An often misunderstood feature of Exchange Server 2010 is the Client Access server array, or CAS array.
In Exchange Server 2007 the Client Access server role was introduced to perform a similar role to the Exchange 2003 Front-End server, in that it was responsible for accepting client connections for services such as Outlook Web Access, ActiveSync, Outlook Anywhere, and other web services. However a mailbox user still connected directly to the Exchange 2007 Mailbox server for mailbox and public folder access.
Exchange 2007 Client Access server
In Exchange Server 2010 the Client Access server role was expanded to include a new service called the RPC Client Access Service. This service allows Outlook clients to connect via MAPI/RPC to the Client Access server for mailbox access, however they do still connect directly to mailbox servers for public folder access.
Exchange 2010 Client Access server role
This new RPC Client Access service delivers several benefits to the organization:
- Connections to mailbox resources are made via a common path
- Connection throttling and other rules can be applied to mailbox connectivity
- The end user experience during Mailbox server failovers and mailbox moves is improved
- The RPC Client Access service can be made highly available
Basic Requirements of a Client Access Server Array
Although a CAS array is often assumed to be highly available, it is important to realise that it is not the Client Access Server array itself that delivers high availability.
The Client Access Server array is simply an object in Active Directory that associates a DNS name with the RPC Client Access Service for a particular AD Site.
Therefore to create a CAS array you only need to:
- Create the CAS Array object in Active Directory
- Configure a DNS record for the CAS Array name pointing to an IP address for a Client Access server
- Configure the RPCClientAccessServer attribute on the mailbox databases in that site
Creating a Client Access Server Array
CAS Array objects are created using the Exchange Management Shell and the New-ClientAccessArray cmdlet. In this example a CAS Array is created with:
- a name of “cas-headoffice”
- a FQDN of “outlook-ho.exchangeserverpro.net”
- the AD Site of “HeadOffice”
[PS] C:\>New-ClientAccessArray -Name cas-headoffice -Fqdn outlook-ho.exchangeserverpro.net -Site HeadOffice
Name Site Fqdn Members
---- ---- ---- -------
cas-headoffice HeadOffice outlook-ho.exchangeserverpr... {HO-EX2010-MB1, HO-EX2010-MB2}
If you are running a single AD Site in your organization the CAS Array name and FQDN can be anything you like, however if you’re running multiple sites then you will need to put some thought into a naming standard for your CAS Arrays so that each one is unique.
Configuring the DNS Record for the Client Access Server Array
The next step is to configure a DNS A record for the FQDN you specified when creating the CAS Array object.
DNS A record for the Exchange 2010 CAS Array
Configure the RPCClientAccessServer Attribute on Mailbox Databases
The final step is to configure the mailbox databases with the correct RPCClientAccessServer attribute. It is this attribute that Outlook looks up to determine which RPC Client Access Server to connect to for a given mailbox.
The attribute is set automatically when the mailbox database is created to either:
- The CAS Array name if one already exists in the AD Site
- The FQDN of a Client Access server in the AD Site
You can see from this that it is wise to configure the CAS Array object first before creating mailbox databases, or at the very least creating the CAS Array object and updating the mailbox databases before deploying mailbox users to those databases.
You can check the existing settings by running the Get-MailboxDatabase cmdlet.
[PS] C:\>Get-MailboxDatabase | select name,rpcclientaccessserver | ft -auto Name RpcClientAccessServer ---- --------------------- MB-HO-01 HO-EX2010-MB1.exchangeserverpro.net MB-HO-02 HO-EX2010-MB1.exchangeserverpro.net MB-BR-01 BR-EX2010-MB.exchangeserverpro.net MB-HO-03 HO-EX2010-MB1.exchangeserverpro.net RDB-HO-01 HO-EX2010-MB1.exchangeserverpro.net
To update the RPCClientAccessServer attribute for a mailbox database run the Set-MailboxDatabase cmdlet.
