Sometimes you have to move all mailboxes from one database to another database in Exchange…
Change DAG witness server and witness directory
The task is to change the Exchange Server DAG witness server to another server. Why is that? One of the reasons is that the witness server is not booting anymore. Another reason is that you want to decommission the server. This article will teach you how to move a DAG witness server and witness directory to another server.
Table of contents
Where to place the DAG witness server?
The question that you ask yourself is: Where do I need to place the DAG witness server?
The best practices are:
1. Single DAG deployed in a single datacenter
- Locate witness server in the same datacenter as DAG members
2. Single DAG deployed across two data centers; no additional locations available
- Locate witness server on a Microsoft Azure virtual network to enable automatic datacenter failover.
- Locate witness server in primary datacenter
3. Multiple DAGs deployed in a single datacenter
- Locate witness server in the same datacenter as DAG members. Additional options include:
• Using the same witness server for multiple DAGs
• Using a DAG member to act as a witness server for a different DAG
4. Multiple DAGs deployed across two datacenters
- Locate witness server on a Microsoft Azure virtual network to enable automatic datacenter failover, or
- Locate witness server in the datacenter that is considered primary for each DAG. Additional options include:
• Using the same witness server for multiple DAGs
• Using a DAG member to act as a witness server for a different DAG
5. Single or Multiple DAGs deployed across more than two datacenters
- In this configuration, the witness server should be located in the datacenter where you want the majority of quorum votes to exist.
Read more in the Microsoft documentation: Manage database availability groups.
Move witness server and witness directory
In this example, we will move the DAG witness server from FS01-2016 to FS02-2016.
It’s good to know that there are two options to change the DAG witness server and directory:
- Exchange Management Shell (PowerShell)
- Exchange Admin Center (EAC)
Before you choose which option you like to follow, you have to do the next step first.
Configure DAG permissions on a new server
Add “Exchange Trusted Subsystem” AD group to the local administrator’s group on the server FS02-2016.exoip.local.
We recommend you to use a file server and not any other server.
Important: Don’t use a domain controller as a witness server!
Sign in to the File Server. Go to Administrative Tools and start Computer Management.
Expand Local Users and Groups and click on Groups. Double-click on the Administrators group and add the group Exchange Trusted Subsystem.
You can choose to change the witness server and witness directory with PowerShell or Exchange Admin Center in the next step. Follow the steps and verify at the end.
Change DAG witness server with PowerShell
Get DAG witness server
Run Exchange Management Shell as administrator. Get the Database Availability Group name, witness server, and witness directory. Use the Get-DatabaseAvailabilityGroup cmdlet.
In this example, the DAG witness server configuration is on FS01-2016.
[PS] C:\>Get-DatabaseAvailabilityGroup -Identity "DAG01-2016" -Status | ft Name, Witness*,Servers
Name WitnessServer WitnessDirectory WitnessShareInUse Servers
---- ------------- ---------------- ----------------- -------
DAG01-2016 fs01-2016.exoip.local C:\DAG01-2016 Primary {EX02-2016, EX01-2016}Change DAG witness server and witness directory
Run the cmdlet Set-DatabaseAvailabilityGroup.
[PS] C:\>Set-DatabaseAvailabilityGroup -Identity "DAG01-2016" -WitnessServer "FS02-2016.exoip.local" -WitnessDirectory C:\DAG01-2016You can get the below output.
[PS] C:\>Set-DatabaseAvailabilityGroup -Identity "DAG01-2016" -WitnessServer "FS02-2016.exoip.local" -WitnessDirectory C:\DAG01-2016
WARNING: Unable to access file shares on witness server 'FS02-2016.exoip.local'. Until this problem is corrected, the database availability group may be more vulnerable to failures. You can use the
Set-DatabaseAvailabilityGroup cmdlet to try the operation again. Error: The network path was not found
Unable to change the quorum for database availability group DAG01-2016. The network path for witness server '\\FS02-2016.exoip.local\DAG01-2016.exoip.local' was not found. This may be due to firewall settings.
+ CategoryInfo : InvalidArgument: (:) [Set-DatabaseAvailabilityGroup], DagTaskProblemC...ptionBadNetPath
+ FullyQualifiedErrorId : [Server=EX01-2016,RequestId=68133d5b-592f-43ef-a18c-7f3318d3df0d,TimeStamp=1/12/2021 5:38:05 PM] [FailureCategory=Cmdlet-DagTaskProblemChangingQuorumExceptionBadNetPath] CC8C0577,Micros
oft.Exchange.Management.SystemConfigurationTasks.SetDatabaseAvailabilityGroup
+ PSComputerName : ex01-2016.exoip.localWARNING: Unable to access file shares on witness server ‘FS02-2016.exoip.local’. Until this problem is corrected, the database availability group may be more vulnerable to failures. You can use the Set-DatabaseAvailabilityGroup cmdlet to try the operation again. Error: The network path was not found Unable to change the quorum for database availability group DAG01-2016. The network path for witness server ‘\\FS02-2016.exoip.local\DAG01-2016.exoip.local’ was not found. This may be due to firewall settings.
