This tutorial will demonstrate the steps for deploying Exchange Server 2010 as a Client Access Server array using Windows NLB. This is a demonstration only, and should not be taken as a recommendation to use Windows NLB for your load balancing. A dedicated hardware or virtual load balancer will provide much better performance and capability than NLB can, for any Exchange version.

If you’re new to the concept of Client Access Server arrays and need to know more then check out this article for an introduction and overview of CAS Arrays.

Client Access Server Array Pre-Requisites

Two or more Exchange Server 2010 Client Access Servers can be configured as a CAS array using NLB as long they are not also installed as Mailbox servers that are members of a Database Availability Group (DAG).

The reason is that DAG members utilize Windows Failover Clustering, which can’t co-exist with NLB.

To demonstrate the setup of a CAS array the following servers have been provisioned.

Server #1

  • Operating System: Windows Server 2008 64-bit R2
  • Name: EX3.exchangeserverpro.local
  • Primary Interface:
  • Secondary Interface:

Server #2

  • Operating System: Windows Server 2008 64-bit R2
  • Name: EX4.exchangeserverpro.local
  • Primary Interface:
  • Secondary Interface:

The IP address allocated to the NLB cluster will be

Installing the Exchange Server 2010 Client Access Server Pre-Requisites

On each server, from an elevated Windows PowerShell prompt, run the following commands.

PS C:\> Import-Module ServerManager

Note: In my lab the servers are also Hub Transport servers, and so I installed both sets of pre-requisites. I also use the -Restart switch to automate the restart of the servers, however you can remove this if you wish to control when the servers are restarted.

For only the Client Access Server pre-requisites:

PS C:\> Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart

For the Client Access Server and Hub Transport Server pre-requisites:

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart

After the servers are restarted run the following command, again from an elevated PowerShell window.

Set-Service NetTcpPortSharing -StartupType Automatic

Installing the Exchange Server 2010 Client Access Server Role

From an elevated command prompt run the following unattended setup command.

Note: Again, my lab servers are also Hub Transport servers.

For only the Client Access Server role with Management Tools:

C:adminExchange Server 2010> setup /m:install /r:ca,mt

For both the Client Access and Hub Transport Server roles with Management Tools:

C:adminExchange Server 2010> setup /m:install /r:ca,ht,mt

Installing Windows Network Load Balancing

On each of the servers, from an elevated PowerShell window run the following commands.

PS C:\> Import-Module servermanager
PS C:\> Add-WindowsFeature NLB

Creating the NLB Cluster

After both servers have been prepared the NLB cluster can be created.  On the first server launch the Network Load Balancing Manager from Administrative Tools.

From the Cluster menu choose New.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

Connect to the first server for the NLB cluster.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

Choose the interface that is to be used for the cluster, and then click Next.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

Accept the default Host parameters and click Next.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

Click Add and enter an IPv4 address for the NLB cluster, then click OK.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

Click Next to continue.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

Enter a name for the cluster.  In this example I’m using casarray.exchangeserverpro.local.  Click Next to continue.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

Although the port rules can be made more specific, in this example the default rule is acceptable.  Click Finish to complete the creation of the NLB cluster.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

At this stage you should have a single host NLB cluster that is successfully converged.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

Right-click the cluster name and choose Add Host to Cluster.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

Enter the name of the second server and click Connect.  Choose the interface to be used for the cluster and click Next.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

Accept the default Host Parameters and click Next.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

There are no changed necessary to the port rules, so click Finish.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

You should now have a dual host NLB cluster that is successfully converged.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

One final step, on each of the NLB members run the following command to allow the NLB virtual IP address to be reachable from outside of the subnet that it resides in.

netsh interface ipv4 set int "NLB" forwarding=enabled

Replance “NLB” with the name of your NLB interface on your server.

Creating the Client Access Server Array

Now that the NLB cluster has been formed we can create the CAS array in Exchange Server 2010.

First, register a DNS record for the NLB cluster name.

How to Install an Exchange Server 2010 Client Access Server Array using Windows Network Load Balancing

Next, launch the Exchange Management Shell on one of the Exchange servers and run the following command.

[PS] C:\>New-ClientAccessArray -Name CASArray -Site "Default-First-Site-Name" -Fqdn casarray.exchangeserverpro.local

Name                Site                 Fqdn                           Members
----                ----                 ----                           -------
CASArray            Default-First-Sit... casarray.exchangeserverpro.... {EX3, EX4}

Substitute the Name, Site, and FQDN as appropriate for your environment.

Updating Existing Mailbox Databases

When the CAS array has been established any new mailbox databases created on servers in that Active Directory Site will be configured with the CAS array as their RpcClientAccessServer.

However any existing mailbox databases need to be manually updates so that those mailbox users begin connecting to the new CAS array.

You can see here that the existing mailbox database on server EX2 is still configured with a standalone Client Access server as its RpcClientAccessServer.

[PS] C:\>Get-MailboxDatabase -Server EX2 | fl name, rpc*

Name                  : Mailbox Database 02
RpcClientAccessServer : EX3.exchangeserverpro.local

To update all databases on the server with the new RpcClientAccessServer run the following command.

[PS] C:\>Get-MailboxDatabase -Server EX2 | Set-MailboxDatabase -RpcClientAccessServer casarray.exchangeserverpro.local

The change can be seen by running the same command as earlier.

[PS] C:\>Get-MailboxDatabase -Server EX2 | fl name, rpc*

Name                  : Mailbox Database 02
RpcClientAccessServer : casarray.exchangeserverpro.local

Note that any existing Outlook profiles will not automatically update from the single Client Access Server to the new CAS array name. Those clients will not automatically failover to an alternate member of the CAS array when there is a server failure. You will need to update those profiles for them to receive the high availability benefits of the CAS array. This is one reason that it is important to establish CAS arrays prior to migrating user mailboxes to Exchange Server 2010.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. Manas Dash

    Hi Paul,

    What are the step-by-step to install service pack or roll-up update when the CAS array running behind the Hardware Load Balancer other than using Microsoft Network Load Balancer.

  2. James

    Can you think of anything off hand that would cause an NLB member to be unable to converge after being moved from one hypervisor to another?

    I was attempting to move a VM from one hypervisor to another, exported the VM and imported it on the new hypervisor. Set it’s mac address as the same to ensure no changes there in the configuration.

    When it comes up it says that it is unable to converge. Is there a supported method of moving a VM for a NLB joined system?

  3. Kris

    Hi Paul,

    You had a great article!

    I would like to ask for some pointers.

    I currently have 2 Exchange Server installed with CAS, HT and Mailbox Role each. Also I have DAG with the current setup.

    What can you recommend for me to be able to achieve the CAS Array and eventually remove the CAS roles from the 2 existing exchange servers I have.

    Thank you and best regards,

    1. Avatar photo
      Paul Cunningham

      The goal shouldn’t be to remove the CAS roles from those servers (which is not supported anyway).

      You can load balance your CAS Array and HTTPS namespaces by adding a load balancer like a Kemp or F5 to your network.

      1. Kris

        Hi Paul,

        Can I install CAS role on a new servers then use Windows NLB?
        Then set the new CAS Array and update the existing mailbox database to point to the new CAS Array?

        Is this possible and supported?

        Thank you!

    2. Manas Dash

      Hi Paul,

      I have clear all my doubts after reading this article and now I can able to configure it my self. But how to do the same using hardware load balancer . Please post some article.

  4. Jasper Gacayan

    Hi Paul,
    Thanks for your wonderful article.
    I have a question regarding my exchange setup. I have 1physical server with Exchange 2010 – Mailbox Database and 2 VM Exchange 2010 CAS server that load balance by F5 appliance. My question is do i have to setup CAS Array on this coz i have plan to move my old physcial server to new vm server but still exchange 2010 setup. What is the best advise for you with regards to this setup?
    Your reply is highly appreciated.



    1. Avatar photo
      Paul Cunningham

      CAS Array relates to the CAS role. If you’re moving your Mailbox server role from a physical to a VM there’s no changes needed for the CAS Array.

  5. Phil

    Hi Paul, thanks for that great Article. I’m new on or with Exchange Cas Array’s but sounds interessting. So yesterday we tried to switch to a cas array at a customer, he das followed setup:
    – 3x Exchange 2010 CAS Server
    – 4x Exchange 2010 MailboxDB Server with DAG configured
    – virtualised Servers are running on VMWare ESXi
    The configuration and change was made in time(most from your website and other MS Articles) and everything worked fine. After the configuration we tried to shutdown one CAS Server and the next one, but we find out, clients how where switched to the new casarray where no longer able to connect to any of the Exchange Servers.
    The Cluster was configured as Unicast, iv’e read some articles where that can be a problem with VMWare ESXI, can that be the problem that clients are no longer able to connect to the exchange servers or maybe autodiscover ?
    Any tip or help would be great, thanks alot.

  6. Nguyen Nghia

    Hi Paul Cunningham,

    I see your guide configure ssl certificate for single client access server. so with two CAS server using Windows NLB, how should I configure SSL certificate? Please guide me.
    Thanks & Best regards,

    1. Avatar photo
      Paul Cunningham

      If you’re load balancing HTTPS traffic then both servers should have the same SSL certificate installed.

  7. Thebloke

    Apologies if this is re-posted twice or if it was in appropriate

    Just to add to my above post

    The Autodiscover settings on both servers show

    Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri

    Name :
    AutoDiscoverServiceInternalUri :

    Name :
    AutoDiscoverServiceInternalUri : is

    Noithing to do with outlook clients not connecting right?

  8. Thebloke


    Thanks ever so much for the reply. bloody lifesaver. Let me explain a little better.

    I don’t have an alias as I don’t have a CAS Array setup. I’ve inherited this system and never received a handover as the previous admin left the org before I arrived.



    RPC entry on DB On EXCH01
    RpcClientAccessServer :

    RPC entry on DB on EXCH02
    RpcClientAccessServer :

    Failover the DB’s from DC1 to DC2 is fine, no issues there. Clients connect fine. They just get the ‘Your administrator has made a change…..but re-connect after closing /reopening outlook.

    It’s when the server is switched off after the DB’s are moved the clients disconnect happens.

    What are my options here? I can post configs if that helps.

    Thanks a mil

    1. Avatar photo
      Paul Cunningham

      A key issue is the lack of a CAS Array configured in your environment. Read this if you want more detail on what/why/etc:

      Retrofitting a CAS Array is challenging because the Outlook clients won’t auto-update in every scenario. One solution is to force all Outlook clients to use Outlook Anywhere at all times, even internally, so you can load-balance the Outlook Anywhere hostname or change its DNS any time you need to for site failover reasons.

      Another alternative is to live with the broken design you’ve got and start planning for an Exchange 2016 upgrade, since 2010 is out of mainstream support right now.

  9. Thebloke

    Good morning Paul,

    Just to add the witness server is on a 3rd server in Data centre 1


    DC 1 Exchange 2010 SP3 (Multi Role on each) running on W2008R2
    DC2 Exchange 2010 SP3 (Multi Role on each) running on W2008R2. Witness on a seperate server.

    Thank you.

  10. Thebloke


    I have 2 Exchange 2010 SP3 (Multi Role on each) running on W2008R2
    Single Domain / 2 Data Centres
    DAG is set up correctly as DBs failover ok to 2nd server
    NO HW load balancer either

    It’s the usual issue of clients not connecting as they point to the previous server.

