Providing Exchange 2010 Activesync HA with multiple sites

Update: a bug in Exchange 2010 SP3 breaks the mechanism described below.  See for a good writeup.  Apparently slated for a fix in RU2.  As a workaround, I changed the CNAME to point only to the record and the errors are resolved.

Assuming you already have a solid handle on DR for your mailboxes, the next most important thing is client connectivity.  Many DR solutions for AS (and OWA too) involve repointing DNS to the DR site in case of a disaster.  Changes to our external DNS (it’s hosted) take well over an hour to propagate.  That problem can be avoided.

By using extra DNS entries and the built-in proxying and redirection functions in the Activesync service, AS clients can seamlessly fail over between datacenters. It requires adding one extra level to the namespace, which means more Subject Alternative Names on the SSL cert.  Beyond that, I’ve perhaps over-complicated the namespace a bit more here, but I don’t like changing A records, so I have some CNAMEs that can be shifted in a pinch without modifying the As.

The idea is that regardless of what name is used to reach the Activesync service, the CAS that receives the request checks whether it is in the same AD site as the user’s mailbox, and if not, depending on the version of the client:

  • EAS 14.0+ clients will get a 451 redirect to the externalURL of the EAS Virtual Directory on a CAS in the same site as the current mailbox location.
  • EAS 12.1 or earlier clients will be proxied to the CAS in the correct site if the /proxy directory is set for Windows Authentication.
    Note: In my case, both datacenters are connected internally by a fast link, so any proxied traffic is not an issue.

The setup is as follows:

Names highlighted in orange need to be listed as SANs or as the common name of the SSL cert.

These two DNS A records are specific to the two sites and are used as the host name of the external Activesync URL for each location.  (These are the names a client is sent to when redirected.)

These overloaded A records are used for the round robin.

The last record is just for my convenience. I want to point it directly at site2 if site1 is down; otherwise it’s always pointed at

When not using Autodiscover to configure the AS device, this makes it easy to give the user a single server name and let the back-end functions take care of getting the device connected to the right place.
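As an added example (not from the original post), the pieces above expressed in the Exchange 2010 Management Shell: the per-site ExternalUrl that 451 redirects point at, Windows Authentication on the /Proxy path for legacy clients, and a check that every name a device can be sent to is covered by the IIS certificate. The server names, host names and site-to-URL mapping are constructed placeholders, and the appcmd path for the /Proxy directory is an assumption.

```powershell
# Added example, not the original post's code. Server names, host names and the
# site-to-URL mapping are constructed placeholders; substitute your own.
# Run from the Exchange 2010 Management Shell on a CAS.

# 1. Per-site external EAS URLs. EAS 14.0+ clients whose mailbox lives in the
#    other site get a 451 redirect to this URL, so each name must resolve to a
#    CAS in that site and be on the certificate.
$siteUrls = @{
    'CAS-SITE1' = 'https://eas-site1.example.com/Microsoft-Server-ActiveSync'
    'CAS-SITE2' = 'https://eas-site2.example.com/Microsoft-Server-ActiveSync'
}
foreach ($server in $siteUrls.Keys) {
    Get-ActiveSyncVirtualDirectory -Server $server |
        Set-ActiveSyncVirtualDirectory -ExternalUrl $siteUrls[$server]
}

# 2. EAS 12.1 and earlier clients are proxied instead of redirected, which
#    needs Windows Authentication on the /Proxy path of the EAS vdir on the
#    CAS that receives the proxied request. appcmd is the IIS CLI; run locally
#    on each CAS (vdir path assumed to be the default site layout).
& "$env:windir\system32\inetsrv\appcmd.exe" set config `
    "Default Web Site/Microsoft-Server-ActiveSync/Proxy" `
    -section:system.webServer/security/authentication/windowsAuthentication `
    /enabled:"True" /commit:apphost

# 3. Certificate check: the per-site names, the round-robin names and the
#    convenience CNAME must all be SANs (or the CN) of the certificate bound
#    to IIS, otherwise a redirected device refuses the connection.
$roundRobinNames = @('eas.example.com')          # constructed
$cnameNames      = @('activesync.example.com')   # constructed
$required = @($siteUrls.Values | ForEach-Object { ([uri]$_).Host }) +
            $roundRobinNames + $cnameNames | Sort-Object -Unique

$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
           Select-Object -First 1
function Test-NameCovered([string]$name, [string[]]$domains) {
    foreach ($d in $domains) {
        if ($d -eq $name) { return $true }
        # A wildcard SAN covers exactly one label: *.example.com matches eas.example.com only
        if ($d.StartsWith('*.') -and $name -like "?*.$($d.Substring(2))" -and
            ($name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}
$missing = $required | Where-Object { -not (Test-NameCovered $_ $iisCert.CertificateDomains) }
if ($missing) { Write-Warning "Not on the IIS certificate: $($missing -join ', ')" }
else          { Write-Host "All $($required.Count) EAS names are covered by $($iisCert.Thumbprint)" }
```

Step 3 only validates the certificate currently enabled for IIS on the server where it runs; repeat it on a CAS in each site, since each site presents its own certificate to redirected clients.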