[PS] C:\>Set-MailboxDatabase MB-HO-01 -RpcClientAccessServer outlook-ho.exchangeserverpro.net
High Availability for Exchange 2010 Client Access Server Arrays
As I mentioned earlier one of the benefits of the CAS Array is that is enables the RPC Client Access Server service to be made highly available.
The configuration of the CAS Array itself is the same, however instead of pointing the DNS record at the IP address of a single Client Access server you would point it at the virtual IP of a load balanced array of servers.
Exchange 2010 load balanced CAS Array
The load balancing can be achieved in multiple ways:
- By deploying a Windows Network Load Balancing (NLB) cluster for the Client Access Servers
- By deploying a virtual or hardware-based load balancer appliance
Best Practices for Exchange Server 2010 CAS Arrays
Because of the behaviour of the mailbox databases and their RPCClientAccessServer attributes, and how this is handled by different Outlook versions, it is considered best practice to:
- Always configure CAS Arrays in your Exchange 2010 sites
- Configure the CAS Array before you provision mailbox databases or mailbox users to Exchange 2010 in that site
Microsoft themselves recommend this as a best practice.
We recommend that you create a Client Access server array even if you only have a single Client Access server within your organization.
This has several benefits, such as:
- making it easy to scale out the CAS Array name to multiple Exchange 2010 Client Access servers
- making it simpler to replace a Client Access server with a new one of a different name
- migrating the MAPI endpoint to future versions of Exchange Server
About Paul Cunningham
You mention that it is wise to create the CAS array object before creating the mailbox databases. What if you already have an Exchange environment in place and want to implement a CAS array for high availability of the RPC Client Access Server?
Implement the CAS array as normal, then update the RPCClientAccessServer attribute on the mailbox databases. You’ll then need to use a script or other method to get the Outlook profiles to update to the new name.
Excellent article. Looks like I will be drilling into some of the other Related Articles to answer some of the questions that this one produced.
Excellent article. your articles are awesome . Please keep it up.
Hello,
I’d like to add something in the part with the recommendations. It appears that the scenario with Windows NLB is not reliable and MS don’t recommend it for production environments. They said it many times on the last TechEd sessions in 2011.
NLB isn’t as good (in many ways) as a proper load balancer, that is correct.
This is a very good TechEd presentation on the topic:
http://channel9.msdn.com/Events/TechEd/Australia/Tech-Ed-Australia-2011/EXL304
Hi Paul,
Can you share script or method to update existing outlook profile to recieved failover features.
recenetly i have added HUB/CAS node in CASARRAY in Exchange 2010 and now i want all users profile to get recieve features of failover. I changed Database RPCClientAccess attribute but still users are getting connect to single node only instead of CASARRAY.domain.com.
I paul can i have Mutiple Cas array internet Facing in single forest single domain architecture
In a small environment, is it possible to setup the CAS array on two Exchange servers that will also host the hub and mailbox roles configured as a DAG? Essentially getting high availability with only two servers?
Yes, but you need to use a hardware load balancer. NLB can’t be used on DAG members.
So setting up the CAS array and specifying the DAG FQDN which point to both servers won’t work? Figures, nothing is ever easy. Any recommendation for a hardware load balancer for a fairly small network of ~200 workstations and no Internet connectivity?
“So setting up the CAS array and specifying the DAG FQDN which point to both servers won’t work?”
You’re mixing terminology. The CAS Array has its own DNS entry. That DNS entry resolves to an IP address, whether it be the IP address of a single Client Access server, or it could be the virtual IP address provided by some load balancing technology (either NLB or Hardware LB).
The CAS Array, in the sense of Exchange 2010 and how Outlook clients connect, performs the role of “RPC Client Access Server”, which is the RPC/MAPI endpoint that Outlook clients on the network connect to for their mailbox access.
Although the DAG does have its own DNS entry, clients don’t point to it.
Edit: take a look at Kemp for load balancers, they have affordable low-end options including virtual appliances.
