I recently ran into what appeared to be an issue while creating an Exchange 2010 DAG for one of my customers. The issue arose because I wanted to create a 2-Server DAG using a non-Exchange Server as the FSW (File Share Witness).
There is a well-known bug in Exchange 2010 that generates a warning when a DAG is created and a non-Exchange Server is specified as the FSW Server. The warning is the following: ‘The Exchange Trusted Subsystem is not a member of the local Administrators group on specified witness server servername’. (servername is the server used to host the FSW.) A graphic of the error is shown below:
The warning states that the Exchange Trusted Subsystem group must be a local Administrator on the server that is being used as the FSW. This is required, and it’s important to remember that the Database Availability Group Creation Wizard does not automatically place the Exchange Trusted Subsystem group in the Local Admins group on the server to be used as the FSW. I had forgotten this fact so creating my DAG did give me some grief.
If you’re like me, some of you might be curious why the DAG Creation Wizard doesn’t place the Exchange Trusted Subsystem group in the local Admins group on the FSW. If it’s required, why doesn’t the wizard handle this task for us? I asked this very question of the Exchange Team when I attended TechEd this year, so I thought I’d share what I learned.
When Exchange 2010 was originally released, the Exchange Team expected most customers would separate the HUB/CAS and MB Roles onto different servers. When customers did this, the Exchange Team provided guidance to place the FSW on a CAS/HUB Server so messaging teams could maintain control over the Mailbox Servers and the server holding the FSW. If this recommendation was followed, then the Exchange Trusted Subsystem would already be in the Local Admins group because the Exchange Trusted Subsystem group is added to the Local Admins group on every server where Exchange 2010 is installed. Since it was assumed that the FSW would likely reside on an Exchange 2010 Server, code was never added to the DAG Creation Wizard to place the Exchange Trusted Subsystem group in the local Admin group of the FSW. It’s probably something that will be fixed in a future Exchange 2010 Roll Up or Service Pack. However, until that happens, as long as you’re prepared and you follow my tips at the bottom of this post, you won’t have any problem creating a DAG using a non-Exchange Server as your FSW.
So what’s the bug I mentioned at the beginning of this post? The bug is that the warning message is displayed every time you create a DAG using a non-Exchange Server as the FSW, even if the Exchange Trusted Subsystem is already a local Admin on the FSW server before the wizard is run.
Here are some tips to remember when creating a DAG when using a non-Exchange Server as the FSW:
- Prior to creating your DAG, make sure that all Exchange 2010 Servers that will participate in the DAG are members of the Exchange Trusted Subsystem Group. (Every Exchange 2010 Server should be added to this group by default during installation, but it never hurts to double-check this before you create your DAG.)
- Add the Exchange Trusted Subsystem Group to the local Admins group on the designated FSW server prior to creating your DAG.
- Remember that the step above is necessary and that the Database Availability Group Creation Wizard will not perform that task for you.
- Remember that Exchange 2010 will generate a warning stating that the Exchange Trusted Subsystem group is not a member of the Local Admins group on the FSW even when it is. (This is a known issue that will likely be addressed in a future Exchange 2010 Roll Up or Service Pack.)
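
Because the wizard shows the warning whether or not the membership is in place, an independent check is the only way to know which case you are in. The PowerShell below runs the checks from the tips above; it is an added example, not part of the original post. The domain and server names are placeholders, and it assumes the ActiveDirectory module is available and that the local group on the FSW server is named Administrators (English-language OS).

```powershell
# Placeholder values (assumptions, not from the post): replace before running.
$Domain       = 'CONTOSO'          # NetBIOS domain name
$FswServer    = 'FSW01'            # non-Exchange server that will host the FSW
$DagMembers   = 'MBX01', 'MBX02'   # Exchange 2010 servers that will join the DAG
$EtsName      = 'Exchange Trusted Subsystem'
$AddIfMissing = $false             # set to $true to add the group when it is absent

Import-Module ActiveDirectory

# Tip 1: each future DAG member's computer account should be in the group.
$etsComputers = Get-ADGroupMember -Identity $EtsName |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.Name }
foreach ($server in $DagMembers) {
    if ($etsComputers -contains $server) {
        "OK: $server is a member of '$EtsName'"
    } else {
        Write-Warning "$server is NOT a member of '$EtsName'"
    }
}

# Tips 2-3: the group must be in the FSW server's local Administrators group.
# Read the membership remotely through the ADSI WinNT provider.
function Test-EtsIsLocalAdmin {
    $admins = [ADSI]"WinNT://$FswServer/Administrators,group"
    $paths = @($admins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
    return ($paths -contains "WinNT://$Domain/$EtsName")
}

$isAdmin = Test-EtsIsLocalAdmin
if ((-not $isAdmin) -and $AddIfMissing) {
    # The wizard will not do this step, so add the group explicitly.
    $admins = [ADSI]"WinNT://$FswServer/Administrators,group"
    $admins.Add("WinNT://$Domain/$EtsName")
    $isAdmin = Test-EtsIsLocalAdmin   # re-read to confirm the change took effect
}

# Tip 4: if this reports OK and the wizard still warns, it is the known false warning.
if ($isAdmin) {
    "OK: '$EtsName' is a local administrator on $FswServer"
} else {
    Write-Warning "'$EtsName' is NOT a local administrator on $FswServer"
}
```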