In the previous posts on RBAC we have looked at customising various roles to ensure that the role contained the minimum amount of cmdlets.  RBAC provides even more granularity, and we can add or remove specific parameters from a cmdlet.  Since some folks asked for examples on this topic here are a couple of quick examples and some considerations….

If you want to use ECP, please read all the way down to the bottom.  The initial examples will work with the Exchange Management Shell but there are a couple of extra considerations for ECP.

Setting The Stage

As a scenario, let’s invent a crappy work task that some unlucky person could be asked to perform.  Let’s say there is a mobile phone management team within a large business and their sole responsibility is to assign mobile phones and numbers to people.  As part of this they need to be able to update the MobilePhone property of all users.  They should not be  able to modify any other attributes at all.

The cmdlet that we want is Set-User  and the MobilePhone parameter.

Locate The Cmdlets

This section builds and creates the custom RBAC role that we will use.  Firstly lets see where the relevant cmdlets and parameters live!

We can use the Get-ManagementRole cmdlet to see where the cmdlet lives using the -Cmdlet and -CmdletParameters respectively.  Below we can see where both the Set-User and MobilePhone exist:

Since the Set-User with the MobilePhone parameter exists in the Mail Recipients role, let’s use that role.  As before the built-in roles are read only and we cannot make any changes to them.  So we need to make a copy of the role, and since this copy is writable we can make the necessary changes.  Our custom role will be called Mobile-Phone-Jockeys.

New-ManagementRole -Name "Mobile-Phone-Jockeys" -Parent "Mail Recipients"

If we check the contents of our new Management Role, we will see that it contains all the cmdlets and parameters present in the original parent role – not surprising since it was a copy….

Get-ManagementRoleEntry "Mail Recipients\*" | Measure-Object

Get-ManagementRoleEntry "Mobile-Phone-Jockeys\*" | Measure-Object

We need to remove all the cmdlets that we do not want, so the quickest way to do this is to get a list of cmdlets that do not match Get-User and then once we check the list, remove them.

Note: Always check the objects returned are as expected prior to piping to the remove cmdlet!

So in this case we would run

Get-ManagementRoleEntry  -Identity "Mobile-Phone-Jockeys\*" | Where-Object {$_.Name -ne 'Get-User'}

Only when we are happy with what is returned should we run:

Get-ManagementRoleEntry  -Identity "Mobile-Phone-Jockeys\*" | Where-Object {$_.Name -ne 'Get-User'} | Remove-ManagementRoleEntry

If we check to see what’s now in the Mobile-Phone-Jockeys Role, it only contains the Get-User cmdlet.

Get-ManagementRoleEntry –Identity "Mobile-Phone-Jockeys\*"

Add A Single Parameter

At this point the Get-User cmdlet is the only entry left in the Management Role.

Let’s add back the Set-User cmdlet, with *ONLY* the ability to set the MobilePhone parameter, and the identity parameter.

Add-ManagementRoleEntry "Mobile-Phone-Jockeys\Set-User"  -Parameters MobilePhone, Identity

Get-ManagementRoleEntry "Mobile-Phone-Jockeys\*"

This is a great example of adding in a specific parameter, when the cmdlet did not already exist.

If you are wondering about the Identity parameter that is also present with MobilePhone, keep reading!

Add Multiple Parameters

Taking the example above we could have specified multiple parameters in the same command.  if we deviate from the example above slightly and pretend that our Mobile-Phone-Jockey role has now become responsible for also assigning office phones then they need to also set the Phone attribute.  You can specify multiple parameters, separated with commas.

