2 Separate RDS 2012 R2 Deployments in Same Domain ?

Similar Messages

• Can SCVMM 2012 R2 exist with SCVMM 2012 SP1 in the same AD domain

  We currently run System Centre 2012 SP1 (SCOM, SCCM, SCSM and SCVMM 2012 SP1). 
  There is no plan to upgrade the System Centre suite to R2 for another 6 months.
  But we do want to use SCVMM 2012 R2. I don’t plan to use SCVMM 2012 R2 with SCOM or SCCM 2012 SP1. 
  Can I build a separate SCVMM 2012 R2 in the same Active directory domain or forest (on a new server, with a separate database and with different service accounts)?
  Regards
  Tim
  Kind Regards Tim (Canberra)

  Hi Tim ,
  How are things going ?
  Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Users see all applications in RDS 2012 Web access in one-way trust domain environment

  Hello!
  We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
  A user from domainB.local authenticates in Web-access interface (wa.domainA.local) and sees
  every published application in every collection in the deployment independently of UserGroups setting of collections and applications. This occurs for any domainB user.
  In the security log of wa.domainA.local we can find an event :
  An account failed to log on.
  Subject:
  Security ID:                IIS APPPOOL\RDWebAccess
  Account Name:                RDWebAccess
  Account Domain:                IIS APPPOOL
  Logon ID:                0x2C7B16
  Logon Type:                        3
  Account For Which Logon Failed:
  Security ID:                NULL SID
  Account Name:                
  Account Domain:                
  Failure Information:
  Failure Reason:                An error occurred during logon
  Status:                        0xC000005E
  Sub Status:                0x0
  Also in network trace on wa.domainA.local kerberos error could be found:
  On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
  How to deal with this issue? The aim is to show only specified applications to domainB users.
  Any help would be appreciated.

  Hi,
  Thank you for your posting in Windows Server Forum.
  Please check below links might useful for your case.
  “After adding the RDS server’s computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly.” (Quoted from
  this article)
  1. Remote APP list empty
  2. RD
  Web Access unable to access Source (RD Server)
  In respect to Kerberos Error, refer this link for troubleshooting.
  1. Troubleshooting Kerberos Authentication problems – Name resolution issues
  2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
  Hope it helps! 
  Thanks,
  Dharmesh

• RDS 2012 R2 cannot add 3rd party (parent domain) licensing server

  Hi,
  I have a RDS 2012 R2 farm and i cannot add a 3rd party licensing server that is in a parent domain (forest root domain - hosted by our corp HQ). I will edit deployment properties for the deployment in the first CB server to add a licensing server in per
  user mode. Seemes to work, however no licenses are given to SH servers. Have made GPO aswell to explicitly specify licensing server and mode, however i think this should not be neccessary.
  Any ideas?
  This posting is provided "AS IS" with no warranties or guarantees and confers no rights

  Hi,
  Thank you for posting in Windows Server Forum.
  1. In Server Manager -- RDS -- Overview -- Tasks -- Edit Deployment Properties -- RD Licensing tab, please make sure that the Licensing mode is set to match the type of licenses you purchased, and that the FQDN of your RD Licensing server is listed.
  2. In Server Manager -- RDS -- Collections -- <your collection> -- Host Servers, please make sure that your RDSH server is listed.  If you have more than one server with the RDSH Role Service in your deployment make sure that all of them are
  listed.  If they are not you may click Tasks -- Add RD Session Host Servers (make sure the servers are part of the Server Manager server pool prior to this).
  3. On Server 1, please open an Administrator PowerShell prompt and enter the following command:
  Add-WindowsFeature RDS-Licensing-UI
  4. After the above powershell command completes you should be able to open RD Licensing Manager (licmgr.exe) on Server 1 if you need to.  Please note that it is more important to have the licensing configured properly in deployment properties and your
  RDSH servers part of a collection than it is to be able to open RD Licensing Manager on both of your servers. 
  (Above one quoted from beneath thread)
  Source:
  RDS 2012 Can't add a licensing server
  In addition, check below article.
  RD Licensing Configuration on Windows Server 2012
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• RDS 2012 R2 Separate Session Collection Behavior

