Managing Exchange 2013 IIS Virtual Directories & Web Applications
If you've deployed Exchange 2013 in a lab or even in a production environment, you are no doubt getting familiar with the topology changes. If you are not completely up to speed on the changes, Microsoft has essentially returned to the Front End & Back End topology that was last used back in Exchange 2003. The front end server is called the Client Access Role, and the back end server is called the Mailbox Role. The Exchange Roles (i.e. Client Access, Hub Transport, Mailbox) that could be separated in Exchange 2007 & 2010 are still there in 2013, they are just all found on the Mailbox Role servers in Exchange 2013. The Client Access Role servers are essentially proxy servers, as all requests are load-balanced and proxied to the corresponding back end server. Exchange 2013 can also be deployed as an all-in-one server, just like 2007 & 2010.
The purpose of this Blog post is to point out the differences in managing IIS on the Client Access (Front End) & Mailbox (Back End) servers.
Whether you install your Exchange 2013 server as a Client Access Role or Mailbox Role you will have two Web Sites in IIS:
- Default Web Site
- Exchange Back End
The Client Access Role naturally uses the Default Web Site as the home for all the Exchange Virtual Directories (EWS, OAB, RPC, Autodiscover), just as it did in Exchange 2007 & 2010. The Mailbox Role uses the Exchange Back End site as the home for the corresponding Exchange 2013 Web Applications.
Client Access Role Mailbox Role
Although it would appear that these sites are relatively similar, the main difference between the two is not immediately visible until you go to PowerShell to manage the Virtual Directories. Just as in Exchange 2007 & 2010, you will run the varios commands to manage your Virtual Directories:
- Get-WebServicesVirtualDirectory
- Get-OabVirtualDirectory
- Get-AutodiscoverVirtualDirectory
- Get-ActiveSyncVirtualDirectory
The first thing you will notice when running one of these commands is that you will get the Virtual Directories for your Front End Client Access servers, but not for the Mailbox servers:
You may be asking why that is... as from looking in IIS they look exactly the same (just in a different Web Site). If you access the Exchange Admin Center, you will see the same thing:
Despite looking similar in IIS, the main difference between the roles is that all the Virtual Directories are actually located on the front end Client Access servers. The web applications on the Mailbox Servers can be viewed through the following command:
Get-WebApplication
Why is this important? I wasn't worried about that answer until a recent customer case. Essentially we were getting a 404 error when trying to browse EWS. The Virtual Directories on the front end Client Access servers looked fine, and the logs indicated a problem from the Mailbox servers. Further investigation on the Mailbox server led me to an interesting discovery... the EWS web application was missing on the Mailbox server! That certainly explained the 404 error.
I figured this would be no problem... we'll just create a new EWS Virtual Directory on the Mailbox Server. Well there are no EWS Virtual Directories on the Mailbox server. To create a new Virtual Directory requires the Client Access Role, as noted by the following error:
So what now...?
As it turned out what I needed to do was recreate the EWS web application on the mailbox server using the following command:
New-WebApplication -Site "Exchange Back End" -Name EWS -PhysicalPath "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\EWS" -ApplicationPool MSExchangeServicesAppPool
Once this command completed my EWS web application was restored. I simply had to go into IIS Manger and enable Windows Authentication and the customer's issue was resolved.
I hope this post will help shed some additional light on how to manage IIS Virtual Directories & Web Applications on Exchange 2013 servers.
~Craig
Comments
Anonymous
January 01, 2003
Craig,
Thanks a ton for sharing this beautiful piece of writing and explaining with a visual snapshot the differences of IIS in CAS & Mailbox Servers when the roles are hosted on different servers. My situation is like this only. I need a little help.
I'm asked to setup a new production network with Exchange 2013 and it was an urgent requirement. I started with setting up a lab with 5 VM's running Windows Server 2012 R2.
1. - Active Directory
2. & 3. - CAS01 & CAS02 Servers
4. & 5. - MBX01 & MBX02 Servers
Setup AD & prepared the Schema for EX2013SP1
Installed first mailbox server & then tried opening EAC - issue popped up.
