RPC Client Access service

Filed in E14, Exchange, exchange 14, exchange 2010, Exchange genie, mapi, momt on Sep.26, 2009

Updated 8/18/2010

One of the major changes in Exchange 2010 concerns the MAPI endpoint. In all previous versions of Exchange the Outlook client (using MAPI) connected directly to an Exchange mailbox server; with Exchange 2010 the Outlook client connects to an Exchange server running the CAS role as its MAPI endpoint for all connections except public folder access, which still goes directly to the mailbox server.

As you will see later in this post, a common issue for users running Outlook 2003 is that the default server configuration requires encryption to be enabled on the Outlook client, or the connection will fail. I will go into more detail on this later.

When a user opens Outlook today a number of things happen, but the one I am going to focus on is the connection from the client directly to the mailbox server to retrieve mail via MAPI RPC.

How clients connected pre Exchange 2010

Some of the issues with this configuration, even when using an SCC or CCR cluster, are that during a failover the client connection point is disrupted, even if only for a few moments. It also means that clients make direct connections to the mailbox server, which is limited to 60k connections to the information store. That does not mean 60k users, as each client makes a number of connections to the system.

As the Exchange team looked at how to scale Exchange 2010 better, one of the new techniques was to move the client connection endpoint to the CAS server instead of the mailbox server. This allows a number of things to happen:

1. During a database move/failover the client endpoint does not go down, which makes the move seamless to the user.

2. If you reach the 60k port limit you just add an additional CAS server to the RPC array.

Let’s take a look at our Exchange settings….

How do I know what my mapi end point is?

At first you might think this is configured per user, but that is not the case. To find out what your RPC client endpoint is, run the following command:

Get-MailboxDatabase "yourdatabase" | fl name,rpc*

The output shows the RpcClientAccessServer associated with each database.

By default there is no RPC array configured; the name of a random CAS server in the same AD site is associated directly with each database.

Let’s run our command and see what settings we have:

Get-MailboxDatabase | fl name,rpc*

You can see that our RpcClientAccessServer points to my CAS server.

Let’s create a new mailbox database in EMC:

Open EMC -> Organization Configuration -> mailbox

Right click and select New Mailbox database

I am going to call my database rpcservercheck and specify the server as E14Ex1

Specify the logs and database path

C:\db\db and c:\db\logs

**Note: I don't recommend these locations, but this is just a lab**

Click New to complete the database

Now that we have created the new database, let's run our command again:

You can see the new database also shows the CAS server; since I only have one CAS in this environment they are configured the same.

Outlook Profile

After setting up an Outlook profile, let’s take a look and confirm that our MAPI endpoint is now the CAS server.

With Outlook 2007 click Tools – Accounts Settings

Select the profile and click Change

We can see that our Microsoft Exchange Server information points to the CAS FQDN and not to our mailbox server.

If we hold down CTRL and right-click the Outlook system tray icon we can bring up the connection status.

You can see that all directory and mail connections are now going to the CAS server, with one exception: public folders. Yes, public folder calls are still direct connections from the client to the mailbox server hosting the public folder.

WireShark

If we use a network sniffer to capture traffic from our client 192.168.1.59, we can see that the NSPI and MAPI requests from Outlook are all directed to the CAS.

How does this work?

On each CAS server there is a new service called MSExchangeRPC, which runs as Microsoft.Exchange.RpcClientAccess.Service.exe; it listens on port 6001 for HTTP connections and uses dynamic ports by default for TCP/IP connections.

By default when you install Exchange 2010 the files that make up this service are located in C:\Program Files\Microsoft\Exchange Server\V14\Bin.

When the MAPI client connects to the CAS server, the CAS server creates a channel to the mailbox server to retrieve the mailbox data. The CAS server will create a maximum of 100 RPC connections to the mailbox server.

Encryption

As I briefly mentioned in the introduction, by default Exchange requires the client to connect with encryption enabled. This is not set per database but per RPC server, and can be found with the following command:

[PS] C:\>Get-RpcClientAccess | fl server,encrypt*

Server             : E14-EX1
EncryptionRequired : True

Server             : E14-EX2
EncryptionRequired : True

Server             : E14CAS1
EncryptionRequired : True

After running the command you can see that each CAS and mailbox server has this setting. You may ask why the mailbox server would require this if all client connections go to the CAS. Recall that I stated above that clients still connect directly to the mailbox server for public folder access.

How do I know if my Outlook client is setup to use encryption?

Let’s look in our Outlook client to see this setting:

Using the same steps as before, open your Outlook account settings -> click More Settings

Select the Security tab

We can see that Outlook 2007+ defaults to having encryption enabled; however, Outlook 2003 does not.

If you have a large number of Outlook 2003 users you have a few options:

1. Use Group Policy to enable this setting

2. Disable this setting on the Exchange server with Get-RpcClientAccess | Set-RpcClientAccess -EncryptionRequired:$false

**Recommended configuration is to keep encryption enabled**

**Note this will also affect Outlook Anywhere users (formerly RPC over HTTP)**

3. Have users manually enable this setting

4. Script the client setting
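As an added example (not the post's own code), the following audits both sides of the encryption mismatch described above: it reports any RPC Client Access endpoint where EncryptionRequired has been switched off, and, when run on a workstation, checks whether the Outlook 2003 profile has encryption turned on. The client registry key and EnableRPCEncryption value name are my assumption of where Outlook 2003 stores the Security tab setting.

```powershell
# Added example, not from the original post. Server half runs in the Exchange Management Shell;
# client half runs on a workstation with Outlook 2003 and can be deleted when not needed.

# --- Server side: keep EncryptionRequired = True everywhere (CAS and mailbox servers) ---
$unencrypted = Get-RpcClientAccess |
    Where-Object { -not $_.EncryptionRequired } |
    Select-Object Server, EncryptionRequired

if ($unencrypted) {
    $names = ($unencrypted | ForEach-Object { $_.Server }) -join ', '
    Write-Warning "RPC encryption is NOT required on: $names (also affects Outlook Anywhere users)"
} else {
    Write-Host "EncryptionRequired is True on every RPC Client Access endpoint."
}

# --- Client side: Outlook 2003 'Encrypt data between Outlook and Exchange' ---
# Assumption: the Security tab check box is stored as the DWORD EnableRPCEncryption (1 = on)
# under the Outlook 11.0 RPC key, which is also what the Group Policy option writes.
$rpcKey = 'HKCU:\Software\Microsoft\Office\11.0\Outlook\RPC'
$client = Get-ItemProperty -Path $rpcKey -Name EnableRPCEncryption -ErrorAction SilentlyContinue

if ($client -and $client.EnableRPCEncryption -eq 1) {
    Write-Host "Outlook 2003 profile will encrypt RPC traffic; it can connect to an EncryptionRequired CAS."
} elseif (Test-Path $rpcKey) {
    Write-Warning "Outlook 2003 encryption is off; enable it via GPO or the Security tab rather than relaxing the server."
} else {
    Write-Host "No Outlook 2003 RPC key found on this machine (Outlook 2007+ encrypts by default)."
}
```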

Configuring an Rpc Array

Now that we have a basic understanding of how MOMT is used, let's configure our first RPC array. You can use NLB or a hardware load balancer such as F5 for the RPC array, as either is supported; however, you cannot use NLB if your server is multi-role and a member of a DAG.

The DNS entry for the array should not use a public DNS name and only needs to be resolvable on the internal network.

Let's start with the Get-ClientAccessArray command just to show that we do not currently have an array.

1. Create a DNS entry for your array name (I am going to use Site1Array.ExchangeGenie.local)

a. Open the DNS administration tool

b. Select the appropriate DNS zone (for me ExchangeGenie.local)

c. Right click and create a new host record (a cname would work as well)

d. Input the name and IP for the record

e. Click Add Host

f. Click Done

g. Validate the record has been created

h. Let's use nslookup to validate the record resolves

Create an RPC Array

From an EMS window we will use the New-ClientAccessArray command. If you look at the help (Get-Help New-ClientAccessArray), you can see the command takes two required parameters: FQDN and Site.

If you don't know your AD site information you can use the Get-ADSite command to get it.

As you can see I have renamed my default site to GenieSite1

New-ClientAccessArray -Name Site1Array.ExchangeGenie.Local -fqdn Site1Array.ExchangeGenie.Local -Site GenieSite1

As you can see we now have a new array called Site1Array.ExchangeGenie.Local

**Note: the Members parameter will show every Exchange 2010 CAS in the AD site of the array; which CAS servers actually participate is determined by the NLB nodes**

Does this mean you are done?

No, creating an array by itself does nothing; we have two additional steps: 1. create the NLB for the array and 2. associate the array with our databases.

Creating an NLB for our Array

I am going to use WNLB for this post, which is a viable option; however, for large organizations a hardware load balancer is advised.

If NLB is not installed on your CAS server you will need to do that first.

1. Open Server Manager

2. Select Features

3. Select Network Load Balancing

4. Click Next

5. Click Install

6. Click close after the installation completes successfully

7. Launch NLB Manager

8. From the file menu click Cluster -> New

9. Input the IP address or hostname of the CAS server and click Connect

10. Select Next

11. Select Next unless you need to add an additional dedicated ip to the server

12. Click Add to add the VIP for the cluster (this should match the IP we used to create the DNS record for the array)

13. Enter the IP associated with the array and click OK

14. Click Next

15. Enter an FQDN that will be associated with the NLB. I have selected Multicast for my cluster mode; however, please select the method that best fits your environment.

16. Click Next

17. Click Remove to delete the default listening ports

You can choose to listen on all ports; however, let's use the minimum required for the array, which we will later scope down even further. The minimum ports required are 135 and 1024-65535.

a. Click Add

b. Clear the "All" check box so that we can scope which IP the ports listen on

c. Add port 135 – 135 TCP and click OK

d. Repeat for port 1024-65535 TCP and click OK

18. Click Finish to complete building the NLB

Validate the NLB has been created properly

Associating the Array with databases

The final step is to associate the client access array with our existing databases. Any new databases will be associated automatically with the array in that site.

Let's open our Outlook client so we can see our current settings.

Let’s use the following command to set our new array on all the databases we have created:

Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer site1array.exchangegenie.local

**Please note the above command would update all databases; you can use the -Server switch to scope the databases returned, or something like the following to scope by site:

C:\>Get-ExchangeServer | where {$_.isMailboxServer -eq $true -and $_.Site -eq 'ExchangeGenie.Local/Configuration/Sites/GenieSite1'} | Get-MailboxDatabase **

We can validate the array association with the following command:

Get-MailboxDatabase | fl rp*

***Please note it could take a few minutes for this information to get updated for clients due to the store cache**

If we look at our client settings, they will be updated by Autodiscover if the client is Outlook 2007+; for Outlook 2003 the client should be redirected after connecting to the currently configured server.

You can see that all communication (except PF) is now connecting to our new client access array.
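The following is an added example (not code from the post) that ties together the "How do I know what my mapi end point is?" check and the site-scoped association above: it lists every database in one AD site with its current RpcClientAccessServer, flags the ones not yet pointing at the array, and repoints them only when -Fix is given. The array FQDN and site DN are placeholders taken from the post's lab; substitute your own.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Placeholders: the post's lab array name and site DN; change both for your environment.
param(
    [string]$ArrayFqdn = 'site1array.exchangegenie.local',
    [string]$SiteDn    = 'ExchangeGenie.Local/Configuration/Sites/GenieSite1',
    [switch]$Fix
)

# Same scoping pipeline the post uses: mailbox servers in the site, then the databases they host.
$dbs = Get-ExchangeServer |
    Where-Object { $_.IsMailboxServer -eq $true -and $_.Site -eq $SiteDn } |
    Get-MailboxDatabase

$report = foreach ($db in $dbs) {
    $endpoint = [string]$db.RpcClientAccessServer
    New-Object PSObject -Property @{
        Database = $db.Name
        Server   = [string]$db.Server
        Endpoint = $endpoint
        OnArray  = ($endpoint -ieq $ArrayFqdn)   # case-insensitive FQDN compare
    }
}
$report | Format-Table Database, Server, Endpoint, OnArray -AutoSize

# Databases still bound to an individual CAS (the default described in the post).
$stragglers = @($report | Where-Object { -not $_.OnArray })
if (-not $stragglers) {
    Write-Host "All $(@($report).Count) databases in $SiteDn already use $ArrayFqdn."
} elseif ($Fix) {
    foreach ($s in $stragglers) {
        Set-MailboxDatabase -Identity $s.Database -RpcClientAccessServer $ArrayFqdn
        Write-Host "Repointed $($s.Database) from $($s.Endpoint) to $ArrayFqdn"
    }
    Write-Host "Clients may take a few minutes to follow because of the store cache."
} else {
    Write-Warning "$($stragglers.Count) database(s) not on the array; re-run with -Fix to repoint them."
}
```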

Scoping the Mapi Ports

By default when you open your Outlook client it attempts to make a connection to the RPC port (135) on the server and negotiates a dynamic port above 1024 for use. If there are no firewalls between the clients and servers you don't mind all this traffic; however, in many scenarios there are firewalls between the client network and the servers. To avoid having to open port 135 and 1024-65535 you can make a few simple modifications to your CAS server to reduce the number of ports that must be open on the firewall.

There are three modifications you must make: 1. MAPI, which is a registry key change; 2. Address Book (NSPI), which is modified in the config file; and 3. Referral Service (RFR), also modified in the config file.

We can restrict the RPC Client Access array to a single port for each of the following: MAPI, Address Book, and Referral Service. Let’s take a look at the default configuration below:

Key: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem

Value: TCP/IP Port

Type: DWORD

*Note you will need to modify the same registry key on mailbox servers that host public folders

Earlier you saw the Wireshark capture with the client making connections to the CAS on random high-numbered ports; in this section we are going to scope the port range down to three ports of our choosing. Please note the client will still need access to port 135 for the initial connection.

Scoping the CAS server ports

1. Open the registry editor (Start -> Run -> regedit)

2. Browse to HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC

3. Create a new key named ParametersSystem (right-click -> New -> Key)

4. Create a new DWORD named TCP/IP Port

5. Enter a port; I have selected 50000

6. Restart the Microsoft Exchange RPC Client Access service

7. Open a command window and run netstat -na

We can see that we are connecting to the CAS server on ports 50000 and 135.

**You will need to repeat these steps for any mailbox server that is hosting a public folder database**

8. Open Microsoft.Exchange.AddressBook.Service.exe.config with Notepad (default location is C:\Program Files\Microsoft\Exchange Server\V14\Bin)

*** This option has changed in Exchange 2010 SP1 and is now configured via a registry key:

Address Book registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters\RpcTcpPort

9. Modify the "RpcTcpPort" setting to the port you want; I am going to use 50001 since I used 50000 for the MAPI port

10. Restart the Microsoft Exchange Active Directory Topology service (note this will stop all the Exchange services)

11. Open a command window and run netstat -na

You can see we are now listening on port 50000 for MAPI and port 50001 for Address Book.

If we open Outlook again and run netstat -na from our client, we can see that we are connecting to the CAS server on ports 50000 and 50001 and to our mailbox server on port 50000.

CAS IP 192.168.1.60, mailbox server 192.168.1.57 and CAS array 192.168.1.61
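As an added example (not the post's own code), here is the port-scoping procedure above as a script for an Exchange 2010 SP1 CAS: it writes the MAPI port under MSExchangeRPC\ParametersSystem and the Address Book port under MSExchangeAB\Parameters, restarts the two services the post restarts, and then checks netstat for the listeners. It assumes SP1 (registry-based Address Book port) and uses the post's 50000/50001 as defaults; run the MAPI part on any mailbox server hosting public folders as well.

```powershell
# Added example, not from the original post. Run elevated on the Exchange 2010 SP1 CAS.
# Defaults are the ports chosen in the post; pick free ports that your firewall team has approved.
param([int]$MapiPort = 50000, [int]$AddressBookPort = 50001)

$mapiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem'
$abKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'

# ParametersSystem does not exist by default (the post creates it by hand in step 3).
foreach ($key in $mapiKey, $abKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Value names exactly as regedit shows them; both are DWORDs.
Set-ItemProperty -Path $mapiKey -Name 'TCP/IP Port' -Value $MapiPort        -Type DWord
Set-ItemProperty -Path $abKey   -Name 'RpcTcpPort'  -Value $AddressBookPort -Type DWord

# MAPI listener re-reads its port on restart; the Address Book service is a dependent of
# AD Topology, so restarting that (as the post does) bounces every Exchange service. Schedule it.
Restart-Service -Name MSExchangeRPC
Restart-Service -Name MSExchangeADTopology -Force

Start-Sleep -Seconds 30   # give the services time to bind before checking

# Same check as the post's 'netstat -na': one LISTENING line per scoped port.
$pattern   = ":($MapiPort|$AddressBookPort)\s"
$listening = @(netstat -na | Select-String -Pattern $pattern | Where-Object { $_ -match 'LISTENING' })

if ($listening.Count -lt 2) {
    Write-Warning "Expected listeners on $MapiPort and $AddressBookPort but found:`n$($listening -join "`n")"
} else {
    Write-Host "MAPI on $MapiPort and Address Book on $AddressBookPort are listening; clients still need 135."
    $listening
}
```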

Tags: exchange 2010, mapi, momt, rpc array, rpc client access array

Comments (15)

15 Responses to “RPC Client Access service”

Tweets that mention RPC Client Access service -- Topsy.com Says: October 30th, 2009 at 1:47 pm

1.

[...] This post was mentioned on Twitter by Jetze Mellema, Mike Pfeiffer. Mike Pfeiffer said: RT @JetzeMellema: Excellent blogpost on MOMT: Exchange 2010 Mapi on the middle tier http://bit.ly/aVOiF #Exchange [...]

Gleb Kholodov Says: November 11th, 2009 at 1:26 pm

2.

**Note the memeber paramenter will show every CAS in the AD site of the Array please note this is going to be removed in later builds and does not hold any value**

The value of this property lies in 1) helping to automate maintenance tasks, especially in configurations where E2010 is installed with other Exchange versions in the same site. For example, E2007 CAS servers will not be listed as members of an array, even if they reside in the same site.

2) helping admins recognize a difference between functionality modes of the MSExchangeRPC server when it runs on the Mailbox role as opposed to running on a box that has a ClientAccess role: only CAS servers become members of an array

3) array membership is defined in two places: explicitly in the NLB configuration (Exchange has no knowledge of this) and implicitly in the Exchange configuration by putting CAS servers into the same site. Showing an admin what Exchange thinks the array consists of is supposed to make him aware of this difference.

There’re currently no plans to remove this property.

Gleb Kholodov, MSExchangeRPC dev, Microsoft

Exchange Genie Says: November 11th, 2009 at 4:32 pm

3.

Thanks Gleb, updated the info

Herc Says: December 7th, 2009 at 10:46 pm

4.

Would you use ClientAccessArrays if you have a DAG that spans multiple sites? Wouldn’t this lock client access down to one particular site for access?

Exchange Genie Says: December 8th, 2009 at 4:04 pm

5.

Yes, you would still create an array. An RPC array is site dependent, so you would have an array for site 1 and an array for site 2.

There is some work being done in SP1 that should make this a multi-value data point for failover.

If you move a user between sites that array setting will update on the user, and in a failover the client would proxy unless you updated DNS or the setting.

In a site outage you would change DNS so the array1 name pointed to array2.

Katrin Skarsbø Says: February 18th, 2010 at 8:33 am

6.

Hi!

I’m just wondering. Today one of our customers uses NLB on HUB/CAS Exchange 2007. This is working fine and SMTP in NLB is supported in Exchange 2007 SP2. Now I’m implementing Exchange 2010 and want to use NLB on CAS and HUB. Can these two roles be on the same server or do we have to split the roles? Another question, do you have one network adapter on the CAS servers?

Kind regards, Katrin

Exchange Genie Says: February 18th, 2010 at 1:19 pm

7.

The same rules would apply, as I combine those roles myself on my servers.

Exchange 2010 RTM High Availability Load Balancing Options | Elan Shudnow's Blog Says: March 18th, 2010 at 12:30 am

8.

[...] your RPC Endpoint on your CAS Servers. Lots of information on the RPC Client Access Server here and here. So what options are available for load balancing this new RPC Client Access Array and [...]

it24by7 Says: April 13th, 2010 at 5:26 pm

9.

A quick question. Can I install Exchange 2010 Client Access and Hub Transport on the same server with NLB? These are the steps I’m going to follow, please correct me if I’m wrong:

- Configure NLB on 2 Servers running Windows 2008 x64.
- Install Client Access and Hub Transport Role on those servers.
- Associate the Array with databases.

All Set?

it24by7 Says: April 13th, 2010 at 5:28 pm

10.

A quick question. Can I install Exchange 2010 Client Access and Hub Transport on the same server with NLB? These are the steps I’m going to follow, please correct me if I’m wrong:

- Configure NLB on 2 Servers running Windows 2008 x64.
- Install Client Access and Hub Transport Role on those servers.
- Associate the Array with databases.

All Set?

Exchange Genie Says: April 18th, 2010 at 9:38 pm

11.

Yes, you can have the CAS and Hub server roles on a single server and use NLB. Just note the internal connectors cannot be a part of the NLB for the Hub Transport servers.

it24by7 Says: April 20th, 2010 at 4:24 pm

12.

I followed the steps mentioned in this article but my Outlook client is not able to connect to the server. I’m getting an error:

Cannot open your default email folders. You must connect to Microsoft Exchange with your current profile before you can synchronize your folders with your Outlook Data File.

Exchange Genie Says: April 21st, 2010 at 8:25 am

13.

To recap, you created an RPC array with NLB; how many CAS servers do you have in the NLB? Have you validated the services are running on the CAS server? Did you perform port scoping or just use the default? Have you done a packet sniff to see if the client is making it to the CAS array?

juned Says: September 14th, 2010 at 3:18 pm

14.

Is the CAS array going to load balance only the MAPI connection or will it also load balance ActiveSync, Autodiscover and Availability Services?

Exchange Genie Says: September 15th, 2010 at 8:22 am

15.

The CAS array only load balances MAPI traffic; you would create a load balancer for your AS namespace as well. Since the CAS servers handle all traffic now this could be the same VIP or a different one. I typically like to set up one namespace for MAPI and one for OWA/AS/etc.
