Home » Exchange Server » Installing an Exchange Server 2013 Database Availability Group

Installing an Exchange Server 2013 Database Availability Group

The first article in this series on Exchange Server 2013 Database Availability Groups provided an overview of Exchange 2013 DAG concepts.

In this article we’ll go through the installation of a simple Exchange 2013 DAG with two members. The DAG will have a MAPI network as well as one replication network. The file share witness will be another member server in the domain that has no Exchange 2013 server roles installed.

Preparing to Deploy an Exchange Server 2013 Database Availability Group

Installing the Mailbox Servers

Database Availability Group members run the Mailbox server role. Although they can also run the Client Access server role this is separate and not required for DAG operations. In some situations the Client Access role should not be installed on the same server, for example:

  • if you plan to use Network Load Balancing for Client Access server high availability (NLB is not supported to co-exist with the Failover Clustering that DAGs leverage)
  • if you have any reason to believe you might later remove the Client Access server role (removal of a single server role is not possible in Exchange Server 2013)

Exchange Server 2013 can run on both Windows Server 2008 R2 and Windows Server 2012. However, due to the dependency on Failover Clustering you should note the following requirements:

  • Windows Server 2008 R2 must be Enterprise edition to support Failover Clustering
  • Windows Server 2012 can be either Standard or Datacenter edition

To install your Exchange Server 2013 DAG members:

In my example scenario I have two servers E15MB1 and E15MB2 both running Windows Server 2012. Each server is installed with both the Client Access and Mailbox server roles. A third server E15FSW exists for the file share witness.

Note: thanks to the concept of “incremental deployment” a DAG can be created using existing mailbox servers that are already in production with active mailboxes on them. There is no hard requirement to build brand new mailbox servers to be able to deploy a DAG.

Configuring Permissions on the File Share Witness

Because the file share witness server is not an Exchange server some additional permissions are required. The Exchange Trusted Subsystem group in Active Directory must be added to the local Administrators group on the server.

The file share witness also requires the File Server feature installed.

And you should verify that File and Printer Sharing is allowed through the firewall.

If the file share witness is another Exchange server, such as a Client Access server, it already has the correct permissions configured.

For more information see:

Configuring Networking for Exchange 2013 Database Availability Groups

In this example each server is connected to the network, which is the client-facing network. The two Exchange servers are also connected to the network which will be used for DAG replication traffic.

Dedicated replication networks are not a requirement for Database Availability Groups, however if you do choose to deploy one or more replication networks you must ensure that DNS registration is disabled the network interfaces connected to those networks.

The replication interfaces are also not configured with a default gateway. In the case where replication interfaces for the same replication network are on separate IP subnets, static routes are configured. However in this example that is not required.

The configuration of the network interfaces is important for DAG network auto-config to be successful. For more information see Misconfigured Subnets Appear in Exchange Server 2013 DAG Network.

Configuring Existing Databases

In my example the server E15MB1 and E15MB2 had databases that were automatically created during Exchange 2013 setup. To prepare for database replication within the DAG I performed the following tasks:

  • “Mailbox Database 1” on E15MB1, which already contains active mailboxes, has been moved from the default folder path onto storage volumes dedicated to databases and transaction log files
  • “Mailbox Database 2” on E15MB2, which contained no mailboxes, has been removed from Exchange

Those steps may not be required in your environment depending on your existing databases.

Pre-Staging the Cluster Name Object

Depending on your environment the pre-staging of the Cluster Name Object (CNO) may be required (it is a requirement if you are running Windows Server 2012 for the DAG members), but in any case it is a recommended best practice.

The CNO is simply a computer account object in Active Directory. There are two methods you can use to create the CNO.

The first is to manually create the CNO using Active Directory Users & Computers. Create a new computer object with the name that you intend to give to your DAG. Then disable the computer account.

Next, grant the computer account for the first DAG member Full Control permissions for the CNO computer account. Note that you may need to click the View menu in AD Users & Computers and enable Advanced Features before you can see the Security tab for the computer object.

The other method for creating the CNO is to use Michel de Rooij’s Cluster Name Object Pre-Staging script.

Deploying an Exchange Server 2013 Database Availability Group

Creating the Database Availability Group

In the Exchange Admin Center navigate to Servers -> Database Availability Groups and click the + icon to create a new DAG.

Enter the following details for the new Database Availability Group:

  • DAG name – this should match the CNO you pre-staged earlier
  • Witness server – this is required for all DAGs, even those that have an odd number of members and hence run in node majority quorum mode
  • Witness directory – this is optional. If you do not specify a directory Exchange will choose one for you.
  • IP address – the DAG requires an IP address on each IP subnet that is part of the MAPI network. If you do not specify IP addresses the DAG will use DHCP instead.

Click Save when you have entered all of the required details.

