I received a question in my mailbox overnight from a reader of the 70-345 exam reference. I figured it would be helpful to post the answer here as well, since it is probably a question that many people wonder about.
Why is an additional domain controller in the Azure site required for providing a file share on a virtual machine in Azure?
Hosting the file share witness for an Exchange Server 2013 or 2016 database availability group in Azure has been supported since early 2015.
I’m happy to announce support for use of an Azure virtual machine as an Exchange 2013 Database Availability Group witness server. Automatic datacenter failover in Exchange 2013 requires three physical sites, but many of our customers with stretched DAGs only have two physical sites deployed today. By enabling the use of Azure as a third physical site, this provides many of our customers with a cost-effective method for improving the overall availability and resiliency of their Exchange deployment.
However, there's sometimes confusion about what that actually means. The short answer is:
- Using an Azure virtual machine (VM) running Windows Server as the file share witness for a DAG is supported.
- Other Azure services such as Cloud Witness or Azure File Storage are not supported today, and I don't know whether they ever will be, though it would be nice if they were and I'm sure the Exchange product group will be exploring any option that makes it easier to improve a DAG's resilience.
In other words, don't think of the Azure support statement as being any different to running a third datacenter of your own that hosts the file share witness. The third site (Azure) needs to be configured with a separate AD Site boundary (meaning a separate IP subnet is required), which requires at least one domain controller. The TechNet guidance includes this diagram, which should make it easier to visualize the requirements.
So, acknowledging that at least one domain controller is required in Azure, why can't the domain controller also be the file share witness? It can, but it's not recommended, and never has been, though it is supported.
It is technically possible to use a single Azure VM for this purpose and place the file witness share on the domain controller. However, this will result in an unnecessary elevation of privileges. Therefore, it is not a recommended configuration.
A separate file share witness is preferable, which means a minimum of two virtual machines in the Azure site.
Hopefully that answers the question for any of you that have been wondering about the requirement for a domain controller VM when using Azure as the third site for an Exchange database availability group.