First let me say thank you so much for the great site and your quick replies. Been doing a bunch of reading and see that the best solution is to get 2 more licenses so I can have 2 CAS/HUB servers load balanced and 2 mailbox servers in a DAG. And from teched I see that it’s recommended to use hardware load balancing in a single arm SNAT config instead of WNLB; more pain. I just keep coming back to the idea that since setting up a DAG on 2 servers that have the CAS/HUB/MBX roles result in the two servers being configured in a failover cluster with the DAG virtual IP and FQDN why wouldn’t it be possible to assing that same FQDN to the CAS array so that when a failover occurs the CAS array would resolve to the active server? I know that using failover clustering was ok with IIS in server 2000 but no longer recommended in server 2003. At this point I’m either looking at trying to get funding for a load balencer and more licenses, testing using the DAG FQDN for the CAS array, or deploying as non highly available for now. Any thoughts on deploying a single CAS/HUB and MBX server with an upgrade later vs. waiting a few months to get extra licenses and a load balancer?
“the best solution is to get 2 more licenses so I can have 2 CAS/HUB servers load balanced and 2 mailbox servers in a DAG”
NLB isn’t necessarily the *best* option, it is just one option. I recommend watching this presentation from TechEd which should help with your decision making:
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/EXL307
” I just keep coming back to the idea that since setting up a DAG on 2 servers that have the CAS/HUB/MBX roles result in the two servers being configured in a failover cluster with the DAG virtual IP and FQDN why wouldn’t it be possible to assing that same FQDN to the CAS array so that when a failover occurs the CAS array would resolve to the active server?”
Because it doesn’t work that way. Even when Exchange roles are combined on the same server you need to still consider each role separately.
The CAS array name and IP are separate entities to the DAG name and IP. They can’t be the same.
“testing using the DAG FQDN for the CAS array”
Let me save you the trouble – it won’t work.
“Any thoughts on deploying a single CAS/HUB and MBX server with an upgrade later vs. waiting a few months to get extra licenses and a load balancer?”
Yes, this is completely fine. The bare minimum you should do is create the CAS Array object, create the DNS entry for it, and point that DNS entry at a Client Access server. It doesn’t need to be a load-balanced Client Access server, later on you can update the DNS to point to a load-balanced IP address instead and it will work seamlessly.
Same goes with the Mailbox servers. You can deploy single Mailbox servers and run them in production and then later create a DAG and add those servers as members of the DAG, again it is a seamless change. Microsoft refers to this as “incremental deployment”.
Some of these concepts don’t make total sense until you’ve run through the deployment yourself, so I do recommend you play around in a test lab and experience the setup of CAS Arrays and DAGs first hand.
Just remember, each server role operates independently even when combined on a single server. CAS Arrays and DAGs are separate entities – they can exist independently of each other, or they can exist in combination with each other, but they remain separate.
Oh, let me also explain. These two servers are virtual on a 3 node Hyper-V cluster. Might make load balancing them a little harder. Guess I need to get two more Exchange licenses and setup 2 CAS servers in an NLB config or will a hardware load balancer work with virtual machines?
There’s nothing about virtualization that impacts the ability to use NLB or a hardware load balancer.
If you’re going to virtualize your Exchange just go and read the best practices guidance from Microsoft, which is detailed and important.
Thanks again for all your help. After several hundred pages of reading today, and meticulously removing the 2 servers I created (wow what a pain removing the last arbitration mailboxes), I think I understand what is going on here. Please confirm if you will. A CAS array is nothing more than an AD object that you create to point to an IP address. Wow, that is a very misleading name. You have to actually create an NLB array and then create the CAS array and point it at the NLB virtual IP address. Assuming that is correct, I need to create the first server with a CAS and HT role. Add NLB along with setting up AD and DNS stuff. Then create a server with the MB role. At a very high level of course? Nothing like a Friday to try it all again after wasting the rest of the week. Wish I had a test lab; kind of scary doing this stuff on the live network.
You’re on the right track. And you’re also discovering that it isn’t always as simple as just uninstalling and trying again. I cannot recommend strongly enough that you do some practice in a test lab first. This is not something to be learning by messing around in live production environments.