Adding Database Availability Group Members

After the DAG has been created it still does not contain any actual members. These need to be added next.

Highlight the new Database Availability Group and click the icon to manage DAG membership.

Add the servers that you wish to join the DAG and then click Save. This process will install and configure the Failover Clustering feature of Windows Server 2012 and add the new DAG members to the cluster.

Note: if you’re using a non-Exchange server for the file share witness, and you have correctly configured the permissions on the FSW, you will still see a warning at this stage that the Exchange Trusted Subsystem is not a member of the local administrators group on the FSW. This is a bug that can be disregarded.

When the operation is complete the Database Availability Group will display the members you added.

In the next part of this series we will look at configuring the database copies in the DAG.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server


      • Wasim says:

        Hi Paul,

        Thanks for providing step by step guides, really helpful articles.

        About CNO setup.
        Adding the 2nd member server to DAG will automatically get added to CNO permissions or there is no requirement for 2nd member. What if the 1st member (which has permissions configured on CNO) failed? will the other member be able to take control on CNO?

        Also a bit confused with the Network config for DAG.
        “the DAG requires an IP address on each IP subnet that is part of the MAPI network”
        If my network (client subnets) has 3 subnets 192.168.1.x, 2.x, 3.x. Do I need to assign 1 IP from each subnet?
        all 3 subnets can communicate with each other and also to the “server subnet” 10.10.10.x.

        Thanks for your time and help.

        • You only need to do the permissions on the CNO for the first DAG member.

          A DAG network is any network that a DAG node is connected to. So other subnets (such as where your client computers reside) are not considered to be DAG networks and don’t need to be configured as such.

          A DAG has only one MAPI (client-facing) network. But that network may include multiple IP subjects, such as when the DAG is multi-site. Therefore the DAG needs to be given an IP address in each of those IP subnets that exist in that DAG network.

  1. Hello Paul,

    Thanks a lot for such informational howto. I just configured DAG without any problems. However I’ve few questions in my mind which are still unanswered. If you can then please answer

    Q1. Is it essential to use non-exchange extra server as Witness Server or not ? Can I use Domain Controller (I am using DC for DFS also) or CAS as Witness Server ?

    Q2. If I do not want to use dedicated replication network then can I use my main connection for replication ?

    Q3. How I can assure my replication is working absolutely fine ?

    Q4. As you mentioned your other database is removed. Did you removed it yourself or DAG creation process done it ? Since my 2nd database (setup created when I installed mailbox role on 2nd server) didn’t deleted. Will this hurt DAG performance or some other potential issues can raise for this ?

    • 1. I use a non-Exchange server in this demo mainly so I can demonstrate the extra steps involved. It is generally recommended to use another Exchange server, eg a dedicated CAS, which has fewer steps because Exchange Trusted Subsystem is already configured correctly on that server.

      I do not recommend ever using a Domain Controller as the file share witness.

      2. Yes, a DAG can have only one network that it uses for both client and replication traffic.

      3. Get-MailboxDatabaseCopyStatus and Test-ReplicationHealth are two cmdlets for testing the health of your DAG.

      4. I removed it myself. The DAG setup does not remove existing databases. Consider that the existing databases can then have copies added in the DAG, so why would DAG setup remove them? It won’t hurt performance, but if you don’t want the database you should remove it so you don’t need to manage it (eg back it up) and so nobody accidentally puts mailboxes on it.

  2. Rogelio Garcia says:

    Hi Paul, i try to install DAG on Hyper-V Windows Server 2012, i have to Virtual Mailbox with Exchange 2013 and Server 2012 Standard. two nic VLAN,168 and for DAG VLAN,41. when a try to add the second node to DAG

    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster
    errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster
    operation. Error: Cluster API ‘”AddClusterNode() (MaxPercentage=100) failed with 0x5b4. Error: This operation returned
    because the timeout period expired”‘ failed.. [Server: simimx-mbexc01.simi.com]
    + CategoryInfo : InvalidArgument: (:) [Add-DatabaseAvailabilityGroupServer], DagTaskOperationFailedExcept
    + FullyQualifiedErrorId : F544CC70,Microsoft.Exchange.Management.SystemConfigurationTasks.AddDatabaseAvailabilityG
    + PSComputerName : simimx-mbexc01.simi.com

    i hope u can help me

    • Dick Turpin says:

      Try removing the teaming from the Hyper-V hosts. That worked for me.

      I have a call open with MS about this as it’s affecting a large number of deployments.

  3. Ishtvan Balint says:

    Running this setup in an hyper-v environment. Cannot add a second node and it does not matter which one. Always fails when adding the second. Is this supported?

  4. Alex says:

    Where do i place DAG Witness server if Mailbox and CAS server are co-located? General recommendation is to put it on CAS server but not on a Mailbox server in the DAG. Any idea what would be the best choice?