    Could I change DNS to point to thefailover server and also change the rpcckientaccessserver entry on the DB to point to the failover server. Would this get the clients up and running?

    If not. How many additional servers would I need to set up a cas array? It’s just a one time failover required as we wil be moving to o365 soon.

    1. Avatar photo
      Paul Cunningham

      First, just to be clear, the RPCClientAccessServer name shouldn’t be a real server’s name, it should be a unique alias. During any failover situation there should be no need to change the RPCClientAccessServer value itself.

      For site failovers, there’s a combination of the correct design being in place to begin with, and then the operational steps for a datacenter switchover, documented here

      I don’t know your environment so I can’t be too specific, but you should review that information and your design, because the clients should not be trying to connect to “the previous server” if everything is set up correctly.

  11. Narasimha

    Hi Paul.

    I configured as described in the article. But i am not able to ping casarray from DC or from any other client, It gives request timed out. My clients outlook profiles are not configuring. I am using Virtualbox for my lab

    My lab is as below

    Dedicated 2 mailbox servers with DAG
    2 Exchange servers with HT and CAS installed

    Any help will be much appreciated

  12. JT


  13. JT

    Hi Paul

    Again great article. Question. When our 2010 exchange servers were setup the plan was to use a load balancer appliance so a NLB was not created. I have 2 CAS server, CAS1 and CAS2 and the CAS array names is load balance is currently just through DNS round robin.
    Can I easily create the NLB cluster with these existing CAS servers and keep the same CAS array name? or would it be better to creat new CAS servers in a new NLB cluster?

    1. Avatar photo
      Paul Cunningham

      You can use the existing CAS and create an NLB cluster as long as the CAS are not also DAG members.

      You’re better off deploying a load balancer though.

  14. Mikael Ljung

    Hi Paul
    Thanks for all the stuff you teach us! One thing that puzzles me is the name space that you use for the clientaccessarray. Does the name space have to be that of the AD domain or can it be the public one in case I use split dns?
    Mikael Ljung

    1. Avatar photo
      Paul Cunningham

      The CAS Array namespace should be a unique namespace (different to OWA, Outlook Anywhere, etc) that is only resolvable internally.

  15. Munir

    i have one server with (HUB/CAS/Mailbox) , i have 4 mailbox database i want to create high availability on cas and dag

    what i have to on summary


  16. Shakti

    Hi Paul,
    I got 2 CAS servers, 2 MB servers, all in the subnet (10.60.x.x).
    I am using NLB, i assigned private IPs (192.168.0.x) to the two NICs on CAS servers and another 192.168.0.x to the NLB cluster.
    My problem now is that I can’t ping the NLB cluster IP from the other MB servers or DC since they r in different subnet.
    I am afraid if i proceed to creating a CAS array, I’ll be messed up, even my mail flow will stop since all the RPC Client access server access would be replaced by the cluster IP which is not reachable from the outlook clients.
    How to proceed?

  17. Christian

    Hi Paul,

    I’ve always found your articles really useful and this one has been a massive help too, but I just wanted to ask a question around this subject, and this may sound a little dumb so please bear with me and excuse my ignorance…

    I’m about to make some changes to a existing exchange 2010 organisation where a CAS Array was not implemented from day one, currently there are two exchange servers running the CAS / HUB and MBX roles, which are both part of an existing DAG. However, I would like to create a CAS array and below is the configuration I’m going to implement going forward…

    CAS Array Members – Roles – CAS / HUB
    EX01 – Exchange 2010 Standard / Server 2012 Standard
    EX02 – Exchange 2010 Standard / Server 2012 Standard

    DAG Configuration – Roles – MBX
    EX03 – Exchange 2010 Standard / Server 2008 R2 Enterprise
    EX04 – Exchange 2010 Standard / Server 2008 R2 Enterprise

    My first question is with regards to the Network Load Balancing being used to distribute RPC connections between the two CAS Array members…

    I understand that NLB needs to be installed on both CAS Array members, but am I right in thinking the Windows NLB cluster should be created on a stand alone server, outside the exchange organisation, and the cluster DNS A Record pointed to the stand alone server? So that it doesn’t matter which CAS Array member is taken offline, RPC connections will always get handled. And if the stand alone NLB cluster server is taken offline, am I right in thinking OWA will continue to function normally, because it uses HTTP / HTTPS rather than RPC?

    My second question is because there are already two existing exchange servers with the CAS, HUB and MBX roles installed, and both members of an active DAG, would creating a CAS Array break the current DAG or environment?

    I plan on building the two new CAS / HUB servers, adding them to the CAS NLB Cluster, creating the exchange CAS Array, updating the current DAG MailStore’s RPC Servers to the CAS Array and then removing the CAS / HUB roles from the two existing DAG members. I understand that DAG members cannot be members of a CAS Array because Failover / NLB clustering cannot co-exist on the same server, but I just want to make sure I don’t break anything creating the CAS Array because the two current servers have the CAS role installed. My simple understanding is that creating the CAS Array will have no effect on the existing DAG, as I won’t be trying to add them to the NLB cluster.

    Please educate me Yoda…


    1. Avatar photo
      Paul Cunningham

      I think you’re over complicating this.

      The CAS Array is just an object representing the RPCClientAccessServer for the databases in that site. It has a DNS name that resolved to an IP. That IP can be load-balanced, which is where NLB would come into play. However, NLB is not a good solution for load-balancing Exchange 2010 or any later version of Exchange.

      Some orgs go for NLB as a zero-cost option, but as you’ve learned it costs you more in terms of additional Exchange servers to manage because the NLB role can’t be added to DAG members, so the CAS role needs to be separate. If you did continue with the NLB solution the NLB role is deployed on the CAS servers themselves, not separate servers.

      You’ve got two multi-role servers right now which is the recommended practice. To get HA at your Client Access layer I would recommend you look at a load balancer instead of pursuing NLB, either virtual or hardware-based like a Kemp or F5. That becomes the load balancing mechanism for your CAS Array IP.

      If you’re still a bit unsure about all this I really recommend you build up a basic test lab and test your solution in there, including the impacts (if any… there should be few or none) of implementing the CAS Array and load balancing and making the necessary changes to cut over to that.

  18. Kyle Tripp


    As always, great articles. I have used several to create my Exchange environments.

    I have scanned through the comments and find a few questions that are close to my situation but do not match exactly, so I’d like to detail my situation and get your thoughts.

    I have a small three server setup (E2010 on W2008R2). I have one server with CAS, HUB and Mailbox and a 2 server DAG set. This environment originally started as a single server setup, but we added the DAG servers and moved all user mailboxes there. No CASArray was ever configured due to this starting as a single server.

    We are now interested in adding two new CAS & HUB servers to the environment as a CASArray to get the HA benefits (we use hardware load balancing). The current CAS server is named Can we add the two new servers to the environment, and create a CASArray with the same name as the original server? Once the CASArray is created, it should automatically add the current and two new servers as members. I am just wondering if this will cause a conflict. If it does not cause a conflict, then I can change the DNS for to point to the new IP on the load balancer. Then if this all works, the next question is, will this still cause use to have to touch the client machines if they are already pointed to

    I realize this is a strange setup, but any thoughts or suggestions are appreciated. I am looking to minimize the impact on the customer as much as possible.

    thank is advance for any guidance you can offer.


    1. Avatar photo
      Paul Cunningham

      Pointing the DNS entry for an existing server to a load balancer is probably not a good idea.

      If you’re planning to stick with Exchange 2010 for a while I would just do the work and implement a proper CAS Array namespace, and update the clients via login script or deskside visit over a period of time.

      1. Kyle Tripp


        Thanks for the response …

        So the alternative plan is this …
        Stand up the two new CAS/HUB servers …
        create a CASArray (which will capture the old server as a member) …
        set the databases to use new CASArray …
        configure the load balanacer to use the new CASArray (but only the two new servers) on a different IP than the old server …

        this will allow all clients that are configured to use the old server to continue to function …
        allowing time for a tech to help change the profiles to use the new CASArray …

        Sound close?
        thanks again for your input, it is always helpful …


        1. Avatar photo
          Paul Cunningham

          Sure. You could load balance across all three servers too if you wanted to. I’m sure you’ve got your reasons either way.

  19. Thiago Almeida

    You save my job today! Thank you so much for the best article about NLB.

  20. dv2750

    Hi Paul,

    I have always been confused with the basics of NLB., I am new to it. 😀
    Confused with 2 NIC configurations
    When I am configuring in Unicast Mode, I need 2 NICs in each server, correct?
    Srv1 :
    Production NIC: IP:, GW:, DNS:
    NLB NIC: IP:, GW: ???, DNS: ????

    Srv2 :
    Production NIC: IP:, GW:, DNS:
    NLB NIC: IP:, GW: ???, DNS: ????

    Q1: Do I need to have GW and DNS address on NLB NIC as well?
    Q2: Do I need to use the NLB IP address same as the production subnet?
    Q3: When Configuring the NLB, which NIC should I select? Production or NLB?

    Please help me to understand.


  21. Ali Manzoor

    Dear Paul,

    Thanks for this help full topic, Please guide where i will certificate request generate ? mean that

    Both are CAS ARRAY


    and if i chose exch-01 for certificate request , When i will certificate it will install on Exch-02 ?????????

    Please guide me on this Paul.


  22. Ali Manzoor

    Am getting a issue dear, i created same scenario but when i set owa default logon format only with username its not working when i access owa with NLB addeess then owa open with domainusername. i want only with username. is there any option which i should set ??????

  23. Ritesh

    Do we need to configure the same steps in other CAS servers?

    New-ClientAccessArray -Name CASArray -Site “Default-First-Site-Name” -Fqdn casarray.exchangeserverpro.local

    Get-MailboxDatabase -Server EX2 | Set-MailboxDatabase -RpcClientAccessServer casarray.exchangeserverpro.local

    Will it work if the 2 CAS servers are in different sites?

  24. basheer

    Paul, nice article.

    I have all exchange 2010 roles (HT, CAS AND MB) installed on a single server . i want to have DR for that server on the same site . Is it possible and if so , Can you refer some documents in doing the same .

  25. Basel

    Thanks for the great article, but this is only for internal CAS, What about the external CAS, ActiveSync and OWA ( ?
    Can you please advise on how it is done externally as well?



    1. Avatar photo
      Paul Cunningham

      A CAS is a CAS. If the CAS are internet-facing and you’ve got some form of load balancing set up for internal users, that same load balanced IP can be NATed on your firewall and used to service external connections as well.

  26. rajkarthik

    Hello Paul,

    Everything is working perfect in our organisation, but our Windows based NLB not balance the loads equally,
    We are having 4 CAS servers, among that one server getting huge traffic and leads to performance issue on that server.
    We already checked the affinity is single, muticast in NLB. still issue persists.
    Could you please help on this issue at earliest

    Raj kartik

  27. James

    Hi Paul,

    Thanks for a great article. I just wanted to check something that I think I know the answer to, but just want confirmation from someone a bit more knowledgeable.

    I have 4 Exchange servers.

    2 X CAS servers
    2 X Mailbox servers

    The mailbox servers are in a DAG. That works fine and replication happens between them quite happily.

