We have two Exchange 2016 on-prem servers in the same physical location and on the same network running on VMware. Both mailbox servers are part of a single DAG. The two servers are currently only balanced via round robin DNS serving a total of 85 users with over 800 mailboxes (yes, that's right - we have a LOT of shared mailboxes that duplicate many of the same emails).
We're a little backwards in that we went to production first with only one server because we didn't have the hardware to support more, yet we needed to move from Groupwise to Exchange pronto. Now I have two working servers in the DAG, one active one passive. My question is, should I feel comfortable now that I have two servers in the DAG, or should I have a third? We only have hardware in this one location, so the third server would also be on the same local network. I thought of setting a third one with a lagged database copy in case, I dunno, someone deletes an account or something silly like that (although in 12 years of administering a single Groupwise server, we've never had to restore an account).
I realize this is more of a soliciation for educated opinions rather than a question with a straight right or wrong answer, but the folks here seem to be the best ones to ask. Am I really getting a significant benefit from having a third server in the DAG in my situation, or is that just overkill? I'm really trying to protect against Exchange database corruption as opposed to hardware failure as we are fully redundant there (at least as one can be inside a single location). What events might warrant having a third server with a lagged database copy?