  5. Tarik says:

    All good, but one thing, how should the client access the server? how can he tell which server to go to?
    What if a server goes down? the client would probably have his outlook setup to one exchange.

    How can he still receives email when that server goes down?

    Please help me to understand this process.

    • The client connects to the Client Access server. Databases can failover, Mailbox servers can go down, but as long as the Client Access server(s) are available the client can still connect.

      There’s more to it obviously, but that is the basic concept.

      • Tarik says:

        Thanks for the reply Paul,

        But you are here setting both servers to have Client Access Server, my question is that to which server the client should go to when one goes down, or there should be a manual intervention from an admin to set the DNS/IP addresses.

        Would you suggest setting the CAS on some other server and have the Mailbox roles set on two other server? but the single point of failure would be the one CAS.

        Your information is very straight forward setting up the DAG, but the glitch I’m facing is the CAS.

        I hope you can clarify it to me.

        Best Wishes,

  6. Jeremy Chu says:


    Can we use a Domain Controller as a FSW ? What are the prerequisites for a Witness Server ?

    I use a test environnment, I have a DC with just 1GO RAM, I’d like to know if I can use it as a FSW for my DAG.


  7. JIm says:

    This is a good article…The only thing that got me was that I forgot to enable the DAg account after the DAG was created. It think it would be good to add this to the article.

  8. Stephan van der Plas says:

    Hello Paul,

    I followed your steps (though I use an exchange (CAS) server as witness), but I receive an 0x80070005 (E_ACCESSDENIED) message.
    How to troubleshoot this?

  9. Paul says:

    How could this be setup for geographical redundancy? ie. two locations connected via VPN tunnel. Could I still use only a 2 Exchange server configureation? Where would I have to put the witness share?

    • You would need to make sure you read the networking requirements for multi-site DAG. Yes you can use just 2 servers though that may not be the best approach. The witness server would go in the “primary” datacenter or even possibly a third site, depending on a lot of factors.

      Multi-site DAG is possible but needs to be designed properly.

  10. Hello Paul, Thank you for the superb article. This definitely helps in my configuration of our DAG 2013. I found one thing that I needed to do extra that was not mentioned in your article in order to create my DAG2013 and I would like to share that with everyone.

    When Pre-Staging the Cluster Name Object, I found that I also needed to add the following security group to the DAG Cluster name: “Exchange Trusted Subsystem” and give that group full control.

    Without the Exchange trusted subsystem, I keep getting Access Denied when trying to add my first DAG member. This is also the approach recommended by Microsoft technet at http://technet.microsoft.com/en-us/library/ff367878%28v=exchg.150%29.aspx.

    I hope this may help someone else in setting up DAG. I feel this should have been taken care of by Microsoft instead of having us pre-stage the cluster name object (seems silly to me).

    Thanks for the great article. I have my DAG running happily!

    Ed Osckar

    • You can either add the computer account for the first DAG member, or you can add Exchange Trusted Subsystem. The article you link to explains that. In my example above I added the computer account.

  11. Petros Patalas says:

    Hi Paul,
    thank you very much for your effort.
    After reading some of your articles, I am thinking of configuring the following:

    Two Exchange 2013 servers with both CAS and Mailbox roles, DAG between them (for 2 mailbox databases),
    and a third Exchange 2013 server holding the Archive database, also acting as the Witness Server.

    All above will run on Windows Server 2012 for the benefit of dynamic quorum.
    Does it looks like a nice configuration?


  12. teyob says:

    Hi Paul,
    Thank you for the guide.I just have a question:
    We created 2 exchange servers member of the DAG and One Witness server and everything looks OK but when the Active server is down and the Passive server Takes Over BUT the Office Outlook shows Disconnected. The Failover is not successful in the Office outlook 2010.

    Hope you can help me.

  13. teyob says:

    Hi paul,
    Thank you very much for the very quick response, i will do this one. For confirmation i just have some follow up on the following:
    1. In configuring a single namespace instead of the unique server FQDN for each, is this the command in the exchange Powershell?
    —[PS] C:\>Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname mail.exchange2013demo.com -InternalClientsRequireSsl $false

    2. In configuring DNS records exist for that namespace and resolve to the Client Access servers.Is this the command??
    —PS C:\> Resolve-DnsName mail.exchange2013demo.com
    or i have to do it in DNS management and create a new record then issue the command

    Thanks again

  14. teyob says:

    Hi Paul,
    One more thing, how about the certificate?? Can we use the default certificate or create a new certificate to include the 2 exchange server and the created name in the DNS?? If we will create a new certificate please provide also on how to create a new certificate.

    Thank you very much for all the help.


  15. teyob says:

    Hi Paul,
    Thank you very much again for all the help..

    I need another help regarding our Active Directory, Our existing Active directory is windows 2003 server and the existing exchange server is exchange 2007.