Add-ManagementRoleEntry "Mobile-Phone-Jockeys\Set-User"  -Parameters MobilePhone, Phone, Identity

Changing Existing Parameters

If we want to go about modifying a cmdlet’s list of parameters, a good guess would be that we would use the Add-ManagementRoleEntry or Remove-ManagementRoleEntry but neither will do what we need.  They just add or remove the entire Management Role Entry.  In the case of changing the available parameters on an existing role entry we need to use the Set-ManagementRoleEntry cmdlet.  Its Parameters switch has the following modes:

1. When used with the AddParameter parameter, the parameters you specify are added to the role entry.
2. When used with the RemoveParameter parameter, the parameters you specify are removed from the role entry.
3. When neither the AddParameter nor RemoveParameter parameters are used, only the parameters you specify are included in the role entry. If you specify a value of $Null and neither the AddParameter nor RemoveParameter parameters are used, all of the parameters on the role entry are removed.

So if we want to remove all parameters from the Set-User cmdlet apart from MobilePhone and Identity we could run:

Set-ManagementRoleEntry "Mobile-Phone-Jockeys\Set-User" -Parameters MobilePhone, Identity

Get-ManagementRoleEntry "Mobile-Phone-Jockeys\*"

An alternative would have be to remove just the Phone parameter

Set-ManagementRoleEntry "Mobile-Phone-Jockeys\Set-User" -Parameters Phone –RemoveParameter

Get-ManagementRoleEntry "Mobile-Phone-Jockeys\*"

The end result is the same in this case, and you can choose the  method that makes the most sense!

Want To Live Like Common People

< Common People courtesy of Pulp >

One interesting thing to note is that when we try to prune out the parameters that we do not want, the common ones should typically be left.  They are needed to ensure that we can perform the basic aspects of the cmdlet.  This includes parameters like WhatIf, DomainController or Verbose.  None of these apply changes to a mailbox or user, but they allow us to control how the operation is performed.

Trying to see them can be a little tricky.  Look at the truncated display here indicated by the three periods:

To review all the parameters present in a Management Role Entry I like to do the following:

$Params = Get-ManagementRoleEntry  “Mail Recipients\Set-user” | Select Parameters

$Params.Parameters

$Params.Parameters  will output the entire content of the attribute to the screen. If we split the  output to see what parameters are the common ones and what are specific to the Set-User cmdlet we will see:

Specific Parameters

AssistantName, CertificateSubject, City, Company, CountryOrRegion, Department, DisplayName, Fax, FirstName, HomePhone, Initials, LastName, Manager, MobilePhone, Name, Notes, Office, OtherFax. OtherHomePhone, OtherTelephone, Pager, Phone, PhoneticDisplayName, PostalCode, PostOfficeBox,  ResetPasswordOnNextLogon, SamAccountName, SeniorityIndex, SimpleDisplayName, StateOrProvince,  StreetAddress, TelephoneAssistant, Title, UserPrincipalName, WebPage, WindowsEmailAddress

Common Parameters

Confirm, Debug, DomainController, ErrorAction, ErrorVariable, Identity, IgnoreDefaultScope, LinkedCredential, LinkedDomainController, LinkedMasterAccount, OutBuffer, OutVariable, RemotePowerShellEnabled, Verbose, WarningAction, WarningVariable, WhatIf

Why is this worth mentioning, well if the necessary common parameters to run cmdlet are not present then it does not run, savvy?

If Identity is not specified for the Set-User cmdlet then you are going to see this fun error:

The operation couldn't be performed because object 'test-6' couldn't be found on 'exch-dc.tailspintoys.com'.
    + CategoryInfo          : NotSpecified: (0:Int32) [Set-User], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : 98454A26,Microsoft.Exchange.Management.RecipientTasks.SetUser

Why can we not find the account? It is clearly there as we can see with the first command Get-User.

The identity parameter is not present on the Set-User cmdlet in the custom Management Role. This can be a little confusing as we can type "Set-user -Identity" so where is the Identity parameter coming from?   Note that the –identity parameter is visible since it is present within the Role Assignment Policy.  Role Assignment Policy is just for end user RBAC and is scoped to the individual user thus it cannot be used to modify other users. When we want to modify a user account that is not our own the Role Assignment Policy does not apply as it does not fall within  the scope of 'SELF", and we look to the other Management Role which is Mobile-Phone-Jockeys in this case.  Since Mobile-Phone-Jockeys does not have the Identity parameter the command fails to change the properties of user account Test-6".