  Hi everyone!  I should start by saying that I've found a number of threads which are semi-related to this topic, but they just don't seem to address my particular complaint.  I'm not sure if this is a bug, a configuration error on my part, or if
  it is expected behavior (which would be unfortunate for my intended use cases).
  The issue is that I need to provide two separate collections of RemoteApps, and I only want the collection appropriate to the logged-in user to be displayed in Web Access (or in the feed, for that matter).  One collection includes an expansive set of
  RemoteApps, and the other collection includes a limited subset of those published in the first.
  Now, I know that a SH can only belong to one session collection.  That makes sense, and in my case, I wouldn't want it any other way.  It offers better separation between the user environment intended for use by employees, and the user environment
  intended for use by non-employees, which is a bit more restrictive.  (Those are the actual purposes of the two collections described earlier.)  So far, so good.  Now, it seems to me like every other role beside the SH role should be able to
  do its job for all collections.  What other purpose could the concept of a "Collection" possibly serve, after all?  If I had to stand-up Connection Broker, Web Access, Gateway, and Session Host for every collection of RemoteApps, then there
  wouldn't need to exist any concept in RDS 2012 R2 called "Collections".  So, I figured that Connection Broker, Web Access, and Gateway could serve all collections, and Session Host is of course limited to serving one single collection.  And,
  I guess, that's largely the way it works, with one exception.
  My issue is that in Web Access, all RemoteApps from all published RemoteApp collections are presented to every user who has access to one collection OR the other, despite my best intentions of having provisioned each collection with seprate user group assignments
  using two separate AD groups.  I don't want to advertise all RemoteApps from all collections in the Web Access namespace!  To me, the presence of "User Group" configuration at both the Collection level and at the RemoteApp level implies
  that there is some user group filtering going on, but so far that's looking like a false assumption.  Why would the RemoteApp list in one collection bleed into the RemoteApp list in the second collection?  Why would I want the users of one collection
  to see the applications of the other, even when they're not going to be able to launch them anyway?
  Does anyone have anything to add to the equation?  Is there something I'm missing?  Thanks ahead of time.

  This is now resolved.  There is obviously some additional configuration necessary in some relatively odd places when you want your RemoteApp collections to work as advertised.  I hope this thread can help others in that regard.
  The relevant (error) event generated for each "populate list of RemoteApps for Web Access" process (refreshing the web access portal was my test case), when my IIS application pool is provisioned by the new AD account is Event ID 10, Source: RDWebAccess. 
  In the body, it says "[...] unable to access rdcb1.[local]" and suggests that the RD Web Access server needs to be added to the TS Web Access Computers security group on the connection broker.  However, that was obviously already the case.
  Although not 100% correct in its suggested resolution, this error was helpful, because it shows that the break is occurring when Web Access tries to populate RemoteApps, and is shows that the break is occurring en-route to the CB server.  So, I added
  the new service account (for the Web Access application pool identity) to the Administrators group on the server with the CB role, and all is now resolved.  I now have two separate collections, the list of each appearing for the appropriate user scopes,
  but not for both user scopes like before. 
  Obviously, adding an account as an administrator fixes a lot of access related things very easily, but it is probably not the least-privileged way of doing things.  To that end, I'd like to know the least privileged way, but can certainly live with
  this much improved functionality as-is.
  Thanks for all your help, Razwer.

• 2012 RDS + Gateway Certificate and and .local domains

  Can someone verify this is the correct process to stop all certificate errors. 
  RDS 2012 R2 deployment that is the following. 
  1 server with broker web and gateway roles installed. 
  3 session hosts. 
  Domain is a .local
  I want to stop all certificate errors. I have a certificate for the gateway/broker/web server gateway.xxx.com 
  I have had a look at the Change published FQDN for Server 2012 or 2012 R2 RDS Deployment script
  https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
  Do i just need to run this script on the gateway/broker/web server and will this stop the mismatch errors fro the session hosts?
  Thanks