    We will be building a New Windows 2012 Active Directory plus the 2013 exchange server, We will not touch or upgrade the existing Existing 2003 server and exchange 2007 so that we have a working Exchange server 2007 while preparing and building the exchange 2013.

    I need a help in Transfering the existing users from 2003 server to the new 2012 server active directory, i tried to look and search at microsoft the available ADMT(Active directory migration tool) is version 3.2 which is for 2008 server only.

    Is there any other tool that can transfer users from 2003 server to 2012 server Active directory. Hope you can help me with this.

    Thanks again…

  16. teyob says:

    hi paul,
    Thank you very much,the Failover is working now if the active exchange server is offline the Passive TakesOver but it took 10 to 15 minutes for the outlook to be connected again, is that normal??

    The Outlook anywhere is using the HTTP, is there a way to use HTTPS?? i tried HTTPS but i got an error in Certificate.

    Also about the Witness server, what will happen if the Witness server is OFFLINE??Will it affect the Cluster?

    Thank you very much again…

    • I wouldn’t consider that normal. You need to look at whether the databases actually mounted quickly, and whether the CAS load balancing was not detecting the server that was down quickly enough.

      Yes Outlook Anywhere can use HTTPS and requires a valid SSL certificate.

      The witness server can be up/down without impacting the cluster. It is only when a majority of cluster members (eg the witness + one DAG member) go offline that you risk the entire DAG/cluster going down.

  17. Brandon says:

    Paul —

    Wanted to start off by thanking you for this incredibly useful store of information helping me navigate my way through Exchange 2013 administration.

    Following your DAG step-by-step in my lab and came across an issue. Had a problem with getting the second of the Exchange 2013 servers for my DAG. The initial installation crashed with an error regarding an “Unstable” Exchange 2013 server. Formatted, reinstalled Windows 2012 Datacenter, renamed the server something different than before and successfully installed Exchange 2013, but now when I’m deleting the newly-created mailbox database per your instructions in this article, I noticed the old server name pop up in the Servers>Databases and the now-nonexistent server managed to set up a mailbox database that I can’t delete!

    I removed the computer account from Active Directory using ADSI Edit, but I have a feeling I need to do more to removed this nonexistent server from my AD. So my questions are: 1. Will this mess up my DAG? Should I stop the config and focus on getting rid of this thing? and 2. How do I get rid of this nonexistent server from AD?

    Thanks so much, and keep up the great work! Truly a big help to us Exchange newcomers!!!!!

  18. teyob says:

    Hi Paul,
    We are installing the Exchange server 2013 in Hyper-V Virtualization, Is it Ok to leave the Database in the Default Directory on C drive, so that we have one full BackUp only on the Virtualization drive?? and that we can mount it as a whole drive in any Physical server with Hyper-v??


  19. Yasin says:

    Hello Paul ,

    I created DAG 2013 ,when I tested DAG replication cmdlt , I have the issue with cluster network in one node of the DAG

    Cluster network “failed” Network ‘MapiDagNetwork’ has no network interface for server ‘ …

    for your help please.

    Thank you .

  20. teyob says:

    Currently our Outlook anywhere is using HTTP, Can you Please provide the STEPS in configuring the Outlook Anywhere to use HTTPS.

    Thank you very much.

  21. Ernesto says:

    Hi Paul,

    Thank you so much for the well-detailed steps in configuring DAG. I have one question before I will try the steps. Currently, we have installed Exchange Server 2013 on Windows Server 2008 R2 Enterprise SP1 on two HP Proliant Servers. One Exchange Server is Live and already running. We want to configure DAG so the other server will replicate the database of the Live Exchange Server. Is it necessary to have a third server to become a Witness Server or can we configure the Backup Exchange as the witness server itself and at the same time, it will be the member of the DAG? Thank you.

      • Ernesto says:

        Can it be a normal workstation with Windows 7 on it? I saw one screenshot in your tutorials which looks like a normal computer, the one with COMPUTER MANAGEMENT assigning Exchange Trusted Subsystem. Thanks for the reply. = )

        • Ernesto says:

          Hi Paul, it’s me again and thank you for the quick reply. One more thing if you can help me out regarding Mailbox Databases. In our Exchange Server, we would like to create 2 database files. Our Exchange Server is hosting 6 email domain. We would like to configure three email domains will be saved to DB1 mailbox database and the remaining three domains will be saved to DB2 mailbox database. In the ECP>SERVER>DATABASE, I have created two database files namely DB1 and DB2. How can I point the three email domain to DB1 and the remaining three email domains to DB2? Hope you understand my question. Thanks.

  22. theduke1989 says:


    thank you for the great tutorials.