Morale of the story?  Be sure to include the necessary common parameters else you will get some “interesting” results…

Testing

Testing time, and arguable the most important section!!   Let’s assign the Mobile-Phone-Jockeys management role to a test user called User-15.

And to confirm the Mobile-Phone-Jockeys management role contains:

Testing via Exchange Management Shell on User-15’s Windows 7 x64 desktop shows that RBAC is working and they can modify the Mobile number for a separate user (Test-6):

Happy days?  Well almost…

You think you are done, and the testing was OK.  But then you get a call saying that  ECP cannot be used, as the option to view other mailboxes is not present.  Huh?  Are the permissions not correct?  Permissions are correct as we tested them, so what gives?  This is what User-15 sees in ECP, note there is no Manage My Organization option along the top, and the shortcut on the right pane does not take us their either.  The shortcut has this link:

https://mail.tailspintoys.com/ecp/PersonalSettings/HomePage.aspx?showhelp=false&#

How to fix this? We need to make ECP display the Manage My organization option.  We do this by adding cmdlet(s) that will force the option to be displayed, and the in this case we will add Get-Mailbox and Get-Recipient.  Lets add them in:

Add-ManagementRoleEntry Mobile-Phone-Jockeys\Get-Mailbox

Add-ManagementRoleEntry Mobile-Phone-Jockeys\Get-Recipient

Get-ManagementRoleEntry Mobile-Phone-Jockeys\*

With the modified Management Role Entries, User-15 now sees:

Note that the Manage My Organization is visible, and so are the mailboxes in the organization. The shortcut to Manage your organization link now takes us to the organization management page in ECP .

Double clicking to edit one shows that that User-15 has the permissions to edit the Mobile Phone field as it is not locked out.  Fields in grey are locked out.

Concluding Thoughts

We can see that RBAC allows for a great deal of customisation, right down to the individual parameters that are available!  This is an amazing amount of flexibility, and there is one glaring thing that should be striking Exchange 2003 and 2007 admins at this point.  Did we change a single ACL to the objects in AD?  NO!  Not a single one.  We focussed on the business requirement, which was to allow the phone team to update the mobile number assigned to users, and did not have to think about ACLs.  This is a huge win as having to get change records cut to modify AD ACLs is a challenge.

This is made possible by the Exchange Trusted Subsystem universal security group as it is that group that has the permissions to the AD objects.  RBAC enforces and controls the cmdlets and parameters that you can see and thus use thereby controlling what changes are made to the Exchange objects.

Cheers,

Rhoderick

>>>

To address the security issues present in bulletin MS13-105 all supported versions of Exchange 2007, 2010 and 2013 are receiving updates to allow customers to address the security vulnerabilities.   Depending upon the version of Exchange the delivery method will vary.  Exchange 2007 and 2010 provides updates and security fixes via Rollup Updates (RUs).  Exchange 2013 has a different servicing strategy where product updates are delivered by Cumulative Updates (CUs) and security fixes are provided in separate security releases.  In other words you do not have to deploy a CU just resolve a security issue.  This was an often requested feature as customers want to quickly patch for security issues, but evaluating other fixes that may be present in a RU and how that could affect the environment extended the patching time.

 Update 17-12-2013: Added link to issue with Exchange 2010 SP2 RU8 that my happen with certain languages, with message "Error Reading From File".

Update:  6-2-2014 Folder views are not updated when you arrange by categories in Outlook after you apply Exchange Server 2010 Service Pack 3 Update Rollup 3 or Update Rollup 4

Links To Updates

Exchange 2007 SP3 RU12

Exchange 2010 SP2 RU8

Exchange 2010 SP3 RU4

Exchange 2013 CU2

Exchange 2013 CU3

Note that Exchange 2003 is not listed in this security bulletin.