  Does SSO not work on less than this as I have some XP clients and 8.1 is not available for them. 
  Hi,
  To support older clients you need to have the wildcard certificate set on the RDP-Tcp listener on all RDSH servers.  To do this you must import the certificate and its private key into the Local Computer\Personal store on each RDSH server, and then
  use WMI to set the certificate.  The below command should be run on each RDSH in an elevated command prompt after you have imported the certificate and its private key:
  wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="e2f034c171b92afc96b23b7f4da15728c1e461a9"
  Substitute your certificate's thumbprint for the one shown above.
  Please note that you will not get the best experience with clients that are not at least RDP 8.0 capable, many features will not be available, and you may run into certain issues.  For XP you will want to install the RDP 7.0 client and make the registry
  changes on each client to enable CredSSP.
  Thanks.
  -TP

• Running two instances of Windows Server 2012 Essentials R2 on the same domain

  We have Windows Server 2012 Essentials R2 running as a domain controller -- and have installed another licensed copy of the same thing on the same domain.  We want to use the 2nd server for running an LOB application and provide backup for the
  AD services. 
  The 2nd server is a member of the domain. Can I do this and have the 2nd server provide AD failover services like they do with 2012 Standard? 

  Two things to consider. In the XP and 2003 era, the OS was not written in a security-first fashion. While XP did have LUA, almost nobody used them. Then came Vista and UAC, and those prompts were a major pain point because nobody wrote for security. Fast
  forward 6 years and standard accounts are a normal best practice. Almost nobody in business recommends running daily tasks as administrator.
  I mention all this to illustrate that, similar to admin accounts, what you used to get away with no longer applies. Running LOB apps on a DC is just bad. Many times, the app just doesn't work. But even if you could get it to work, it is a terrible idea.
  If the stories of Home Depot, Target, and most recently Sony don't already give it away, I'll spell it out. We no longer live in an age where you can take shortcuts and expect to be safe. Large organizations make national news when they screw up. But small
  businesses are targeted just as often and are at just as much risk. From "leaking" their client info to having their data held for ransom, the small business is abused regularly, but never makes national news because they are, by definition, small.
  If you can take simple easy steps to help minimize that risk, such as keeping a domain controller free of other software and locked down, then it is almost unethical to do Otherwise in the modern computing era. The world ha changed. It is our responsibility
  as I.T professionals to change with it. That's why we get to call ourselves "professionals" in relation to I.T.
  So, what bad things? Risking the customer's very livelihood. I consider that pretty darn bad.

• RDS 2012 Connection Broker and Web Access in different domains

  Hello!
  I'm trying to add Web Access (WA) server to RDS 2012 Deployment. WA server and other servers in Deployment are in different domains (in different forests with 2-way forest trust).
  WA server was added to Deployment
  successfully without any warnings.
  We have many applications published but in this new WA server there are no application icons in Rdweb page at all.
  There is nothing interesting in logs on WA server as well as on Connection broker servers. 
  Is this design
  acceptable? Which additional actions are needed to make application icons visible?

  Hi,
  Please refer below links and cross verify the Web Acess server settings.
  http://blog.kristinlgriffin.com/2010/03/rd-web-access-is-emply.html
  http://social.technet.microsoft.com/wiki/contents/articles/5974.the-case-of-invisible-remoteapp-programs-a-k-a-no-remoteapp-programs-listed-on-rd-web-access-site.aspx
  Regards,
  Manjunath Sullad

• How do I point my RDS 2012 R2 server to pick up the RDS licences from a dedicated RDS Licence server

  I have configured a dedicated server 2012 R2 box to be the RDS licence server for the Domain.
  When I use the Review configuration option, I get 2 green tick circles which indicate to me that all is well. However, when I built a separate RDS Server 2012 R2 box, this server does not seem to be picking up a licence.
  Can anyone help?

  Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing
  "Use the specified RD license servers" = myservername
  "Set the Remote Desktop licensing mode" = Per User
  OR
  In Server Manager -- Remote Desktop Services -- Overview -- Deployment Overview -- Tasks -- Edit Deployment
  Properties.

• How can two independent DirectAccess servers be set up safely in the same domain?

