Exchange is AD site aware but it doesn't use this information for load balancing. Users will be proxied to the mailbox server hosting the active copy of their mailbox database regardless of AD site. – Stephen F Jan 13 '16 at 20:52
0

As very well explained in this article from the Exchange Team Blog, in Exchange 2013 the CAS Server acts as a stateless proxy to the mailbox database server on which the requested mailbox is currently active. So even if the CAS answering your clients' request is in the DR site, the connection is always proxied to the mailbox servers in the primary site (provided all your database copies are activated in the main site).

If you want to prevent any "random" connections to the CAS in the secondary site, you will have to deploy a "bound" namespace model with separate namespaces for each site.

But if it is ok for you to have about half of your connections be proxied by the DR CAS Server (and since you are using a stretched VLAN, I assume latency and bandwidth are not a big issue) then by keeping the namespace unified you are greatly simplifying your environment.

Alternatively, if you do not want to use the secondary CAS server except for DR and you are willing to update the configuration manually when required, you could point the DNS entry to the CAS server(s) in the main site only, set it with a low TTL and update it to point to the CAS server(s) in the secondary DNS when needed. In this case you might also probably want to prevent the mailbox database in the secondary site from being activated:

Set-MailboxServer <secondary mailbox server> -DatabaseCopyAutoActivationPolicy Blocked

But again, this removes any automation from the failover mechanism, so if you have only one Mailbox or CAS server in the primary site and any of those fail, then your users will not be able to connect until you manually update the configuration.

I would also make sure that all your databases are currently active in the main datacenter only by running:

Get-MailboxDatabaseCopyStatus -Server <Main Exchange Database Server> | Format-List

If the Status is different from mounted for any given database then that DB is active on a different server, possibly in the secondary site.

Ultimately, it very much depends on how many Exchange Servers you have deployed (and whether they are multi-role or not), the namespace model you are using and the mechanism you have adopted to distribute the load among them (DNS round robin, hardware load balancer, etc.).

As a last note, if you haven't done it already, you should look at configuring Datacenter Activation Coordination Mode.

Pennino
  • As per the OP all servers are in the same AD site so the CAS doesn't know it shouldn't proxy to the DR server – Drifter104 Dec 29 '15 at 13:24
  • The AD site does not make any difference. The CAS won't proxy to any mailbox server in the DR server, unless the requested mailbox is active in that site. – Pennino Dec 29 '15 at 17:28
  • It does if using a single namespace for outlook anywhere, and the IP range is the same – Drifter104 Dec 29 '15 at 17:45
  • Sorry, it does not. Read the post from the Exchange Team blog [link](http://blogs.technet.com/b/exchange/archive/2013/01/25/exchange-2013-client-access-server-role.aspx). **5. CAS queries an Active Manager instance that is responsible for the database to determine which Mailbox server is hosting the active copy 6. CAS proxies the request to the Mailbox server hosting the active copy.** If you don't have active copies on the DR mailbox server, the CAS will not proxy to that mailbox server regardless of the IP of the server. If you disagree, what's your source? – Pennino Dec 29 '15 at 20:07
  • Actually that link will do nicely. Way down near the bottom, where a single namespace is used cas servers will proxy to the mailbox server. – Drifter104 Dec 29 '15 at 20:53
  • Pennino is correct. It is a good idea to have separate AD sites but it makes no difference in this issue. CAS array will proxy to the mailbox server hosting the Active copy of the user's mailbox database. There can only be one active copy of a database. If all active copies are in the primary site then all users will be proxied to the primary site. – Stephen F Jan 13 '16 at 20:40
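
The check described in the second answer (confirm that every database is active in the main site only), as an added example that is not part of the original answers or comments. The function name, the server names EXMAIN and EXDR, the database names and the sample rows are constructed; the function assumes its input objects carry the Name, Status and MailboxServer fields of Get-MailboxDatabaseCopyStatus output.

```powershell
# Added example: report where each DAG database is active and flag any
# database whose active (Mounted) copy sits on the DR server.
function Get-ActiveCopyReport {
    param(
        [Parameter(Mandatory)] [object[]] $CopyStatus,  # copy-status rows
        [Parameter(Mandatory)] [string]   $DrServer     # DR mailbox server
    )
    # Name has the form "<Database>\<Server>"; group the rows per database.
    $CopyStatus | Group-Object { ($_.Name -split '\\')[0] } | ForEach-Object {
        $active  = @($_.Group | Where-Object Status -eq 'Mounted')
        $passive = @($_.Group | Where-Object Status -eq 'Healthy')
        [pscustomobject]@{
            Database      = $_.Name
            ActiveOn      = ($active.MailboxServer -join ',')
            HealthyCopies = $passive.Count
            ActiveInDr    = [bool]($active.MailboxServer -contains $DrServer)
        }
    }
}

# Constructed sample rows (hypothetical servers EXMAIN and EXDR).
$sample = @(
    [pscustomobject]@{ Name = 'DB01\EXMAIN'; Status = 'Mounted'; MailboxServer = 'EXMAIN' }
    [pscustomobject]@{ Name = 'DB01\EXDR';   Status = 'Healthy'; MailboxServer = 'EXDR' }
    [pscustomobject]@{ Name = 'DB02\EXMAIN'; Status = 'Healthy'; MailboxServer = 'EXMAIN' }
    [pscustomobject]@{ Name = 'DB02\EXDR';   Status = 'Mounted'; MailboxServer = 'EXDR' }
)

$report = Get-ActiveCopyReport -CopyStatus $sample -DrServer 'EXDR'
$report | Format-Table -AutoSize

# Databases that are currently served from the DR site.
$report | Where-Object ActiveInDr | Select-Object -ExpandProperty Database

# On a live DAG (assumption: run from the Exchange Management Shell),
# build the input from both servers instead of $sample:
#   $rows = @(Get-MailboxDatabaseCopyStatus -Server EXMAIN) +
#           @(Get-MailboxDatabaseCopyStatus -Server EXDR)
#   Get-ActiveCopyReport -CopyStatus $rows -DrServer 'EXDR'
```

With the constructed rows, DB02 is reported as active in the DR site, which is the situation in which the CAS would proxy clients to the DR mailbox server.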