    The 2 Cas servers are in a NLB as you have described. However, if I reboot one of the CAS servers then some of my users get prompted for their credentials. If they close outlook and re-open then it seems to be fine. From what I can gather online this is because the Outlook session has authenticated against the CAS1 for instance. And if CAS1 goes offline, then NLB not being that intelligent swaps the connection over to CAS2. But CAS2 then see’s this as a new connection and so asks for the password again.

    Is this right or have I reconfigured something? If it is right then is there any way to get around it? Or is it just the way it is and on the odd occasions that we have to reboot in the middle of the day users will just have to close and re-open where necessary?

    1. Avatar photo
      Paul Cunningham

      Are you just rebooting the CAS or are you draining it from the NLB cluster first?

      1. James

        I was just rebooting, however it seems as though I need to drain stop it first before doing that. Though some people are suggesting that even doing that you may still get some people getting the prompt.

        But this line of inquiry was more of a “what if one of my servers died on me” sort of thing.

  28. Vasant

    Hi Paul,
    This is a great article for me as i am new for Exchange, I have made my test lab as per you stated above.
    Please answer following my questions which will help me to complete my task.
    1. Can i set my host name to my CAS Array name?
    2. My Second NIC does not work with same subnet on both CAS server to each other CAS server, It is not able to ping..
    3. What will happened if my one CAS server goes down on which i have configured CAS Ararry and NLB, my outlook client will be access server mb or not.

    Please help me in this regards ASAP.

  29. Steven Ahmet

    Hi Paul,

    Great article, (as they all have been). I’m currently in the middle of a co-existence migration between 2003 and 2010. Co-existence has been working perfectly.

    The 2010 server I introduced (ex01) was really just temporary hardware hosting only a handful of users at the moment that I imported from another company. I need to introduce the real 2010 server, (ex02), that will host the current 2010 mailboxes, plus the rest of the 2003 mailboxes. What I want to be left with is a single 2010 Exchange server (ex02).

    I’ve installed ex02 into the organisation and moved my mailbox over to it. I noticed that the Outlook profile doesn’t update and I had to manually intervene.

    Should I look at creating a CAS Array now, knowing I will only have 1 server in the future?
    Do I have to worry about any SSL certificates at this stage, or will it only be when I’m moving OWA, Autodiscover etc.


  30. Jamie Powell

    Hi Paul (and everyone else),

    I just thought I’d share a solution for changing the Outlook client settings seamlessly to take in the new CAS Array settings. This solution does not affect all of the other parts of the Outlook profile like custom settings (signature) or cached email address that are usually stored in the NK2 file.

    I have written a VB script that:

    1. Searches the registry for the default Outlook profile on a user’s machine;
    2. Once the name of the Default Profile has been found it finds the specific keys that contains the Exchange server name and deletes them;
    3. The script then reboots the computer.

    Apart from the usual “run this script at your own risk, I take no responsibility etc etc” there are a critical items to note:

    1. Make sure Outlook is closed and not running before running this script;
    2. Make sure any unsaved documents/data are saved before running this script as the script will reboot the computer;
    3. This script will NOT work for shared PCs where multiple users use the same machine;
    4. This script is not tested on Citrix.

    I can confirm that I have tested this script in my environment by following these steps:

    1. Move a mailbox from a DB server not attached to our CAS Array to a DB server that is attached to our CAS array;
    2. Jump onto the mailbox user’s PC and run the script;
    3. After the reboot the user runs Outlook and the CAS Array name is now populated in the Exchange Server field in the user’s Outlook profile.

    Before I go ahead and share the code on this webpage I will wait until either Paul has said it’s OK to share or if there is enough interest in this solution.



    1. Avatar photo
      Paul Cunningham

      Pasting the code into the comments here would probably mangle the code and formatting beyond usefulness.

      I would recommend publishing your script somewhere public such as the TechNet Script Gallery.

      1. Jamie Powell

        Hi Paul,

        Thanks for the tip, I have published my script on the TechNet Script Gallery. This is the first time I have ever done this and feel quite chuffed about it.

        The address is

        I hope it helps anyone faced with the same situation and needs an automated process to autodiscover a new CAS Server/Array name.



  31. Imran

    Hey Paul thanks for nice steps and notes,

    I got 2 servers exch servers how can i configure CAS+NLB+DAG ?

    i don’t want to have hadware load balancer?

    imran from afghanistan

    1. Avatar photo
      Paul Cunningham

      As the article states:

      “Two or more Exchange Server 2010 Client Access Servers can be configured as a CAS array using NLB as long they are not also installed as Mailbox servers that are members of a Database Availability Group (DAG).

      The reason is that DAG members utilize Windows Failover Clustering, which can’t co-exist with NLB.”

      1. Imran Safi

        I know NLB and DAG cant work 2gether because of culster failover am just asking isn’t any other way to acheaive this goal without having hardover load balancer or to configure CAS ARRAY without NLB?

        thanks so much for support

        imran from afghanistan


  32. Jamie Powell

    Hi Paul,

    Great article, I am in the process of migrating from a multi-role Exchange 2010 server to split role servers and I want to set up a CAS Array first before pulling the plug on the old server.

    My logic is, if I set the NLB array with dedicated NICs on the old CAS server and the new CAS server, create the array in Exchange and point the mailbox DBs to the new CAS Array, when the time comes to decommission the old server it will be as simple as taking the member out of the NLB group (after Exchange has been removed from the old server) and since all of the Outlook clients would already be using the CAS Array the removal of the old server node would not be a factor or issue. Is my logic correct or am I skewed somewhat in my reasoning?

    I have followed your steps all the way up to actually creating the CAS array in Exchange via the PowerShell, before I perform this step I have some concerns, my questions are:

    1. If I pull the trigger on creating the CAS array in Exchange via PowerShell, do I have to immediately change the mailbox DBs to point to the array or will everything keep working fine for all Outlook clients?

    2. If the change to the mailbox DBs needs to be immediate, will there be a massive disconnect for all Outlook clients?

    3. Will there be a massive disconnect to all Outlook clients regardless?

    I guess I’m looking for a way to implement this array without causing any downtime to clients, while this change would obviously be made outside of normal business hours we have users in other countries and so I need to be extremely mindful of any interruptions this may cause.

    Thanks Paul, I appreciate any advice you have, love your site!



    1. Avatar photo
      Paul Cunningham

      1) No. The RPCClientAccessServer value on existing databases doesn’t change until you manually change it.

      2) N/A

      3) No.

      Sounds like you’ve got a plan in mind. Please make sure you’ve read the note at the very end of the article, and considered Outlook behaviour and how your plan will impact existing Outlook profiles.

      1. Jamie Powell

        Hi Paul,

        Thanks for your reply, so I can go ahead and create the CAS Array and it will happily sit there until I go ahead and change the RPCClientAccessServer value on our DB servers when the time comes for us to do it?

        When we’ve made the change to our DB servers, the mailbox user’s Outlook connection needs to change to point to the FQDN of our CAS Array, right? Do you know of any methods using Group Policy (or similar) that automates the changing of each user’s Outlook profile to reflect this change?

        1. Avatar photo
          Paul Cunningham

          Correct. You can even make the changes to the DB attributes, and Outlook clients will keep working.

          The existence of the CAS Array for a site will automatically stamp the RPCClientAccessServer attribute with that value on *new* databases when they are created.

          And, once that DB attribute is set, *new* Outlook profiles will Autodiscover that FQDN to connect to.

          Existing Outlook profiles will keep connecting to whichever server FQDN they’re already configured to, until that FQDN becomes unavailable (which should cause them to Autodiscover the new value) or until you update it with a script or other process (that I have no suggestions for sorry).

  33. Jasen Somwaru

    Hi Paul, I just set up two member CAS array following these instructions. It seems as though some outlook clients are able to get free/busy but other are not. Is there some configurations that need to be made to have a casarray work with free/busy?

    1. Avatar photo
      Paul Cunningham

      The CAS Array is for RPC connections (ie Outlook connecting to mailboxes).

      Free/busy is an EWS (Exchange Web Services) lookup.

      So, if you want EWS connections to be load balanced as well, you would need to set the EWS virtual directory URLs to a DNS name that resolves to a load balanced IP address (which can be an IP on the NLB cluster).

  34. Gbedu

    Pls Paul, i just setup 2 cas servers with NLB and initially i saw the second cas server after adding it to the cluster then my computer shutdown unexpectedly because of battery issue. By the time i brought my computer back up and logged on into my virtual machines then launch the NLB Manager..i couldn’t see the second node anymore in the NLB yet it tell me it’s converged and when i try to add the second cas to the cluster it also tells me it’s already a member of the cluster and yet i can’t see it. Pls can you explain to me what might have happened.

    1. Avatar photo
      Paul Cunningham

      So you can ping/logon to both servers, then can ping each other etc, but can’t see more than one in the NLB cluster?

      1. Gbedu

        Yes Paul….can’t see more than one in the NLB cluster unless i go back to add existing to cluster and add the second node which will also disappear once i close the NLB and re-launch.

  35. Eric Govreau

    I read through this with great interest, as I’m trying for a HA solution myself. One thing that didn’t seem to be addressed was what was being done with the LAN NIC’s. I believe that the IP addresses in your steps were x.x.x.34 and .35 respectively. If they’re not to be part of the NLB cluster, why the need for the second NIC? I’m sure I’m missing something, but not sure what…


    1. Avatar photo
      Paul Cunningham

      The server still needs an IP/NIC for direct server traffic. The load balanced IP only exists for specific services.

  36. Shan

    Hi Paul,

    Great article. Let me explain what I have setup here and you tell me if your approach will work in this scenario.

    Currently I have exchange 2010 SP1 RU 8 installed on domain controller with all the roles. (I know not the best practice). I have created a new VM with Windows 2K8 R2 SP1 with all the patches and updates. Do you recommend updating the current exchange to the latest service pack which is SP3 and then installing the exchange software on the new VM, then creating the CAS array on the DC and then move mailboxes to new server? Or what is the best way to move forward since I plan to retire the existing DC with exchange and separate out domain controller and exchange. I also have a secondary DC which is a VM.

    Thanks for your help.

  37. John


    I currently have 3 Exchange Servers all running W2K8R2 Standard and Exchange 2010 Standard SP3
    roll up 1.

    Our single main server at our corporate office has 2 databases and the 2 remote servers have 1
    database each.

    They also a single Public Folder running on each of the servers.

    We are currently also using a Sophos Email Appliance ES1100 that filters emails at our main

    corporate location before moving on to our corporate and remote exchange locations.

    Firewall – Sophos Email – OWA – EXCH1corp(Hub,MBx)/EXCHrem1(MBx)/EXCHrem2(MBx)

    I am currently working out a plan to take advantage of High Availability and Site Resilience.

    With a setup of the following with DAG with CASarray:

    EXCH1corp 2 Active DBs for corp office users
    1 Passive for Exchrem1
    1 Passive for Exchrem2
    1 Public Folder

    EXCH2corp 2 Passive DBs for corp office users located at our collocation site

    Exchrem1 1 Active DB for remote office 1 users
    1 Public Folder rem1

    Exchrem2 1 Active DB for remote office 2 users
    1 Public Folder rem2

    ExchWitness 1 Witness server located at our corp office

    We are only about 100 users with approx 200-300 mailboxes.

