Database Availability Groups and Windows Azure

Published Aug 07 2013 08:16 AM

Update 8/13/15: Since publication of this blog post, there have been changes in our Azure support statement related to Exchange Server. Please see KB 2721672 and Using an Azure VM as a DAG Witness Server for more information.

At TechEd North America 2013, we announced that we had begun testing and validation of a new configuration for a database availability group (DAG) that would enable automatic site resilience when two datacenters were used in concert with a witness server that was deployed in a Windows Azure IaaS environment.

During the validation phase of our testing, it became clear that the Windows Azure infrastructure did not support the necessary underlying network components to allow us to configure a supported solution. As a result, we are not yet able to support the use of Azure for a DAG’s witness server.

Background Information

The goal was to derive a supported configuration for Azure subscribers that already had at least two datacenters of their own. The two on-premises datacenters would house the Exchange DAG members, and the witness server would be deployed as an Azure file server VM located in a third datacenter (the Azure cloud).

In order to configure a DAG and its witness across three datacenters, you must meet the following requirements:

  • You need two well-connected datacenters, in which Exchange is deployed
  • You need a third location that is connected via the network to the other two datacenters
  • The third location needs to be isolated from network failures that affect the other two datacenters

Unfortunately, Azure does not offer the infrastructure needed to serve as a third location with the appropriate network connectivity.

Azure Networks

Today, Azure provides support for two types of networks:

  1. A single site-to-site VPN – a network that connects two locations
  2. One or more point-to-site VPNs – a network that connects a single VPN client to a location

To have a server deployed in Azure act as a witness server for the DAG, you would require two site-to-site VPN connections (one connecting each Exchange datacenter to the Azure infrastructure). This is not possible today, as Azure supports only a single site-to-site VPN connection per Azure network. Without a second site-to-site VPN connection for the other datacenter, only one datacenter can have persistent network connectivity with the Azure servers.

A point-to-site VPN cannot be used in the second datacenter for a variety of reasons:

  • A point-to-site connection is designed to be a client VPN connection that connects a single host to the Azure cloud service
  • Point-to-site VPN connections have timeouts and will automatically disconnect after a certain period of time
  • Point-to-site VPN connections do not automatically reconnect and require administrative intervention

Witness Server Placement Considerations

The placement of a DAG’s witness server will depend on your business requirements and the options available to your organization. Exchange 2013 includes support for new DAG configuration options that are not recommended or not possible in previous versions of Exchange. These options include using a third location, such as a third datacenter or a branch office.

The following table lists general witness server placement recommendations for different deployment scenarios.

Deployment scenario / Recommendation

Single DAG deployed in a single datacenter
  Locate the witness server in the same datacenter as the DAG members.

Single DAG deployed across two datacenters; no additional locations available
  Locate the witness server in the primary datacenter.

Multiple DAGs deployed in a single datacenter
  Locate the witness server in the same datacenter as the DAG members. Additional options include:
  • Using the same witness server for multiple DAGs
  • Using a DAG member to act as a witness server for a different DAG

Multiple DAGs deployed across two datacenters
  Locate the witness server in the same datacenter as the DAG members. Additional options include:
  • Using the same witness server for multiple DAGs
  • Using a DAG member to act as a witness server for a different DAG

Single or multiple DAGs deployed across more than two datacenters
  In this configuration, the witness server should be located in the datacenter where you want the majority of quorum votes to exist.

When a DAG has been deployed across two datacenters, a new configuration option in Exchange 2013 is to use a third location for hosting the witness server. If your organization has a third location with a network infrastructure that is isolated from network failures that affect the two datacenters in which your DAG is deployed, then you can deploy the DAG’s witness server in that third location, thereby giving your DAG the ability to automatically fail over databases to the other datacenter in response to a datacenter-level failure event.
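To make the quorum arithmetic behind the placement table and the paragraph above concrete, here is an added Python model (not code from the original post or from Microsoft) that counts node-and-file-share-majority votes for a constructed four-member DAG under several witness placements and failure cases, including the Azure case where only one datacenter has a site-to-site VPN to the witness. The topology, the site names and the assumption that the primary datacenter's partition keeps the SMB lock when both partitions can reach the witness are mine.

```python
from collections import deque
# Constructed topology (added illustration, not from the post): four DAG members in two datacenters.
MEMBERS = {"MBX1": "DC1", "MBX2": "DC1", "MBX3": "DC2", "MBX4": "DC2"}
DATACENTERS = ("DC1", "DC2")

def can_reach(start, target, sites_up, links_up):  # breadth-first search over up sites and up links
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            return True
        for a, b in links_up:
            nxt = b if a == cur else a if b == cur else None
            if nxt in sites_up and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def datacenters_with_quorum(witness_site, sites_up, links_up, lock_holder="DC1"):
    """Node-and-file-share-majority: a partition keeps quorum when its member votes, plus the
    witness vote if it holds the SMB lock on the witness share, exceed half of all votes (members
    + witness). Only one partition can hold the lock; the one containing lock_holder wins ties."""
    dc_links = {l for l in links_up if l[0] in DATACENTERS and l[1] in DATACENTERS}
    partitions = []  # groups of datacenters that still heartbeat over DC-to-DC links
    for dc in [d for d in DATACENTERS if d in sites_up]:
        home = next((p for p in partitions if can_reach(dc, p[0], sites_up, dc_links)), None)
        if home is None:
            partitions.append([dc])
        else:
            home.append(dc)
    reaches = [witness_site in sites_up and any(can_reach(dc, witness_site, sites_up, links_up)
                                                 for dc in part) for part in partitions]
    holder = next((i for i, r in enumerate(reaches) if r and lock_holder in partitions[i]),
                  next((i for i, r in enumerate(reaches) if r), None))
    winners = []
    for i, part in enumerate(partitions):
        votes = sum(1 for site in MEMBERS.values() if site in part) + (i == holder)
        if votes * 2 > len(MEMBERS) + 1:  # strict majority of members + witness
            winners.extend(part)
    return sorted(winners)

WAN, VPN1, LINK1, LINK2 = ("DC1", "DC2"), ("DC1", "AZURE"), ("DC1", "SITE3"), ("DC2", "SITE3")
SCENARIOS = {  # name: (witness site, sites still up, links still up)
    "primary witness, DC1 fails":    ("DC1",   {"DC2"},                 {WAN}),
    "third-site witness, DC1 fails": ("SITE3", {"DC2", "SITE3"},        {WAN, LINK1, LINK2}),
    "third-site witness, WAN fails": ("SITE3", {"DC1", "DC2", "SITE3"}, {LINK1, LINK2}),
    "azure witness, DC1 fails":      ("AZURE", {"DC2", "AZURE"},        {WAN, VPN1}),  # one S2S VPN, from DC1
    "azure witness, DC2 fails":      ("AZURE", {"DC1", "AZURE"},        {WAN, VPN1}),
}
RESULTS = {name: datacenters_with_quorum(*args) for name, args in SCENARIOS.items()}  # [] = no failover
```

Only the isolated third-site witness lets the surviving datacenter keep quorum when the primary datacenter fails; with the witness in the primary datacenter, or in Azure behind a single site-to-site VPN from the primary datacenter, the secondary datacenter has two of five votes and cannot fail over automatically.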

For more information on the witness server and witness server placement, see Managing Database Availability Groups.

Moving Forward From Here

Unfortunately, without the required networking infrastructure in the Azure service, a DAG cannot be deployed on-premises using a witness server in the Azure cloud. The Exchange Product Group has made a formal feature request to the Azure team for multiple site-to-site VPN support. If that feature is introduced by the Azure team, then testing and validation of the Azure witness will reconvene with the hope of producing a supportable solution. In the meantime, Azure is not supported for use as a DAG witness.


Scott Schnoll

Wait... I thought Exchange wasn't supported at all in Azure.  ala

@Alan Ross, Correct; Exchange is not supported on Azure.  But here we are talking about the possibility we looked into about using a file server in an Azure IaaS infrastructure as a witness server for a database availability group. As the witness server does not need to run Exchange (as it's just a simple Windows Server file share), we aren't talking about running Exchange on Azure.

Too bad, it would have been a very useful feature suitable for many customers. Let's hope that the Azure team will implement the support needed, thanks for the update Scott!

I commend the team for trying. I have a feeling this isn't over yet, I'm sure the guys are exploring other methods to achieve the same goal.

I'm looking forward to seeing the results!

Can we place the witness in a third location (different AD site) in Exchange 2010, so that automatic failover happens if something goes wrong in the primary datacenter?

@Jeevan, no, that option is for Exchange 2013 only.  See which discusses why.

@Scott is there any option to use cloud as DR site for exchange 2013 ?

@Satya11, not at this time.

Hi Scott, could you explain to us which new process makes it possible to locate the file share witness in a third datacenter, unlike in Exchange 2010? According to your great article, the SMB lock placed by the first node on the witness.log file would always prevent another node from locking it and becoming the locking node. From that moment, the only way for a second DAG member to participate in quorum was to be able to communicate with the locking node to remain functional. Is there something new?

@Cohnelly, there are several changes in Exchange 2013 that make it possible, including server role consolidation changes, internal architecture changes, load balancing and namespace simplification changes and options, de-coupling of CAS and Mailbox from a recovery and AD standpoint, and others.  I discuss these in my sessions on Exchange 2013 HA and Site Resilience, which you can watch at any of the following links (most recent session at the bottom):

Hope this helps.

Version history
Last update:
Jul 01 2019 04:14 PM