Vous êtes sur la page 1sur 5








Namespace Planning in Exchange 2016

Ross Smith IV 6 Oct 2015 7:00 AM

Tw eet

If you are like the vast majority of our customers, you already have some versions of Exchange deployed in your environment. Depending on the version, you
may have different namespace requirements today.

Exchange 2010
Exchange 2010 leverages the Autodiscover service for enabling client profile changes, so that namespace exists.
Exchange 2010 introduced additional namespace requirements, which resulted in additional complexity around namespace planning, especially for site resilient

Primary datacenter Internet protocol namespace mail.contoso.com

Secondary datacenter Internet protocol namespace mail2.contoso.com
Primary datacenter Outlook Web App failback namespace mailpri.contoso.com
Secondary datacenter Outlook Web App failback namespace mailsec.contoso.com
Transport namespace smtp.contoso.com
Primary datacenter RPC Client Access namespace rpc.contoso.com
Secondary datacenter RPC Client Access namespace rpc2.contoso.com

Out of these seven namespaces, five of them were required on certificates. The RPC Client Access namespaces were not required on the certificate because
they were accessed via RPC connectivity and not via an Internetbased protocol, like HTTP.

Exchange 2016
One of the benefits of the Exchange 2016 architecture first introduced in Exchange 2013 is that the namespace model can be simplified, when compared to
Exchange 2010.
An example of how it can be simplified can be seen when thinking about a site resilience scenario. If you have two datacenters participating in a site resilient
architecture, by replacing the Exchange 2010 infrastructure with Exchange 2016, five namespaces could potentially be removed:

Secondary datacenter Internet protocol namespace mail2.contoso.com

Primary datacenter Outlook Web App failback namespace mailpri.contoso.com
Secondary datacenter Outlook Web App failback namespace mailsec.contoso.com
Primary datacenter RPC Client Access namespace rpc.contoso.com
Secondary datacenter RPC Client Access namespace rpc2.contoso.com

Theres two reasons for this.

First, Exchange 2016 no longer leverages an RPC Client Access namespace.This is due to the architectural changes within the product for a given mailbox, the
protocol that services the request is always going to be the protocol instance on the Mailbox server that hosts the active copy of the database for the users
mailbox. In other words, the RPC Client Access service is no longer decoupled from the store, like it was in Exchange 2010.
Second, as mentioned, the Client Access services proxies requests to the Mailbox server hosting the active database copy.





Figure 1: Client Access services on MBX Server 1 proxying traffic to the Mailbox server hosting the active database copy on MBX Server 3

This proxy logic is not limited to the Active Directory site boundary. Unlike Exchange 2010, Exchange 2016 does not require the client namespaces to move with
the DAG during an activation event a Mailbox server in one Active Directory site can proxy a session to a Mailbox server that is located in another Active
Directory site. This means that unique namespaces are no longer required for each datacenter mail.contoso.com and mail2.contoso.com; instead, only a
single namespace is needed for the datacenter pair mail.contoso.com. This also means failback namespaces are also not required during DAG activation
scenarios, so mailpri.contoso.com and mailsec.contoso.com are removed.

Namespace Models
Depending on your architecture and infrastructure you have two choices:
1. Deploy a unified namespace for the site resilient datacenter pair unbound model.
2. Deploy a dedicated namespace for each datacenter in the site resilient pair bound model.
Its also worth mentioning that these choices are also tied to the DAG architecture.

Unbound Model
In an unbound model, you have a single DAG deployed across the datacenter pair. This DAG has Mailbox servers in each datacenter typically all Mailbox
servers are active and host active database copies, however you could deploy all active copies in a single datacenter. Mailboxes for both datacenters are
dispersed across the mailbox databases within this DAG. In this model, clients can connect to both datacenters in the event there is a WAN failure neither
datacenters connectivity is a boundary, hence the term unbound. It does not guarantee, however, the connectivity provides users an equal experience; meaning
one connection may provide a better user experience because it has lower latency or more bandwidth.
In an unbound model, a single namespace is preferred because either datacenter can service the user request. This means that from a load balancing
perspective, the Exchange 2016 Mailbox servers in both datacenters participate in handling traffic, as seen in the following diagram, where VIP virtual IP
address is the load balanced IP address associated with the namespace:

Figure 2: Single Namespace used across Site Resilient Datacenter Pair Unbound Model





As a result, for a given datacenter, the expectation is that 50% of the traffic will be proxied from the other datacenter.

Bound Model
As its name implies, in a bound model, users are associated or bound to a specific datacenter. In other words, there is preference to have the users operate
out of one datacenter during normal operations and only have the users operate out of the second datacenter during failure events. There is also a possibility
that users do not have equal connectivity to both datacenters. Typically, in a bound model, there are two DAGs deployed in the datacenter pair. Each DAG
contains a set of mailbox databases for a particular datacenter; by controlling where the databases are mounted, you control connectivity.
In a bound model, multiple namespaces are preferred, two per datacenter primary and failback namespaces, to prevent clients trying to connect to the
datacenter where they may have no connectivity. Switchover to the other datacenter is a controlled event.

Figure 3: Multiple Namespaces used across Site Resilient Datacenter Pair Bound Model

Autodiscover Namespace
Exchange 2016 takes advantage of the Autodiscover service for client profile configuration; so the autodiscover.contoso.com namespace remains in place.