To answer your other point, yes I think the term “CAS Array” has caused a lot of confusion for people these last couple of years. I am expecting to see the terminology change in the next version of Exchange Server to make things clearer.
Pual Can we have mutiple internet facing CAS array
The CAS Array relates to the RPC Client Access Server, which is for internal RPC/MAPI connectivity only. It isn’t an internet-facing service.
Paul if I have 2 HUB/CAS & 2MBX IN DAG For geographical locations Site A has different smtp domain site b has different smtp domain Can we achive mutiple locations with different Cas array .
Well internet facing as hub /cas role will be in NLB mails for respective locations and MX will be pointed to ISP Antispam which will forward mails to respective sites HUB servers
Paul,
I cannot find anything about CAS arrays and multiple DAG’s. We have a large organization with 4 DAG’s within one AD site (44 multi role Exchange servers).
I know I can have only one CAS array per site, but is there also a limitation on the amount of DAG’s within one CAS array?
I guess it is not related and therefore not an issue but I want to be sure about it.
A DAG doesn’t exist “within” a CAS Array, they are separate entities. Yes, you can have multiple DAGs, it is not a 1:1 relationship with CAS Arrays.
Paul,
We currently have a single site, single CAS/HUB server (no array). RPCClientAccessServer points to hostname of CAS/HUB server. What’s the recommended approach to create a CAS array? Add second CAS/HUB and create array? Or add two new CAS/HUB’s and create array with them and then decommission original CAS/HUB?
We would like to do this without changing RPCClientAccessServer attribute. I would think that would rule out the first approach (using current CAS/HUB server and adding second C/H sever and creating array) as the RPCClientAccessServer points to FQDN of first C/H. We wouldn’t be able to point CAS array name to same name as first C/H server, correct?
Thanks for any input you may have.
Nice one.
Also, CAS array is tied to per AD site hence it doesn’t cross the bounder of its own AD site.
Would CAS array still function if one of CAS array member located at the at the branch office linked by persistent VPN whereby the Exchange server has the same network address of the CAS array in the head office?
The “members” attribute of the CAS Array object (as seen when you run Get-ClientAccessArray) is a bit misleading. You should only think of it as “the Client Access servers that are in the AD site for this CAS Array”. It actually has no bearing whatsoever on the HA or load balancing.
If you can load balance the IP address associated with your CAS Array across multiple physical sites then it will work, but it brings into play a lot of additional concerns such as latency and reliability of the link between the sites. It also complicates some failure scenarios.
Excellent article.
How can I update my user’s outlook profile after creating CAS array?
Thank You..
Great article. I have been trying to figure out a better way to handle datacenter swithcover/failover on the CAS side. I have 2 sites with a single server with all roles on each. I know a cas array can only be created in a single AD site, I was wondering if I could do this between production and DR sites if I were to make a single AD site instead of the now two AD sites. The cas server role would still resolve to two different IP subnets and not sure if that is a limitation..
Objective would be to make datacenter failover easier so that I would not have to change the rpccleintaccesarry setting manually.
Dear Paul,
I have setup NLB cas array and woking fine in LAN but I am not able to access cas array from my remote site.
can you help me to resolve this issue.
Thanks
Danushka
Read this and perform the netsh configuration it describes:
http://exchangeserverpro.com/how-to-install-an-exchange-server-2010-client-access-server-array
Thanks Paul,
I did it as you mentioned by site. cas array ip able ping from my remote site
thanks for support.
Regards,
Danushka
HI Danushka,
I have configured 2 exch 2013 on 2 diff’nt windows box’s.And i need to map this 2 exch mail database to one of my vip address..Please find the below details.
1.ipadd : 192.168.0.1 (ADS,DNS)
2.ipadd : 192.168.0.2 (Member of domain,Exch 2013)
3.ipadd : 192.168.0.3 (Member of domain.Exch 2013)
4. ipadd : 192.168.0.4 (VIP address)..I need to map 192.168.0.2.& 192.168.0.3 mail database to 192.168.0.4 (This is my vip address).Please let me know..