  I've got a single-tier certificate authority running on a 2008 r2 domain controller with an expiring root certificate. I have a new 2012 r2 domain controller with a new single-tier certificate authority. I also have a DirectAccess server running on 2012
  server (two NICs, NAT, IP-HTTPS only). I'd like to get a new DirectAccess server set up running server 2012 r2 using the new CA for the various DirectAccess server and client computer certs. I can get the new environment working and flip machines from
  the existing implementation to the new implementation.
  I was previously told by a tech working one of my Microsoft support tickets that two independent DirectAccess servers can't run in the same domain. However, I posted a related question
  https://social.technet.microsoft.com/Forums/projectserver/en-US/ab53a314-91ea-4d40-afd5-6b8f62698547/2012-directaccess-and-expiring-certificate-authority?forum=winserverNIS and got a response indicating that two independent DirectAccess servers can run
  in the same domain. If I can carefully get a second server operational within the same domain, I can build a reg file to deploy to all machines prior to the cutover that will simulate the gpupdate for broken machines in the field, getting them connected so
  the policy can be properly pulled from a DC. Would anyone else be willing to confirm or elaborate on operating two independent DirectAccess servers in the same domain? What are the gotchas?

  Hi,
  Yes you can have 2 Da deployments in one domain.
  I have done this a number of times for customer when upgrading from UAG DA to 2012.
  Make sure you use different Group policies for the DA servers and Clients. make sure you target the client with only one GPO at a time. Also use different AD groups.
  You then change the GPO assignment to the clients and they will flip when the client does a gp update. I have done this for a site that had over 5000 clients and we didn't have one call about it.
  You can use DirectAccess Offline Domain Join for any broken machines.
  https://technet.microsoft.com/en-gb/library/jj574150.aspx
  Regards, Rmknight

• Two sites, Two Exchange servers, same domain

  Exchange can seriously baffle me at the best of times. Which is why I'm writing here at the moment.
  I have 2 sites in two geographical locations for the same business connected via IPsec VPN. At each site we have:
  - Domain Controller (domain.local)
  - RDS Server
  - File server
  - Exchange server (domain.org.au) (SiteA - exch1, SiteB - exch2)
  All servers are Windows Server 2008R2, Exchange servers are 2010, Outlook is also 2010.
  Both exchange servers are set up with DAG replicating the primary mailbox database.
  Both RDS servers have outlook set up - users are currently connecting to exch1 for exchange connectivity (at both siteA and siteB)
  I want to configure the outlook clients so that SiteA uses exch1, and SiteB uses exch2.
  When testing, I manually set up an outlook profile and entered the server name as 'exch2', but upon clicking 'check name' it substituted 'exch2' for 'exch1'.
  I have had a look at implementing CAS array, but this will not work as we have DAG set up between exchange servers, and according to a microsoft article this cannot be done:
  ""WNLB can't be used on Exchange servers where mailbox DAGs are also being used because WNLB
  is incompatible with Windows failover clustering.""
  Is there something I need to change in either the Group Policy or Autodiscover instance, or even DNS to allow this to work? Is this even possible? Any help would be greatly appreciated.

  Forgive me - I still dont quite understand what's required..
  Because I have 2 physical sites with AD and Exchange, even though both sites are using the same domain and the same Exchange Mailbox Database, I still require 2 CAS arrays?
  Just to clarify, both DC's arent under separate sites within Active Directory Sites and Services - they are both members of the 'Default-First-Site-Name' site. Would this make any difference to the config I am aiming for?
  I can understand the concept of having 2 CAS arrays, one for physical site A and physical site B, so that their respective RDS servers outlook clients point to their own local exchange server - but if both exchange servers are replicating and using the one
  Mailbox Database, I'm not sure if that will cause any issues - Cant you only apply one CAS array per database?
  Also, if I am unable to use network load balancing because the software balancing service wont work with the cluster service, what IP(s) would I point the CAS array to - my guess is the local IP's of the exchange servers for its relevant site?