    I would like to know if we require following:

    1. a single load balancer at each location (can this be done with Windows NLB or do we require a hardware load balancer (if so what are the benefits and drawbacks of both)
    2. Do I require W2K8R2 Enterprise License for DAG utilization
    3. We have a low bandwidth connection so would initial seeding and replication be an issue. FYI in the future we will be upgrading this.
    4. Do we still require and Edge Server even though we are using a Sophos Email appliance for mail filtering.
    5. Do we still require a MAPI and replication network as this is a small site and we are using Vmware virtualization.



    1. Avatar photo
      Paul Cunningham

      1. Windows NLB can’t be used if the servers are also DAG members.
      2. WS2008 R2 Enterprise is required for DAG members due to the dependency on Failover Clustering. WS2012 doesn’t required Enterprise as Standard includes Failover Clustering.
      3. Yes.
      4. Edge is never required, it is always optional. Unless you see specific feature of Edge that you need then the Sophos appliance is probably fine.
      5. Every DAG has at least one DAG network used for MAPI and replication. You can then optionally add extra replication networks if required.

      1. John


        Thank you for your response. Just wanted to clear up the below.

        1. Can you recommend a decent load balancer, something so I don’t break the bank.

        5. In our smaller scenario will we still need separate networks as we are a smaller organization.



        1. John


          A couple of other questions.

          1. Would we need the auto discover feature of OWA in Exchange 2010 in our scenario.

          2. Could we setup a scenario where we create a new DB then move each user slowly and then create the DAG or should we create the DAG first.



        2. Doug

          1. KEMP has very affordable hardware load balancer appliances.

          5. You don’t “need” a separate replication network for your DAG. If you’re really that small, you can get away with one network for both MAPI and your DAG.

      2. John


        We also have a current OWA (CAS) server in front of our current main corporate Exchange 2010 server.

        1. Can we setup a secondary redundant OWA (CAS) server at our corporate office with another OWA server located at each of our remote sites?

        2. Also in this scenario where can I locate the Kemp load balancer (in front of OWA server?

        3. Would I require a load balancer at all locations?

        FYI current setup is below.

        Internet -> FW -> Sophos Mail -> OWA (CAS) -> EXCH1corp(Hub,MBx)/EXCHrem1(MBx)/EXCHrem2(MBx)

        Looking at Below

        EXCH1corp 2 Active DBs for corp office users
        1 Passive for Exchrem1
        1 Passive for Exchrem2
        1 Public Folder

        EXCH2corp 2 Passive DBs for corp office users located at our collocation site

        Exchrem1 1 Active DB for remote office 1 users
        1 Public Folder rem1

        Exchrem2 1 Active DB for remote office 2 users
        1 Public Folder rem2

        ExchWitness 1 Witness server located at our corp office and another at each Remote locations and the DR site.

        We are only about 100 users with approx 200-300 mailboxes.

        FYI I just realized I needed 1 witness server at each location to total 4.

        Another question can I accomplish just doing database copies without using a DAG configuration?



  38. Doug


    The answer to your question is No. In fact, it is recommended that you create your CAS array first. Then, any servers you create, in the same Active Directory Site, that are installed with the Client Access Role, will automatically become members of the CAS array; as far as Exchange is concerned. You will, of course, still need to add the new nodes to your Load Balancing solution.

    1. julia

      Thanks Doug!

  39. julia


    This is my existing setup:

    – EX1: 2008 r2 server with exchange 2010 sp3 (cas, ht), 2 NICS
    – EX2: 2008 r2 server with exchange 2010 (mailbox)

    Now, i would like to add another server:

    – EX3: 2008 r2 server with exchange 2010 sp3 (cas, ht), 2 NICS and do cas array

    My question is – do i have to configure the EX3 exactly as EX1 before doing the CAS array?


  40. Pham Trung Duc

    Hi everybody,
    I have configured my system as the guide of Paul above : eache server have 1 interface to outboud traffic (have Default GW) and 1 another Inbound interface to build VIP NLB unicast mode.
    But from reality for what i have tested –> this topology is unstable when sometime, client can’t ping the VIP or maybe also the Dedicate Inbound IP with no clause, no change, no influence to system. Check on Switch, the switch operates correctly.
    Here we try to use just one Interface (with Default GW) on each server to build VIP NLB unicast mode and everything seems to be fine, the NLB service work stable. On strange thing is that i can ping between each other server (not like Microsoft’s Document say that in unicast mode, we have to use 2 interface on each server if we want to communicate between member server)
    So what is the trick here??
    I’m very happy to share with everybody !
    Thanks !

  41. mont

    Hi Paul,

    I followed the above steps, I just have one problem. When I setup Outlook 2007 and let the automatic configuration continue, it hangs on “Online search for server setting” and it will tell you that Microsoft Exchange is unavailable… but when I put in the CAS Array name on the server field, and click check name… I can successfully finish the outlook configuration.

  42. jddcrouch

    Hi Paul,
    One quick question on NLB setup.
    When I setup my hosts as unicast, I couldn’t get other servers to be able to ping the cluster.
    the hosts could ping the cluster name (CASArray) and resolve etc, but not other servers. (IE, DC in the same subnet.)
    Error is destination host unreachable.

    the following were checked with no issues that I could see:
    – NLB Cluster settings (according to the artical)
    – DNS
    – NICs set to forward
    I changed to multicast and it started working.

    Is there a specific reason for using unicast vice multicast and if so, any ideas why I couldn’t get it to work with unicast?

  43. Faris Mlaeb

    but will this also create the Virtual directories for CAS on each server IIS
    and is it important to use the default website for the CAS Array.

    1. Avatar photo
      Paul Cunningham

      The virtual directories are created for you when you install the Exchange Client Access server role. And yes, they are installed to the default website.

      1. Faris Mlaeb

        Thanks for reply
        I know that the Virtual Directories installed when the CAS installed, but when you make the NLB cluster we have to make some changes to the Exchange Web Services like Autodiscover – OWA so URL will point to the NLB not to a single server.
        would you please tell us about how to make this service modification.

  44. Pham Trung Duc

    Hi Paul,
    I have a question that for the interface configuration that you said above:
    Server 1:
    Primary Interface:
    Secondary Interface:
    Server 2:
    Primary Interface:
    Secondary Interface:

    Could i use private interface to connect 2 CAS server together? For Example:
    Primary Interface: – GW – Server 1 and Primary Interface: – GW for Virtual IP
    and secondary: 10.0.0.x/24 for connect 2 CAS server together?
    The manner here is i don’t understand why you use 4 interface connect to an switch in the same VLAN. It is mandatory? And could i use my configuration like description above ?
    Many thanks!

    1. Avatar photo
      Paul Cunningham

      The secondary interface is not for the two servers to talk to each other. It is for use in the NLB cluster.

      Two interfaces means you can have one interface for the NLB cluster, and the other for everything else (eg management, non-CAS traffic, etc).

      1. Pham Trung Duc

        Thanks Paul for your reply
        What does “It is for use in NLB Cluster” mean? Sorry for my question but i’m not clear to understand your information.
        Do you mean that i could use only 2 interface to build an NLB VIP for Client Access Server Role in Unicast Mode, it is possible? Because i have read some topic said that in the Unicast mode, we have to use 1 more interface on each server to talk to each other.

        The second question is that: my current setup has the Hub Transport Role and the Client Access Server Role are installed together. This means 2 HUB-CAS server: HUBCAS_01 & HUBCAS_02. Each server has 4 NIC and i build 2 NIC Teaming: Team1 and Team2.
        So i’m trying to do:
        – HUBCAS_01_Team1 & HUBCAS_02_Team1 form an VIP for NLB CAS service (HTTP/HTTPS request from client).
        – HUBCAS_01_Team2 & HUBCAS_02_Team2 is used for Load Balancing SMTP traffic from/to EDGE_01 & EDGE_02 (2 Edge Transport Server) via Edge Subscription Process (What i have read from the technet is that Exchange 2010 automatically load balances all intra-organization message traffic between Edge Transport, Hub Transport, and Mailbox servers using enhanced DNS –

        So the question is: after run Edge Subscription and the Default Receive, Send Connector is automatically created, which interface team on 2 HUBCAS server is use for SMTP traffic. Does it recognizes to use only NIC Teaming 2 or it will use all 2 NIC Teaming? Or maybe i have to mannually edit the Send/Receive Connector parameter?

        Thanks Paul in advanced 🙂

  45. Debbi

    Hi Paul,
    First up , thanks Paul for all your great guides. I’m having an issue after setting up a CAS array as per the steps above. I have 2 x CASHT servers using NLB. I have then created separate Mailbox servers with various databases in a single DAG. This has been added to an existing Exchange 2007 organisation. When I move the first user mailbox from the Exchange 2007 to the Exchange 2010 mailbox server I can no longer connect to the mailbox using Outlook. User receives a prompt that a change has been made that requires them to restart outlook but when they do it prompts for authentication to access the CAS array name and no matter how many times entered it just keeps prompting and can not access the mailbox. Accessing via OWA is successful.

    1. Avatar photo
      Paul Cunningham

      It is possible that the RPC/MAPI connection is failing so it tries Outlook Anywhere instead (hence the auth prompt).

      I would check that:
      a) The RPCClientAccessServer for the Exchange 2010 databases has been set to the CAS Array nam
      b) The CAS Array name is resolving correctly in DNS
      c) The NLB port rules are correct for RPC/MAPI access.
      d) If the clients are from different subnets than the NLB cluster, that the “netsh interface ipv4 set int “NLB” forwarding=enabled” has been run.

      You can also test whether its an issue with the NLB by changing the CAS Array DNS record to point directly at one of the Client Access server IPs instead of the NLB VIP.

      1. Debbi

        After double checking everything I noticed a typo in one of my settings … Doh. Everythings working now.
        Thanks,Paul for the help.

  46. shanmugam

    Thank you Mr.Paul. Good explanation.

  47. Grace Zhang

    Thank you very much for your article Paul, it is greatly appreciated. Here I have three questions:

    1) For the command: New-ClientAccessArray -Name “CAS-Array-Name” -Fqdn “” -Site “ABC”,
    I understand that “” is the FQDN of NLB cluster network name, SHOULD or SHOULDN’T I use “NLBcluster” for “CAS-Array-Name”? (if I use any other name, than it has no match DNS record obviously)

    2) We have two CASs, the internal owa URL is and respectively. After creating NLB cluster(, should I change the internal URL on both servers to “”?

    3) The last one may should go to NLB section (more NLB related), but with your extented knowledge Paul, when we say “no default gateway should be configured on NLB NIC” and “no DNS register entry for NLB NIC”, should I also disable “File/Printer sharing for MS network” and disable “NetBIOS over TCP/IP” on NLB NIC?

    Thanks again for your time to clearify my doubts. Grace

    1. Avatar photo
      Paul Cunningham

      1) The CAS Array name and the NLB cluster name don’t need to match. I would actually recommend that they should not be the same. Yes, you need to create a DNS record for your CAS Array name.

      2) You can, but it is not required. I usually use the External URL as the common OWA namespace.

      3) The only requirement is the default gateway and DNS registration.

