I was creating a test lab with Windows 2008 R2 as the base operating system and Exchange 2010, with a view to configure a DAG. I have explained the process of configuring a DAG in one of my previous articles.
While the DAG creation completed successfully, the completion wizard showed me a warning.
I wasn’t that bothered as the file share is not created until we add nodes to the DAG. I added the first node successfully. While adding the second node, the operation failed with the following error.
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:48
DAG02
Failed
Error:
There was a problem changing the quorum on cluster DAG1. File share witness '\\2010DC.HEW10.LOCAL\DAG1.HEW10.LOCAL' network name was not found. This may be due to a problem with firewall settings.
Warning:
Insufficient permissions to access file shares on witness server '2010DC.HEW10.LOCAL'. Until this problem is corrected, the database availability group may be more vulnerable to failures. You can use the Set-DatabaseAvailabilityGroup cmdlet to try the operation again. Error: Access is denied
Warning:
The operation wasn't successful because an error was encountered. You may find more details in log file "C:\ExchangeSetupLogs\DagTasks\dagtask_2009-12-12_22-51-11.198_add-databaseavailabiltygroupserver.log".
Exchange Management Shell command attempted:
Add-DatabaseAvailabilityGroupServer -Identity 'DAG1' -MailboxServer 'DAG02'
Elapsed Time: 00:00:48
The problem was that I gave the witness server to be my domain controller, a Windows 2008 R2 machine.
The solution is that “Exchange Trusted Subsystem” security group has to be added as a member of the local administrators group of the server. Since my witness server is a DC, I added the “Exchange Trusted Subsystem” group to the Administrators group in AD.
Once the group was added, I could add my second node to the DAG successfully.
If you provide another Exchange 2010 server as your witness server, everything works fine. If not, the “Exchange Trusted Subsystem” group has to be given local admin rights.
4 comments:
spot on, good post :)
Thanks Anonymous.
Had to do the same thing. Surprised there's not a Technet article by now, but this is exctly how this is done. I also received a similar error until I made the DC's computer account part of the Exchange Servers Security Group. Those two changes work like a chanp! Thanks for posting.
Good to know it helped you Todd. Thanks for the comment.
Post a Comment