poulpreben.com

Backup an Exchange 2013 IP Less DAG

Recently, there has been a lot of talk on public forums about the new Simplified DAG, or IP Less DAG, introduced with Exchange Server 2013 SP1. While this significantly reduces the complexity of managing the entire Exchange stack and thus provides higher availability, it does introduce some new challenges as a result of the cluster’s new characteristics.

This article looks at the new features from a data protection perspective, so if you are considering deploying Exchange 2013 SP1 and leveraging the new features, this article is relevant for you.

Introducing the IP Less DAG

With Exchange 2013 SP1 running on Windows Server 2012 R2, it is possible to leverage Database Availability Groups (DAG) without the requirement for a Microsoft Failover Cluster.

Quoting the TechNet article:

DAGs without cluster administrative access points have the following characteristics:

  • There is no IP address assigned to the cluster/DAG, and therefore no IP Address Resource in the cluster core resource group.
  • There is no network name assigned to the cluster, and therefore no Network Name Resource in the cluster core resource group.
  • The name of the cluster/DAG is not registered in DNS, and it is not resolvable on the network.
  • A cluster name object (CNO) is not created in Active Directory.
  • The cluster cannot be managed using the Failover Cluster Management tool. It must be managed using Windows PowerShell, and the PowerShell cmdlets must be run against individual cluster members.

From this information, we can learn that it is only possible to manage the Exchange DAG through the Exchange Administration Center (EAC) or the Exchange Management Shell (EMS), as there is no IP address, DNS name or CNO to connect to (referred to as DatabaseAvailabilityGroupIpAddresses ([System.Net.IPAddress]::None)).

This is completely transparent to clients of the Exchange service, as end users still connect to the Client Access Servers (CAS). Instead of relying on the underlying DAG’s virtual IP address assigned to the Cluster Name Object (CNO), the user is routed to the appropriate active mailbox node by APIs built into the Exchange Server application itself.

Agent based backups do not work

One user over on TechNet seems to have learnt this the hard way, in the thread “Assigning IP to an ‘IP-less DAG’. Should I expect downtime?”:

“So it turns out that most backup software + monitoring software connect to DAG using its IP, which is also called admin access point.”

Most backup and monitoring software leverages agents to back up Exchange. When protecting a DAG, the agent looks up the DAG cluster directly by its Administrative Access Point (IP address or FQDN) and queries which nodes are active or passive. Depending on the settings, either the active or the passive node is used for backups. This is normally a great solution, but as there is no longer any Administrative Access Point to connect to, such legacy methods no longer work.

Some additional examples are highlighted on Jetze’s blog, in the post “Considering an Exchange 2013 DAG without AAP? Careful!”

The solution

This is yet another example of agent-based backups not working in the modern datacenter. I work for Veeam, and one of our Systems Engineers asked internally whether Backup & Replication would support such a configuration. Note that this is my response as of November 22, 2014 (already more than six months ago):

Having researched a bit on this, this is exactly why agent-based solutions do not ‘just work’. The reason legacy solutions are in trouble here is that their agents communicate directly with the DAG or mailbox server(s) to pull out items for granular restores. Since they communicate over IPv4, they are in trouble, because – surprise – an IP less DAG does not have an IP address to communicate with.

Veeam Backup & Replication quiesces the application and creates a snapshot for the entire VM, and for restore purposes it will communicate with Exchange just like any other client: through the Client Access Server. While it is still recommended to back up the passive mailbox server to avoid DAG failover due to fixed timeout values on Exchange Server, both backup and restores are not affected if there is no IP address assigned to the DAG. Actually, it is even possible to back up and restore from a mailbox server with all NICs disconnected. While this is highly unlikely on an Exchange server, this shows the true value of having a fully agentless backup product.
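
The active/passive lookup that an agent would make through the Administrative Access Point can instead be made from the Exchange Management Shell against the individual DAG members. The PowerShell below is an added example, not code from the original post or from Veeam: the function name Get-DagBackupCandidate and the sample objects (DAG1, EX01 to EX03, DB01, DB02) are constructed, and it assumes an IP-less DAG reports [System.Net.IPAddress]::None in DatabaseAvailabilityGroupIpv4Addresses.

```powershell
# Added example (not from the original post). In the Exchange Management Shell, feed it with:
#   $dag    = Get-DatabaseAvailabilityGroup -Identity <DAG name>
#   $copies = $dag.Servers | ForEach-Object { Get-MailboxDatabaseCopyStatus -Server $_.Name }
function Get-DagBackupCandidate {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Dag,         # needs Name, DatabaseAvailabilityGroupIpv4Addresses
        [Parameter(Mandatory)] $CopyStatus   # needs MailboxServer, DatabaseName, Status
    )
    # Assumption: an IP-less DAG reports exactly one address, [System.Net.IPAddress]::None.
    $none   = [System.Net.IPAddress]::None.ToString()
    $ips    = @($Dag.DatabaseAvailabilityGroupIpv4Addresses | ForEach-Object { "$_" })
    $ipLess = ($ips.Count -eq 1 -and $ips[0] -eq $none)

    # Summarise copy states per DAG member: Mounted = active copy, Healthy = good passive copy.
    $members = @($CopyStatus | Group-Object -Property MailboxServer | ForEach-Object {
        $server = $_.Name
        $states = @($_.Group | ForEach-Object { "$($_.Status)" })
        [pscustomobject]@{
            Server    = $server
            Mounted   = @($states | Where-Object { $_ -eq 'Mounted' }).Count
            Healthy   = @($states | Where-Object { $_ -eq 'Healthy' }).Count
            Unhealthy = @($states | Where-Object { $_ -notin 'Mounted', 'Healthy' }).Count
        }
    })
    # A member qualifies as a backup source when it hosts only healthy passive copies.
    $passiveOnly = @($members | Where-Object { $_.Mounted -eq 0 -and $_.Unhealthy -eq 0 })
    [pscustomobject]@{
        Dag        = $Dag.Name
        IpLess     = $ipLess
        Candidates = @($passiveOnly | Select-Object -ExpandProperty Server)
        Members    = $members
    }
}

# Constructed sample data standing in for the cmdlet output of a three-node IP-less DAG.
$dag = [pscustomobject]@{ Name = 'DAG1'
    DatabaseAvailabilityGroupIpv4Addresses = @([System.Net.IPAddress]::None) }
$copies = @(
    [pscustomobject]@{ MailboxServer = 'EX01'; DatabaseName = 'DB01'; Status = 'Mounted' }
    [pscustomobject]@{ MailboxServer = 'EX01'; DatabaseName = 'DB02'; Status = 'Healthy' }
    [pscustomobject]@{ MailboxServer = 'EX02'; DatabaseName = 'DB01'; Status = 'Healthy' }
    [pscustomobject]@{ MailboxServer = 'EX02'; DatabaseName = 'DB02'; Status = 'Healthy' }
    [pscustomobject]@{ MailboxServer = 'EX03'; DatabaseName = 'DB01'; Status = 'Failed' }
    [pscustomobject]@{ MailboxServer = 'EX03'; DatabaseName = 'DB02'; Status = 'Mounted' }
)
$report = Get-DagBackupCandidate -Dag $dag -CopyStatus $copies
$report | Format-List Dag, IpLess, Candidates
$report.Members | Format-Table -AutoSize
```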


Thanks to my fellow Microsoft MVP, Mike Resseler (@MikeResseler), for reviewing this blog post before it was published. As I am not a Microsoft Exchange expert, please let me know if you have any comments.
