Exchange File Share Witness

  • Question

  • Hi,

    We have Exchange 2013 deployed in, as an example, Data centre A and B already. The File share witness is in another Data centre C.

    We are now planning to expand Exchange in Data Centre D, which is behind a firewall. The Exchange servers in Data Centre A, B and D will be in a single Exchange organisation and obviously in the same AD forest. All the Exchange servers in Datacentre D will have any-any firewall connectivity with the Exchange servers in the A and B Data centres, as Exchange does not support putting a firewall between them.

    We want to put all Exchange servers in A, B and D in the same DAG as a Geo cluster.

    My question is: will there be any problem adding Exchange servers in Data centre D to the DAG while the file share witness server is in Data centre C? We will allow TCP 135, 139, 445 and UDP 137, 138 between the Exchange servers in Data centre D and the file share witness server in Data centre C. Will this cause any issue in normal Exchange operation in Data centre A, B and D? We have a plan to decommission Data centre A later, after a successful Exchange deployment in Data centre D.

    Please advise/help.

    Friday, December 6, 2019 1:02 PM

All replies

  • Hi,

    We have Exchange 2013 deployed in, as an example, Data centre A and B already. The File share witness is in another Data centre C.

    We are now planning to expand Exchange in Data Centre D, which is behind a firewall. The Exchange servers in Data Centre A, B and D will be in a single Exchange organisation and obviously in the same AD forest. All the Exchange servers in Datacentre D will have any-any firewall connectivity with the Exchange servers in the A and B Data centres, as Exchange does not support putting a firewall between them.

    We want to put all Exchange servers in A, B and D in the same DAG as a Geo cluster.

    My question is: will there be any problem adding Exchange servers in Data centre D to the DAG while the file share witness server is in Data centre C? We will allow TCP 135, 139, 445 and UDP 137, 138 between the Exchange servers in Data centre D and the file share witness server in Data centre C. Will this cause any issue in normal Exchange operation in Data centre A, B and D? We have a plan to decommission Data centre A later, after a successful Exchange deployment in Data centre D.

    Please advise/help.

    It's not supported to have firewalls between Exchange Servers unless you allow ALL ports. Having said that, if you add more servers in D to the existing DAG and they can correctly talk to the other servers and the File Share Witness, it won't disrupt anything.

    Friday, December 6, 2019 2:53 PM
    Moderator
  • Thanks Andy for this.

    Do we need to allow TCP 135, 139, 445 and UDP 137, 138 between the Exchange servers in Data centre D and the file share witness server in Data centre C? Is that enough, or do we have to put an Any-Any rule between the Exchange servers in Data centre D and the File share witness?

    I understand that an any-any rule needs to be put between Exchange servers.

    Please help.

    Friday, December 6, 2019 3:02 PM
  • Thanks Andy for this.

    Do we need to allow TCP 135, 139, 445 and UDP 137, 138 between the Exchange servers in Data centre D and the file share witness server in Data centre C? Is that enough, or do we have to put an Any-Any rule between the Exchange servers in Data centre D and the File share witness?

    I understand that an any-any rule needs to be put between Exchange servers.

    Please help.

    Yes ANY ANY between Exchange Servers

    https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Exchange-Firewalls-and-Support-8230-Oh-my/ba-p/595710

    The File Share Witness requires SMB. Each Exchange Server will need to be able to access the FSW. I recommend not blocking any; just allow all between all the DAG members and the FSW as well.

    Friday, December 6, 2019 7:37 PM
    Moderator
  • Hi Debmallya,

    As Andy mentioned, if the Windows Firewall is enabled on the intended witness server, you must enable the Windows Firewall exception for File and Printer Sharing.

    Additionally, the recommendation for deploying a single DAG across more than two datacenters is to locate the witness server in the datacenter where you want the majority of quorum votes to exist. For reference: DAG witness server and witness directory

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, December 9, 2019 6:20 AM
    Moderator
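
The replies above say the witness needs SMB reachable from every DAG member and the File and Printer Sharing exception enabled on the witness. The following check is an added example, not part of the original thread or Microsoft's guidance: it probes the TCP ports from the question from each DAG member to the witness and lists any disabled inbound File and Printer Sharing rules on the witness. `DAG01` is a placeholder DAG name; the script assumes PowerShell remoting to the DAG members and the witness, and a witness running Windows Server 2012 or later with English rule group names. UDP 137/138 are not probed.

```powershell
# Added example. Run from the Exchange Management Shell.
# 'DAG01' is a placeholder name, not a value from the thread.
$DagName  = 'DAG01'
$TcpPorts = 135, 139, 445   # TCP ports listed in the question; 445 is SMB

$dag     = Get-DatabaseAvailabilityGroup -Identity $DagName
$witness = "$($dag.WitnessServer)"
$members = $dag.Servers | ForEach-Object { $_.Name }

# The probe runs on each DAG member, so the path tested is member -> witness.
$probe = {
    param($Target, $Ports)
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $pending = $client.BeginConnect($Target, $port, $null, $null)
            # Wait up to 3 seconds; a refused or filtered port leaves Connected false.
            $open = $pending.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{
            Member = $env:COMPUTERNAME; Witness = $Target; Port = $port; Open = $open
        }
    }
}

$results = Invoke-Command -ComputerName $members -ScriptBlock $probe -ArgumentList $witness, $TcpPorts
$results | Sort-Object Member, Port | Format-Table Member, Witness, Port, Open -AutoSize

# SMB (TCP 445) is what the witness share needs; flag members that cannot reach it.
$blocked = $results | Where-Object { $_.Port -eq 445 -and -not $_.Open }
if ($blocked) {
    $names = ($blocked | ForEach-Object { $_.Member }) -join ', '
    Write-Warning "No SMB path to $witness from: $names"
}

# On the witness: list inbound File and Printer Sharing rules that are still disabled.
Invoke-Command -ComputerName $witness -ScriptBlock {
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -ne 'True' } |
        Select-Object DisplayName, Profile
    # To enable the exception: Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
}
```
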
  • Just checking in to see if the above information was helpful. If you have any questions or need further help on this issue, please feel free to post back.

    Regards,

    Lydia Zhou


    Thursday, December 12, 2019 9:45 AM
    Moderator
  • Here is a brief summary of the replies above.

    Request:

    We have Exchange 2013 deployed in, as an example, Data centre A and B already. The File share witness is in another Data centre C.

    We want to put all Exchange servers in A, B and D in the same DAG as a Geo cluster.

    My question is: will there be any problem adding Exchange servers in Data centre D to the DAG while the file share witness server is in Data centre C? We will allow TCP 135, 139, 445 and UDP 137, 138 between the Exchange servers in Data centre D and the file share witness server in Data centre C. Will this cause any issue in normal Exchange operation in Data centre A, B and D? We have a plan to decommission Data centre A later, after a successful Exchange deployment in Data centre D.

    Suggestions:

    If the Windows Firewall is enabled on the intended witness server, you must enable the Windows Firewall exception for File and Printer Sharing. Each Exchange Server will need to be able to access the FSW.

    Additionally, the recommendation for deploying a single DAG across more than two datacenters is to locate the witness server in the datacenter where you want the majority of quorum votes to exist.

    References:

    DAG witness server and witness directory

    Regards,

    Lydia Zhou


    Wednesday, December 18, 2019 9:46 AM
    Moderator