Managing DAG: Configuring a DAG Witness Server

In this post we are going over the process to manage a File Share Witness and how to move it around in case you need to.

Before starting on the technical details, there are a few key items that an Exchange Admin must be aware of when planning for the DAG Witness Server, as follows:

  • A DAG Witness Server cannot be a member of the DAG
  • The Operating System for it doesn’t really matter, since it is just a share that the DAG members access for quorum purposes
  • The DAG Witness Server is useful with an even number of DAG members (2, 4, 6...)
  • If the DAG Witness Server is an Exchange Server 2013 server, then the local Administrators group configuration is not required, because it is part of the Exchange Server 2013 deployment process
  • Don’t bother having a File Cluster or DFS for that share; the process to restore it is simpler than adding that complexity, especially when dealing with several DAG members
  • It can be hosted on a Domain Controller, but that is not a good idea, because the Exchange Trusted Subsystem group would then need administrative rights on that Domain Controller
  • The same DAG Witness Server can be used for several DAGs; however, they must use different shares for obvious reasons
  • When using Exchange Server 2013, if you have two datacenters with your DAG, it is a good idea to have the DAG Witness Server in a third datacenter to provide automatic failover


We are planning to build our first DAG, and our first step is to create the DAG Witness Server. It is going to be a regular Windows Server 2012 server that was just installed with default settings, joined to the domain and assigned a static IP address.


In this section we will cover the security requirements on a DAG Witness Server. The first portion is about the Windows Firewall (if you don’t use it, you can skip that portion) and the last one is about the local Administrators group on that server.

Firewall Requirements

Let’s say that you use Windows Firewall, as in the image shown below, and you have your Windows Server 2012 server just installed with all default settings and joined to the domain.


The way to automatically create the firewall exceptions that allow connectivity from the DAG members to this DAG Witness Server is to install the File Server role on it, as depicted in the figure below.


Local Administrator Group

Since the DAG Witness Server does not have Exchange Server installed on it, we need to add the group Exchange Trusted Subsystem to the local Administrators group.


A simple test…

The DAG Witness Server only hosts a share, so the basic test is to try to access it (using \\DAG-Witness-Server-Name) from any DAG member, and the result should be similar to the figure below.
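
The steps of this section (File Server role for the firewall exception, Exchange Trusted Subsystem in the local Administrators group, reachability test) as an added PowerShell example that is not part of the original post. The domain name CONTOSO and both function names are assumptions made for illustration.

```powershell
# Added example. CONTOSO is a placeholder NetBIOS domain name (assumption).
$Domain = 'CONTOSO'
$Group  = 'Exchange Trusted Subsystem'

function Confirm-WitnessPrereqs {
    # Run elevated on the DAG Witness Server (function name is hypothetical).

    # Firewall: install the File Server role, which creates the exceptions.
    if (-not (Get-WindowsFeature -Name FS-FileServer).Installed) {
        Install-WindowsFeature -Name FS-FileServer | Out-Null
    }
    # Collect the enabled inbound allow rules that cover TCP 445 (SMB).
    $smbRules = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $f = $_ | Get-NetFirewallPortFilter
            $f.Protocol -eq 'TCP' -and $f.LocalPort -contains '445'
        })

    # Local Administrators: add Exchange Trusted Subsystem only if it is missing.
    $admins  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $target  = "WinNT://$Domain/$Group"
    $getPath = { $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) }
    $members = @($admins.Invoke('Members') | ForEach-Object $getPath)
    if ($members -notcontains $target) {
        $admins.Add("$target,group")
        $members = @($admins.Invoke('Members') | ForEach-Object $getPath)
    }

    # Return the state for review. Every entry in LocalAdministrators has
    # full control of this server, so the list should stay short.
    New-Object PSObject -Property @{
        FileServerInstalled = (Get-WindowsFeature -Name FS-FileServer).Installed
        SmbInboundRules     = @($smbRules | ForEach-Object { $_.DisplayName })
        LocalAdministrators = $members
    }
}

function Test-WitnessReachable {
    # Run on a DAG member: checks that the witness answers on TCP 445 (SMB).
    # TcpClient is used because Test-NetConnection is not in Windows Server 2012.
    param([string]$Server = 'DAG-Witness-Server-Name')
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($Server, 445); $client.Connected }
    catch   { $false }
    finally { $client.Close() }
}
```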


Creating a new DAG…

So, when do you configure this DAG Witness Server in Exchange Server 2013? Well, once all the prerequisites are in place, we just need to specify it during a new DAG creation, for example.

Let’s say you don’t have a DAG and you are creating one from scratch. Open the EAC (Exchange Admin Center), click on Servers, then click on database availability groups and click on + (the add icon, which is the first one). On the new page, we have to choose the DAG name, the DAG Witness Server, a Witness Directory and an IP for the DAG, as shown in the figure below.

Note: If you are running your DAG members on Windows Server 2012, you need to create the DAG object in Active Directory first, before running the wizard shown in the figure below. We are going to check how to do that in this series.