HA and Site resiliency


  • Hello All,

               I need to confirm a design along with failover, failback and site resiliency scenarios:



    There are a total of two sites: one is primary and the other is secondary (DR).  Primary site holds two HUB AND CAS combined with NLB, two Mailbox Servers in a DAG that have active and passive copies of each other.  Secondary site holds one combined HUB and CAS and a single Mailbox Server part of the same DAG that has passive copies of all the databases in primary site.



    same certificate is installed on all three servers (two primary and one secondary) with SAN Name, and



    It is in Active Passive Model where all active databases (and their one passive copy) are in Primary site and passive database copies in secondary site.  File Share Witness would be in primary site.  Alternate Fileshare witness can be created on secondary site while doing site failover.


    1-  If in Primary Site, Mailbox Server 1 goes down, would the Mailbox Server 2 in the same site activate the passive copies automatically and continue to provide service?

    2-  If in Primary Site, Mailbox Server 2 goes down, would the Mailbox Server 1 in the same site activate the passive copies automatically and continue to provide service?

    3-  If in Primary Site, both Mailbox Server 1 and Mailbox Server 2 go down, would the Mailbox Server 3 in the secondary site activate the passive copies automatically and continue to provide service for both primary and secondary site clients?

    4-  If the link between primary and secondary site goes down, would Mailbox Server 1 and 2 continue to provide service?

    5-  In such a scenario, is it possible to achieve automatic site failover to secondary site?

    6-  If not, would creating an alternative share witness on secondary site and activating passive copies and asking user to use for owa do the trick or would something else be required?

    7-  Am I placing the file share witness correctly?

    8-  Should I also create alternative file share witness in advance?

  • Hi,

    1.) If you block the databases in the DR site from automatically being activated then yes:

    Suspend-MailboxDatabaseCopy -Identity <DatabaseID>\<ServerID> -ActivationOnly

    2.) Same answer as 1

    3.) No - you would lose quorum and therefore no databases would be able to mount without manual intervention

    4.) Yes - you still have quorum because of the file share witness

    5.) No

    6.) This should help

    7.) Yes

    8.) Not necessary


    1. Agree with Leif, for points 1 & 2, the default is not to block so it should be an automatic failover.
    2. You have clearly mentioned if you have 2 AD sites or a spanned AD site which can make a difference, e.g. you will have to update the RPCClientAccess value if you have 2 AD sites each with its own CAS Array.


  • Thanks for the replies.  Little clarification:  Both are different Active Directory Sites.

    1-  So, I have to run the above command at DR Site in order to fulfill my requirement?

    2-  So, I have to run the above command at DR Site in order to fulfill my requirement?

    3-  What manual intervention would be required?  Can you please list the steps.  Thanks.

    4-  Thanks for the answer.

    5-  Thanks for the answer.

    6-  I have gone through the article, but I could not get around it.  I understand that DAC needs to be enabled at DR Site, but what exact steps are required in case of site failure.  If you can list the steps, that would be great.  Thanks.

    7-  Thanks for the answer.

    8-  Thanks for the answer.

    1. 1 & 2, if your requirement is to have these DBs mount automatically (DB/Server failure) then don't prevent them from mounting.
    2. For 3&6 see digest this -


  • Hi,

    The reason that I suggested you disable the databases on the DR from automatic activation was that you asked if server1 would take over from server 2 and the other way round. You can only be sure of this if you disable the databases on the DR server from activation - otherwise the failover might occur to this site.

    See this to understand how database failover occurs.


  • Thanks for the replies, but it has left me a little confused.

    1 and 2 - Actually, I will be keeping two active databases on each of the servers in Primary Site, that is, two active databases on server1 and two active databases on server2.  Both servers would also have passive copies of each other as well, i.e. server1 would have passive copies of two databases on server2 and server2 will have passive copies of two databases on server1.  For the DR Site, the only server there would hold all the four passive copies (2 of server1 and 2 of server2).  My goal is to achieve HA on Primary Site and Site Failover to Secondary (DR) Site in case servers are not available on Primary Site.  Essentially, when server1 goes down server2 should be available, when server2 goes down server1 should be available, when both go down, the server3 on the DR Site should be available and all the process should be automated.  I hope this clarifies it.  So, please do suggest.

    3 and 6 - I am reading on it and will update you guys if I have any confusion.

    Thanks in advance.

  • 1 & 2, that is what will happen, it will fail over.


  • Hi,

    There is no automated process to fail over to the DR site if you lose your 2 primary servers. The DAG will lose quorum (and therefore all databases will be dismounted) and you will need to perform a manual procedure.

    Configure DAC and perform the switch-over as described here:


  • Thanks for the replies.  It has left me a little confused.

    @Sukh828 you are saying that it will automate, but @Leif is saying that it cannot be, so I will rephrase my question again for clarity:

    1-  In a three-3 server scenario (two-2 at primary site and one-1 at secondary site) part of the same stretched active passive DAG, is it possible to automate Datacenter Failover from Primary Site to Secondary Site?

    2-  In this scenario, is DAC necessary for me to configure on the Secondary Site?  I plan to have passive copies there that too with lower precedence?

    Thanks in advance.

  • 1. "Sites": now if you are talking AD sites then no, it won't automatically fail over. If you just mean physical sites and you're using 1 AD site then it should.

    2. Enable DAC mode.


  • Thanks for the reply.

    1-  Yes they are AD Sites.

    2-  Why is DAC necessary in my scenario when I have precedence set?

  • What do you mean by "when I have precedence set"?

    Do you mean activation preference for the DB? If yes, you should still enable DAC mode. If the primary site fails, then you mount the DBs at the DR site; when the Primary site comes back up, you want to make sure that these DBs are not mounted automatically, as Primary will have quorum.

    This is where DAC mode will help prevent this, as the DAG node must communicate with all other nodes before mounting.  Otherwise you will have DBs mounted at primary and DR.


  • Thanks for the replies.

    Question 1


    With DAC disabled



    Site A


    MBX1 = Active DB = DB1

                Passive DB = DB2

    MBX2 = Active DB = DB2

                Passive DB = DB1

    Site B


    MBX3 = Passive DB = DB1

                Passive DB = DB2

    If DB1 fails, it will failover to MBX2 and if that fails, it will failover to MBX3

    If DB2 fails, it will failover to MBX1 and if that fails, it will failover to MBX3

    And all of this would be automated?

    Question 2


    What would be required to enable DAC on MBX3 or on Site B for that matter.  Any command that can be shared?

    Kindly, confirm.  Thanks in advance.

  • Hello all, any comments?
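
The DAC mode setting and the manual datacenter switchover discussed in this thread, as an added example that was not posted by any participant. All names (DAG1, SiteA, SiteB, MBX3, HUBCAS3, DB1, the witness path) are hypothetical stand-ins for the three-server layout described above.

```powershell
# Added example, run from the Exchange Management Shell.
# Hypothetical names: DAG1, SiteA (primary), SiteB (DR), MBX3, HUBCAS3, DB1.
$dag         = 'DAG1'
$primarySite = 'SiteA'
$drSite      = 'SiteB'

# --- In advance, while both sites are healthy ---
# DAC mode is a property of the whole DAG, not of one server or site.
Set-DatabaseAvailabilityGroup -Identity $dag -DatacenterActivationMode DagOnly

# Optional: record the alternate witness now so it is already known at failover time.
Set-DatabaseAvailabilityGroup -Identity $dag `
    -AlternateWitnessServer 'HUBCAS3' -AlternateWitnessDirectory 'C:\DAG1\FSW'

# --- Primary site lost: manual switchover, run in the DR site ---
# 1. Mark the primary members as stopped. -ConfigurationOnly writes the change
#    to Active Directory only, because the servers themselves are unreachable.
Stop-DatabaseAvailabilityGroup -Identity $dag -ActiveDirectorySite $primarySite -ConfigurationOnly

# 2. On the surviving DR member (MBX3), stop the Cluster service.
Stop-Service -Name ClusSvc

# 3. Shrink the cluster to the DR members and bring up the alternate witness.
Restore-DatabaseAvailabilityGroup -Identity $dag -ActiveDirectorySite $drSite `
    -AlternateWitnessServer 'HUBCAS3' -AlternateWitnessDirectory 'C:\DAG1\FSW'

# 4. If the DR copies were blocked with Suspend-MailboxDatabaseCopy -ActivationOnly,
#    lift the block, then activate and verify.
Resume-MailboxDatabaseCopy -Identity 'DB1\MBX3'
Move-ActiveMailboxDatabase -Identity 'DB1' -ActivateOnServer 'MBX3'
Get-MailboxDatabaseCopyStatus -Server 'MBX3'

# --- Failback, once the primary site and AD replication are healthy again ---
# With DAC mode on, the returning primary members do not mount databases on
# their own; they rejoin only when started explicitly.
Start-DatabaseAvailabilityGroup -Identity $dag -ActiveDirectorySite $primarySite

# Re-evaluate the quorum model and witness for the full membership.
Set-DatabaseAvailabilityGroup -Identity $dag
```

Client access is not covered by these commands: with two AD sites, name resolution and the databases' RPC Client Access setting mentioned earlier in the thread still have to be pointed at the DR site separately.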