• RDS 2012 R2 - RemoteApp Disconnected

  Hi RDS 2012 R2 Experts,
  I would like some guidance here if possible
  My setup is a follow.
  1x 2012r2 with the following role, Broker, Web access, Gateway and License called RDS01
  2x 2012r2 Session Host called RSH01 an RSH02
  1x wildcard cert
  I would like to my users to be able to either internal and external to use the same link, remote.mydomain.com since my internal domain is mydomain.local
  What i have done so far.
  Created a DNS Zone called remote.mydomain.com and added the following records there.
  REMOTE, it points to web access server IP 192.168.1.31 ( same server for Gateway and Broker )
  2x RDSFarm, one record points to RSH01 and the other to RSH02, 192.168.1.32 and 33
  Gateway, the record points to 192.168.1.31 ( same servers as broker and web access)
  Broker, the record points to 192.168.1.31 ( same servers as web access and gateway)
  i have set the gateway manager the following
  Edited the deployment RD Gateway to remote.mydomain.com
  Installed the wildcert for all the roles, *.mydomain.com in all 4 roles
  created Manage Local computer groups and added both RSH01 and 02, RDSFarm record, remote record, gateway record and broker record
  linked the allowed resources with the policy and users ( also tried allow users to connect to any resources )
  configure the gateway in the RD Gateway farm
  Configured the IIS to
  auto redirect
  and the DefaultTSGAteway under Pages to remote.mydomain.com
  Also I used the Set-PublishName (http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80) to change it to broker.mydomain.com
  Now, the issue I have is, when users either internally or externally try to launch a RemoteApp they get the error.
  RemoteApp Disconnected
  This computer cant connect to the remote computer.
  Try connecting again.
  To overcome this error I did the following:
  Set-PublishName to RDSFarm.mydomain.com ( it is using the round robin to get to the session host servers)
  There is two problem with this setup.
  I no longer can shadow the users under Connections in the broker ( it seems to be bypassed )
  I get certificate mismatch due the servers names
  What I would like to achieve is to fix both problems above.
  Thanks for any advice in advance.
  N0tl3_Bouya

  Hi,
  Thank you for posting in Windows Server Forum.
  Initially check that you have applied external used FQDN of server under Server name in RD Gateway Deployment properties and used Bypass RD Gateway for local address. 
  Please try to perform the steps 
  •  Create a new DNS zone, .COM to allow split-brain DNS (so that internal clients can resolve external names internally)
  •  Create a relevant DNS entry in the aforementioned zone to point to the RDS environment’s internal IP address
  •  Create a relevant DNS entry in external DNS to point to the firewall which is publishing RDS’s external IP address
  •  Use the following script to change the FQDN of the RDP files provided by RD Web Access / RemoteApp and Desktop connection feed 
  Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
  http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
  In addition, for shadow related issue you can use the server in administrative mode use mstsc /shadow command and check the result. 
  Detailed walkthrough on Remote Control (Shadowing), reintroduced in Windows Server 2012 R2  
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• RDS 2012 R2 best design possible with wildcard certificate

  Hi!
  I am looking for some guidance for my RDS 2012 R2 design flaw. 
  What I would like to achieve?
  *I would like my users either internal or external to be able to connect to RDWeb via one single webaddress ( remote.mydomain.com)
  What I have in place?
  1x Broker
  1x WebAccess
  1x Gateway (also license server)
  1x SessionHost
  1x Wildcard Certificate
  my internal domain is mydomain.local and external is mydomain.com
  I have tried ( http://msfreaks.wordpress.com/2013/12/23/windows-2012-r2-remote-desktop-services-part-2/) without success.
  Any guidence here will be very helpfull.
  cheers
  Elton

