Robert’s Rules of Exchange: Multi-Role Servers

Great post again Robert !

I'm interested in an alternative that "small" costumers might have for the popular 2 multi-role servers in a DAG configuration, with regards to load balancing and having the cas-array "work".

WNLB is not possible of course, software/hardware external balances introduce funds issues... and Round Robin seems like the most logical way to work this out.. but then again it's not perfect ....

Is there a recommended supported method solve this dilemma ?  

Thanks !

ilantz

Ilantz, in the situation where you have the CAS roles on the DAG servers, you are correct, WNLB is not supported.  There has been a lot of internal discussion around DNS "round robin" as a possible solution, but the problem there is that when your TTL times out, the client will query DNS for the addresses again and reconnect.  When the client does that, they have a 50/50 chance of connecting to a different server.  For some clients, this is "masked" from the user (Outlook in RPC mode and EAS clients will both resend the credentials silently), but for some clients (OWA comes to mind), this will cause the user to be prompted for credentials.  It is the opinion of Microsoft that this is a poor user experience, so we don't recommend doing this.

The recommended solution in this case is to look to our hardware load balancer partners and find an agressively low priced solution.  For instance, KEMP (www.kemptechnologies.com) has a purpose built load balancer for Exchange 2010 that costs less than US$1600 list price AND supports a highly available architecture by having two devices.  That's HA load balancing in hardware for US$3200 list - not a bad solution.  KEMP also has virtualized versions of their load balancing devices in both Hyper-V and VMware versions...  

(NOTE:  I work for Microsoft, not KEMP, and I am not advocating KEMP over any other hardware load balancer vendor - if there is another vendor that wants equal billing, I am more than willing to work with you as well!!!)

--

rgillies at Microsoft

I have Exchange 2010 running all 4 roles (Mailbox, Client Access, Hub Transport, and Unified Comminications) for 150 users and have never had any issues. This has a DAG setup with a second server with all 4 roles for failover only (rather than balancing, though it's a future goal). This setup has not caused me any issues in the time I've used it. It's virtualized on VMware with a quad core CPU, 24GB of RAM, 4 NIC ports, and plenty of storage on an array. I realize it's not necessarily optimal, and everyone's needs are different, but for the small-to-medium size businesses it's a solution that can work well with appropriate maintenance and planning.

I just don't get the JBOD part...  Every time I see this as part of Exchange 2010 literature I cringe a little bit.  I totally get driving down costs and cheap SATA drives (use them myself in many scenarios) - but they are SO cheap and SUCH a small cost compared to the rest of the server, why not spring for a second drive?  At the VERY least the mirroring built into the OS will save you a lot of time in rebuilding the server in case of drive failure - and an inexpensive $50 raid card makes it even easier (or just use built-in raid 1 on the mobo depending on the box you're using).  JBOD just seems a bit irresponsible given the low cost to implement raid1 and relatively big payoff in case of drive failure...

Otherwise, great article, thanks!

I run Exchange 2010 virtualized on an HP ProLiant DL380 G6 with a quad-core Xeon, 24GB of RAM, 4 NIC ports, and plenty of storage for 150 users. I have all 4 major roles-- MBX, CA, HT, and UM-- plus Forefront Protection for Exchange (limited to one process for each realtime scanner), and I've never had any major issues.

I have about 30 ActiveSync mobile connections, 10 OWA users, and 20 RPC over HTTPS connections and the rest make up desktops using Outlook 2007 or 2010. My CPU usage generally sits about 60% during the day, and drops to 5-10% during the evening hours. My RAM load is about 19GB, and paging is about 200MB (so very minimal). Network traffic is load-balanced on 4 1Gbps ports, so again during the day it can spike a bit but I rarely see it using more than 1-2 Gbps.

I'm not saying it's ideal for everyone, but from what I'm reading in your post, it generally seems reasonable that as long as you monitor CPU/RAM/Disk/Network loads, and as long as you're taking suitable recovery needs for your environment, then running a multi-role server is a very efficient, cost-effective way of consolidating your servers.

@GoodThings2Life - Thanks for the comments!  Just wanted to say two things:

First, everyone needs to be aware that our guidance states that having UM servers on a virtual platform is not supported.  technet.microsoft.com/.../aa996719.aspx, in the section titled Server Virtualization, this is specifically called out.  This is primarily because of scalability concerns for customers larger than yours.  Because of your relatively small organization, this might not cause you issues, but as your org grows, you should be aware of this.

