When creating a new Database Availability Group, there was a bit of rude shock when the installation failed. This customer had deployed multiple Exchange 2010 DAGs over the lifespan of the product, yet their latest build ran into an issue. They were able to create the DAG, but when adding the first mailbox server to the DAG, the operation failed.
This was not due to an underlying issue where the Windows edition was missing the failover cluster feature. The OS was Windows Server 2012 Standard edition. In Windows 2012 Standard has the necessary components, and thus is not an Issue. Exchange 2010 SP3 RU10 was installed onto the server which was the latest available build of Exchange 2010 when the issue occurred.
Let’s reproduce the issue using the Tailspintoys lab. The same version of Windows and Exchange was deployed.
Creating New DAG
Exchange 2010 SP3 RU10 was installed onto Windows 2012 Standard edition. All Windows updates were installed. The DAG was created using New-DatabaseAvailabilityGroup. This cmdlet completed successfully.
The results are shown below.
Note that the DAG is empty at this point since, it is essentially a placeholder object in AD DS.
Adding First Mailbox Server Into DAG
Since it is the act of adding the first mailbox server to the DAG that really kicks the tyres and forms the underlying cluster, it is not totally unexpected that this is the stage where issues are observed.
When adding the first mailbox server to the DAG, an error stating that “you must provide a value for this property” was returned. The full error text is below:
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer Tail-CA-Exch-2
You must provide a value for this property.
+ CategoryInfo : NotSpecified: (0:Int32) [Add-DatabaseAvailabilityGroupServer], DataValidationException
+ FullyQualifiedErrorId : C4B79117,Microsoft.Exchange.Management.SystemConfigurationTasks.AddDatabaseAvailabilityGroupServer + PSComputerName : tail-ca-exch-2.tailspintoys.ca
Adding the first mailbox server to the DAG failed, and the underlying cluster was not formed.
While there are a couple of other situations that can generate the same error message, the cause in this case was already mentioned in the opening paragraphs.
Since the DAG is using a Windows 2012 server, it is necessary to pre-stage the DAG CNO.
Pre-Staging The DAG CNO
Pre-staging the Cluster Network Object (CNO) is required for Windows Server 2012 DAG members due to permission changes in Windows Server 2012 for computer objects. As mentioned above Exchange 2010 is installed onto Windows 2012. This is (at the time of writing) the latest version of Windows that is supported by Exchange 2010. Support for Windows Server 2012 R2 was added later.
You create and disable a computer account for the CNO and then either:
-
Assign full control of the computer account to the computer account of the first mailbox server you're adding to the DAG.
-
Assign full control of the computer account to the Exchange Trusted Subsystem (ETS) universal security group (USG).
After completing the following steps, allow time for Active Directory replication to occur. After the object is replicated, you can add the first member to the DAG.
In the example below, the first mailbox server that is to be added to the DAG will be granted the necessary permissions. In Active Directory Users & Computers, a new computer object is created. This will be the name of the DAG. The uber-imaginative name of DAG1 was used in the below example.
After creating then CNO, it is then necessary to assign the necessary permissions. As mentioned above, this can be either the ETS group or first mailbox server computer account that is to be added. The computer account option was selected since this will not work until you change the search options, since computer objects are not included in the default search results.
Opening the properties of the CNO, we click Add and the change the displayed Object Types to also include computer objects. The first mailbox server computer account was added, and then the changes are saved.
The assigned entity, either first mailbox server or ETS, must then be assigned Full Control over the CNO. The computer account that we selected is the server Tail-CA-Exch-2, and this has been assigned Full Control over the CNO in the below screenshot.
Note: the CNO is disabled to facilitate the cluster cleanly taking ownership of the object.
Creating DAG After CNO Pre-Staged
Now that CNO for the DAG was successfully pre-staged, we can move on and create our DAG and add the first mailbox server.
In the below example we create the DAG, add the first mailbox server, and then use Get-DatabaseAvailabilityGroupto demonstrate that the server was indeed added to the DAG. Commands used were:
New-DatabaseAvailabilityGroup -Name DAG1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer Tail-CA-Exch-2
Get-DatabaseAvailabilityGroup
The significant items are highlighted:
Success!
Bootnote
It is possible that you have sidestepped this issue if you were already pre-staging CNO objects due to AD DS permissions in your environment. If AD DS was tied down, then this forced Exchange admins to get CNO pre-staged even before it became a requirement with Windows 2012.
Cheers,
Rhoderick