DAG - Witness is in a failed state

Hi Guys,

We are experiencing some problems with a DAG on Exchange 2013.
There are 2 Exchange servers in the organization, each one located at a different site; both servers have all the roles installed.

A DAG is configured and both Exchange servers only have one NIC, which is used for the DAG replication and MAPI connections.
 
There are several alerts about the witness server and I get the following error in the Exchange admin centre when accessing the DAG properties:

Database availability group 'SMDAG01' witness is in a failed state. The database availability group requires the witness server to maintain quorum. Please use the Set-DatabaseAvailabilityGroup cmdlet to re-create the witness server and directory.

As the above warning recommends, I ran the Set-DatabaseAvailabilityGroup cmdlet, but it fails with the following error.

[PS] C:\Windows\system32>Set-DatabaseAvailabilityGroup -Identity SMDAG01 -WitnessDirectory C:\SMDAG01
WARNING: An unexpected error has occurred and a Watson dump is being generated: Some or all identity references could
not be translated.
Some or all identity references could not be translated.
    + CategoryInfo          : NotSpecified: (:) [Set-DatabaseAvailabilityGroup], IdentityNotMappedException
    + FullyQualifiedErrorId : System.Security.Principal.IdentityNotMappedException,Microsoft.Exchange.Management.Syste
   mConfigurationTasks.SetDatabaseAvailabilityGroup
    + PSComputerName        : d5ex01.mydomain.net


Also, in the Failover Cluster Manager on both servers I noticed that one of the nodes is down (see attached images), and when I tried to bring the resource online I keep getting this error.

Cluster network name resource 'Cluster Name' cannot be brought online. The computer object associated with the resource could not be updated in domain 'mydomain.net' for the following reason:
Unable to obtain the Primary Cluster Name Identity token.

The text for the associated error code is: An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.
 
The cluster identity 'SMDAG01$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.

Finally, somehow the DAG works, as I was able to activate the database copies on both servers before rebooting them.

Do you guys have an idea of what might be causing this issue?

Regards

R2
R2_D2 Asked:

Berkson Wein (Tech Freelancer) Commented:
It doesn't sound like you have a file share witness (FSW) server. You either have an odd number of mailbox servers or you use a FSW to make it odd and thereby maintain quorum. Really, all you need is another member server; it doesn't even need Exchange on it.

A good explanation:
https://blog.credera.com/technology-insights/microsoft-solutions/when-do-dags-need-a-file-share-witness/

and here are the steps to get the FSW set:
http://exchangeserverpro.com/using-a-non-exchange-server-as-an-exchange-2013-dag-file-share-witness/

Hope this helps.
0
R2_D2 (Author) Commented:
We do have a FSW in place already. Anyway, I have just checked all settings again to make sure it is all correct.

- The Exchange Trusted Subsystem group in Active Directory must be added to the local Administrators group on the server that will be the file share witness
- The File Server feature (FS-FileServer) is installed on the file share witness
- Windows Firewall is disabled on my witness server.
- From the Exchange servers I was able to access the witness shared directory

Everything is correct but unfortunately the issue is still present.
0
R2_D2 (Author) Commented:
I've requested that this question be deleted for the following reason:

One of the attached files needs to be removed
0

Berkson Wein (Tech Freelancer) Commented:
Ah, ok, I misunderstood originally.

We have a similar setup at one of our clients, though there's only 1 site. 2 Exchange servers with all roles. 1 FSW. 1 DAG.

I'm confused as to why you have a cluster at all.  If we run the Failover Cluster Manager, I don't see any setup, but the DAG works great.  Did you explicitly set up a cluster?
0
R2_D2 (Author) Commented:
We inherited that setup from a former IT admin and we are trying to fix it.

I was under the impression that the DAG automatically set up the failover cluster.
0
dsnegi_25dec Commented:
I believe you had given proper rights to the CNO. Below is the URL to verify; please check:

http://windowsitpro.com/blog/exchange-2013-dags-windows-2012-and-cno
1

Berkson Wein (Tech Freelancer) Commented:
I checked a couple of different Exchange configs. None have clusters, but all have a DAG running.

Here's how we do it, without a real cluster and without a separate replication network:
http://msexchangeguru.com/2014/03/21/e2013sp1-ip-less-dag/

Since your setup isn't working, do you have the luxury of creating a new DAG as above and then migrating the mailboxes to a new database in that new DAG? If so, you could do that and then kill the old config.
0
R2_D2 (Author) Commented:
dsnegi_25dec,
Good link. The CNO rights were incorrect, as a decommissioned old Exchange server was the only computer account with full rights on the CNO. For that reason I added one of the existing Exchange servers' computer accounts as well as the Exchange Trusted Subsystem group and provided full access to both. Unfortunately it did not help.

weinberk
We would like to repair the DAG. However, a new DAG is a good option; it needs to be discussed with my colleagues.
0
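A way to review the CNO permissions described in the comment above, as an added example that is not part of the original thread. It classifies the explicit ACEs on the cluster name object against the trustees the thread names (the Exchange Trusted Subsystem group and an existing Exchange server's computer account). The helper name `Get-CnoAceFinding`, the `MYDOMAIN` NetBIOS name, the `OLDEX01$` account, the SID and all sample ACEs are constructed assumptions.

```powershell
# Added example: classify explicit ACEs on a DAG cluster name object (CNO).
# Live input instead of the sample (ActiveDirectory module required):
#   $dn   = (Get-ADComputer -Identity 'SMDAG01$').DistinguishedName
#   $aces = (Get-Acl -Path "AD:\$dn").Access
function Get-CnoAceFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        [Parameter(Mandatory)] [string[]] $ExpectedTrustee
    )
    # Only grants set directly on the CNO matter here; skip inherited ACEs.
    $explicit = @($Ace | Where-Object { -not $_.IsInherited })
    foreach ($a in $explicit) {
        $who     = [string]$a.IdentityReference
        $rights  = [string]$a.ActiveDirectoryRights
        $finding = $null
        if ($who -match '^S-1-5-21-') {
            # Get-Acl shows a raw SID when the account no longer resolves.
            $finding = 'Trustee is an unresolved SID (account deleted)'
        } elseif ($ExpectedTrustee -notcontains $who -and $rights -match 'GenericAll') {
            $finding = 'Full control held by an unexpected trustee'
        } elseif ($ExpectedTrustee -contains $who -and $rights -notmatch 'GenericAll') {
            $finding = 'Expected trustee lacks full control'
        }
        if ($finding) {
            [pscustomobject]@{ Trustee = $who; Rights = $rights; Finding = $finding }
        }
    }
    # Expected trustees that have no explicit ACE at all.
    $present = @($explicit | ForEach-Object { [string]$_.IdentityReference })
    foreach ($t in $ExpectedTrustee) {
        if ($present -notcontains $t) {
            [pscustomobject]@{ Trustee = $t; Rights = '(none)'; Finding = 'Expected trustee has no explicit ACE' }
        }
    }
}

# Constructed sample ACEs (not taken from the thread's environment).
$aces = @(
    [pscustomobject]@{ IdentityReference = 'MYDOMAIN\OLDEX01$'; ActiveDirectoryRights = 'GenericAll'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'S-1-5-21-1111111111-2222222222-3333333333-1105'; ActiveDirectoryRights = 'GenericAll'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'MYDOMAIN\D5EX01$'; ActiveDirectoryRights = 'ReadProperty, WriteProperty'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'MYDOMAIN\Domain Admins'; ActiveDirectoryRights = 'GenericAll'; IsInherited = $true }
)
Get-CnoAceFinding -Ace $aces -ExpectedTrustee 'MYDOMAIN\Exchange Trusted Subsystem', 'MYDOMAIN\D5EX01$' |
    Format-Table -AutoSize
```

Stale full-control ACEs for decommissioned servers are worth removing once the expected trustees are in place, since a reused or recovered computer account would otherwise keep control of the cluster identity.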
Berkson Wein (Tech Freelancer) Commented:
I worry that repairing something (just getting it working) without knowing what was done previously and WHY will lead to future problems.  Get out of this hole while you can.
0
dsnegi_25dec Commented:
Yes, a new DAG is a good option.

Please follow the above link; that will definitely help you.
0
R2_D2 (Author) Commented:
Sorry for the late reply.

A DAG rebuild from scratch fixed the problem.

Thank you all for your help.
0