Client Access Array Switchover script…

Let’s kick off this post by considering the following Exchange 2010 DAG Configuration:

[Image: dcSO_ScenarioDiagram]

In summary – the Exchange infrastructure is spread across 3 geographic sites. There are two DAG nodes on site A and B which are also running the Client Access Server and Hub Transport roles.

At site C there is a file share witness server which has connectivity and oversight of both sites A and B.

Client Access Servers are provisioned as a Client Access Array where the DNS record for the CAA points at the node located in site A and is manually changed when a switchover is needed. There is NO hardware load balancer within the configuration.

Now I know you might be thinking that the above is not technically a supported configuration, and you would be right. In fairness, though, there are a large number of companies around which have exactly this type of Exchange 2010 topology, so whether we like it or not many of us are in the position where we have to support something that is not quite the way we would like it to be.

With the above statement borne in mind, we need at times to come up with creative solutions to help us as Exchange Administrators mitigate the problems which such architectures present. So let's consider the main limitation that the above scenario presents to us:

  • With a Client Access Array configured, all databases have the RPCClientAccessServer property pointing at a DNS record which in turn points to an IP address that is not load balanced. When a switchover occurs (e.g. where databases which are resident on the DAG node that holds the CAA record are moved to another node), RPC clients (e.g. Outlook) can then experience problems connecting to the mailbox stores

So given the above situation, what can we do to alleviate the issue?

Well, I have come up with a PowerShell script which is designed to run from an independent server within a topology like the one depicted above. It can be scheduled to execute at a specified interval, checking for the availability of the Client Access Array and, if it does not get a reply, changing the CAA DNS record to point at the IP address of the other server running the Client Access role. The script can also be used manually to change the record. Conceptually this looks like the following:

[Image: dcSO_ScenarioDiagramScript]

Script Requirements / Pre-Requisites

  • Ensure that your chosen server is configured to allow the execution of scripts from the Internet – as per the following article: Running Exchange Based PowerShell script files from the command line or a batch file
  • The switchover script MUST be executed on a computer that is totally independent from the sites or Exchange servers which house the Database Availability Groups. If you have three sites with a File Share Witness located at an independent site, this would be a good place for the script to be executed
  • The server on which the script is executed must have the DNS Server Tools installed. This can be done by opening a PowerShell window on that server and typing the following commands:
Import-Module ServerManager

Add-WindowsFeature RSAT-DNS-Server

[Image: dcSO_DNSServerTools]

The Switch Over Script – Download

The switch over script is available for download from the following location:

[ Client Access Array Switch Over Script – 2KB ]

You can also copy and paste the script to a file on your chosen server from the code below:

# Exchange 2010 - CAA Switch Over Script
# Version 1.0
# Author: Andy Grogan
# http://www.telnetport25.com

param(
    [parameter(Mandatory=$true,ValueFromPipeline=$false,HelpMessage="Primary DNS Server to update the CAA Record on")]$PrimaryDNSServer,
    [parameter(Mandatory=$true,ValueFromPipeline=$false,HelpMessage="Primary DNS Zone to update")]$dns_Zone,
    [parameter(Mandatory=$true,ValueFromPipeline=$false,HelpMessage="Client Access Array DNS Record")]$dns_CAA_ARec,
    [parameter(Mandatory=$true,ValueFromPipeline=$false,HelpMessage="Ttl for Client Access Array DNS Record")]$dns_CAA_ARecTtl,
    [parameter(Mandatory=$true,ValueFromPipeline=$false,HelpMessage="Switchover Client Access Server IP for CAA Record")]$CAASwitchOverServerIPAddress
)

$ConsecutiveFails = 10

function script_Logging($logEntry,$Colour){
    Write-Host $logEntry -ForegroundColor $Colour
}


function test_PrimaryCAAS{

    param(
        $strPriCAAServer
    )
    script_Logging "Checking Existing Client Access Server Status" "Green"
    if(!(Test-Connection -ComputerName $strPriCAAServer -Count $ConsecutiveFails -Quiet)){
        script_Logging "Client Access Array appears to have failed!" "Red"
        return "failed"
    }else{
        script_Logging "Client Access Array is OK!" "Green" 
        return "ok"
    }
}

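function perform_CAA_SwitchOver{

    script_Logging "Constructing DNSCMD Update Commands" "Magenta"
    $DNSCMD = "dnscmd.exe"
    $ArgsDel = "$PrimaryDNSServer /recordDelete $dns_Zone $dns_CAA_ARec A /f"
    $ArgsAdd = "$PrimaryDNSServer /recordAdd $dns_Zone $dns_CAA_ARec $dns_CAA_ARecTtl A $CAASwitchOverServerIPAddress"
    script_Logging "Removing old record: $DNSCMD $ArgsDel" "White"
    cmd /c "$DNSCMD $ArgsDel"
    # cmd /c hands dnscmd's exit code back in $LASTEXITCODE; non-zero means the delete failed
    if($LASTEXITCODE -ne 0){
        script_Logging "Record delete returned exit code $LASTEXITCODE - the old record may still exist" "Yellow"
    }
    script_Logging "Re-adding new Record: $DNSCMD $ArgsAdd" "White"
    cmd /c "$DNSCMD $ArgsAdd"
    if($LASTEXITCODE -ne 0){
        # Do not report success if the add failed: the CAA name may now have no A record
        script_Logging "Record add failed with exit code $LASTEXITCODE - check the CAA record manually" "Red"
        return
    }
    script_Logging "DNS Switchover Completed" "Green"
}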

script_Logging "Starting Client Access Array Tests" "Cyan"
$Res = test_PrimaryCAAS $dns_CAA_ARec


if($Res -eq "failed"){
    script_Logging "Starting DNS CAA Switchover" "Cyan"
    perform_CAA_SwitchOver
}
script_Logging "Script Completed" "Green"
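
The script above builds the dnscmd command line by string concatenation and passes it through cmd /c, so when it runs unattended from a scheduled task the parameter values are worth validating before they reach a shell. The following is an added example, not part of the original script: Update-CaaRecord is a hypothetical function name, and the name patterns and TTL range are assumptions. It performs the same delete/add with typed parameters, one argument per value, exit-code checks and -WhatIf support.

```powershell
# Added example (not part of the original script). Update-CaaRecord is a hypothetical
# name; the name patterns and the TTL range are assumptions to adjust for your zone.
function Update-CaaRecord {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Typed as IPAddress: anything that is not an IP literal fails at parameter binding
        [Parameter(Mandatory = $true)][System.Net.IPAddress]$PrimaryDNSServer,
        # Zone and record names limited to DNS label characters
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$')][string]$dns_Zone,
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$')][string]$dns_CAA_ARec,
        [Parameter(Mandatory = $true)][ValidateRange(1, 86400)][int]$dns_CAA_ARecTtl,
        [Parameter(Mandatory = $true)][System.Net.IPAddress]$CAASwitchOverServerIPAddress
    )
    if ($CAASwitchOverServerIPAddress.AddressFamily -ne 'InterNetwork') {
        throw "An A record needs an IPv4 address, got $CAASwitchOverServerIPAddress"
    }
    $server  = $PrimaryDNSServer.ToString()
    $delArgs = @($server, '/recordDelete', $dns_Zone, $dns_CAA_ARec, 'A', '/f')
    $addArgs = @($server, '/recordAdd', $dns_Zone, $dns_CAA_ARec, $dns_CAA_ARecTtl, 'A', $CAASwitchOverServerIPAddress.ToString())

    if (-not $PSCmdlet.ShouldProcess("$dns_CAA_ARec.$dns_Zone", "point A record at $CAASwitchOverServerIPAddress")) {
        return   # -WhatIf: report the intended change and touch nothing
    }
    # Each value is passed as its own argument, so no shell re-parses the command line
    & dnscmd.exe $delArgs | Out-Host
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dnscmd /recordDelete returned $LASTEXITCODE; the old record may still exist"
    }
    & dnscmd.exe $addArgs | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd /recordAdd returned $LASTEXITCODE; $dns_CAA_ARec.$dns_Zone may now have no A record"
    }
}

# Dry run using the values from the article's own command line; nothing is changed
Update-CaaRecord -PrimaryDNSServer 172.31.253.138 -dns_Zone prepad.local -dns_CAA_ARec prod-caa `
    -dns_CAA_ARecTtl 3600 -CAASwitchOverServerIPAddress 10.66.66.140 -WhatIf
```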

Script Execution

The script requires 5 mandatory parameters which are as follows:

  • PrimaryDNSServer = IP address of the Primary DNS Server that you wish to change the Client Access Array record address on
  • dns_Zone = The name of the primary DNS zone where the Client Access Array Record is located
  • dns_CAA_ARec = The name of the CAA A record (this does not need the full FQDN)
  • dns_CAA_ARecTtl = The TTL is very important as it dictates how long the DNS record will live in the caches of the DNS servers and the clients. The lower the TTL, the quicker the switchover will be noticed, but the more load is placed upon your DNS servers. I recommend a TTL of about 600 (10 minutes) but you can customise this to your organisational needs
  • CAASwitchOverServerIPAddress = This is the IP address of the Server that will hold the CAA DNS record (so in my example the DAG server on site B)

Therefore, from a PowerShell command window, an example looks like the following:

.\CAA-SwitchOver.ps1 -PrimaryDNSServer 172.31.253.138 -dns_Zone prepad.local -dns_CAA_ARec prod-caa -dns_CAA_ARecTtl 3600 -CAASwitchOverServerIPAddress 10.66.66.140

Which should produce output that looks like the following:

[Image: dcSO_ScriptScreen]

Scheduling the Script

In order to get the best out of the Switch Over script you should schedule it to run on your chosen server at regular intervals (I would recommend every 5 – 10 minutes). This will allow the remote server running the script to automatically detect if the CAA goes offline.

You do not have to schedule the script as it can be run manually – but it is important to note that the script will attempt to test the Primary CAA Record 10 times by default – this is configured within the script via the $ConsecutiveFails variable – see below

$ConsecutiveFails = 10

If you plan to run the script “standalone” (e.g. just to perform a DNS change when you know that the Primary node has failed) I recommend that you reduce the $ConsecutiveFails count to 1.

Of course the best course of action is always to try to deploy resilient Exchange infrastructures – but if you find yourself working with the scenarios described in this article – feel free to have a look.