    My problem now is:

    Error:You must be a member of the ‘Organization Management’ role group or a member of the ‘Enterprise Admins’ group to continue.For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.GlobalServerInstall.aspxError:You must use an account that’s a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedBridgeheadFirstInstall.aspx


    i havr 3 server total for learning. Exchange1 had the same fault as the problem above but after adding: install-windowsfeature rsat-adds it worked on my first exchangeserver but on my second server i still get the error 🙁

    VM1= AD-DS (DC)
    2 NICS
    *1 = bridged
    *2 = LAN-SEGMENT1

    VM2= EXLAB-01
    Installed al the pre-installs what is needed for exchange 2013
    2 NIC's
    *1 = bridged
    *2 = LAN-SEGMENT2 <- address

    VM3= EXLAB-03
    Installed al the pre-installs what is needed for exchange 2013
    2 NIC's
    *1 = bridged
    *2 = LAN-SEGMENT2 <- address

    they are joined as an memberserver and are connected to my domain, administrator account using…

  23. theduke1989 says:

    Hej Paul,

    I am not at the point to actualy add members to my DAG.
    But i am getting some errors when i want to add them.

    See below for the error:
    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API ‘”CreateCluster() failed with 0x13c1. Error: The cluster IP address is already in use”‘ failed.. [Server: EXC-1.yakuzacorp.local]

    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API ‘”CreateCluster() failed with 0x13c1. Error: The cluster IP address is already in use”‘ failed.. [Server: EXC-2.yakuzacorp.local]

    its a test-facility to learn new things. Can you help me out here???

  24. Burletchris says:

    Hi Paul, thnak’s a lot for your article. It help me very lot.
    Ihave a similar problem than “theduke1989”! Can you help me? I seaurch on internet and i d’ont find the solution.

    WriteError! Exception = Microsoft.Exchange.Cluster.Replay.DagTaskServerTransientException: Échec d’une opération d’administration du groupe de disponibilité de base de données côté serveur à cause d’une erreur provisoire. Veuillez recommencer l’opération. Erreur : An error occurred while attempting a cluster operation. Error: Cluster API failed: “CreateCluster() failed with 0x13c1. Error: The cluster IP address is already in use” —> Microsoft.Exchange.Cluster.Shared.ClusterApiException: An error occurred while attempting a cluster operation. Error: Cluster API failed: “CreateCluster() failed with 0x13c1. Error: The cluster IP address is already in use”

    Before this error, il delete a first DAG and i would like reinstall it but i have this problem since the deleting DAG!
    I test with otheemerger IP DAG’s, i rebuild the first point and that’s OK. When i would like add my exchange server this error emerge!

    Thnak’s for your helping.

  25. Pam says:

    Thank you VERY much for all the time and effort you put into your blog. It is incredibly helpful. I use it over and over again for so many Exchange issues.

    I just configured the DAG that included 2 Exchange 2013Sp1 Hyper-V VMs running Windows Server 2012R2. It worked. No issues. No errors. Both VMs are connected to the network via virtual switches that were configured on hosts that had NIC teaming enabled before the virtual switches were configured. No issues. Thank you-

  26. Haitham says:

    i get this error

    i have exchnage with malti role cas,mab and one with MB only and windows 2012 witness server when i add dag mamber i get this erorr

    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API ‘”CreateCluster() failed with 0x13c1. Error: The cluster IP address is already in use”‘ failed.. [Server: Mail-srv.pop.local]

  27. chiemele akoma says:

    Hi, Please my main problem here is how was the second exchange server installed? I currently have 1 hyper-v machine running windows server 2012, with exchange 2013 installed. i m trying to install a second exchange 2013 server but unable to. please can you advice me on this

      • chiemele akoma says:

        I have followed all the pre installation steps (prerequisite). Now on trying to install exchange 2013 cu5, I ran it as administrator. On the first page, add server role, mailbox role, client access role, management tools were greyed out…indicating that it has already been installed. As a result I cannot progress to the next page.

        As part of the prerequisite,  I had prepared schema, restarted the server. On preparing AD, I got the message that an organisation already existed. I then preparedalldomains and tried the installation. 

        I don’t know what next to do. please I would appreciate your assistance

        • The AD preparations (schema prep, domain prep, etc) only need to be done when deploying the very first Exchange server into an AD forest. There is also usually another schema update with new service pack releases.

          If you’re installing a second Exchange server into the existing forest/organization you only need to build a new Windows server, install the pre-reqs, and then install Exchange.

          The UI for the Exchange setup is very white and washed out, so it is possible what you think are greyed out options are actually not. You would only find out if you click on them to try and tick the boxes.

          Another approach is do a command line install, which is quite easy.

  28. Jeremy says:

    Hi Paul,

    Thank you for all your articles, they have been invaluable to me during our Exchange migration.

