
Elan Shudnow's Blog


Exchange 2010 Site Resilience, Multiple DAG IPs, and Cluster Resources

September 27, 2010 by Elan Shudnow 44 Comments

Exchange 2010 allows us to have Database Availability Group (DAG) members in several AD Sites. For every subnet a DAG member’s MAPI NIC is in, we must obtain a DAG IP. This DAG IP is separate from the IPs assigned to the MAPI NICs themselves. We add this DAG IP to the DAG using the Set-DatabaseAvailabilityGroup command.

Multiple DAG IPs

Let’s take a look at an example of how the architecture may look.

Taking a look at the above Visio diagram, we have two sites, Primary Site and DR Site, with one node in each.  The MAPI NIC in the Primary Site has an IP Address of 172.17.24.200.  That means that we’ll need to have a DAG IP that lives in this same subnet.  We choose a DAG IP of 172.17.24.120.  The MAPI NIC in the DR Site has an IP Address of 172.16.24.200. That means that we’ll need to have a DAG IP that lives in this same subnet.  We choose a DAG  IP of 172.16.24.120.

In order to add these DAG IP addresses, we’ll need to run the following command.

Note: IPs on the Replication NIC’s subnet do not get added to DatabaseAvailabilityGroupIPAddresses. Only MAPI NIC subnets get added.

Keep in mind, when adding additional IPs in the future, it is important that you include all existing DAG IPs. The Set-DatabaseAvailabilityGroup -DatabaseAvailabilityGroupIPAddresses property is not additive: the list you pass replaces the list that is already there.
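One way to handle the non-additive property safely, as an added example that is not part of the original post: read the DAG IPs already configured, merge in the new one, and pass the full list back. It also goes slightly beyond the text by checking that the new DAG IP sits in the same subnet as the site's MAPI NIC. The DAG name `DAG1`, the /24 prefix length, and the helper names `Test-SameSubnet` and `Merge-DagIpList` are assumptions; the IP addresses are the ones used in this article.

```powershell
# Added example. Run from the Exchange Management Shell on Exchange 2010.
# Assumptions: DAG name 'DAG1', /24 MAPI subnets, hypothetical helper names.

function Test-SameSubnet {
    # True when both IPv4 addresses share the first $PrefixLength bits.
    param(
        [System.Net.IPAddress]$Address,
        [System.Net.IPAddress]$Reference,
        [ValidateRange(0, 32)][int]$PrefixLength
    )
    $x = $Address.GetAddressBytes()
    $y = $Reference.GetAddressBytes()
    $bits = $PrefixLength
    for ($i = 0; $i -lt 4; $i++) {
        $take = [Math]::Min(8, [Math]::Max(0, $bits))
        $mask = [int](256 - [Math]::Pow(2, 8 - $take))   # 8 bits -> 255, 0 bits -> 0
        if (($x[$i] -band $mask) -ne ($y[$i] -band $mask)) { return $false }
        $bits -= 8
    }
    return $true
}

function Merge-DagIpList {
    # Returns existing + new addresses, de-duplicated, IPv4 only.
    param($Existing, [Parameter(Mandatory = $true)]$ToAdd)
    $merged = New-Object 'System.Collections.Generic.List[System.Net.IPAddress]'
    foreach ($item in @($Existing) + @($ToAdd)) {
        if ($null -eq $item) { continue }            # DAG had no static IPs yet
        $ip = [System.Net.IPAddress]$item
        if ($ip.AddressFamily -ne 'InterNetwork') { throw "Not an IPv4 address: $ip" }
        if (-not $merged.Contains($ip)) { $merged.Add($ip) }
    }
    return ,$merged.ToArray()
}

$dagName  = 'DAG1'                                   # assumed DAG name
$newDagIp = [System.Net.IPAddress]'172.16.24.120'    # DR Site DAG IP from the article
$mapiIp   = [System.Net.IPAddress]'172.16.24.200'    # DR Site MAPI NIC IP from the article

if (-not (Test-SameSubnet -Address $newDagIp -Reference $mapiIp -PrefixLength 24)) {
    throw "$newDagIp is not in the same subnet as MAPI NIC $mapiIp"
}

# Read what is configured now, merge, then write the complete list back.
$dag     = Get-DatabaseAvailabilityGroup -Identity $dagName
$newList = Merge-DagIpList -Existing $dag.DatabaseAvailabilityGroupIpv4Addresses -ToAdd $newDagIp
Set-DatabaseAvailabilityGroup -Identity $dagName -DatabaseAvailabilityGroupIpAddresses $newList

# Verify the result.
Get-DatabaseAvailabilityGroup -Identity $dagName |
    Format-List Name, DatabaseAvailabilityGroupIpv4Addresses
```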

To verify the DAG IPs were added successfully, let’s check out our DAG Properties.

In Exchange 2010 SP1, we have the ability to add our DAG IPs via the GUI. If we go to the DAG Properties, we now see we can manage our Witness Server and Alternate Witness Server.

This allows us to do our IP Address configuration right from the GUI instead of using Set-DatabaseAvailabilityGroup with the DatabaseAvailabilityGroupIPAddresses property and having to make sure all previous IP Addresses are included, since the property isn’t additive.

Cluster Resources

So, let’s take a look at what really happens to the cluster resources and what determines which DAG IP is active.  Let’s open the Failover Cluster Manager.  Start > Administrative Tools > Failover Cluster Manager.

After selecting our DAG, let’s take a look at the cluster resources.  We can see from here that we have two Network IP Resources.

But let’s take an even deeper look.

Select the DAG from within the Cluster Core Resources > Right-Click > Choose Properties.

Now let’s take a look at the Dependencies Tab.

As we can see, the two DAG IPs are set up with an OR dependency which means that the cluster can activate either DAG IP at any given time.  As we saw earlier, the 172.16.24.120 IP is the existing DAG IP that is online which means the DRSiteNode’s DAG IP is currently the online Network IP resource.

Let’s run a cluster command so we can fail over the default “Cluster Group” from one cluster node to another.

We now see the PrimarySiteNode is the node that has the “Cluster Group.”  Let’s go ahead and take a look at the Cluster Resources again and see which Network IP Resource is online.

Looks like the PrimarySiteNode’s DAG IP is now Online instead of the DRSiteNode’s DAG IP.  This means that the Network IP Resource that is online depends on which DAG Node has the “Cluster Group.”  If you recall from my previous articles, the DAG Node that has the “Cluster Group” is the DAG Node that acts as the Primary Active Manager.  The Primary Active Manager is the DAG Node responsible for choosing what databases get activated in a failover.  For more information on Active Manager, click here.
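The checks walked through in this section, as an added example that is not part of the original post: it uses the FailoverClusters PowerShell module that ships with Windows Server 2008 R2 instead of cluster.exe and the Failover Cluster Manager GUI. The helper name `Get-DagIpResourceState` is hypothetical; `PrimarySiteNode` is the node name used in this article.

```powershell
# Added example. Run on a DAG member; the last command needs the
# Exchange Management Shell. Helper name is hypothetical.
Import-Module FailoverClusters

function Get-DagIpResourceState {
    # One row per IP Address resource in the core "Cluster Group".
    Get-ClusterResource |
        Where-Object { $_.ResourceType.Name -eq 'IP Address' -and
                       $_.OwnerGroup.Name   -eq 'Cluster Group' } |
        ForEach-Object {
            $address = ($_ | Get-ClusterParameter -Name Address).Value
            New-Object PSObject -Property @{
                Resource  = $_.Name
                Address   = $address
                State     = $_.State
                OwnerNode = $_.OwnerNode.Name
            }
        }
}

# Which node owns the core group, and which DAG IP is online right now?
$core = Get-ClusterGroup -Name 'Cluster Group'
"Cluster Group owner: $($core.OwnerNode)"
Get-DagIpResourceState | Format-Table Resource, Address, State, OwnerNode -AutoSize

# The OR dependency between the DAG IPs on the cluster's Network Name resource.
Get-ClusterResource |
    Where-Object { $_.ResourceType.Name -eq 'Network Name' -and
                   $_.OwnerGroup.Name   -eq 'Cluster Group' } |
    Get-ClusterResourceDependency |
    Format-List Resource, DependencyExpression

# Move the core group to the other site and look again: the IP resource
# in that node's subnet should now be the one that is Online.
Move-ClusterGroup -Name 'Cluster Group' -Node 'PrimarySiteNode' | Out-Null
Get-DagIpResourceState | Format-Table Resource, Address, State, OwnerNode -AutoSize

# Exchange's view: the owner of "Cluster Group" is the Primary Active Manager.
Get-DatabaseAvailabilityGroup -Status | Format-List Name, PrimaryActiveManager
```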


Comments

  1. DrBCG says

    March 31, 2015 at 9:58 am

    What about the DAG's DNS name? Should I add a record to point the DNS name to DR IP address?

    • Elan Shudnow says

      May 13, 2015 at 7:27 am

      You don't have to do this. The Clustering Service will take care of all this during the DAG creation process or the failover process.

      • Steven says

        May 13, 2015 at 7:38 am

        True dynamic DNS will take care of it. I think the only exception is if you've configured static DNS records. There were some issues with W2k8 dropping DNS records so there are cases where people elected to go static. Those issues were hot-fixed at some point.

  2. Singh says

    December 9, 2014 at 9:51 am

    Hi Elan,

    We have a DAG environment with 4 DAG members in site A and 4 DAG members in site B. We had only a single IP address assigned to the DAG, which lives in the Site A subnet. Now, as per the article above, we have assigned an additional IP to the DAG, which lives in the subnet of Site B.

    Now the additional IP is only visible in EMC under DAG properties on the IP address tab.
    But it is not visible in Failover Cluster Manager; only the existing IP address is visible.

    Any idea what else can be done to fix this?

  3. Steven says

    November 30, 2014 at 10:51 am

    Elan,

    I know this is an old post, I'm sorry to bother you, but I have a quick question. I added a 3rd IP address to my DAG to facilitate moving of passive servers to a new data center. The Set-DatabaseAvailabilityGroup command worked without issue. I can see all the IP addresses in both EMS and EMC, but I don't see it in the Failover Cluster Manager.

    I'm not sure if maybe one of the nodes must come online in the other site, but was hoping you may have some input.

    Let me know. Thanks.

    Steven

  4. HGowda says

    October 2, 2013 at 2:48 am

    I have 4 questions.

    1. I ran the command as you mentioned (cluster group "cluster group" /move).
    In my environment it is not getting changed to PrimarySiteNode; instead it is choosing another node in the DR.

    2. I have three AD sites (single DAG). Do I have to provide three IPs from each production NIC for a DAG?

    3. Will they get registered in DNS (with the DAG name) automatically, or do I have to register them manually?

    4. I guess those IPs should respond to ICMP if I ping them from my network. (In my case they are not pinging.)

  5. Rick says

    July 9, 2013 at 8:32 am

    Great Article Elan,
    One question for you, as I am currently setting up this scenario with Exchange 2010 SP1: 2 mailbox servers in subnet A, 2 hub/cas servers in subnet A and a 3rd mailbox server in subnet B. Subnet A is in one AD site and subnet B is in another AD site. Will the above still work in my situation? I just want a copy of the DBs off site; clients would still access the hub/cas servers in site A, which is hardware load balanced.

    Thanks in advance for your time and the fantastic article!.

    • Elan Shudnow says

      July 11, 2013 at 6:44 am

      Yes, this is the way it's supposed to work. The Mailbox Servers all would be in the same DAG but the offsite Mailbox Server for Site Resilience would be in another subnet which would be assigned another site. Then when you go through the DR procedures and you need to take down the DAG in SiteA/SubnetA, you would specify the SiteA site when removing those DAG members. Then you switchover to that 3rd Mailbox Server.

  6. Ganesh says

    April 3, 2013 at 2:14 am

    Hi Elan,

    Nice Article..

    I have a query here. I have site A and site B and stretched DAG members. I don't want the database to automatically fail over to the site B server even if the site A server is down. I want only the DB & logs to be copied to the other site's server.

    Thanks

  7. Nate says

    March 30, 2013 at 12:05 pm

    Varun had an excellent question which has sadly remained unanswered. I am experiencing the exact same issue as Varun, and would like to know if there is anything that can be done about it.

    Any response at all would be greatly appreciated.

    Thanks,
    Nate

    • Elan Shudnow says

      March 31, 2013 at 9:01 am

      I responded to Varun. Hope that information helps.

  8. Varun says

    January 11, 2013 at 11:56 pm

    Hi, we have a similar setup to the one shown above in the diagram. We have a problem: whenever the network links to DR are unstable, the entire cluster is unstable and all Exchange DBs are getting dismounted and mounted. Is there any way we can configure all servers in production within the cluster so that DR is used only for replication?

    • Elan Shudnow says

      March 31, 2013 at 9:01 am

      There can only ever be 1 MAPI Network. The DAG chooses the NICs that are configured to register in DNS and have a valid DNS record. All the replication NICs need to have DNS registration disabled. If multiple NICs are registering in DNS, that can potentially cause the DAG to have some issues.

      For proper NIC/Network configuration, see the following link: http://technet.microsoft.com/en-us/library/dd6381…

  9. Adrian says

    October 8, 2012 at 2:06 am

    Hi James, we use arcserve r16 and when backing up the DAG it's best to use the DAG DNS name although you can use IP addresses or HOSTS file when backing up pre-prod DAG via a production backup server.

  10. James says

    October 4, 2012 at 1:42 pm

    Hi Elan

    I think I have this almost figured out. I just have two questions. I have 2 mailbox servers in subnet A and both are members of DAG1. I am adding a 3rd mailbox server in subnet B. Do I add the DAG IP address for subnet B then add the third server to the DAG? Or add the server to the DAG and then add the subnet B address to the DAG? Second question, do I add the subnet B DAG IP to DNS? We use Netbackup which does query DNS for the DAG IP address.

    • Elan Shudnow says

      October 6, 2012 at 6:46 am

      Add the DAGIP beforehand. You do not need to manage DNS manually for your DAG. When the DR Server becomes the Primary Active Manager (Default Cluster Group is on DR DAG Server), DNS is updated to point to that Cluster IP. But, clients don't connect to that Cluster IP like they did in Exchange 2007. They connect to the CAS Server's RPC Client Access FQDN which then makes the appropriate MBX connections.

      • Rusty Shackleford says

        July 17, 2013 at 12:44 pm

        If the DAG is running from production site then the DAG Name IP address will be registered in DNS (such as 10.201.17.236). However, the disaster recovery site DAG IP (10.15.5.90) will not be registered in DNS. However, how do I prevent other hosts (and administrators) from using the IP address I entered in the DAG properties for the disaster recovery site (10.15.5.90)? Thank you kindly.

        • Elan Shudnow says

          July 19, 2013 at 7:08 am

          A DAG still creates a Network Name and Network IP Resource in the cluster. If a cluster fails over, DNS is updated and the DAG Cluster IP for the second site is brought online.

          • Rusty Shackleford says

            July 19, 2013 at 12:16 pm

            Currently, if I ping our DAG (DAG01.domain.net), I will get a reply and host name, such as….
            Pinging dag01.domain.net [10.201.17.236] with 32 bytes of data:
            Reply from 10.201.17.236: bytes=32 time<1ms TTL=128

            However, if I ping the secondary site DAG IP address it does not reply and does not provide a hostname, such as…..
            C:Users…..>ping -a 10.15.5.90

            Pinging 10.15.5.90 with 32 bytes of data:
            Request timed out.

            I certainly understand that the ping to the second IP address would not reply but I am concerned that no hostname is provided either. If another administrator is building an unrelated server in that subnet they could grab 10.15.5.90 and assign it to their server. The other administrator would not think anything of it because there is no name or ping reply associated with it. All is well until I fail over the DAG.

            Any suggestions how to prevent someone or something else from grabbing the secondary site IP address when the DAG is hosted in the primary site?

            As always, thank you for sharing your knowledge with us.

  11. JazManUni says

    September 24, 2012 at 8:22 am

    Hi Elan,
    If I have a small site of 2000 users, and I want to have 2 cas/hub servers in 1 cas array and 2 additional mailbox servers in a DAG, can I put the FSW on one of the CAS/HT servers?
    Is there an issue putting the FSW on a cas array member?
    Alternatively, if I create a third mailbox server instead, will this be overkill for 2000 users?
    Thanks for your help

    • Elan Shudnow says

      September 26, 2012 at 9:55 pm

      Sure, you can have a FSW on a HUB/CAS. In fact, if you don't manually designate a specific server/share for the FSW, a HUB Server in the same site will automatically be chosen to put the FSW on that HUB in C:\. If you had a separate HUB Server and a separate CAS Server, you could also choose to put it on a CAS.

      I would honestly be reluctant to tell you adding a third server would be overkill. It depends on your business requirements in regards to data retention, high availability, DR, etc… But in simple fashion, a single server can easily handle 2000 users if you spec it to have the necessary cpu, memory, and disk requirements.

      And by the way, I would opt to deploy multi-role servers with a hardware load balancer. I'm not a fan of separation of roles. Neither is Microsoft.

  12. prakash says

    August 7, 2012 at 5:55 am

    Hi Elan

    Myself Prakash. I am facing a problem: in OWA I am unable to delete, move, or search the mail, but in Outlook it was fine.
    We are running Windows 2008 R2 with Exchange 2010 SP1 updated with Rollup 1, but from that day onwards I am facing these problems.

  13. Adrian says

    July 26, 2012 at 3:57 pm

    Thanks Elan, here is my setup with single DAG IP set statically. Will I need to set multiple DAG IP Addresses?

    server1 at site A IP address: 172.29.0.98/23 and GW 172.29.0.1
    server 2 at site A IP Address 172.29.0.99/23 and GW 172.29.0.1
    server 3 at site B IP Address 172.29.8.47/23 and GW 172.29.8.1

    • Elan Shudnow says

      July 26, 2012 at 4:37 pm

      Site B is a different network. Therefore, you need one DAG IP in the subnet located at Site A and another DAG IP in the subnet located at Site B. The way it's set up right now is potentially incorrect. The reason I say potentially is the same as the reason I gave in my previous comment to you.

  14. Adrian says

    July 25, 2012 at 5:24 pm

    So if I have a three node DAG across two subnets and I have NOT configured multiple DAG IP's is my configuration incorrect?

    • Elan Shudnow says

      July 25, 2012 at 9:08 pm

      Not necessarily. If no IP Addresses are entered, it will use DHCP to obtain a cluster IP for each segment just as long as DHCP is available on the same subnet that hosts the MAPI IPs. Many environments don't have DHCP on the subnets. Since your DAG is working, it sounds like DHCP is available. But while it may be available for the MAPI Network that is hosted in one site, it may still not be available in the other site that hosts that MAPI Network.

      I typically assign static IPs.

  15. Sean O'Farrell says

    March 1, 2012 at 5:05 am

    Super post. Thanks.

  16. Luis Chavez says

    January 26, 2012 at 12:11 pm

    Thanks Elan, Excellent Article really this is helpful document.

  17. Mohamed says

    January 18, 2012 at 2:19 am

    So Elan, I'm starting to get confused. Let me tell you what I have:

    DC1

    Domain 2008

    CAS Array 2010 using WNLB.

    HUB on 2 servers using Fail-over.

    Dag01
    DC1 already has a certificate installed on it. After reading the information, I think I will need to buy a new SAN certificate holding the primary and secondary site names and also auto discovery.

    The second DC2
    I think I will do the following to apply an Active/Passive scenario with the same name:

    Install an additional A.D. in the second data center.
    Add a database copy from the primary data center to the second data center ……. here now
    I will run this command

    Set-DatabaseAvailabilityGroup -DatabaseAvailabilityGroupIPAddresses [ Primary Dag IP only !!!!! ]

    That is what I think: only one DAG with one witness share …… that is what I understand from you.

    So what do I do next?

    Thank you

    Mohamed,

  18. MOahmed says

    January 16, 2012 at 5:31 am

    Now I have a previous DAG. Should I create a new DAG for the DR or branch site, or add the DR site mailbox to the primary site DAG?

    Thank You

    Regards
    Mohamed

    • Elan Shudnow says

      January 16, 2012 at 8:20 am

      Without knowing much about your business requirements and what the conceptual design is, it's hard to be definitive. But typically, if you have a Primary Site and a Failover Site you would use the same DAG for both locations so you can replicate databases from Server in Primary Site to Server in Failover Site.

      • Mohamed says

        January 18, 2012 at 2:00 am

        Thank you very Much Elan

  19. Ian Salgado says

    August 16, 2011 at 12:45 am

    Hi Elan,

    Thank You for your quick response.

    On the MAPI NIC – Obviously traffic between the different MAPI connections needs to be open, right? So that mail flow can occur.

    On the REPLICATION NIC –

    1. Does this network segment need to be SEPARATE FROM the MAPI NIC segment? i.e.: MAPI-NIC=192.168.1.xxx & REP-NIC=192.168.2.xxx
    2. Again, will all traffic between DAG members on these REP-NICs need to be open?

    Thank You

    Regards

    Ian

  20. Ian Salgado says

    August 14, 2011 at 2:03 am

    Hi, I refer you to your diagram above

    Are the 2 Nic for MAPI & Replication 2 different physical NIC’s?

    Cheers

    Ian

    • Elan Shudnow says

      August 15, 2011 at 6:48 am

      Ian, they are two different physical NICs. One Physical NIC for the MAPI Network and a separate Physical NIC for the Replication NIC.

  21. Guest says

    July 18, 2011 at 2:09 am

    Nice, this is a real good article and saved lot of my time…Excellent work.

  22. admin2010 says

    July 9, 2011 at 5:47 am

    Thanks for the article. I would like to know whether the MAPI NIC IP belongs to the LAN network and the Replication NIC belongs to the heartbeat? Should the file sharing option be enabled on the heartbeat connection or not?

    • Elan Shudnow says

      August 5, 2011 at 6:35 pm

      Well in Exchange 2010 both NICs do heartbeating. In fact, the Exchange 2010 documentation wants you to ACL the network so MAPI NIC on Node A cannot talk to MAPI NIC on Node B to prevent any heartbeat crosstalk. Here is a good article on NIC configuration: http://www.howexchangeworks.com/2010/05/network-a…

  23. Tariq.Muhammad says

    June 3, 2011 at 2:03 am

    Nice posting…… this is a helpful document……. Thanks.

  24. Johnson says

    November 10, 2010 at 6:42 am

    I was searching for this document. Thanks a lot for the explanation.

  25. Chris Lehr says

    October 1, 2010 at 7:49 am

    Good article. The cluster.exe command needs to be documented more. However, your article starts with a MAPI and a DAG network, and then your DAG networks only cover/address one of the networks you started the article with.