      1. Grace Zhang

        Amazing…thank you Paul for getting back to me so quick and it does clarify my thoughts, thumb up 🙂

  48. Amal

    Dear Paul,

    In our exchange 2010 environment we have two hubcas server with NLB configured. But mails hits only hubcas server one if the hubcas server one down then the mail folw through hubcas server2. Please tel me how to set the virtual ip to get all the hits straterway. where to chenge that seetings in exchage ?

    1. Avatar photo
      Paul Cunningham

      What do you mean “mails hit only hubcas server one”? Which emails do you mean, incoming internet email?

      1. Amal

        yes incoming internet mails

  49. Justin

    I currently have an environment with 2 CAS/HT servers and no CAS array and I want to move to 2 new servers in a CAS array. What I am planning to do is create a new mailbox DB after the CAS Array is created and then move users to the new mailbox DB. Can I do this without disrupting the users (except while their mailbox is migrating)? Is there an easier way to transition to the CAS array other than modifying all of the Outlook profiles and changing the RPCClientAccess setting on the current databases?

  50. Danushka

    Dear Paul,

    I confused, do we really need two NIC for CAS/HT server. any reason you had used two NIC.
    because I used only one NIC for CAS/HT server.

    Best Regards,

  51. Mustafa

    HI Paul, first of all , you are the pro 😀 , your article is awesome , I want to tell you my scenario to upgrade my 2003 environment to 2010, ” DCs 2003 to 2008 and Exchange 2003 to 2010 and applying TMG to publish the CAS ARRAY URL” … I have one two servers , one for DC 2003 and the other one for EX 2003 , on the EX 2003 I have 5 mailbox database , all of this will migrate to a Hyper V environment contains Two hosts that will carry the Virtual machines , the first host will have the following VMs :
    DC1 , HUB-CAS01 , MB01 , TMG
    the second host will have the following VMs:
    HUB-CAS02 , MB02

    we will apply NLB between the two VMs ” HUB-CAS01 and HUB-CAS02″ and a DAG for ” MB01 and MB02″ ,.

    can you give me more specific details about DNS configuration for every member server in the cluster because each server has two NICs and how registration should apply for the IPs in DNS and about placing the Mailbox databases .. should I place two DBs on one server and three DBs on the other or place all the five DBs on one server and DAG will replicate them to the other one.

  52. Senthil

    Hi Paul,

    Thanks for the article. I have question on loadbalancing OWA URL / Auto discover and other services.

    CASARRAY Name will be used for outlook only. How to point out OWA URL and other URLs through Virtual IP?

    Do you need to create CNAME for each url to point out the virtual IP (CAS Array IP)?

    Appreciate your help

  53. Leo

    I guess my question is, If I have two or three Exchange Servers 2010 in CAS array (i.e., casarray.domain.local), I still have to run the below in Powershell for Exchange Server 1, for Exchange Server 2, Exchange 3 so forth etc, to change the “RpcClientAccessServer, right?

    Get-MailboxDatabase -Server EX2 | Set-MailboxDatabase -RpcClientAccessServer casarray.domain.local

    Note: At this point in time, there are no mailboxes have been migrated yet or created in those Exchange servers (i.e., they are freshly installed…..just building my CAS array at this moment…Outlook profiles don’t even exist for Outlook MAPI clients at this point).

    1. Avatar photo
      Paul Cunningham

      That is covered towards the end of the article above.

      “When the CAS array has been established any new mailbox databases created on servers in that Active Directory Site will be configured with the CAS array as their RpcClientAccessServer.

      However any existing mailbox databases need to be manually updates so that those mailbox users begin connecting to the new CAS array.”

  54. Leo

    Cheers Paul.

    Some clarification…….

    I gather that Outlook MAPI clients will be looking for casarray.exchangeserverpro.local to benefit from HA provided that you have setup your CAS array first before migrating the mailboxes?

    Therefore, if I have 2 or more CAS member in the CAS array, i still need to run the below in Powershell cmdlet for each Exchange server?

    Get-MailboxDatabase -Server EX2 | Set-MailboxDatabase -RpcClientAccessServer casarray.exchangeserverpro.local

    1. Avatar photo
      Paul Cunningham

      The CAS Array object itself is separate from the HA.

      The CAS Array is a DNS name that points to an IP address. That IP address can just be a single Client Access server. Or it can be a load-balanced IP address for multiple Client Access servers (via NLB or HLB).

      But the CAS Array itself is not providing HA or load balancing.

  55. Leo

    Thanks Paul

    In E2K13, how is HA gets handle? Do you still need hardware load balancer?

    1. Avatar photo
      Paul Cunningham

      2013 has the same story with NLB, but for HLB it has been simplified somewhat as it now only needs a layer 4 load balancer instead of layer 7 like Ex2010. HLB is also still the recommended way to go.

    1. Avatar photo
      Paul Cunningham

      My take is that hardware load balancing is better for a lot of reasons, but if you can’t get a HLB and you still want some level of HA and load balancing for your CAS then NLB is your only option.

      1. Leo

        Thanks Paul…appreciate it.

        Will Windows NLB still works for smaller site like 700 mailboxes for HA? Isn’t Windows NLB is not application aware hence if CAS A for instance goes offline for some reason, Windows NLB won’t have a clue about it therefore it will continue to sent the traffic to CAS A instead of CAS B therefore failover will not possible to achieve with Windows NLB?

        1. Avatar photo
          Paul Cunningham

          I think NLB tops out around 10,000 max users, and it can’t scale out to more than 8 CAS servers.

          Yes, it is server-aware but not service aware. So there are failure scenarios where the NLB will continue sending traffic to a server that may only have say a stopped service rather than the whole server going down.

  56. Mahmoud

    High Paul, thanks for your good article.
    Regarding to the note in the end of the article, how can I update those profiles for them to receive the high availability benefits of the CAS array?

    can you explain it to me please?

  57. khaled

    thank you for your post.

    am new at exchange .
    i have two questions
    1- when we do the second CAS installation before or after the creation of casarray?
    2-when i install the CAS can i use the same External url for both of my CAS ??


    1. Avatar photo
      Paul Cunningham

      1 – Doesn’t matter. You can establish the CAS Array before or after installing the second, third, fourth etc CA servers.

      2 – Yes, in fact that is required if you also plan to load-balance other CAS traffic such as OWA, ActiveSync etc.

  58. Je Remy

    Hello Paul, many thanks for so many really excellent tutorials on Exchange. I’m learning alot from following your work. I’m studying to learn Exchange in more detail. I’m trying to build an HA Exchange 2010 – This tutorial has provided many answers to the questions I’ve been looking for. A few remain though, and I was wondering if you had time to field a few?

    I’m puzzled by the path – C:adminExchange Server 2010>

    Can you elaborate for a noob – am I creating this path, copying Exchange CD files to it? what am I missing here?

    When do I run Prepare AD/Schema – as the CAS/HT will be the first servers I’m building into my environment (After a DC) I’m getting conflicting info and when this should happen. A colleague assures me Exchange 2010 SP2 does it for you, but I ran the installer for an HT, got no AD prep prompt and the readniness check subsequently failed

    If you had time for any insights, you have my thanks in advance


    1. Avatar photo
      Paul Cunningham

      C:AdminExchange Server 2010 just happens to be where I have extracted the Exchange setup files on my server.

      The schema preparation can be performed manually ahead of the first Exchange server install, or when you install the first server it will do it for you automatically if it detects that it has not already been done (assuming all other requirements are met).

      The readiness check can fail for many reasons so you’ll need to be more specific.

  59. VAT Saravuth

    Hi Paul,

    Excellence post. i have followed all of your steps and it is working well in internal domain and sent out to internet domain is also working well but the problem is unable to receive mail from outside domain. Send connector / receive connector are already created by adding both HUBCAS into receive connector

    Let me tell about network setup:
    1. HUBCAS01 =
    2. HUBCAS02 =
    –> NLB VIP =
    3. MBX01 =
    4. MBX02 =

    If i forward SMTP port 25 to in my Cisco Linksys E1200 router it will not receive any mail from outside domain and it doesn’t allow to telnet on port 25. but if i forward smtp port 25 to or it will working well

    Can you bring me to the right place to pointing out my NLB working properly?

    Million thanks

    1. Avatar photo
      Paul Cunningham

      Can you telnet to the NLB VIP on port 25 from a server such as MBX01 or a non-Exchange server within that same subnet?

      Is it just external connections and those from anywhere outside of the 192.168.10.x subnet that aren’t working?

  60. Valentin


    Please receive my thanks for the good articles you are publishing. They helped me a lot in learning and configuring Exchange 2010.
    I have a problem and I hope you can guide me in solving it.
    My test infrastructure contains:
    1. DC1 – GC/DC (win 2008 R2)
    2. EX1 + EX2 – Client Access Server + Hub Transport roles (win 2008 R2, Exchange 2010 + Sp1)
    3. EX3 + EX4 – Mailbox Role (win 2008 R2, Exchange 2010 + Sp1)
    4. DT3 – client station.( Windows 7 Pro)
    I have I external domain which I
    Internally I use I have an internal DNS which I use only for internal DNS resolving.
    I configured the CAS as instructed, step by step. 20 times.
    Each time I configure the client using Autodiscovery, in the e-mail address field I get
    The “Server” is well recognized by the Autodicovery service as

    Please help me in troubleshooting this.
    Kindly let me know what additional info can I provide.

    Thank you,


    1. Avatar photo
      Paul Cunningham

      Do you have your SSL certificates configured correctly on the Client Access servers?

      1. Valentin

        Hi Paul,
        I tried both, with self signed Exchange certificates and with a certificate issued by a certificate authority which I installed on my domain controller.
        For getting an Exchange certificate from my CA i followed the next steps:
        1. On van-ex1 created the request.xml.
        2. Opened the http://van-dc1/certsrv
        3. advanced request for certificate; pasted the contents of the request.xml; selected web server; downloaded the issued certificate
        4. from the van-dc1 exported the root ca and imported to the van-ex1, otherwise it would not recognise the certificate
        5. on van-ex1 completed the certificate requeste; assigned serviceds to certificate
        6 on van-ex1 exported the certificate
        7 on van-ex2 imported the root ca and the certificate.

        Maybe I am wrong in this?

        1. Avatar photo
          Paul Cunningham

          Is the private CA you’re using also trusted by the clients?

          Did you include the correct names in the SSL certificate? Does it work for other acess such as OWA without giving any certificate warnings or errors?

        2. Valentin

          Hi Paul,

          the private CA is trusted because I exported it from my DC and imported it in the Trusted CA’s container on the clients.
          The OWA works ok Externally (I configured same address internally and externally). Intermally does not work. There is a problem with the internal DNS I think. Could this be the reason why autodiscovery does not work either?

          Thank you,


        3. Valentin

          Hi Paul,

          I managed to solve the problem. Split DNS was the solution.



  61. Dinesh

    Thank you for posting nice articles. I have one exchange 2010 server with all the roles. The server name and the SSL certificate installed is :
    When I want to use Outlook anywhere, it doesn’t allow me to use as the mail server. The proxy settings are pointing to – But the mail server name I have to give as
    How do I make use everywhere? It will eliminate users to remember the original netbios name of exchange server.