Second, just wanted to let everyone know that this is not just an architecture for the small or medium sized organizations.  Microsoft is recommending this multi-role server architecture for customers of all size.  I am workign with a customer that has about 1.5 million seats, and we are strongly recommending to that customer all three of the core roles collocated.  On these larger organizations, we see significant cost savings in both capital expenditures and operational expenditures with this collocation of server roles!

@pesos - Great comment, and a great point to reiterate.  Microsoft is going with the JBOD storage solution as our #1 recommendation, but that is only for the Exchange data storage - your databases, the associated log files and the system files used by the ESE database (the checkpoint file, etc.).  The operating system files, the Exchange binaries, etc. are recommended to be stored on storage that is protected with RAID.  As you called out, a simple mirror of the OS disk is inexpensive, and ensures that if a disk fails that has the OS on it, you are not required to rebuild your server from scratch.  For implementations where your data volumes are presented to Exchange through "mount points", the directories where you mount those volumes would also be on this system disk, and therefore protected by RAID.

Once again, only the Exchange data goes on disks that are JBOD, and only in situations where you have a minimum of 3 HA copies of the data in a DAG.  Since you have 3 HA copies (HA meaning "non-lagged") of the data online at all times in this situation, the loss of a single disk causes an unplanned switchover of a single database (approximately a 30 second outage to the users on that database), and then the administrative team would replace the failed disk, format, mount, and finally reseed to that disk to bring it back into use by Exchange.

One last thing - Microsoft is also recommending SAS as the controller for the "big cheap disks" because we see a better time between failure, and slightly higher performance from the SAS disks as opposed to the SATA disks.  The 7200 RPM SATA disks are certainly supported, but we prefer the SAS and that is what we recommend to customers when we are designing their systems.

Great comment, @pesos and everyone else!  Keep them coming!!

Great article and it just shows in my recent Exchange 2003 to 2010 upgrade that I got it right. I just couldn't think of a good reason to split out the roles, so rather than doing it just because I could I left them together.

I think a workable solution for a 2-server DAG multi-role implementation would be to use a CNAME with a short TTL (say 5 minutes at a maximum) to access the CAS. Have your monitoring software keep an eye of your critical CAS services and if one misbehaves then trigger a script to modify the CNAME to point to the other server.

Then at most you have a 5 minute client outage. If your DNS infrastructure can handle it then you could just tighten up the TTL until your SLA requirements are met (that is that you SLA requirements DON'T require you to go out and purcahse a load balancer, which most would).

Great post, well done!

I think its a good idea.

I have read about a 12 processor core "limit" for mailbox servers. What do you think about a 24-core multi-role server (with 12 core for mailbox an 6+6 for Hub and CAS role.)? Could it be an nice solution maybe for >10000 mailboxes? Or do we have other limits, for example the maximum number of network connection?

@Jeremy Hagan - That should work, but as you note it would require you doing the work to make sure that the script worked, etc.  If you needed a better than that 5 minute RTO, or if you needed to make sure that the load was actually balanced across the two CAS servers (smaller orgs won't need this), then you can't make this work, and this is the reason that it isn't one of our recommended solutions to the problem for our enterprise customers.  But, if it works for you, then go for it.

@XMichaeL - We have changed our guidance from "core count" to "socket count".  Read the table carefully on this page:  technet.microsoft.com/.../dd346699.aspx   What we say is that we recommend a maximum of 2 populated processor sockets for any single role server or a CAS/HT combined role server, and a maximum of 4 populated processor sockets for a mulit-role server (with CAS/HT/MBX all on the same server).  That gives a "theoretical" limit of 12 or 24 cores in the table if you have 6-core processors, but that doesn't mean that the 8-core processors are not supported or recommended.  Drive your maximums based on the number of sockets, not cores!  

This is from the Microsoft Press Self_paced Training Kit for Exam 70-662: "The witness server should be a Hub Transport server that does not have the Mailbox role installed."  Is this still Microsoft's recommendation?  If so it would seem to indicate multi-role servers have limited application.

