OS X Server failover

Hi,

Does anyone have any experience with clustering OS X Server or running mirrored mail/web servers with OS X Server?

I have a mail server and a web server that I want to "double up". I want one to run as the primary mail/web server but, in the event of the primary failing, I want the other to take over.

Ideally, I'd like to have two OS X Servers running in different geographic locations (and thus on different public IP addressing schemes) so I would imagine that DNS may be involved.

Any input appreciated.

Thanks,

Stuart

Mac Pro, Mac Mini and MacBook running, Mac OS X (10.5.4), iPhone (3G & PAYG), Time Capsule

Posted on Sep 9, 2008 7:45 AM

7 replies

Sep 9, 2008 8:33 AM in response to Big Stu

Ideally, I'd like to have two OS X Servers running in different geographic locations (and thus on different public IP addressing schemes) so I would imagine that DNS may be involved.


You're opening up a whole can of worms. Are you ready for this? 🙂

Let's start with the easy one - web service.

The first issue is one of content replication.
Is your web content static? i.e. a series of static .html pages and images? or is it dynamic (uses database-driven content, for example)?
If it's static content, then a periodic rsync might be sufficient. If it's dynamic, though, you have a whole other set of issues to deal with - how to replicate your data to the second site and how you manage fallback (when you want to go back to the main site).

Some database engines (such as MySQL) include replication technology which might be sufficient for you, but you'll need some MySQL skills to set it up.

Next comes mail. For the most part here I recommend evaluating how long you expect to run in the secondary site. If it's a number of hours then don't bother.

The reason I say this is because the cost of fallback is high here. If your main mail server is at location A and you failover to location B you have all kinds of issues in synching mailboxes (messages that came into user X's mailbox on server B need to be merged into his mailbox on server A - a file-based sync is not sufficient).

SMTP (the mail transport protocol) has significant fault tolerance built in. If your server is offline for several hours remote mail servers will just queue up the messages, retrying periodically until the mail goes through or a timeout expires (typically 3 days).
Even if that isn't sufficient for you, you can set up multiple MX records in DNS, each with a different priority. Now your mail server in location B can accept mail for your domain but only on a store-and-forward basis (it holds the mail indefinitely, until server A comes back online). In this way you don't have the issue of mail being filtered into mailboxes that need to be synched.
This does mean that your users won't get mail for a while (until either server A comes back up, or you kick server B into full mail server mode instead of store-and-forward), but at least no mail will bounce.

Once you have those elements worked out the actual failover process typically involves changing DNS zone data to include your failover addresses (unless you're running some fancy load balancing option that handles this in real-time). How long it takes people to get the failover addresses and start using the failover server depends on many factors, not least the TTL on your zone data.
If your TTL is 24 hours, for example, then anyone who looked up your address in the previous 24 hours will use their cached response (server A) and not notice the failover address until the TTL expires.
Most people get around this by using a lower TTL. This means you get more hits to your DNS server since people aren't caching replies as much. You need to balance TTLs and server load against failover time.
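The MX-priority and TTL points above, turned into a small check. This is an added example, not code from the thread or from OS X Server; the zone lines, host names and addresses are constructed, and the 300-second TTL ceiling is an assumed threshold.

```python
"""Model the MX-based mail failover plan: sender host selection and zone sanity checks."""
from dataclasses import dataclass

# Constructed sample zone data (not from the thread). Lower preference value = tried first.
SAMPLE_ZONE = """\
example.com.         3600  IN  MX  10 mail-a.example.com.
example.com.         3600  IN  MX  20 mail-b.example.com.
mail-a.example.com.   300  IN  A   192.0.2.10
mail-b.example.com.   300  IN  A   198.51.100.10
"""


@dataclass
class MXRecord:
    ttl: int
    preference: int
    host: str


def parse_mx(zone_text):
    """Extract MX records from zone-file-style lines (owner ttl IN MX pref host)."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[2] == "IN" and fields[3] == "MX":
            records.append(MXRecord(int(fields[1]), int(fields[4]), fields[5].rstrip(".")))
    return sorted(records, key=lambda r: r.preference)


def choose_delivery_host(records, reachable):
    """Sending-MTA behaviour: try MX hosts in ascending preference, first reachable one wins.
    Returns None when nothing is reachable, i.e. the sender queues and retries later."""
    for r in records:
        if r.host in reachable:
            return r.host
    return None


def failover_findings(records, max_ttl=300):
    """Warnings about the plan: two distinct-priority MX hosts and a TTL short enough to fail over."""
    findings = []
    if len(records) < 2:
        findings.append("only one MX host: no automatic SMTP failover")
    if len({r.preference for r in records}) < len(records):
        findings.append("duplicate MX preferences: senders spread load instead of preferring the primary")
    for r in records:
        if r.ttl > max_ttl:
            findings.append(f"{r.host}: TTL {r.ttl}s, up to {r.ttl // 60}min before resolvers see a change")
    return findings
```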

Sep 9, 2008 8:43 AM in response to Camelot

Thanks.

Web service is dynamic so it is a huge can of worms but it needs to be done, I think. Have been reading stuff on MySQL sync so I think that may be a good place to start.

Mail is going to be a huge headache so that will need some further investigation.

The question is - can users be without their email for a few days?!!!

Been looking at the Linux HA project but I think that only caters for servers behind the same router.

Stu

Sep 9, 2008 9:35 AM in response to Big Stu

Mail has no way, or at least I haven't seen a way, to have failover. Now another company, Kerio, is looking into this and how it can be done. For now what I have done is multiple MX records for different IPs so this way the chances are slim if we lose internet. If we lose power for days then you need to look into mail bagging. This will allow you to accumulate all the email but no way to access it till you come back live.

Remember email was created a looooong time ago and has outgrown how people use and need it. I would set the expectations correctly. Look at IP addressing and how we are moving to v6. But mail bagging should be good enough for a few days till you come back up. Worst case you have a backup and you move the store to another computer and start collecting email on that computer.

Sep 9, 2008 1:22 PM in response to Big Stu

The question is - can users be without their email for a few days?!!!


It's not really a case of 'can users be without mail for a few days'.

It really is a matter of you determining how long your primary site is going to be offline.

If your Datacenter A has fallen into the ground and there's no chance of it coming back in weeks or months then you can make the decision within a couple of minutes to use Server B in Datacenter B as your primary mail server and users can now get mail from Server B (as soon as you change the mail server to store the mail, and DNS resolution kicks in).

If you think your Datacenter A is only going to be offline for a few minutes (or hours - you decide how long you're prepared to wait), you may just prefer to let SMTP failover to the secondary site (via MX records - this happens automatically) and tell your users to wait until server A comes back up before they can get mail again.

You may decide that you can't do without mail for 1 hour and therefore want to kick your failover plan into action sooner. It's all a matter of how much pain you're prepared to tolerate and the cost of fallback.

