TPOV

During my stay at TechEd 2010 in New Orleans, I had to work the Exchange Server 2010 Flexibility and Reliability booth. Although most questions were on the Exchange DAG, the second most popular discussion was around the Client Access Server (CAS) and CAS-Arrays.

Hence, the 10 most predominant questions (and of course, the answers to them);

Q1. Is it true that there can be only 1 CAS Array?

A1. There can be only 1 CAS Array per Active Directory Site. The name of the CAS Array is stored as a string on the AD-Site object. When you use the Powershell command New-ClientAccessArray you see that you have to provide an AD-Site by means of the –Site parameter.

Q2. Can I create a CAS Array when I need it, or do I need to set it up in advance?

A2. No, you can create a CAS Array whenever you need it. But keep in mind that an Exchange Database is ‘linked’ to a certain CAS Server or CAS Array. If you do not create a CAS Array up front, and decide to create one after Exchange databases have been created, you have to manually ‘link’ the existing database to the CAS Array. (This can be done with the Powershell commandlet Set-MailboxDatase; Get-MailboxDatase | Set-MailboxDatabase –RPCClientAccessServer ‘cas-array.domain.local’) Otherwise, clients will keep using the first CAS Server rather then the CAS arrray for accessing the mailbox server. Luckily, you can have a CAS array with only one server. Since best practice is to install the CAS Server before creating an Exchange 2010 mailbox server, create the CAS right after creating the CAS server.

Q3. Is it true that there can be only 8 servers in a CAS Array?

A3. No. There can be any number of CAS servers in a CAS Array. But since many use Microsoft’s Network Load Balancing for load balancing client access to the servers, they are limited to 8 servers; it a limit imposed by Microsoft Network Load Balancing, not by the CAS Array design).

Q4. Can I stretch a CAS Array over multiple IP-Subnets?

A4. Depends. There can be only one CAS Array per AD-Site. So if both IP Subnets are in a different AD-Site, you cannot.

Q5. Do I need a Hardware Load Balancer in front of my CAS Array?

A5. Not necessarily. Depending on the clients you want to support (EAS, POP, IMAP, OWA, Outlook, RPC over HTTPS) certain load balancing solutions are better suited then others. I have seen Microsoft Network Load Balancing seen used with success, whilst others have problems with this ‘free’ solution. All different protocols require different affinity implementations on the load balancer, some protocols support redirection, some support proxying.

Q6.Do I need CAS arrays in my primary site and my DR site?

A6. Most probably yes. Although DAG’s can span sites, you need to set up a CAS array in your primary site and in your DR site.

Q7. If my DAG fails over to my DR site, will my clients still be able to connect?

A7. Most probably not. Remember; You will have a different CAS Array (with a different CAS Array name) in the DR Site. Since the mailbox database is linked to a specific CAS Array, if the primary site fails, the databases might be up and running in the DR site, but the clients will still try to access the CAS Array in the failed site. So you need to change the RPCClientAccessServer on the mailbox databases that are now in the DR site. If you set it to the name of the CAS Array in the DR site, client will now need to access the database by means of the CAS Array name in the DR Site. This can be done by means of autodiscovery, but if you have older Outlook clients, you have to change the outlook profile. Furthermore, take DNS into account in such a scenario; start by lowering the TTL of the DNS records of the CAS Array’s name so that in case of a failure you can change DNS records fast. (That’s also important for all other clients besides of Outlook!)

Q8. If I upgrade from Exchange Server 2003 or 2007 to Exchange Server 2010, can I replace the old CAS servers or Front-Ends with Exchange 2010 CAS servers first?

A8. No. An Exchange Server 2010 CAS server will not serve mailboxes that are running on older versions of Exchange. So if you still have mailboxes on let’s say Exchange 2007 servers, you will need an Exchange Server 2007 CAS server to service those clients. If you try to access the Exchange 2007 mailbox through the Exchange 2010 CAS server, the server will redirect the client to the Exchange 2007 CAS (if the protocol supports it). So in stead of replacing the ‘old’ CAS servers, install NEW CAS servers. This introduces some extra complexity; since the new CAS server(s) or CAS array cannot have the same name as the old CAS Server(s) or array, you need to introduce a new namespace or DNS name. And, because of that, you might have to purchase new certificates. Yes, the CAS role is the most tricky role in the Exchange portfolio of server roles…

Q9. How many CAS Servers do I need?

A9. Although this answer depends on a lot of important factors like server sizing, protocols used, client profile, etc. there is a rule of thumb here; You will need approximately 3 CAS servers for each 4 mailbox servers.

Q10. How many certificates (of what sort) do I need for my CAS Servers?

A10. It all depends. For one single CAS array you will obviously need at least one certificate; a certificate that has the name of the CAS ARRAY. That certificate can be used on all servers in the CAS Array. If you have let’s say 2 CAS arrays in 2 sites, and each CAS array serves as a fallback for the other CAS array, it is recommended that you purchase a SAN certificate with the names of both CAS arrays in it. Install that certificate on all CAS servers in both arrays/sites. But there could be other scenario’s that would require you to put more names on the SAN certificate. You can also use wildcard certificates, but make sure that all your clients support wild card certificates. For example, most older Windows Mobile devices will have problems with wildcard certificates. Always make sure that the root CA of the certificate is trusted by the device you use.

So where are my iPhone and BlackBerry questions?

Well, since the implementation of the iPhones ‘ActiveSync’ is lacking a lot of functionality, I will not go into much details here. The iPhone currently does not support the ActiveSync redirect. Something you will be using in a DR scenario. Furthermore, it does not implement a lot of policies you can set in Exchange with regards to mobile devices. (And the iPhone even ‘tells’ Exchange that all policies were applied, when in fact, they were ignored completely.) Microsoft is really pushing Apple towards implementing all of this, but they cannot force customers to do so. Just be aware of all the 3rd party EAS clients out there as they might not be as good as you think…

As far as BlackBerry’s go; get some expensive BlackBerry Enterprise product and see how far it get’s you. Be sure to test all failover scenario’s and keep track of the load on your CAS servers!