DAG not forwarding to functional CAS Servers

I've introduced Exchange 2013 into an existing 2010 environment for testing and eventual migration. I've configured a DAG with 2 CAS members in one AD site, and 1 in another. All of our CAS servers also function as our mailbox servers.

Everything seemed to be working fine until I began testing certain parts of the DAG failover, which I assumed was mostly automatic based on server availability.

Scenario 1:
I have all of my test mailboxes on CAS-A in Site1, which also houses CAS-B. I've verified that CAS-A is the "PrimaryActiveManager" according to Exchange 2013, but when I shut down CAS-B to simulate a server outage, Outlook & OWA are unable to connect as they continually try to route users to CAS-B for some reason (even though their mailboxes are verified to be on CAS-A). For this scenario, I've also tested putting CAS-B into maintenance mode, but even then OWA redirects to the CAS-B address internally. I can still get to the mailbox via OWA using the FQDN of CAS-A in the URL.

Scenario 2:
When I activate the mailbox database with user mailboxes on CAS-C in Site2 (where CAS-A in Site1 is their primary home), Outlook reconnects to the new CAS server automatically, but OWA fails to redirect with the error: "A server configuration change is temporarily preventing access to your account." If I re-activate the mailbox database on CAS-A in Site1, OWA allows me to login as one of the test users again.

Did I miss an important part of DAG configuration here?

January 23rd, 2015 10:16pm

I would assume you are load balancing CASA and CASB, have you configured health probes to ensure that traffic isn't sent to an unresponsive server?

"To ensure that load balancers do not route traffic to a Client Access server that Managed Availability has marked as offline, load balancer health probes must be configured to check <virtualdirectory>/healthcheck.htm (e.g., https://mail.contoso.com/owa/healthcheck.htm)"

http://blogs.technet.com/b/exchange/archive/2014/03/05/load-balancing-in-exchange-2013.aspx

Kyle Green

kylgrn.com

January 24th, 2015 10:03am
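
A check of the health-probe page quoted in the reply above, as an added example that is not part of the original thread or of the linked Microsoft article. It requests healthcheck.htm on each server the way a load balancer probe would and treats anything other than HTTP 200 as "do not route here". The server names (the per-server addresses mentioned later in the thread), the protocol list and the function name Test-CasHealthCheck are assumptions.

```powershell
# Added example: probe the Managed Availability health-check page the way a
# load balancer would. Server names and protocol list are assumptions; adjust.
$servers   = 'CAS1.domain.com', 'CAS2.domain.com', 'CAS3.domain.com'
$protocols = 'owa', 'ecp', 'ews', 'rpc', 'oab', 'autodiscover', 'Microsoft-Server-ActiveSync'

function Test-CasHealthCheck {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Protocol,
        [int] $TimeoutSec = 5
    )
    $url    = "https://$Server/$Protocol/healthcheck.htm"
    $status = $null
    $detail = ''
    try {
        # Certificate validation stays on: a name mismatch is reported as a failure.
        $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
        $status = [int]$resp.StatusCode
    }
    catch {
        # Non-2xx responses throw; keep the HTTP status when there is one.
        # Timeouts, DNS failures and certificate errors carry no response.
        $r = $_.Exception.Response
        if ($r) { $status = [int]$r.StatusCode }
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Server   = $Server
        Protocol = $Protocol
        Status   = $status
        InPool   = ($status -eq 200)   # only 200 means the protocol is healthy
        Detail   = $detail
    }
}

# Probe every protocol on every server.
$results = foreach ($s in $servers) {
    foreach ($p in $protocols) { Test-CasHealthCheck -Server $s -Protocol $p }
}
$results | Sort-Object Server, Protocol | Format-Table -AutoSize

# Servers that clients should not be sent to for OWA right now.
$results | Where-Object { $_.Protocol -eq 'owa' -and -not $_.InPool } |
    Select-Object Server, Status, Detail
```

Running it before and after placing a server in maintenance mode shows which name a load balancer or DNS record should stop handing out.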

Hi,

Based on your description, you created a DAG using Exchange 2013 servers.

Do you load balance your CAS servers using HLB or DNS round robin?

Please check the URL on the CAS server in site 2. Make sure you configured it properly.

Please check if you have enabled Basic Authentication for OWA & ECP on the CAS server in site 2.

Best regards,

If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

January 26th, 2015 9:56am

Hi,

Is there any update on this issue?

Best regards,

January 28th, 2015 4:04am

Thanks for your assistance, Belinda. I'm back in the office now and still troubleshooting the issue. We are not load balancing our new CAS servers at the moment.

I've been troubleshooting the issue with KB article 2931385, "Exchange 2013 Redirects to Exchange 2010 for OWA and ECP".

Currently, I appear to have locked myself out of the Exchange Admin Center on the CAS in SiteB, so I'm trying to regain access to check which authentication owa and ecp are set to. I've attempted checking this from a CAS in SiteA, but the web UI just sits at "Please wait..." on the authentication page for the SiteB CAS and the cmdlets for the Get-VirtualDirectory variants all hang when specifying that server.

January 28th, 2015 8:10pm

So I've managed to make my way back into the Exchange Admin Center on the CAS in SiteB. I've configured the owa/ecp virtual directory URLs as such:

owa internal url: https://SiteBCAS.domain.com/owa
owa external url: https://webmail.domain.com/owa

ecp internal url: https://SiteBCAS.domain.com/Ecp
ecp external url: N/A (I didn't configure this as I only want to use the ECP internally)

Both virtual directories are set to use the following standard authentication methods:
Integrated Windows authentication, Basic authentication.

Visiting the 2013 Owa or Ecp page for the SiteBCAS from my desktop in SiteA automatically forwards me to the Exchange 2010 owa login.

Attempting to log in via the Exchange 2010 webmail page gives me the following error (which persists after an iisreset, server restart, and browser cache clear): "A server configuration change is temporarily preventing access to your account. Please close all Web browser windows and try again in a few minutes. If the problem continues, contact your helpdesk."
  • Edited by czarship Wednesday, January 28, 2015 7:18 PM
January 28th, 2015 10:16pm

Hi,

Regarding the first issue, since you don't have any load balancing for the CAS servers using HLB or DNS round robin, the redirect failed. This is expected behavior. Actually, if we didn't configure load balancing or DNS round robin and then shut down one CAS server, it doesn't even know whether to redirect the request, so it fails when we log in to OWA. Also, since each CAS server uses its own server FQDN as its host name, which URL do you use? And as the other server is still alive, you can use that server's URL to access OWA.

Regarding the second issue, I would like to confirm the issue first:

  1. Where does the test mailbox reside? On the Exchange 2010 server or Exchange 2013 server?
  2. If visiting the 2013 Owa/Ecp page for the SiteBCAS from PC in SiteA will automatically redirect to the Exchange 2010 owa login, is the mailbox on Exchange 2010 servers?
  3. Do we configure redirections on IIS (on the website or virtual directories)?
  4. If we use a mailbox on CAS-C, can we access OWA successfully?

And to know more about the issue, please help to collect configuration information to clarify:

[Config Info]

=========

  1. Get-Mailbox <an affected mailbox> | fl >user.txt
  2. Get-MailboxDatabase -IncludePreExchange2013 | fl identity,servers,servername >c:\dbs.txt
  3. Get-OwaVirtualDirectory | fl >c:\owa.txt
  4. Get-ExchangeServer | fl FQDN,Identity,site,ServerRole,*version >c:\server.txt
  5. Get-ClientAccessServer | fl >c:\cas.txt
  6. Get-OwaMailboxPolicy | fl >owap.txt

[Application logs]

=============

  1. On the Exchange 2013 CAS server.
  2. Click Start, type "eventvwr" in the Start search box (without the quotation marks) and press Enter.
  3. Click Continue if the User Account Control (UAC) window prompts.
  4. In the left pane, click Windows logs to expand the subfolders.
  5. Right click the Application Log and choose Save all events as.
  6. Save the log and send it to me.  

 

[IIS Log]

=======

1. Please reproduce the issue first, record the following information:

         User account who reproduces this issue: Domain/Account

         User's SMTP address

         Exact time the issue occurs:

         The IP address of the client on which we reproduce the issue:

2. Wait for about 10 minutes.

3. On both Exchange 2013 CAS servers, locate the folder c:\inetpub\logs\logfiles\W3SVC1

4. Collect the latest IIS log inside the folder.

If there is any sensitive information, you can send these logs to ibsexc@microsoft.com

Best regards,


January 30th, 2015 11:42am

Thank you for your response, Belinda. For your questions regarding the first issue, I was instructed to not use webmail.domain.com in any of the virtual directories (both internal and external) as they would appear to point back to the 2010 Exchange servers (which are currently using webmail.domain.com for most of its virtual directories). Instead, we've now created externally accessible addresses for each CAS server like so: CAS1.domain.com, CAS2.domain.com, & CAS3.domain.com (where CAS1 & 2 are in our primary data center and CAS3 is in our secondary data center). Once we're done migrating I assume we'll point webmail.domain.com and autodiscover.domain.com to load balance to these addresses (also assuming that once the load balancers hand a user off to any of the CAS servers, they'll be able to direct said user to the correct CAS server where their mailbox resides).

In response to your questions regarding the second issue:
1. The test mailbox resides on an Exchange 2013 mailbox database
2. Since enacting the virtual directory change mentioned above (where each server gets a unique address for internal and external URLs), the OWA redirection issue appears to have ceased. Now if I attempt to log into CAS3.domain.com with a new test account whose mailbox resides in Exchange 2013 on CAS1, the URL redirects to CAS1.domain.com and I'm able to login successfully.
3. I have not configured redirections in IIS
4. As mentioned in my answer to question 2, I'm now able to connect to mailboxes on any server through the CAS3.domain.com OWA URL.

I've gathered the config info you requested, though I had to split the Get-OwaVirtualDirectory command up into 3 output files as it would hang indefinitely when trying to access the information for CAS3 (SiteB) when running the command from CAS1 (SiteA). I've sent these logs to your address "ibsexc@microsoft.com" with the subject "DAG not forwarding to functional CAS Servers Logs" with a link to this thread.

Thankfully, reconfiguring the virtual directories on each server to be unique (including autodiscover URLs) has resolved my OWA redirecting issues. Even during a shut down of a CAS server, users are being properly routed to the correct URL for the CAS server their mailbox is on. However, a similar issue has now appeared in Outlook. Most of our users are on Outlook 2013. During my tests, I was able to use autodiscover in the Outlook wizard to automatically configure Outlook for a new test user mailbox account.

When I try putting the CAS2 (SiteA) server into maintenance mode using the commands listed in the "Performing maintenance on DAG members" section of the "Managing database availability groups" page of the TechNet library article for Exchange 2013 when the test user mailboxes were activated on CAS3 (SiteB), Outlook disconnects and fails to reconnect when I shut down CAS2. Even after bringing the server back up and reactivating it from maintenance mode, Outlook remains disconnected and cannot reconnect until I activate the mailbox database on a SiteA server. I continually get the pop-up "The Microsoft Exchange administrator has made a change that requires you quit and restart Outlook". No matter how many times I try restarting Outlook or the entire desktop computer, Outlook fails to connect and displays the Outlook error prompt.

In preparation for maintenance to our primary data center (SiteA), I'll need the ability to fail all mailbox databases over to SiteB.
January 31st, 2015 12:26am

This topic is archived. No further replies will be accepted.
