Managing DAG: Configuring a DAG Witness Server


In this post we go over the process of managing a File Share Witness and how to move it in case you need to.

Before getting into the technical details, there are a few key items that an Exchange admin must be aware of when planning for the DAG Witness Server:

  • A DAG Witness Server cannot be a member of the DAG
  • Its operating system doesn’t really matter, since it is just a share that the DAG members access for quorum purposes
  • The DAG Witness Server is useful when the DAG has an even number of members (2, 4, 6, ...)
  • If the DAG Witness Server is an Exchange Server 2013 server, the local administrator configuration is not required because it is part of the Exchange Server 2013 deployment process
  • Don’t bother with a file cluster or DFS for that share; restoring it is simpler than adding that complexity, especially when dealing with several DAG members
  • It can be hosted on a Domain Controller, but that is not a good idea
  • The same DAG Witness Server can be used for several DAGs; however, they must use different shares for obvious reasons
  • With Exchange Server 2013, if your DAG spans two datacenters, it is a good idea to place the DAG Witness Server in a third datacenter to provide automatic failover


We are planning to build our first DAG, and our first step is to create the DAG Witness Server. It is going to be a regular Windows Server 2012 machine that was just installed with default settings, joined to the domain, and assigned a static IP address.


In this section we cover the security requirements on a DAG Witness Server. The first portion is about the Windows Firewall (if you don’t use it, you can skip that portion) and the last one is about the local Administrators group on that server.

Firewall Requirements

Let’s say that you use the Windows Firewall as shown in the image below, and your Windows Server 2012 was just installed with all default settings and joined to the domain.


The way to automatically create the firewall exceptions that allow connectivity from the DAG members to this DAG Witness Server is to install the File Server role on it, as depicted in the figure below.


Local Administrator Group

Since the DAG Witness Server does not have Exchange Server installed on it, we need to add the group Exchange Trusted Subsystem to the local Administrators group.


A simple test…

The DAG Witness Server only hosts a share, so the basic test is to try to access it (using \\DAG-Witness-Server-Name) from any DAG member. The result should be similar to the figure below.
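
The requirements from this section (File Server role, SMB firewall exception, Exchange Trusted Subsystem in the local Administrators group) can be audited in one pass on the witness server. The script below is an added example, not part of the original post; the function name Test-DagWitnessPrereq is hypothetical, and it assumes an English-language OS (local group named Administrators) and the built-in firewall rule ID FPS-SMB-In-TCP. It also flags a witness that is a Domain Controller, which the list above advises against.

```powershell
# Added example: read-only pre-flight audit, run locally on the witness server.
# Assumptions: English OS (local group is named "Administrators") and the built-in
# SMB firewall rule ID FPS-SMB-In-TCP. Test-DagWitnessPrereq is a hypothetical name.
function Test-DagWitnessPrereq {
    Import-Module ServerManager

    # The article installs the File Server role to get the firewall exceptions.
    $fileServerRole = (Get-WindowsFeature -Name FS-FileServer).Installed

    # Inbound SMB (TCP 445) must be allowed so the DAG members can reach the share.
    $smbRules = @(Get-NetFirewallRule -Name 'FPS-SMB-In-TCP' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })

    # Enumerate the local Administrators group through ADSI (works on Windows Server 2012).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    # DomainRole 4 and 5 are backup and primary domain controllers.
    $domainRole = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole

    [pscustomobject]@{
        FileServerRoleInstalled  = $fileServerRole
        SmbInboundRuleEnabled    = ($smbRules.Count -gt 0)
        ExchangeTrustedSubsystem = ($members -contains 'Exchange Trusted Subsystem')
        IsDomainController       = ($domainRole -ge 4)
        LocalAdministrators      = ($members -join ', ')
    }
}

$result = Test-DagWitnessPrereq
$result | Format-List

# Warn when any requirement is missing or the witness is a Domain Controller.
if (-not ($result.FileServerRoleInstalled -and $result.SmbInboundRuleEnabled -and
          $result.ExchangeTrustedSubsystem) -or $result.IsDomainController) {
    Write-Warning 'Witness server does not match the configuration described above.'
}
```

The LocalAdministrators field lists every member of the group, which makes it easy to review who else holds administrative rights on the witness alongside Exchange Trusted Subsystem.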


Creating a new DAG…

So, when do you configure this DAG Witness Server in Exchange Server 2013? Well, once all prerequisites are in place, we just need to specify it, for example during the creation of a new DAG.

Let’s say you don’t have a DAG and you are creating one from scratch. Open the EAC (Exchange Admin Center), click on Servers, then click on database availability groups and click on + (the add icon, which is the first one). On the new page, we have to choose the DAG name, the DAG Witness Server, and a Witness Directory, along with an IP for the DAG, as shown in the figure below.

Note: If you are running your DAG members on Windows Server 2012, you need to create the DAG object in Active Directory before running the wizard shown in the figure below. We are going to check how to do that in this series.


Written by Anderson Patricio
