Getting Started with Exchange Server 2010 Client Access Server Arrays

An often misunderstood feature of Exchange Server 2010 is the Client Access server array, or CAS array.

In Exchange Server 2007 the Client Access server role was introduced to perform a similar role to the Exchange 2003 Front-End server, in that it was responsible for accepting client connections for services such as Outlook Web Access, ActiveSync, Outlook Anywhere, and other web services. However a mailbox user still connected directly to the Exchange 2007 Mailbox server for mailbox and public folder access.

Exchange 2007 Client Access server

In Exchange Server 2010 the Client Access server role was expanded to include a new service called the RPC Client Access service. This service allows Outlook clients to connect via MAPI/RPC to the Client Access server for mailbox access; however, they still connect directly to Mailbox servers for public folder access.

Exchange 2010 Client Access server role

This new RPC Client Access service delivers several benefits to the organization:

  • Connections to mailbox resources are made via a common path
  • Connection throttling and other rules can be applied to mailbox connectivity
  • The end user experience during Mailbox server failovers and mailbox moves is improved
  • The RPC Client Access service can be made highly available

Basic Requirements of a Client Access Server Array

Although a CAS array is often assumed to be highly available, it is important to realise that it is not the Client Access Server array itself that delivers high availability.

The Client Access Server array is simply an object in Active Directory that associates a DNS name with the RPC Client Access Service for a particular AD Site.

Therefore to create a CAS array you only need to:

  1. Create the CAS Array object in Active Directory
  2. Configure a DNS record for the CAS Array name pointing to an IP address for a Client Access server
  3. Configure the RPCClientAccessServer attribute on the mailbox databases in that site

Creating a Client Access Server Array

CAS Array objects are created using the Exchange Management Shell and the New-ClientAccessArray cmdlet. In this example a CAS Array is created with:

  • a name of “cas-headoffice”
  • a FQDN of “outlook-ho.exchangeserverpro.net”
  • the AD Site of “HeadOffice”

[PS] C:\>New-ClientAccessArray -Name cas-headoffice -Fqdn outlook-ho.exchangeserverpro.net -Site HeadOffice

Name                Site                 Fqdn                           Members
----                ----                 ----                           -------
cas-headoffice      HeadOffice           outlook-ho.exchangeserverpr... {HO-EX2010-MB1, HO-EX2010-MB2}

If you are running a single AD Site in your organization the CAS Array name and FQDN can be anything you like, however if you’re running multiple sites then you will need to put some thought into a naming standard for your CAS Arrays so that each one is unique.

Configuring the DNS Record for the Client Access Server Array

The next step is to configure a DNS A record for the FQDN you specified when creating the CAS Array object.

DNS A record for the Exchange 2010 CAS Array

Configure the RPCClientAccessServer Attribute on Mailbox Databases

The final step is to configure the mailbox databases with the correct RPCClientAccessServer attribute. It is this attribute that Outlook looks up to determine which RPC Client Access Server to connect to for a given mailbox.

The attribute is set automatically when the mailbox database is created to either:

  • The CAS Array name if one already exists in the AD Site
  • The FQDN of a Client Access server in the AD Site

You can see from this that it is wise to configure the CAS Array object before creating mailbox databases, or at the very least to create the CAS Array object and update the mailbox databases before deploying mailbox users to those databases.

You can check the existing settings by running the Get-MailboxDatabase cmdlet.

[PS] C:\>Get-MailboxDatabase | select name,rpcclientaccessserver | ft -auto

Name      RpcClientAccessServer
----      ---------------------
MB-HO-01  HO-EX2010-MB1.exchangeserverpro.net
MB-HO-02  HO-EX2010-MB1.exchangeserverpro.net
MB-BR-01  BR-EX2010-MB.exchangeserverpro.net
MB-HO-03  HO-EX2010-MB1.exchangeserverpro.net
RDB-HO-01 HO-EX2010-MB1.exchangeserverpro.net

To update the RPCClientAccessServer attribute for a mailbox database run the Set-MailboxDatabase cmdlet.

[PS] C:\>Set-MailboxDatabase MB-HO-01 -RpcClientAccessServer outlook-ho.exchangeserverpro.net
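
The three steps above can be checked and applied in one pass. The following is an added example, not a script from the original article: it confirms the CAS Array object exists and that its FQDN resolves before any database is touched, then repoints only the databases that still reference a named server. The function name Move-DatabaseToCasArray and its parameters are hypothetical; the sample values are the ones used in this walkthrough.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Move-DatabaseToCasArray is a hypothetical helper name.
function Move-DatabaseToCasArray {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Name of the CAS Array object created with New-ClientAccessArray
        [Parameter(Mandatory = $true)]
        [string]$ArrayName,

        # Server FQDN(s) that databases in this site point at today.
        # Databases pointing anywhere else (for example another site) are left alone.
        [Parameter(Mandatory = $true)]
        [string[]]$OldRpcEndpoint
    )

    # Step 1: the CAS Array object must already exist in Active Directory.
    $array = Get-ClientAccessArray -Identity $ArrayName -ErrorAction Stop
    if (-not $array) { throw "CAS Array '$ArrayName' was not found." }
    $fqdn = [string]$array.Fqdn

    # Step 2: the array FQDN must resolve, otherwise Outlook clients would be
    # handed a name they cannot reach once the databases are updated.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($fqdn)
    }
    catch {
        throw "'$fqdn' does not resolve in DNS. Create the A record before updating databases."
    }
    Write-Verbose ("{0} resolves to {1}" -f $fqdn, ($addresses -join ', '))

    # Step 3: repoint the databases. Collect them first so that no Set- cmdlet
    # runs while the Get- pipeline is still open.
    $databases = @(Get-MailboxDatabase)
    foreach ($db in $databases) {
        $current = [string]$db.RpcClientAccessServer
        $action  = 'Skipped'

        if ($current -eq $fqdn) {
            $action = 'AlreadyOnArray'
        }
        elseif ($OldRpcEndpoint -contains $current) {
            if ($PSCmdlet.ShouldProcess($db.Name, "Set RpcClientAccessServer to $fqdn")) {
                Set-MailboxDatabase -Identity $db.Name -RpcClientAccessServer $fqdn
                $action = 'Updated'
            }
            else {
                $action = 'PendingUpdate'   # -WhatIf was used or the prompt was declined
            }
        }

        # One report row per database, so the result can be reviewed or exported.
        New-Object PSObject -Property @{
            Database = $db.Name
            Previous = $current
            Action   = $action
        } | Select-Object Database, Previous, Action
    }
}

# Preview the change for the HeadOffice databases; remove -WhatIf to apply it.
Move-DatabaseToCasArray -ArrayName cas-headoffice `
    -OldRpcEndpoint HO-EX2010-MB1.exchangeserverpro.net -WhatIf -Verbose
```

Updating the attribute does not change Outlook profiles that were already created against the old server name; as noted in the comments below, those need a script or other method to pick up the new name.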

High Availability for Exchange 2010 Client Access Server Arrays

As I mentioned earlier, one of the benefits of the CAS Array is that it enables the RPC Client Access service to be made highly available.

The configuration of the CAS Array itself is the same, however instead of pointing the DNS record at the IP address of a single Client Access server you would point it at the virtual IP of a load balanced array of servers.

Exchange 2010 load balanced CAS Array

The load balancing can be achieved in multiple ways:

Best Practices for Exchange Server 2010 CAS Arrays

Because of the behaviour of the mailbox databases and their RPCClientAccessServer attributes, and how this is handled by different Outlook versions, it is considered best practice to:

  • Always configure CAS Arrays in your Exchange 2010 sites
  • Configure the CAS Array before you provision mailbox databases or mailbox users to Exchange 2010 in that site

Microsoft themselves recommend this as a best practice.

We recommend that you create a Client Access server array even if you only have a single Client Access server within your organization.

This has several benefits, such as:

  • making it easy to scale out the CAS Array name to multiple Exchange 2010 Client Access servers
  • making it simpler to replace a Client Access server with a new one of a different name
  • migrating the MAPI endpoint to future versions of Exchange Server

Comments

  1. says

    You mention that it is wise to create the CAS array object before creating the mailbox databases. What if you already have an Exchange environment in place and want to implement a CAS array for high availability of the RPC Client Access Server?

    • says

      Implement the CAS array as normal, then update the RPCClientAccessServer attribute on the mailbox databases. You’ll then need to use a script or other method to get the Outlook profiles to update to the new name.

  2. Dave Purscell says

    Excellent article. Looks like I will be drilling into some of the other Related Articles to answer some of the questions that this one produced.

  3. Valentin Tsvetkov says

    Hello,

    I’d like to add something in the part with the recommendations. It appears that the scenario with Windows NLB is not reliable and MS don’t recommend it for production environments. They said it many times on the last TechEd sessions in 2011.

  4. Vikas says

    Hi Paul,

    Can you share script or method to update existing outlook profile to receive failover features.

    Recently I have added HUB/CAS node in CASARRAY in Exchange 2010 and now I want all users profile to receive features of failover. I changed Database RPCClientAccess attribute but still users are getting connect to single node only instead of CASARRAY.domain.com.

    • David Wong says

      Has anyone figured out the answer to this? Is there a script to run to update Outlook profile? Thanks, -David

  5. Chuck says

    In a small environment, is it possible to setup the CAS array on two Exchange servers that will also host the hub and mailbox roles configured as a DAG? Essentially getting high availability with only two servers?

      • Chuck says

        So setting up the CAS array and specifying the DAG FQDN which point to both servers won’t work? Figures, nothing is ever easy. Any recommendation for a hardware load balancer for a fairly small network of ~200 workstations and no Internet connectivity?

        • says

          “So setting up the CAS array and specifying the DAG FQDN which point to both servers won’t work?”

          You’re mixing terminology. The CAS Array has its own DNS entry. That DNS entry resolves to an IP address, whether it be the IP address of a single Client Access server, or it could be the virtual IP address provided by some load balancing technology (either NLB or Hardware LB).

          The CAS Array, in the sense of Exchange 2010 and how Outlook clients connect, performs the role of “RPC Client Access Server”, which is the RPC/MAPI endpoint that Outlook clients on the network connect to for their mailbox access.

          Although the DAG does have its own DNS entry, clients don’t point to it.

          Edit: take a look at Kemp for load balancers, they have affordable low-end options including virtual appliances.

        • Chuck says

          First let me say thank you so much for the great site and your quick replies. Been doing a bunch of reading and see that the best solution is to get 2 more licenses so I can have 2 CAS/HUB servers load balanced and 2 mailbox servers in a DAG. And from teched I see that it’s recommended to use hardware load balancing in a single arm SNAT config instead of WNLB; more pain. I just keep coming back to the idea that since setting up a DAG on 2 servers that have the CAS/HUB/MBX roles result in the two servers being configured in a failover cluster with the DAG virtual IP and FQDN why wouldn’t it be possible to assign that same FQDN to the CAS array so that when a failover occurs the CAS array would resolve to the active server? I know that using failover clustering was ok with IIS in server 2000 but no longer recommended in server 2003. At this point I’m either looking at trying to get funding for a load balancer and more licenses, testing using the DAG FQDN for the CAS array, or deploying as non highly available for now. Any thoughts on deploying a single CAS/HUB and MBX server with an upgrade later vs. waiting a few months to get extra licenses and a load balancer?

        • says

          “the best solution is to get 2 more licenses so I can have 2 CAS/HUB servers load balanced and 2 mailbox servers in a DAG”

          NLB isn’t necessarily the *best* option, it is just one option. I recommend watching this presentation from TechEd which should help with your decision making:

          http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/EXL307

          “I just keep coming back to the idea that since setting up a DAG on 2 servers that have the CAS/HUB/MBX roles result in the two servers being configured in a failover cluster with the DAG virtual IP and FQDN why wouldn’t it be possible to assign that same FQDN to the CAS array so that when a failover occurs the CAS array would resolve to the active server?”

          Because it doesn’t work that way. Even when Exchange roles are combined on the same server you need to still consider each role separately.

          The CAS array name and IP are separate entities to the DAG name and IP. They can’t be the same.

          “testing using the DAG FQDN for the CAS array”

          Let me save you the trouble – it won’t work.

          “Any thoughts on deploying a single CAS/HUB and MBX server with an upgrade later vs. waiting a few months to get extra licenses and a load balancer?”

          Yes, this is completely fine. The bare minimum you should do is create the CAS Array object, create the DNS entry for it, and point that DNS entry at a Client Access server. It doesn’t need to be a load-balanced Client Access server, later on you can update the DNS to point to a load-balanced IP address instead and it will work seamlessly.

          Same goes with the Mailbox servers. You can deploy single Mailbox servers and run them in production and then later create a DAG and add those servers as members of the DAG, again it is a seamless change. Microsoft refers to this as “incremental deployment”.

          Some of these concepts don’t make total sense until you’ve run through the deployment yourself, so I do recommend you play around in a test lab and experience the setup of CAS Arrays and DAGs first hand.

          Just remember, each server role operates independently even when combined on a single server. CAS Arrays and DAGs are separate entities – they can exist independently of each other, or they can exist in combination with each other, but they remain separate.

      • Chuck says

        Oh, let me also explain. These two servers are virtual on a 3 node Hyper-V cluster. Might make load balancing them a little harder. Guess I need to get two more Exchange licenses and setup 2 CAS servers in an NLB config or will a hardware load balancer work with virtual machines?

        • says

          There’s nothing about virtualization that impacts the ability to use NLB or a hardware load balancer.

          If you’re going to virtualize your Exchange just go and read the best practices guidance from Microsoft, which is detailed and important.

      • Chuck says

        Thanks again for all your help. After several hundred pages of reading today, and meticulously removing the 2 servers I created (wow what a pain removing the last arbitration mailboxes), I think I understand what is going on here. Please confirm if you will. A CAS array is nothing more than an AD object that you create to point to an IP address. Wow, that is a very misleading name. You have to actually create an NLB array and then create the CAS array and point it at the NLB virtual IP address. Assuming that is correct, I need to create the first server with a CAS and HT role. Add NLB along with setting up AD and DNS stuff. Then create a server with the MB role. At a very high level of course? Nothing like a Friday to try it all again after wasting the rest of the week. Wish I had a test lab; kind of scary doing this stuff on the live network.

        • says

          You’re on the right track. And you’re also discovering that it isn’t always as simple as just uninstalling and trying again. I cannot recommend strongly enough that you do some practice in a test lab first. This is not something to be learning by messing around in live production environments.

          To answer your other point, yes I think the term “CAS Array” has caused a lot of confusion for people these last couple of years. I am expecting to see the terminology change in the next version of Exchange Server to make things clearer.

      • amit says

        Paul if I have 2 HUB/CAS & 2MBX IN DAG For geographical locations Site A has different smtp domain site b has different smtp domain Can we achive mutiple locations with different Cas array .
        Well internet facing as hub /cas role will be in NLB mails for respective locations and MX will be pointed to ISP Antispam which will forward mails to respective sites HUB servers

  6. Daphne Vink says

    Paul,

    I cannot find anything about CAS arrays and multiple DAG’s. We have a large organization with 4 DAG’s within one AD site (44 multi role Exchange servers).
    I know I can have only one CAS array per site, but is there also a limitation on the amount of DAG’s within one CAS array?
    I guess it is not related and therefore not an issue but I want to be sure about it.

  7. Eric says

    Paul,

    We currently have a single site, single CAS/HUB server (no array). RPCClientAccessServer points to hostname of CAS/HUB server. What’s the recommended approach to create a CAS array? Add second CAS/HUB and create array? Or add two new CAS/HUB’s and create array with them and then decommission original CAS/HUB?

    We would like to do this without changing RPCClientAccessServer attribute. I would think that would rule out the first approach (using current CAS/HUB server and adding second C/H sever and creating array) as the RPCClientAccessServer points to FQDN of first C/H. We wouldn’t be able to point CAS array name to same name as first C/H server, correct?

    Thanks for any input you may have.

  8. Leo says

    Nice one.

    Also, CAS array is tied to per AD site hence it doesn’t cross the boundary of its own AD site.

    Would CAS array still function if one of CAS array member located at the branch office linked by persistent VPN whereby the Exchange server has the same network address of the CAS array in the head office?

    • says

      The “members” attribute of the CAS Array object (as seen when you run Get-ClientAccessArray) is a bit misleading. You should only think of it as “the Client Access servers that are in the AD site for this CAS Array”. It actually has no bearing whatsoever on the HA or load balancing.

      If you can load balance the IP address associated with your CAS Array across multiple physical sites then it will work, but it brings into play a lot of additional concerns such as latency and reliability of the link between the sites. It also complicates some failure scenarios.

  9. Jed Peters says

    Great article. I have been trying to figure out a better way to handle datacenter switchover/failover on the CAS side. I have 2 sites with a single server with all roles on each. I know a cas array can only be created in a single AD site, I was wondering if I could do this between production and DR sites if I were to make a single AD site instead of the now two AD sites. The cas server role would still resolve to two different IP subnets and not sure if that is a limitation.
    Objective would be to make datacenter failover easier so that I would not have to change the rpccleintaccesarry setting manually.

  10. Danushka says

    Dear Paul,
    I have setup NLB cas array and working fine in LAN but I am not able to access cas array from my remote site.

    can you help me to resolve this issue.

    Thanks
    Danushka

  11. Prashant says

    HI Danushka,

    I have configured 2 exch 2013 on 2 diff’nt windows box’s.And i need to map this 2 exch mail database to one of my vip address..Please find the below details.

    1.ipadd : 192.168.0.1 (ADS,DNS)
    2.ipadd : 192.168.0.2 (Member of domain,Exch 2013)
    3.ipadd : 192.168.0.3 (Member of domain.Exch 2013)
    4. ipadd : 192.168.0.4 (VIP address)..I need to map 192.168.0.2.& 192.168.0.3 mail database to 192.168.0.4 (This is my vip address).Please let me know..

    Regards,
    Prashant

      • Prashant says

        Hi Paul,

        Please find below error.
        PS C:\Program Files\Microsoft\Exchange Server\V15\Scripts> Get-MailboxDatabase
        Get-MailboxDatabase : The term ‘Get-MailboxDatabase’ is not recognized as the name of a cmdlet, function, script file,
        or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
        try again.
        At line:1 char:1
        + Get-MailboxDatabase
        + ~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : ObjectNotFound: (Get-MailboxDatabase:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

  12. Prashant says

    Hi Paul,

    Thanks for Suggestions.But getting.

    [PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>New-ClientAccessArray -Fqdn vip.lb.cas.com -Site Default-Fir
    st-Site-Name
    New-ClientAccessArray : The term ‘New-ClientAccessArray’ is not recognized as the name of a cmdlet, function, script
    file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
    and try again.
    At line:1 char:1
    + New-ClientAccessArray -Fqdn vip.lb.cas.com -Site Default-First-Site-Name
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (New-ClientAccessArray:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
    Regards,
    Prashant

  13. Prashant says

    Hi Paul,

    I am trying out this below cmd.

    Get-ClientAccessArray

    New-ClientAccessArray -Fqdn xyz.com -Site Default-First-Site-Name

    Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer
    xyz.com

    Set-MailboxDatabase cmdlet with –Identity ‘mailbox database name’

    Regards,
    Prashant

  14. Danushka says

    Dear Paul,
    we are going to install exchange 2010 on exchange 2007 environment for our company and I have some doubt about installation of exchange 2010.
    we Purchased HP DL 380 G8 server (8core/32GB). kindly advise what would be the best implementation from below options

    Option 1
    Windows 2012 Hyper-V – HOST
    TWO VMs
    1.Windows 2008 R2 64bit standard with exchange 2010 (CAS/HT)
    2.Windows 2008 R2 64bit Enterprise with exchange 2010 (MBX)

    Option 2
    Single windows 2008 R2 64bit Enterprise with exchange 2010 CAS/HT/MBX

    Kindly advise.

    Thanks
    Dansuhka

  15. Jinu says

    Hi All,
    Let me just bring my issue with KEMP, we are new to KEMP Load Balancer and finding some issue in getting the cas array work in branch office and vpn users.
    Kindly find my infrastructure as below,
    Mailbox Server 2 No’s
    CAS Server – 2 No;s
    Load Balancer – 1 No;s ( VM)
    My outlook in LAN network is working perfect with KEMP LB, but i have issue with accessing outlook from my branch Office and VPN users. We are able to ping the LB IP and virtual server and all exchange servers.
    But or mailbox are not resolving.
    Kindly help me to solve the issue., we are planning to KEMP LB 2200 Hardware once we finish setup.
    LAN Subnet 192.168.2.0/24
    Branch Office – 192.168.27.0/24
    Kindly help us to fix this issue and looking for solution or Trouble shooting tips.
    Regards,
    Jinu

  16. Ravi Kumar says

    Hi Paul,

    I have upgrade my active directory from window server 2003 to server 2012. and I am using exchange server 2013 but I have facing some issue with outlook 2010,outlook 2013.When I am manually configure exchange accounts on my outlook 2010 its giving error “cannot open your default email folder. You must connect to Microsoft exchange with the current profiles before you can synchronize your folders with your outlook data file (.ost)”. But its working with OWA and pop3 but not working with outlook. I have try everything like I turn off cached Exchange mode, setting the email account to not cache does not resolve the issue and I get error message – “Cannot open your default e-mail folders. The file (path\profile name).ost is not an Outlook data file (.ost) again. Very odd since it creates its own .ost file when you run it for the first time.

    I have also check RPCClientAccessServer and its pointing to right mailbox database but no luck and outlook only work in RPC over https, but not working when you configure it manually. Can you please help me on this issue.
    Any help would be greatly appreciate

  17. Doug says

    Hi Paul,

    We currently only have one Active Directory site. However, we will soon be creating another Active Directory site. I am planning on moving one of my existing Client Access Servers to the new Site. Will I be able to remove that server from the current Client Access Array and add it to the new array in the new site? If so, are there any special cmdlets I need to run or will it update itself once it’s in the new IP space and DNS is updated accordingly?

    Thank you,

    Doug

  18. Rebecca Leonard says

    Regarding “still connect directly to mailbox servers for public folder access”. So does this mean that if the server with the primary copy of the mailbox database in a DAG is down, it doesn’t matter if you have a CAS Array as far as public folders are concerned? You can send/receive mail thanks to the CAS Array object, a hardware load balancer and a DAG setup, but not access the public folders?

    • says

      There’s a bunch of mixed concepts in that question.

      1) Public folders are not part of a DAG, though they can exist on a mailbox server that is a DAG member. If a server hosting a public folder database goes down, and there are no other PF replicas available, then PFs are unavailable.

      2) Outlook clients communicate directly with the mailbox server for public folders, not via the CAS array.

      3) CAS Array (or Client Access server for that matter) is not responsible for send/receive mail flow. That is the role of the Hub Transport server.

      • Rebecca Leonard says

        Paul -
        Thanks so much for your reply. Yes, I should have been much more specific. What I’m finding is that in our environment, we have two Exchange 2010 servers that hold the CAS, HT & Mailbox (in DAG) roles. We have a hardware load balancer for the CAS Array address. If I shut down the server that holds the primary copy of a mailbox database, due to the DAG and the timeout setting on my load balancer, Outlook stays connected and I can still send/receive messages. However, Outlook continues to freeze because it is trying to connect to the public folders (I can see that by looking at the Connection Status dialog). I just thought that was odd and makes Outlook a little unusable in that situation?

        • says

          If your public folders are down Outlook will have problems, simple as that. You’ll need to look at providing HA/resilience for your public folders as well.

        • Rebecca Leonard says

          In this case, the public folders are not down. Simply the primary mailbox server, even though it is a member of a DAG. Am I correct in understanding that Outlook will always try to connect to the public folders via the primary mailbox server for whatever database your mailbox is on? In that case, it wouldn’t matter if the public folders were up or down. Am I confused?

        • says

          Outlook will connect directly to the mailbox server that hosts the public folders regardless of where the mailbox is hosted.

          If you bring up Outlook’s “Connection Status” box (CTRL+Right Click the Outlook icon in the system tray) you’ll see the connections that have been established.

  19. Paul says

    Hi Paul,

    The resource is great, however I can’t find the specific information I need anywhere, currently the environment is:

    2 x CAS, HT and MBD roles installed on 2 DC’s

    I want to get these removed and have 2 x CAS/HT Servers and 2 x MBD Servers all on Member Servers rather than DCs

    the existing CAS aren’t configured in an Array and hopefully will be decommissioned in the future.

    I have setup a new Server with CAS and HT roles installed and want to set it as an array.

    my questions are:

    1. What settings do I need to copy across to the new CAS/HT server from the old CAS/HT server?

    2. Do I need to copy the certificates across and install them?

    3. Setting it as a CAS array will existing accounts lose connectivity?

    Any help would be much appreciated.

    Regards,
    Paul

    • says

      1. It depends which services you’re running via the load balancer. For RPC/MAPI there is nothing really to configure. But if you also plan to load balance OWA, ActiveSync etc then you should make sure they are configured consistently (eg same authentication settings, external URLs).

      2. For RPC/MAPI purposes there is no certificate required. But again if you plan to load balance other services that run on HTTPS then yes, each server needs an SSL cert with the correct names on it. That can be the same cert or two different certs.

      3. No.

      • Paul says

        Hi Paul,

        Thanks for the response, really helpful.

        1. Yes, I’m planning to load balance OWA, ActiveSync etc

        2. Yes, again will be load balancing https services such as Outlook Anywhere.

        Was originally looking at doing the CAS across two virtual servers and the DAG across two virtual servers so 4 virtual servers in total, however have just read the Kemp Load Balancing article and if cost isn’t prohibitive I may look to do the load balancing that way.

        3. Excellent, thanks

        Regards,
        Paul

      • Jason Stevens says

        Regarding the RPCendpoint of an Internal Outlook client with Outlook Anywhere enabled on the CAS. From what I understand when OA is enabled it sets EXPR as the primary outlook provider which for outlook clients enables OA/RPCoverHTTPS through AutoDiscover. It leaves connect as TCP for fast connections off so by default Outlook should not connect using HTTPS to the CAS. However I had a situation/client where internal outlook clients were getting SSL warnings because the SCP URI and internalurl’s were the server.local name, their internal AD domain was .local and did not have a signed SSL for their internal domain. Clearly the Outlook client was connecting to the CAS with HTTPS.

        I have not been able to 100% determine if the RPC endpoint as listed in the Outlook Client’s account Server field is the CAS server/CAS array as specified under the mailbox database -rpcclientaccessserver or the -AutoDiscoverServiceInternalURI as listed under -clientaccessserver or the -internalurl as specified under the different vdir’s of the CAS or where autodiscover picks up the RPC endpoint and then configures outlook to connect to the CAS.

        http://support.microsoft.com/kb/940726

        In my issue to resolve the .local SSL issue I followed the above MSKB, created a casarray with an external name “mail.domain.com”, setup split DNS, assigned it to my mailboxdatabase -rpcclientaccessserver, changed the SCP/CAS URI and all CAS internal/external URL’s with the same name (because I don’t know where outlook is connecting to (rpc endpoint) and while that is not best practices (casarray name should not be externally accessible) everything is working, external OA clients are not slow in connecting, clients seamless connect whether internal or external, autodiscover works internal external.

        I sure hope I can get some clarity in this matter, I have not found any official TechNet articles that answer this issue clearly.

        Thanks
        Jason

  20. Jinu says

    Hi All,

    can any help me if any setting need to do for accessing public folder in a setup where we use KEMP Load Balancer.
    Right now we are not able to access public folder ( Exchange 2010 Public Folder)
    Regards,
    Jinu

  21. Jason Reynolds says

    Paul,

    For a site with a single CAS server I’m assuming that I’d have the CAS Array pointing directly at that CAS server? I have about 18 sites that have to be migrated from E2k3 to E2k10.

  22. AKhil Chopra says

    HI Paul,

    First I would like to thank you for your website which gives us good technical knowledge.

    My question to you. Can we create multiple cassarray name with same side

    e.g 1) DATABASE – Microsoft
    CASSARRAY name- outlook.microosft.com
    Site – USA
    2) DATABASE – Microsoft1
    CASSARRAY name- outlook1.microosft.com
    Site – LONDON

    Please see the above example and confirm me would be possible or not.

    PLEASE SEND THE ANSWER ON MAY EMAIL ADDRESS IF POSSIBLE – akhil.system@gmail.com

    Regards,
    Akhil Chopra

    • says

      A CAS Array exists within a single AD Site. You can have one CAS Array per AD Site. You can have multiple CAS Arrays in your organization for different sites. They must all have unique names.

      • AKhil Chopra says

        thanks paul

        But when we will switch our site to DR then the cassary will remain same with switched databases.

        But DR sites has its own cassarry of new datatbases if we create or already running, so automatically we have two cassarry on same side

        Post if I am wrong

        • says

          I can only go by the information you provide when you ask a question. Your first question seemed like a scenario of running multiple, separate Exchange sites. Now it seems like you’re asking about running a primary and a DR site.

          Designing for DR scenarios is a little different and it’s not something I can just give you a quick tip about because it is very important. I would encourage you to go look at some of the detailed documentation on TechNet for designing for DR.

  23. says

    Hi Paul,

    Great document by the way.

    I have a question for you.

    I have multiple sites configured in AD with site1 being my main DC and site2 being my DR site. Site 1 has four CAS servers defined in the CAS array and if I look at the CAS config I see the four servers defined there as members.

    My second site (Site2, which is used for DR) also has four CAS servers in the site but they do not appear on the members list when the CASARRAY is in site 1.

    I have eight mailbox servers configured in a single DAG across both sites. My clients point to a CAS array name which is an A record in DNS which resolves to a Citrix NetScaler. The Citrix NetScaler then load balances the connections across the four CAS servers in the current live site.

    Site 2 (DR) also has a Citrix NetScaler and it is configured with the four CAS servers in the DR site. When we fail service over to the DR site we also run the “Set-ClientAccessArray CASARRAYNAME -Site site2” and we change the A record for CASARRAYNAME to now point to the IP address of the NetScaler in the second site.

    My question is this: if I didn’t run the “Set-ClientAccessArray CASARRAYNAME -Site site2”, what would be the resulting problem?

  24. Indraneel Nandoskar says

    Hi All,
    I am in a learning phase and testing the CAS Array concept in my test environment. I have the setup as below:
    Two sites: site A and B
    site A: DC + two MBX servers + one HUB server + 2 CAS
    site B: ADC + one CAS + one HUB + two MBX
    DAG is configured and running successfully.

    I wanted to create a CAS Array, hence I installed NLB on two CAS servers and created the CAS array. Then I decided to test it for one database, hence I changed the RPCclientAccessServer attribute of one database. Then I configured the Outlook profile using autodiscover. The profile was configured. However I get the error message while opening the outlook profile

    When I change the RPCclientAccessServer back to my original CAS server FQDN, I can configure the profile and open it successfully. I can even send / receive emails.

    What could be the issue? Any luck?

  25. Michael Walsh says

    Hi there,

    thanks for the great info. Quick question.

    Do I need SSL Certs on the CAS members?

    Thanks again.

    Michael

  26. Michael Walsh says

    Hi all,

    a question on the DAG setup. Must I absolutely have two NICs (Primary + Secondary) on each DAG member?

    Or will it work with just having one in each server, all on the same IP network?

    Thanks.

    Michael

    • says

      Replication NICs/networks are not mandatory. A DAG will work and is supported to run with just one NIC/network for all client and replication traffic. Obviously this becomes an issue in larger environments where there is more replication traffic occurring.

  27. says

    Hey Paul,
    I’m in the middle of a troubleshooting session with MS after enabling online archive mailboxes. It appears that our CAS array may not be working as expected. From monitoring CPU utilization one node is hammered and the other is flatlined at near 0% utilization.

    My question is this, is there any way to monitor which clients are connected to which host in the CAS array? I haven’t found much. I think the solution will be to move away from the NLB clustering to a true hardware load balancer, but in the meantime I was hoping you might have some insight into how to check on the connections to the individual CAS nodes.

    Thanks much,
    Brian

    • says

      Paul, I think I might have answered this one myself. I see in the resource monitor if I check the RPCClientAccess service checkbox and look at the network section it shows the connection on that service.

      Thanks for the post BTW.

      Best regards
      Brian

  28. Les says

    Hi Brian,

    EXMON is a tool provided by MS which you install on the CAS servers and then run. It will come up and show you which users are connected to the CAS server and also things like the client version and the connection latency.

    Having read above, the first thing I would do if I was you is check to see if both your CAS servers are able to take client connections. If your CAS Array name was CAS01, simply make a host entry on one of your client machines with CAS01 and the IP address of one of the Client Access servers. Launch Outlook and see if you get a connection. Then move on to the second CAS server and again check the connection. If both CAS servers take connections without issue, the next thing would be to check your load balancer is configured correctly. We’d need to get more info from you regarding the type of NLB you’re using, but it sounds like it may be a Windows NLB, which to be honest is not the best solution.

    Let me know how the above checks go.
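The per-server check described in the comment above, plus a look at each database's RpcClientAccessServer setting, can be scripted from the Exchange Management Shell. This is an added example, not part of the original comments: `Test-TcpPort` is a hypothetical helper, and it assumes each entry in the array's `Members` list exposes a `Name` that resolves in DNS. TCP 135 is the RPC endpoint mapper, so an open port shows the server is reachable for RPC, not that a mailbox logon will succeed.

```powershell
# Run in the Exchange Management Shell (written to work on PowerShell 2.0).
# Test-TcpPort is a hypothetical helper defined here, not an Exchange cmdlet.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$arrays = @(Get-ClientAccessArray)

foreach ($array in $arrays) {
    # 1. What does the array name resolve to? Expect one address (the load balancer VIP).
    $addresses = @()
    try { $addresses = [System.Net.Dns]::GetHostAddresses($array.Fqdn) } catch { }
    Write-Host ("{0} (site {1}) resolves to: {2}" -f $array.Fqdn, $array.Site, ($addresses -join ', '))

    # 2. Test the array name and then each member directly, bypassing the load balancer.
    #    Assumption: each Members entry has a Name property that resolves in DNS.
    $targets = @($array.Fqdn) + @($array.Members | ForEach-Object { $_.Name })
    $targets | ForEach-Object {
        New-Object PSObject -Property @{
            Target      = $_
            Port135Open = (Test-TcpPort -ComputerName $_ -Port 135)
        }
    } | Format-Table Target, Port135Open -AutoSize
}

# 3. Databases whose RpcClientAccessServer is not one of the CAS array names.
#    Outlook profiles for mailboxes on these databases point at a single server.
$arrayNames = @($arrays | ForEach-Object { $_.Fqdn })
Get-MailboxDatabase |
    Where-Object { $arrayNames -notcontains $_.RpcClientAccessServer } |
    Format-Table Name, RpcClientAccessServer -AutoSize
```

A member that fails step 2 while the array name succeeds points at that server or its firewall; the reverse points at DNS or the load balancer.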

  29. Navishkar Sadheo says

    Hi Paul

    I had a question: if I create a CAS array at a site comprising 2 CAS servers without NLB or HLB.

    If one of the servers in that array went down, will Outlook clients automatically connect to the next server in that CAS array?

    • says

      The CAS array name resolves to an IP address. Without a load balancer that IP address will be for one server only. If that server goes down, the CAS array namespace goes down. You would need to change the DNS record to another server’s IP address to restore service. That is not a good HA solution.

    • says

      Yes, that is how Exchange 2010 Client Access server high availability works.

      The CAS Array is a namespace that resolves to a single IP address that points to a load balancer (whether that is NLB or a hardware/virtual load balancer), which distributes the traffic across multiple Client Access servers.

      Without a load balancer the single IP address can only be for one Client Access server. If that server goes down your Outlook clients will be unable to connect.

  30. Yurok says

    Great article, thank you!

    I have two servers in a CAS array and need to add another one. We’ve shut one of them down after several unsuccessful WNLB fail-over tries; we’ll be using Citrix Netscaler to load-balance client traffic.

    1. Can you recommend any articles to follow for steps/best practices on adding a CAS server?
    2. Same for removing a CAS server from the array/domain.

    Both concepts seem simple; I just wanted to know if there are any caveats.

    Regards,
    Yurok

  31. says

    We recommend that you create a Client Access server array even if you only have a single Client Access server within your organization.

    Even if the customer forgot this recommendation, redirecting Outlook profiles to the new server remains feasible under certain conditions.

    Thanks

  32. Jeremy Steger says

    Paul, great write up as always.
    Quick question. When I set up our Exchange environment I was not very familiar with CAS arrays, etc. and as such my CAS Array FQDN = exchangevs.domain.com with 2 CAS members. My F5 NLB FQDN is exchangevs.domain.com as well. And all of my services (OWA, etc.) are https://exchangevs.domain.com/owa, etc. The FQDN internally resolves to the F5 NLB’s internal interface and externally to the external interface. My question: am I in serious trouble with this setup? Do I need to change the CAS Array’s FQDN to, say, cas.domain.com and only set the internal DNS to resolve it? What issues would I expect to have if I did this?
    Thanks,
    Jeremy

  33. Kelvin S says

    It’s a great article of yours and I have followed your article to the “T”. The issue I’m getting is that Outlook 2010 clients are unable to connect to the CAS Array. The MAPI endpoint and RpcTcpPort have been configured according to this TechNet article: http://technet.microsoft.com/en-us/library/ee332317(v=exchg.141).aspx#CASarray. Is there any way or tool to trace what has gone wrong during Outlook connectivity? Outlook clients are able to connect to an individual HTCAS directly, and once they do, the CAS Array name will appear as the server, but when Outlook is restarted, it just fails to connect to the server.

  34. George Howarth says

    Hi Paul

    Great article and easy to follow and understand – I have “inherited” the setup described below and have a couple of questions hopefully you might be able to help with

    The setup is currently

    Site A 192.168.12.0 /22

    2 x AD
    1 x Exch2010 server running CAS, HT, DB

    Site B 192.168.0.0 /23

    2 x AD
    1 x Exch2010 server running CAS, HT, DB

    Both Site A and B are in the same domain.local AD structure, Default First Site Name and both Exch2010 DB are members of a DAG

    Currently there is no CAS array set up, so some Outlook users in Site A connect to Exch2010 in Site B and vice-versa

    My Questions are as follows –
    1 – Would I be able to set up a CAS array even though both Exch2010 servers are on different subnets?
    2 – Can I create a CAS array or not if the DBs are set up in a DAG – not sure but I’m guessing not?

    Any help / pointers would be appreciated as stated I have inherited the current setup and been asked to improve it / scrap it and start again without any mail flow issues to end users – a bit of a baptism of fire

    Ta

    George

    • says

      1. The CAS Array name resolves to an IP address. That IP address can be on a load balancer. That load balancer can load balance between servers in different subnets. This applies to hardware/virtual load balancers only (which is the recommended approach for CAS HA anyway)

      2. Whether the databases are involved in a DAG or not has no bearing on the CAS Array. What you may be thinking of there is that you cannot form an NLB cluster using multi-role servers that are also members of a DAG. NLB is not recommended anyway, so with a hardware/virtual load balancer you can quite happily load balance multi-role servers that are also DAG members.

  35. Jonathan says

    Paul,

    Concerning the FQDN for the CASArray, I’ve seen that it’s not wise to use the same FQDN that you use for your external connections (owa, activesync, etc) (i.e. https://webmail.mydomain.org/). It’s recommended to use a domain name that’s not published out to the internet. If the CASArray FQDN is different than my public site address, that shouldn’t cause any major communication problems correct? Outlook should only care about the RPCClientAccessServer setting on the DB. It shouldn’t care about my autodiscoverinternalURI address should it?

    Also, should the FQDN for the CASArray match the NLB FQDN? Or does Exchange care about that consistency at all?

    JB

    • says

      Correct. CAS Array namespace should be unique and not externally accessible.

      CAS Array FQDN can be different to other namespaces, eg cas.something.net vs webmail.companyname.com

      I’ve always made CAS FQDN and NLB FQDN the same.

      • Jonathan says

        Should the CAS Array FQDN and the TLD for the AutoDiscoverServiceInternalUri link match as well?
