Monday, September 26, 2011

Exchange 2010 DAG Network Configuration

I have seen many DAG deployments with mis-configuration for DAG networks, especially when the DAG is accross multiple sites. I am posting an example configuration here to show how the DAG networks should be set up.

The example makes the following assumption:
  • 2 AD Sites: Site1 & Site2
  • 4-node DAG with each Site having two DAG nodes

IP address Configuration  
Server
Network\IP
MBX1
MAPI: 192.168.10.11
Replication: 10.1.10.11
MBX2
MAPI: 192.168.10.12
Replication: 10.1.10.12
MBX3
MAPI: 192.168.20.13
Replication: 10.1.20.13
MBX4
MAPI: 192.168.20.14
Replication: 10.1.20.14

By default, the DAG network will be set up like this: 
DAG Network Name
Subnets
Interfaces
DAGNetwork01
192.168.10.0/24
192.168.10.11
192.168.10.12
DAGNetwork02
10.1.10.0/24
10.1.10.11
10.1.10.12
DAGNetwork03
192.168.20.0/24
192.168.20.13
192.168.20.14
DAGNetwork04
10.1.20.0/24
10.1.20.13
10.1.20.14

The problem of this configuration is the cross-site log repliation will use the MAPI NIC on the servers instead of using the dedicated Replicaiton NIC because there is no DAG network that has been defined between 10.1.10.0/24 and 10.1.20.0/24.
DAGNetwork01
DAGNetwork02
DAGNetwork03
DAGNetwork04
DAGNetwork01
MAPI
MAPI\Replication
-
DAGNetwork02
-
Replication
-
-
DAGNetwork03
MAPI\Replication
-
MAPI
-
DAGNetwork04
-
-
-
Replication

The solution is to collapse default DAG networks as below:
DAG Network Name
Subnets
Interfaces
Replication Enabled
DAGNetwork01
192.168.10.0/24

192.168.20.0/24
192.168.10.11
192.168.10.12
192.168.20.13
192.168.20.14
No
DAGNetwork02
10.1.10.0/24

10.1.20.0/24
10.1.10.11
10.1.10.12
10.1.20.13
10.1.20.14
 Yes
Make sure log replication is disabled on DAGNetwork01 so that log shipping will always use the replicatio NICs first, but will still fail over to the MAPI NICs. If you don't disable replication on DAGNetwork01, DAGNetwork01 will have the same weight as DAGNetwork02 when the servers choose to ship logs.
Posted by at No comments:
Labels:

Thursday, September 15, 2011

Hardware Load Balancing a Relay Connector

This is not a re-post of Pmeijden's blog, but you should read his blog first in order to understand what I am trying to show here.

One of the solutions mentioned in his article is to

1. Add HLB IP to the Anonymous Relay connector on each HT server.
2. Create IP Allow rules with a default Block rule on the HLB to control who can relay

This has been proved to work. But if email from outside also goes through the HLB, inbound email will hit the Anonymous relay connector instead of Default Receive Connector since the Anonymous Relay Connector has a specific IP defined. This would still work if you have any hosted service (Postini, FOPE, etc) or another OnPrem email gateway. All you have to do is to add Postini\FOPE\Gateway IP to the allow rule. So your server still cannot be used for open relay.

But what if you don’t have either of those or you just don’t want any other traffic to hit the Anonymous Relay connector (for logging\troubleshooting purpose). So the solution is to do the following:

  • Add additional NIC to each HT server with additonal IP
Note: do not add the additional IP to the existing NIC as this will also register the additonal IP on the DNS server. If you use an additional NIC, you can then disable DNS registration on the NIC. Also, you do not need to define Default Gateway for the additoinal NIC since it only needs to talk to the load balancer which is on the same subnet.
  • Change the Default Receive Connector to listen on the original IP\NIC and the Anonymous Receive Connector to listen on the additional IP\NIC.
  • Create a 2nd VIP on the HLB to balance between the additional IPs over TCP 25
  • Add HLB IP to the Anonymous Relay Connector.
  • On the HLB, create IP allow\block rule to only allow specific IPs to hit the 2nd VIP.    

Now inbound mail will hit the Default Receive Connector while relay mail will hit the Anonymous Relay Connector.
Posted by at No comments:
Labels:

Saturday, September 10, 2011

LyncSocial is out

LyncSocial (Beta) is the first FREE application for Microsoft Lync that allows users to update your Lync, Twitter and LinkedIn statuses simultaneously. LyncSocial is a simple way to enhance your social media presence without taking the extra time to login and post to different platforms. Simply include #TW for Twitter or #LI for LinkedIn in your Lync status to automatically update these platforms.
LyncSocial can be downloaded here.
Posted by at No comments:
Labels:

Wednesday, September 7, 2011

Exchange 2010 Certificate Planning

 I feel it’s necessary to make some standard clarification here to facilitate any future E2010 deployment.


1.       Wildcard certificate not recommended due to Lync. Always use UCC cert that support SAN name. But if you do use wildcard, remember to set EXPR Provider to msstd:*.contoso.com.



2.       You do NOT put the actual CAS array name into the certificate. The only place cas array name is being used is the RPCClientAccessServer attribute for mailbox database. Outlook clients will use this for MAPI\RPC connection. It’s not over HTTPS, so no need to put that in the cert. Normally the cas array name will be the internal FQDN, such as casarray.contoso.local. But if you happen to have internal domain name be the same as external domain name, make sure you DO NOT have a DNS record for cas array name. If you do, this will slow down the initial connection of Outlook Anywhere. Do not use the actual CAS array name (casarray.contoso.local or casarray.contoso.com) as the URL for any virtual directory (owa, ecp, activesync, ews, oab, etc). Create a different name such as owa.contoso.local for the internal URL.



3.       If you have ISA\TMG at front, issue a cert using internal CA for the backend exchange server. The public cert should go on to ISA\TMG or load balancer if you do SSL offloading.


4.       I wouldn’t recommend to put the internal server FQDN to the public cert (and you really don’t need to) as this will expose your server to the outside world.


5.       So in a nutshell, the basic names you would need in the cert would be:

Owa.contoso.com

Autodiscover.contoso.com

Legacy.contoso.com (if doing co-exist)

failback.contoso.com (for datacenter failover and failback)

                smtp.contoso.com (if secure SMTP is required)


References:

http://blogs.technet.com/b/exchange/archive/2010/11/22/3411576.aspx

http://www.howexchangeworks.com/2011/06/should-cas-array-url-be-part-of.htm

Just based on my understanding and experience. Any comments is highly welcomed.
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)