@tpgbrennan: Any server in the same site will do, but they use an Exchange box as an example because it's a) part of the e-mail infrastructure and b) has the proper local group memberships. The reason for not picking a mailbox server I think is that it's expected to be a DAG member. Of course, if you have DAG configuration and a separate mailbox server (or another DAG) I see no reason for not using it to host the Witness share, just as long as it's not a mailbox server part of the DAG configuration it's witnessing.

@tpgbrennan, that appears to be a documentation bug in that training kit.  It's not that the witness should be a Hub Transport server without the Mailbox role, but rather that the system can automatically choose a server with that configuration as your witness server, if you like.  Otherwise, any Windows Server 2003 server in the AD forest that is not a member of the DAG can be the witness server for the DAG.

Great information Robert!  

We are a bit smaller shop with only 1000 users spread across Asia region. I just finished upgrading 2003 to 2010, I have 2 CAS/Hub role servers installed on VM (4-core each running WNLB) and have 2 physical MB servers (16 core each with 1 DAG), and a TMG deployed in the DMZ. Performance seems to be OK. What is really weird is that I am starting to notice few users from remote offices has over 60 to 100 TCP connection each to my CAS Array.  Has anyone seen this before??  I am just wondering what would cause so many TCP connection the CAS.

Thanks,

Ken

What do you consider the cutoff for medium sized organizations?

I'd like to thank Tony Redmond for the great post in reference to this Robert's Rules post.  I suggest reading it (and following Tony's blog, for that matter).  Check it out here:  thoughtsofanidlemind.wordpress.com/.../microsoft-reveals-the-truth-about-single-role-servers

One question Tony asks in his blog is "what's happened in the five years since to make Microsoft recant" the idea of having the roles separated.  The big thing here is that with the advent of CCR in Exchange 2007 as the high availability (HA) model of choice, the Exchange team didn't support having the roles other than Mailbox on the CCR machines (or even on an SCC cluster machine, for that matter).  Our customers pushed back on this because in many cases it did cause a higher number of servers in an organization.  As we moved from CCR in Exchange 2007 to the DAG in Exchange 2010, Microsoft decided to support the other roles when on the DAG nodes.

In my article above, we talk a lot about simplicity and how the multi-role server can simplify your Exchange implementation no matter the size of your organization.  What we really don't touch on is the fact that the multi-role server can also make better use of the newer hardware.  Processors now have 6 or 8 cores per processor, and making use of those high core counts with a single role server is sometimes difficult.  The multi-role server allows a higher processor density in a given server platform - having a server that supports 2 processor sockets with a single processor installed takes space in your datacenter and generates almost as much heat as it would if it had both processors, so why not make full use of the hardware in your system.

The only thing I would like to refute in Tony's blog article is the claim that somehow this had something to do with marketing.  Marketing has nothing to do with the technical recommendations we make around high availability.  The high availability technologies and how to deploy them have been a steady progression of revolution and evolution from Exchange 2003 with only what was later known as single copy clusters to Exchange 2007 with CCR to Exchange 2010 with the DAG.  The requirements and the recommendations around these HA technologies have changed with the versions.  But, as I teach in every course I ever teach around HA of Exchange - we don't deploy them because they are cool or snazzy or because Marketing wants it done.  You only deploy CCR or DAGs because you need the HA or the site resilience that DAGs bring.  If your customer requirements are such that you do not have a firm HA or site resilience requirement, then why deploy a DAG?  I will have very frank discussions with customers that want to deploy HA because their CIO has been reading CIO magazine again and thinks they need it when the business model is such that they have no hard requirement for it.

Thanks again, Tony!  Great blog!!

@Matt Anderson - the definition of small, medium and large organizatoins is quite nebulous, isn't it?  I don't personally have a definition.  For the customers I deal with (Dept of Defense and other large government entities), anything less than 10,000 is a fairly small engagement.  Anything up to about 100,000 mailboxes is medium sized and the large ones are over 100,000 mailboxes.  But then, scale has to do with what you think, not some arbitrary number someone else gives you.