Exchange 2013

Since Exchange 2013 allows security fixes to be released separately from the regular product CUs, implementing these security updates is easier compared to Exchange 2007/2010.   Update MS13-105  supersedes MS13-061.  There is no need to uninstall the previous security fix prior to installing MS13-015.  Note that there is no provided fix for Exchange 2013 RTM or Exchange 2013 RTM CU1.  Why you ask?  The answer is because those 2013 builds do not receive security updates or other fixes.

Please also review the posts on deploying Exchange 2013 RTM CU2 and CU3.

Exchange 2007 & Exchange 2010

With Exchange 2007 and 2010 security updates and product updates are both delivered via RUs.  Exchange 2010 SP3 RU3 was recently released, and Exchange 2010 SP3 RU4 contains only the additional fixes for the security issues.   For example if you are currently running Exchange 2010 SP3 RU1, then you will need to review the fixes present in Exchange 2010 SP3 RU2 and RU3.  A similar pattern is also present with Exchange 2010 SP2 and Exchange 2007 SP3.

For details on updates on previously released RUs please see the following posts:

Exchange 2007 SP3 RUs

Exchange 2010 SP2 RUs

Exchange 2010 SP3 RUs

Exchange 2010 SP2 RU8 has an installation issue with certain languages. You may get the "Error reading from file" message.  Please see the link for details and resolution.

Once you have reviewed the previous posts and then tested the updated in a lab then it is time to start the production rollout!

Cheers,

Rhoderick

>>>

When Exchange 2013 was released it heralded a different servicing strategy compared to Exchange 2007 and 2010 Rollup Updates (RU).  Exchange 2013 uses Cumulative Updates (CU) to deliver the servicing updates to customers.  As previously discussed, a CU is a different animal when it comes to the update methodology.  CUs are larger, cannot be uninstalled and are a full product installation.  This was announced by the Exchange team on the EHLO blog.  

Update 11-12-2013:  Updated post to reflect changes announced with Exchange 2013 RTM CU2

Update 23-03-2014: Updated post to add Exchange 2013 SP1 (Which is CU4)

Update 28-5-2014:  Updated post to add Exchange 2013 CU5

Update 17-7-2014: Moved security update information out of table

How Long Is A CU Supported?

The original support statement was to allow for a period of three (3) months after the release date of the next CU.

When Exchange 2013 RTM CU2 was released, an update was announced.  Customers will continue to receive assistance from Microsoft Support for the lifecycle of the Exchange server product - a customer is not required to be at the most current CU to receive assistance.  There are two scenarios to clarify though:

1. If during the course of a support incident it is determined that the solution is available in a published CU (e.g., CU2), the customer will be required to install the update that contains the fix. We will not be building a new fix to run on top of a CU published earlier (e.g., CU1).
2. If during the course of a support incident it is determined that you have discovered a new problem for which we confirm a fix is required, that fix will be published in a future CU that you can then install to correct the problem reported.

See also the note below regarding security updates and servicing. 

Exchange 2013 Release Dates And Security Update Status

The table below is based off the Exchange 2013 release dates TechNet article.  The intent is to show when an Exchange 2013 build was released and the availability of security updates.  Security updates will be available for 3 months after the next CU release date. 

Exchange Product Lifecycle

The Microsoft lifecycle site is available to indicate the release, Mainstream and extended support dates for Exchange 2013.  Please note that the support lifecycle site has now been updated for Exchange 2013 SP1. 

Exchange 2013 SP1 will be required on the 14th of April 2015.

