I just had a conversation about how many nodes can fail in a three node DAG and since there was a misconception present I figured I should point out a section of the “Planning For High Availability and Site Resilience” article on TechNet.
From “Witness Server Requirements”
DAGs with an odd number of members do not use a witness server. All DAGs with an even number of members will use a witness server. The witness server can be any computer running Windows Server.
What does this mean? You need to have node majority within the DAG; if you have a three server DAG and two fail you only have one left and therefore don’t have majority. If you want to sustain two failures in a DAG then you need to design your DAG with four nodes and use a witness server.
When you add/remove a server from the DAG (note that a node failing does not count) the addition or removal of a witness server happens automatically. You can either specify a directory (The witness server cannot be a member of the DAG) or by automatically selecting a 2010 Hub Transport server in the site that does not have the Mailbox role installed.
Questions are welcome in the comments, a link to the TechNet article is below.
Planning for High Availability and Site Resilience: Exchange 2010 Help
Subscribe – To get an automatic feed of all future posts subscribe to our RSS feed here or subscribe via e-mail here. You should follow us on Twitter here.
Tags: Exchange, High Availability
Hi Jeremy,
I have been going through the web trying to get a clear answer on site replication using only 2 exchange 2010 servers and 1 database.
I have 2 locations A and B seperated by a WAN. Each site will contain 1 Exchange 2010 server that will replicate a single database. I understand a DAG will need to be created with a Witness server. The problem is where to you place the witness server as if the WAN goes down between the sites then according to what i have read the site without the witness server database will go offline until a witness server is found. Is that right? if so that means you would have to replicate the witness server as well! It kind of defeates the object of replicating the database over a WAN or is there something i have missed? Thanks Regards
Jason
01.07.10 at 10:49 am
That’s pretty much the case Jason, but there is redundancy built in with AlternateWitnessServer and AlternateWitnessDirectory, parameters used solely for datacenter switchover process. Are these servers all-in-one boxes or are they standalone mailbox and HT/CAS?
01.08.10 at 4:02 pm
Many thanks for your response Jeremy, i have looked at the Set-DatabaseAvailabilityGroup cmdlet with the AlternateWitnessServer and AlternateWitnessDirectory parameters. My Exchange knowledge limited to 2003 so its like starting again with Exchange as everything has changed. But there are so many great improvemts enough for us to decide to take the leap to 2010. I will see if i can use these in my test environmet, the Exchange setup is 2 standalone servers with mailbox, HT and CAS. I am looking to setup an automatic failover if one server/site fails.
01.11.10 at 3:49 am
You’re most welcome. Yes, 2003 to 2010 is a huge change but it’s definitely well worth it; 2010 is a much nicer system in my opinion.
Please don’t hesitate to contact me if you have any other questions.
Thanks!
Jeremy
01.11.10 at 9:18 am
I have the exact same issue, and I have looked at this issue 10 different ways in my lab. Here is the scenario:
2 sites, each with a local mailbox server, connected via a WAN.
The witness server has to be 1 site or the other. for the sake of this example, it doesn’t matter which.
Both sites are replicating to the other site’s mailbox server. about as simple a setup as you can get.
When there is a simple WAN outage, the site with the witness server stays fine, but the other site, oh boy does the other site suck.
At the other site, the local database goes offline, because that MBX server has lost majority, and it down’s the DB’s to correct this.
Now, in an automatic failover situation, I can understand this. How does it know what server has the active DB? it doesn’t. it has to protect itself.
However, I don’t use automatic failover. I turn that off. I don’t want a 3 minute WAN blip to flip over my DB’s, it won’t do my any good.
I have researched and researched, and tested and tested, and there is no way around this. I have come up with 1 way to make it work, but from a licensing perspective, it’s not realistic.
basically i’d create 2 DAG’s, each having a local witness server. but because each MBX server can only participate in 1 dag at a time…..yup you guessed it, an extra mbx server at each site, just to house the replicated databases. that means enterprise windows, and an exchange license. ouch.
if anyone finds a way around this, please let me know.
oh also, i have a 3 site dag, and have the same issue, it doesn’t matter how many sites, please don’t say use DAC, as that is for “primary” and “failover” datacenter type scenarios, not 2 active offices, with active and passive DB scenarios, it just doesn’t work.
HELP!!!
02.04.10 at 2:58 pm
Matt,
Any particular reason you’re doing active/passive across sites? You’re correct that there is significant complexity added.
Thanks,
Jeremy
02.04.10 at 3:08 pm
Hi Jeremy,
Yes, because I have 3 offices, all with a local mailbox server. I need the mailbox server local for various reasons, mainly performance.
I really like the DAG feature in Exchange 2010, but it clearly was designed for the datacenter model, and not a multi-office model, at least those that run active/passive.
Got any ideas for me??
02.05.10 at 10:42 am
you’d think there would be a setting that says if you configure manual DB activation, then never dismount the DB, if you lose majority. that would solve my entire issue.
i want to use the DAG for DR purposes only, and that would do it.
but because of this issue, i have to continue to use 3rd party tools, or potentially MS DPM 2010. bleh. DAG’s are just so easy.
02.05.10 at 10:50 am