DAG FSW permissions errors during creation process? - Try this

One of the really cool new features of Exchange 2010 is the ability to provide high availability for all 4 server roles by using just 2 actual machines. There are definitely some caveats, like the fact that you need a hardware load balancer to distribute inbound requests to the CAS and HT roles (NLB simply doesn’t play well with our replication tech at the moment), but I honestly think we’ll see a greater adoption of high availability using a multi-role CAS/HT/MBX in the smaller or midsize business space with this model. HA for the masses, that can only be good news for everyone.

The 2010 DAG feature shares some similarities with 2007’s CCR. One is that it also requires a file share witness (FSW) to act as a voting mechanism. Since your two Exchange servers are part of the DAG, one of the limits is that neither can actually host the witness share. In this case you’ll need a 3rd server to act as the file share witness, which would normally, if possible, be another Exchange server. In my lab setup the only other server I had was a domain controller, so I decided to use that as my FSW instead of standing up another server. When I ran through the DAG wizard I received the following error:

Warning: Specified witness server ‘DC01.test.com’ is not an Exchange server, or part of the Exchange Servers security group.

Warning: Insufficient permissions to access file shares on witness server ‘DC01.test.com’ Until this problem is corrected, the database availability group may be more vulnerable to failures. You can use the Set-DatabaseAvailabilityGroup cmdlet to try the operation again. Error: Access is denied

The DAG is still created, but really doesn’t have the FSW ability at this point. The first warning is also a little confusing because the problem actually lies in the Exchange Trusted Subsystem group’s permissions, not the Exchange Servers security group. You can follow the steps below to resolve this and get your DC to act as the FSW:

· Add your domain controller’s computer account to the Exchange Trusted Subsystem group in AD.

· Add the Exchange Trusted Subsystem group to the Builtin\Administrators group of the domain.

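Obviously the second change isn’t ideal, because it gives the Exchange Trusted Subsystem group, and so every Exchange server in it, administrative rights on your domain controllers. If you’re going to use the DAG features I’d really recommend putting your FSW folder on something other than a DC; our best practice recommendation in this area has not changed from Exchange 2007 – Hub servers.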

At this point this issue should be resolved and you should see the FSW folder and share created on DC01.

I also found that if I created the folder on the DC ahead of time and then ran the DAG wizard, it would fail because the folder and share permissions were not correct. The best action here is to not create the FSW folder or share ahead of time and just let the cmdlet take care of the hard work.
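The two group changes and the retry, scripted as an added example (not part of the original post or Microsoft's own tooling). It assumes the ActiveDirectory module is available in the Exchange Management Shell and uses a hypothetical DAG name, DAG1; it also lists every principal that gains Builtin\Administrators rights through the nesting, so you can see exactly what the second step grants.

```powershell
# Added example. Run from the Exchange Management Shell with rights to edit both groups.
# Assumptions: ActiveDirectory module is installed; 'DAG1' is a hypothetical DAG name.
Import-Module ActiveDirectory

$DagName       = 'DAG1'            # hypothetical, replace with your DAG
$WitnessServer = 'DC01.test.com'   # witness server named in the warnings above
$WitnessHost   = $WitnessServer.Split('.')[0]

$ets    = Get-ADGroup    -Identity 'Exchange Trusted Subsystem'
$admins = Get-ADGroup    -Identity 'Administrators'   # Builtin\Administrators
$dc     = Get-ADComputer -Identity $WitnessHost

# Add a direct member only if it is not already there, so the script is safe to re-run.
function Add-MemberIfMissing($Group, $Member) {
    $present = Get-ADGroupMember -Identity $Group |
        Where-Object { $_.DistinguishedName -eq $Member.DistinguishedName }
    if ($present) {
        Write-Host "$($Member.Name) is already a member of $($Group.Name)"
    } else {
        Add-ADGroupMember -Identity $Group -Members $Member
        Write-Host "Added $($Member.Name) to $($Group.Name)"
    }
}

# Step 1: domain controller computer account -> Exchange Trusted Subsystem
Add-MemberIfMissing $ets $dc

# Step 2: Exchange Trusted Subsystem -> Builtin\Administrators
Add-MemberIfMissing $admins $ets

# Everything listed here now holds Administrators rights on the DCs via the nesting.
Write-Host "Principals that are Administrators through Exchange Trusted Subsystem:"
Get-ADGroupMember -Identity $ets -Recursive |
    Sort-Object Name |
    Format-Table Name, objectClass -AutoSize

# Retry the witness configuration, as the warning suggests. The witness folder
# and share are left for the cmdlet to create, not pre-created by hand.
Set-DatabaseAvailabilityGroup -Identity $DagName -WitnessServer $WitnessServer

# Confirm what the DAG now records for its witness.
Get-DatabaseAvailabilityGroup -Identity $DagName |
    Format-List Name, WitnessServer, WitnessDirectory
```

If the witness later moves to a non-DC server, Remove-ADGroupMember on the same two memberships reverses the change.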

 

Hope this helps, John