Regards,
Prashant
Read the part of the article about the RPCClientAccessServer attribute.
Hi Paul,
Please find below erroer.
PS C:\Program Files\Microsoft\Exchange Server\V15\Scripts> Get-MailboxDatabase
Get-MailboxDatabase : The term ‘Get-MailboxDatabase’ is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:1
+ Get-MailboxDatabase
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MailboxDatabase:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Use the Exchange Management Shell.
Hi Paul,
Thanks for Suggestions.But getting.
[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>New-ClientAccessArray -Fqdn vip.lb.cas.com -Site Default-Fir
st-Site-Name
New-ClientAccessArray : The term ‘New-ClientAccessArray’ is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At line:1 char:1
+ New-ClientAccessArray -Fqdn vip.lb.cas.com -Site Default-First-Site-Name
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (New-ClientAccessArray:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Regards,
Prashant
Hi Paul,
I am trying out this below cmd.
Get-ClientAccessArray
New-ClientAccessArray -Fqdn xyz.com -Site Default-First-Site-Name
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer
xyz.com
Set-MailboxDatabase cmdlet with –Identity ‘mailbox database name’
Regards,
Prashant
Dear Paul,
we are going to install exchange 2010 on exchange 2007 environment for our company and I have some doubt about installation of exchange 2010.
we Purchased HP DL 380 G8 server (8core/32GB). kindly advise what would be the best implementation from below options
Option 1
Windows 2012 Hyper-V – HOST
TWO VMs
1.Windows 2008 R2 64bit standard with exchange 2010 (CAS/HT)
2.Windows 2008 R2 64bit Enterprise with exchange 2010 (MBX)
Option 2
Single windows 2008 R2 64bit Enterprise with exchange 2010 CAS/HT/MBX
Kindly advise.
Thanks
Dansuhka
Excellent article…
Hi All,
Let me just bring my issue with KEMP, we are new to KEMP Load Balancer and finding some issue in getting the cas array work in branch office and vpn users.
Kindly find my infrastructure as below,
Mailbox Server 2 No’s
CAS Server – 2 No;s
Load Balancer – 1 No;s ( VM)
My outlook in LAN network is working perfect with KEMP LB, but i have issue with accessing outlook from my branch Office and VPN users. We are able to ping the LB IP and virtual server and all exchange servers.
But or mailbox are not resolving.
Kindly help me to solve the issue., we are planning to KEMP LB 2200 Hardware once we finish setup.
LAN Subnet 192.168.2.0/24
Branch Office – 192.168.27.0/24
Kindly help us to fix this issue and looking for solution or Trouble shooting tips.
Regards,
Jinu
Have you contacted Kemp support? I’m sure they’d love to help you get your new load balancers up and running.
Yes, i am i think they are not working today, i may get a answer by tomorrow.
Hi Paul,
I have upgrade my active directory from window server 2003 to server 2012. and I am using exchange server 2013 but I have facing some issue with outlook 2010,outlook 2013.When I am manually configure exchange accounts on my outlook 2010 its giving error “cannot open your default email folder. You must connect to Microsoft exchange with the current profiles before you can synchronize your folders with your outlook data file (.ost)”. But its working with OWA and pop3 but not working with outlook. I have try everything like I turn off cached Exchange mode, setting the email account to not cache does not resolve the issue and I get error message – “Cannot open your default e-mail folders. The file (path\profile name).ost is not an Outlook data file (.ost) again. Very odd since it creates its own .ost file when you run it for the first time.
I have also check RPCClientAccessServer and its pointing to right mailbox database but no luck and outlook only work in RPC over https, but not working when you configure it manually. Can you please help me on this issue.
Any help would be greatly appreciate
Hi Paul,
We currently only have one Active Directory site. However, we will soon be creating another Active Directory site. I am planning on moving one of my existing Client Access Servers to the new Site. Will I be able to remove that server from the current Client Access Array and add it to the new array in the new site? If so, are there any special cmdlets I need to run or will it update itself once it’s in the new IP space and DNS is updated accordingly?
