Load-balancing Microsoft Exchange with nginx+ – Part 4: Configuring Microsoft Exchange

nginxIn part 3 of this series I configured nginx+ to support Microsoft Exchange.

In this part, I configure Microsoft Exchange 2010/13.

Other articles in the series:

  1. Installing and configuring keepalived
  2. Installing nginx+
  3. Configuring nginx+ for Microsoft Exchange
  4. Configuring Microsoft Exchange
  5. Tidying up

The Exchange environment consists of the following:

  1. 3 sites (2 in Amsterdam, 1 in London, 1 DR (Southport, UK))
  2. 2 Windows 2008 R2 domain controllers (core) (1 in Amsterdam, 1 in London)
  3. 11 Exchange 2010 SP3 RU9 servers
  4. 3 client access servers (2 in Amsterdam, 1 in London)
  5. 3 hub transport servers (2 in Amsterdam, 1 in London)
  6. 5 mailbox servers (3 in Amsterdam, 2 in London)
  7. 2 Forefront Threat Management Gateway 2010 servers (1 in Amsterdam, 1 in London)
  8. 1 Windows 2008 R2 landing pad (for administration)

Background information

The Exchange solution I have designed is based on the concept of a production and resource domain.  All user accounts are hosted in the production domains (nl.mdb-lab.com and uk.mdb-lab.com), and all Exchange-related objects reside in the resource domain (mail.mdb-lab.com).  A trust exists between the two  forests, and accounts are linked to mailboxes.

Whilst there are many advantages to this design, it does add extra complexity and there are simpler ways to bring Exchange to the organisation.

The first disadvantage is in the choice of name I made for the resource domain.  Ideally I wanted to use a consistent name across the estate for all services – mail.mdb-lab.com.  Unfortunately with DNS stub domain created to support the forest trust won’t allow this – any request for mail.mdb-lab.com will also return the IP addresses of the two domain controllers in the resource domain.  The only way around this it to configure internal hosts to use outlook.mail.mdb-lab.com and use mail.mdb-lab.com for external clients.  In hindsight I wish I had of named the domain exchange2010.mdb-lab.com.

At first the aim is to load-balance Exchange front-end traffic for users in Amsterdam for both Outlook Web App and the Outlook client. Exchange ActiveSync will also benefit from this additional layer of redundancy, along with using TMG to publish this to external users.

First, create an A record in DNS to point to the load-balanced address:

dnscmd dc1.mail.mdb-lab.com /RecordAdd mail.mdb-lab.com outlook A 172.17.80.13

For inbound SMTP from the internet, mail will come from the Exchange 2010 Edge server in the DMZ. However if you want to take advantage of the load-balanced address for sending email internally then another DNS entry is preferred:

dnscmd dc1.mail.mdb-lab.com /RecordAdd mail.mdb-lab.com smtp A 172.17.80.13

Using the Exchange Management Shell, create a new client access array on your Exchange server:

New-ClientAccessArray -Name "outlook.mail.mdb-lab.com" -fqdn "outlook.mail.mdb-lab.com" -site Amsterdam

Configure the RpcClientAccessServer attribute on the mailbox database:

Set-MailboxDatabase DB1 -RpcClientAccessServer "outlook.mail.mdb-lab.com"

You can check this by using:

Get-MailboxDatabase | select name,rpcclientaccessserver | ft -auto

If done correctly that should show:
RpcClientAccess
When the Outlook client communicates with the Client Access Servers it does so by first connecting the TCP Endpoint  Mapper on tcp/135.  After that, it chooses a port from the dynamic RPC port range (6005-59530).  For load balancing to work, we need to restrict this to as few ports as possible.

We do this by setting the ports in the registry for the Exchange RPC and Address Book services.

Create the following registry keys on each CAS in the site using:

reg add HKLM\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters /v RpcTcpPort /t REG_SZ /d 60001
reg add HKLM\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem /v "TCP/IP Port" /t REG_DWORD /d 60000

Reboot each CAS and verify the ports are in place using Netstat:

netstat -an -p tcp | find "60000"

Finally, configure Outlook and connect to Exchange.  The connection status should box should show a connection to the RPC port configured previously:

Outlook connectivity

That’s it for the Exchange configuration.  In part 5 I tidy up a few things before the solution can be put live.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s