    I have a very similar setup to this article (2 Mailbox Servers in a DAG and a FSW) with a separate network for DAG replication traffic. I’m a little confused on configuring the networking for replication. I have given the DAG an IP address on the client-facing network (as you did with the IP for your DAG)

    Now I want to ensure the DAG replication traffic actually goes over the NICs I want it to. In your example, would that just be a matter of adding the network as a DAG network for the DAG?


    • DAG networks in Exchange 2013 will auto-configure as long as you configure the adapters correctly. More info on that here:


      But you can save yourself a lot of trouble by not configuring dedicated replication networks. Just use one DAG network. Less complex and less prone to misconfiguration or other issues that might cause a problem with your DAG. For a small environment with 1Gbps or higher NICs on the server there’s no real benefit to dedicated replication networks.

      • Jeremy says:

        Thanks for the reply, the link to your other article was helpful. The network setup for these is somewhat complex so I would prefer to configure the replication manually.

        I seemed to have a lot of finicky issues when configuring the DAG network in the ECP (wouldn’t let me uncheck the “Enable Replication” box within a DAG network, but the clicking “Disable Replication” on the DAG Network page would work, seemed to take awhile for my changes to show up in ECP, making me think they hadn’t been applied, etc). Hopefully that was a fluke thing with my installation. It probably would have been better to configure it from Powershell.

        After blowing away the DAG and recreating it, I think I’ve finally got it configured how I want.

        • Jeremy says:

          Hi Paul,

          Wanted to run something by you real quick if you don’t mind…we are now adding an Exchange server at our offsite DR location. I will add it as a member of the DAG (which currently has 2 members + 1 FSW).

          Will I need to change any kind of quorum mode since I will now have 3 DAG members or will Exchange handle all that automatically? I’m assuming it is safe to not make any changes to the FSW and leave it in place?


  29. teyob says:

    Hi Paul…Thanks again for a very useful guide…Our exchange 2013 is now working fine in Domain environment…just one more Question for the clients in WORKGROUP because we have some Laptop which are not connected in the Domain, when we connect Manually the Exchange server there is an error “The action cannot be completed” or “The name cannot be resolved”. Is there a way to connect the Workgroup client in Exchange 2013.?? We tried Outlook 2010 and Outlook 2013 with the same result.

    Thanks again…

    • Non-domain joined computers will use Autodiscover to work out their Outlook settings. So as long as Autodiscover records are in DNS (eg, autodiscover.yourdomain.com) and resolving to the Client Access server IP address then all they should need to do is enter their email address and password in the Outlook new account wizard at startup.

  30. teyob says:

    Hi Paul…thanks again..How to check the AutoDiscover is working in workgroup computer?? If autodiscover is not in the DNS entry,please provide guide in setting the autodiscover in the DNS..

    Thank you very much..

  31. Senthil Kumar says:

    I need some suggestion from you on implementing Exchange 2013 DAG.

    Do we need to have separate CAS server as i am going to 2 Node DAG in HQ and i node in DR which will be part of the DAG nodes itself. What is your suggestion?
    And also SSL certificate for these servers as i wanted to use same SSL for theses 3 nodes. Kindly suggest the way forward.We have got two different domains (email.domain1.com and email.domain2.com) which needs to be protected using single certificate

  32. Adeniyi says:

    Hi Paul,

    I need to deploy a Microsoft exchange 2013 to a client afresh, with 15 CAS. Your explanation on DAG was really good, please could your assist on the best way to configure CAS after the installation of exchange without any issue.

    I have an available server with Microsoft 2012 where i intend to install the exchange and another server for D.C. Is there any addition server needed after these?

    Your urgent reply would highly be appreciated.


  33. Sunith Philip says:

    We are migrating from Exchange 2007 to Exchange 2013.

    Exchange 2007 is a single box with all roles in one.

    OS – Windows Server 2008 Enterprise Version 6.0 (Build 6002) Service Pack 2

    Exchange – Microsoft Exchange Server 2007 Version

    All Mailbox servers on Exchange 2013 below are on

    Windows Server 2012 R2 Standard Build 9600
    Microsoft Exchange Server 2013 Service Pack 1 Version 15.0.847.32
    Our setup for Exchange 2013 is 4 mailbox servers and 1 CAS.

    EXMB01 – DB1 (Active) DB2 (Passive)
    EXMB02 – DB2(Active) DB3 (Passive)
    EXMB03 – DB3 (Active) DB1 (Passive)
    EXMB04 – DB 1, DB2 & DB3 (All Passive) – The main reason for this mailbox server is for running mailbox and db backups to ensure the other servers do not get loaded.
    My questions are:

    How do I setup a DAG in this setup.
    How many DAG groups must I have?
    I have a non-exchange machine setup as FSW. Kindly advise how I need to configure this?
    For coexistence between Exchange 2007 and Exchange 2013, kindly advise the minimum versions and/or service packs required.
    Appreciate your help in this to ensure the migration is smooth.