Thank you,
Doug
I’m not sure actually. I assume it automatically adjusts for the change, but I’ve never tested it.
Regarding “still connect directly to mailbox servers for public folder access”. So does this mean that if the server with the primary copy of the mailbox database in a DAG is down, it doesn’t matter if you have a CAS Array as far as public folders are concerned? You can send/receive mail thanks to the CAS Array object, a hardware load balancer and a DAG setup, but not access the public folders?
There’s a bunch of mixed concepts in that question.
1) Public folders are not part of a DAG, though they can exist on a mailbox server that is a DAG member. If a server hosting a public folder database goes down, and there are no other PF replicas available, then PFs are unavailable.
2) Outlook clients communicate directly with the mailbox server for public folders, not via the CAS array.
3) CAS Array (or Client Access server for that matter) is not responsible for send/receive mail flow. That is the role of the Hub Transport server.
Paul -
Thanks so much for your reply. Yes, I should have been much more specific. What I’m finding is that in our environment, we have two Exchange 2010 servers that hold the CAS, HT & Mailbox (in DAG) roles. We have a hardware load balancer for the CAS Array address. If I shut down the server that holds the primary copy of a mailbox database, due to the DAG and the timeout setting on my load balancer, Outlook stays connected and I can still send/receive messages. However, Outlook continues to freeze because it is trying to connect to the public folders (I can see that by looking at the Connection Status dialog). I just thought that was odd and makes Outlook a little unusable in that situtation?
If your public folders are down Outlook will have problems, simple as that. You’ll need to look at providing HA/resilience for your public folders as well.
In this case, the public folders are not down. Simply the primary mailbox server, even though it is a member of a DAG. Am I correct in understanding that Outlook will always try to connect to the public folders via the primary mailbox server for whatever database your mailbox is on? In that case, it wouldn’t matter if the public folders were up or down. Am I confused?
Outlook will connect directly to the mailbox server that hosts the public folders regardless of where the mailbox is hosted.
If you bring up Outlook’s “Connection Status” box (CTRL+Right Click the Outlook icon in the system tray) you’ll see the connections that have been established.
Your articles are very well written, thank you for a great resource.
Hi Paul,
The resource is great, however I can’t find the specific information I need anywhere, currently the environment is:
2 x CAS, HT and MBD roles installed on 2 DC’s
I want to get these removed and have 2 x CAS/HT Servers and 2 x MBD Servers all on Member Servers rather than DCs
the existing CAS aren’t configured in an Array and hopefully will be decommissioned in the future.
I have setup a new Server with CAS and HT roles installed and want to set it as an array.
my questions are:
1. What settings do I need to copy across to the new CAS/HT server from the old CAS/HT server?
2. Do I need to copy the certificates across and install them?
3. Setting it as an CAS array will existing accounts loose connectivity?
Any help would be much appreciated.
Regards,
Paul
1. It depends which services you’re running via the load balancer. For RPC/MAPI there is nothing really to configure. But if you also plan to load balance OWA, ActiveSync etc then you should make sure they are configured consistently (eg same authentication settings, external URLs).
2. For RPC/MAPI purposes there is no certificate required. But again if you plan to load balance other services that run on HTTPS then yes, each server needs an SSL cert with the correct names on it. That can be the same cert or two different certs.
3. No.
Hi Paul,
Thanks for the response, really helpful.
1. Yes, I’m planning to load balance OWA, ActiveSync etc
2. Yes, again will be load balancing https services such as Outlook Anywhere.
Was originally looking at doing the CAS across two virtual servers and the DAG across two virtual servers so 4 virtual servers in total, however have just read the Kemp Load Balancing article and if cost isn’t prohibitive I may look to do the load balancing that way.
3. Excellent, thanks
Regards,
Paul
Hi All,
can any help me if any setting need to do for accessing public folder in a setup where we use KEMP Load Balancer.
Right now we are not able to access public folder ( Exchange 2010 Public Folder)
Regards,
Jinu
Public Folder connections are made directly to the server, not via the CAS Array.