Wednesday, February 22, 2012 9:20 PM
I work at a campus that has a second datacenter in another building. We would like to install a CAS server, HT server and an MB server there for high availability in case the primary data center goes offline. I have a 4 node DAG, with one node holding all the passive copies. The witness server is running on a HT server in the primary data center. The plan was to take the node with the passive copies and put it in the second data center. Then if we have an outage, this node would make all of it's databases active.
I have been reading up on this and now I am not sure this will work because I won't have a quorum in the primary data center goes down. Am I right in thinking that with a 4 node cluster that I will need 3 votes in order to have an automatic failover? And if so, any suggestions on how to achieve automatic failover to the second data center in the case of an outage?
Thank you for your help.
Thursday, February 23, 2012 12:35 AM
You will need 3 voters.
For the 2nd building, you will have to force DB online or I would have 2 nodes in each building. If building 1 goes down, then you can configure an Alternate FSW at building 2.
Thursday, February 23, 2012 1:33 AM
Note that you are describing site resiliency, i.e. having multiple locations to serve mail. High availability is what happens inside a site.
Exchange expects site activations to be a manual process, as it needs a human to evaluate the situation and to make the decision to activate DR or not. If the WAN is down for only 15 minutes more should we pull the trigger on an activation... probably not.
Depending if you have DAC (datacentre activation coordination) enabled or not will determine how you restore service to the DR site.
May be of use:
Datacenter Switchovers http://technet.microsoft.com/en-us/library/dd351049.aspx
Thursday, February 23, 2012 2:20 PM
Thanks for the info. So for a 4 node DAG we need 3 votes for automatic failover. That is what I was afraid of. The 3 nodes with all the active databases are all on blade servers. The 4th node with the passive copies is on it's on server, which I can move to the other data center. The reason we went with an active/passive design like this is so that we can run backups off of the passive node without impacting clients, and also we were hoping to move it to out second data center to give us some level of DR.
I was hoping this setup could give us HA as well as DR. But the more I thought about this yesterday, the more I started thinking about what you said Rhoderick. Is this a disaster? Do we want to fail over to the other site? That is a managers decision and should not be an automatic process.
It is just that these two buildings are right down the road from each other with a 10GB connection between them. If I lose power in the primary builiding, there is no reason why users should not still be able to get to their mail, if I can fail over to the secondary site. It is the majority votes that are killing this.
Sukh mentioned 2 nodes in each building and an alternate FSW. Would that give me automatic failover or would that also require a manual site switchover?
Anyway that you can think of that I can achieve an automatic failover solution between the two buildings?
Thursday, February 23, 2012 2:27 PMIf you have 2 in each building and configure an Alternate FSW, then there wouuld be 3 votes in the 2nd building, databases can then mount.
Thursday, February 23, 2012 2:50 PM
That would be great. I might be able to do that. I will look into the alternate FSW some more. Thank you for your help!
Friday, February 24, 2012 1:05 PM
Hi Kevin - just in closing the Alternate FSW is only used when you are performing the site recovery. It will not allow the databases to automatically mount in the second site, you will need to recover Exchange into the second site which is when the Alternate FSW is invoked.
I mention this as there is a lot of confusion over AFSW, and just because it is set on the DAG properties does not mean that it is actually being used :)
Friday, February 24, 2012 1:48 PM
yes, just to clarify on that, databases can mount cleanly without forcing them to using the AFSW, it will still require administrative effort to do this.
Having the AFSW is just a planned prep for site failover.