  62. ITC

    Hi Paul. This is the best Ex 2010 CAS/NLB article I’ve seen! Thanks for putting it together.

    We are planning to do a 4 server Exchange 2010 HA setup for a client. It will be 2 CAS/HT in an NLB and 2 MBX in a DAG as you described in comments above. All 4 servers are Hyper-V VMs on 2008 R2 Enterprise.

    The tricky part here is the current mail system is an all-in-one Exchange 2003 box that we will be moving away from so there is a whole migration piece that ties into the implementation above. I’ve read a ton of material and feel good about the overall process. However, I have a concern about the order of events below. Which is the right order – the Exchange migration introduction of 1st CAS, then NLB or NLB and then intro of 1st CAS into EX 2003 site?

    1. Prepare forest and domain for Ex 2010
    2. Introduce 1st CAS server into 2003 site
    3. Introduce 2nd CAS server into 2003 site
    4. Make sure mail is still flowing correctly
    5. Install NLB, configure cluster, define CAS Array
    6. Configure CAS Array

    Does that order make sense? My biggest concern is not disrupting mailfow during the whole process so I need to get 2010 introduced into our existing 2003 environment, configure HA for CAS, configure DAG, then move existing clients to 2010. If you know of any good write-ups that combine a migration with introductio of HA features noted above, I’d really appreciate it!

    Many thanks!

  63. Sundip

    Hello Paul,
    Great Article very usefull. However i have some questions. I’m trying to setup a lab environment for a basic HA Exchange 2010 environment with a Single AD Site design. This is the equipment i have:

    1. VMware hypervisor esxi with: 1xDC, 1xCAS/HUB01 & 1xMAILBOX01 < – All Servers Win 2008 R2 ENT
    2. VMware hyperviso esxi with: 1xCAS/HUB02 & 1xMAILBOX02 < – All Servers Win 2008 R2 ENT
    3. Physical Server Win 2008 R2 ENT

    What i understand from all your replys & article is:
    1. CAS ARRAY & DAG Setup can't live together on the same box. Hence why min of 4 servers are required for HA/DR that is HA for 2 x CAS & 2 x Mailbox. Is this correct?
    2. Since CAS ARRAY & DAG Setup can't live together on the same box i have decided to put a physical server to act as a Load Balancer for CAS and Witness Folder Server for DAG is this correct? the reason i'm doing this is if 1 x VMware hypervisor fails we have another hypervisor as HA hence why i'm not putting witness folder/nlb in any of the hypervisors.
    3. Will a physical win 2008 r2 ent server handle NLB for about 15-20 staff in a company?
    4. How will this affect auto-discover will all the certs need to be install on NLB Server or NLB server is there just to forward requests to the next available server in a round robin fashion.

    thanks for your HELP!!!!!

    1. Avatar photo
      Paul Cunningham

      1) The conflict isn’t CAS Array members and DAG members, it is Windows NLB and DAG members (because DAG uses failover clustering, which can’t run on the same server as NLB).

      So if you’re using NLB, yes they need to be separate.

      2) If you’re using NLB then the CAS servers themselves form the NLB cluster. The NLB isn’t a separate server. Putting the FSW on a separate server is fine as that will assist with some DAG failure scenarios.

      3) Refer to answer above. The NLB isn’t a separate host.

      4) The CAS Array really refers to the RPCClientAccessServer, which is for RPC/MAPI connectivity only.

      You can load balance the other CAS services such as Autodiscover as well, using the same NLB, but it is completely separate to the role of the CAS Array for RPC/MAPI traffic.

      A good article series to read is this one from the MS Exchange team, which clears up a lot of misunderstandings:

  64. Christian

    Hi paul,
    Very Usefull article, thanks fort that.
    Can you describe if client DNS should be enablend on Both NIC, if we need to enable box “Register this connection’s addresses in DNS”, if gateway should be specified for all the NIC etc. ?

    1. Avatar photo
      Paul Cunningham

      On the NICs that will be used for the NLB virtual IP, don’t register them in DNS and don’t configure a default gateway.

  65. Ryan

    I created a cas array a year after isntalling exchange 2010 and it updated all of my outlook clients to the cas array name instead of server name despite your comment “Note that any existing Outlook profiles will not automatically update from the single Client Access Server to the new CAS array name. ”
    It did take a few days, i believe it was the autodiscover service that did this for me. It popped up and said a system administrator has made changes that require you to restart outlook.

    1. Avatar photo
      Paul Cunningham

      Yep, something that causes Autodiscover/autoconfiguration to run again would kick the profile across to the CAS array name.

      I’m not 100% sure but one of the fixes in the latest update rollup might also help with this situation. I’ll have to check that out a bit more.

  66. AmitRak

    Excellent article!!
    Easy to understand.

    Questions on NLB
    in what scenario we select “UNICAST” , MULTICAST AND IGMP MULTICAST

  67. muath

    thank you very much
    I have Intalled lab that Include
    1 dc server
    2 mailbox servers
    2 cas servers
    I have enabled the NLB for on both cas servers.
    the nlb record = mail.test.local with ip
    i am trying to access cas server by nlb record ( https:\mail.test.localowa) but it gave me IE CAN NOT DISplay the webpage …. but if wrote https:\cas1.test.localowa or https:\cas2.test.localowa it works.
    please advise

  68. Kenneth Polaski

    Hi Paul,

    Great article. I have a single Exchange 2010 with MB, HT, and CAS roles on it. What it is the simplest way to start creating redundancy on our way to full redundancy? I publish OWA, Outlook Anywhere, and eventually Active Sync. We do have a VM cluster available. Thanks in advance.

  69. Amit

    Hi Paul,
    Would like some information on below mention points

    1) On the NLB NIC do i need to put the gateway IP address
    2) How do i connect the NLB NIC of both the server ? do i connect it back to back with cross over cable or do i connect NLB NIC’s directly to switch.

    1. Avatar photo
      Paul Cunningham

      1) No.
      2) Connect them to the LAN switch, not with a cross over cable.

  70. Frank D'Amore

    Paul, we are going forward with a screwy topology that consists of two “well connected,high speed” physical sites in one domain(single Exchange org). Both physical sites will have a HT/CAS server as well as an mbx server. The HT/CAS servers will be on two different subnets that are routable to each other. Is it possible to place these two CAS servers into a CAS array using NLB? Is it possible to publish the CAS array VIP to both physical sites?

    1. Avatar photo
      Paul Cunningham

      The CAS Array name has a corresponding DNS entry that needs to resolve to an IP address. That IP address can be made highly available through load balancing, but it is a single IP address. If you can load balance that single IP across both sites then it may work. Otherwise you need to keep it in a single site and use manual DNS updates to failover to the other site if the primary site CAS is down (keeping in mind that Microsoft has never intended for full datacenter switchover capability to be fully automatic, it always involves manual steps).

  71. SysAdmin-E

    Hi Paul:

    We have a 3 server DAG with a 2 server CAS Array using NLB. The 3 DAG servers also have the CAS role installed and we have run into issues where clients have connected to a particular DAG node for free/busy lookup. For example, if we put DAG001 into maintenance mode, it will not have any active mailboxes so you’d think that rebooting that node wouldn’t cause any issues. It turns out that if we were to reboot that node in the middle of the day, users who have connected to it for free/busy lookup will get an error.

    Does it makes sense to remove the CAS role from all 3 DAG nodes? Would there be any configuration files that we need to edit after we do that, or will Autodiscover and such take care of redirecting clients to the 2 CAS NLB nodes only? Thank you.

    1. Avatar photo
      Paul Cunningham

      Yeah the issue is that you’re rebooting your Client Access server (that co-exists with the Mailbox server role on that node), that clients are connecting to for Availability service lookups. Makes sense that would cause issues.

      What I recommend you look at is pointing your EWS URLs at a DNS name that resolves to your load-balanced IP address(es). There is an article here on TechNet that described this:

      1. SysAdmin-E

        Paul: Thank you for your reply. That seems like it will work and we can leave the CAS role installed on the DAG MB servers. I really appreciate how you take the time to reply to the comments that your visitors post. I don’t know where you find the time to do it, but it’s very helpful.

    1. Avatar photo
      Paul Cunningham

      Hi Pete, correct, and then in addition to that the FQDN of the CAS Array itself needs to point to an IP that will load balance the traffic across all available CA servers.

      1. Doug

        OK. I think I’m catching on. So, the array name, or FQDN, is really an rpc client access pointer for mailbox databases. When another CAS is added to the AD site, I need to configure it’s IP on the NLB as another server that the array VIP points to. That all makes sense.

        So, I setup CAS02. Configure it’s IP on the NLB for ARRAY01 VIP to point to. Then, it will be part of the load balanced array and direct Outlook clients to their proper mailbox database. Am I on the right track?

        Would the new CAS02 server then show up as CAS Array member server when the Get-ClientAccessArray cmdlet is run?

        Thanks for the quick responses guys, by the way. I really appreicate it.

      2. Avatar photo
        Paul Cunningham

        Hi Doug,

        Yes as soon as the new CAS is in that site, it will appear in the Get-ClientAccessArray output as a member for that site’s CAS Array object. It will do that whether it is a member of an NLB or not.

        And yes, if you’ve already got an NLB VIP you’ll need to add that new CAS to the NLB before it can participate in the load-balanced client traffic.

  72. Doug

    I understand that you can create an array with just one CAS, which is what I’ve done. I also understand that I can add another CAS to the existing array, which is what I plan to do. The question is, what is the cmdlet to add the new Cient Access Server to the existing CAS array?

    1. Avatar photo
      Paul Cunningham

      Hi Doug, think of the Client Access Server array itself as a pointer. It associates an AD Site with a DNS name for RPC client access, which resolves to an IP address.

      If you establish a single-server CAS Array in the site (which Microsoft does now recommend as best practice) you are pointing your DNS record at that server’s IP address.

      When you later wish to scale out to multiple CA servers for high availability, you install them into the site and then establish a new load balanced IP address (using either Windows NLB or a hardware load balancer), and then update your DNS record to point to that new IP address.

      The load balancer (or NLB if you choose) then handles the distribution of client traffic across all of the CA servers in the “array”, not Exchange itself.

      Hope that helps.

  73. Tash

    Hi Paul,
    I have an existing client access array for exchange 2007. I have now installed 2 exchange 2010 CAS servers (Same AD site.Same forest, same subnet where the exchange 2007 cas/ht/mbx servers reside). When I run the get-clientaccessarray cmdlet on Exchange 2010, I get a blank response. I checked and the CAS array with the FQDN of does exist for this AD site. So here’s my question, when the clients mailboxes are moved to the new exchange 2010 database, the outlook user profile will still point to the existing cas array ( yet, the mailbox will not be there.
    The existing exchange 2010 mailbox servers and databases are pointing the for CAS. How can I create or these servers to the existing CAS array or can’t I?
    What will happen? I hope I didn’t’ ramble on too much, but this is a huge concern.
    Thanks in advance for your response.

    1. Pete

      There is no CAS array in Exchange 2007. may just be a friendly DNS record that points to your Exchange 2007 mailbox servers in your enviroment.

      Client Outlook profiles will be redirected to the new CAS array once there mailbox is moved to Exchange 2010 providing the CAS array is set on all the DB.

