AD site design for centralized mail. Ex2010
Hi all,
We have a single forest/domain on Windows 2008, FFL and DFL 2003. There are 24 AD sites, split among NA, Asia and Europe. All DCs are GCs and DNS servers, with a DC in each AD site; however, 5 sites (small remote offices) are running RODCs. We are a Lotus Notes shop and migrating to Exchange 2010. Currently email is a decentralized model, with a Domino server in every AD site. Now that we are moving to Ex 2010, a decision was made to centralize mail: all mail servers will be hosted in our datacenter (single AD site); as a result there will be no local Exchange server or CAS server in any remote sites. We have approx. 4000 users combined in all sites and we will be building out approx. 3-4 servers in a DAG along with an NLB CAS array in our datacenter.
My question is: we currently have two DCs in our datacenter. Granted all users will now connect to the datacenter for mail, do I need to add additional DCs in my datacenter? I read that Outlook clients will require a GC in every AD site, therefore I assume there shouldn't be any issues because in all AD sites there is a DC/GC; however, I am not sure about the 5 AD sites that host RODCs. Do I need to rebuild them as RWDCs, or in that case will the Outlook clients use the datacenter DCs/GCs? BTW, all 4000 users will be running Outlook 2007 in cache mode.
Thanks .
August 22nd, 2010 4:00pm
Yes, Outlook is supported against RODCs ( as opposed to Exchange itself)
Note that in Exchange 2010, the NSPI endpoint for clients is the Client Access Server or Client Access Server Array and not the GC.
http://technet.microsoft.com/en-us/library/cc732790(WS.10).aspx
Microsoft Office Outlook
Note
Microsoft Exchange Server does not use RODCs. However, you can configure Outlook clients in a branch office that is serviced by a read-only global catalog server to use the read-only global catalog server for global address book lookups
August 23rd, 2010 3:25am
Hi Darren,
Although Exchange doesn't work with RODC/ROGC, Outlook can use ROGC to do directory look up. I suggest you read the following article to get more information:
Windows 2008 Read Only Domain Controllers and Exchange 2007…
http://blogs.msdn.com/b/douggowans/archive/2009/01/06/windows-2008-read-only-domain-controllers-and-exchange-2007.aspx
Hope this helps. Thanks,
Elvis
August 23rd, 2010 9:54am
Thank you..
"AndyD_" wrote in message
news:9b48e32e-cf04-4893-92cf-0223d02855b8...
Yes, Outlook is supported against RODCs ( as opposed to Exchange itself)
Note that in Exchange 2010, the NSPI endpoint for clients is the Client Access Server or Client Access Server Array and not the GC.
http://technet.microsoft.com/en-us/library/cc732790(WS.10).aspx
Microsoft Office Outlook
Note
Microsoft Exchange Server does not use RODCs. However, you can configure Outlook clients in a branch office that is serviced by a read-only global catalog server to use the read-only global catalog server for global address book lookups
August 23rd, 2010 9:45pm
Hi,
So if I understand correctly, for a remote office with an RODC, Outlook clients will require a registry setting to use the local GC/DC? But some operations may still use a remote DC/GC?
What about remote offices with an RWDC? Keep in mind Ex servers are in the datacenter only (hub AD site), not in remote offices. I assume by default Outlook clients will use their local DC/GC as opposed to the mail AD site DC/GC, correct?
"Elvis Wei -MSFT" wrote in message
news:d4a2367d-9adb-4e10-ac1b-11a66985163b...
Hi Darren,
Although Exchange doesn't work with RODC/ROGC, Outlook can use ROGC to do directory look up. I suggest you read the following article to get more information:
Windows 2008 Read Only Domain Controllers and Exchange 2007
http://blogs.msdn.com/b/douggowans/archive/2009/01/06/windows-2008-read-only-domain-controllers-and-exchange-2007.aspx
Hope this helps. Thanks,
Elvis
August 23rd, 2010 10:14pm
I have an issue where there is a site with a single ROGC and clients are using Outlook 2007. The problem comes when a user needs to update a distribution group membership, they receive an "Access Denied" error. However, if that same user remotes into a PC
in a site with a R/W GC, the operation succeeds. My guess is that it is trying to update the DG membership using the ROGC, which will obviously fail.
Does anyone know if there is a way to allow Outlook 2007 or greater to be ROGC-aware (maybe a registry setting or patch)? So they can use the ROGC to do directory lookups, but once Outlook tries an operation that requires a RWGC, it will connect to one (even
if it is in another site) to perform the edit.
January 6th, 2011 11:00pm
I am confused as well. Exchange 2010 prerequisites require a CA server in each AD site. Installing Exchange in a site with RODC/GCs is not supported. CA is an Exchange server. By that logic it says RODCs in an Exchange 2010 environment are useless???
January 7th, 2011 1:14am
I have an issue where there is a site with a single ROGC and clients are using Outlook 2007. The problem comes when a user needs to update a distribution group membership, they receive an "Access Denied" error. However, if that same user remotes into a PC
in a site with a R/W GC, the operation succeeds. My guess is that it is trying to update the DG membership using the ROGC, which will obviously fail.
Does anyone know if there is a way to allow Outlook 2007 or greater to be ROGC-aware (maybe a registry setting or patch)? So they can use the ROGC to do directory lookups, but once Outlook tries an operation that requires a RWGC, it will connect to one (even
if it is in another site) to perform the edit.
However what about Outlook clients…? If you’ve got a load of Outlook clients sitting in the branch office it might be beneficial if the client made use of its local RODC (ROGC). Well Outlook is listed
here as an application that will work with an RODC. It takes a registry setting to point it at a local ROGC and the ROGC will then be used for certain operations – specifically GAL lookups.
HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider
String Value: DS Server
Data: FQDN of ROGC
If you decide to make use of this registry setting then be aware that Outlook will still revert to a remote DC\GC for many operations and the use of the key does depend on the version of Outlook that you have chosen to deploy.
I think we are definitely going to see a lot more queries about how Outlook operates against a local read only DC in combination with remote domain controllers. In my opinion the story isn’t very clear yet. I’ll blog more as I know
more.
Got this from:
http://blogs.msdn.com/b/douggowans/archive/2009/01/06/windows-2008-read-only-domain-controllers-and-exchange-2007.aspx
January 7th, 2011 1:56am
If you decide to make use of this registry setting then be aware that Outlook will still revert to a remote DC\GC for many operations and the use of the key does depend on the version of Outlook that you have chosen to deploy.
I tried that reg setting with an outlook 2010 client (still one exchange 2k3 backend mailbox) and it still fails. For some reason the outlook client still doesn't know that it has to contact a writable DC/GC to do the write operation. Removing this
reg key and the Closest GC reg entry, it goes back to the same site as the exchange server and talks to the RWGCs in that site. The exact error message the outlook client displays is "Changes to the public group membership cannot be saved. You
do not have sufficient permission to perform this operation on this object." The clients are able to update through ADUC so I'm thinking that there has to be an update to the outlook client that needs to be applied. If someone hears of a better
solution other than just defaulting the branch office clients back to the main office for GC queries, please feel free to post. :)
Jason Fare
June 29th, 2011 7:40pm
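
The registry override discussed in the last two posts, as an added example that is not part of the original thread: a PowerShell sketch that reports the per-user `DS Server` and `Closest GC` values, checks a candidate server's RootDSE for global catalog readiness and read-only status before pinning Outlook to it, and removes both values to revert. The function names and the FQDN are hypothetical, and placing `Closest GC` under the same key as `DS Server` is an assumption (the thread names the value without its path).

```powershell
# Added example (not from the thread). Function names are hypothetical.
$KeyPath = 'HKCU:\Software\Microsoft\Exchange\Exchange Provider'  # key quoted in the thread

function Get-OutlookDirectoryOverride {
    # Report the two per-user values the thread discusses; $null means "not set".
    $p = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{ DsServer = $p.'DS Server'; ClosestGC = $p.'Closest GC' }
}

function Test-DirectoryServer {
    param([Parameter(Mandatory = $true)][string]$Fqdn)
    # RootDSE shows whether the server advertises a global catalog and whether
    # it is an RODC (capability OID LDAP_CAP_ACTIVE_DIRECTORY_PARTIAL_SECRETS_OID).
    try {
        $root = [ADSI]"LDAP://$Fqdn/RootDSE"
        $caps = @($root.Properties['supportedCapabilities'] | ForEach-Object { "$_" })
        $gc   = "$($root.Properties['isGlobalCatalogReady'].Value)" -eq 'TRUE'
    } catch {
        throw "Cannot read RootDSE from ${Fqdn}: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Server             = $Fqdn
        GlobalCatalogReady = $gc
        ReadOnly           = $caps -contains '1.2.840.113556.1.4.1920'
    }
}

function Set-OutlookDsServer {
    param([Parameter(Mandatory = $true)][string]$Fqdn)
    $info = Test-DirectoryServer -Fqdn $Fqdn
    if (-not $info.GlobalCatalogReady) { throw "$Fqdn does not advertise a ready global catalog" }
    if ($info.ReadOnly) {
        # Matches the thread: lookups work, group-membership edits were reported to fail.
        Write-Warning "$Fqdn is read-only; directory edits made from Outlook may fail."
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'DS Server' -Value $Fqdn -PropertyType String -Force | Out-Null
    Get-OutlookDirectoryOverride
}

function Clear-OutlookDirectoryOverride {
    # Remove both values, as the last poster did, so Outlook uses its default selection.
    Remove-ItemProperty -Path $KeyPath -Name 'DS Server', 'Closest GC' -ErrorAction SilentlyContinue
    Get-OutlookDirectoryOverride
}

# Usage (placeholder FQDN):
# Get-OutlookDirectoryOverride
# Set-OutlookDsServer -Fqdn 'rogc01.branch.example.com'
# Clear-OutlookDirectoryOverride
```

Because the values live under HKEY_CURRENT_USER, run the functions in the affected user's session; `Get-OutlookDirectoryOverride` alone is enough to audit which clients have been pinned.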