Demystifying Exchange 2010 database availability group (DAG)
What is a DAG?
A database availability group (DAG) is the base component of the high availability and site resilience framework that is built into Exchange 2010. A DAG is a group of up to 16 Mailbox servers that host a set of databases and provide automatic database-level recovery from failures that affect individual servers or databases. Exchange 2010 uses the same continuous replication technology found in Exchange 2007. Exchange 2010 combines on-site data replication (CCR) and off-site data replication (SCR) into a single framework which is the DAG. Once servers have been added to a DAG, administrators can add replicated database copies incrementally, and Exchange 2010 switches between these copies automatically, as needed, to maintain availability.
When can I create a DAG?
After you've deployed Exchange 2010, you can create a DAG, add Mailbox servers to the DAG, and then replicate mailbox databases between the DAG members. A DAG can be created using the New Database Availability Group wizard in the Exchange Management Console, or by running the New-DatabaseAvailabilityGroup cmdlet in the Exchange Management Shell. When creating a DAG, you provide a name for the DAG, and optional witness server and witness directory settings. In addition, one or more IP addresses are assigned to the DAG, either by using static IP addresses or by allowing the DAG to be automatically assigned the necessary IP addresses using Dynamic Host Configuration Protocol (DHCP).
Do I need to setup windows cluster for the DAG to work?
No, there is nothing called a standalone or clustered Exchange 2010 installation. After you install a normal Exchange 2010 mailbox server, you need to run the New-DatabaseAvailabilityGroup cmdlet to create a DAG, once the DAG has been created, mailbox servers can be added to the DAG. When the first server is added to the DAG, a cluster is formed for use by the DAG. DAGs make limited use of Windows Failover Clustering technology, namely the cluster heartbeat, cluster networks, and the cluster database (for storing data that changes or can change quickly, such as database state changes from active to passive or vice versa, or from mounted to dismounted and vice versa). As each subsequent server is added to the DAG, it is joined to the underlying cluster (and the cluster's quorum model is automatically adjusted by the system, as needed), and the server is added to the DAG object in Active Directory. And because DAGs rely on Windows Failover Clustering, they can only be created on Exchange 2010 Mailbox servers that are running Windows Server 2008 Enterprise Edition or Windows Server 2008 R2 Enterprise Edition. In addition, each Mailbox server in the DAG must have at least two network interface cards in order to be supported
What's happening when I create a DAG or join a server to an existing DAG?
When the first Mailbox server is added to a DAG, the following occurs:
- The Windows Failover Clustering component is installed, if it is not already installed.
- A failover cluster is created using the name of the DAG.
- A cluster network object (CNO) is created in default computers container.
- The name and IP address of the DAG is registered as a Host (A) record in DNS.
- The server is added to DAG object in Active Directory.
- The cluster database is updated with information on the databases that are mounted on the added server.
When the second and subsequent servers are added to the DAG, the following occurs:
- The server is joined to Windows Failover Cluster for the DAG.
- The quorum model is automatically adjusted:
- A Node Majority quorum model is used for DAGs with an odd number of members.
- A Node and File Share Majority quorum is used for DAGs with an even number of members.
- The witness directory and share are automatically created by Exchange when needed.
- The server is added to DAG object in Active Directory.
- The cluster database is updated with info on mounted databases
Can I have DAG members from different subnets?
Yes, during the cluster creation, the Add-DatabaseAvailabilityGroupServer task retrieves the IP address(es) configured while you are creating the DAG, takes whatever appropriate IP and ignores the ones don't match any of the subnets found on the server. This gives you the flexibility to have a DAG with members on the same or different subnets "in case you will have a DAG node in another datacenter".
Can I use a 3rd party replication tool to replicate the databases in the DAG?
By default, a DAG is designed to use the built-in continuous replication feature to replicate mailbox databases between servers in the DAG. If you are using third-party data replication that supports the Third Party Replication API in Exchange 2010, you must create the DAG in third party replication mode by using the New-DatabaseAvailabilityGroup cmdlet with the ThirdPartyReplication parameter, but note that Once this mode is enabled, it cannot be disabled.
Can I encrypt the DAG network traffic?
DAGs support the use of encryption by leveraging the encryption capabilities of the Windows Server operating system. DAGs use Kerberos authentication between Exchange servers. Microsoft Kerberos SSP’s EncryptMessage/DecryptMessage APIs handle encryption of DAG network traffic. Microsoft Kerberos SSP supports multiple encryption algorithms. The Kerberos authentication handshake picks the strongest encryption protocol supported in the list: typically AES 256-bit, potentially with a SHA Hash Message Authentication Code (HMAC) to maintain integrity of the data
Can I compress the DAG network communication?
DAGs also support built-in compression. When compression is enabled, DAG network communication uses XPRESS, which is Microsoft’s implementation of the LZ77 algorithm. This is the same type of compression used in many Microsoft protocols, in particular, MAPI RPC compression between Outlook and Exchange
What is the minimum network interfaces required for a DAG?
Although a single network is supported, we recommend that each DAG have at least two networks: a single MAPI network and a single Replication network. This provides redundancy for the network and the network path, and enables the system to distinguish between a server failure and a network failure. Using a single network adapter prevents the system from distinguishing between these two types of failures.
What will happen if one of my DAG networks encountered a failure?
In the event of a failure affecting the MAPI network, a server failover will occur (assuming there are healthy mailbox database copies that can be activated). In the event of a failure affecting the Replication network, if the MAPI network is unaffected by the failure, log shipping and seeding operations will revert to use the MAPI network. When the failed Replication network is restored, log shipping and seeding operations will revert back to the Replication network. To increase the high availability on your DAG, additional MAPI and/or Replication networks can be added, as needed. Also you can prevent an individual network from being a single point of failure by using network adapter teaming or similar technology.
Can I host other roles on a mailbox server that is member of a DAG?
Unlike Exchange 2007, where clustered mailbox servers required dedicated hardware, Mailbox servers in a DAG can host other Exchange roles (Client Access, Hub Transport, Unified Messaging), providing full redundancy of Exchange services and data with just two servers. This can be an excellent option for small and medium organizations where the number of mailboxes and email traffic doesn't require a dedicated hardware for each role.
Comments
Anonymous
February 03, 2011
So what kind of traffic is the DAG actually sending? Based on what is here, I see MAPI traffic is a part of it, but what is the "Replication" traffic - is that SMTP, or something else?Anonymous
February 04, 2011
Looks like Exchange 2007 used SMB for the replication (log shipping), but all I see for 2010 is that is now using TCP (www.howexchangeworks.com/.../log-shipping-in-exchange-2010-dag.html). Surely there is some sort of file transfer protocol involved?Anonymous
May 16, 2011
Is it possible to prevent the replication traffic failing over to the MAPI network? We push Replication over an intersite WAN implemented on different technology (point-point fiber) to the user (MAPI) traffic (MPLS), and couldn't tolerate the replication bandwidth on the MPLS. We'd rather recover the link and let the replication catch up. Can this be done?