Bottom line in sizing Exchange is to use your hardware wisely.  Don't allocate more hardware than you need, but don't undersize your hardware.  Have twice the processor that you need is an expense that the current economy doesn't support.  Same with RAM.  And as for disks, you just don't need the performance or redundancy of a SAN any more because Exchange 2010 doesn't need the performance like older versions did, and the DAG provides the redundancy you need.  Why go for a Bugatti Veyron of disk subsystems?  Sure it can go 250mph, but why would you do that when the speed limit is 70mph max in most of the US?  What you need is a Ford Expedition Extended Length so that you can easily go the 70mph you need and take everything you own in the back!  

We have been using WNLB due to the cost of hardware load balancers, but perhaps it's time to revisit that.

Currently we have four hyper-v guests: two mbx servers (dag) and two servers running both CAS/HT (wnlb).  We then have a 3rd server offsite running all roles just for DR purposes.  We only have around 300 mailboxes (and 100 or so resource mailboxes)

Does anyone here have experience with any low cost hardware load balancers (or virtual appliances even - we run hyper-v) they can recommend for Ex2010?

@pesos - I don't have personal experience with them (my customers tend to be larger and have the mainstream "enterprise" leaders like Cisco and F5), but KEMP is certainly the leader when it comes to the smaller environments.  I believe that Henrik Walther has deployed them - check his blog at blogs.msexchange.org/walther

Please note once again, folks.  I work for Microsoft, not KEMP.  I am not advocating KEMP as a solution better than others, just saying that they have an attractive price point and I have heard good things about their solution.

--

rgillies at Microsoft dot com

Do you have a strategy or recommended order to patch an Exchange 2010 environment were all 3 server roles are separated out on different hosts in a load balanced environment with a CAS array and 4 server DAG

Hello sir,

Thx for your valuable post.

We are gonna config 3 Node DAG infra. In this case we are thinking we don't need Witness server. Am i correct ?

And Still we have a market for WNLB who cant effort HLB or VHLB. We are configuring Dual NIC WNLB configuration. Is this situation, We use Same Ip range for Management Network and Production both. Is it correct ?

And during the Node fail over we saw below warning message at Event Viewer.

"NLB cluster [192.168.1.200]: NLB detected duplicate cluster subnets. This may be due to network partitioning, which prevents NLB heartbeats of one or more

hosts from reaching the other cluster hosts. Although NLB operations have resumed properly, please investigate the cause of the network partitioning."

Is this warning normal ?

Regards

Sunil

@Brenton Foggo - I would suggest a normal patching model.  We suggest "outside to inside", or with the three core roles "alphabetical order".  In other words, CAS, then HT, then MBX.  The biggest thing is that you should NEVER patch Mailbox before CAS and/or HT.

@SUnil-Nair - I am not a WNLB expert.  We do support WNLB for situations where hardware NLB cannot be purchased, but it is not a recommended solution, especially when there are attractive low-price solutions out there.  I don't have the knowledge to answer your questions, sorry.

--

rgillies at microsoft dot com

I understand Microsoft is moving away from recommending WNLB, as it has some limitations.

What I don't understand is why the OS team is not working on improving WNLB. It has basically stayed the same since Windows 2000.

If other manufacturers can create virtual appliances that work as well as a hardware load balancer, shouldn't Microsoft be able to come up with improvements for WNLB to overcome the current shortcomings?

@Twan - Wow.  That is certainly a loaded question.  I know that the Exchange team asked why we couldn't have Windows Failover Clustering and WNLB on the same servers so we could utilize WNLB on the multi-role servers, and the response was blank looks and "why would anyone want to do that?"  Not sure if anything will ever happen there, but I don't expect it.

I'm not really sure why the Windows team chooses not to update WNLB.  I haven't had any discussions with them about this in about 5 or 7 years, and was told at that time that we didn't think that the investment necessary to compete with the hardware load-balancer vendors weighed against the amount of revenue in Windwos this would drive didn't make a good business case.  The big deal is that the biggest hardware load-balancer vendors have special chips in their devices where they accelerate the performance of what they are doing, and in Windows, we don't have that capability.  I don't think we could really ever compete with the "big guys" like F5 or Cisco.  Because of this, I would think we aren't going to see much investment in WNLB.

