The first article in this series on Exchange Server 2013 Database Availability Groups provided an overview of Exchange 2013 DAG concepts.

In this article we’ll go through the installation of a simple Exchange 2013 DAG with two members. The DAG will have a MAPI network as well as one replication network. The file share witness will be another member server in the domain that has no Exchange 2013 server roles installed.

Preparing to Deploy an Exchange Server 2013 Database Availability Group

Installing the Mailbox Servers

Database Availability Group members run the Mailbox server role. Although they can also run the Client Access server role this is separate and not required for DAG operations. In some situations the Client Access role should not be installed on the same server, for example:

  • if you plan to use Network Load Balancing for Client Access server high availability (NLB is not supported to co-exist with the Failover Clustering that DAGs leverage)
  • if you have any reason to believe you might later remove the Client Access server role (removal of a single server role is not possible in Exchange Server 2013)

Exchange Server 2013 can run on both Windows Server 2008 R2 and Windows Server 2012. However, due to the dependency on Failover Clustering you should note the following requirements:

  • Windows Server 2008 R2 must be Enterprise edition to support Failover Clustering
  • Windows Server 2012 can be either Standard or Datacenter edition

To install your Exchange Server 2013 DAG members:

In my example scenario I have two servers E15MB1 and E15MB2 both running Windows Server 2012. Each server is installed with both the Client Access and Mailbox server roles. A third server E15FSW exists for the file share witness.

Installing an Exchange Server 2013 Database Availability Group

Note: thanks to the concept of “incremental deployment” a DAG can be created using existing mailbox servers that are already in production with active mailboxes on them. There is no hard requirement to build brand new mailbox servers to be able to deploy a DAG.

Configuring Permissions on the File Share Witness

Because the file share witness server is not an Exchange server some additional permissions are required. The Exchange Trusted Subsystem group in Active Directory must be added to the local Administrators group on the server.

The file share witness also requires the File Server feature installed.

PS C:\> Add-WindowsFeature FS-FileServer

And you should verify that File and Printer Sharing is allowed through the firewall.

If the file share witness is another Exchange server, such as a Client Access server, it already has the correct permissions configured.
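
The three witness prerequisites above (local Administrators membership, the File Server feature, and SMB allowed through the firewall) can be checked in one pass. This is an added example, not part of the original article; `CONTOSO` is a placeholder NetBIOS domain name and `Test-FswPrerequisites` is a hypothetical helper. ADSI is used because Windows Server 2012 does not ship with local-group cmdlets.

```powershell
# Run in an elevated PowerShell session on the file share witness (E15FSW in the article).
# ASSUMPTION: 'CONTOSO' is a placeholder NetBIOS domain name; replace it with your own.
$Domain = 'CONTOSO'
$Group  = 'Exchange Trusted Subsystem'

function Test-FswPrerequisites {
    # 1. Is Exchange Trusted Subsystem a member of the local Administrators group?
    $admins  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($admins.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
    $inAdmins = @($members) -contains "WinNT://$Domain/$Group"

    # 2. Is the File Server feature installed?
    $featureOk = (Get-WindowsFeature -Name FS-FileServer).Installed

    # 3. Is at least one inbound File and Printer Sharing rule for TCP 445 (SMB) enabled?
    $smbRules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
        Where-Object { @(($_ | Get-NetFirewallPortFilter).LocalPort) -contains '445' })

    [pscustomobject]@{
        TrustedSubsystemIsLocalAdmin = $inAdmins
        FileServerFeatureInstalled   = $featureOk
        SmbInboundAllowed            = ($smbRules.Count -gt 0)
    }
}

$state = Test-FswPrerequisites
$state | Format-List

# Apply only what is missing.
if (-not $state.TrustedSubsystemIsLocalAdmin) {
    ([ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group").Add("WinNT://$Domain/$Group,group")
}
if (-not $state.FileServerFeatureInstalled) {
    Add-WindowsFeature FS-FileServer
}
if (-not $state.SmbInboundAllowed) {
    Write-Warning 'No enabled inbound File and Printer Sharing rule for TCP 445 was found.'
}
```

The firewall check only reports; enabling rules is left as a deliberate manual step so that the exposure of the witness server is a reviewed decision.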

For more information see:

Configuring Networking for Exchange 2013 Database Availability Groups

In this example each server is connected to the 192.168.0.0/24 network, which is the client-facing network. The two Exchange servers are also connected to the 10.1.100.0/24 network which will be used for DAG replication traffic.

Dedicated replication networks are not a requirement for Database Availability Groups. However, if you do choose to deploy one or more replication networks you must ensure that DNS registration is disabled on the network interfaces connected to those networks.

The replication interfaces are also not configured with a default gateway. In the case where replication interfaces for the same replication network are on separate IP subnets, static routes are configured. However in this example that is not required.

The configuration of the network interfaces is important for DAG network auto-config to be successful. For more information see Misconfigured Subnets Appear in Exchange Server 2013 DAG Network.
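
The interface rules described above (no DNS registration and no default gateway on replication interfaces) can be audited on each DAG member before the DAG is created. This is an added example, not code from the original article; it assumes Windows Server 2012 or later and the article's 10.1.100.0/24 replication subnet, and `Get-DagNicReport` is a hypothetical helper name.

```powershell
# Run on each DAG member (Windows Server 2012 or later; uses the NetTCPIP and DnsClient modules).
# ASSUMPTION: any address in the article's 10.1.100.0/24 subnet is a replication interface;
# every other IPv4 interface is treated as the MAPI (client-facing) network.
$ReplicationPrefix = '10.1.100.'

function Get-DagNicReport {
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        ForEach-Object {
            $isRepl  = $_.IPAddress -like "$ReplicationPrefix*"
            $dnsReg  = (Get-DnsClient -InterfaceIndex $_.InterfaceIndex).RegisterThisConnectionsAddress
            $gateway = @(Get-NetRoute -InterfaceIndex $_.InterfaceIndex `
                            -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
            $hasGw   = $gateway.Count -gt 0

            [pscustomobject]@{
                InterfaceAlias  = $_.InterfaceAlias
                IPAddress       = $_.IPAddress
                Role            = if ($isRepl) { 'Replication' } else { 'MAPI' }
                DnsRegistration = $dnsReg
                DefaultGateway  = ($gateway | ForEach-Object { $_.NextHop }) -join ','
                # Replication: neither DNS registration nor a gateway. MAPI: both.
                Compliant       = if ($isRepl) { (-not $dnsReg) -and (-not $hasGw) }
                                  else         { $dnsReg -and $hasGw }
            }
        }
}

$report = Get-DagNicReport
$report | Format-Table -AutoSize

# Disable DNS registration on replication interfaces that still have it enabled.
$report | Where-Object { $_.Role -eq 'Replication' -and $_.DnsRegistration } | ForEach-Object {
    Set-DnsClient -InterfaceAlias $_.InterfaceAlias -RegisterThisConnectionsAddress $false
}

# A default gateway on a replication interface is reported, not removed automatically.
$report | Where-Object { $_.Role -eq 'Replication' -and $_.DefaultGateway } | ForEach-Object {
    Write-Warning "$($_.InterfaceAlias) has a default gateway ($($_.DefaultGateway)); remove it."
}
```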

Configuring Existing Databases

In my example the servers E15MB1 and E15MB2 had databases that were automatically created during Exchange 2013 setup. To prepare for database replication within the DAG I performed the following tasks:

  • “Mailbox Database 1” on E15MB1, which already contains active mailboxes, has been moved from the default folder path onto storage volumes dedicated to databases and transaction log files
  • “Mailbox Database 2” on E15MB2, which contained no mailboxes, has been removed from Exchange

Those steps may not be required in your environment depending on your existing databases.

Pre-Staging the Cluster Name Object

Depending on your environment the pre-staging of the Cluster Name Object (CNO) may be required (it is a requirement if you are running Windows Server 2012 for the DAG members), but in any case it is a recommended best practice.

The CNO is simply a computer account object in Active Directory. There are two methods you can use to create the CNO.

The first is to manually create the CNO using Active Directory Users & Computers. Create a new computer object with the name that you intend to give to your DAG. Then disable the computer account.

Next, grant the computer account for the first DAG member Full Control permissions for the CNO computer account. Note that you may need to click the View menu in AD Users & Computers and enable Advanced Features before you can see the Security tab for the computer object.

The other method for creating the CNO is to use Michel de Rooij’s Cluster Name Object Pre-Staging script.
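
The manual method described above (create a disabled computer account, then grant the first DAG member Full Control on it) can also be done with the Active Directory module. This is an added example, not Michel de Rooij's script and not code from the original article; `DAG1` is a placeholder DAG name, and the account is created in the default Computers container.

```powershell
# Run from a machine with the ActiveDirectory module (RSAT) using an account
# that is allowed to create computer objects.
Import-Module ActiveDirectory

# ASSUMPTIONS: 'DAG1' is a placeholder for the name you intend to give the DAG
# (15 characters or fewer); E15MB1 is the first DAG member from the article.
$DagName     = 'DAG1'
$FirstMember = 'E15MB1'

# 1. Create the CNO as a DISABLED computer account, unless it already exists.
$cno = Get-ADComputer -Filter "Name -eq '$DagName'"
if (-not $cno) {
    New-ADComputer -Name $DagName -Enabled $false `
        -Description 'Pre-staged Cluster Name Object for Exchange DAG'
    $cno = Get-ADComputer -Identity $DagName
} elseif ($cno.Enabled) {
    # An enabled account with this name will make cluster creation fail.
    Write-Warning "Computer account '$DagName' already exists and is enabled."
}

# 2. Grant the first DAG member's computer account Full Control (GenericAll) on the CNO.
$member = Get-ADComputer -Identity $FirstMember
$path   = "AD:\$($cno.DistinguishedName)"
$acl    = Get-Acl -Path $path
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
              $member.SID,
              [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
              [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 3. Verify: the account is disabled and the ACE is present.
Get-ADComputer -Identity $DagName | Select-Object Name, Enabled, DistinguishedName
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($member.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Only the first DAG member is granted rights on the CNO, matching the manual steps; no broader group needs access to the object.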

Deploying an Exchange Server 2013 Database Availability Group

Creating the Database Availability Group

In the Exchange Admin Center navigate to Servers -> Database Availability Groups and click the + icon to create a new DAG.

Enter the following details for the new Database Availability Group:

  • DAG name – this should match the CNO you pre-staged earlier
  • Witness server – this is required for all DAGs, even those that have an odd number of members and hence run in node majority quorum mode
  • Witness directory – this is optional. If you do not specify a directory Exchange will choose one for you.
  • IP address – the DAG requires an IP address on each IP subnet that is part of the MAPI network. If you do not specify IP addresses the DAG will use DHCP instead.

Click Save when you have entered all of the required details.

Adding Database Availability Group Members

After the DAG has been created it still does not contain any actual members. These need to be added next.

Highlight the new Database Availability Group and click the icon to manage DAG membership.

Add the servers that you wish to join the DAG and then click Save. This process will install and configure the Failover Clustering feature of Windows Server 2012 and add the new DAG members to the cluster.

Note: if you’re using a non-Exchange server for the file share witness, and you have correctly configured the permissions on the FSW, you will still see a warning at this stage that the Exchange Trusted Subsystem is not a member of the local administrators group on the FSW. This is a bug that can be disregarded.

When the operation is complete the Database Availability Group will display the members you added.
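
The same two Exchange Admin Center steps (create the DAG, then add members) can be run from the Exchange Management Shell. This is an added example, not part of the original article; the server names are the article's, while `DAG1`, the witness directory and the DAG IP address are sample values to replace with your own.

```powershell
# Run in the Exchange Management Shell.
# ASSUMPTIONS: 'DAG1' must match the CNO pre-staged earlier; 'C:\DAG1' and
# 192.168.0.189 (an address on the article's 192.168.0.0/24 MAPI network) are sample values.
$DagName = 'DAG1'
$Witness = 'E15FSW'
$Members = 'E15MB1', 'E15MB2'

# 1. Create the DAG. -WitnessDirectory is optional; Exchange picks one if it is omitted.
New-DatabaseAvailabilityGroup -Name $DagName `
    -WitnessServer $Witness `
    -WitnessDirectory 'C:\DAG1' `
    -DatabaseAvailabilityGroupIpAddresses 192.168.0.189

# 2. Add the members one at a time. This installs and configures Failover Clustering
#    on each server and joins it to the cluster.
foreach ($server in $Members) {
    Add-DatabaseAvailabilityGroupServer -Identity $DagName -MailboxServer $server
}

# 3. Verify membership and witness settings. -Status queries the live cluster.
$dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
$dag | Format-List Name, Servers, OperationalServers, WitnessServer, WitnessDirectory,
                   WitnessShareInUse, PrimaryActiveManager

$joined  = @($dag.Servers | ForEach-Object { $_.Name })
$missing = @($Members | Where-Object { $joined -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Not yet DAG members: $($missing -join ', ')"
}
```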

In the next part of this series we will look at configuring the database copies in the DAG.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. FIRAT BOYAN

    “If you do not specify IP addresses the DAG will use DHCP instead.” Incorrect.
    If you do not specify IP addresses the DAG will be created with an IP address of 255.255.255.255, which is called IPless DAG.

  2. Ben Au

    Dear Sir,

    I am using CodeTwo to link up with my Outlook in one computer. Then I have brought 12 licenses so that I can go to any computer and use Outlook to link up with the master computer. But they are going to shut down this operation permanently soon.

    Can this Exchange software help me? Or can you recommend any software replacement to me?

  3. bharath

    hi anyone faced this error before.. exchange 2013 CU21. when i try to add 2 new mailbox to DAG. this is error i see..

    a server-side database availability group administrative operation failed. error the operation failed. createcluster errors may result from incorrectly configured static addresses.
    error: an error occurred while attempting a cluster operation.
    error: node is already joined to a cluster.. [Server: FQDN]

    thank you.

    1. Ather

      go for cmdlet

      Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer MBX1

  4. Sreenivasa Reddy

    Do we still need FSW if we have 3 nodes? As per your blog post, if someone configured with 2 nodes and adds a 3rd node at a later point in time they will end with lots of quorum last errors.
    This blog post is not suitable if we have a 3 node(s) majority DAG configuration.

    Suitable only for test labs

    1. Paul Cunningham

      Every DAG has an FSW configured. Not all DAGs make use of the FSW at all times though.

  5. balcigo

    Hi,
    I have two Exchange 2013 servers running on Windows 2012 R2
    Both of them have CU17 installed
    I try to enable DAG but getting the following error message
    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster
    errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster
    operation. Error: Cluster API failed: “CreateCluster() failed with 0x5b4. Error: This operation returned because the
    timeout period expired”
    Thank you for your help

  6. Ernesto Pangilinan

    Dear Paul,

    Just wanted to thank you for the guide in installing Exchange 2013 DAG. I have perfectly configured everything through your guide. All tests came PASSED when I run Test-ReplicationHealth from exchange management shell, there is no BAD COPY COUNT. All Databases, active and passive, are all in HEALTHY state on all DAG members. I just have some questions in my mind.
    Do I need to load the same certificate which we are using in the LIVE Exchange Server to all DAG members? How this will work? Let’s say the Live server shuts down for any reason and the other DAG member is up? How is it going to work? What are the settings we need to do in the other DAG member to minimize downtime? Thanks in advance for your input.

  7. waseemahmed

    thank u dear for this

  8. Najeeb Pallath

    Getting powershell error on one of the DAG member in DR site when starting Exchange Powershell and connecting successfully to primary site Exchange
    Applied Exchange 2013 CU14 to fix the issue, but still issue exists but don’t want to apply on primary DAG member which is on Exchange 2013 CU14 .
    Is there any other issues been in two different CU on DAG members?

  9. MAuricio

    Hi Paul, in the past I have successfully set up several DAG (2010 and 2013) with networks in AUTO mode and MANUAL, but right now I have a very strange problem…

    If I set the settings in AUTO mode, create the DAG successful without errors, but the MAPI network and ISCI leave them enabled replication; that’s not good, you know. I can’t disable replication because it is AUTO mode.

    Then if I switch to MANUAL mode, I can configure manually my 3 interfaces correctly and all good. But when you restart the Exchange 2013 Mailbox servers Exchange change my settings again and leaves interfaces and ICSI MAPI-enabled replication.

    I confirm you that I have reviewed 5 times each interface and each one is configured correctly according to the requirements of Microsoft and of ExchangeServerPro web site. I don’t have configuration interfaces failure. By the way, my networks ISCI and REPLICATION are private networks and isolated VLAN.

    You think it’s a new BUG/ISSUE of Exchange 2013 ??? My servers has SP3 with CU13.

    I hope you help me please , regards!

  10. Anoop

    HI paul

    I have installed exchange server 2013 enterprise edition at my home and whether it is possible to install the DNS and AD.
    How to be done?

    For just study purpose. Also am just learner.

  11. Aliyu Garba

    Configuring DAG i keep getting below issue.

    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Node amb-ad03 is already joined to a cluster.. [Server: AMB-EXCH02.]

    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API failed: “AddClusterNode() (MaxPercentage=100) failed with 0x5b4. Error: This operation returned because the timeout period expired”. [Server: AMB-EXCH02.]

    Any help I will appreciate

  12. Carlo

    Hello Paul,

    Really nice write-up!

    Can you please comment (explain more in detail) “if you have any reason to believe you might later remove the Client Access server role (removal of a single server role is not possible in Exchange Server 2013)”

    Thanks,
    Carlo

  13. Rob Scargo

    Hi Paul,

    Thank you for sharing your knowledge !
    I have successfully created an Exchange 2013 2 node cluster DAG on Windows 2012R2, but the test-replicationhealth give me a *FAILED* on DataBaseRedundancy and DatabaseAvailability only. I have installed CAS and Mailbox role together on the servers. I have a MAPI and Replication NIC. Do I need a 3rd NIC for the CAS server and if so I cannot give it a default gateway. I will use a hardware loadbalancer for the CAS servers.

  14. Jiro

    Hi there, I am running into a bit of an issue:
    I have 2 servers already in a DAG. Win2012 at site A
    I want to add another one in this DAG. Win2012R2 at site B
    All servers have been set up with Mailbox and CAS, all are SP1 (aka CU4) and all Enterprise
    FSW is in site A. FSW is a regular windows file server.
    Latency between sites is 60ms

    After running Add-DatabaseAvailabilityGroupServer to add server 3 to the dag, I consistently get: ”AddClusterNode() (MaxPercentage=100) failed with 0x5b4. Error: This operation returned because the timeout period expired”

    Did I miss anything obvious?

  15. Stefan Grech

    Hi Paul,

    We followed your guide on the DAG Installation at our office.

    Basically we have a Main Site Exchange 2013 with CAS and Mailbox Roles and all users connect to this exchange from their Outlook.

    Now we installed an other Exchange 2013 at the DR site.. Our main office and the DR site are connected with a Layer2 bridge so the two exchanges are joined to the same domain and are also on the same network subnet. So the two Exchange servers have one network card between them which is the LAN/Domain network.

    We created the DAG and the replication of the DBs works fine.. but the issue that we are currently facing is that some users are connecting directly to the DR Exchange from our Main office with their Outlook which is not what we would like to have.. We want that the DR hosts a copy of the DB and is activated only if some issues arise at the main site and we have to switch everything on the DR site manually.

    We noticed this issue when we went to check the connection status on their Outlook and noticed that the Proxy server that they are connected to is the DR exchange.

    Do you know how can we solve this issue please?

    Thanks & kind Regards,
    Stefan

  16. batho

    I have a mailing system running exchange 2010 and want to migrate it to 2013 exchange server. OS 2008 R2. One physical server in another site and the other two virtualized in another site. Now I need to migrate, please help. The database size is around 600 GB, there are 3 databases, now I need to find the solution of migrating without impact, please help

  17. Roger Pereyra

    We are planning to deploy exchange 2013 DAG using shared storage by utilizing 3PAR. Is it possible? If yes, would it be fine if you share some procedures or a link that I can look up.

    Thank you and more power!

    1. Paul Cunningham

      DAG members don’t share storage, they each have their own storage.

  18. prasant

    Hi Paul,

    I have one server 2012 R2 with Exchange 2013 SP1 rollup 7 running for around 3 months after migration.
    I have second server with 2012 R2 where I am planning to deploy an Exchange 2013 and create DAG and use one of Win 2008 server as Witness.
    My existing Exchange server is ESX VM guest and the members I would be adding as DAG member and witness are both physical server.

    Unlike you example I do not have pre-installed DAG members but I am going to install Exchange on second server now.

    What are the precaution I should take before installing Exchange 2013 on second server to avoid any service conflict with existing Exchange server. Is it recommended to install both role like mail server or just keep mailbox? Do I need to create separate DB on second server to replicate from primary or it would just be one DB?

    1. Paul Cunningham

      Sounds like you have one multi-role server so far. So in your case I recommend deploying a second multi-role server. That allows you to do HA not only for mailbox (with the DAG) but also for CAS services.

      https://www.practical365.com/exchange-2013-client-access-server-high-availability/

      For precautions, the most important one is to set the Autodiscover URL/SCP immediately after you’ve installed the second server, to avoid certificate warnings for your Outlook users.

      You do not need to create a second database, you can instead just replicate your existing database to the second server after you’ve created the new DAG. It’s up to you whether you create more than one database at any stage in the future.

  19. Rada

    HI, Paul

    Sorry to ask this question, in your example you have two Windows Server 2012 installing both CAS and Mailbox. So we will have 2 CAS right? How do we configure that 2 CAS to work as one? sorry for my bad English.

    Thanks

    Best Regard

    SAVOEURN Rada

  20. Fadee Attieh

    Hello, would like to know what are the configurations or settings to do after installing a new exchange for database availability group. after the installation errors started pumping and the users lost connection to exchange until I uninstalled the new exchange.

  21. Rino Mardo

    hi. is failover clustering required to have DAG operative?

  22. Ahmad Mazhar

    My nodes are running windows server 2012 and 2012 R2, can i add them into DAG?

    1. Paul Cunningham

      All members of a DAG must be running the same version of Windows Server.

  23. boyet

    Hi Paul,
    I followed your steps and everything went smoothly with the installation and configuration. We have existing Exchange 2007 SP3, and we just installed 2 Exchange 2013 SP1 in DAG to co-exist with Exchange 2007.

    The OWA is working perfectly fine BUT our problem is with the Outlook anywhere. All new users (Outlook 2010, Outlook 2013) cannot connect to the new Exchange server 2013. The Error is “The action cannot be completed. The connection to Microsoft Exchange is unavailable. Outlook must be online to complete this action.” The exchange 2007 clients are still ok connected to exchange 2007.

    Below is the details with Outlook anywhere and the Autodiscovery for your reference.

    [PS] C:\Windows\system32>Get-OutlookAnywhere

    [PS] C:\Windows\system32>Get-ClientAccessServer | FL AutoDiscoverServiceInternalUri
    Creating a new session for implicit remoting of “Get-ClientAccessServer” command…

    AutoDiscoverServiceInternalUri : https://mail2.—–.com/autodiscover/autodiscover.xml

    AutoDiscoverServiceInternalUri : https://autodiscover.—–.com/autodiscover/autodiscover.xml

    AutoDiscoverServiceInternalUri : https://autodiscover.—–.com/autodiscover/autodiscover.xml

    Hoping for your help…

  24. Yoncir Chiquito

    Hi Paul, first of all sincerely, Out this error when I try to make the DAG:

    Could not perform operation management availability group database due to a transient error. Retry the operation. Error: An error occurred while attempting a cluster operation. Error: Cluster API failed: “createCluster () failed with error 0x5b4. This operation is returned because the timeout is exhausted” [Server: ns5.gaopanama.com.ve]
    ERROR

    Unable to perform operation management availability group database server. Error: Could not perform the operation. CreateCluster errors can be caused by incorrect configuration of static addresses. Error: The computer account ‘DAG01’ could not be validated by the user ‘NT AUTHORITY SYSTEM’. Error: Error when trying to use the specified cluster name. There is already enabled computer object with that name in the domain [Server: ns6.gaopanama.com.ve]

    Configuration of servers:
    NS5: Exchange 2013 Domain controller (Replica to NS6)
    IP: 192.168.80.211
    Netmask 255.255.255.0
    Gateway 192.168.80.40 DNS 192.168.80.212, 8.8.8.8
    NS6: Exchange 2013 Domain controller (Replica to NS6)
    IP: 192.168.80.212
    Netmask 255.255.255.0
    Gateway 192.168.80.40 DNS 192.168.80.211, 8.8.8.8

    PC Witness
    Hyper-V, Windows 2008 server
    belongs to the domain
    IP: 192.168.80.213
    Netmask 255.255.255.0
    Gateway 192.168.80.40 DNS 192.168.80.211, 8.8.8.8

    What is wrong or what should I do to solve this problems .. Many thanks and grateful.

  25. Ali

    Hi Paul,

    Thanks for the great blog. Whenever I try to install exchange on a pre existing cluster it says it cannot be installed on a windows cluster. Uninstall the feature and retry. I tried looking it up, but no luck. Any ideas?

    Thanks!

    1. Paul Cunningham

      The error message is correct, you can’t install it on a pre-existing cluster.

  26. Dave

    Oh and what would you recommend for TTL value on the DNS records?

    Thanks,

    Dave

  27. Dave

    Thanks for the clarification. One other thing. You talk about having identical namespaces for internal and external url for OWA and Outlook Anywhere (e.g. mail.domain.com) would I do the same the EWS, ECP, Active-Sync, and OAB?

    Thanks again,

    Dave

  28. Dave

    Paul,

    Great article on DAG. I also read your article on CAS HA (https://www.practical365.com/exchange-2013-client-access-server-high-availability/) and plan to use both articles to set up HA for both roles. One part that confuses me in this DAG article is that you mention NLB is not supported to co-exist with the Failover Clustering that DAGs leverage. Are you referring to WNLB? Because your CA HA article mentions using DNS RR or a Hardware appliance LB to provide HA for your CAS servers and you used multi-role Exchange 2013 servers as your examples?

    Dave

    1. Paul Cunningham

      Yes, NLB = WNLB = Windows Network Load Balancing, as in the feature built-in to Windows Server.

      WNLB shouldn’t be used with Exchange 2013 at all, in my opinion. Use DNS RR or a hardware/virtual load balancer.

  29. Ricard Ibáñez

    We have two mailbox servers ( MBX1 and MBX2 ) , we also have two web access servers ( CAS1 and CAS2 ) .
    Our server DAG is the CAS1 , but when manually spent active database to MBX2 , the CAS1 not allow access to mailboxes by OWA and Outlook.
    I have reviewed the error events and do not refer to this problem . Neither from the IIS or Exchange events.
    When I manually change active database from MBX2 to MBX1, I have restart IIS on 2 CAS servers.
    My version of Microsoft Exchange is 2013 CU7.

    Thanks for your attention!

  30. Sunith Philip

    We are migrating from Exchange 2007 to Exchange 2013.

    Exchange 2007 is a single box with all roles in one.

    OS – Windows Server 2008 Enterprise Version 6.0 (Build 6002) Service Pack 2

    Exchange – Microsoft Exchange Server 2007 Version 8.2.176.2

    All Mailbox servers on Exchange 2013 below are on

    Windows Server 2012 R2 Standard Build 9600
    Microsoft Exchange Server 2013 Service Pack 1 Version 15.0.847.32
    Our setup for Exchange 2013 is 4 mailbox servers and 1 CAS.

    EXMB01 – DB1 (Active) DB2 (Passive)
    EXMB02 – DB2(Active) DB3 (Passive)
    EXMB03 – DB3 (Active) DB1 (Passive)
    EXMB04 – DB 1, DB2 & DB3 (All Passive) – The main reason for this mailbox server is for running mailbox and db backups to ensure the other servers do not get loaded.
    My questions are:

    How do I setup a DAG in this setup.
    How many DAG groups must I have?
    I have a non-exchange machine setup as FSW. Kindly advise how I need to configure this?
    For coexistence between Exchange 2007 and Exchange 2013, kindly advise the minimum versions and/or service packs required.
    Appreciate your help in this to ensure the migration is smooth.

  31. Adeniyi

    Hi Paul,

    I need to deploy a Microsoft exchange 2013 to a client afresh, with 15 CAS. Your explanation on DAG was really good, please could your assist on the best way to configure CAS after the installation of exchange without any issue.

    I have an available server with Microsoft 2012 where i intend to install the exchange and another server for D.C. Is there any addition server needed after these?

    Your urgent reply would highly be appreciated.

    Adeniyi.

  32. Senthil Kumar

    I need some suggestion from you on implementing Exchange 2013 DAG.

    Do we need to have separate CAS server as I am going to 2 Node DAG in HQ and 1 node in DR which will be part of the DAG nodes itself. What is your suggestion?
    And also SSL certificate for these servers as I wanted to use same SSL for these 3 nodes. Kindly suggest the way forward. We have got two different domains (email.domain1.com and email.domain2.com) which needs to be protected using single certificate

  33. teyob

    Hi Paul…thanks again..How to check the AutoDiscover is working in workgroup computer?? If autodiscover is not in the DNS entry,please provide guide in setting the autodiscover in the DNS..

    Thank you very much..

    1. Paul Cunningham

      Add autodiscover.yourdomain.com to your DNS zone, basically. That is the quickest and easiest way.

  34. teyob

    Hi Paul…Thanks again for a very useful guide…Our exchange 2013 is now working fine in Domain environment…just one more Question for the clients in WORKGROUP because we have some Laptop which are not connected in the Domain, when we connect Manually the Exchange server there is an error “The action cannot be completed” or “The name cannot be resolved”. Is there a way to connect the Workgroup client in Exchange 2013.?? We tried Outlook 2010 and Outlook 2013 with the same result.

    Thanks again…

    1. Paul Cunningham

      Non-domain joined computers will use Autodiscover to work out their Outlook settings. So as long as Autodiscover records are in DNS (eg, autodiscover.yourdomain.com) and resolving to the Client Access server IP address then all they should need to do is enter their email address and password in the Outlook new account wizard at startup.

  35. Jeremy

    Hi Paul,

    Thank you for all your articles, they have been invaluable to me during our Exchange migration.

    I have a very similar setup to this article (2 Mailbox Servers in a DAG and a FSW) with a separate network for DAG replication traffic. I’m a little confused on configuring the networking for replication. I have given the DAG an IP address on the client-facing network (as you did with the 192.168.0.189 IP for your DAG)

    Now I want to ensure the DAG replication traffic actually goes over the NICs I want it to. In your example, would that just be a matter of adding the 10.1.100.0/24 network as a DAG network for the DAG?

    Thanks

    1. Paul Cunningham

      DAG networks in Exchange 2013 will auto-configure as long as you configure the adapters correctly. More info on that here:

      https://www.practical365.com/misconfigured-subnets-exchange-2013-dag-network/

      But you can save yourself a lot of trouble by not configuring dedicated replication networks. Just use one DAG network. Less complex and less prone to misconfiguration or other issues that might cause a problem with your DAG. For a small environment with 1Gbps or higher NICs on the server there’s no real benefit to dedicated replication networks.

      1. Jeremy

        Thanks for the reply, the link to your other article was helpful. The network setup for these is somewhat complex so I would prefer to configure the replication manually.

        I seemed to have a lot of finicky issues when configuring the DAG network in the ECP (wouldn’t let me uncheck the “Enable Replication” box within a DAG network, but the clicking “Disable Replication” on the DAG Network page would work, seemed to take awhile for my changes to show up in ECP, making me think they hadn’t been applied, etc). Hopefully that was a fluke thing with my installation. It probably would have been better to configure it from Powershell.

        After blowing away the DAG and recreating it, I think I’ve finally got it configured how I want.

        1. Jeremy

          Hi Paul,

          Wanted to run something by you real quick if you don’t mind…we are now adding an Exchange server at our offsite DR location. I will add it as a member of the DAG (which currently has 2 members + 1 FSW).

          Will I need to change any kind of quorum mode since I will now have 3 DAG members or will Exchange handle all that automatically? I’m assuming it is safe to not make any changes to the FSW and leave it in place?

          Thanks!

  36. chiemele akoma

    Hi, please, my main problem here is how was the second Exchange server installed? I currently have 1 Hyper-V machine running Windows Server 2012, with Exchange 2013 installed. I’m trying to install a second Exchange 2013 server but am unable to. Please can you advise me on this?

    1. Paul Cunningham

      There’s no special install steps required for the second server, you just install it as you did the first one.

      1. chiemele akoma

        I have followed all the pre installation steps (prerequisite). Now on trying to install exchange 2013 cu5, I ran it as administrator. On the first page, add server role, mailbox role, client access role, management tools were greyed out…indicating that it has already been installed. As a result I cannot progress to the next page.

        As part of the prerequisite, I had prepared schema, restarted the server. On preparing AD, I got the message that an organisation already existed. I then prepared all domains and tried the installation.

        I don’t know what next to do. please I would appreciate your assistance

        1. Paul Cunningham

          The AD preparations (schema prep, domain prep, etc) only need to be done when deploying the very first Exchange server into an AD forest. There is also usually another schema update with new service pack releases.

          If you’re installing a second Exchange server into the existing forest/organization you only need to build a new Windows server, install the pre-reqs, and then install Exchange.

          The UI for the Exchange setup is very white and washed out, so it is possible what you think are greyed out options are actually not. You would only find out if you click on them to try and tick the boxes.

          Another approach is do a command line install, which is quite easy.

  37. Haitham

    I get this error

    I have Exchange with multi-role CAS, MB and one with MB only and a Windows 2012 witness server. When I add a DAG member I get this error:

    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API ‘”CreateCluster() failed with 0x13c1. Error: The cluster IP address is already in use”‘ failed.. [Server: Mail-srv.pop.local]

    1. Paul Cunningham

      From your error: “The cluster IP address is already in use”

      Seems like a clue to me.

      1. Huy Nguyen

        This error appears when they set the IP for the DAG to an in-use IP. Find an available IP in the network to set for the DAG to fix this error.

  38. Pam

    Thank you VERY much for all the time and effort you put into your blog. It is incredibly helpful. I use it over and over again for so many Exchange issues.

    I just configured the DAG that included 2 Exchange 2013 SP1 Hyper-V VMs running Windows Server 2012 R2. It worked. No issues. No errors. Both VMs are connected to the network via virtual switches that were configured on hosts that had NIC teaming enabled before the virtual switches were configured. No issues. Thank you-

  39. Burletchris

    Hi Paul, thanks a lot for your article. It helped me a lot.
    I have a similar problem to “theduke1989”! Can you help me? I searched on the internet and I don’t find the solution.

    WriteError! Exception = Microsoft.Exchange.Cluster.Replay.DagTaskServerTransientException: Échec d’une opération d’administration du groupe de disponibilité de base de données côté serveur à cause d’une erreur provisoire. Veuillez recommencer l’opération. Erreur : An error occurred while attempting a cluster operation. Error: Cluster API failed: “CreateCluster() failed with 0x13c1. Error: The cluster IP address is already in use” —> Microsoft.Exchange.Cluster.Shared.ClusterApiException: An error occurred while attempting a cluster operation. Error: Cluster API failed: “CreateCluster() failed with 0x13c1. Error: The cluster IP address is already in use”

    Before this error, I deleted a first DAG and I would like to reinstall it, but I have had this problem since deleting the DAG!
    I tested with other DAG IPs, I rebuilt the first point and that’s OK. When I try to add my Exchange server this error emerges!

    Thanks for your help.

  40. theduke1989

    Hej Paul,

    I am not at the point to actually add members to my DAG.
    But I am getting some errors when I want to add them.

    See below for the error:
    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API ‘”CreateCluster() failed with 0x13c1. Error: The cluster IP address is already in use”‘ failed.. [Server: EXC-1.yakuzacorp.local]
    FOUT

    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API ‘”CreateCluster() failed with 0x13c1. Error: The cluster IP address is already in use”‘ failed.. [Server: EXC-2.yakuzacorp.local]

    It’s a test facility to learn new things. Can you help me out here???

    1. Paul Cunningham

      “The cluster IP address is already in use” seems to be the biggest clue there.

  41. theduke1989

    Hello,

    thank you for the great tutorials.

    My problem now is:

    Error: You must be a member of the ‘Organization Management’ role group or a member of the ‘Enterprise Admins’ group to continue. For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.GlobalServerInstall.aspx
    Error: You must use an account that’s a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology. For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedBridgeheadFirstInstall.aspx

    etc

    I have 3 servers total for learning. Exchange1 had the same fault as the problem above but after adding: install-windowsfeature rsat-adds it worked on my first Exchange server but on my second server I still get the error 🙁

    VM1= AD-DS (DC)
    AD-DS
    2 NICS
    *1 = bridged
    *2 = LAN-SEGMENT1 192.168.3.253
    DHCP
    NAT <- CONNECTED TO NIC1

    VM2= EXLAB-01
    Installed all the pre-installs that are needed for Exchange 2013
    2 NIC's
    *1 = bridged
    *2 = LAN-SEGMENT2 <- 10.1.100.1 address

    VM3= EXLAB-03
    Installed all the pre-installs that are needed for Exchange 2013
    2 NIC's
    *1 = bridged
    *2 = LAN-SEGMENT2 <- 10.1.100.1 address

    They are joined as member servers and are connected to my domain, administrator account using…

  42. Ernesto

    Hi Paul,

    Thank you so much for the well-detailed steps in configuring DAG. I have one question before I will try the steps. Currently, we have installed Exchange Server 2013 on Windows Server 2008 R2 Enterprise SP1 on two HP Proliant Servers. One Exchange Server is Live and already running. We want to configure DAG so the other server will replicate the database of the Live Exchange Server. Is it necessary to have a third server to become a Witness Server or can we configure the Backup Exchange as the witness server itself and at the same time, it will be the member of the DAG? Thank you.

    1. Paul Cunningham

      The witness must be a separate server, not one of the DAG members.

      1. Ernesto

        Can it be a normal workstation with Windows 7 on it? I saw one screenshot in your tutorials which looks like a normal computer, the one with COMPUTER MANAGEMENT assigning Exchange Trusted Subsystem. Thanks for the reply. = )

        1. Paul Cunningham

          No, it must be a server. Desktop OS is not supported as an FSW. The screenshot is from a server.

        2. Ernesto

          Hi Paul, it’s me again and thank you for the quick reply. One more thing if you can help me out regarding Mailbox Databases. In our Exchange Server, we would like to create 2 database files. Our Exchange Server is hosting 6 email domain. We would like to configure three email domains will be saved to DB1 mailbox database and the remaining three domains will be saved to DB2 mailbox database. In the ECP>SERVER>DATABASE, I have created two database files namely DB1 and DB2. How can I point the three email domain to DB1 and the remaining three email domains to DB2? Hope you understand my question. Thanks.

        3. Paul Cunningham

          You’ll need to manually choose the database when you create the mailboxes.

  43. teyob

    Currently our Outlook anywhere is using HTTP, Can you Please provide the STEPS in configuring the Outlook Anywhere to use HTTPS.

    Thank you very much.

  44. ajhstn

    Hi Paul, I hope that you can help with this issue.

    I have 2x cas2013 and 2x mb2013 exchange servers. On the EXMB4 server I created the dag, no worries, and added EXMB4 server. I cannot however add a second mb server. during the process I can watch it attach to the cluster in FCM, but then later an error event states that “Cluster node EXMB3 has been evicted from the failover cluster”.

    I performed this using the ECP and so the gui response was A server-side database availability group administrative operation failed with a transient error. Please try the operation again. Error: An error occurred while attempting a cluster operation. Error: Cluster API failed: “AddClusterNode() (MaxPercentage=100) failed with 0x5b4. Error: This operation returned because the timeout period expired” [Server: EXMB4]

    I have triple checked the replication adapter, does not have a gateway, no dns registration, no lmhost. It is 2nd in order of priority to the mapi network. I can ping each server using both mapi and replication network.

    Any clues?

  45. Yasin

    Hello Paul ,

    I created DAG 2013. When I tested the DAG replication cmdlet, I have the issue with cluster network in one node of the DAG

    Cluster network “failed” Network ‘MapiDagNetwork’ has no network interface for server ‘ …

    for your help please.

    Thank you .

  46. andrew

    The Exchange Trusted Subsystem is a universal group, and I can’t add it to my FS server’s local admin group.

    1. Paul Cunningham

      Yes, it is a universal security group, and I’ve added it to the local administrators group on my FSW just fine.

  47. teyob

    Hi Paul,
    We are installing the Exchange server 2013 in Hyper-V Virtualization, Is it Ok to leave the Database in the Default Directory on C drive, so that we have one full BackUp only on the Virtualization drive?? and that we can mount it as a whole drive in any Physical server with Hyper-v??

    Thanks

  48. Brandon

    Paul —

    Wanted to start off by thanking you for this incredibly useful store of information helping me navigate my way through Exchange 2013 administration.

    Following your DAG step-by-step in my lab and came across an issue. Had a problem with getting the second of the Exchange 2013 servers for my DAG. The initial installation crashed with an error regarding an “Unstable” Exchange 2013 server. Formatted, reinstalled Windows 2012 Datacenter, renamed the server something different than before and successfully installed Exchange 2013, but now when I’m deleting the newly-created mailbox database per your instructions in this article, I noticed the old server name pop up in the Servers>Databases and the now-nonexistent server managed to set up a mailbox database that I can’t delete!

    I removed the computer account from Active Directory using ADSI Edit, but I have a feeling I need to do more to remove this nonexistent server from my AD. So my questions are: 1. Will this mess up my DAG? Should I stop the config and focus on getting rid of this thing? and 2. How do I get rid of this nonexistent server from AD?

    Thanks so much, and keep up the great work! Truly a big help to us Exchange newcomers!!!!!

    1. Paul Cunningham

      I would recommend doing a recovery installation of the failed server, then cleanly remove the mailbox database and then uninstall the server itself cleanly.

  49. malliklearning

    Hi Paul,

    Thanks for the efforts and for educating the people.

    I have a question regarding DAG IP.

    What is the use/role of a DAG IP? The IP which we are configuring as the DAG IP is used in which communication? Is it used in checking the heartbeat?

    Could you please clarify?

    Eager to see your comments.

    Thanks,
    Mallik

  50. teyob

    hi paul,
    Thank you very much, the failover is working now. If the active Exchange server is offline the passive takes over, but it took 10 to 15 minutes for Outlook to be connected again. Is that normal??

    Outlook Anywhere is using HTTP, is there a way to use HTTPS?? I tried HTTPS but I got a certificate error.

    Also about the witness server, what will happen if the witness server is OFFLINE?? Will it affect the cluster?

    Thank you very much again…

    1. Paul Cunningham

      I wouldn’t consider that normal. You need to look at whether the databases actually mounted quickly, and whether the CAS load balancing was not detecting the server that was down quickly enough.

      Yes Outlook Anywhere can use HTTPS and requires a valid SSL certificate.

      The witness server can be up/down without impacting the cluster. It is only when a majority of cluster members (eg the witness + one DAG member) go offline that you risk the entire DAG/cluster going down.

  51. teyob

    Hi Paul,
    Thank you very much again for all the help..

    I need another help regarding our Active Directory, Our existing Active directory is windows 2003 server and the existing exchange server is exchange 2007.

    We will be building a new Windows 2012 Active Directory plus the 2013 Exchange server. We will not touch or upgrade the existing 2003 server and Exchange 2007, so that we have a working Exchange Server 2007 while preparing and building the Exchange 2013.

    I need help in transferring the existing users from the 2003 server to the new 2012 server Active Directory. I tried to look and search at Microsoft; the available ADMT (Active Directory Migration Tool) is version 3.2, which is for 2008 server only.

    Is there any other tool that can transfer users from 2003 server to 2012 server Active directory. Hope you can help me with this.

    Thanks again…

    1. Erward Osckar

      On your Exchange 2007, you can script a PowerShell command to export everyone’s mailbox to PST
      http://blogs.technet.com/b/exchange/archive/2007/04/13/3401913.aspx

      You can then upload all of the PSTs to the new Exchange 2013 environment and import from PST
      http://technet.microsoft.com/en-us/library/ff607310(v=exchg.150).aspx

      Quite tedious, especially if you have hundreds or thousands of users. But if you script it right, it can be only two commands that you need to execute 🙂

      Why don’t you upgrade your AD to 2008R2, then co-exist your exchange 2007/2013 and save you a lot of pain.

      Good luck!

  52. teyob

    Hi Paul,
    One more thing, how about the certificate?? Can we use the default certificate or create a new certificate to include the 2 exchange server and the created name in the DNS?? If we will create a new certificate please provide also on how to create a new certificate.

    Thank you very much for all the help.

    regards

  53. teyob

    Hi paul,
    Thank you very much for the very quick response, I will do this one. For confirmation I just have some follow-up on the following:
    1. In configuring a single namespace instead of the unique server FQDN for each, is this the command in the exchange Powershell?
    —[PS] C:\>Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname mail.exchange2013demo.com -InternalClientsRequireSsl $false

    2. In configuring DNS records exist for that namespace and resolve to the Client Access servers.Is this the command??
    —PS C:\> Resolve-DnsName mail.exchange2013demo.com
    or i have to do it in DNS management and create a new record then issue the command

    Thanks again

    1. Paul Cunningham

      1) Yes, but you need to change the internal host name to one that is valid for your environment

      2) You need to create the DNS records. That command just tests that they are resolving.

  54. teyob

    Hi Paul,
    Thank you for the guide.I just have a question:
    We created 2 exchange servers member of the DAG and One Witness server and everything looks OK but when the Active server is down and the Passive server Takes Over BUT the Office Outlook shows Disconnected. The Failover is not successful in the Office outlook 2010.

    Hope you can help me.

  55. Petros Patalas

    Hi Paul,
    Thank you very much for your prompt reply.
    Petros

  56. Petros Patalas

    Hi Paul,
    thank you very much for your effort.
    After reading some of your articles, I am thinking of configuring the following:

    Two Exchange 2013 servers with both CAS and Mailbox roles, DAG between them (for 2 mailbox databases),
    and a third Exchange 2013 server holding the Archive database, also acting as the Witness Server.

    All above will run on Windows Server 2012 for the benefit of dynamic quorum.
    Does it look like a nice configuration?

    Thanx
    Petros

    1. Paul Cunningham

      I don’t know your business requirements, but I don’t see anything *wrong* with that. You could also make the third server a member of the DAG for even more resilience.

      1. Wiseman

        TYVM you’ve solved all my problems

  57. maximilian

    Hi Paul

    I have a question about DAG 2013. I have configured DAG and all things working fine but if I lose entire DAG I can use the procedure in this link?

    Rebuild an Entire Database Availability Group
    http://technet.microsoft.com/en-us/library/gg513521(v=exchg.141).aspx

    Is it supported for exchange 2013?

    If it is not possible could you route me to right procedure in order to rebuild DAG 2013?

    Cheers
    Maximilian

  58. Erward Osckar

    Hello Paul, Thank you for the superb article. This definitely helps in my configuration of our DAG 2013. I found one thing that I needed to do extra that was not mentioned in your article in order to create my DAG2013 and I would like to share that with everyone.

    When Pre-Staging the Cluster Name Object, I found that I also needed to add the following security group to the DAG Cluster name: “Exchange Trusted Subsystem” and give that group full control.

    Without the Exchange trusted subsystem, I keep getting Access Denied when trying to add my first DAG member. This is also the approach recommended by Microsoft technet at http://technet.microsoft.com/en-us/library/ff367878%28v=exchg.150%29.aspx.

    I hope this may help someone else in setting up DAG. I feel this should have been taken care of by Microsoft instead of having us pre-stage the cluster name object (seems silly to me).

    Thanks for the great article. I have my DAG running happily!

    Ed Osckar

    1. Paul Cunningham

      You can either add the computer account for the first DAG member, or you can add Exchange Trusted Subsystem. The article you link to explains that. In my example above I added the computer account.

  59. Manguon055

    My system has 5 servers: 2 CAS, 2 DB and 1 witness.
    I cannot connect to the CAS server when one of the two database servers is down.
    Help me…
    Thanks

  60. Paul

    How could this be set up for geographical redundancy? I.e. two locations connected via VPN tunnel. Could I still use only a 2 Exchange server configuration? Where would I have to put the witness share?

    1. Paul Cunningham

      You would need to make sure you read the networking requirements for multi-site DAG. Yes you can use just 2 servers though that may not be the best approach. The witness server would go in the “primary” datacenter or even possibly a third site, depending on a lot of factors.

      Multi-site DAG is possible but needs to be designed properly.

  61. Stephan van der Plas

    Hello Paul,

    I followed your steps (though I use an exchange (CAS) server as witness), but I receive an 0x80070005 (E_ACCESSDENIED) message.
    How to troubleshoot this?

  62. JIm

    This is a good article…The only thing that got me was that I forgot to enable the DAG account after the DAG was created. I think it would be good to add this to the article.

    1. Paul Cunningham

      Interesting. I don’t recall having to do that step at all. And there’s log entries in the dag setup logs that suggest Exchange did it for me.

      1. Randy Sieren

        I HAD to leave it disabled. When you add the first server to the DAG, it enables the computer account. If you enable it before – it errors out adding the first server saying the computer account is already enabled.

      2. Alessandro Matano

        Correct. I left (forgot) disabled, and Exchange enabled it for me.

  63. Jeremy Chu

    Hi,

    Can we use a Domain Controller as a FSW ? What are the prerequisites for a Witness Server ?

    I use a test environment, I have a DC with just 1 GB RAM, I’d like to know if I can use it as a FSW for my DAG.

    Regards,

  64. Tarik

    All good, but one thing, how should the client access the server? how can he tell which server to go to?
    What if a server goes down? the client would probably have his outlook setup to one exchange.

    How can he still receive email when that server goes down?

    Please help me to understand this process.

    1. Paul Cunningham

      The client connects to the Client Access server. Databases can failover, Mailbox servers can go down, but as long as the Client Access server(s) are available the client can still connect.

      There’s more to it obviously, but that is the basic concept.

      1. Tarik

        Thanks for the reply Paul,

        But you are here setting both servers to have Client Access Server, my question is that to which server the client should go to when one goes down, or there should be a manual intervention from an admin to set the DNS/IP addresses.

        Would you suggest setting the CAS on some other server and having the Mailbox roles set on two other servers? But the single point of failure would be the one CAS.

        Your information is very straight forward setting up the DAG, but the glitch I’m facing is the CAS.

        I hope you can clarify it to me.

        Best Wishes,

        1. Paul Cunningham

          It involves setting up a highly available CAS. I’m going to write up some articles on the topic very soon actually.

  65. Alex

    Where do i place DAG Witness server if Mailbox and CAS server are co-located? General recommendation is to put it on CAS server but not on a Mailbox server in the DAG. Any idea what would be the best choice?

  66. Ishtvan Balint

    Running this setup in an hyper-v environment. Cannot add a second node and it does not matter which one. Always fails when adding the second. Is this supported?

  67. Rogelio Garcia

    Hi Paul, I try to install DAG on Hyper-V Windows Server 2012. I have two virtual Mailbox servers with Exchange 2013 and Server 2012 Standard, two NICs: VLAN 192.168.100.166,168 and for DAG VLAN 192.168.103.40,41. When I try to add the second node to the DAG:

    A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster
    errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster
    operation. Error: Cluster API ‘”AddClusterNode() (MaxPercentage=100) failed with 0x5b4. Error: This operation returned
    because the timeout period expired”‘ failed.. [Server: simimx-mbexc01.simi.com]
    + CategoryInfo : InvalidArgument: (:) [Add-DatabaseAvailabilityGroupServer], DagTaskOperationFailedExcept
    ion
    + FullyQualifiedErrorId : F544CC70,Microsoft.Exchange.Management.SystemConfigurationTasks.AddDatabaseAvailabilityG
    roupServer
    + PSComputerName : simimx-mbexc01.simi.com

    I hope you can help me
    Thanks

    1. Dick Turpin

      Try removing the teaming from the Hyper-V hosts. That worked for me.

      I have a call open with MS about this as it’s affecting a large number of deployments.

      1. Ian Wright

        Was there any update on the call you have open? I think I am experiencing the same issue.

        Great article!

  68. Hello Paul,

    Thanks a lot for such informational howto. I just configured DAG without any problems. However I’ve few questions in my mind which are still unanswered. If you can then please answer

    Q1. Is it essential to use non-exchange extra server as Witness Server or not ? Can I use Domain Controller (I am using DC for DFS also) or CAS as Witness Server ?

    Q2. If I do not want to use dedicated replication network then can I use my main connection for replication ?

    Q3. How I can assure my replication is working absolutely fine ?

    Q4. As you mentioned your other database is removed. Did you remove it yourself or did the DAG creation process do it? My 2nd database (which setup created when I installed the mailbox role on the 2nd server) wasn’t deleted. Will this hurt DAG performance, or can some other potential issues arise from this?

    1. Paul Cunningham

      1. I use a non-Exchange server in this demo mainly so I can demonstrate the extra steps involved. It is generally recommended to use another Exchange server, eg a dedicated CAS, which has fewer steps because Exchange Trusted Subsystem is already configured correctly on that server.

      I do not recommend ever using a Domain Controller as the file share witness.

      2. Yes, a DAG can have only one network that it uses for both client and replication traffic.

      3. Get-MailboxDatabaseCopyStatus and Test-ReplicationHealth are two cmdlets for testing the health of your DAG.

      4. I removed it myself. The DAG setup does not remove existing databases. Consider that the existing databases can then have copies added in the DAG, so why would DAG setup remove them? It won’t hurt performance, but if you don’t want the database you should remove it so you don’t need to manage it (eg back it up) and so nobody accidentally puts mailboxes on it.
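
One way to combine the two cmdlets named in the reply above into a single health pass over every DAG member (an added example, not code from the article or its author). The DAG name `DAG1`, the queue thresholds and the helper function names are assumptions; adjust them for your environment.

```powershell
# Added example: run from the Exchange Management Shell.
# Assumptions: the DAG name 'DAG1' and the queue-length thresholds below.

# Hypothetical helper: one finding record per problem detected.
function New-Finding {
    param([string]$Server, [string]$Check, [string]$Detail)
    [pscustomobject]@{ Server = $Server; Check = $Check; Detail = $Detail }
}

function Get-DagHealthFinding {
    param(
        [Parameter(Mandatory = $true)][string]$DagName,
        [int]$MaxCopyQueue   = 10,    # assumed threshold: logs waiting to be shipped
        [int]$MaxReplayQueue = 100    # assumed threshold: logs waiting to be replayed
    )

    $dag = Get-DatabaseAvailabilityGroup -Identity $DagName -ErrorAction Stop

    foreach ($member in $dag.Servers) {
        # Servers holds directory object IDs; fall back to the string form
        # if the object arrives without a Name property.
        $server = if ($member.Name) { $member.Name } else { "$member" }

        # 1. Database copies hosted on this member.
        try {
            $copies = @(Get-MailboxDatabaseCopyStatus -Server $server -ErrorAction Stop)
        } catch {
            New-Finding $server 'CopyStatus' "query failed: $($_.Exception.Message)"
            continue
        }

        foreach ($copy in $copies) {
            # An active copy reports Mounted, a passive copy Healthy.
            $status = "$($copy.Status)"
            if (@('Mounted', 'Healthy') -notcontains $status) {
                New-Finding $server $copy.Name "copy status is $status"
            }
            if ($copy.CopyQueueLength -gt $MaxCopyQueue) {
                New-Finding $server $copy.Name "copy queue length $($copy.CopyQueueLength)"
            }
            # A lagged copy carries a large replay queue by design; raise the
            # threshold for those rather than ignoring the check.
            if ($copy.ReplayQueueLength -gt $MaxReplayQueue) {
                New-Finding $server $copy.Name "replay queue length $($copy.ReplayQueueLength)"
            }
        }

        # 2. Replication, cluster and network checks for this member.
        foreach ($test in Test-ReplicationHealth -Identity $server) {
            $result = "$($test.Result)"
            if ($result -and $result -ne 'Passed') {
                New-Finding $server $test.Check "$result $($test.Error)"
            }
        }
    }
}

$findings = @(Get-DagHealthFinding -DagName 'DAG1')
if ($findings.Count -eq 0) {
    'No DAG health findings.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

An empty result means every copy is Mounted or Healthy, queues are under the thresholds, and every Test-ReplicationHealth check passed on each member.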

  69. Rasheedah

    For the CNO process is adding one (first) DAG member sufficient enough? Thanks!

      1. Wasim

        Hi Paul,

        Thanks for providing step by step guides, really helpful articles.

        About CNO setup.
        Adding the 2nd member server to DAG will automatically get added to CNO permissions or there is no requirement for 2nd member. What if the 1st member (which has permissions configured on CNO) failed? will the other member be able to take control on CNO?

        Also a bit confused with the Network config for DAG.
        “the DAG requires an IP address on each IP subnet that is part of the MAPI network”
        If my network (client subnets) has 3 subnets 192.168.1.x, 2.x, 3.x. Do I need to assign 1 IP from each subnet?
        all 3 subnets can communicate with each other and also to the “server subnet” 10.10.10.x.

        Thanks for your time and help.

        1. Paul Cunningham

          You only need to do the permissions on the CNO for the first DAG member.

          A DAG network is any network that a DAG node is connected to. So other subnets (such as where your client computers reside) are not considered to be DAG networks and don’t need to be configured as such.

          A DAG has only one MAPI (client-facing) network. But that network may include multiple IP subnets, such as when the DAG is multi-site. Therefore the DAG needs to be given an IP address in each of those IP subnets that exist in that DAG network.

  70. AMIT

    Informative
