Module 7

Implementing High Availability

Module Overview

• Overview of High Availability Options

• Configuring Highly Available Mailbox Databases

• Deploying Highly Available Non-Mailbox Servers

• Deploying High Availability with Site Resilience

Lesson 1: Overview of High Availability Options

• What Is High Availability?

• Discussion: Components of a High Availability Solution

What Is High Availability?

High availability:

• Implements system design that ensures a high level of operational continuity

• Is measured by the percentage of time the application is available

Availability Target Permitted Annual Downtime

99% 87 hours, 36 minutes

99.9% 8 hours, 46 minutes

99.99% 52 minutes, 34 seconds

99.999% 5 minutes, 15 seconds

Discussion: Components of a High Availability Solution

• Which components are important for running a high availability solution?

• What are some single points of failure in a messaging solution?

Lesson 2: Configuring Highly Available Mailbox Databases• What Is a Database Availability Group?

• What is Quorum?

• What Is Active Manager?

• What Is Continuous Replication?

• How Are Databases Protected in a DAG?

• Configuring a Database Availability Group

• Configuring Databases for High Availability

• Demonstration: How to Create and Configure a DAG

• What Is the Transport Dumpster?

• Understanding the Failover Process

• Designing Monitoring and Management for a DAG

• Demonstration: How to Monitor Replication Health

What Is a Database Availability Group?

A DAG is a collection of servers that provides the infrastructure for replicating and activating database copies. DAGs:

• Require the failover clustering feature, although all installation and configuration is done with the Exchange Server management tools

• Use Active Manager to control failover

• Use an enhanced version of the continuous replication technology that Exchange Server 2007 introduced

• Can be created after the Mailbox server is installed

• Allow a single database to be activated on another server in the group without affecting other databases

• Allow up to 16 copies of a single database on separate servers

• Define the boundary for replication

What Is Quorum?

Exchange Server 2010 DAG quorums:

• Are based on votes in Windows Server 2008

• Allow nodes, file shares, and shared disks to have votes, depending on the quorum mode

• Use node majority with a witness server for quorum:

• DAGs with an even number of Mailbox servers use the witness server

• DAGs with an odd number of Mailbox servers use node majority

Quorum defines consensus that enough cluster members are available to provide servicesQuorum defines consensus that enough cluster members are available to provide services

What Is Active Manager?

Active Manager:

• Runs a process on each server in the DAG

• One node is the PAM

• Remaining nodes are SAM

• Manages which database copies are active and which are passive

• Stores database state information

• Manages database switchover and failover processes

• Does not require direct administration configuration

What Is Continuous Replication?

Database Availability GroupDatabase Availability Group

DB1DB1

File Mode

Block Mode

DB1DB1 DB1DB1

ES

E L

og

Bu

ffer

ES

E L

og

Bu

ffer

Rep

licati

on

Log

Bu

ffer

Rep

licati

on

Log

Bu

ffer

Rep

licati

on

Log

Bu

ffer

Rep

licati

on

Log

Bu

ffer

How Are Databases Protected in a DAG?

DB4DB4

DB2DB2

DB3DB3

DB1DB1

DB2DB2

DB4DB4 DB4DB4

DB2DB2

DB3DB3

Continuous replication protects databases across servers in the DAGContinuous replication protects databases across servers in the DAG

Configuring Database Availability Group

To configure DAGs you must define the following:

 

Additionally consider these settings for larger or multi-site implementations:

• Witness Server – Server used to store witness information

• Witness Directory – directory used on the witness server to store witness information

• Database availability group IP addresses – IP address(es) used by DAG

• DAG Networks including replication

• DAG Network Compression

• DAG Network Encryption

• Third-Party Replication Mode

• Alternative Witness Server

• Alternative Witness Directory

Configuring Databases for High Availability

After creating a DAG, adding Mailbox servers to the DAG, and configuring the DAG, you must still do the following:

• Create database copies

• Set truncation lag time

• Set replay lag time

• Set preferred list sequence number

Demonstration: How to Create and Configure a DAG

In this demonstration, you will see how to create and configure a DAG

What Is the Transport Dumpster?

The transport dumpster:

• Protects against Mailbox server failures when transaction logs have been lost

• Keeps copies of all messages delivered in the transport queue (mail.que) until the transaction logs have replicated to all servers in the DAG, or until the maximum dumpster size is reached

• Redelivers missing email messages when a failure occurs

Understanding the Failover Process

If a failure occurs, the following steps occur for the failed database:

Active Manager determines the best copy to activate

The replication service on the target server attempts to copy missing log files from the best “source”:

• If successful, the database mounts with zero data loss

• If unsuccessful (failover), the database mounts based on the AutoDatabaseMountDial setting

The mounted database generates new log files (using the same log generation sequence)

Transport dumpster requests are initiated for the mounted database to recover lost messages

When original server or database recovers, it determines if any logs are missing or corrupt, and fixes them if possible

Designing Monitoring and Management for a DAG

• Allocate the necessary permissions for managing a DAG• Organization Management

• DAGs

• Database copies

• Failure may not be noticed

• Exchange Server 2010 SP1 or newer includes several scripts and commands for DAG monitoring and management

