MSExchangeGuru.com


Exchange 2013 SP1: Edge Transport Server Installation and Configuration

Edge Transport Server has protected many Exchange infrastructures, and we have liked relying on Microsoft for this since anti-spam was released in Exchange 2003 SP2.

Many of us were waiting for the Edge Transport Server to come back in Exchange 2013, and with the release of SP1 Microsoft gave us the Edge Transport Server.

The new Edge Transport server can only be managed from the Exchange Management Shell until we create an Edge Subscription.

Once we configure the subscription, we can manage the Edge Transport server from the Exchange 2013 SP1 ECP, which runs on the CAS 2013 server. This means the Edge Transport server does not come with a separate EAC or ECP component.

Most of the time we place the Edge Transport server in the DMZ.

Let us have a look at the installation and the possible configuration options.

 

Ports:

Open the following ports on your DMZ firewalls.

Internet <--> Edge Transport Server

  SMTP TCP 25

Edge Transport Server <--> Intranet

  SMTP TCP 25 and 2525 - mail flow
  DNS TCP/UDP 53 - DNS resolution
  RDP TCP 3389 - Remote Desktop
  LDAP TCP 50389 - used locally to bind to the AD LDS instance; there is no need to open this port on the perimeter firewall
  Secure LDAP TCP 50636 - directory synchronization from the Mailbox servers to AD LDS

 

 

Installation:

  1. This will be a workgroup server whose full computer name carries the Active Directory domain name as its DNS suffix. See the screenshot.

  2. Point the DNS settings to the Active Directory DNS servers on the corporate LAN side of the firewall. Only LAN DNS, no public DNS: let the DNS server do the forwarding or use root hints.

  3. Install AD LDS from Add Roles in Server Manager. No configuration is required; Exchange will configure it.

  4. Install the Exchange prerequisites with the help of my blog here.

  5. Install the Exchange 2013 SP1 Edge Transport Server.

 

a. Run setup.exe. Select “Don’t check for updates right now”.

b. Now you will see that setup is copying the files needed to start the installation.

c. Click Next on the screen below.

d. Accept the agreement and click Next.

e. Select “Don’t use recommended settings”, then click Next.

f. In the server role selection, make sure you select the Edge Transport role and click Next.

g. Give the installation path, then click Next.

h. Setup will run a readiness check.

i. Once the readiness check completes without errors, click Install.

j. Once setup finishes, restart the server.

k. Let us do some checks. Start with Setup.log.

l. Check the following:

   - the AD LDS instance
   - the server component
   - the services
   - the transport agents
   - the telnet verbs
   - the receive connector
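The checks in step l can be scripted. The following is an added example (not a script from the article or from Microsoft); it runs in the Exchange Management Shell on the Edge server and assumes the service names normally installed with the Edge role, which you should compare against Get-Service on your build:

```powershell
# Post-installation checks for an Exchange 2013 SP1 Edge Transport server:
# AD LDS, services, server role, transport agents, receive connector and the
# SMTP verbs. Added example, not the article's or Microsoft's script.
# Run in the Exchange Management Shell on the Edge server.
# Service names below are an assumption (the usual Edge role services).

function Get-SmtpEhloVerbs {
    # Talk plain SMTP to the local receive connector and return the EHLO verbs,
    # the same thing "Check the telnet verbs" does by hand.
    param([string]$Server = 'localhost', [int]$Port = 25, [string]$HeloName = 'edgecheck.local')
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true
        # An SMTP reply may span several lines: "250-..." continues, "250 ..." ends it.
        $readReply = {
            $lines = @()
            do {
                $line = $reader.ReadLine()
                if ($null -eq $line) { break }
                $lines += $line
            } while ($line -match '^\d{3}-')
            return ,$lines
        }
        $banner = & $readReply
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = & $readReply
        $writer.WriteLine('QUIT')
        # Drop the greeting line, then keep only the verb keyword of each line.
        $verbs = $ehlo | Select-Object -Skip 1 | ForEach-Object { ($_ -replace '^\d{3}[- ]', '').Split(' ')[0] }
        return [pscustomobject]@{ Banner = ($banner -join ' '); Verbs = @($verbs) }
    }
    finally { $client.Close() }
}

function Test-EdgePostInstall {
    $results = New-Object System.Collections.ArrayList
    $add = { param($Name, $Passed, $Detail)
        [void]$results.Add([pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = "$Detail" }) }

    # 1. AD LDS instance, transport service and the credential service must be running.
    foreach ($svc in 'ADAM_MSExchange', 'MSExchangeTransport', 'MSExchangeEdgeCredential') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        & $add "Service $svc" ($s -and $s.Status -eq 'Running') $(if ($s) { $s.Status } else { 'not found' })
    }

    # 2. The server component: the local server must report the Edge role.
    $srv = Get-ExchangeServer -Identity $env:COMPUTERNAME -ErrorAction SilentlyContinue
    & $add 'Server role is Edge' ($srv -and "$($srv.ServerRole)" -match 'Edge') "$($srv.ServerRole)"

    # 3. Transport agents: every agent installed with the role should be enabled.
    $agents = @(Get-TransportAgent)
    $disabled = @($agents | Where-Object { -not $_.Enabled } | ForEach-Object { "$($_.Identity)" })
    & $add 'All transport agents enabled' ($agents.Count -gt 0 -and $disabled.Count -eq 0) ('disabled: ' + ($disabled -join ', '))

    # 4. Recipient validation rejects unknown recipients during the SMTP session
    #    instead of accepting and later bouncing them (raised in the comment thread).
    $rfc = Get-RecipientFilterConfig
    & $add 'Recipient validation enabled' $rfc.RecipientValidationEnabled $rfc.RecipientValidationEnabled

    # 5. An enabled receive connector must listen on TCP 25.
    $rc = @(Get-ReceiveConnector | Where-Object {
        $_.Enabled -and (($_.Bindings | ForEach-Object { $_.ToString() }) -match ':25$') })
    & $add 'Receive connector on port 25' ($rc.Count -gt 0) (($rc | ForEach-Object { $_.Name }) -join ', ')

    # 6. The SMTP verbs: the connector should answer EHLO and offer STARTTLS.
    try {
        $ehlo = Get-SmtpEhloVerbs
        & $add 'EHLO offers STARTTLS' ($ehlo.Verbs -contains 'STARTTLS') ($ehlo.Verbs -join ' ')
    } catch { & $add 'EHLO offers STARTTLS' $false $_.Exception.Message }

    return $results
}

Test-EdgePostInstall | Format-Table -AutoSize
```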

 

Export Edge Subscription from the Edge Transport Server

Run the command below to export the subscription, then copy the file to the Mailbox server.

New-EdgeSubscription -FileName "Filepath\Filename.xml"

Look at the screen: it clearly says that the Edge server will talk to the Mailbox server. We need to import this file within 1440 minutes (24 hours), otherwise the subscription will expire.

Type Y and then Enter at the confirmation prompt.

 

 

DNS Configuration

Create a host (A) record in DNS for the Edge server if one is not already present. Then test ping from the Edge server to the Mailbox server and from the Mailbox server to the Edge server. Do not proceed until this works in both directions.
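The port list from the Ports section and the name-resolution test above can be checked together from either side. The script below is an added example, not part of the article; the host names and DNS address at the bottom are placeholders, and it uses only .NET socket and DNS classes so it also runs on the workgroup Edge server:

```powershell
# Connectivity pre-check for the Edge <-> Mailbox path: name resolution plus the
# TCP ports the article lists. Added example, not the article's own script.
# Host names and the DNS address in the usage line are placeholders.

function Test-TcpPort {
    # Returns $true when a TCP handshake completes within the timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # filtered or no route
        $client.EndConnect($async)   # throws when the connection is refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Resolve-HostName {
    # Forward resolution through the DNS servers configured on this machine;
    # returns the addresses as one string, or $null when resolution fails.
    param([string]$Name)
    try { return ([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) -join ',' }
    catch { return $null }
}

function Invoke-EdgeConnectivityCheck {
    param(
        [ValidateSet('Edge', 'Mailbox')][string]$Role,   # which server this runs on
        [string]$EdgeFqdn,
        [string]$MailboxFqdn,
        [string]$LanDnsServer,                            # the AD-integrated DNS the Edge points to
        [int]$HubPort = 25                                # 2525 when CAS and Mailbox share a server
    )
    $checks = @()
    if ($Role -eq 'Mailbox') {
        # Mailbox -> Edge: SMTP for outbound mail, secure LDAP 50636 for EdgeSync.
        $checks += @{ Name = "Resolve $EdgeFqdn";            Test = { Resolve-HostName $EdgeFqdn } }
        $checks += @{ Name = "TCP 25 to $EdgeFqdn";          Test = { Test-TcpPort $EdgeFqdn 25 } }
        $checks += @{ Name = "TCP 50636 to $EdgeFqdn";       Test = { Test-TcpPort $EdgeFqdn 50636 } }
        # LDAP 50389 is local to the Edge; it is not expected to answer from the LAN.
        $checks += @{ Name = "TCP 50389 to $EdgeFqdn closed"; Test = { -not (Test-TcpPort $EdgeFqdn 50389) } }
    } else {
        # Edge -> Mailbox: SMTP for inbound mail, DNS (TCP 53) to the LAN DNS server.
        $checks += @{ Name = "Resolve $MailboxFqdn";         Test = { Resolve-HostName $MailboxFqdn } }
        $checks += @{ Name = "TCP $HubPort to $MailboxFqdn"; Test = { Test-TcpPort $MailboxFqdn $HubPort } }
        $checks += @{ Name = "TCP 53 to $LanDnsServer";      Test = { Test-TcpPort $LanDnsServer 53 } }
        $checks += @{ Name = 'Local AD LDS on 50389';        Test = { Test-TcpPort 'localhost' 50389 } }
    }
    foreach ($c in $checks) {
        $r = & $c.Test
        [pscustomobject]@{ Check = $c.Name; Passed = [bool]$r; Detail = "$r" }
    }
}

# Placeholder names and address: replace them with your own servers before running.
Invoke-EdgeConnectivityCheck -Role Mailbox -EdgeFqdn 'edge01.corp.example' `
    -MailboxFqdn 'mbx01.corp.example' -LanDnsServer '10.0.0.10' | Format-Table -AutoSize
```

Run it once with -Role Mailbox on the Mailbox server and once with -Role Edge on the Edge server; UDP 53 is not covered, so also confirm a plain nslookup works on the Edge.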

    

 

 

 

Import Edge Subscription on a Mailbox Server

Check this when you run Get-Help New-EdgeSubscription.

Run the command below to import the subscription.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "Filepath\Filename.xml" -Encoding Byte -ReadCount 0)) -Site "ADSiteName"

Ensure that port 50636 is open from the Mailbox server LAN to the Edge Transport server in the DMZ.

 

Verify the Changes in the Exchange Admin Center (ECP)

Servers

Send Connectors

  No other send connector is required.

Receive Connectors

  No new receive connector is required.

 

 

Don’t change the Send Connector Configuration

“--” is part of the configuration on the “EdgeSync - Inbound to <AD Site>” connector, so don’t change it. We will see this in the smart hosts and in the address space (accepted domains):

The -- value in the address space represents all authoritative and internal relay accepted domains for the Exchange organization.

The -- value in the list of smart hosts represents all Mailbox servers in the subscribed Active Directory site.


 

Configure Internal SMTP Servers in the Transport Configuration

Use the InternalSMTPServers parameter of the Set-TransportConfig cmdlet to specify a list of internal SMTP server IP addresses or IP address ranges that the Sender ID and Connection Filtering agents on the Edge Transport server should ignore.

Run the command below on the Mailbox server:

Set-TransportConfig -InternalSMTPServers IP1, IP2

 

 

Configure Port 2525 if CAS and MBX are installed on the same server

Run the command below:

Set-SendConnector "EdgeSync - Inbound to Default-First*" -Port 2525

Or change it from ADSIEdit.

 

 

Start Edge Sync

Once all of the above is completed, run the command below:

Start-EdgeSynchronization -Server MailboxServerFQDN -TargetServer EdgeServerFQDN -ForceFullSync
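The Mailbox-side steps (import, the “--” connector check, port 2525, InternalSMTPServers and Start-EdgeSynchronization) can be run as one procedure with the checks those steps imply. This is an added example, not the author’s script; it runs in the Exchange Management Shell on the Mailbox server, and the file path, site name, server names and IP addresses are placeholders:

```powershell
# Mailbox-side import of the Edge subscription, followed by the transport
# settings and the synchronization described above. Added example, not the
# author's or Microsoft's script. Run in the Exchange Management Shell on the
# Exchange 2013 SP1 Mailbox server. All values in the usage line are placeholders.

function Import-EdgeSubscriptionAndSync {
    param(
        [Parameter(Mandatory = $true)][string]$SubscriptionFile,  # XML copied from the Edge server
        [Parameter(Mandatory = $true)][string]$SiteName,          # e.g. Default-First-Site-Name
        [Parameter(Mandatory = $true)][string]$MailboxFqdn,
        [Parameter(Mandatory = $true)][string]$EdgeFqdn,
        [string[]]$InternalSmtpServers = @(),   # IPs the Sender ID and Connection Filtering agents must ignore
        [switch]$CasAndMailboxOnSameServer      # transport listens on 2525 in that layout
    )

    # 1. The exported file is only valid for 1440 minutes; refuse anything older.
    #    (Assumption: the file's LastWriteTime approximates the export time.)
    $file = Get-Item -Path $SubscriptionFile -ErrorAction Stop
    $ageMinutes = [int]((Get-Date) - $file.LastWriteTime).TotalMinutes
    if ($ageMinutes -gt 1440) {
        throw "Subscription file is $ageMinutes minutes old (limit 1440); re-run New-EdgeSubscription on the Edge server."
    }

    # 2. Import it for the Active Directory site this Mailbox server belongs to.
    $bytes = [byte[]](Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)
    New-EdgeSubscription -FileData $bytes -Site $SiteName | Out-Null

    # 3. The inbound EdgeSync connector must keep its "--" placeholders: the
    #    address space stands for all accepted domains and the smart host for
    #    all Mailbox servers in the site. Warn if someone has edited them.
    $inbound = Get-SendConnector | Where-Object { $_.Name -like "EdgeSync - Inbound to $SiteName*" }
    if ($inbound -and ("$($inbound.SmartHosts)" -notmatch '^--')) {
        Write-Warning "Smart hosts on '$($inbound.Name)' are '$($inbound.SmartHosts)'; expected the -- placeholder."
    }

    # 4. If CAS and Mailbox share a server, the connector has to target port 2525.
    if ($CasAndMailboxOnSameServer -and $inbound) {
        $inbound | Set-SendConnector -Port 2525
    }

    # 5. Addresses the Edge anti-spam agents must treat as internal.
    if ($InternalSmtpServers.Count -gt 0) {
        Set-TransportConfig -InternalSMTPServers $InternalSmtpServers
    }

    # 6. Push the configuration to the Edge server and report the sync result.
    Start-EdgeSynchronization -Server $MailboxFqdn -TargetServer $EdgeFqdn -ForceFullSync | Out-Null
    return Test-EdgeSynchronization -TargetServer $EdgeFqdn
}

# Placeholder values: replace them with your own.
Import-EdgeSubscriptionAndSync -SubscriptionFile 'C:\Temp\EdgeSubscription.xml' `
    -SiteName 'Default-First-Site-Name' -MailboxFqdn 'mbx01.corp.example' `
    -EdgeFqdn 'edge01.corp.example' -InternalSmtpServers '10.0.0.20', '10.0.0.21'
```

The returned Test-EdgeSynchronization object shows SyncStatus per Edge server; anything other than Normal means the subscription or port 50636 needs another look before testing mail flow.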

 

 

Restart Service

Restart Edge-Sync on the Edge Transport Server.

 

 

 

Test the Mail Flow:

Incoming from the Edge server to the Exchange organization

My lab does not receive from the Internet, so I used telnet. This also shows the Exchange verbs.

Message received: see the header.

From the Exchange organization to the Internet

See the message header.

 

 

 

References

Edge Transport Server: http://technet.microsoft.com/en-us/library/bb124701(v=exchg.150).aspx

Message Tracking Verbs: http://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx

 

 

 

Prabhat Nigam

Microsoft MVP | Exchange Server

Team@MSExchangeGuru

140 Responses to “Exchange 2013 SP1: Edge Transport Server Installation and Configuration”

  1. Jason Says:

    @Prabhat Nigam
    Thank you for the reply!
    I have 2 more questions, if our edge server is in the dmz, is there a problem if it is physically a guest on a host that is a member of the AD domain? We want the server to be a virtual server (while not being on the host domain) and since the host is part of the AD domain, does that create a vulnerability?

    Also, do we have to run any AD/forest/domain preps?

    Thanks for the help,
    -Jason

  2. Prabhat Nigam Says:

    @Jason
    A VM guest non-domain-joined server is fine. It does not matter if the host is domain joined.

    There is no need for any preps.

  3. Jason Says:

    @Prabhat Nigam
    Thanks for your help!
    We have begun the installation of the edge transport server but we are having issues with the subscription import process. I may have possibly left out some prerequisites. We are able to ping the mailbox server from the edge and can ping the edge from the mailbox. I successfully created the subscription file, but when I attempt to run:

    [PS] C:\Windows\system32>New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"

    I get the following Error:

    New-EdgeSubscription : A parameter cannot be found that matches parameter name ‘FileData’.
    At line:1 char:31
    + New-EdgeSubscription -FileData <<<New-EdgeSubscription -FileName:”C:\EdgeSubscription.xml” -Site:”Default-First-Site-Name”

    I got the following error:

    New-EdgeSubscription : The Edge Subscription file did not load for the following reason: Access to the path ‘C:\EdgeSubscription.xml’ is denied..
    At line:1 char:21
    + New-EdgeSubscription <<<< -FileName:"C:\EdgeSubscription.xml" -Site:"Default-First-Site-Name"
    + CategoryInfo : InvalidOperation: (:) [New-EdgeSubscription], InvalidOperationException
    + FullyQualifiedErrorId : 77FBD31B,Microsoft.Exchange.Management.SystemConfigurationTasks.NewEdgeSubscription

    I think I missed some of the prerequisites. Here are the prereqs I've done in order:
    Installed Server 2012 R2 as a Hyper-V, did all Windows updates, ran the "Install-WindowsFeature ADLDS" install command, gave the server the FQDN and kept it in the workgroup, pointed the server to the DNS server, gave the server a static IP and made sure the IP address was added in our exclusion list so DHCP doesn't hand out that IP, installed the Exchange 2013 Edge Transport role, ran the "Install-WindowsFeature RSAT-ADDS" install command, opened the ports, made sure the servers were pingable, ran all of the server check commands you listed, and created the subscription.xml file.

    I did not do any of the "Preparing Exchange 2010/2007: If this is a coexistence then these steps will be required" section.
    I skipped a lot of the exchange prereqs because I thought those only pertained if I was setting up a mailbox server, and not an edge server. Please let me know if I have missed some.
    thank you,

    -Jason

  4. Jason Says:

    @Prabhat Nigam

    Sorry for the double post! It cut out a section of my post the first time, hopefully it goes through this time!

    Thanks for your help!
    We have begun the installation of the edge transport server but we are having issues with the subscription import process. I may have possibly left out some prerequisites. We are able to ping the mailbox server from the edge and can ping the edge from the mailbox. I successfully created the subscription file, but when I attempt to run:

    “[PS] C:\Windows\system32>New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path “C:\EdgeSubscription.xml” -Encoding Byte -Readcount 0)) –Site “Default-First-Site-Name””

    I get the following Error:

    “New-EdgeSubscription : A parameter cannot be found that matches parameter name ‘FileData’.
    At line:1 char:31
    + New-EdgeSubscription -FileData <<<New-EdgeSubscription -FileName:”C:\EdgeSubscription.xml” -Site:”Default-First-Site-Name””

    I got the following error:

    “New-EdgeSubscription : The Edge Subscription file did not load for the following reason: Access to the path ‘C:\EdgeSubscription.xml’ is denied..
    At line:1 char:21
    + New-EdgeSubscription <<<< -FileName:"C:\EdgeSubscription.xml" -Site:"Default-First-Site-Name"
    + CategoryInfo : InvalidOperation: (:) [New-EdgeSubscription], InvalidOperationException
    + FullyQualifiedErrorId : 77FBD31B,Microsoft.Exchange.Management.SystemConfigurationTasks.NewEdgeSubscription"

    I think I missed some of the prerequisites. Here are the prereqs I've done in order:
    Installed Server 2012 R2 as a Hyper-V, did all Windows updates, ran the "Install-WindowsFeature ADLDS" install command, gave the server the FQDN and kept it in the workgroup, pointed the server to the DNS server, gave the server a static IP and made sure the IP address was added in our exclusion list so DHCP doesn't hand out that IP, installed the Exchange 2013 Edge Transport role, ran the "Install-WindowsFeature RSAT-ADDS" install command, opened the ports, made sure the servers were pingable, ran all of the server check commands you listed, and created the subscription.xml file.

    I did not do any of the "Preparing Exchange 2010/2007: If this is a coexistence then these steps will be required" section.
    I skipped a lot of the exchange prereqs because I thought those only pertained if I was setting up a mailbox server, and not an edge server. Please let me know if I have missed some.
    thank you,

    -Jason

  5. Jason Says:

    It still removed part of my post, so it may look confusing in the area “I got the following error:”. The first error I was getting was because I was trying to run the 2013 syntax on our 2007 mailbox, so I attempted to run the 2007 syntax for importing a subscription file, that is when I get the “Access to the path ‘C\EdgeSubscription.xml’ is denied..” error. I hope that makes the post a little more clear.
    Again, sorry for the double post.
    Any help would be greatly appreciated!

    -Jason

  6. Prabhat Nigam Says:

    On which server are you running the below command? You have to run this on the Exchange 2013 Mailbox role or the 2010 HT role.
    The error is on FileData. Do you have access to the file C:\EdgeSubscription.xml?
    Run the EMS with run as admin.

    New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"

  7. Jason Says:

    I am running the command on a 2007 server. It has both Mailbox and HT roles. I do have access to the EdgeSubscription.xml file. It created the .xml file on the 2013 Edge server.

  8. Prabhat Nigam Says:

    open EMS with run as administrator

  9. Jason Says:

    I tried running EMS as an administrator, but I receive the same error.

    I then ran the following command for 2007:
    [PS] C:\Windows\system32>New-EdgeSubscription -FileName:”C:\EdgeSubscription.xml” -Site:”Default-First-Site-Name”

    This is the error I get:

    New-EdgeSubscription : The version of the Edge subscription doesn’t match any Hub Transport servers in the subscribed site.
    At line:1 char:21
    + New-EdgeSubscription <<<

    -Jason

  10. Prabhat Nigam Says:

    Actually Exchange 2007 is unable to find the file ‘C:\EdgeSubscription.xml’
    Make sure file name is correct with the location.

  11. Tommie Bueno Says:

    I couldn’t resist commenting. Perfectly written!

  12. Jason Says:

    We are still having issues with the subscription. I recreated and renamed the subscription file a few times now, but I continued to receive the same error. I then used the GUI version via the Exchange Management Console. I shared the folder the subscription file resides in, so the location can be seen by the mail server. I went to the “New Edge Subscription” section of the console. It gives me the option to browse and highlight the subscription file. I am able to find the file and select it, but I still receive the exact same error of “The version of the Edge subscription doesn’t match any Hub Transport servers in the subscribed site”.

    I did some research and some people had luck with installing the latest SP. I applied SP3 to the Client Access, then Hub transport, then mailbox – in that order. I still receive the same error. I am not sure what is causing the error, but I found Rollup 13 for 2007 that I am going to apply today. Hopefully that will fix whatever is going on.

    I appreciate the guidance you’ve given so far. Hopefully you can give me some insight into our issue. I haven’t found much information on this yet. The most I’ve heard is to try the latest SP and Rollup, because that has fixed others with the same issue.
    Thanks for your help!

    -Jason

  13. Prabhat Nigam Says:

    @Jason

    It seems you are moving in the correct direction: you need the legacy Exchange version to be at the minimum level supported by Exchange 2013 to let them talk. So for Exchange 2007 that is SP3 RU13. Your sequence of applying the update is correct.

    Copy the subscription file to 2007 Hub Transport server. Run the command on Exchange 2007 Hub Transport server.

  14. Ishtvan Balint Says:

    I followed all the steps and it seems to install ok except that when i do a telnet test i get
    ] Queued mail for delivery
    451 4.7.0 Timeout waiting for client input

  15. Prabhat Nigam Says:

    It looks like a 3rd party issue. Try to bypass any 3rd party.
    http://social.technet.microsoft.com/Forums/exchange/en-US/defc53b7-424f-4354-ba3e-5eae2a9c2282/451-470-timeout-waiting-for-client-input

  16. Ishtvan Balint Says:

    No 3rd party included. Two servers. One mailbox and cas the other edge. No problem using the mailbox and cas server connector but issue seems to be with the edge connector.

  17. Prabhat Nigam Says:

    From where to where did you do the telnet? Do you have any router or firewall between them?

  18. Ishtvan Balint Says:

    Actually I got it to work by disabling the connection filtering agent in the transport agents. Now I have another issue. In the transport agents I have recipient filtering as priority one; however, now when I send a message to a non-existent user in AD I still get a bounce. Shouldn’t the telnet command tell me right away that the recipient is not OK?
    thanks

  19. Prabhat Nigam Says:

    I know what you are talking about, but I am not sure if this still works.
    Do you have the check box checked on the recipient filtering to accept email only for email addresses that belong to AD?

  20. Ishtvan Balint Says:

    Only works on Edge Server. First you need to make sure that Recipient Filter Agent is enabled and then you need to run this:
    Set-RecipientFilterConfig -RecipientValidationEnabled $true
    After that if you telnet and try sending to a non existent user it will reject right away.

  21. Prabhat Nigam Says:

    Good to know. 🙂

  22. Khoa Says:

    Thanks for the post. I can send and receive Internet email via OWA, but when I configure it in Microsoft Outlook (internal client):
    -POP3: IP of Client Access Server; SSL; Port 995
    -SMTP: IP of Edge Server (in the test, the Edge Server is on the same network as the CAS); no SSL; Port 25
    I can receive email, and when I send I get the error “The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was ‘khoa.caovan@yahoo.com’. Subject ‘Re: goi tu internet’, Account: ‘192.168.103.249’, Server: ‘192.168.103.249’, Protocol: SMTP, Server Response: ‘550 5.7.1 Unable to relay’, Port: 25, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79”

    Is this the right config for the POP3 and SMTP server?
    How do I fix this error?

  23. Prabhat Nigam Says:

    @Khoa
    you should connect to CAS server and not edge.

  24. Khoa Says:

    And what port open to check from internet

  25. Prabhat Nigam Says:

    @Khoa
    Try port 587, but you need to use authentication; Edge can’t use authentication. 0x800CCC79 is an authentication error. I hope the blog post below helps.

    http://iamacomputerfreak.blogspot.com/2013/05/protocol-smtp-server-response-550-571.html

  26. Khoa Says:

    On the firewall, open ports 587 and 995 from the Internet to the CAS? If that is true, I think I can do it. Many people tell me the right config in MS Outlook is that the POP3 and SMTP fields must be the Edge Server. This is the first time I have configured Exchange with Edge; I read many guides about configuring Edge but they do not mention how to configure Microsoft Outlook. Please help me Prabhat, thank you so much!

  27. Kamlesh Ambre Says:

    Dear Prabhat,

    Nice document to understand the configuration part for ET server.

    I’m planning email soln with the following details :

    1)2 ET Servers in DMZ ( In Round Robin LB using same priority for MX record )

    2)2 nos CA+MB Servers in Inside secure zone

    3)CA will be load balance using Layer 4 Hw load balancer

    4) FSW will be on another VM for DAG of Mailbox role

    5) Internal and External domain name will be same

    Please validate my incoming mail flow config required at ISP DNS Server:

    To Receive incoming mails , I’ll create 2 A records for ET1 and ET2 and with two public IPs and same name MX record for 2 A records( ET1 and ET2) with same priority.

    ET1.abc.gov.in A 210.212.210.212
    ET2.abc.gov.in A 210.212.210.213
    mail.abc.gov.in MX ET1.abc.gov.in
    mail.abc.gov.in MX ET2.abc.gov.in

    Will do NATing on firewall for above 2 nos public IP to Local ET1 and ET2 IP address.

    To access OWA and Autodiscover and activesync :

    VIP with private IP configured on HW Load balancer with 2 CA server NLB :

    ISP End DNS entry :

    email.abc.gov.in A 210.212.210.214

    Will do NATing on firewall for above public IP to VIP configured on Hardware loadbalancer.

    Please validate this approach for mail routing and for OWA,Autodiscover,activesync.

    Kindly confirm to access OWA/Autodiscover/Active sync MX record is not required?

    T & R,
    Kamlesh

  28. Prabhat Nigam Says:

    You missed autodiscover entry here
    ISP End DNS entry :

    email.abc.gov.in A 210.212.210.214
    Autodiscover.abc.gov.in A 210.212.210.214

  29. Prabhat Nigam Says:

    Rest all looks good. Except I prefer minimum 3 copies of databases in Dag but again it depends on customer budget.

  30. Kamlesh Ambre Says:

    Tks prabhat. Clarified.

    In same scenario.

    I created a new edge subscription on the ET1 Server:

    PS c:\> New-EdgeSubscription -FileName C:\Edge.xml

    and Imported on both CA+MB1 and CA+MB2

    PS c:\> New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path “C:\Edge.xml” -Encoding Byte -ReadCount 0)) -Site “Default-First-Site-Name”

    I checked with telnet ET1 server using I’m getting Email in Users mailbox junk-mail.

    As I have only 2 ET servers in DMZ, Shall I repeat both the below command on Edge2 server and and both CA+MB servers

    or

    To create clone config of ET1 and import it on ET2 ? and after this nothing to do on CA+MB servers for ET2 ?

    T & R,
    Kamlesh

  31. Prabhat Nigam Says:

    Repeat the same onET2

  32. Kamlesh Ambre Says:

    Made the changes on ET2.

    Shall I use Hw Load balancer with natting on 1 VIP for 2 ET server instead of round robin and natting on 2 IPs?

    Note : IN technet MS suggested RR with ET. Your suggestion Best practice is what ?

    My Internal Domain : abc.com
    My Eternal Registered domain: abc.gov.in

    Using Split Brain DNS:

    I made the following changes in my AD integrated DNS zone ( abc.com )

    exchcamb1 A 172.30.100.43
    exchcamb2 A 172.30.100.44
    mail A 172.30.100.43
    mail A 172.30.100.44

    in virtual directory changed URL for OWA/Autodiscover/EAS/Power shell/ECP/OAB etc
    as https://mail.abc.com/owa and same for all in internal URL and

    I made following changes in my DNS Zone (abc.gov.in)

    Exchcamb1 A 172.30.100.43
    Exchcamb2 A 172.30.100.44
    mail A 172.30.100.43
    mail A 172.30.100.44

    in virtual directory changed URL for OWA/Autodiscover/EAS/Power shell/ECP/OAB etc
    as https://mail.abc.gov.in/owa and same for all external URL.

    Q is

    When Configuring outlook autodiscover is working fine but it is asking to click yes on certificate popping window
    like mail,exchcamb1,exchcamb2 everytime when I opens Outlook.

    How to avoid the certificate popup every time while working on Outlook in the LAN environment?

    In the next test, I’ll add UPN suffix same as @abc.gov.in to use the same URL for internal and external with requisite changes in user login ID as xxxx.yyyy@abc.gov.in instead xxxx.yyyy@abc.com. I hope it will work fine.Please confirm.

    Answer to your suggestion for 3 Servers in DAG is Budget and user are only 300-350. I personally suggested to use 3 to avoid dependency on FSW with even MB servers and added redundancy @ mailbox database level. But mgmt is not ready.

    Pl suggest answers to my queries…

    Tks for your support in resolving doubts.

    Kamlesh

  33. Prabhat Nigam Says:

    1. Note : IN technet MS suggested RR with ET. Your suggestion Best practice is what ?
    A. RR with 1 VIP – LB is in HA
    2. When Configuring outlook autodiscover is working fine but it is asking to click yes on certificate popping window
    like mail,exchcamb1,exchcamb2 every time when I open Outlook. How to avoid the certificate popup every time while working on Outlook in the LAN environment?
    A. Install a ssl cert with all urls as Subject Alternative Names

  34. Kamlesh Ambre Says:

    Tks.
    A. RR with 1 VIP – LB is in HA
    Not understood ..
    On my firewall , 2 Public IPs will nat to 2 Private IPs of ET1 server is my plan.
    As per your suggestion 1 VIP on HW load balancer and 2 ET servers as a real servers in loadbalancer configuration and NAT both the public IPs to single Load balancer private VIP for ET servers?

    Proposed DNS config for ET with HW Loadbalancer

    ET1.abc.gov.in A 192.168.10.10
    ET2.abc.gov.in A 192.168.10.11
    mail.abc.gov.in A 192.168.10.12

    on My Firewall :

    NAtting 210.212.210.212 –> 192.168.10.12 & 210.212.210.213 –> 192.168.10.12

    On My Hardware loadbalancer –
    URL Real servers
    mail.abc.gov.in 192.168.10.10,192.168.10.11

    A. Install a ssl cert with all urls as Subject Alternative Names
    I read that SSL cert for internet to Exchange server communication self sign certificate is for internal client to exchange server communication. is it required for LAN outlook PCs also..?

    Please confirm . Bit confused …. for traffic coming inside to ET servers.

    Kamlesh

  35. Kamlesh Ambre Says:

    Dear Prabhat,

    Pl reply to my last query. I know I’m sending lot of queries and doubts but you are a exchange guru. Please reply.

    T & R,
    Kamlesh

  36. Prabhat Nigam Says:

    Sorry, I was running busy.

    A. RR with 1 VIP – LB is in HA
    Not understood ..

    PN – It means RoundRobin with 1 VIP is fine but Load balancer should be in High Availability mode. I assume both public IP can land to same VIP ip or you can have 2nd VIP for 2nd public IP but Load balancer should be in the HA mode.

    On the IP config.
    PN – all looks good.

    ON SSL Cert
    PN – You don’t need SSL cert for ET. It will use self signed cert.
    You need SSL cert only for CAS role.

  37. Kamlesh Ambre Says:

    Dear Prabhat,

    very very Thanks for clarification.

    If I dont have internal CA , is it required third party ( verisign,digicert etc) SSL certificate for Local LAN to Exchange server communication
    in the same way it is required for internet users to server communication?

    Note : I want to avoid pop windows for certificate while opening outlook everytime.

    T & R,
    Kamlesh

  38. Kamlesh Ambre Says:

    Dear Prabhat,

    Plz reply.

    If I dont have internal CA , is it required third party ( verisign,digicert etc) SSL certificate for Local LAN to Exchange server communication
    in the same way it is required for internet users to server communication?

    Note : I want to avoid pop windows for certificate while opening outlook everytime.

    I’m facing a typical issue in my test setup with 2 ET and 2 CA+MB Servers with Exchange 2013 Sp1 on Windows 2012 R2.

    My 2 CA+MB servers are VMs on hyper-v with DAG. Everything was working fine. But After taking backup of Mailbox DB folder on active copy server
    my mailbox DB dismounted. I checked with eseutil, it was in Dirty Shutdown and so repaired and tried to mount but again the same issue. Repaired the log file and tried but the same issue.

    Its giving error Active manager is not available and in windows failover manager no cluster is showing in any of the node.

    Troubleshooting :

    CPU utilization was 100% so added an additional CPU but still no cluster is showing.
    Checked All exchange services on both the nodes are running properly.
    clussvc is also running. BITS,Diagnostic policy, User access policy,DTC are running but with startup type ( Delayed start).
    Made following changes :
    cluster /prop SameSubnetDelay=2000
    cluster /prop SameSubnetThreshold=10
    Test-Mapiconnectivity -server showing the server but DB are dismounted.
    Forcefully deleted one node from DAG and trying to readd but it is now allowing at all giving error unable to contact cluster services on other server.

    Please suggest if any hint to resolve the issue.
    Is it a patch level issue for DAG?

    T & R,
    Kamlesh

  39. Prabhat Nigam Says:

    You don’t need an internal CA.
    An SSL cert from a 3rd party will be good for the CAS popup. Your URL should be there in the cert SAN.
    ————

    We don’t take the backup of the Exchange folder. Check my blog on how to take an Exchange backup.
    ———

    Your DAG cluster is not healthy and I am not sure what has been corrupted by the backup. You had better engage Microsoft support or our support services if you are not comfortable troubleshooting. We can’t dig much here and suggest anything.

  40. Kamlesh Says:

    Dear Prabhat,

    I’m planning email soln with the following details :

    1)2 ET Servers in DMZ ( MX record in Round Robin on ISP DNS Server with same priority / Inside will use Hardware load balancer for 2 ET )

    2)2 nos CA+MB Servers in Inside secure zone

    3)CA will be load balance using Layer 4 Hw load balancer

    4)FSW will be on another VM for DAG of Mailbox role

    5) Internal and External domain name will be different ( Internal : abc.com , External , abc.gov.in ) on my AD integrated DNS will use split brain DNS for abc.gov.in zone.

    Here my users have UPN : kamlesh.ambre@abc.com , Email ID : kamlesh.ambre@abc.gov.in

    Q :

    1) Is it required to add UPN suffix @abc.gov.in and change user UPN to kamlesh.ambre@abc.gov.in ?

    2) Regarding SSL for SAN Names :

    In the above setup is it required SSL for both the domain names ( Like abc.com , mail.abc.com , autodiscover.abc.com , abc.gov.in , mail.abc.gov.in , autodiscover.abc.gov.in) while accessing mails from internal O/L clients and using O/A, OWA and active-sync over internet.

    3) Is is possible me to use SAN with external name for internal and external mail clients ? ( It will save my cost for 3 Internal SAN names)

    Please revert.

    T & R,
    Kamlesh

  41. Prabhat Nigam Says:

    @Kamlesh
    1. If you need your users to log in using UPN then they need to use the domain UPN.
    2. You can create the email domain DNS internally as well and add manual host records. This way you just need one email domain SAN. So this means keep the internal URL the same as the external; the only barrier is if you have an external website which is not reachable from the intranet.
    3. Answered above.

  42. Kamlesh Ambre Says:

    Tks prabhat.

    Q – My FQDN for ET on HW LB Vip and CAS virtual directories can be same?
    ie mail.abc.gov.in.

    2) For autodiscover i’ll use separate pub –> priv natting pointing to CA Vip ON LB with respective autodiscover “A” entry on internal DNS server?

    T & R,
    Kamlesh

  43. Kamlesh ambre Says:

    Dear Prabhat ,

    With 2 ET and 2 CA+MB setup my incoming mails from Internet are coming but outgoing mails are not going with default edgesync connector settings.

    As per your doc :
    2. We need to point the DNS to the Active Directory DNS on the Corporate firewall LAN. Only LAN DNS and no Public DNS. Let the DNS server do the forwarding or use root hints.

    I have an internal DNS server entry on ET1 & 2 which is my DC with AD integrated DNS. On my firewall there are 3 zones: Internet, Internal (ca+mb), External (ET).

    Policy configured for internet external for all –all.

    My incoming mails with nating on ET VIP on HW LB are working fine but outgoing mail are not going.

    Plz suggest any soln. Where is to configure forwarder to resolve external smtp domain for external mails.

    Its urgent to show it to the manager.

    T & R,
    Kamlesh

  44. Prabhat Nigam Says:

    Check the DNS resolution working on Edge Transport server. If not then you need to open port 53 tcp+Ido with your internal firewall.

  45. Prabhat Nigam Says:

    Please read Ido=udp

  46. Kamlesh Ambre Says:

    Dear Prabhat,

    As per your port list :

    Internet –> EDGE Transport Server
    SMTP Port 25

    But in my case ET servers are in the DMZ and I’m using AD integrated DNS on the DC, which I don’t want to expose to the Internet by entering a forwarder with external DNS, so here I will need to open port 53 TCP/UDP from the Internet to my DC, which will be an issue.

    In our case, I opened port 53 from internet to ET server on ext firewall for sending outgoing mails and now they are flowing.

    As per technet :

    1) You can configure the Edge Transport server to use DNS to resolve MX resource records for external SMTP domains,

    Here I have given MTNL DNS Server directly on ET servers

    2) or you can configure the Edge Transport server to forward messages to a smart host for DNS resolution.

    I think this smart host is nothing but hosted SMTP server or Here also you can put the same MTNL DNS in Edgesysnc – Internet send connector.

    Please clarify.

    My Q is for Outgoing mails from Mailbox server server to ET server. Can it go thru the Hardware load balancer during exit to the internet ?

    Please explain the outgoing mail flow with ET servers and with the HW load balancer.

    T & R,
    Kamlesh

  47. Kamlesh ambre Says:

    Dear Prabhat,

    Plz clarify :

    1) How to achieve outgoing mails load balancing in exchange 2013 using mailbox and ET servers?

    Please explain the outgoing mail flow with ET servers and with the HW load balancer.

    My hardware load balancer vendor says outgoing mail load balancing cannot be achieve in LB box and it can be managed in Exchange 2013 architecture. Your reviews or any URL to clarify the same.

    T & R,
    Kamlesh

  48. Prabhat Nigam Says:

    Use Send connector for outgoing emails. In send connector you can add multiple servers.

    At the same time I would highly recommend you to hire a consultant for your design and deployment. Also go for some training sessions through your company. If you continue without the training and consultant then I am afraid you might break some things and look for me or someone who might not be available when you need to fix your issue.

  49. Kamlesh ambre Says:

    Dear Prabhat,
    Thanks for your suggestion and time to time solns.
    It is a test environment before moving production. I’m reading technet,david elfassy book exch 2013 book and trying.
    In my edge-sync – Internet send connector already 2 ET servers are present as source servers. I just need clarification whether if my 1 ET server is down , then all mails fwded to down et server will get transferred to another or mailbox servers will transfer to only live et server.
    I’m really sorry if I’m asking so many clarifications.
    T & R,
    Kamlesh

  50. Prabhat Nigam Says:

    Looks like I missed replying to this. If the subscription is configured on both servers then yes, it will be transferred.