Cheers,

Rhoderick

The syntax to install Exchange Cumulative Updates (CU) via the command line is pretty straight forward. However there are some common themes that still pop up in the TechNet forums, cases and customers that I speak with.  So I wanted to discuss some of the issues that can and will arise.  There are a range of issues in here from:

• Setup can't continue with the upgrade because the PowerShell has open files *
• You need to accept the license terms to install Microsoft Exchange Server 2013
• I just installed a CU and it is not showing in Add/Remove programs
• I just installed a CU and it is not showing in Programs and Features
• Exchange 2013 CU was installed but version number stayed the same
• Exchange 2013 CU was installed but build number stayed the same

 
Update 11-12-2013: Added note back to the TechNet Exchange 2013 unattended documentation

Update 15-10-2014: Added note to not run the shortcut commands.  Full syntax should be used to prepare the Schema and AD.

Meet Our Guinea Pig Server

No it is not a cute and fluffy rodent!  On this Exchange 2013 RTM CU2 lab machine, the CU3 bits are present on the D:\ drive which is a DVD.  The necessary steps to update  the AD schema, etc. were already done by the relevant AD team.  Well that was me wearing a different hat – the grumpy triangle hat!

We can see the commands executed below:

Note: This article was written in the CU2 timeframe.  There are issues running the shortcut commands in the newer Exchange 2013 builds,  Please use the full syntax and not the shortcut syntax that is shown below.

setup.exe  /PS    /IAcceptExchangeServerLicenseTerms

setup.exe /PAD  /IAcceptExchangeServerLicenseTerms

setup.exe /PD    /IAcceptExchangeServerLicenseTerms

So let’s not worry about the Prepare Schema aspects or the permissions required to execute them.  We want to focus on a simple server installation.

We shall look at server called F2013-CAS1, which is an Exchange 2013 CAS with CU2 installed.  In  the DVD drive Exchange 2013 RTM CU3 is loaded. The starting build version, which is CU2,  can be seen below:

What are some of the issues that can cause grief when installing ?

Issue #1 - Running setup.com

There is no setup.com in Exchange 2013.  Setup.exe is used for both GUI and command line installations.  It’s  a habit to get out of.  And yes, I frequently autopilot to this!

Issue #2 – Not Specifying License Acceptance Switch

In an automated Exchange 2010 installation there was a pause to allow the admin the chance to reject the license terms.  If the admin did nothing then the license was accepted.  In Exchange 2013 the license terms must be explicitly accepted.  Using GUI setup we have the ticky box, and in command line setup we use this setup parameter:

/IAcceptExchangeServerLicenseTerms

If this is not entered on a command line task, then the task will fail.  You will be the lucky owner of the following error message:

Welcome to Microsoft Exchange Server 2013 Cumulative Update 3 Unattended Setup
You need to accept the license terms to install Microsoft Exchange Server 2013.
To read the license agreement, visit http://go.microsoft.com/fwlink/p/?LinkId=150127. To accept the license agreement, add the /IAcceptExchangeServerLicenseTerms parameter to the command you're running. For more information, run setup /?

Issue #3 – Exchange Tools Left Open

This could also affect an Exchange 2010 installation as well.  The issue here is that there are Exchange tools still running on the server when trying to apply the CU.  Make sure all other users are logged off, you are the only one connected and the Exchange Management Shell is closed.

Installation should be done from an elevated prompt.  DO NOT use the Exchange Management Shell to launch command line Exchange installations.  Your installation will fail as PowerShell will still have files open and you will get the following error:

[PS] D:\>.\Setup.exe /Mode:Upgrade /IAcceptExchangeServerLicenseTerms

Welcome to Microsoft Exchange Server 2013 Cumulative Update 3 Unattended Setup
Copying Files...
File copy complete. Setup will now collect additional information needed for installation.
Languages
Client Access role: Front End Transport service
Management tools
Client Access role: Client Access Front End service

Performing Microsoft Exchange Server Prerequisite Check

    Configuring Prerequisites                                                                      COMPLETED
    Prerequisite Analysis                                                                             FAILED
     Setup can't continue with the upgrade because the powershell (4484) has open files. Close the process, and then restart Setup.
     For more information, visit: http://technet.microsoft.com/libraryEXCHG.150)/ms.exch.setupreadiness.ProcessNeedsToBeClosedOnUpgrade.aspx

The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the  < SystemDrive>:\ExchangeSetupLogs folder.
[PS] D:\>

If you are interested, use Process Explorer to verify which process running is responsible for the open files.

