Separate certificate at DR site

  • Question

  • We are on Exchange 2010 SP2 with 2 CAS + 2 MBX at the primary site. Everything is working normally at the primary site. Now we are introducing a DR site, which we will use in case of disaster with a manual switchover procedure.

    My question, from a certificate point of view, is about dedicating a separate certificate to the DR site.

    Certificate at primary site:

    URL: primary.abc.com

    Autodiscover.abc.com

    Secondary site URL: failover.abc.com

    As the primary site is working in production, we don’t want to play with its certificate by requesting that the failover URL be added to the existing certificate. So I will generate a new certificate for the DR site with the SAN names failover.abc.com & autodiscover.abc.com using the Windows CA server.

    Kindly advise whether the above will work for clients, for autoredirection & proxy requests, whenever a manual switchover or automatic failover happens.

    Friday, October 19, 2012 6:22 AM
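
The request the poster describes (a DR-site certificate with failover.abc.com and autodiscover.abc.com in the SAN list, issued by a Windows CA, enabled only on the DR Client Access Server) can be done from the Exchange Management Shell as follows. This is an added example and not code from the thread; the server name DRCAS01, the request and certificate file paths, and the O/C fields of the subject are assumed placeholders, while the DNS names are the ones from the question. The final step is the check a practitioner wants before cutover: every host name configured on the DR CAS virtual directories must be present in the certificate, or clients will get name-mismatch warnings after a switchover.

```powershell
# Added example (not from the thread). Run from the Exchange Management Shell on
# an Exchange 2010 server. DRCAS01, the request/certificate paths and the O/C
# fields of the subject are assumed placeholders; the DNS names are the thread's.
$drCas = "DRCAS01"

# 1. Generate a request whose SAN list covers every name the DR site will answer
#    to: failover.abc.com as the DR namespace and autodiscover.abc.com so that
#    Autodiscover still validates once DNS is repointed during a disaster.
$req = New-ExchangeCertificate -Server $drCas -GenerateRequest `
    -SubjectName "CN=failover.abc.com, O=ABC, C=US" `
    -DomainName failover.abc.com, autodiscover.abc.com `
    -PrivateKeyExportable $true -FriendlyName "DR site CAS certificate"
Set-Content -Path "\\$drCas\C$\certreq\failover.req" -Value $req

# 2. Submit failover.req to the Windows CA (Web Server template), save the issued
#    certificate as C:\certreq\failover.cer on the DR CAS, then import it there.
Import-ExchangeCertificate -Server $drCas -FileData ([Byte[]](Get-Content `
    -Path "\\$drCas\C$\certreq\failover.cer" -Encoding Byte -ReadCount 0))

# 3. Bind the new certificate to IIS and SMTP on the DR CAS only. The primary
#    site keeps its existing certificate untouched, which is the poster's goal.
$cert = Get-ExchangeCertificate -Server $drCas |
    Where-Object { $_.Subject -like "CN=failover.abc.com*" -and $_.Status -eq "Valid" } |
    Select-Object -First 1
Enable-ExchangeCertificate -Server $drCas -Thumbprint $cert.Thumbprint -Services IIS, SMTP

# 4. Verify: every host name used by the DR CAS URLs must appear in the
#    certificate's SAN list, otherwise clients get name-mismatch warnings.
$sanNames = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$urls = @(
    (Get-OwaVirtualDirectory -Server $drCas).InternalUrl
    (Get-OwaVirtualDirectory -Server $drCas).ExternalUrl
    (Get-WebServicesVirtualDirectory -Server $drCas).InternalUrl
    (Get-WebServicesVirtualDirectory -Server $drCas).ExternalUrl
    (Get-ClientAccessServer -Identity $drCas).AutoDiscoverServiceInternalUri
)
$hosts = $urls | Where-Object { $_ } | ForEach-Object { $_.Host } | Sort-Object -Unique
$missing = $hosts | Where-Object { $sanNames -notcontains $_ }
if ($missing) {
    Write-Warning "DR CAS URL name(s) not covered by the certificate: $($missing -join ', ')"
} else {
    Write-Host "All DR CAS URL names are covered by the certificate SAN list."
}
```

Step 4 is worth running again after any later change to the DR virtual directory URLs; the SAN list is fixed at issuance, so a new host name on a URL means a new request, not an edit.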

Answers

  • There are different scenarios. It seems you're talking about automatic failover between sites while both sites are Internet facing.

    If you access from external, it will be redirected. Yes, you need different namespaces for the 2 sites.

    Proxy is used in a different scenario: if your DR site is not Internet facing, then it does not have an external URL. The primary site will do the proxying, and the internal URLs for both sites must be different.

    In summary, since there is CAS-CAS communication between the 2 sites, they must have different names, either as internal URL or external URL.
    Monday, October 22, 2012 2:58 PM
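
The two cases in the answer (DR Internet facing with redirect on distinct external URLs, or DR not Internet facing with the primary proxying on distinct internal URLs) come down to how the DR virtual directories are configured and whether any host name is shared between the sites. The following Exchange Management Shell script is an added example, not code from the thread: it sets the DR OWA/ECP namespace for both variants and then audits both servers for a name that appears on both sides, which is the condition that defeats CAS-to-CAS redirect or proxy. PRICAS01 and DRCAS01 are assumed server names; the DNS names are the thread's.

```powershell
# Added example, not from the thread. Exchange Management Shell, Exchange 2010.
# Server names are assumed placeholders; the DNS names are the ones in the thread.
$primaryCas = "PRICAS01"
$drCas      = "DRCAS01"

# Variant A: the DR site is Internet facing (the poster's plan). Give the DR CAS
# its own internal and external namespace so the primary CAS can redirect to it.
Set-OwaVirtualDirectory -Identity "$drCas\owa (Default Web Site)" `
    -InternalUrl "https://failover.abc.com/owa" -ExternalUrl "https://failover.abc.com/owa"
Set-EcpVirtualDirectory -Identity "$drCas\ecp (Default Web Site)" `
    -InternalUrl "https://failover.abc.com/ecp" -ExternalUrl "https://failover.abc.com/ecp"

# Variant B: the DR site is not Internet facing. Leave ExternalUrl empty on DR;
# the primary CAS proxies, and only the InternalUrl must differ from the primary's.
# Set-OwaVirtualDirectory -Identity "$drCas\owa (Default Web Site)" `
#     -InternalUrl "https://failover.abc.com/owa" -ExternalUrl $null

# Collect every host name a CAS answers on, per virtual directory and URL type.
function Get-CasNamespaces([string]$server) {
    $vdirs = @(
        Get-OwaVirtualDirectory -Server $server
        Get-EcpVirtualDirectory -Server $server
        Get-WebServicesVirtualDirectory -Server $server
        Get-OabVirtualDirectory -Server $server
        Get-ActiveSyncVirtualDirectory -Server $server
    )
    foreach ($v in $vdirs) {
        foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) {
            if ($u) {
                New-Object PSObject -Property @{ Server = $server; Vdir = $v.Name; Host = $u.Host }
            }
        }
    }
}

$primaryHosts = Get-CasNamespaces $primaryCas | Select-Object -ExpandProperty Host
$drHosts      = Get-CasNamespaces $drCas      | Select-Object -ExpandProperty Host

# A name used by both sites defeats CAS-to-CAS redirect/proxy: a primary CAS
# cannot send a client from mail.abc.com to mail.abc.com.
$shared = $primaryHosts | Where-Object { $drHosts -contains $_ } | Sort-Object -Unique
if ($shared) {
    Write-Warning "Namespace(s) configured on both sites: $($shared -join ', ')"
} else {
    Write-Host "Primary and DR sites use distinct namespaces; redirect/proxy can work."
}
```

If the audit reports autodiscover.abc.com as shared that is expected, since the poster's DR certificate carries that name on purpose; the names that must differ are the per-site service URLs such as the OWA, ECP, EWS, OAB and ActiveSync ones listed by the function.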

All replies

  • How about your OWA? You don't want your users to use a different URL in a DR situation, right? So both certs should contain the name owa.abc.com.

    Friday, October 19, 2012 6:57 AM
  • mail.abc.com 1.1.1.1
    failover.abc.com 2.2.2.2

    During normal conditions we will use separate URLs: mail.abc.com at primary & failover.abc.com at the DR site.
    So say my mailbox moves from primary to DR but the primary site is working; then OWA will redirect or proxy the request to the DR CAS.

    In a disaster situation where the primary site is not available, I will change the pointing in internal & public DNS so that mail.abc.com points to 2.2.2.2.

    Using separate certificates for primary & DR should not cause any problem for autoredirection & proxy... right?

    Friday, October 19, 2012 7:13 AM
  • Yes. Using separate certs will not cause any problem as long as you manage the subject/SAN names properly.
    Friday, October 19, 2012 7:27 AM
  • Are they two different AD sites? Will it be an active/active DAG?

    These determine the certs as well.


    Rajith Enchiparambil | http://www.howexchangeworks.com

    Friday, October 19, 2012 7:33 AM
  • Hi Rajith,

    Yes, two different AD sites: one for the primary working site & a DR site for disaster recovery.

    The DAG will be active-passive. Only the primary site will have active copies of the DBs at any given time. We will manually switch over the DBs to DR in case of disaster.


    Friday, October 19, 2012 7:40 AM
  • Hi Rajith,

    Can you briefly explain what the difference would be between using the single namespace model & the different namespace model? I.e. in our case we have separate namespaces, with primary mail.abc.com & DR failover.abc.com. So if only one DB moves to DR & the primary site is functional, the CAS at primary will redirect/proxy the request to the DR site CAS, from mail.abc.com to failover.abc.com.

    But if you consider the same case for the shared namespace model: if a mailbox moves from primary to DR, does mail.abc.com at primary redirect to mail.abc.com at DR? If yes, then I think the configuration of the shared namespace model sounds easy. Are there any features I miss out on if I use the shared namespace model?

    Thanks

    Friday, October 19, 2012 6:16 PM
  • Can somebody help me with the above queries?
    Sunday, October 21, 2012 4:22 AM
  • How are you planning to fail over OWA\OA?

    This determines the certs as well.


    ExchangeGeek

    (MCITP,Enterprise Messaging Administrator)


    Sunday, October 21, 2012 7:33 AM
  • Yes. Firstly I want to understand what the difference will be in the failover/switchover process when choosing a shared namespace vs. multiple namespaces.
    How is failover within site possible if one chooses a shared namespace? As mail.abc.com is pointed to the primary site only, how will it redirect requests to the DR site?

    I read that implementing a shared namespace is easier to configure than different namespaces; how?

    What is the ideal choice for configuring a DR strategy? Single or different namespaces?

    Sunday, October 21, 2012 12:52 PM
  • It would be better to ask simple/small questions in a forum. If you ask something big, what others can help with could possibly be pointing you to a general article that addresses the common situation instead of your environment.
    Sunday, October 21, 2012 12:57 PM
  • Yes, agreed. Can you redirect me to an article that describes the difference between the shared namespace site resiliency design & the different namespace DR design?

    I want to understand: if one chooses a single namespace as mail.abc.com, & consider that only one DB moves to the DR site, is redirection possible in this case?

    Because in DNS mail.abc.com will be pointed to the primary site, but in case of failover the CAS at primary needs to redirect the request to the CAS at DR. Can you comment, please?

    Sunday, October 21, 2012 1:17 PM
  • > Yes. Firstly I want to understand what the difference will be in the failover/switchover process when choosing a shared namespace vs. multiple namespaces.
    > How is failover within site possible if one chooses a shared namespace? As mail.abc.com is pointed to the primary site only, how will it redirect requests to the DR site?
    >
    > I read that implementing a shared namespace is easier to configure than different namespaces; how?
    >
    > What is the ideal choice for configuring a DR strategy? Single or different namespaces?

    http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/5eca7dba-528e-4a6e-b056-44e4aff1f514/

    http://blog.morecoffeeany1.com/2010/03/25/external-ha-failover-in-multiple-internet-facing-exchange-2010-sites/


    ExchangeGeek

    (MCITP,Enterprise Messaging Administrator)



    Sunday, October 21, 2012 1:17 PM
  • > Yes, agreed. Can you redirect me to an article that describes the difference between the shared namespace site resiliency design & the different namespace DR design?
    >
    > I want to understand: if one chooses a single namespace as mail.abc.com, & consider that only one DB moves to the DR site, is redirection possible in this case?
    >
    > Because in DNS mail.abc.com will be pointed to the primary site, but in case of failover the CAS at primary needs to redirect the request to the CAS at DR. Can you comment, please?

    If you plan to do redirect, you definitely need separate namespaces. You can't redirect from mail.abc.com to mail.abc.com.
    Sunday, October 21, 2012 1:26 PM
  • Yes, i.e. that is where my confusion was.

    So if one doesn't want autoredirection/proxy capability to the DR site (automatic failover), one can simply use a shared namespace & configure the same CAS URLs (OWA, OAB, ... mail.abc.com) at primary as well as DR.
    In case of DR one will then point mail.abc.com to the DR site, correct? The manual switchover process will be simpler in this case & the certificate will be common for primary as well as DR.

    But in the other case, where a user mailbox moves to the DR site & the user should be redirected/proxied to the DR CAS, a different namespace is required. Right?
    The certificate will be different for both sites:
    mail.abc.com
    autodiscover.abc.com
    failover.abc.com

    Correct?

    Sunday, October 21, 2012 1:37 PM
  • Your term DR seems to be misleading. The common scenario is that DR is only activated when disaster hits the primary site. Hence all services will be activated manually on the DR site. The primary site will be totally disabled.
    Sunday, October 21, 2012 1:41 PM
  • Yes, but redirection will be required in the case where the storage connectivity where the DBs are stored goes down at primary & the CAS and MBX servers are available.

    In that case the DB will get activated in DR & user requests will get redirected/proxied to the DR CAS. As per my understanding, redirect/proxy is not possible with a shared (single) namespace.

    Also one question: with different namespaces, mail.abc.com at primary & failover.abc.com at DR, do we need to create a public DNS entry for failover.abc.com pointing to the DR CAS for redirect/proxy to work, whereas in the internal DNS server at primary failover.abc.com is pointed to the private IP address of the DR CAS server?

    Monday, October 22, 2012 11:51 AM
  • (Accepted answer; shown above under Answers.)
    Monday, October 22, 2012 2:58 PM
  • Thanks, understood.
    In our case we have a dedicated private VPN between the primary & DR sites. I will publish the MX record mail.abc.com using the public IP pointing at primary, and create a DNS entry in the internal DNS server for failover.abc.com pointing to the DR site for failover/proxy requests.

    In case of DR I will change the MX pointing so that mail.abc.com points to the public IP of the DR site & do a manual switchover.

    Monday, October 22, 2012 5:15 PM