Office Online Server Namespaces

The document collaboration features included in Outlook on the web require Office Online Server. In site resilient deployments, you want to deploy an Office
Online Server farm in each datacenter that participates in the site resilient datacenter pair.This ensures that there is a local instance that can service the
document collaboration requests for the local mailboxes and avoids crosssite proxy scenarios.
From a namespace perspective, this means that each datacenter in the site resilient datacenter pair requires a unique namespace for Office Online Server; in
other words, the namespace model for Office Online Server is a bound model.The namespace model that is used by Office Online Server is mutually exclusive
from the model used by Exchange, meaning that you can deploy Exchange using an unbound model, while utilizing a bound model for Office Online Server as
seen in the following figure:

Figure 4: Office Online Server Namespaces Bound Model w ith an Exchange Unbound Model Namespace

As all the data serviced by Office Online Server is either stored in Exchange or SharePoint, during a datacenter outage, namespace manipulation steps are not





required. For example, if we refer to the previous diagram if the West datacenter fails, you dont need to change the DNS record for the Office Online Server
namespace in West and point it to the load balancer in East. This is due to the architecture of Exchange and Office Online Server. Any Exchange 2016 Mailbox
server will always proxy the clients request to the Mailbox server that hosts the users mailbox database. The Mailbox server hosting the users mailbox is
responsible for generating the Office Online Server URL that is used by OWA. This URL is defined perMailbox server, thereby ensuring that any Office Online
Server interactions are always local to the Mailbox server.

Internal vs. External Namespaces

Since the release of Exchange 2007, the recommendation is to deploy a splitbrain DNS infrastructure for the Internetbased client namespaces.A splitbrain
DNS infrastructure enables different IP addresses to be returned for a given namespace based on where the client resides if the client is within the internal
network, the IP address of the internal load balancer is returned; if the client is external, the IP address of the external gateway/firewall is returned.
This approach simplifies the enduser experience users only have to know a single namespace e.g., mail.contoso.com to access their data, regardless of
where they are connecting. A splitbrain DNS infrastructure, also simplifies the configuration of the Exchange virtual directories, as the InternalURL and
ExternalURL values within the environment can be the same value.
In the event that you do not deploy a splitbrain DNS also known as splitDNS infrastructure, Exchange 2016 does allow you to specify different namespaces
for internal clients vs. external clients for all clients.
Important: In the event that you are utilizing a splitbrain DNS infrastructure, then you must utilize the same authentication value for both your internal and
external Outlook Anywhere settings, or switch to use different names for Outlook Anywhere inside and out. Outlook gives priority to the internal settings over
the external settings and since the same namespace is used for both, regardless of whether the client is internal or external, it will utilize only the internal
authentication settings.

Regional Namespace
The concept of regional namespaces has existed since OWA debuted in 1997. A regional namespace is a way for clients to connect to the client access
endpoint that is closest to the Mailbox servers hosting the data.
Use of a regional namespace does not necessarily mean you are restricted to a bound model, either. This is because depending on your infrastructure and
network capabilities, you may choose to have a dedicated namespace for each datacenter pair. For example, your company may have a set of datacenters in
North America and in Europe, and due to a desire to reduce crossregion network traffic, you deploy a dedicated namespace for each region notice that
within a region, the unbound model is used:

Figure 5: : Regional Namespaces coupled w ith GeoDNS to RoundRobin betw een Datacenters w ithin a Region

Namespaces and Active Directory Site Topologies

When planning your namespace architecture, it is important to understand that namespaces and authentication settings must be identical and/or consistent
within an Active Directory site. For example, when Autodiscover generates a response to send to the client, it generates a list of internal URLs based on the
virtual directory settings of the Mailbox servers located in the Active Directory where the mailbox is located. If you attempt to have multiple namespaces within
a single Active Directory site, clients will be randomly directed to different namespaces. Likewise, setting different authentication settings within an Active
Directory site will lead to different behaviors for the clients. In other words, you can only define different namespace and authentication settings between Active
Directory sites, not within Active Directory sites.

Exchange 2016 introduces significant flexibility in your namespace architecture, enabling deployment of a single unified namespace for a site resilient
datacenter pair or worldwide, or deployment of multiple namespaces. As we delve into the intricacies surrounding load balancing principles and client
connectivity, you will understand hopefully how to choose the best namespace model.

Ross Smith IV

Principal Program Manager

Office 365 Customer Experience

StephenKCEE #

6 Oct 2015 2:08 PM



Thanks Ross for keeping us up to date with Namespace planning, always fun!

6 Oct 2015 6:01 PM

Jetze Mellema #

Great article! So basically nothing changes from Exchange 2013 to 2016, except for the introduction of Office Online Server namespaces. Thanks for the
reminder of the authentication settings for Outlook Anywhere because Outlook will try the Internal settings first.
"The concept of regional namespaces has existed since OWA debuted in 1997." Shouldn't that read EWA? :

8 Oct 2015 4:54 AM

Ravikumar Sathyamurthy ShakthiRavi #

Nice post !!!

10 Oct 2015 1:35 PM

Thomas Stensitzki MCSM MCM MCT #

Thanks for clarification on how to plan Exchange 2016 namespaces

Exchange TechNet

Exchange TechCenter
Exchange Server 2010
Exchange Server 2007
TechNet Library

Other Microsoft Team Blogs

Quick Links


Cool Community Links

Exchange Development

Buy Now

Exchange Server Forums


The NextHop Lync


Exchange Online

Exchange Server 2010

Tony Redmond's Blog

Forefront Protection 2010

for Exchange Server

Exchange Server 2007

MSExchangeGuru's Blog

Forefront Online Protection

for Exchange

Exchange Server DevCenter

The Master Blog

Exchange Server Wiki

Ask Perry

The Microsoft Windows

The Microsoft Office Blog
Bing Community

2011 Microsoft Corp.



Microsoft Office 365

Terms of Use



Privacy Statement

Report Abuse