Issue # 4 – Not Using An Elevated Prompt

Ensure that the prompt being used is elevated if UAC is enabled. This ensures that the setup process is launched with the required rights.  As with some of the other issues above, this was also an issue with Exchange 2010 installations.   Recent Exchange 2010 updates error and say the installation ended prematurely, though some of the earlier Exchange 2010 updates would do some unpleasant things.

Always install from an elevated command Prompt!

Issue # 5 - Pending Restart

Make sure that the server is in a known good state to receive the CU.  There should be no pending restart tasks on the server which could be caused by installing other pieces of software.  In larger organisations ironically this may not be caused by the Exchange admins, rather other teams that are responsible for managing different aspects of the company.  This could be due to installing or updating backup, AV, monitoring, patching, hardware tools or VM add-ons.  The other team is happy that their maintenance went OK, but they left a pending file operation that needs a restart but the required restart never occured.  The poor Exchange admin either has to get permission to deviate from their prescribed maintenance activity or abort and reschedule for later.

There are several places a restart flag could be squirreled.  This is not an exhaustive list:

• Look at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
  • PendingFileRenameOperations
• Use Sysinternals Pendmoves.exe to see if there are pending operations
• HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing
  • RebootPending

Issue # 6 – Reinstalling The Existing CU

We saved the best for last! This is one of those “tearing my hair out as I swore that I just installed that CU” but:

• The Exchange version remains the same. Or put another way the build number remains the same.
• I do not see my CU listed in add/remove programs (or whatever it is called this month).
• I installed a CU but an issue that was meant to be resolved is not fixed

There are a few more variants of the angst described above, but let’s discuss the issue rather than go down that rabbit hole further.  As we saw in Issue #3, running setup in the Exchange Management Shell (EMS) causes issues so what some admins then do is close EMS and then fire up a standard PowerShell prompt.  As discussed in Issue #4 this should be elevated.

In the example below, we can see that this is indeed a standard PowerShell prompt which is elevated.  Note that we changed to the root of D:\ which is our Exchange 2013 RTM CU3 installation media.  All good so far! We then kick off the CU3 installation process.

setup.exe /Mode:Upgrade /IAcceptExchangeServerLicenseTerms

That looks great!  But is it?  The answer is no.

If you look very closely at what Exchange has said to us in the very first line we see this

Welcome to Microsoft Exchange Server 2012 Cumulative Update 2 Unattended Setup

Did you spot the issue there?  Go back and re-read if not.

You should be thinking what the heck?  I Launched CU3 setup, and Exchange is telling me that it’s re-installing CU2???  I already installed CU2, why is it re-installing the old CU?

This is not an Exchange issue, this is a base PowerShell piece of functionality.  PowerShell wants to know exactly where the item you are running is located and in this case because you did not specify a local copy of setup.exe  using syntax .\Setup.exe then it has gone and searched through the path statement to locate a copy.

Let’s take a simple example to open a text file called File.txt in the C:\Temp folder.  Look what happens below when entering only  “File.txt”  and compare that to “.\File.txt”.

Note the last command completed successfully, it is prefixed by .\

This prefixing happens automatically with tab complete, so you may not have previously noticed this.  But when pasting in commands into PowerShell make sure .\ is used to explicitly state what command you are running .  If we check the PowerShell help by reviewing the output from:

Get-Help about_Command_precedence

To run a script that is in the current directory, specify the full  path, or type a dot (.) to represent the current directory.  For example, to run the FindDocs.ps1 file in the current directory,  type:

    .\FindDocs.ps1

If you do not specify a path, Windows PowerShell uses the following  precedence order when it runs commands:

     1. Alias
     2. Function
     3. Cmdlet
     4. Native Windows commands

What copy did it find?  It found the CU2 Setup.exe that is the Exchange BIN folder.  The BIN folder is included in the path which is why we located it.  We can see this here.

Get-ChildItem env:path | Fl

C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft\Exchange Server\V15\bin;C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Native\

And for giggles, lets use Process Monitor to show which Setup.exe has been used.  When .\ is omitted and only setup.exe is entered in PowerShell. we observed Setup.exe being located in the C:\Program Files Folder even though we launched from the D:\ drive.

In this instance we launched using .\Setup.exe  from the root of the D:\ Drive

Bit of a difference, no?

The Exchange 2013 Unattended Mode documentation on TechNet does state that a command prompt should be used.

Note that the PowerShell path may be different from the CMD path statement.

How do we fix this?  There are two choices:

1. Adhere to PowerShell’s stricter path syntax and specify .\Setup.exe
2. Use elevated CMD prompt

Successful examples of both are shown below:

Bonus Issue # 7 – Shortcut Syntax

This is an addition after the initial post.  In the newer builds of Exchange 2013, there are some issues with running commands with the shortcut syntax. 

Please ensure that you are using the full syntax to prepare the Schema and AD.  If you look at the TechNet documentation the full syntax is used. 

Summary

I’d love to hear feedback from the field if this is helpful or if you have other questions / comments on the topic!

To recap:

1. Exchange 2013 does not have setup.com
2. Always specify the license acceptance switch.
3. Close all Exchange tools prior to starting installation
4. Install using elevated prompt
5. Check that there are no pending restart operations
6. Check PowerShell syntax so you don’t re-install the current CU

Cheers,

Rhoderick

* - (sic)

Exchange 2010 introduced the concept of Datacentre Activation Coordination  (DAC). DAC is a property found on a Database Availability Group (DAG).  It still remains slightly mysterious to some folks out in the field, so its certainly worth bringing it back up for discussion.

Tim McMichael’s famous paper plate demo with lots of willing participants was one of my MCM 2010 highlights!

Typically we see the following questions around DAC:

• Does a DAG have DAC enabled by default
• How do I enable DAC
• How do I disable DAC
• What benefits does DAC give me with two AD sites
• Should I enable DAC for a DAG in a Single AD site
• Is enabling DAC on a DAG in a single AD site supported
• What benefits does DAC give me in a single AD site

Is DAC Enabled By Default

NO.   You must explicitly enable it in Exchange Management Shell

To Enable DAC

Set-DatabaseAvailabilityGroup  -Identity DAG-01 -DatacenterActivationMode DagOnly

 

To Disable DAC

Set-DatabaseAvailabilityGroup  -Identity DAG-01 –DatacenterActivationMode Off

 

 

What Benefits Does DAC Give Me With Two AD Sites

TechNet has a good write up on DAC.  DAC mode is designed to prevent split brain from occurring by including a protocol called Datacenter Activation Coordination Protocol (DACP). Why is this needed?  Let’s go back in history for a quick story.  

I used to have an Exchange 2007 CCR cluster in Toronto and a  SCR node in Vancouver.  When the power failed (as it often did) in Toronto, we would activate the SCR node and get service restored.  That was all good, but when the power came back up in Toronto the CCR cluster had quorum, and since the cluster service was responsible for mounting databases, the databases were mounted.  The network team would need to do their magic on the WAN, but that was not always quick.  Spot the problem there?  I have one instance of DB1 mounted and running in Toronto and another instance of DB1 mounted and running in Vancouver!   There is no network access between sites, and AD cannot replicate with the changes.  Holy database divergence Batman!!  Since the DBs had diverged, say hello to all databases being reseeded over the WAN back to Toronto.  I used to work around this by setting the BIOS on the physical Exchange boxes not to power on after power loss, and there were copious stickers instructing the NOC not to power on without permission.  When it came time to power on, servers were started one at a time and the cluster service was stopped to prevent the databases from mounting. Pretty ugly.  Pretty manual.

If only we had something else that was smarter than the cluster service and was aware of such a situation…

That’s where DAC comes in.  Think of DAC as application level quorum, over and above what is present in the Windows failover cluster service. 

DAC is designed to prevent databases mounting is such a situation.  Even if some servers have obtained quorum at the Windows cluster level they are still not allowed to mount databases.  Remember that Exchange 2010 does not install  Exchange specific resources into the cluster, and Exchange itself is responsible for database failover and mounting.  This is why Active Manager was added.  But don't go looking for a Windows service called Active Manager, all of this code runs within the Replication Service.  DAC makes Active Manager store a bit in memory (you can’t see it so don't go looking) and when the server starts up the bit is set to zero.  Databases can only be mounted if the bit is set to one. How does the bit get set to one?  Either that server:

• Can contact all the servers on the StartedMailboxServers list – i.e. have access to all necessary nodes
• Can contact another server on this DAG with the bit set to 1.

A database can only be mounted on the server if the bit is set to 1.   Tim describes this as the “Mummy, may I ?” bit.  In other words, Active Manager starts up and seeks permission before it blindly mounts databases. 

Taking our Toronto / Vancouver scenario into the Exchange 2010 world we would have a DAG that spans two Active Directory sites (no more LCR/CCR/SCR complexity).  There would be two Mailbox servers in Toronto and a third in the Vancouver site.  We must manually enable DAC. 

When the Toronto side went down we would perform the necessary manual steps to activate the Vancouver DR infrastructure.  And when the power came back in Toronto we see a difference.  The servers could start up and if they could form a cluster with quorum, the cluster service would be up and running.  Because the DACP bit is set to 0 on start-up and the Toronto servers cannot get over the WAN to a Vancouver server with the DACP bit set to 1, the Toronto servers cannot change their bit to 1.  Since the Toronto servers have a DACP bit of 0, they are unable to mount databases even if the cluster service has quorum. 

When the WAN comes back, the servers can then communicate and the Toronto server’s DACP bit will go to 1.  They can then mount databases.  However the Toronto database copies need to get synchronised with the changes written to the log stream in Vancouver.   If all the necessary log files are present the databases will update and the full reseed operation is prevented.  Also note there is none of that nasty database divergence stuff!

DAC also simplifies the process of restoring service into the DR data centre.  See the section at the bottom for more details on this.

Should I Enable DAC for a DAG In A Single AD Site

At this point the value of DAC can be seen, and this is how it was with Exchange 2010 RTM -  DAC was only supported with 3+ member DAGs in multiple AD sites. 

Exchange 2010 SP1 added more high availability features, and extended DAC so that it supports a DAG in a single data center.  This is buried in the New High Availability and Site Resilience Functionality in Exchange 2010 SP1 article.

In Exchange 2010 SP1, DAC mode has been extended to support two-member DAGs that have each member in a separate data center. DAC mode support for two-member DAGs uses the witness server to provide additional arbitration. In addition, DAC mode has been extended to support DAGs that have all members deployed in a single Active Directory site, including single Active Directory sites that have been extended to multiple locations.

What Benefits Does DAC Give Me In A Single AD Site

In addition to the datacentre resilience aspects there is also another benefit with DAC.  If DAC is not enabled then we need to kick it old school and use failover cluster techniques to manage service restoration.  If DAC is enabled we do not have to do this, and we can control all of the work from the native Exchange management shell. 

• Stop-DatabaseAvailabilityGroup
• Restore-DatabaseAvailabilityGroup
• Start-DatabaseAvailabilityGroup

For details on DAC and Data Centre activation please see:

TechNet  - Datacenter Switchovers

Tim’s Datacenter Switchover Tool on the Exchange team blog

Tim's blog

 

Cheers,

Rhoderick

 >>>