In his blog post, “Exchange Server Front and Back Ends”, John Bostock discussed the security design of running Exchange servers in a Front End/Back End configuration within a DMZ. The two roles are split so that client requests are handled by the front end server, which proxies them to a separate server functioning as the back end; the back end server then services the requests.
A front end/back end server configuration was useful for performance reasons when Exchange 2003 was current, but most organizations have already moved to an Exchange 2010 environment. If your company has not yet migrated to Exchange 2010, there are considerations to evaluate regarding how to migrate away from the earlier front end / back end scenarios.
Some earlier mail server environments included the use of clusters where two servers functioned as the front end servers and two servers operated on the back end servicing the client requests. A configuration such as this may have supported anywhere from five-thousand to ten-thousand mailboxes depending on the server workloads. The servers would most likely have been configured with multiple CPUs, lots of RAM and striped RAID disk storage.
Moving to an Exchange Server 2010 configuration involves many steps. Among them is the conversion of the traditional front end / back end server roles into the Exchange Server 2010 CAS-MX (Client Access Service) model. The CAS-MX model still provides the same functionality as the earlier front end / back end server model.
The Client Access server role was introduced in Exchange 2007 and was further enhanced with the introduction of the RPC Client Access Service in Exchange Server 2010. The RPC Client Access service moved the responsibility for processing client requests – previously handled by the back end servers – to Client Access servers in the middle tier. Directory lookups against domain controllers / global catalog servers were also moved to the middle tier.
The steps involved when migrating from Exchange Server 2003 to Exchange Server 2010 include:
- Get into Exchange Native Mode.
- Upgrade all Exchange 2003 Servers to Exchange Server 2003 Service Pack 2.
- Take the AD forest and domains to at least Windows Server 2003 Functional levels.
- In each AD site that will house Exchange Server, upgrade at least one Global Catalog domain controller to Windows Server 2003 SP3 or greater.
- Configure a Windows Server 2008 (RTM or R2) x64 edition for the first Exchange 2010 server.
- Install the Active Directory LDIFDE tools on the new Exchange 2010 server; they are required for the schema upgrade.
- Install any necessary prerequisites (WWW for CAS server role).
- Run setup on the Exchange 2010 server, upgrade the schema, and prepare the forest and domains.
- Install CAS server role servers.
- Transfer OWA, ActiveSync, and Outlook Anywhere traffic to new CAS servers.
- Install Hub Transport role.
- Transfer inbound and outbound mail traffic to the Hub Transport servers.
- Install Mailbox servers and configure Databases.
- Create public folder replicas on Exchange 2010 servers using the pfmigrate.wsf script, AddReplicaToPFRecursive.ps1, or the Exchange 2010 Public Folder tool.
- Move mailboxes to Exchange Server 2010.
- Rehome the Offline Address Book (OAB) generation server to Exchange Server 2010.
- Rehome Public Folder Hierarchy on new Exchange Server 2010 Admin Group.
- Transfer all Public Folder Replicas to Exchange Server 2010 Public folder store(s).
- Delete Public and Private Information Stores from Exchange 2003 server(s).
- Delete Routing Group Connectors to Exchange Server 2003.
- Delete Recipient Update Service agreements using ADSIEdit.
- Uninstall all Exchange 2003 servers.
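As an added example (not from the original post), the following Exchange 2010 Management Shell script covers the checkable parts of steps 2, 3, 21 and 22 above: it verifies the functional levels and the legacy service-pack level before any move, batches the mailbox moves, and rehomes OAB generation only after every move has completed. It assumes the ActiveDirectory module is installed locally, and the server names LEGACY-BE1 and EX2010-MBX1 and the database name MBX-DB01 are placeholders.

```powershell
# Added example, not from the original post. Placeholders: legacy back end server
# LEGACY-BE1, new Exchange 2010 mailbox server EX2010-MBX1 hosting database MBX-DB01.
# Assumes the ActiveDirectory module (RSAT) is available on the Exchange 2010 server.
Import-Module ActiveDirectory

# Step 3: forest and domain functional levels must be at least Windows Server 2003.
$forest = Get-ADForest
$domain = Get-ADDomain
if ($forest.ForestMode -lt 'Windows2003Forest') {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2003 first."
}
if ($domain.DomainMode -lt 'Windows2003Domain') {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2003 first."
}

# Step 2: every remaining Exchange 2003 server (version 6.5) must be at SP2, build 7638.
$legacy = Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -eq 6 }
foreach ($srv in $legacy) {
    if ($srv.AdminDisplayVersion.Build -lt 7638) {
        throw "$($srv.Name) is Exchange 2003 build $($srv.AdminDisplayVersion.Build); apply SP2 first."
    }
}

# Step 21: queue move requests for every mailbox still homed on the legacy back end.
# BadItemLimit lets a move tolerate a few corrupt items instead of failing the whole mailbox.
$pending = Get-Mailbox -Server 'LEGACY-BE1' -ResultSize Unlimited
foreach ($mbx in $pending) {
    New-MoveRequest -Identity $mbx.Identity -TargetDatabase 'MBX-DB01' -BadItemLimit 10
}

# Progress report; the legacy front end / back end servers stay in service until this drains.
Get-MoveRequest | Get-MoveRequestStatistics |
    Select-Object DisplayName, Status, PercentComplete | Format-Table -AutoSize

# Step 22: rehome OAB generation only once no move request is still outstanding.
$outstanding = Get-MoveRequest | Where-Object { $_.Status -ne 'Completed' }
if (-not $outstanding) {
    Move-OfflineAddressBook -Identity 'Default Offline Address Book' -Server 'EX2010-MBX1'
}
```

Re-run the script after the moves finish; the OAB step is skipped on earlier runs while any request is still in progress.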
It is advisable to keep all of the previous front end and back end roles in place until every mailbox has been migrated. Until then, some users will still access their email via Outlook Web Access, and those OWA users remain dependent on the front end / back end server roles until their own mailboxes have moved. Afterwards, those same users will reach their email through the Client Access servers.
The migration will also be much easier if the older Exchange 2003 servers are kept running for two to three weeks after the migration. This allows enough time for the users’ profiles to be updated with the information that points the client software at the new 2010 servers.