Regardless of what server is used as the witness server, if the Windows Firewall is enabled on the intended witness server, you must enable the Windows Firewall exception for File and Printer Sharing. The witness server uses SMB port 445. Another option is to disable Windows Firewall. After that, rerun the above command.
In the next step, you will verify your work.
Verify DAG witness server
The folder and share will be created automatically. Check if they are present on the server FS02-2016 in path C:\DAG01-2016.
[PS] C:\>Get-DatabaseAvailabilityGroup -Identity "DAG01-2016" -Status | ft Name, Witness*,Servers
Name WitnessServer WitnessDirectory WitnessShareInUse Servers
---- ------------- ---------------- ----------------- -------
DAG01-2016 fs02-2016.exoip.local C:\DAG01-2016 Primary {EX02-2016, EX01-2016}After you confirm that it looks great, there is one more step left for you. Exclude the folder C:\DAG01-2016 on FS02-2016 from your Antivirus.
Note: Exclude the File Share Witness folder from your Antivirus/Security product. Read more in the article Antivirus exclusions for Exchange Server.
Change DAG witness server in Exchange Admin Center
Get DAG witness server
Sign in to Exchange Admin Center. Go to servers > database availability groups. Have a look at the DAG witness server in the list view.
Change DAG witness server and witness directory
Click on the DAG in the list view. Click the edit icon in the toolbar.
Fill in the server’s FQDN to change the witness server.
Change the witness directory, or you can keep the same directory. Click on Save.
The next step is to verify the Database Availability Group witness server.
Verify DAG witness server
Check that the new server shows up as the witness server.
Go to the FS02-2016 C:\ drive and verify that the DAG01-2016 folder is created. After opening the folder, you will find a GUID folder, and in there, you will see two files with the name:
- VerifyShareWriteAccess.txt
- Witness.log
It can take a couple of minutes before both files show up. The size is small, and it will stay that way.
Note: Exclude the File Share Witness folder from your Antivirus/Security product. Read more in the article Antivirus exclusions for Exchange Server.
Conclusion
In this article, you learned how to change the DAG witness server and witness directory. Before you start, add the Exchange Trusted System AD group to the witness server’s local administrator group. After that, change the witness server and witness directory with PowerShell or Exchange Admin Center. Don’t forget to exclude the DAG witness folder in your Antivirus and verify the settings.
Did you enjoy this article? You may also like Balance mailbox databases in Exchange DAG. Don’t forget to follow us and share this article.
What Others Are Reading
Hello Ali
I currently have the witness on a DC 2012R2, the question is how can I move it to a DC 2016, the thing is that the local groups part no longer shows them to you, thank you very much
Local users and groups don’t show on a DC, and you should never use the DC as a witness server. Use another server.
Hello Ali
I’m trying to change Dag witness server and i get the following error when trying to open from ecp existing configured Dag.
An error occurred while attempting a cluster operation. Error: Cluster API failed: OpenByNames(‘EXCHANGE-03.domain.name’, ‘EXCHANGE-04.domain.name’) failed for each server. Specific exceptions: ‘An error occurred while attempting a cluster operation. Error: Cluster API failed: “OpenCluster(EXCHANGE-03) failed with 0x5. Error: Access is denied”‘, ‘An error occurred while attempting a cluster operation. Error: Cluster API failed: “OpenCluster(EXCHANGE-04) failed with 0x5. Error: Access is denied”‘.
Any idea on how to fix this,
Thanks
Hello, we recently lost our witness server.
We tried to create new witness server following your materials, but we receive this error:
Error: Cluster API failed: “ClusterResourceControl(controlcode=CLUSCTL_RESOURCE_SET_PRIVATE_PROPERTIES) failed with 0x52e. Error: The user name or password is incorrect”
Is it something you can help us with?
Hi Ali,
Thanks for this great article. I would like to ask you one question.
I configured an alternative witness server and a directory, but after alternative witness configuration had been completed, I realized that the alternative witness directory is empty. Is this a normal situation?
The witness directory should not be empty.
The DAG folder and GUID folder in the DAG folder should be generated automatically, including the two files below:
1. VerifyShareWriteAccess.txt
2. Witness.log
Hello Ali,
Thanks for post.
I hope you are fine. Why do you recommend to use a file server as a witness server?
Hello Ali!
I have a two node, two site, two fsw servers, two dcs, two subnet Exchange 2016 DAG running and working as expected.
When I run this:
WitnessShareInUse appears null
However, when I run this:
WitnessShareInUse shows “Primary”. Any idea what is up here?
That’s correct and how it should output.
You have to include the “-Status” parameter in the command so it can get the “WitnessShareInUse” value.
So it looks like:
Hi Ali
Thanks a lot For Useful Website .
I created DAG folder on File server . But after create DAG on ECP that folder will be delete completely and I can not see dag files on it becuse i did not find the folder . ( Also it is’nt hide and etc )
Could you help me in this issue please ?
It works, thanks a lot, greetings from Peru
Can I use this to change the witness server when my witness server and also one of the DAG nodes is down? Meaning I don’t have quorum.
How to recover from that situation.
Yes, that’s when you should follow this article.
About recovering Exchange DAG member, read the article: Recover Exchange DAG member.
Knowledgeable article..
Thank u…