DAG FSW permissions errors during creation process? – Try this

One of the really cool new features of Exchange 2010 is the ability to provide high availability for all 4 server roles by using just 2 actual machines. There are definitely some caveats, like the fact that you need a hardware load balancer to distribute inbound requests to the CAS and HT roles (NLB simply doesn’t play well with our replication tech at the moment), but I honestly think we’ll see a greater adoption of high availability using a multi-role CAS/HT/MBX in the smaller or midsize business space with this model. HA for the masses, that can only be good news for everyone.

The 2010 DAG feature shares some similarities with 2007’s CCR. One is that it also requires a file share witness (FSW) to act as a voting mechanism. Since your two Exchange servers are part of the DAG, one of the limits is that neither can actually host the witness share. In this case you’ll need a 3rd server to act as the file share witness, which would normally, if possible, be another Exchange server. In my lab setup the only other server I had was a domain controller, so I decided to use that as my FSW instead of standing up another server. When I ran through the DAG wizard I received the following error:

Warning: Specified witness server ‘DC01.test.com’ is not an Exchange server, or part of the Exchange Servers security group.

Warning: Insufficient permissions to access file shares on witness server ‘DC01.test.com’ Until this problem is corrected, the database availability group may be more vulnerable to failures. You can use the Set-DatabaseAvailabilityGroup cmdlet to try the operation again. Error: Access is denied

The DAG is still created, but really doesn’t have the FSW ability at this point. The first warning is also a little confusing because the problem actually lies in the Exchange Trusted Subsystem group permissions, not the Exchange Servers security group. You can follow the steps below to resolve this and get your DC to act as FSW:

· Add your domain controller’s computer account to the Exchange Trusted Subsystem group in AD.

· Add the Exchange Trusted Subsystem group to the Builtin\Administrators group of the domain.

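Obviously the second change isn’t ideal: it gives the Exchange Trusted Subsystem group, and with it every Exchange server’s computer account, administrator rights on your domain controllers. If you’re going to use the DAG features I’d really recommend putting your FSW folder on something other than a DC. Our best practice recommendation in this area has not changed from Exchange 2007: Hub servers.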

At this point this issue should be resolved and you should see the FSW folder and share created on DC01.

I also found that if I created the folder on the DC ahead of time and then ran the DAG wizard it would fail because the folder and share permissions were not correct. The best action here is to not create the FSW folder or share ahead of time and just let the cmdlet take care of the hard work.


Hope this helps,  John 
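The two steps above, followed by the retry that the warning text suggests, as an added example that is not part of the original post. It also lists which accounts gain administrator rights on the domain controllers through the nested group, so the change can be recorded and reversed later. Assumptions: the ActiveDirectory PowerShell module is available in the Exchange Management Shell session, the witness is DC01.test.com as in the warning text, and `DAG1` and `C:\FSW` are hypothetical names.

```powershell
# Added example, not from the original post. Assumed names: DC01 / DC01.test.com
# (witness DC, as in the post's warning text); DAG1 and C:\FSW are hypothetical.
# Run in the Exchange Management Shell with the ActiveDirectory module available.
Import-Module ActiveDirectory

$witnessName = 'DC01'
$witnessFqdn = 'DC01.test.com'
$dagName     = 'DAG1'        # hypothetical DAG name
$witnessDir  = 'C:\FSW'      # hypothetical path; do not create it ahead of time
$etsName     = 'Exchange Trusted Subsystem'

$ets    = Get-ADGroup -Identity $etsName
$admins = Get-ADGroup -Identity 'S-1-5-32-544'   # Builtin\Administrators, by well-known SID
$dc     = Get-ADComputer -Identity $witnessName

# Step 1 from the post: DC computer account -> Exchange Trusted Subsystem
$etsDirect = @(Get-ADGroupMember -Identity $ets | ForEach-Object { $_.distinguishedName })
if ($etsDirect -notcontains $dc.DistinguishedName) {
    Add-ADGroupMember -Identity $ets -Members $dc
}

# Step 2 from the post: Exchange Trusted Subsystem -> Builtin\Administrators
$adminDirect = @(Get-ADGroupMember -Identity $admins | ForEach-Object { $_.distinguishedName })
if ($adminDirect -notcontains $ets.DistinguishedName) {
    Add-ADGroupMember -Identity $admins -Members $ets
}

# Record what step 2 granted: every account listed here now holds administrator
# rights on the domain controllers through the nested group.
Get-ADGroupMember -Identity $ets -Recursive |
    Sort-Object objectClass, name |
    Format-Table name, objectClass, distinguishedName -AutoSize

# Retry the witness configuration, as the warning text suggests, then confirm it.
Set-DatabaseAvailabilityGroup -Identity $dagName -WitnessServer $witnessFqdn -WitnessDirectory $witnessDir
Get-DatabaseAvailabilityGroup -Identity $dagName -Status |
    Format-List Name, WitnessServer, WitnessDirectory, WitnessShareInUse
```

Keep the membership listing with your change record so the nesting can be removed again if the witness later moves to a Hub Transport server.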


Comments (3)
  1. Anonymous says:

    Using the DC and FSW Microsoft doesn't recommend that, but if you have only a limited number of servers, you don't have a choice: You only ever need to add the Exchange Trusted Subsystem to the Local Administrator Group. Or in this case, the Builtin Administrators group for the domain since you're using a DC.

    To configure FSW on DC there are more steps to perform before configuration of FSW:

       Add domain controller to Exchange Trusted Subsystem security group

       Add Exchange Trusted Subsystem to Builtin\Administrators

       Create Directory on the DC and share the directory with the share name of the DAG

       Set sharing permissions so that virtual account for DAG will have Full Control

    Also you will need to disable the firewall on the DC

    Try browsing to the FSW folder from one of the Exchange servers, for example: Start – Run –  \DCFSW


  2. Elan Shudnow says:

    You don’t need to add the non-Exchange system account to the Exchange Trusted Subsystem.  You only ever need to add the Exchange Trusted Subsystem to the Local Administrator Group.  Or in this case, the Builtin Administrators group for the domain since you’re using a DC.

  3. German Pulido says:

    I tried creating a DAG in a lab environment (2 Exchange 2010 servers w/ CAS, hub and mailbox and 1 Windows 2003 R2 DC) but despite doing _both_ things explained on this blog it fails to create the DAG. This is the error:

    Summary: 1 item(s). 0 succeeded, 1 failed.

    Elapsed time: 00:00:01




    Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))


    An unexpected error has occurred and a Watson dump is being generated: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

    Exchange Management Shell command attempted:

    New-DatabaseAvailabilityGroup -Name ‘DAG-01’ -WitnessServer ‘WIN2003DC’ -WitnessDirectory ‘c:w’

    Elapsed Time: 00:00:01

    Any hint on this is appreciated.