      1. Tash

        Aha. I’ll have to start digging into the existing record, wherever the exchange 2010 system is seeing that from.
        Thanks Paul !

  74. Ehsan

    Hi Pual

    my environment is like below

    1. 2 MB server – DAG
    2. 2 CAS server – CAS/HUB

    But just like know few things

    First, NLB and CAS array is necessary to have High Availiblity in CAS/HT server

    Second, I already done the migration of our users it will be around 350 users would like to setup CAS array is there any harm does it require any restart of CAS servers

    Third, I would like my DAG whether it works fine or not without any downtime is there any steps can I perform

    Your help in this regard would be great help

    1. Avatar photo
      Paul Cunningham

      Hi Ehsan,

      1) A CAS array with either NLB or a hardware load balancer is required for CAS high availability. HT high availability can be achieved by simply installing more than one HT in a site, no need to load balance that traffic as Exchange does it automatically.

      2) No harm, however you will need to look at updating the profiles on the existing users as they will still point directly to one CAS not the new CAS array.

      3) I don’t understand the third question, sorry.

  75. Plug

    Hi Paul,,

    Great Article, we used your article as basis for our NLB implementation, however, i have a question in mind.

    we got a problem in our first setup upon implementing NLB. Please take a look below.

    Previous Setup:

    2 CAS,HT Servers
    2 MB Servers— DAG

    now in the setup above, we encountered an issue because after we are done configuring NLB on the 2 servers which has the role of CAS/HUB, our DAG got crazy.. ^_^ i mean it cannot replicate on its database copy and cannot failover seamlessly.

    my question is that is it Possible to configure NLB on servers having CAS/HUB Roles at the same time?

    Our resolution is to separate all roles. see current setup below.

    2 CAS Servers–NLB
    2 HUB Servers
    2 MB Server -DAG

    NLB and DAG works perfectly but our HUB is not automatically redundant.

    Your thoughts would be a great help.

  76. RDFTS

    I’ve followed you article and have been running our CAS array for 6 months in production without any issues. We have four Exchange servers; two CAS/HT servers (NLB) and two MBX servers (DAG). All four servers are virtual using 2008 Hyper-V R2.

    We recently tried to move one CAS/HT server to a Cisco UCS system and found that our CAS array even though appeared to be functional, was not. Our Cisco vendor stated that Unicast cannot be used and we need to use Multicast mode instead. I imagine that I need to break down the WNLB and recreate choosing Multicast but since Unicast is the recommendation for WNLB, what are the issues that I might see with Multicast?

    With Multicast, do I still use two NIC’s on the CAS/HT or change it to just one NIC?

  77. roy

    great article! setting up a cas array using vmware vm’s any suggestions as far as unicast or multicast?
    and if so what considerations to take in the vswitches?

  78. Preben Madsen

    Hi Paul
    I have used your article to set up a CAS Array.
    It all works fine, NLB and the Array. there is only a few test users on the Exchange 2010 system and no connectors, until now.
    Problem is that we have a Exchange 2003 server that is a “all-in one” (The old one). and the system is
    the main Exchange server for all the users. and now after I have setup Connectors and try to test the mail flow, I can see that the 2010 system can’t send to the 2003 system, and the opposite way.
    Also when try to accessing the Legacy mailbox users in the 2010 Management console, I receive a error, telling that the system can’t see the mailbox server (2003).
    I have tried to re run all the settings and have searched the web for a solution.
    Do you have any ideas?
    Right now I am removing the CAS Array.

    Regards Preben Madsen

  79. Matt Duffey


    Thanks for the article. I am getting ready to implement a CAS array with a hardware load balancer. My question actually has to do with our Edge Transport servers. Are their any changes that need to be made on the Edge Transport servers when dealing with a CAS Array. I am not sure if you answered this question anywhere above (at least I didn’t see it if you did).


    1. Avatar photo
      Paul Cunningham

      The Edge and Client Access roles don’t relate to each other. The Edge will send mail to the Hub Transports in the site it is subscribed to.

  80. Corbett Enders

    Has anyone noticed in this config (using dual NICs) that you get an event log error 4319 that says A duplicate name has been detected on the TCP network. Now, I’m pretty sure that unchecking “File and Print Sharing for Microsoft Networks” on the NLB NIC will solve my problem but I haven’t done that just yet (waiting until after we close for the day). Is there a different solution?

  81. Hussam

    Dear Paul thank you for you article
    but when i run the command
    Get-MailboxDatabase -Server EX2 | Set-MailboxDatabase -RpcClientAccessServer casarray.exchangeserverpro.local
    the error of casarray.domain not found
    i did all the steps as you mentioned

    1. Avatar photo
      Paul Cunningham

      The RPCClientAccessServer you specify needs to be a valid Exchange server or CAS array object for the command to be successful.

  82. Jeff

    Great article Paul. What are the pros and cons of NLB versus a hardware load balancer for a CAS array?

  83. Pete

    So when I create the CASArray name would this be a different fqdn then I use for OWA ie if so do I need to have the CASArray name on my SAN certificate for when my outlook users connect?

  84. Susantha Silva

    Hi Paul,

    What about if my Outlook machines belong to a different CAS array? Will they be automatically update to the new CAS array? I’m in the migration process of Exchange 2007—>Exchange 2010. Client already had CAS array in Ex2007. I’ve created a different CAS array name for the 2010. During mailbox migration I’m wondering about the impact of CAS array name change for the end users.


    1. Avatar photo
      Paul Cunningham

      Hi Susantha, Exchange 2007 did not have CAS Arrays as a feature. Are you referring to something else?

  85. Michael Szymanski

    Hi Paul,

    I have question about the CAS HT server, I have 2 Exchange 2010 servers that has CAS,HT and Mailbox installed on 2 separate servers.
    The 2 Exchange servers are members in a DAG group and that works fine.
    I simulated a test when one node dies for a exampel, that is my Exchange01 the first server that was installed, i changed the dns records and ip on the second backup Exchange server “EXCHANGE02”, but when I start up the EMC and go to server config -> Client Acceess, and point on the Exchange02 it says “The task wasn`t able to connect to IIS on the server “Exchange01.itsthlm.local”” Make sure that the server exists and can be reached from this computer. RPC-servern is not reachable. It was running the command “Get-OwaVirtuallDirectory”.
    When I access the https://localhost/owa on the second server “EXCHANGE02” i can login and send mails but not receive. The mails that recevies are stuck in the mail queue on the “EXCHANGE02”.
    I have test with several commands like Set-RpcClientAccess, Set-OwaVirtuallDirectory etc etc and point it on the EXCHANGE02 but the same error in EMC could not contact the “EXCHANGE01” but that server is dead….
    Do I have missed a powershell to take over the whole CAS and point it on the Exchange02??
    I want to set EXCHANGE02 as a primary CAS server what powershell command is that?

    Best Regards
    Michael Szymanski

    1. Avatar photo
      Paul Cunningham

      Hi Michael…

      Ok first, understand that you can’t run an NLB cluster on the same servers that are also DAG members. I assume you realise that, I just want to be clear. So by the sounds of it you are not running a CAS Array of any kind (whether using NLB or a hardware load balancer).

      This article is about CAS Arrays. It sounds to me like you’re trying to create a DR solution without using a CAS array, which is going to be far more complex and less reliable, as you’ve discovered.

      Second, you’ve changed the IP address of your second Exchange server? There should be no need to do that. I don’t understand why you’ve done that.

      Third, yes you’ll often get errors like that in the EMC when one of your servers is down.

      Fourth, whether your mail can send/receive is more to do with your Hub Transport roles and whether they are working properly, and whether your incoming SMTP from the internet is set up correctly in your firewall and DNS etc.

      Finally, I think you need to go back to the start and work out your DR strategy a little more. I don’t know enough about your environment or what you’re planning to achieve to give much more detail at this point.

  86. Karl Atkins

    Hi Paul, I have found your article very useful. Thank you.

    Can you explain to me what happens if the CAS server which has the NLB configuration on it goes down? Does this stop the CAS array from working? Would it be better to have NLB on a totally different server all together?

    Many thanks,


    1. Avatar photo
      Paul Cunningham

      If there are two or more NLB cluster members then it can survive one server going down, the other server(s) continue to serve requests sent to the NLB virtual IP.

      If you want to separate your load balancing from your CAS servers you’d need to look at hardware load balancers.

  87. Benjamin


    we’re going to set up Exchange 2010 next year and we plan to cluster it. Let’s say we use NLB for a CAS Array and use DAG on a total of 4 servers.

    DAG features “lagged” databases, is it even possible to use this feature in a CAS Array? It isnt, right? Because some clients would be redirected to the lagged database!? How many Exchange servers would you need to cluster the Mailbox AND use lagged databases?

    Thanks 4 help

    1. Avatar photo
      Paul Cunningham

      Hi Benjamin, though you can install the CAS and Mailbox roles together on servers a server can be a member of an NLB-based CAS Array or a DAG but not both at once.

      If you want to the CAS/MB roles to co-exist in a DAG you’d need to use a hardware load balancer for the CAS Array.

      Anyway, to answer the other part of your question, a CAS (whether in an array or standalone) will connect the user to their mailbox on the active database copy only, never on a passive replica (whether that passive replica is lagged or not).

      If you want to use lagged copies I recommend having at least three replicas of each database, so that would be a minimum of three MB servers in the DAG.

  88. Daft_Penguin

    Paul… Thank you for the great article, it is most helpful. We had to rebuild our CAS/HUB servers and mistakenly forgot to recreate the CAS Array during our initial migration. So, my understanding is first make a new CAS Array, stamp the existing databases to use the new CAS array then update the Outlook clients so that they may make use of the HA now available. My question is: After I create the CAS Array and update the databases will my existing clients (which are all directed to only one of the CAS servers) still function? If so, I can update at my leisure, by doing a profile repair, a “check name” on the profile or by migrating everyone to a new database that has the CAS Array as default. Is my thinking correct?

    1. Avatar photo
      Paul Cunningham

      Hi DP, yes clients that are still pointing directly at a CAS instead of the CAS Array will still work, they’ll just have no HA benefit. Your plan to update profiles is fine.

  89. Satriyo

    Hi Paul,

    I have a question for you about NLB & Cas Array. I Have 1 HT server, 2 CAS&Mailbox server. I created NLB for 2 CAS&Mailbox server & Create DAG. After they successful created, my client in outlook 2003/2007 cannot discover the server for Cas Array, I try to ping the hostname & ip for Cas Array, but not resolved(RTO). And then i try ping my IP/hostname Cas Array from my one cas&mailbox server is resolved.
    I try to discuss about they problem with my network tim, but they say my IP Cas Array must be have an Ip gateway to resolved this issue. Because the ip from server with the client is diffrent segmentation. I say my network tim about Cas Array don’t have an IP Gateway, when I set the NLB, I just can set the IP and Subnetmask. My Question is, can’t NLB/Cas Array used at the diffrent Ip segmentation??
    1 HT Server= Ip.
    1 CAS&Mailbox Server(have 2 NIC)= Ip.—>Replication Ip.
    1 CAS&Mailbox Server(Have 2 NIC)= Ip. —>Replication Ip.
    CasArray/NLB = Ip.
    DAG Ip.
    Ip Gateway.
    PC Client Ip scope. –
    PC Client Ip scope. –

    1. Avatar photo
      Paul Cunningham

      Hi Satriyo, NLB and DAGs aren’t compatible. If you want your Mailbox servers to be in a DAG then they can’t also be in an NLB cluster. The two features just don’t work together.