Of course, I want to make sure everyone knows that this is just MY OPINION - not an official Microsoft statement!!  ;*)

--

rgillies at microsoft dot com

Please correct me if I am wrong - I think, one of the possible options to load-balance multi-role Exchange servers in a DAG using WNLB, is the TMG (that’s just my theoretical suggestion and not a proven in the field scenario at all). The easiest way to describe my thought, I think, is this sample scenario:

Customer already has pair of TMG servers that are part of the corporate AD forest. Each TMG has one NIC in DMZ and another NIC in corpnet. NICs in DMZ are in WNLB and the customer is publishing Exchange to the Internet thru them.

So far that’s an obvious scenario. Now the suggestion: publish Exchange to the corpnet using these TMG servers. Additional configuration for that:

1) Join TMG servers existing NICs in corpnet in WNLB (if not already done so) or install additional NICs for that purpose and join them in WNLB;

2) Change existing Exchange publishing rules to allow traffic from corpnet or create additional rules to publish Exchange to corpnet. The key thing here is the ability of TMG to publish Exchange RPC protocol and we need a new rule for publishing RPC to corpnet. I’ve never tried such RPC publishing, so it’s a theoretical suggestion, as the whole scenario by the way ;)

3) In the internal DNS, repoint CAS Array DNS entry to the TMG WNLB IP address in the corpnet. Internal URLs for different Exchange services also must lead to this IP.

So, in the end of the day, TMG servers are in WNLB, internal traffic somehow spreads amongst them thru WNLB functionality, and then TMG servers use server farm concept to proxy this traffic to CASs inside corpnet and to test, does each CAS is alive, to continue to proxy the traffic to it if it is alive. Of cause, additional load on these TMG servers must be taken into account before such a reconfiguration.

Eagerly waiting for the next installment of Robert’s Rules for virtualized Exchange!

Twan> What I don't understand is why the OS team is not working on improving WNLB. It has basically stayed the same since Windows 2000.

+++1

I believe that now is the time for the vNext NLB

Or ... Microsoft can outrun "big guys"(F5 or Cisco) companies at own field - the application level. I mean why not make a similar broker on CAS as RD Server session broker? Inexpensively and efficiently

@Shyamsundar Manian - Thanks!!  I very much appreciate you reading the posts!

@Sazonov ILYA [ sie ] - Thanks for the comment.  As a Microsoft guy, I'd like to quit pointing our customers elsewhere as well, but I guess Microsoft can't do everything.  I guess we'll see if they want to take that to the next level.  

Another idea that I've heard expressed is that we should just make our email clients and servers such that load balancing is not needed, or that the load balancing and client failover is "built in" and transparent to the user.  Personally, I like that idea even more - remove the need for load balancing and have it all built into our products out of the box...

Once again to both of you and everyone else that has commented - thanks for reading and thanks for the great comments!!

--

RGillies at Microsoft dot com

Hello RObert,

I have a one question. I am configuring 3 Node Dag. As i know we don't need Witness server with odd number of DAG nodes. So, is there any later configuration for this or just need to add all 3 DAG nodes to DAG ?

Regards

@Nair - remember that as you define your DAG it will go through being a one-node DAG and a two-node DAG before it is a three-node DAG.  ;*)  If you want to allow Exchange to just place the FSW (assuming you have a separate hub transport server, that is), you can do that, but in my opinion it is best practice to just define the FSW directory and server when you define the DAG.  Then, as the DAG goes from "majority node" quorum model to "majority node with FSW" and back, it will just make use of the directory and share that you have defined.

--

Rgillies at Microsoft dot com

Great post Robert

is there a limitation using multi-Role in exchange 2010 Sp1 with hosting switch espically in inter-tentant routing?

Thanks.

@NemoMania - there should be no adverse effects when deploying with the /hosting switch.  Same guidance.

@NemoMania - My buddy Scott Schnoll asked me to clarify a few things here...  We need to remember that Edge and UM cannot be installed as part of an environment when using the /hosting switch, so that is an impact.  

To extend what Scott said to me, as one of the main proponents of this "multi-role" approach, I generally don't think about UM being part of the "multi-role server".  I almost always propose the UM server(s) as being separate servers from the multi-role servers.  The sizing calculator does NOT take the UM role into account when you mark it as multi-role, so you need to be aware of that.

So, last note on the /hosting switch is to reiterate - /hosting doesn't support UM or Edge, so keep that in mind!

Great question, by the way.  Not many people know much about the /hosting option, so thanks for asking for clarification!