  Hi Elton
  I have a similar configuration working with 2012 R2. However, my config is slightly different, namely:
  2 x RDSH servers
  1 x all other roles (web, gateway etc).
  However, I am using a valid single URL cert on the gateway/web server, which is accessible using remote.domain.com. I did NOT replace the cert on the RDSH servers (using WMI), because you end up with 0x607authentication errors if the certificate is not fully
  valid - corrrect name, trusted, and recovation information available. If you have purchased a  commercial wildcard cert, this should work.
  I did some testing and concluded the following, may be of interest:
  If you are just using the farm for internal connections, you can use an internal CA, and create self signed certs for the gateway, and the RDSH servers. You could use individual
  certificates for the servers, wildcard or SAN certificates. Then you will have no errors when connecting from internal clients. This will not work from external clients however, even if you trust your root or issuing CA  manually on the external client,
  because the revocation information will not be available to clients outside the domain or network, and you will get 0x607 authentication errors.
  If you are connecting from outside your network, you have 3 options:
  Use self signed certs created during the role installation, don't change any RDP certs on RDSH servers. Then manually place the gateway certificate in trusted root authorities on the external
  client.
  Purchase commercial certificates for the gateway, and optionally all of the RDSH servers. This will avoid any warnings. You could either use separate certs, wildcard or SAN. If you replace
  the certificates on the RDSH servers, they must be valid and match the names.
  Purchase just one certificate for the external URL for accessing the gateway, leaving the default self-signed certificates on the RDSH servers. This will mean that there is no warning
  when connecting to RDWeb, but there may be warnings when the connection establishes. I use this option with one free StartSSL certificate.
  To summarise, you can use either commercial or self signed for the RDWeb page. However, if you replace the certificate on the RDSH servers, this MUST be valid commercial for external clients to be able to connect. Otherwise
  just leave it as self signed.
  In my case, I can use remote.domain.com from either outside or inside the network. So, I configure the deployment to use the external URL, and that URL works from inside too. This is because it resolves to the external
  address, so requests go out to the firewall and then back in again. This way you do not have to worry about the internal connections not using a matching URL as on the certs. Or, create an internal DNS record, so that remote.domain.com points to your internal
  address of the RDweb server. This should work as well.

• RDS 2012 Architecture Documentation

  I am looking for some guidance or documentation about designing a RDS 2012 environment both session hosted and virtual desktops.
  Some actual questions I have around RDS 2012 are:
  - Can RD Connection brokers shared over more than 1 datacenter with one collection of Session hosts? What connection is required between the datacenters?
  - Can RD Gateway shared over more than 1 datacenter with one of more collections? What connection is required between the datacenters?
  - Can we have 1 RD Gateway for more than 1 RDS Session host deployment in te same domain (not collections but complete seperated RDS environments)
  - Can we have 1 RD Web Access for more than 1 RDS Session host deployment in the same domain (not collections but complete seperated RDS environments)
  The only documentation I have found is the IPD of RDS 2008 R2, however there are a lot of changes in RDS 2012. Technet also doesn't have the RDS 2012 documentation online.
  Thnx,

  Hi have a look at the following site:
  RDS 2012 Deployment Guides and Info
  Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer

• Multiple ADFS farm or two IDP in same domain

  Greetings,
   I have requirement, please give me idea whether two ADFS farm is possible in the same domain. .
  Eg: one ADFS1 farm pointing to Webserver1 and another ADFS farm pointing to Webserver2.
  ADFS1 should act as point to contact for ADFS2.
  When traffic come and hit ADFS1, for webserver2. ADFS1 should give to ADFS2 for other process.
  Two IDP is possible in single Domain:
  ADFS2.0 for Web1 and Ping federate for web2.
  All traffic should pass through ADFS and then to ping federate to access web2 application.

  Forgive me - I still dont quite understand what's required..
  Because I have 2 physical sites with AD and Exchange, even though both sites are using the same domain and the same Exchange Mailbox Database, I still require 2 CAS arrays?
  Just to clarify, both DC's arent under separate sites within Active Directory Sites and Services - they are both members of the 'Default-First-Site-Name' site. Would this make any difference to the config I am aiming for?
  I can understand the concept of having 2 CAS arrays, one for physical site A and physical site B, so that their respective RDS servers outlook clients point to their own local exchange server - but if both exchange servers are replicating and using the one
  Mailbox Database, I'm not sure if that will cause any issues - Cant you only apply one CAS array per database?
  Also, if I am unable to use network load balancing because the software balancing service wont work with the cluster service, what IP(s) would I point the CAS array to - my guess is the local IP's of the exchange servers for its relevant site?