• Consider using System Center Operations Manager 2012

Demonstration: How to Monitor Replication Health

In this demonstration, you will see how to:

• Monitor replication health using the Exchange Management Console and the Exchange Management Shell

• View various status messages

• View available statistics

Lesson 3: Deploying Highly Available Non-Mailbox Servers

• How High Availability Works for Client Access Servers

• How Shadow Redundancy Provides High Availability for Hub Transport Servers

• How High Availability Works for Edge Transport Servers

How High Availability Works for Client Access Servers

A client access array is created with multiple Client Access servers. You can achieve high availability and load balancing by using one of these methods:

• Software-based NLB

• Hardware-based NLB

• Round-robin DNS

To configure a client access array:

• Configure existing databases using the Set-MailboxDatabase cmdlet with the RpcClientAccess parameter

• Use the New-ClientAccessArray cmdlet

• Configure internal URIs for Exchange services

Transport server delays message deletion until it verifies that the message has been delivered past the next hopTransport server delays message deletion until it verifies that the message has been delivered past the next hop

How Shadow Redundancy Provides High Availability for Hub Transport Servers

HubHub

External SMTP Mail

Server

External SMTP Mail

Server

Edge2Edge2

Edge1Edge11. Deliver to

Edge1

1. Deliver to Edge1

2. Deliver to next hop

2. Deliver to next hop

3. Query discard status

3. Query discard status

4. If failure, resubmit

4. If failure, resubmit

How High Availability Works for Edge Transport Servers

Load balancing and high availability methods for Edge Transportinclude:

• Multiple DNS MX records that are created to specify multiple authoritative SMTP servers for the domain.

• Hardware-based load balancing that is used to load balance inbound SMTP connections to any available Edge Transport server.

Load balancing and high availability methods for Edge Transportinclude:

• Multiple DNS MX records that are created to specify multiple authoritative SMTP servers for the domain

• Hardware-based load balancing that is used to load balance inbound SMTP connections to any available Edge Transport server

Lesson 4: Deploying High Availability with Site Resilience

• Requirements for Creating a Multiple Site DAG

• What Is Datacenter Activation Coordination Mode?

• Deploying Exchange 2010 for Site Resilience

• Switchover and Switchback Process with Site Resilience

• Best Practices for Site Resilient Solutions

Requirements for Creating a Multiple Site DAG

Requirements include:

• Other server roles must be available in each site

• At least one Mailbox server in each site

• DAC mode for DAGs that span multiple locations

• Prevents split-brain syndrome

• Round-trip network latency time of maximum 500 milliseconds between DAG members

What Is Datacenter Activation Coordination Mode?

DAC mode:

Data center 1

Data center 1

Data center 2

Data center 2

DACP=1DACP=1 DACP=1DACP=1 DACP=1DACP=1

DAG in DAC Mode

DAG in DAC Mode

DACP=0DACP=0DACP=0DACP=0

• Prevents split-brain syndrome

• Uses the DACP Protocol to decide if a database can be mounted

• 0 : Database cannot be mounted

• 1 : Database can be mounted

No DACP=1, no database mounted

No DACP=1, no database mounted

Mountdatabase

Mountdatabase

Data center 2

Data center 2

DACP=1DACP=1DACP=1DACP=1DACP=1DACP=1

Data center 1

Data center 1

DAG in DAC Mode

DAG in DAC Mode

Deploying Exchange 2010 for Site Resilience

Site resiliency:

• Does not require any special configuration for Hub Transport and Client Access servers

• The Edge Transport server:

• Requires Internet connectivity for the alternate data center

• Requires multiple MX records for incoming messages

• Requires the following server roles to be available in each site (besides the Mailbox role):

• Active Directory Domain Controller

• Hub Transport server

• Client Access server

Switchover and Switchback Process with Site Resilience

Site ASite A Site BSite B

DAG

Hub Transport(FSW)

Hub Transport(FSW)

Hub TransportHub TransportClient AccessClient Access Client AccessClient Access

(Alt FSW)(Alt FSW)

Best Practices for Site Resilient Solutions

Best practices include:

• Verify failover functionality with periodic testing

• Reduce failover time by using low TTL on DNS records for the Client Access server array, Client Access server URLs, and SMTP records

• Closely monitor replication health and other system components to ensure failover health

• Follow proper change-management procedures

• Prevent cluster network cross-talk

Lab: Implementing High Availability

• Exercise 1: Deploying a DAG

• Exercise 2: Deploying Highly Available Hub Transport and Client Access Servers

• Exercise 3: Testing the High Availability Configuration

Logon information

Estimated time: 60 minutes

Lab Scenario

You are the messaging administrator for A. Datum Corporation. You have completed the basic installation for three Exchange servers. Now you must complete the configuration so that they are highly available.

Lab Review

• When might you choose to initiate a database switchover?

• If you deploy only two Hub Transport servers in an Active Directory site, would shadow redundancy protect messages between mailboxes in the same site?

Module Review and Takeaways

• Review Questions

• Common Issues and Troubleshooting Tips

• Real-World Issues and Scenarios

• Best Practices