R2_D2

DAG - Witness is in a failed state

Hi Guys,

We are experiencing some problems with a DAG on Exchange 2013.
There are 2 Exchange servers in the organization, each one located on a different site; both servers have all the roles installed.

A DAG is configured and both Exchange servers only have one NIC, which is used for the DAG replication and MAPI connections.

There are several alerts about the witness server and I get the following error on the Exchange admin centre when accessing the DAG properties:

Database availability group 'SMDAG01' witness is in a failed state. The database availability group requires the witness server to maintain quorum. Please use the Set-DatabaseAvailabilityGroup cmdlet to re-create the witness server and directory.

As the above warning recommends, I ran the Set-DatabaseAvailabilityGroup cmdlet, but it fails with the following error.

[PS] C:\Windows\system32>Set-DatabaseAvailabilityGroup -Identity SMDAG01 -WitnessDirectory C:\SMDAG01
WARNING: An unexpected error has occurred and a Watson dump is being generated: Some or all identity references could
not be translated.
Some or all identity references could not be translated.
    + CategoryInfo          : NotSpecified: (:) [Set-DatabaseAvailabilityGroup], IdentityNotMappedException
    + FullyQualifiedErrorId : System.Security.Principal.IdentityNotMappedException,Microsoft.Exchange.Management.Syste
   mConfigurationTasks.SetDatabaseAvailabilityGroup
    + PSComputerName        : d5ex01.mydomain.net


Also, in the Failover Cluster Manager on both servers I noticed that one of the nodes is down (see attached images), and when I tried to bring the resource online I kept getting this error.

Cluster network name resource 'Cluster Name' cannot be brought online. The computer object associated with the resource could not be updated in domain 'mydomain.net' for the following reason:
Unable to obtain the Primary Cluster Name Identity token.

The text for the associated error code is: An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.
 
The cluster identity 'SMDAG01$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.

Finally, somehow the DAG works, as I was able to activate the database copies on both servers before rebooting them.

Do you guys have an idea of what might be causing this issue?

Regards

R2
Cluster-error-2.jpg
cluster-error-1.jpg
Berkson Wein

It doesn't sound like you have a file share witness (FSW) server. You either have an odd number of mailbox servers or you use a FSW to make it odd and thereby maintain quorum. Really, all you need is another member server; it doesn't even need Exchange on it.

A good explanation:
https://blog.credera.com/technology-insights/microsoft-solutions/when-do-dags-need-a-file-share-witness/

and here are the steps to get the FSW set:
http://exchangeserverpro.com/using-a-non-exchange-server-as-an-exchange-2013-dag-file-share-witness/

Hope this helps.
R2_D2

ASKER

We do have a FSW in place already. Anyway, I have just checked all settings again to make sure it is all correct.

- The Exchange Trusted Subsystem group in Active Directory must be added to the local Administrators group on the server that will be the file share witness
- The File Server feature (FS-FileServer) is installed on the file share witness
- Windows Firewall is disabled on my witness server.
- From the Exchange servers I was able to access the witness shared directory

Everything is correct, but unfortunately the issue is still present.
R2_D2

ASKER

I've requested that this question be deleted for the following reason:

One of the attached files needs to be removed

Ah, ok, I misunderstood originally.

We have a similar setup at one of our clients, though there's only 1 site. 2 Exchange servers with all roles. 1 FSW. 1 DAG.

I'm confused as to why you have a cluster at all.  If we run the Failover Cluster Manager, I don't see any setup, but the DAG works great.  Did you explicitly set up a cluster?
R2_D2

ASKER

We inherited that setup from a former IT admin and we are trying to fix it.

I was under the impression that the DAG automatically set up the failover cluster.
ASKER CERTIFIED SOLUTION
dsnegi_25dec

R2_D2

ASKER

dsnegi_25dec,
Good link. The CNO rights were incorrect, as a decommissioned old Exchange server was the only computer account with full rights on the CNO. For that reason I added one of the existing Exchange servers' computer accounts as well as the Exchange Trusted Subsystem group and provided full access to both. Unfortunately, it did not help.

weinberk
We would like to repair the DAG. However, a new DAG is a good option; it needs to be discussed with my colleagues.

I worry that repairing something (just getting it working) without knowing what was done previously and WHY will lead to future problems. Get out of this hole while you can.

Yes, a new DAG is a good option.

Please follow the above link; that will definitely help you.
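The checks named in this thread (the witness prerequisites and the rights on the cluster name object), gathered into one read-only script as an added example; it is not code from any poster in the thread. It assumes the ActiveDirectory and ServerManager modules are installed and that PowerShell remoting to the witness server is allowed; SMDAG01 is the DAG name quoted above.

```powershell
# Added example: read-only checks, run from the Exchange Management Shell on a DAG member.
# Assumptions: ActiveDirectory and ServerManager modules present, remoting to the witness allowed.
Import-Module ActiveDirectory, ServerManager

$dagName = 'SMDAG01'                        # DAG name from the thread
$dag     = Get-DatabaseAvailabilityGroup -Identity $dagName -Status
$witness = "$($dag.WitnessServer)"          # witness server as configured on the DAG

# 1. What Exchange itself reports about the witness.
$dag | Format-List Name, WitnessServer, WitnessDirectory, WitnessShareInUse | Out-Host

# 2. Is Exchange Trusted Subsystem in the witness's local Administrators group?
$admins   = Invoke-Command -ComputerName $witness -ScriptBlock { net localgroup Administrators }
$inAdmins = [bool]($admins -match 'Exchange Trusted Subsystem')

# 3. Is the File Server role service installed on the witness?
$fs = Get-WindowsFeature -Name FS-FileServer -ComputerName $witness

# 4. Shares the witness publishes; the DAG's witness share should be listed.
$shares = Invoke-Command -ComputerName $witness -ScriptBlock { net share }

# 5. The cluster name object (CNO) and the explicit entries on its ACL.
#    An entry still shown as a raw SID (S-1-...) could not be resolved to an
#    account, for example because the account was deleted.
$cno  = Get-ADComputer -Identity $dagName -Properties Enabled
$aces = (Get-Acl -Path "AD:\$($cno.DistinguishedName)").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
        @{ Name = 'Unresolved'; Expression = { $_.IdentityReference.Value -match '^S-1-' } }

# Summary first, then the raw detail for review.
[pscustomobject]@{
    Witness                      = $witness
    TrustedSubsystemIsLocalAdmin = $inAdmins
    FileServerInstalled          = $fs.Installed
    CnoEnabled                   = $cno.Enabled
} | Format-List | Out-Host

$shares | Out-Host
$aces | Sort-Object Unresolved -Descending | Format-Table -AutoSize | Out-Host
```

Nothing in the script changes configuration, so it can be run before and after any repair attempt and the two outputs compared.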
R2_D2

ASKER

Sorry for the late reply.

A DAG rebuild from scratch fixed the problem.

Thank you all for your help.