Great blog post on installing rollup updates on DAG members.
Great blog post on installing rollup updates on DAG members.
Recently one of our Exchange MVPs posted a question to our support engineers…Is it necessary to move the cluster group / cluster core resources in Exchange 2007 / Exchange 2010?
As a reminder…the cluster core resources are generally the cluster name and cluster IP address. This is the management name specified when the cluster is created.
In Windows 2003 this would be known as the “Cluster Group” and would contain the cluster name, cluster IP address, and majority node set or quorum disk resource.
In Windows 2008 and Windows 2008 R2 this would be known as the “Cluster Core Resources” (the actual group in cluster though is still called the “Cluster Group”) and generally contains the cluster name, cluster IP address, and file share witness or quorum disk resource.
In Windows 2003 the cluster group is visible and manageable in cluster administrator. In Windows 2008 you can view the cluster core resources, but management requires using the cluster.exe command line (or powershell in Windows 2008 R2).
So…enough background and back to the question…
From the platforms perspective it should not be necessary to maintain either of these group or move the cluster core resources when rebooting nodes etc. When the resources are owned on a node where the cluster service is stopping, the resources will automatically be arbitrated to another node in the cluster.
I personally though do not prefer to take this approach. I prefer to know that the resources have been moved off the node that I’m managing and have been successfully arbitrated to another node in the cluster.
Therefore, I recommend the following…
Prior to managing a node verify whether or not the node owns the cluster core resources.
Run the following command – cluster.exe <FQDNCluster> group
C:>cluster dag.exchange.msft group
Listing status for all available resource groups:
Group Node Status
——————– ————— ——
Cluster Group DAG-3 Online
Available Storage DAG-1 Offline
As you can see from the output the “Cluster Group” currently resides on DAG-3 and is online.
If DAG-3 is the node to be rebooted, the cluster group can be moved to another node.
Run the following command – cluster.exe <FQDN> group “Cluster Group” /moveto:<NODE>
Here is an example of where the resources did not arbitrate successfully. You can see that the group successfully moved to the specified node, but the status is partially online.
C:>cluster.exe dag.exchange.msft group "Cluster Group" /moveto:DAG-1
Moving resource group ‘Cluster Group’…
Group Node Status
——————– ————— ——
Cluster Group DAG-1 Partially Online
Any other status but online should be investigated and corrected prior to rebooting or managing the cluster services on the nodes.
Here is an example of a successful move.
C:>cluster.exe dag.Exchange.msft group "Cluster Group" /moveto:DAG-1
Moving resource group ‘Cluster Group’…
Group Node Status
——————– ————— ——
Cluster Group DAG-1 Online
If the group successfully moved, the node information should display the name of the node where the group was moved and the status should show online.
In Exchange 2010 when using the Database Availability Group (DAG) we leverage the cluster services in Windows 2008 and Windows 2008 R2.
When utilizing the cluster services in Windows 2008 and Windows 2008 R2 the cluster core resources – cluster name is a Kerberos enabled name. This requires that a machine account be created within the directory for association with this cluster name resource. This is known as the CNO or cluster name object.
With previous versions of Exchange this Kerberos enabled machine account was created in the domain leveraging the credentials / rights assigned to the user logged into the machine using the failover cluster management tools to establish the clustered services. This would require either the user’s account have permissions to create and enable machine accounts within the domain or the machine account to be pre-staged with the appropriate rights assigned.
In Exchange 2010 the establishment of the cluster and the cluster name object is performed by using either the Exchange Management Console or Exchange Management Shell. Specifically the cluster creation occurs when running the command add-databaseavailabilitygroupserver when adding the first server to the database availability group. Since we are leveraging the Exchange management tools to establish the cluster service, this also means that we are utilizing RBAC. In this case when the first server is added to the DAG, the remote powershell contacts the replication service of the first node to be added. In turn, the replication service of that local machine installs the failover cluster management service and begins cluster creation utilizing the credentials assigned to LOCAL SYSTEM (since the replication service starts on the machine in the LOCAL SYSTEM security context). Therefore, the individual user rights to create machine accounts in the domain are not leveraged when establishing the clustered services for the database availability group, but rather that of the replication service.
In environments where computer account creation is restricted, it may become necessary to pre-stage the CNO for the clustered services and assign the appropriate rights. There are two methods which work to establish this security context:
1) Assign the machine account of the first node added to the DAG with full control of the pre-staged object.
2) Assign the Exchange Trusted Subsystem universal security group with full control of the pre-staged object.
The first method works by ensuring that the LOCAL SYSTEM security context will be able to manage the pre-staged computer account fully. The second method works because the Exchange Trusted Subsystem group contains the machine accounts of all Exchange servers in the domain. If utilizing method one you need to ensure that the first member added to the DAG is the machine granted permissions. If the second method is utilized any DAG member can be added as all members have rights to manage the account.
Here is an example of how to pre-stage the machine account utilizing the local system rights of the first DAG member.
1) Select the appropriate container in Active Directory where you wish the account to be created. Right click, select NEW –> COMPUTER.
2) In the Computer Name field, type the name that was assigned to the database availability group.
3) After the account is created, right click on the account and select properties. Select the security tab. (Note: You may have to enable advanced features in Active Directory Users and Computers).
4) Select the ADD button to present the add dialog.
5) Select the Object Types button. De-select all options and select the COMPUTERS option. Press OK.