  34. Dave says:


    Great article on DAG. I also read your article on CAS HA (http://practical365.com/exchange-2013-client-access-server-high-availability/) and plan to use both articles to set up HA for both roles. One part that confuses me in this DAG article is that you mention NLB is not supported to co-exist with the Failover Clustering that DAGs leverage. Are you referring to WNLB? Because your CA HA article mentions using DNS RR or a Hardware appliance LB to provide HA for your CAS servers and you used multi-role Exchange 2013 servers as your examples?


    • Yes, NLB = WNLB = Windows Network Load Balancing, as in the feature built-in to Windows Server.

      WNLB shouldn’t be used with Exchange 2013 at all, in my opinion. Use DNS RR or a hardware/virtual load balancer.

  35. Dave says:

    Thanks for the clarification. One other thing. You talk about having identical namespaces for internal and external url for OWA and Outlook Anywhere (e.g. mail.domain.com) would I do the same the EWS, ECP, Active-Sync, and OAB?

    Thanks again,


  36. Ali says:

    Hi Paul,

    Thanks for the great blog. Whenever I try to install exchange on a pre existing cluster it says it cannot be installed on a windows cluster. Uninstall the feature and retry. I tried looking it up, but no luck. Any ideas?


  37. Yoncir Chiquito says:

    Hi Paul, first of all sincerely, Out this error when I try to make the DAG:

    Could not perform operation management availability group database due to a transient error. Retry the operation. Error: An error occurred while attempting a cluster operation. Error: Cluster API failed: “createCluster () failed with error 0x5b4. This operation is returned because the timeout is exhausted” [Server: ns5.gaopanama.com.ve]

    Unable to perform operation management availability group database server. Error: Could not perform the operation. CreateCluster errors can be caused by incorrect configuration of static addresses. Error: The computer account ‘DAG01’ could not be validated by the user ‘NT AUTHORITY SYSTEM’. Error: Error when trying to use the specified cluster name. There is already enabled computer object with that name in the domain [Server: ns6.gaopanama.com.ve]

    Configuration of servers:
    NS5: Exchange 2013 Domain controller (Replica to NS6)
    Gategay DNS,
    NS6: Exchange 2013 Domain controller (Replica to NS6)
    Gategay DNS,

    PC Witness
    Hyper-V, Windows 2008 server
    belongs to the domain
    Gategay DNS,

    What is wrong or what should I do to solve this problems .. Many thanks and grateful.

  38. Fadee Attieh says:

    Hello, would like to know what are the configurations or settings to do after installing a new exchange for database availability group. after the installation errors started pumping and the users lost connection to exchange until I uninstalled the new exchange.

  39. Rada says:

    HI, Paul

    Sorry to ask this question, in your example you have two Windows Server 2012 installing both CAS and Mailbox. So we will have 2 CAS right? How do we configure that 2 CAS to work as one? sorry for my bad English.


    Best Regard


  40. prasant says:

    Hi Paul,

    I have one server 2012 R2 with Exchange 2013 SP1 rollup 7 running for around 3 months after migration.
    I have second server with 2012 R2 where I am planning to deploy an Exchange 2013 and create DAG and use one of Win 2008 server as Witness.
    My existing Exchange server is ESX VM guest and the members I would be adding as DAG member and witness are both physical server.

    Unlike you example I do not have pre-installed DAG members but I am going to install Exchange on second server now.

    What are the precaution I should take before installing Exchange 2013 on second server to avoid any service conflict with existing Exchange server. Is it recommended to install both role like mail server or just keep mailbox? Do I need to create separate DB on second server to replicate from primary or it would just be one DB?

    • Sounds like you have one multi-role server so far. So in your case I recommend deploying a second multi-role server. That allows you to do HA not only for mailbox (with the DAG) but also for CAS services.


      For precautions, the most important one is to set the Autodiscover URL/SCP immediately after you’ve installed the second server, to avoid certificate warnings for your Outlook users.

      You do not need to create a second database, you can instead just replicate your existing database to the second server after you’ve created the new DAG. It’s up to you whether you create more than one database at any stage in the future.

  41. Roger Pereyra says:

    We are planning to deploy exchange 2013 DAG using shared storage by utilizing 3PAR. Is it possible? I yes, would it be fine if you share some procedures or a link that i can look up.

    Thank you and more power!

  42. batho says:

    I have a mailing system running exchange 2010 and want to migrate it to 2013 exchange server. OS 2008 R2. One physical server in another site and the other two virtualized in another site. Now i need to migrate please help .The database size is around 600 GB there are 3 databases now i need to find the solutin of migrating without impact please help

  43. Stefan Grech says:

    Hi Paul,

    We followed your guide on the DAG Installation at our office.

    Basically we have a Main Site Exchange 2013 with CAS and Mailbox Roles and all users connect to this exchange from their Outlook.

