Exchange 2010 site resiliency design question

  • Question

  • I'm working on DR for our Exchange 2010 setup and after reading up on DAGs and HA am looking for some reassurance that my thoughts are valid.

     

    We have one domain and two sites at two different physical locations connected by a 50MB EPL.  We want all active mailboxes/databases to be at site A, while site B is purely for a DR situation.  Everything is in VMWare on a SAN (one at each location).

     

    Site A currently has 1 CAS/HT server and 1 MBX server.

     

    Site B I'm preparing to build out now.  I am thinking I can build 1 server with all 3 roles, CAS/HT/MBX(passives).

     

    In a disaster, everything in the company would be brought to site B, including public DNS.  I'm mainly concerned with the mailbox data itself being available quickly in this situation.  So if site A blows up, we make the server at site B active and change our OWA/activesync/RPC/autodiscover/MX to look at siteB.

     

    Another wrinkle is the consideration to add a second MBX server at site A, have the active and passive databases split between the two at site A, and a second copy of all passives at the single Site B server.  (I understand if I only have 2 DAG members I would also need to add a FSW.)  Like most companies, we're trying to have a solid DR plan while spending as little as possible.

     

    Hopefully this is coherent enough.  Is this sound enough or am I missing something rather obvious?  

    Thanks in advance for any advice.

    Jason

    Wednesday, February 16, 2011 9:49 PM

Answers

  • For site resilience your setup works just fine, but you will have no redundancy in site A or site B. I think there will be more times when you can use another server in site A than having site resilience to site B. But I don't think you will need redundancy in site B since that site is for disaster only and I'm guessing that the plan is to restore functionality to site A again? So in short you should consider the following:

    Site A
    Load Balancer
    Server 1 - HUB,CAS,Mailbox
    Server 2 - HUB,CAS,Mailbox

    Site B
    Server 3 - HUB,CAS,Mailbox


    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
    • Proposed as answer by Alan.Gim Wednesday, February 23, 2011 8:10 AM
    • Marked as answer by jasvic Wednesday, February 23, 2011 1:38 PM
    Friday, February 18, 2011 8:07 AM

All replies

  • I think you are on the right track. Even if there are more advantages with having a three member DAG, such as the reduced need of backup, you will be just fine with a two member DAG and a FSW. But there are some things to consider when planning a DAG that extends over multiple sites.

    Have you read the following article on TechNet? http://technet.microsoft.com/en-us/library/dd638104.aspx#PDS If not, that is a good place to start. Pay special attention to the section about Planning for Datacenter Switchovers. I hope this clears things up a bit, and just let us know if you have any more thoughts or questions.


    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
    Thursday, February 17, 2011 9:31 AM
  • Thanks for responding.  I have read that, among other articles.  I know several things I've read make reference to using a load balancer for the CAS/HT servers in both locations, but in our case I feel like that's not necessary.  We have an ISA server front ending all connections, and holding the public certs, and the DR plan is to bring that up at site B along with everything else, it would just need to point to the failover server.  We also have acceptable downtimes for maintenance, like patching the servers.  I only want site B to activate in the .0001% chance of a true disaster.  Also am ok with manually switching to the 2nd site as opposed to an automatic failover.  In fact, I'd prefer it.

    Basically, I'm being insecure and looking for reassurance that what I'm planning is sound.  Mainly combining all roles on the failover box and a copy of all passive databases there as well.  Essentially making it a cold spare needing manual intervention to make it hot.

    Thanks,

    Jason

    Thursday, February 17, 2011 7:32 PM
  • You will be able to switch over to site B; however, at site B you do not have high availability, everything is on one box. I would consider one more server with all three roles installed behind a load balancer to avoid a single point of failure in site B.

    You can always deploy high availability incrementally. You might need to do this in case site A is not recoverable for a long time or not recoverable at all.

     


    Dhruv
    Friday, February 18, 2011 5:25 AM
  • What you are planning is essentially right. Remember your alternative file share witness, which should be located in Site B. With 2 servers and a file share witness in Site A, when and if you lose Site A your Exchange in Site B will never get majority, and the original nodes from Site A will need removing from the DAG via PowerShell to get the single node to have majority over the DAG.

    I tested this exact failover in a training env and after evicting the nodes from the primary site the secondary site was granted majority in the DAG and brought the databases online.

    This would give you a warm standby scenario.

     

    Monday, February 21, 2011 2:02 PM
  • When the link to site A is lost and site B has no witness server or alternative witness server, can the site B server be manually forced to become active?

     

    Thanks,

    Shuja Najmee



    Sunday, February 5, 2012 4:15 AM
  • Yes, the databases on the server in site B can be forced online and active.
    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
    Monday, February 6, 2012 10:07 PM
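
The manual switchover to site B discussed in this thread, sketched as an added example (it is not from any of the posters). The names DAG1, SiteA, SiteB, EXB1, WITNESS-B and the witness directory are assumptions; the cmdlets are the Exchange 2010 Management Shell's own, and the steps assume site A is completely unreachable.

```powershell
# Added example. Assumed names: DAG 'DAG1', AD sites 'SiteA' / 'SiteB',
# surviving DAG member 'EXB1', alternate witness host 'WITNESS-B'
# (must not be a DAG member). Run from the Exchange Management Shell in site B.
$dag      = 'DAG1'
$survivor = 'EXB1'

# --- Before any disaster -------------------------------------------------
# DAC mode keeps the site A members from mounting databases on their own
# when they come back, which is what prevents split brain after a switchover.
Set-DatabaseAvailabilityGroup -Identity $dag -DatacenterActivationMode DagOnly

# --- Site A is lost ------------------------------------------------------
# 1. Mark every site A member as stopped. -ConfigurationOnly writes the
#    change to Active Directory only, because the servers cannot be reached.
Stop-DatabaseAvailabilityGroup -Identity $dag -ActiveDirectorySite 'SiteA' `
    -ConfigurationOnly

# 2. Stop the cluster service on each surviving member (run locally on EXB1).
Stop-Service -Name ClusSvc

# 3. Restore the DAG in site B. This evicts the stopped members from the
#    cluster and resets the quorum model. The alternate witness is only used
#    when the number of surviving members is even; a single survivor ends up
#    with node majority on its own.
Restore-DatabaseAvailabilityGroup -Identity $dag -ActiveDirectorySite 'SiteB' `
    -AlternateWitnessServer 'WITNESS-B' -AlternateWitnessDirectory 'C:\DAG1-AFSW'

# 4. Check copy health, then activate anything that did not mount by itself.
$copies = Get-MailboxDatabaseCopyStatus -Server $survivor
$copies | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize

$copies | Where-Object { $_.Status -ne 'Mounted' } | ForEach-Object {
    # A non-zero CopyQueueLength means logs never arrived from site A;
    # review it before activating, since those transactions are lost.
    Move-ActiveMailboxDatabase -Identity $_.DatabaseName `
        -ActivateOnServer $survivor -Confirm:$false
}

# --- When site A returns -------------------------------------------------
# Rejoin the site A members to the DAG before moving databases back:
# Start-DatabaseAvailabilityGroup -Identity $dag -ActiveDirectorySite 'SiteA'
```

Client access, transport and DNS changes (OWA, ActiveSync, Autodiscover, MX) are separate steps and are not covered by this sketch.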