Installed Second mailbox server & then tried opening EAC - issue popped up.
Installed first CAS server & then tried opening EAC - works fine.
Installed Second CAS server & then tried opening EAC - works fine.
I noticed there is a difference between virtual directories on the CAS & Mailbox Servers. I thought I must have done something wrong but when I read your blog I understood that it is by design.
q1) I'm facing issues only on the mailbox servers to open EAC - so should I modify the virtual directories on the mailbox servers or do something on CAS.
q2) Since I'm facing issues with EAC (Exchange Administrative Centre) should I only consider modifying the ECP directories on mailbox servers?
q3) Have you made or is it available somewhere, a table with standard working values that should be present in each virtual directories on both servers - like application pool, physical path, ssl,
authentication etc.
q4) What paths should I look for in ADSI.edit for correct settings?
I need this badly because I've to go live within 2 days and this is my first experience of setting up from scratch.Anonymous
January 01, 2003
Amazing information, Helped me identifying the case for one of my cases !Anonymous
January 01, 2003
Nice postAnonymous
January 01, 2003
Thanks, this was really helpful for understanding the CAS / MBOX changes in 2013. Despite the CAS being a 'proxy' I have found on my deployments that the CAS role still needs to be allocated quite a bit of resources (RAM / PROC) so it must be doing quite a bit of processing/conversion getting the data to and from the mailbox server and the client. After a few deployments I discovered you can still configure the virtual directories using the GUI based 'configure external access' wizard as one could in 2010, I find it a lot easier than using the shell to set the virtual directories on the CAS http://enterpriseit.co/microsoft-exchange/2013/configure-virtual-directories-eac/Anonymous
January 01, 2003
Excellent post !Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Thanks for highlighting this out.Anonymous
October 17, 2013
Can the web site name "Exchange Back End" change? I need to know the Exchange Back End site for a specified mailbox server. It seems there is no such PowerShell cmdlet. Do you think it is safe to hard code it? Thanks!Anonymous
December 01, 2013
Thanks. Question: the virtual directories site of the Mailbox Role have the same authentication settings and others configurations iqual to the site of the Client Access Role? or they are not really important for CAS to Mailbox communications?Anonymous
January 24, 2014
Just one comment on this one.New-WebApplication -Site "Exchange Back End" -Name EWS -PhysicalPath "C:Program FilesMicrosoftExchange ServerV15ClientAccessexchwebEWS" -ApplicationPool MSExchangeServicesThe ApplicationPool name should be “MSExchangeServicesAppPool”you get no warning about a non existens AppPool name when you run the command.Anonymous
March 20, 2014
Hi Craig,
Can you update please with the remark of @Bo ? Tks. Nice post.Anonymous
May 25, 2014
The comment has been removedAnonymous
June 04, 2014
Very useful!Anonymous
June 04, 2014
Very useful!Anonymous
July 15, 2014
The comment has been removedAnonymous
July 17, 2014
Thanks for the post. It was quite helpful in understanding virtual directories in Exchange 2013.Anonymous
August 16, 2014
I love you Dear.Anonymous
August 28, 2014
Exchange headaches - probably part 1Anonymous
August 28, 2014
Exchange headaches - probably part 1Anonymous
August 28, 2014
Exchange headaches - probably part 1Anonymous
August 28, 2014
Exchange headaches - probably part 1Anonymous
August 28, 2014
Exchange headaches - probably part 1Anonymous
August 28, 2014
Exchange headaches - probably part 1Anonymous
August 28, 2014
Exchange headaches - probably part 1Anonymous
August 28, 2014
Exchange headaches - probably part 1Anonymous
September 08, 2014
The comment has been removedAnonymous
September 08, 2014
The comment has been removedAnonymous
September 08, 2014
The comment has been removedAnonymous
September 01, 2015
Thanks. it took me a minute to remember this one.Anonymous
March 09, 2016
Can anyone help me as after I've installed exchange 2013 on 2 physical servers CAS & MBX and then when run exchange management shell on CAS can't run and opened shell for MBX server on CAS server; how can I return to management shell on CAS server