    Now we installed an other Exchange 2013 at the DR site.. Our main office and the DR site are connected with a Layer2 bridge so the two exchanges are joined to the same domain and are also on the same network subnet. So the two Exchange servers have one network card between them which is the LAN/Domain network.

    We created the DAG and the replication of the DBs works fine.. but the issue that we are currently facing is that some users are connecting directly to the DR Exchange from our Main office with their Outlook which is not what we would like to have.. We want that the DR hosts a copy of the DB and is activated only if some issues arise at the main site and we have to switch everything on the DR site manually.

    We noticed this issue when we went to check the connection status on their Outlook and noticed that the Proxy server that they are connected to is the DR exchange.

    Do you know how can we solve this issue please?

    Thanks & kind Regards,

  44. Jiro says:

    Hi there, I am running into a bit of an issue:
    I have 2 servers already in a DAG. Win2012 at site A
    I want to add another one in this DAG. Win2012R2 at site B
    All servers have been set up with Mailbox and CAS, all are SP1 (aka CU4) and all entreprise
    FSW is in site A. FSW is a regular windows file server.
    Latency between sites is 60ms

    After running Add-DatabaseAvailabilityGroupServer to add server 3 to the dag, I consistently get:”AddClusterNode() (MaxPercentage=100) failed with 0x5b4. Error: This operation returned because the timeout period expired”

    Did I missed anything obvious?

  45. Rob Scargo says:

    Hi Paul,

    Thank you for sharing your knowledge !
    I have succesfully created an Exchange 2013 2 node cluster DAG on Windows 2012R2, but the test-replicationhealth give me a *FAILED* on DataBaseRedundancy and DatabaseAvailability only. I have installed CAS and Mailbox role together on the servers. I have a MAPI and Replication NIC. Do I need a 3th NIC for the CAS server and if so I cannot give it a default gateway. I will use a hardware loadbalancer for the CAS servers.

  46. Carlo says:

    Hello Paul,

    Really nice right up!

    Can you please comment (explain more in detail) “if you have any reason to believe you might later remove the Client Access server role (removal of a single server role is not possible in Exchange Server 2013)”


  47. Aliyu Garba says:

    Configuring DAG i keep getting below issue.

    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Node amb-ad03 is already joined to a cluster.. [Server: AMB-EXCH02.]

    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API failed: “AddClusterNode() (MaxPercentage=100) failed with 0x5b4. Error: This operation returned because the timeout period expired”. [Server: AMB-EXCH02.]

    Any help i will Appreciate

  48. Anoop says:

    HI paul

    I have installed exchange server 2013 enterprise edition at my home and whether it is possible to install the DNS and AD.
    How to be done?

    For just study purpose. Also am just learner.

  49. MAuricio says:

    Hi Paul, in the past I have successfully set up several DAG (2010 and 2013) with networks in AUTO mode and MANUAL, but right now I have a very strange problem…

    If I set the settings in AUTO mode, create the DAG sucessfull without errors, but the MAPI network and ISCI leave them enabled replication; that’s not good, you know. I caný disable replication because it is AUTO mode.

    Then if I switch to MANUAL mode, I can configure manually my 3 interfaces correctly and all good. But when you restart the Exchange 2013 Mailbox servers Exchange change my settings again and leaves interfaces and ICSI MAPI-enabled replication.

    I confirm you that I have reviewed 5 times each interface and each one is configured correctly according to the requirements of Microsfot and of ExchangeServerPro web site. I dont´have configuration interfaces failure. By the way, my networks ISCI and REPLICATION are private networks and isolated VLAN.

    You think it’s a new BUG/ISSUE of Exchange 2013 ??? My servers has SP3 with CU13.

    I hope you help me please , regards!

  50. Najeeb Pallath says:

    Getting powershell error on one of the DAG member in DR site when starting Exchange Powershell and connecting successfully to primary site Exchange
    Applied Exchange 2013 CU14 to fix the issue, but still issue exists but don’t want to apply on primary DAG member which is on Exchange 2013 CU14 .
    Is there any other issues been in two different CU on DAG members?

  51. Ernesto Pangilinan says:

    Dear Paul,

    Just wanted to thank you for the guide in installing Exchange 2013 DAG. I have perfectly configured everything through your guide. All tests came PASSED when I run Test-ReplicationHealth from exchange management shell, there is no BAD COPY COUNT. All Databases, active and passive, are all in HEALTHY state on all DAG members. I just have some questions in my mind.
    Do I need to load the same certificate which we are using in the LIVE Exchange Server to all DAG members? How this will work? Let’s say the Live server shuts down for any reason and the other DAG member is up? How is it going to work? What are the settings we need to do in the other DAG member to minimize downtime? Thanks in advance for your input.

Leave a Reply

Your email address will not be published. Required fields are marked *