6) In the Enter the object name to select field, type the name of the first DAG member. Select Check Name to ensure the name resolves to a valid account in the directory. Select OK to add the account.
7) Select the machine account in the Group or User Names field, assign the machine account full control. Press OK.
8) Locate the account in the container where it was created. Right click on the account and select disable account.
9) When presented with the disable dialog, select YES.
10) After the object has been successfully disabled, press the OK button on the success confirmation.
11) At this point allow time for active directory replication to occur. Once replication has completed, the first database availability group member can be added and the cluster services established.
======================================
Update 3/14/2010
======================================
It was recently asked how can I programmatically achieve establishing these permissions? Thanks to Jeff Kizner and Robert Gillies for providing these instructions.
cd ad:
$comp = Get-ADComputer DAG01
$sid = (Get-ADGroup "Exchange Trusted Subsystem").sid
$rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$perm = [System.Security.AccessControl.AccessControlType]::Allow
$acl = get-acl $comp
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid, $rights, $perm
$acl.AddAccessRule($ace)
set-acl -AclObject $acl $comp
======================================
The official TechNet documentation for establishing a Windows 2003 / Exchange 2007 SP1 cluster can be found at:
What I want to do in this blog post is outline an alternate method for installing the cluster different from the instructions referenced above for Windows 2003 clustered nodes.
The first recommendation that I make when establishing the cluster service is to not use the GUI mode setup included with Exchange 2007. My main rational for this advice is that when GUI mode setup fails you generally have to revert to command line setup to correct conditions and repeat the setup operations. With this in mind it’s much easier to start with the command line setup and continue through.
In each of the links above you will see that the basic structure of a command line setup for the active roles installation is:
setup.com /mode:install /roles:mailbox /newCMS /cmsName /cmsIPAddress [/css] [/cmsDataPath]
The passive role installation is:
setup.com /mode:install /roles:mailbox
The way to think about the active role command is the combination of the passive role (setup.com /mode:install /roles:mailbox) with the establishment of the clustered services (setup.com /newCMS /cmsName /cmsIPAddress [/css] [/cmsDataPath]).
These commands do not have to be run together. With this in mind my second recommendation is to establish the passive role first on each clustered node. I recommend this for a few reasons:
Now I will outline for you the steps that I use when establishing a Windows 2003 / Exchange 2007 SP1 Cluster. Please refer to these additional blog posts for some other helpful information regarding these installations:
In all instructions below the assumption is that the cluster service and appropriate quorum type have been established and fully configured. The instructions also outline only the establishment of the Exchange resources, the TechNet documentation referenced above should be used to establish the specific cluster service requirements and other installation / management tasks for an Exchange 2007 SP1 clustered installation on Windows 2003.
Windows 2003 / Exchange 2007 SP1 Cluster Continuous Replication (CCR)
At this point the replication service will begin copying log files from the new databases created and bring both sides into synchronization. This completes the setup of a Windows 2003 / Exchange 2007 SP1 CCR cluster.
Windows 2003 / Exchange 2007 SP1 Single Copy Cluster (SCC)
By using these steps you should hopefully be able to simply your Exchange 2007 SP1 clustered installation on Windows 2003 and more easily address errors that may arise during the clustered setup.
The official TechNet documentation for establishing a Windows 2008 / Exchange 2007 SP1 cluster can be found at:
What I want to do in this blog post is outline an alternate method for installing the cluster different from the instructions referenced above for Windows 2003 clustered nodes.
The first recommendation that I make when establishing the cluster service is to not use the GUI mode setup included with Exchange 2007. My main rational for this advice is that when GUI mode setup fails you generally have to revert to command line setup to correct conditions and repeat the setup operations. With this in mind it’s much easier to start with the command line setup and continue through.
In each of the links above you will see that the basic structure of a command line setup for the active roles installation is:
setup.com /mode:install /roles:mailbox /newCMS /cmsName /cmsIPAddress [/css] [/cmsDataPath]
The passive role installation is:
setup.com /mode:install /roles:mailbox
The way to think about the active role command is the combination of the passive role (setup.com /mode:install /roles:mailbox) with the establishment of the clustered services (setup.com /newCMS /cmsName /cmsIPAddress [/css] [/cmsDataPath]).
These commands do not have to be run together. With this in mind my second recommendation is to establish the passive role first on each clustered node. I recommend this for a few reasons:
Now I will outline for you the steps that I use when establishing a Windows 2008 / Exchange 2007 SP1 Cluster. Please refer to these additional blog posts for some other helpful information regarding these installations:
In all instructions below the assumption is that the cluster service and appropriate quorum type have been established and fully configured. The instructions also outline only the establishment of the Exchange resources, the TechNet documentation referenced above should be used to establish the specific cluster service requirements and other installation / management tasks for an Exchange 2007 SP1 clustered installation on Windows 2008.
Windows 2008 / Exchange 2007 SP1 Cluster Continuous Replication (CCR)
At this point the replication service will begin copying log files from the new databases created and bring both sides into synchronization. This completes the setup of a Windows 2008 / Exchange 2007 SP1 CCR cluster.
Windows 2008 / Exchange 2007 SP1 Single Copy Cluster (SCC)
By using these steps you should hopefully be able to simply your Exchange 2007 SP1 clustered installation on Windows 2008 and more easily address errors that may arise during the clustered setup.