Exchange Server 2013 Client Access Server High Availability

In an Exchange Server 2013 organization where high availability is a requirement you need to consider both the Client Access and the Mailbox server roles.

Although a Database Availability Group can provide high availability for the databases hosted on the Mailbox servers, the Client Access server needs to be considered separately for HA.

In Exchange 2010, high availability for the Client Access server was achieved by configuring a CAS Array together with some form of load balancing (a hardware or virtual load balancer, or Windows NLB). Although the CAS Array object no longer exists in Exchange 2013, and other architectural changes mean that load balancing can be approached in different ways, the basic concept of a single namespace for Outlook connectivity remains.

Here is a general demonstration of configuring high availability for Exchange 2013 Client Access servers.

To begin with, two Client Access servers (E15MB1 and E15MB2) have been deployed in a site. They are multi-role servers and are also members of the DAG that has been deployed. A third server is installed with only the Mailbox server role and is a member of the DAG as well.


A mailbox user connecting via Outlook 2013 is connected to server E15MB2, as shown in the Outlook connection status dialog. No manual configuration was required for this; it is simply the endpoint that Outlook autodiscovered.


The mailbox databases are currently active on E15MB2.

[PS] C:\>Get-MailboxDatabase -status | select name,mounted,mountedonserver

Name            : Mailbox Database 1
Mounted         : True
MountedOnServer :

Name            : Mailbox Database 2
Mounted         : True
MountedOnServer :

The trouble begins when E15MB2 goes offline. The databases fail over to other DAG members and remain available.

[PS] C:\>Get-MailboxDatabase -status | select name,mounted,mountedonserver

Name            : Mailbox Database 1
Mounted         : True
MountedOnServer :

Name            : Mailbox Database 2
Mounted         : True
MountedOnServer :

However the mailbox user is no longer able to connect to E15MB2 and access their mailbox.


Eventually Outlook may autodiscover another available Client Access server in the site and connect to it, but it is not an ideal user experience.


To improve this situation we need to look at the Outlook Anywhere configuration of the Client Access servers. If you're not already familiar with Outlook Anywhere from previous versions of Exchange, it is the service that tunnels Outlook's MAPI/RPC connections over HTTP or HTTPS (RPC over HTTP). In the past it was typically used only for remote/external access, but architectural changes in Exchange 2013 mean that all Outlook connectivity is via HTTP/HTTPS, even for internal clients, so the Outlook Anywhere settings now determine where every Outlook client connects.

At the moment each server is configured with its own FQDN as the internal host name for Outlook Anywhere, which is the default.

[PS] C:\>Get-ClientAccessServer | Get-OutlookAnywhere | select identity,*hostname

Identity         : E15MB1\Rpc (Default Web Site)
ExternalHostname :
InternalHostname :

Identity         : E15MB2\Rpc (Default Web Site)
ExternalHostname :
InternalHostname :

We can configure a single namespace for these instead of the unique server FQDN for each. Note that when you set InternalHostname you must set InternalClientsRequireSsl in the same command. To keep this example simple I am not requiring SSL for internal clients, which means Outlook's RPC-over-HTTP traffic to the Client Access servers travels as plain HTTP on the internal network (you can see it on TCP port 80 in the netstat output further down). In a production deployment you will generally want to set InternalClientsRequireSsl to $true, and for that to work the certificate bound to IIS on every Client Access server must include the namespace.

[PS] C:\>Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname -InternalClientsRequireSsl $false

We also need to make sure that DNS records exist for that namespace and resolve to the Client Access servers. With no load balancer available to me at this stage I am using DNS round robin (one A record per Client Access server), which is not as good as proper load balancing but will do the job for now.

PS C:\> Resolve-DnsName

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
                                               A      3600  Answer
                                               A      3600  Answer

The change made with Set-OutlookAnywhere is not instantaneous. It takes about 15 minutes for the Client Access servers to pick up the new configuration. You'll be able to tell it has taken effect when Outlook's Test E-mail AutoConfiguration returns the new value for Exchange HTTP.
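Putting the steps above together, here is an added example script (not from the original article) that configures the internal namespace on every Client Access server and then checks the three things that have to line up for it to work: the Outlook Anywhere setting on each CAS, the round-robin A records for the namespace, and the certificate bound to IIS on each server. The namespace outlook.corp.example.com and the $true default for InternalClientsRequireSsl are assumptions (the article itself uses $false), and Resolve-DnsName needs the DnsClient module, so run it from the Exchange Management Shell on Windows Server 2012 or later.

```powershell
# Added example, not code from the original article. Configures a single Outlook
# Anywhere internal namespace on every Client Access server in the organization,
# then checks (a) that every CAS carries the new hostname, (b) that the DNS round
# robin for the namespace returns only CAS addresses and covers every CAS, and
# (c) that the certificate bound to IIS on each CAS includes the namespace.
# The namespace below is an assumed placeholder.

param(
    [string]$Namespace  = 'outlook.corp.example.com',  # assumed placeholder, use your own
    [bool]  $RequireSsl = $true   # the article uses $false to keep things simple; require SSL in production
)

$cas = @(Get-ClientAccessServer)

# 1. Set the namespace. InternalHostname and InternalClientsRequireSsl must be set together.
foreach ($server in $cas) {
    Get-OutlookAnywhere -Server $server.Name |
        Set-OutlookAnywhere -InternalHostname $Namespace -InternalClientsRequireSsl $RequireSsl
}

# 2. Confirm the directory objects carry the new value (the servers themselves take
#    roughly 15 minutes to pick it up).
$oa = $cas | Get-OutlookAnywhere | Select-Object Server, InternalHostname, InternalClientsRequireSsl
$oa | Format-Table -AutoSize
$wrong = @($oa | Where-Object { "$($_.InternalHostname)" -ne $Namespace })
if ($wrong) { Write-Warning ("InternalHostname not applied on: " + ($wrong.Server -join ', ')) }

# 3. DNS round robin: each A record for the namespace must belong to a CAS, and every
#    CAS needs a record or it never receives client connections.
$casByIp = @{}
foreach ($server in $cas) {
    Resolve-DnsName -Name $server.Fqdn -Type A -DnsOnly |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $casByIp[$_.IPAddress] = $server.Name }
}
$rr = @(Resolve-DnsName -Name $Namespace -Type A -DnsOnly | Where-Object { $_.Type -eq 'A' })
foreach ($rec in $rr) {
    if ($casByIp.ContainsKey($rec.IPAddress)) {
        "{0} -> {1} ({2}, TTL {3}s)" -f $Namespace, $rec.IPAddress, $casByIp[$rec.IPAddress], $rec.TTL
    } else {
        Write-Warning "$Namespace resolves to $($rec.IPAddress), which is not a Client Access server"
    }
}
$answered = @($rr | ForEach-Object { $_.IPAddress })
foreach ($ip in $casByIp.Keys) {
    if ($answered -notcontains $ip) { Write-Warning "$Namespace has no A record for $($casByIp[$ip]) ($ip)" }
}

# 4. Certificate check: with SSL required, Outlook will not connect to a CAS whose IIS
#    certificate does not cover the namespace (exact name or a one-level wildcard).
$labels = $Namespace.Split('.').Count
foreach ($server in $cas) {
    $iisCerts = @(Get-ExchangeCertificate -Server $server.Name | Where-Object { "$($_.Services)" -match 'IIS' })
    if (-not $iisCerts) { Write-Warning "$($server.Name): no certificate is assigned to IIS"; continue }
    foreach ($cert in $iisCerts) {
        $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $covers  = $domains | Where-Object {
            $_ -eq $Namespace -or ($_.StartsWith('*.') -and $Namespace -like $_ -and $_.Split('.').Count -eq $labels)
        }
        $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' }
                 elseif ($covers) { 'covers namespace' }
                 else { 'does NOT cover namespace' }
        "{0}: {1} {2} (expires {3:yyyy-MM-dd})" -f $server.Name, $cert.Thumbprint, $state, $cert.NotAfter
    }
}
```

Save it as a .ps1 and run it once after creating the DNS records; the warnings tell you which of the three pieces is missing. Step 4 is the one people forget when they flip InternalClientsRequireSsl to $true later on: the namespace has to be on the IIS certificate of every server in the round robin, not just the first one you tested against.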


After waiting a while and then restarting Outlook, the client connects to the newly configured namespace. I left this for about 30 minutes before restarting Outlook only because I wanted to test the result quickly. In the real world you could just let users restart Outlook in their own time (e.g. the next business day).


Netstat shows that the client has resolved the namespace to the address of E15MB2 and that Outlook is connected there at the moment. The connections are on TCP port 80 because SSL is not being required for internal clients in this example; with InternalClientsRequireSsl set to $true they would be on port 443.

C:\>netstat -ano | findstr ":80"
  TCP       ESTABLISHED     2272
  TCP       ESTABLISHED     2272
  TCP       ESTABLISHED     2272
  TCP       ESTABLISHED     2272

So to test high availability I shut down E15MB2 while observing the Outlook connection status dialog.

Without the aid of a load balancer, the Outlook client takes about 20 seconds to time out and then re-establishes connectivity to the other IP address that the namespace resolves to. A much better user experience than before the Outlook Anywhere namespace was configured on the Client Access servers.

C:\>netstat -ano | findstr ":80"
  TCP       ESTABLISHED     2272
  TCP       ESTABLISHED     2272
  TCP       ESTABLISHED     2272
  TCP       ESTABLISHED     2272

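To put a number on that failover window rather than watching the connection status dialog, here is an added PowerShell script (not from the original article) for the client machine. It polls Outlook's established TCP connections on ports 80 and 443 once a second, maps each remote address back to a server name through the round-robin records, prints a line whenever the set of endpoints changes, and reports how long Outlook spent with no connection before it re-established one. It assumes Windows 8 or later on the client (Get-NetTCPConnection and Resolve-DnsName) and the placeholder namespace outlook.corp.example.com.

```powershell
# Added example, not code from the original article. Run on the client where Outlook
# is running, then shut down the CAS it is using. Every second it lists the remote
# endpoints of Outlook's established HTTP/HTTPS connections, prints a line whenever
# that set changes, and reports how long the client spent with no connection at all.
# Assumes Windows 8 / Server 2012 or later and an assumed placeholder namespace.

param(
    [string]$Namespace = 'outlook.corp.example.com',  # assumed placeholder, use your own
    [int]   $Seconds   = 300,                         # how long to watch
    [int[]] $Ports     = @(80, 443)                   # 80 when InternalClientsRequireSsl is $false, 443 when $true
)

# Map each round-robin address back to a server name so the log is readable.
$nameOf = @{}
Resolve-DnsName -Name $Namespace -Type A -DnsOnly |
    Where-Object { $_.Type -eq 'A' } |
    ForEach-Object {
        $ptr = Resolve-DnsName -Name $_.IPAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue
        $nameOf[$_.IPAddress] = if ($ptr -and $ptr.NameHost) { @($ptr.NameHost)[0] } else { 'no PTR record' }
    }

function Get-OutlookPeers {
    # Remote address:port of every established Outlook connection on the watched ports.
    $outlookPids = @(Get-Process -Name outlook -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
    if (-not $outlookPids) { return @() }
    @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -in $outlookPids -and $_.RemotePort -in $Ports } |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
        Sort-Object -Unique)
}

function Describe-Peers([string[]]$peers) {
    if (-not $peers) { return 'no Outlook connections' }
    ($peers | ForEach-Object {
        $ip    = $_.Split(':')[0]
        $label = if ($nameOf.ContainsKey($ip)) { $nameOf[$ip] } else { 'not a namespace address' }
        "$_ ($label)"
    }) -join ', '
}

$previous = @()
$lostAt   = $null
$deadline = (Get-Date).AddSeconds($Seconds)
"{0:HH:mm:ss} watching Outlook connections to {1} for {2} s" -f (Get-Date), $Namespace, $Seconds
while ((Get-Date) -lt $deadline) {
    $current = @(Get-OutlookPeers)
    if (($current -join ';') -ne ($previous -join ';')) {
        $now = Get-Date
        "{0:HH:mm:ss} {1}" -f $now, (Describe-Peers $current)
        if ($current.Count -eq 0 -and $previous.Count -gt 0) {
            $lostAt = $now                                   # connection to the CAS was lost
        } elseif ($current.Count -gt 0 -and $lostAt) {
            "{0:HH:mm:ss} reconnected after {1:N0} s" -f $now, ($now - $lostAt).TotalSeconds
            $lostAt = $null
        }
        $previous = $current
    }
    Start-Sleep -Seconds 1
}
```

The "reconnected after" line is the figure to compare across Outlook versions, TTL settings and (later) a real load balancer. Endpoints labelled "not a namespace address" are connections Outlook makes to something other than the round-robin records, such as a server reached by its own FQDN, which is worth noticing because those will not fail over at all.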

So there you have it, a basic demonstration of Exchange 2013 Client Access server high availability. In upcoming articles we’ll look further at load balancing options for Exchange 2013 CAS, as well as how to configure the external hostname and the SSL options for Outlook Anywhere.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.


  1. The typo on the 3rd server is a little confusing, but then it says “the trouble starts when E15MB goes offline”?! Which server is that?

  2. mattia lodi says:

    Hi Paul,

    If I want to configure only two servers with Mailbox + CAS on each one, how can I configure DNS and the certificate request?
    I want to configure a DAG for Mailbox HA and round robin for CAS HA, OK?


    server 1

    For DNS I need to configure a single namespace for CAS high availability, correct?:

    a record —>>

    a record—>>>

    In my DNS environment do I need to configure two other records for the Autodiscover service, or just those above?

    How can I configure virtual directories such as ECP, EWS, OWA, Outlook Anywhere etc. for redundant CAS?

    Can you explain to me how to configure the certificate request for each one of these services?

    thank you so much

    Mattia Lodi

  3. Paul, great work. Quick question here. In the scenario where the CAS role is broken out to separate front-end servers (configured per above) and the mailboxes are on 2 more servers which are set up with a DAG (per your other article), what additional steps, if any, are needed to ensure seamless failover in the event that the first server in the DAG goes toes up? How are the front-end servers connecting/checking the mailbox servers for availability and for which server to connect to?


  4. Santhosh says:

    What about Windows NLB instead of DNS round robin?

    Will it cause any issues?

    • It has several limitations and issues and no real advantage over DNS RR that make up for them so I don’t think NLB is worth doing for Exchange 2013. That is my opinion anyway.

  5. Paul, you say in this article:
    We can configure a single namespace for these instead of the unique server FQDN for each. Note that when configuring the InternalHostName you also need to set the InternalClientsRequireSSL option as well. To keep this example simple I am not requiring SSL for internal clients.

    Are you saying you should increase security on the LAN with SSL and you actually don’t need to set that, but then the internal traffic will not be encrypted??


    • SSL for internal clients is not required as default. You can turn it on if your “Internal” clients are actually connecting via what you would consider a hostile network (which some people consider *all* networks to be).

      Despite the non-SSL the auth credentials are not passed in the clear anyway, which is probably what some people will be immediately concerned about.

      It isn’t insecure to run it that way but I suspect many customers will enable SSL requirement for internal clients.

  6. So basically with a properly configured single namespace, you do not need NLB anymore it seems?

    It seems this 20 sec switchover will work the same whether the CAS is loaded on the Mailbox or on a separate server?

    • NLB wasn’t a good option for Exchange 2010 anyway.

      With Exchange 2013 I see absolutely no need to run NLB in any scenario. As it stands right now I doubt I will ever recommend it to a customer.

      • Paul,

        Thank you! You made my day. I opened a ticket with Microsoft and two different engineers told me that with Exchange 2013 if you create separate CAS servers you need an NLB. It is like they are stuck in the 2010 world.


        • :-o) That’s hilarious.

          So what is the recommended way to provide high availability for the 2x virtualized CAS 2013 servers?

  7. Paul,

    One thing I just thought of: if you have four Exchange servers, two primary and two in a DR data center over a WAN link, and I create a single namespace and put all four servers in it, won’t the traffic spread across all four and cause 50% of the people to attach to the DR CAS servers, which then have to come back across the WAN links to get the data, then transmit it back over the WAN links again?

    Do you have to leave the DR servers out of the DNS round robin, then manually add them in the event you lose both primary servers?

    • The DR subnet is in its own AD Site.

      • Randy

        I have been trying to understand this, but to not much avail. The below is what I have seen in Exchange 2010 SP3.

        Site A – CAS Array name – SiteA-CA — Site B – SiteB-CA
        For clients whose MBDB is on a Site A MBX server, Outlook talks to SiteA-CA; when the DB fails over to a MBX server in Site B, the client changes the endpoint to SiteB-CA (redirection over proxy, I think this happened somewhere after SP2 RU2).

        I am assuming that the same concept applies in Exchange 2013 as well, unless someone corrects me.

        To answer your question in the 2010 world – 2 datacenters in 2 different sites can’t be part of the same CAS array name; the question is how it is achieved in Exchange 2013.

        Gopinath T

  8. Paul,

    Nice article. Can you please clarify how Outlook updates itself with the changes made? I mean you mentioned that within 30 minutes it’s updated, so has the TTL for the EXPR provider changed in 2013?

    Also, is there a CAS array in 2013, and can it be bound to a site?

    Gopinath T

  9. Hi Paul and thanks for another great tutorial!
    I wonder when your next will come out. At the end of this post you mentioned the following:

    In upcoming articles we’ll look further at load balancing options for Exchange 2013 CAS, as well as how to configure the external hostname and the SSL options for Outlook Anywhere.

    Hope it’s out soon, and keep up the good work!

  10. Manguon055 says:

    Hi everyone,
    My system has 4 Exchange 2013 servers (2 Mailbox servers in a DAG and 2 CAS). RPC/HTTPS is unstable. When I modify a database or move a mailbox the Outlook client disconnects (but webmail is normal), and after waiting 1–2 h it reconnects.
    I still have not fixed it. Who can help me…

  11. Hi Paul,
    Just wanted to check with you about the configuration you stated above.
    Are you saying there is no need for load balancing Exchange with NLB or a load balancer?
    What if you have the Exchange server published through TMG or UAG or any reverse proxy? How will that work without having a virtual IP to publish to TMG or any reverse proxy software, as they are not aware of RPC/HTTPS or Autodiscover and work either with FQDN or IP?

    thank you
    David K

    • I didn’t say there is no need for load balancing.

      If you’re publishing multiple CAS in TMG you can let TMG do the load balancing for you.

      • Andrey Santana says:

        Hi Paul,

        Regarding this issue, I read that a proper NLB should have service awareness (L7 NLB).
        Meaning, if the server is online but the service is down, the NLB will automatically fail over to the other available servers.
        However, I can’t seem to find any good info on this.
        Do you have any recommendation?
        Will TMG do the job, or will it just send the information using DNS RR?

        • Windows NLB does not have service awareness.

          TMG is end of life.

          If you need robust L7 load balancing with service awareness then look at a load balancer from a vendor such as Kemp or F5.

  12. You can add an additional IP address on the primary CAS server for the CAS Array hostname, with the unstable NLB uninstalled. If the primary CAS goes offline, just add the same additional IP to another CAS. That way you have control of the CAS servers.

    Probably the same can be done with the Exchange 2013 single namespace.

    • There is no CAS Array hostname in Exchange 2013. And moving IP addresses around manually is not a very good HA strategy.

      • For example, on Exchange 2010 with a CAS Array and 2 NLB nodes, mail flow sometimes stopped completely (on two different NLB setups). To restore mail flow I had to disable/enable the NLB Ethernet adapters…
        I uninstalled NLB and implemented an additional IP for the primary CAS Array node; so far it works very stably.

        A similar solution works for Exchange 2013 external links too…
        No need for NLB, HWLB, DNS…

        Of course this will not be suitable for all deployments.

  13. Hi Paul

    Thanks for the great article. Can you please explain the requirements and configuration for 2 sites, each containing 2 multi-role Exchange 2013 servers? If we make use of a single namespace, would that not cause 50% of the users to connect to the DR site CAS “array”, and they would have to traverse the WAN to get to their active Mailbox server?

    I would like to know how you get around this. Both my sites will have active mailbox users and I would like each site to connect to its own CAS array name. In the event of a disaster the sites should fail over to each other. What are my requirements?

    Kind Regards,


    • Hi JP,

      I would recommend that you mount the databases of the users of site A in site A and have a copy of the databases in site B, and the same for site B: mount the databases in site B and have a copy in site A, since Exchange 2013 is more aware of where the database of a specific user is found and will direct the CAS to where the database is active. When an incoming client connection must be processed, CAS looks up Active Directory to find details of the mailbox via its GUID, and Active Manager will tell CAS what Mailbox server currently hosts the active copy of the database.

      David K

      • Thanks David.

        Just a bit of background, I would like to deploy the following:

        Site A: 2x CAS Servers & 2x MBX servers. Site A also has the Internet Breakout & reverse proxy.
        Site B: 2x CAS Servers & 2x MBX Servers. Site B has no Internet breakout.

        The DAG will be configured as per your post above, split across both sites containing all 4x MBX servers: Site A users’ databases mounted in site A with a copy in site B, and Site B users’ databases mounted in site B with a copy in site A.

        Site A CAS servers will be deployed in a CAS array for that site, with a single namespace for that site.
        Site B CAS servers will be deployed in a CAS array for that site, with a single namespace for that site.

        I however need to ensure that only Site B users connect via the Site B CAS array and only Site A users connect via the Site A CAS array.

        I would like to avoid a 50% split in CAS proxy traffic across the WAN if either of the sites fails, and I would like to provide site resilience. How would you recommend I do that?

        I will configure the internal URLs on Outlook Anywhere for both Site A CAS servers to reflect


        I will configure the internal URLs on Outlook Anywhere for both Site B CAS servers to reflect

        The External URL’s for both sites will be configured as:, which will point to the CAS Servers in Site A this should cause external connecting users who have mailboxes hosted in site B to be proxied across the WAN to site B CAS Servers. {which is fine}

        I would like to know from an internal connectivity perspective, if Site A CAS Servers would fail what is required to be performed to provide site resilience? so users would then connect to Site B Cas Array servers and be proxied across the WAN to Site A MBX server where the mailbox DB is mounted.


        I would like to know from an internal connectivity perspective, if Site B CAS Servers would fail what is required to be performed to provide site resilience? so users would then connect to Site A Cas Array servers and be proxied across the WAN to Site B MBX server where the mailbox DB is mounted.

        Kind Regards,


        • Hi JP,

          Well first, to get things straight, there is no such thing as a CAS Array in Exchange 2013; they have removed this and it is found in Exchange 2010. Also, having two different site names will kick out the HA of Exchange in your organization: in case the servers in site B go down, the users will not automatically switch to the servers in site A, since you only limited the site to two servers in the configuration you have set in Outlook Anywhere.

          If you read up in Paul’s article you will see how he set up Outlook Anywhere to be the same across the site and let Outlook and Exchange deal with finding where the mailbox is active over HTTP/HTTPS.

  14. Hi David

    The CAS Array in Exchange 2013 doesn’t exist anymore, but the grouping of CAS servers (“array” or load balance) does exist.

    Trying to avoid the below 2 points:

    Internal users that have mailboxes hosted on mounted DB’s located in site A connecting to Site B CAS Servers/ internal CAS Load balancer URL if there is no disaster.

    Internal users that have mailboxes hosted on mounted DB’s located in site B connecting to Site A CAS Servers/ internal CAS Load balancer URL if there is no disaster.

    Trying to achieve the below 2 points:

    1.Internal users to connect to Site A, CAS Array/internal CAS Load Balancer URL if they have mailboxes mounted DB’s hosted in site A, and ONLY connect to site B CAS Servers/array in the event of a disaster.

    2.Internal users to connect to Site B, CAS Array/internal CAS Load Balancer URL if they have mailboxes mounted DB’s hosted in site B, and ONLY connect to site A CAS Servers/array in the event of a disaster.

    How do I achieve this? Please advise.

    • There’s high availability, and then there is site resilience. HA is for general faults and failures like a server being down, SR is for full DR situations.

      HA can be automatic. SR tends to require manual intervention, as is appropriate for a full-blown DR situation.

      There are also a lot of factors that go into designing HA and SR. Are the two physical locations the same AD site, or two different AD sites? What is the connectivity and bandwidth between each data center? What is the bandwidth and connectivity between the data centers and the client locations? How many DAG members are at each site? What load balancers (if any) are available? So on and so on.

      Giving you a solution here in a comments section is impossible. But I would encourage you to think about the *simplest* possible solution you can put in place. A lot of networks can easily handle clients connecting to either data center regardless of where their mailbox happens to be active at the time.

    • Darren Johnson says:


      I have exactly the same scenario as you here!

      Did you ever get a working solution to this?



  15. Hi Paul, Thanks for the great article. What do you think of this as an alternative to the round robin DNS?
    Create the single namespace as you described, however in DNS point that record to the DAG IP address. Then the client is always pointing to the active server when the DAG IP moves in the event of a server shutdown or failure. I have tested this and it seems to work fine. If I ping the DAG IP, I only lose 1 packet when the server shuts down and the IP moves to the other server. The client remains connected.


  16. Hi again, they do if you tell them to. Picture this…
    EX01.local =
    EX02.local =
    DAG1 =
    Set-OutlookAnywhere = mail.local
    Set DNS mail.local =
    Create Computer account called Mail.

    Autodiscover sets users to connect to mail.local, which is EX01 (1.10), and Mail (1.12) is set as well as this is the active database holder.
    EX01 (1.10) goes down and the DAG IP (1.12) instantly moves to EX02 (1.11). The client is still pointing to Mail on 1.12, but it is in fact now the other server. The cluster service moves the 1.12 IP in 1 second from EX01 to EX02.

    I have had this running in 2010 for a few years with no problems. My current test lab for Ex 2013 is set up like this and seems to work very well.


    • No. What you’ve got there is a hack that happens to work because you’re running multi-role servers, but is incorrect as far as the actual Exchange server role architecture works (in both Exchange 2010 and 2013).

      It is not correct to point your client namespaces at the DAG IP and you should not recommend it to anyone.

  17. Hi Paul, I can’t argue with that and you certainly know what you are talking about.
    Thanks for all the good advice.

  18. Hi Paul

    Can you please have a look at my earlier posts above and provide some input?

    Kind Regards,


  19. Bas van den Dikkenberg says:


    I have two CAS servers in two locations on 2 subnets.

    What I want is: if the CAS server on site 1 is down, the clients on that site go to the CAS on site 2.

    Can that be done automatically instead of using round robin?

  20. Hi, I have two network connections on my Exchange Server 2013, one for the internet and another for the local network. My problem is that when I enable the internet network connection the Exchange Server services stop and ECP doesn’t open in my organization, but when I stop the internet network connection everything works fine and ECP opens in my organization… What’s the problem? What can I do about this… thanks

  21. Luke Pickard says:


    I’m strongly considering implementing the round robin DNS as you suggest, but I’m fearful of what happens when one server is down. The DNS won’t know this server is down and will continue to serve requests to the invalid IP, resulting in continuous errors until both servers are connected again, right?

    Once a connection between Outlook and a CAS is made, does it maintain that connection until it is lost, or does it try to hit the single FQDN each time and therefore result in an error 50% of the time when there is an outage?

    • Towards the end of the article I talk about what happens to Outlook when I shut down one of the servers.

      For long term outages you would remove the offline server’s IP from DNS to prevent clients from trying to connect to it.

      For better HA experience for end users you would implement a load balancer.

      • Luke Pickard says:

        I guess we would have to implement two load balancers to keep from having a single point of failure. I appreciate the help.

        • Hi Paul,

          Would NLB not be an improvement on RR in the event of one server being off the air, as users would automatically be redirected to the live server? Or am I missing something here !

        • My opinion is that the HTTP client (eg Outlook, IE) is smarter at detecting a failure.

          Remember NLB only detects if an entire server is down. If just one service (like OWA) is failing then it won’t know and will keep directing traffic to it. And because the client only has one IP to connect to (the NLB VIP) it can’t decide to try another IP instead, as it can with DNS RR.

          The only advantage I see with NLB is that it will actually *load balance* the traffic, as opposed to DNS RR which will not (it will just semi-load balance as clients randomly choose one or the other DNS record).

          But if true load balancing like that is required in your environment then a proper load balancer (like an F5 or a Kemp Loadmaster) would be much, much better than NLB.
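As an added example (not from the article or the comment thread) of the manual step Paul describes for a long outage, this PowerShell script removes one Client Access server's address from the namespace's round-robin A records on a Windows DNS server, and adds it back afterwards. It uses the DnsServer module (Windows Server 2012 or later, or RSAT); the DNS server, zone and host names are assumed placeholders, and it assumes each CAS has a single A record in the same zone. Clients that have already cached the answer keep using it until the record's TTL expires, which is why the restore step writes a short TTL.

```powershell
# Added example, not code from the original article or its comments. Takes one Client
# Access server out of the DNS round robin for a planned or long outage and puts it
# back afterwards, using the DnsServer module. Server, zone and host names are
# assumed placeholders; each CAS is assumed to have one A record in the same zone.

param(
    [Parameter(Mandatory)][ValidateSet('Remove', 'Restore')][string]$Action,
    [Parameter(Mandatory)][string]$CasName,              # host label of the CAS, e.g. E15MB2
    [string]  $DnsServer = 'dc01.corp.example.com',      # assumed placeholder
    [string]  $Zone      = 'corp.example.com',           # assumed placeholder
    [string]  $Namespace = 'outlook',                    # host label of the namespace within $Zone
    [TimeSpan]$Ttl       = [TimeSpan]::FromMinutes(5)    # short TTL so clients re-resolve quickly
)

# The CAS's own address, read from its host record rather than typed in by hand.
$casRec = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $CasName -RRType A -ErrorAction SilentlyContinue)
if (-not $casRec) { throw "No A record for $CasName in $Zone" }
$casIp = $casRec[0].RecordData.IPv4Address.IPAddressToString

# Current members of the round robin.
$rr      = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $Namespace -RRType A -ErrorAction SilentlyContinue)
$current = @($rr | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

switch ($Action) {
    'Remove' {
        if ($current -notcontains $casIp) { "$CasName ($casIp) is not in the $Namespace round robin"; break }
        # Never empty the namespace: with no records left, every client fails.
        if ($current.Count -le 1) { throw "Refusing to remove the last address for $Namespace.$Zone" }
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $Namespace -RRType A -RecordData $casIp -Force
        "Removed $casIp ($CasName) from $Namespace.$Zone; cached answers expire within the old TTL"
    }
    'Restore' {
        if ($current -contains $casIp) { "$CasName ($casIp) is already in the $Namespace round robin"; break }
        Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone -Name $Namespace -IPv4Address $casIp -TimeToLive $Ttl
        "Added $casIp ($CasName) to $Namespace.$Zone with TTL $($Ttl.TotalMinutes) min"
    }
}

# Show the resulting round robin so the change can be eyeballed.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $Namespace -RRType A |
    Select-Object HostName, TimeToLive, @{ n = 'IPAddress'; e = { $_.RecordData.IPv4Address } }
```

Run it as `.\Set-CasRoundRobin.ps1 -Action Remove -CasName E15MB2` before a long maintenance window and with `-Action Restore` afterwards. It changes only the namespace record, so the server's own host record (and anything else that points at it by FQDN) is untouched, and the "last address" guard stops a typo from taking the whole namespace offline.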

  22. Greetings Paul.

    In Exchange 2010, the Outlook client looked for a connection point via an LDAP query to the SCP. From the SCP it received the URL of a CAS server. The CAS provided the Outlook client with the connection point registered on the mailbox database as “RpcClientAccessServer” (CAS Array or CAS server). After all this the Outlook client connected to that point.

    At the moment, I do not understand the principle of autoconfiguration of Outlook mail clients with Exchange 2013 :(
    Outlook looks for the connection point via an LDAP query to the SCP. From the SCP it gets the CAS server URL. What setting does the CAS server give to the Outlook client?
    After auto-configuration, the Outlook client has a connection point (server name) “234b- 34545” and a proxy name (internal Anywhere URL).

    What is “234b- 34545”?
    Why does the “proxy name” in the Outlook client have the internal Anywhere URL, but not the external Anywhere URL (this setting is registered on the server)?

  23. Raza Usman says:

    Hi Paul,

    I have an Exchange 2013 CU2 deployment on a Hyper-V VM on 2008 R2 Standard (say exchange01). A snapshot was taken and deleted. If I shut down the VM a merge will happen and the consequences are not clear. I can’t add the VM to a high availability group due to Standard Windows on exchange01.
    I would like to add another physical machine (say exchange02) move all the mailboxes from the first to the second and then shutdown the VM for a merge. In essence a manual high availability, disaster recovery move.
    There is not much literature on two separate exchange servers on the same domain without a DAG. I have full access to the running exchange01.
    My questions are:
    1. Is this the right step? Any other way to save exchange01?
    2. Can I move mailboxes between two separate servers on the same domain without a DAG? What’s the best way to move the mailboxes? Should I make a recovery database and use dial tone portability, or batch move through the EAC?
    3. If I add the second Exchange server, will it disrupt the operations of the first in any way?
    4. How can I make the move transparent for the outlook client.
    5. Any other advice will be much appreciated

    1. Can I use a backup of the virtual machine through windows backup to do a restore on a physical server as listed at

    Thank you

    P.S Great job on the site. Concise pertinent information.

    • Yes you can install as many servers in the org as you like without creating a DAG. There’s nothing unusual about that.

      Yes you could move all the mailboxes across to reduce the risk/impact of the snapshot merge on the first server.

      Moving mailboxes is safer than trying to do a database portability or recovery operation.

      I of course recommend you take backups of your databases before you do any of this.

      Outlook should connect to the second server just fine after the mailbox is moved, no action required by user.

      Hopefully by now you learned not to snapshot Exchange servers, which is an unsupported operation.

  24. Rengga Patria says:

    Hi Paul,

    I have 4 servers, 2 with the CAS server role and 2 with the Mailbox server role. I have succeeded in setting up CAS high availability (thanks to you :D ).

    I would like to try this case:
    OutlookAnyWhere :
    CAS1 :
    CAS2 :

    OutlookAnyWhere :
    CAS1 :
    CAS2 :

    Can I set Outlook Anywhere with multiple namespaces for the same CAS server role?



    • Outlook Anywhere can have both an internal and external URL. They can be different if you like. Best practice is to keep them the same and use split DNS to manage internal vs external name resolution.

  25. Hello Paul ,
    I do not understand why the last server is only a Mailbox server and not a combined server just like the other two? Is it not possible to solve this with round robin over three CAS servers?

    I imagine a DAG with three members and a dynamic quorum, which in one case might lose two members (at a sequential shutdown) and then still be able to run the CAS/MBX on one member.
    In your case, if you are running dynamic quorum and you have the misfortune of the first two servers going down, you are left without CAS and thus without the ability to send/receive email. I know this solution is not an optimal HA solution with dynamic quorum. But I believe if two servers go down at the same time, my third will do it too. So I expect that I have all three servers up or not, but the possibility exists for a service window to shut down a server and get an error on my second server, giving me the access I need via a third server and dynamic quorum.

  26. Alessandro Matano says:

    Hi Paul, great job here!
    Finally this sorted out the problems back with 2010 when you had no budget for more than 2 Exchange servers. :-)

    Little question. My Outlook 2010 takes well more than 20 seconds to reconnect once I take down one of the two legs. I figured you have to add the time of the DAG failover, but still I’m wondering if this could be minimized.
    Is there any way to reduce the TTL in the RR scenario, so the connection goes to the other address more quickly?
    Also, is there any difference using OL 2010 and 2013 in Autodiscover?


    • I can’t really make any claims to how fast or slow the clients will handle failovers in different prod environments. The TTL doesn’t really matter here, you’re serving up 2 or more DNS records and the client determines when one is unavailable and tries the other. It works, but your mileage may vary. If you want faster, more robust HA then a load balancer would be worth looking at.

  27. How can I configure an Exchange 2013 mailbox manually in Outlook when a different user is logged in?

  28. Hi Paul! Great Job!

    Just one thing that I’m trying to accomplish but I’m not sure about!

    I have two datacenters with one DAG each with an active database. There is a CAS in each datacenter also.

    Here’s the scenario:

    DC A: 2 MBX / 2 CAS – Active/Passive Mailbox Database – SUBNET A – AD SITE A
    DC B: B MBX / 2 CAS – Active/Passive Mailbox Database – SUBNET B – AD SITE B

    In Datacenter A there are dozens of other sites that connect to Exchange Server using the single namespace “”

    There’s a security policy in Datacenter B where we need the users in site B to always connect to this site.

    I have this: – – SUBNET A

    I add this – – SUBNET B

    So, I want the users in the site B always use not

    How can I reach this configuration? I can’t use a single namespace in this scenario.

    In Exchange 2010 we had a CAS Array that I configured per site, but in Exchange 2013 I’m not sure about this.

    Thanks in advance.


    • I have to ask, what is the point of splitting the DAG over two sites if users are only allowed to connect to one of them?

      • Hi Paul!

        The Datacenter A will have the most users from the environment!
        Datacenter B, because of the security policies of the country, has to have its email system in this datacenter! In this case I need to configure a way for these users to only connect to this site!

        The fact is how do I configure a specific name space for this site!?

        Thank you for your reply!

        • Configure the CAS Outlook Anywhere hostnames in that site with the name you want them to use.

          If they require mail to be hosted only in that datacenter then it seems like a breach of that policy to have the DAG span two sites.
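
The per-site Outlook Anywhere hostname configuration described in the reply above, as an added example that is not part of the original post and not Microsoft’s own script. The AD site name `SiteB` and the namespace `mail-siteb.example.com` are placeholders; run it in the Exchange Management Shell.

```powershell
# Added example (not from the original post): give the Client Access servers in one AD site
# their own Outlook Anywhere namespace so Outlook clients in that site resolve a site-local name.
# Placeholders: AD site 'SiteB', namespace 'mail-siteb.example.com'.

$SiteName  = 'SiteB'
$Namespace = 'mail-siteb.example.com'

# Pick the CAS role holders that live in the target AD site.
$siteCas = Get-ExchangeServer |
    Where-Object { $_.IsClientAccessServer -and $_.Site.Name -eq $SiteName }

if (-not $siteCas) { throw "No Client Access servers found in AD site '$SiteName'" }

foreach ($server in $siteCas) {
    # Set-OutlookAnywhere rejects a hostname change unless the matching *ClientsRequireSsl
    # parameter is supplied in the same command, so both are set explicitly here.
    Get-OutlookAnywhere -Server $server.Name |
        Set-OutlookAnywhere -InternalHostname $Namespace -InternalClientsRequireSsl $true `
                            -ExternalHostname $Namespace -ExternalClientsRequireSsl $true
}

# Verify: every CAS in the site now advertises the site namespace.
$casNames = $siteCas | ForEach-Object { $_.Name }
Get-OutlookAnywhere |
    Where-Object { $casNames -contains $_.Server.Name } |
    Format-Table Server, InternalHostname, ExternalHostname,
                 InternalClientsRequireSsl, ExternalClientsRequireSsl -AutoSize
```

The namespace must resolve, in the DNS the site B clients use, to the site B Client Access servers, and the certificate on those servers must include the name; the script only changes what the servers advertise, not DNS or certificates.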

      • Did you think about geo DNS?
        It will give these users this answer and those users that answer (different datacenters, one namespace).

  29. Good article in a rather surprisingly sparse 2013 HA and SR documentation space. This DNS ‘load balancing’ is certainly an interesting feature, particularly for small business, but in my tests it did not work very well – I guess too much depends on the particular clients, DNS record configs (TTLs still do matter – by MS recommendation you need to set them to 5 min), etc. I’m looking forward to the next article with the LB solution. Anytime soon?

    Also, the issue with directing users to a particular datacenter – is it resolvable at all? Or are we stuck with having datacenter load balancing instead of datacenter failover? It’s important in many cases, as I personally don’t see any point in users in Georgia connecting to a CAS in California only to be proxied back over an already loaded WAN to Georgia-located mailboxes. And vice versa. It could only be useful when disaster strikes. But under normal working conditions is there anything we can do to ensure users are only connected to the datacenter where their mailboxes actually are?

  30. Paul,

    Long time reader, first time poster. :)

    I have configured a DAG for a client with the following setup:

    Site A = Main Office
    Site B = Tertiary (DR)

    In Site A I have the EX01 server
    In Site B I have the EX02 server
    In Site B I have the FSW

    Split DNS is configured with pointing to both EX01 and EX02 as above.

    I have some questions based on HA and SR.

    1. We have an issue when, for whatever reason, the VPN between Site A and Site B goes down: Outlook clients at Site A cannot connect to Exchange. Is this because the FSW server is in Site B and should be in Site A?

    2. I have DNS Made Easy failover in place that, in the event of an outage, points to the tertiary. Should I, in the internal DNS, point the clients to on the tertiary server’s external IP as part of the split DNS round robin configuration?

    3. In the event the office is down and users connect to the RDP server located at the Tertiary location, will they have issues connecting with Outlook?

    Thanks Paul.

    • 1) That is a question of DAG behaviour. When the link is down EX01 is isolated and EX02 + FSW are able to form quorum, so I would expect the databases will then be active on EX02. Anyone not able to connect to a CAS that can then proxy them to EX02 won’t be able to connect to their mailbox.

      2) I don’t quite understand your question. But if your site to site link is down, clients need to be able to connect to a CAS that can proxy them to the active mailbox database(s).

      3) Wherever they are using Outlook from, as long as it can connect to a CAS that can connect to the active mailbox database copy then it should work.

  31. Couple of questions:

    1. In the article it says “when configuring the InternalHostName you also need to set the InternalClientsRequireSSL option as well”. But you did not and it all still works well. So does “need” in this context mean “must” or “can”? So if I don’t set the …RequireSSL parameter (either for internal or external clients) what would happen? Also, is setting this parameter equivalent to checking the ‘require ssl’ box in IIS or is it an independent setting?

    2. What about setting the RPCClientAccessServer parameter – is it still required or no longer? It’s still present and has a value pointing by default to one of the CAS servers. But does it do anything (considering the stores are now decoupled from CAS and all communications are now HTTP based)?

    3. And still the all-important question – should we understand that now, with the new way of load balancing between two data centers (say, located one in MT and the other in CA), users with active mailboxes in CA may happen to connect to an MT CAS to get to their CA mailbox, and there is no way for them to know or control it?

    4. And the last one – how many namespaces would need to be configured in the simple case like presented in the article? Would just two be enough – and (Same for two datacenters?)


    • 1) I did set that option in the example.

      2) Not required for Exchange 2013.

      3) Yes. Geo-load-balancing would be a way to avoid that if it is a concern. Obviously that carries some costs with it.

      4) A single namespace is the minimum. You can read more about that here:

      Also demonstrated here:

      I used autodiscover.* as well because some mobile devices will try to use that in the autodiscovery process.

      • Thanks, Paul.

        1. I understood it as the ‘need to set the parameter to “true”‘. So if I’m getting it right it means it can be either true or false but needs to be set to something, otherwise the client will not connect. Intuitively one would think it should have some value by default.

        2. Great. So it’s just another legacy parameter that MS sloppily left that does not do anything. One thing less to worry about.

        3. Got it now. So that’s the reason why we still might need geo-balancers. Otherwise Exchange would not figure out which way is better to connect the client to the closest site. It’s random (until something breaks).

        4. Very useful links (both). Got it now. Though autodiscover is still a little confusing topic. In your article you are setting up a single namespace for all services (including autodiscover) but then in the link to setting up certificates you are saying:

        “With all of the namespaces configured the next steps are:
        Generate a Certificate Request for Exchange 2013 that only includes the minimum required names (in this case and”
        Or, after some thinking, maybe I am getting it after all – the minimum required names is a single name, but then autodiscover most likely will not work (unless the ‘domain only’ portion is pointed to the same IP as all other services). To make sure it does work at least two names should be on the certificate – a single one for all the services and another one for In addition, the external autodiscover name is not configurable and need not be configured; it’s assigned by Exchange itself. Only the internal URL for the autodiscover service needs to be set up manually.
        And it is also my understanding that not only mobile devices but Outlook as well will try to use the autodiscover link (otherwise, what else would it be using for autoconfiguration?).
        Hopefully, I got it right now.

        • 1) When you are setting the internal URL you need to explicitly set the SSL option as well. Try running the command without that and you’ll see what I mean.

          2) Calling it sloppy is a bit much. The attribute exists in the schema for objects of that type. What options do they have? Remove it and probably break legacy systems, or create a whole new object type and duplicate effort?

          3) Exchange doesn’t figure anything out. The client looks up the namespace in DNS and resolves it to one or more IPs to connect to. It isn’t really up to Exchange to determine whether you should be connecting to Site A or Site B if they both have the same namespace.

          4) You can run a single namespace for domain-joined clients that have the ability to look up the Autodiscover SCP in AD. Non-domain-joined clients (like mobile devices) can’t do that, and instead fall back on the other ways of finding Autodiscover for their domain (ie,, or SRV records in DNS).

          So yes, Outlook uses Autodiscover (the service) but not necessarily autodiscover.* (the URL) because you can configure the Autodiscover URL to be anything you like for domain-joined clients and they’ll be able to look it up in AD.
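
The two Autodiscover discovery paths contrasted in the reply above (the SCP in AD for domain-joined Outlook, and the DNS-derived names that other clients fall back to), as an added example that is not part of the original post and not an Exchange or Microsoft script. It assumes the Exchange Management Shell on Windows 8 / Server 2012 or later (for `Resolve-DnsName`); the SMTP domain `example.com` is a placeholder.

```powershell
# Added example (not from the original post): list the Autodiscover endpoints a client can end
# up using. Domain-joined Outlook reads the SCP from Active Directory; non-domain-joined clients
# (mobile devices, Outlook outside the domain) derive candidate names from the SMTP domain and
# try them in order. Placeholder SMTP domain: example.com.

param([string]$SmtpDomain = 'example.com')

Write-Host "== Autodiscover SCP values in AD (used by domain-joined Outlook) =="
Get-ClientAccessServer |
    Select-Object Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope |
    Format-Table -AutoSize | Out-String | Write-Host

Write-Host "== DNS fallbacks tried for $SmtpDomain (used by non-domain-joined clients) =="
# Order matches the client fallback sequence: root domain, autodiscover host (also used for the
# port-80 redirect check), then the SRV record.
$candidates = @(
    @{ Label = "https://$SmtpDomain/autodiscover/autodiscover.xml";              Name = $SmtpDomain;                      Type = 'A'   },
    @{ Label = "https://autodiscover.$SmtpDomain/autodiscover/autodiscover.xml"; Name = "autodiscover.$SmtpDomain";       Type = 'A'   },
    @{ Label = "SRV _autodiscover._tcp.$SmtpDomain";                             Name = "_autodiscover._tcp.$SmtpDomain"; Type = 'SRV' }
)

foreach ($c in $candidates) {
    $answer = Resolve-DnsName -Name $c.Name -Type $c.Type -ErrorAction SilentlyContinue
    if (-not $answer) { Write-Host ("{0,-70} no record" -f $c.Label); continue }
    foreach ($rr in $answer) {
        switch ("$($rr.Type)") {
            'SRV'   { Write-Host ("{0,-70} -> {1}:{2}" -f $c.Label, $rr.NameTarget, $rr.Port) }
            'CNAME' { Write-Host ("{0,-70} -> {1} (CNAME)" -f $c.Label, $rr.NameHost) }
            'A'     { Write-Host ("{0,-70} -> {1}" -f $c.Label, $rr.IPAddress) }
        }
    }
}
```

A hit on the root domain is only useful if that host actually answers Autodiscover with a certificate valid for the name; otherwise the client moves on to the next candidate, which is why the second name (or the SRV record) is what a non-domain-joined client normally ends up using.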

  32. I have been working on and testing Exchange 2013 HA with DAGs while learning Windows 2012 dynamic clustering. One question I can’t seem to answer is what type of traffic goes over the DAG IP? In testing I can have the DAG “offline” yet the databases can still sync up.

    So what type of traffic actually goes across this DAG IP? I know this IP is tied to the computer name of the DAG – but what does it actually do?

    If the “active” DAG IP is online in the DR site, yet our active Exchange 2013 mailboxes are mounted in the primary site, what type of issues (or traffic issues) does this cause?

    • The DAG IP is used to connect to the PAM (Primary Active Manager) of the DAG. An example is a Client Access server that needs to know where the active database copy is for a user’s mailbox. It asks the PAM for that info.

      The DAG IP is not used for database replication or client connectivity.
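
A DAG state check that makes the points in the two replies above visible (the PAM reached through the DAG name/IP, the witness and which members still have quorum after a site link drops, and where each database copy is mounted), as an added example that is not part of the original post and not an Exchange or Microsoft script. The DAG name `DAG1` is a placeholder; run it in the Exchange Management Shell.

```powershell
# Added example (not from the original post): DAG state check for a site-link failure.
# Placeholder DAG name: DAG1.

param([string]$DagName = 'DAG1')

$dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status

# The DAG IP/name is how the Primary Active Manager is reached (e.g. by a CAS asking where a
# database is active); it carries no replication and no client traffic.
$dagIps = ($dag.DatabaseAvailabilityGroupIpv4Addresses | ForEach-Object { $_.ToString() }) -join ', '
Write-Host ("DAG {0}: PAM = {1}; DAG IP(s) = {2}" -f $dag.Name, $dag.PrimaryActiveManager, $dagIps)
Write-Host ("Witness server: {0} (directory {1}); witness share in use: {2}" -f `
    $dag.WitnessServer, $dag.WitnessDirectory, $dag.WitnessShareInUse)

$members = $dag.Servers            | ForEach-Object { $_.Name }
$online  = $dag.OperationalServers | ForEach-Object { $_.Name }
Write-Host ("Members: " + ($members -join ', '))
Write-Host ("Operational (still part of the quorum): " + ($online -join ', '))

$isolated = $members | Where-Object { $online -notcontains $_ }
if ($isolated) {
    # Members on the losing side of a quorum split: databases they held move to the operational
    # side if a copy exists there, otherwise they are dismounted. Clients can only reach their
    # mailbox through a CAS that can proxy to the operational side.
    Write-Host ("NOT operational: " + ($isolated -join ', '))
}

# Replication runs over the DAG networks, not the DAG IP.
Get-DatabaseAvailabilityGroupNetwork -Identity $DagName |
    Select-Object Name, ReplicationEnabled,
        @{ n = 'Subnets'; e = { ($_.Subnets | ForEach-Object { $_.SubnetId.ToString() }) -join ', ' } } |
    Format-Table -AutoSize | Out-String | Write-Host

# Where is each database active right now, and what state are the other copies in?
Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus |
    Sort-Object DatabaseName, @{ Expression = 'ActiveCopy'; Descending = $true } |
    Select-Object Name, Status, ActiveCopy, CopyQueueLength, ReplayQueueLength, ContentIndexState |
    Format-Table -AutoSize | Out-String | Write-Host
```

Run it from a server on the side that still holds quorum; on an isolated member the `-Status` query will be slow or fail, and copies hosted on unreachable members show up as `ServiceDown` or `Failed` in the last table.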

  33. Darren Johnson says:

    Hi Paul,

    I have a similar situation to JP above and I could really do with your help!

    We have 3 physical sites, site A, B & C, with sites A & B having a really fast, low-latency link between them, so from an AD point of view they are 1 site. Site C has links to both sites A & B, but the link is a lot slower and it is a separate AD site.

    We have an Exchange design with 3 servers (one located at each physical site) that will form a DAG spread over the 3 physical sites. Ideally we will separate the CAS and mailbox server roles and have them controlled by a hardware load balancer; however, we can have both roles on the same server if required.

    What we want is to prevent a situation where an Outlook client in site C connects to a CAS server in site A/B with the mail being hosted on a mailbox server in site C, therefore traversing the network twice to get its mail.

    From doing the Microsoft training course, my understanding is that in Exchange 2013 the CAS server only proxies the request on to the mailbox server and does not redirect the request to the CAS server in the site where the mailbox server resides.

    I have seen information online stating that a single namespace is the way to go as long as your site links/network bandwidth are good, but nothing to help with our scenario.

    Have you/anyone else come across this situation and how did you get round it?

    Thanks in advance :)

    • If you want clients in site C to connect to a CAS in site C, then use a CAS namespace for site C that resolves to the site C Client Access server(s), and set the RPCClientAccessServer for those databases to that CAS namespace, and host the active database copies for those users in that site.

      • Darren Johnson says:

        Hi Paul,

        Thanks for getting back to me.

        My understanding was that the RPCClientAccessServer attribute is deprecated in Exchange 2013 and is no longer used after any migration to 2013 has been completed.

        Is this the case? Or are you saying we can use it?



        • Sorry I was answering too many comments last night and didn’t read yours properly. For some reason I thought you had an Exchange 2010 scenario you were asking about.

          You’re correct, that attribute is not relevant to us in Exchange 2013.

          Geo-DNS is probably something you should look into.

          Your scenario is a curious one. Why are you trying to run a DAG over bandwidth that you also say is too poor to handle client connections?

          Also, in cached mode the clients don’t really need much bandwidth. Is it a genuine problem for you if they are connecting to out-of-site CAS?

  34. Hey Paul,

    Here is my current project:

    Exchange 2007 to Exchange 2013 migration

    We have two(2) sites

    Chicago (Installing CAS & MBX)

    Milwaukee (Installing CAS & MBX)

    I plan on having a DAG between sites. Both sites are also Internet facing. I would like to setup HA on the CAS role also and make this failover properly if we lose one of the sites. Taking your above article into account, can you provide any ideas on the HA configuration.

    Thanks, and love your blog.

    • If you don’t mind which site clients connect to then having the Outlook Anywhere FQDN resolving to both sites’ CAS is an approach to consider.

      If you do mind which site they connect to then have the Outlook Anywhere FQDN resolve to just the primary site and manually update it if there is a DR situation.
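
The two DNS arrangements in the reply above, as an added example that is not part of the original post and not a Microsoft script: in normal operation the Outlook Anywhere name has one A record per site (DNS round robin across both sites); if one site is lost, only that site’s record is removed so clients resolve the surviving site. The zone `example.com`, host name `mail`, and the two CAS addresses are placeholders; it runs on a Windows Server 2012 or later DNS server with the `DnsServer` module.

```powershell
# Added example (not from the original post): publish the Outlook Anywhere namespace as one A
# record per site and remove a failed site's record during DR. Placeholders: zone example.com,
# host 'mail', CAS addresses 10.1.0.10 (Chicago) and 10.2.0.10 (Milwaukee).

$Zone  = 'example.com'
$Name  = 'mail'
$Sites = @{ Chicago = '10.1.0.10'; Milwaukee = '10.2.0.10' }
$Ttl   = New-TimeSpan -Minutes 5   # short TTL so a removed record ages out of client caches quickly

function Get-NamespaceRecords {
    @(Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -ErrorAction SilentlyContinue)
}

function Publish-Namespace {
    # Add each site's address once; re-running the function is harmless.
    $current = Get-NamespaceRecords | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
    foreach ($site in $Sites.Keys) {
        if ($current -notcontains $Sites[$site]) {
            Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $Sites[$site] -TimeToLive $Ttl
        }
    }
}

function Invoke-SiteFailover {
    param([Parameter(Mandatory = $true)][string]$FailedSite)
    if (-not $Sites.ContainsKey($FailedSite)) { throw "Unknown site '$FailedSite'" }
    # Never strip the namespace down to nothing: at least one record must keep answering.
    if ((Get-NamespaceRecords).Count -le 1) { throw 'Refusing to remove the last namespace record' }
    Remove-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A `
        -RecordData $Sites[$FailedSite] -Force
}

Publish-Namespace
Get-NamespaceRecords |
    Select-Object HostName, TimeToLive, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } } |
    Format-Table -AutoSize

# During a DR event for Chicago:
# Invoke-SiteFailover -FailedSite Chicago
# When the site returns, Publish-Namespace restores its record.
```

Clients that already cached the removed address keep trying it until the TTL expires, which is why the TTL is kept short; within that window they rely on the Outlook behaviour of trying the other resolved address when one fails.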

      • Thanks, Paul, that’s what I figured.

        Any ideas for providing redundancy for externally reaching OWA/Autodiscover/ActiveSync? We use EOP so I will populate it with both of the Internet facing sites external IP address for port 25 traffic, but that still leaves HTTPS traffic (OWA/AD/AS).

  35. Hi Paul,

    thanks for your great articles.

    I have a question regarding the relationship between CAS and Mailbox servers in general. In your scenario, we have 2 multirole servers. From my understanding CAS proxies Outlook connections to the mailbox role and Outlook is not directly connecting to the mailbox role.

    If BOTH multirole systems are ONLINE:

    Is it possible that an Outlook Client is using E15MB1 as a CAS, when the user mailbox resides on E15MB2?

    Or will Outlook automatically use the CAS of E15MB2, because the mailbox is hosted on the Mailbox role of this server?


    • The client connects to the Outlook Anywhere namespace by resolving it in DNS.

      In the case of DNS round robin the client chooses a CAS IP to connect to without any regard for whether that CAS also happens to be the MBX server hosting the active database copy for their mailbox. The same applies via a load balanced IP, the load balancer uses whichever algorithm you choose (eg least connections, round robin) to distribute traffic with no awareness of where the mailbox happens to be active.

      So it is entirely possible and normal that a client may be connecting to CAS on E15MB1 while the mailbox is active on MBX on E15MB2.

  36. Hi Paul,

    having 2 multirole servers in this scenario – how would you apply cumulative updates? We can’t update the CAS roles separately as they are running on the same system as the Mailbox roles.


  37. Alessandro Matano says:

    Hi Paul,

    Thanks again for a great article.
    I have followed and successfully configured two multirole Ex2013 servers in one AD site and a third one in a different AD site. Everything works perfectly, except OWA.
    I mean, while Outlook connects perfectly regardless of the server and the site, when I try to log in to OWA on Site B (either via the namespace or the server’s FQDN directly) I cannot authenticate and it always returns “The user name or password you entered isn’t correct. Try entering it again”. OWA on Site A works just fine.
    I feel I missed something here, using a separate site (different subnet), but I can’t find anything around.
    What do you think?

    Thanks in advance!


  38. Hi Paul,

    you only configured the Outlook Anywhere name to the new round robin name “mail. ..”. What about the internal URLs for OAB and Web Services, and the AutoDiscoverServiceInternalUri setting on the Client Access server?

    Thanks in advance.

  39. Md. Ramin Hossain says:

    We have two Exchange Server 2013 servers, both Mailbox and CAS (virtual host machines). After completing the CAS array we can’t connect to mailboxes using Outlook 2007/2010/2013.

  40. Mohammad Ravaghi says:

    Hi Paul,
    I have configured Exchange 2013 like this:
    1 AD 2012 R2
    2 Mailbox servers, Exchange 2013
    2 CAS servers, Exchange 2013
    1 Edge server, Exchange 2013
    1 TMG 2010
    Now I have inbound and outbound mail traversing our service and even OWA works perfectly, published using server farms (CAS servers behind the publishing rule). Since I have configured the OWA rule and listener for forms-based auth and auth delegation to basic auth, OWA is OK. But when I reuse the listener with forms-based auth to publish OA and ActiveSync there are repeating password prompts in Outlook 2013. When I add the OA and ActiveSync virtual directory paths to the OWA publishing rule, the Exchange Connectivity Analyzer completes successfully but Outlook still prompts for a password.
    I wanted to use KCD to delegate authentication against the Exchange servers, but it seems KCD doesn’t work against server farms! Am I right?
    Currently we don’t have the option to purchase a load balancer.
    Is there any walkthrough to fix it?
    For now I am thinking of separating the Autodiscover URL IP address and configuring a separate listener, but this is a security concern for us.

    Could you please help! Really, how did you manage this?

  41. Hello Paul
    I am getting the following message for almost all users:
    “The Microsoft Exchange Administrator has made a change that requires you quit and restart Outlook”
    I have 2 Exchange 2013 servers configured with a DAG without any load balancer.
    Could you please help me find a solution for this?

  42. Mohammad Ravaghi says:

    In EAC I have configured as the internal/external address for Outlook Anywhere and auth set to Negotiate for both CAS servers.
    AutoDiscoverServiceInternalUri is set to and auth is set to Basic and Integrated for the Autodiscover virtual directories of both CAS servers.
    When I try to publish only one of the CAS servers for OA and ActiveSync everything is OK. Problems start to appear when I want to implement preauth and stop publishing Exchange Web Services without pre-checks!

  43. Hi Paul,
    can you direct me to all your articles that explain the design of Exchange 2013 with two Exchange servers, two Client Access and Mailbox server roles and a DAG, and also using F5 as load balancing for HA? We are in the initial stage of migrating to Exchange 2013 from 2010, so I want to get the design right from the onset.

  44. shaptoni says:

    Hi Paul – I cant *over!
    Reading your article, and many others, everything I can think of has been configured, but clients will not reconnect after the database moves either from Server A to B or B to A. Can you think of anything which may cause the issue?

    Full details here:
