
Imagine a standard setup with an Active Directory server, 4 Exchange servers (2 with CAS roles, and two with Mailbox roles) with load balancing and failover.

This site talks about how putting the witness on the Domain Controller is bad practice.

Question:

(If that is actually true) then where should it go, and why? (Knowing full well that it should not be on a CAS or MB server.)

Quote:

Section on the site mentioning this, and they go into depth as to why it's not good practice.

Obligatory disclaimer: While this is definitely not recommended practise in a production environment, and may have undesirable results, it will probably work. I highly doubt Microsoft support this, though I have been unable to find any concrete evidence on it (frankly, it’s such terrible practise they shouldn’t have to publicise advice against it).

1 Answer


We typically use the Exchange HUB as a File Share Witness server. Here are MS's recommendations:

The witness server can't be a member of the DAG.
The witness server must be in the same Active Directory forest as the DAG.
The witness server must be running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, or Windows Server 2003.
A single server can serve as a witness for multiple DAGs. However, each DAG requires its own witness directory.

Source: Managing database availability groups
https://technet.microsoft.com/en-us/library/dd298065%28v=exchg.150%29.aspx
Applies to: Exchange Server 2013

EDIT: My mistake, the reference on using the Hub for FSW was from 2007/2010 rather than 2013. Exchange 2013 made an architectural change to Exchange roles.

Lex
  • There are no more Hub Transport servers on Exchange 2013, which went all the way back to the "all roles on the same servers" architecture used in Exchange 2003. – Massimo Jan 27 '16 at 22:54
  • Lex, if you copy & paste the recommendations from official documents, please also add the [source to that document](https://technet.microsoft.com/en-us/library/dd298065%28v=exchg.150%29.aspx). In addition to that the document says: *"Neither the witness server nor the witness directory needs to be fault tolerant or use any form of redundancy or high availability."* I'd say that qualifies as enough evidence to render the statement in that blog wrong. – Daniel Jan 28 '16 at 07:25
  • The main reason for not putting the FSW on to a domain controller is simply because you have to grant permissions to the Exchange Trusted Subsystem to manage it. On a DC that means that account needs to be a member of Domain Admins or Administrators - org wide permissions it really doesn't need. A member server can have the permissions restricted to just the server in question. Any member server will be fine - I often will use a file server or SQL server. I am not aware of any restriction on using the CAS role, although in Exchange 2013 and higher I never deploy separate CAS. – Sembee Jan 28 '16 at 08:20
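As an added example (not code from the question, the answer, or the linked blog), this is the placement workflow that Sembee's comment implies, written for the Exchange Management Shell: refuse a domain controller or a DAG member as the witness, grant Exchange Trusted Subsystem administrator rights on that one member server only, then point the DAG at it and verify. The DAG name DAG1, the file server fs01.example.local, the domain EXAMPLE and the witness directory path are assumed placeholders.

```powershell
# Added example, not from the question or answers. Assumed names: DAG "DAG1",
# member file server "fs01.example.local", domain "EXAMPLE". Run from the
# Exchange Management Shell with rights to manage the DAG and the file server.

$DagName       = 'DAG1'
$WitnessServer = 'fs01.example.local'
$WitnessDir    = 'C:\DAGWitness\DAG1'   # one directory per DAG, even on a shared witness server
$TrustedSubsys = 'EXAMPLE\Exchange Trusted Subsystem'

# 1. Refuse a domain controller. Win32_ComputerSystem.DomainRole 4/5 = backup/primary DC.
#    On a DC the "local" Administrators group is the domain's Administrators group,
#    which is the org-wide privilege the comments above warn against handing out.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $WitnessServer).DomainRole
if ($role -ge 4) { throw "$WitnessServer is a domain controller; choose a member server." }

# 2. Refuse a DAG member: the witness must sit outside the DAG it arbitrates.
$dag       = Get-DatabaseAvailabilityGroup -Identity $DagName
$members   = $dag.Servers | ForEach-Object { $_.Name }
$shortName = ($WitnessServer -split '\.')[0]
if ($members -contains $shortName) { throw "$WitnessServer is already a member of $DagName." }

# 3. Least privilege: Exchange Trusted Subsystem becomes an administrator of this
#    one server only (Add-LocalGroupMember needs Windows PowerShell 5.1 on the target).
Invoke-Command -ComputerName $WitnessServer -ScriptBlock {
    param($member)
    $present = Get-LocalGroupMember -Group Administrators | Where-Object { $_.Name -eq $member }
    if (-not $present) { Add-LocalGroupMember -Group Administrators -Member $member }
} -ArgumentList $TrustedSubsys

# 4. Point the DAG at the witness; Exchange creates the directory and share itself.
Set-DatabaseAvailabilityGroup -Identity $DagName -WitnessServer $WitnessServer -WitnessDirectory $WitnessDir

# 5. Verify: WitnessShareInUse should report 'Primary' once the cluster has picked it up.
Get-DatabaseAvailabilityGroup -Identity $DagName -Status |
    Format-List Name, WitnessServer, WitnessDirectory, WitnessShareInUse
```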