      In your situation the options are to separate the CAS and Mailbox roles, or use a Hardware Load Balancer for the CAS Array instead of NLB.

  90. nazmi

    you are right,
    working more hours daily sometimes lead to selly question:)
    please delete my post

  91. nazmi

    Hi Paul,

    nice article. Having one question, I am having right now exchange 2007 environment, CAS array is there.
    we are planning to transition to 2010 full redundant setup with DAG and CAS array, now what is the process of introducing a new CAS 2010 array. as you know you cant create two CAS array in the same site, how can we solve this issue?

    1. Avatar photo
      Paul Cunningham

      Nazmi, the Client Access Server Array is new to Exchange 2010. What do you mean when you say you’re running an Exchange 2007 CAS array?

  92. Sandesh

    Nice Work and very helpful to the New Exchange 2010 Administrators who willing to learn. Keep it up me8…

  93. Avinash

    Hi Paul,

    First of all I would like to thank you for your excellent walk through and providing useful articles like this.
    I have done all the steps as given above in my lab. I have six virtual machines in which I have configured AD and DNS on one machine and CAS1 (Exchange 2010) , CAS2, Mailbox1 (for CAS1), Mailbox2 (for CAS2) and CASARRAY on another machines. And they all are in the same domain. I have added CAS1 and CAS2 in the nlb and gave ip address of CASARRAY as cluster IP. The status for CAS1 and CAS2 is showing “converged” in NLB. I have run command for creating new cas array and assigned mailbox to this cas array. But I am unable to open “OWA” page from cluster ip. Either it is opened by ip address of CAS1 or CAS2 but not through cluster’s ip.

    So kindly give some comments about above to resolve the issue.

    Thanks and Regards,

    1. Avatar photo
      Paul Cunningham

      When you say “unable to open…” what do you mean? Is there an error message?

      1. Avinash

        No it’s not an error message. The page is giving error like try again. Means it does not have any service like OWA, i guess.

      2. Avatar photo
        Paul Cunningham

        OWA can work through an NLB cluster just fine. If its working when you hit the CAS directly then start troubleshooting.

        Is DNS for the CAS array name working properly? Ping, nslookup, etc

        Is there an IE proxy setting causing a problem? Sometimes you need to set exceptions in IE’s proxy settings or your ISA server so clients go directly to the URL.

        Is the port rule configure correctly on the NLB?

        Can you see the access attempts in the IIS logs on the CAS servers?

      3. Avinash

        Yes, DNS for the CAS array is working good. I have also tried it without any proxy. I have set the port rule as on default settings.

      4. SysAdmin-E

        Did you enable IP forwarding on the NLB NIC (Server 2008 R2 disables this by default). The command is this: netsh interface ipv4 set int “NIC2-NLB” forwarding=enabled, where “NIC2-NLB” would be the name of the NIC used for NLB. I mentioned this in a previous comment.

  94. SysAdmin-E

    Nice article. One thing that is missing is that you need to enable IP forwarding on the NLB NIC (Server 2008 R2 disables this by default). The command is this: netsh interface ipv4 set int “NIC2-NLB” forwarding=enabled

  95. Varun Turlapati


    I am trying to setup a CAS array. I am struggling after step 2.6
    I created the NLB cluster on a host (Host1) which is my DC, Hub transport and CAS.
    When I try to join Host 2 which is an additional DC in the same domain, CAS and Hub transport, that machine hangs. The modes I selected are affinity = single and multicast.

    Could it be possible that the change of MAC addresses is causing this state in the addition of a host?

    I tried restarting the Host2. It comes up and I could ping the fqdn of the Cas Array.
    However in the NLB on Host 1 I see the error “NLB not bound” for Host2’s entry. How could I solve this?

  96. Abbas Mousavi

    Hi Paul,
    A very useful article; I managed to set up CAS for internal use. However I could not get it working for external access, using OWA. To make it simple, in a test environment, I set up a single node CAS. When NATting to the actual CAS, I can connect to the server from the outside; however, when I NAT to the CAS Array IP (NLB), I cannot connect. in both situations, I can connect to my CAS from computers on the LAN. I read a number of articles regarding this problem. they talk about unicast and multicast, VMs & Physical machines, static ARP, etc… I did all theses combinations, except for static ARPing. the result is the same. i get the same result for VM servers too. I use Win Server 2008 R2, Exch 2010 SP1 & router Dreytek Vigor 2820. Many thanks for your help in advance.

  97. Marc

    What is the recommended procedure to run maintenance on a 2 box CAS/HUB configuration? Do you just drainstop the one box, apply a rollup/update and re-add it to the NLB? Great article, by the way.

  98. HUB Question

    When you create an NLB and add the CAS/HUB roles to it, are there any special settings you need to do to prevent the hubs from load balancing to themselves for internal communication?

    1. Avatar photo
      Paul Cunningham

      The NLB doesn’t handle Hub Transport traffic so you shouldn’t need to do anything special at all.

      1. Matt

        Hi Paul,

        just to clarify, do you mean that normal hub transport to hub transport traffic is not dealt with my NLB? In an environment with no Edge Transport servers, the Hub transport servers can use NLB for incoming email from the Internet.

      2. Avatar photo
        Paul Cunningham

        There is no need to load balance internal HT traffic. Incoming internet mail is a different story. You could load balance that if you like or just use two equal cost MX records (if you have enough public IP space to do it).

  99. Unbeatable

    Please could you help to provide me with a step by step guide to setting up and configuring ADDS on windows server 2008 and Exchange server 2010 on different Hardwares.

    Thank you in advance

  100. biblo

    should i first migrate user mailbox 2003 to 2010 and then configure cas array,
    i configured cas array and then migrate mailbox but migrated mailboxes don’t see the cas array name.profile is still trying to connect legacy exchnane.
    ıs there a way to automatite this

  101. Matt

    You need to use a cert with multiple Subject Alternate Names (SAN) to take all your servers and the relvant services (e.g. Autodiscovery) in to account. I know some people who simply use a wildcard cert (myself included in one case) but as this thread explains:

    there are prerequisites to using a wildcard cert.

  102. manju

    It is not clustering NLB/Failover related but Related to Client Access server question please answer.

    I have 2 Exchange 2010 server EX1(Roles–>MB,CA,HUB and UM) and EX2 (Roles–> MB and HUB)
    Exchange 2003server still there in the organisation

    My question is see I am able to connect to mailboxes residing on EX1 using CA URL mentioned above.
    But for mail boxes residing on EX2 the URL is not working means its not at all login in using same above URL

    What modification I have to do on CA or DNS i want single name space for this.

    I read your CA array config above so confused here
    please help

  103. Matt

    Please read my previous post. You should use a failover cluster for the mailbox role. For Exchange 2010, read about Database Availability Groups (DAGs). An NLB cluster is used to cluster services where the dataconfig is the same but separate on each server (think of a fancy round robin with bells and whistles).

    If you had two mailbox servers in an NLB cluster, the mailbox databases on each would be different so you wouldn’t be balancing them.

  104. DJ

    Thanks for the reply. I read this post this morning and it prompted me to get more info on it.

    As you can tell from the post, I have a complete setup using 2008 R2 standard and Exchange 2010 functioning very well but now have a need for high availability. Will this NLB cluster work for what im trying to do? I do NOT have the databases (mailbox and pub folders) on a shared resource so I would have to move the to a SAN to build a failover cluster. This post hints at the fact that I can build two separate servers with local resources and put them into a NLB cluster and it will work like a failover cluster….

    1. Avatar photo
      Paul Cunningham

      Hi DJ, this post describes building a highly available CAS (Client Access Server) Array using Windows NLB.

      HA for the Mailbox Server role is provided by the Database Availability Group (DAG) feature of Exchange Server 2010, which uses an underlying Failover Cluster (Exchange sets it all up automatically when you configure the DAG).

      If you want HA of all Exchange Server 2010 roles you would normally start with a pair of CAS + HT servers in an NLB cluster, and a pair of MB servers in a DAG (4 servers total). That is the most basic HA configuration for Exchange Server 2010.

      Note that DAGs don’t require shared storage resources unlike some of the clustering modes in previous versions of Exchange Server. Each DAG member maintains its own replica of the database(s), so it is in fact better to have separate storage for each DAG member.

      I’m planning a walk-through article on setting up a DAG sometime in the next few weeks so if you are sitll stuck maybe that will help.

  105. DJ

    What is the difference between the NLB you created and a Failover Cluster? Will the NLB array be able to give high availability and redundancy or does this just balance the traffic going to the CASs?

    Im asking because I just got done upgrading to 2010 from 2007 and now the suits want high availability. I installed 2008 R2 Standard which doesnt give HA because there is no clustering service unless you go enterprise or datacenter. Id rather not have to install an enterprise r2 server and move everyone off the standard then format the standard to put enterprise on it.

    Any thoughts would be awesome! 🙂

    1. Matt

      You want to use NLB clustering for the CAS role, basically because it is based on IIS and the config across your CAS servers will all be almost the same. Failover clustering should be used for services such as SQL or the Exchange mailbox role (when separated from the other roles).

      An NLB cluster does give high availability and redundancy based on the fact that there is a ‘heartbeat’ between all servers in an NLB cluster that will recognise when a server dies and will take it out of the cluster. The more servers in the cluster, the more resilient the cluster will be. Up to 32 nodes are possible. It is also possible to balance the load either equally or based on the power of the servers in the cluster e.g. with 3 servers where 2 have dual core CPUs and the other has an equivalent speed quad core, you could give more priority to the quad core so it handles more requests based on its power (this is a simplistic explanation).

      NLB clustering works well when the service being balanced is the same across the group e.g. web based, VPN. Failover clustering works where the backend data is on shared storage e.g. a SAN. Each cluster host would take ownership of the clustered resources (disks, files shares, IP addresses etc.) whilst it is the active node – if it goes down, the heartbeat dying tells the passive node to seize ownership of these resources.

      Effectively two different technologies for different situations. Failover clustering doesnt allow you share the load. Hope this helps.

  106. Dinesh Silva

    Thanks for the excellent article.

  107. Matt

    Is there any point in creating a CAS array with a single CAS server? I know that sounds like a daft question, but if I intend on adding new CAS servers in the future in an NLB cluster, would it not make sense to set this up now?

    1. Avatar photo
      Paul Cunningham

      Hi Matt, not daft at all. You’ll note in the article that I point out the recommended practice is to establish CAS arrays before migrating users to Exchange 2010. So even establishing one as a single-node NLB cluster will save you effort later on, because you can simply scale out the NLB cluster with more nodes as required without having to reconfigure any Outlook profiles.

  108. Jetze Mellema

    That’s an excellen walk-through, thanks! Just wanted to add that NLB needs some additional configuring, it’s not recommended to keep the default port rule in place. Maybe and idea for part two? 🙂

    1. Avatar photo
      Paul Cunningham

      Hi Jetze, thanks for pointing that out. I do want to work a few of the NLB best practices into this article on the next revision, or perhaps as a part 2 as you suggest. I’ll include port rules.

Leave a Reply