Is it advisable to use a domain controller as the witness server for the Database Availability Group in Exchange Server?

Narayan Das Kohli 5 Reputation points
2024-12-05T10:56:12.1133333+00:00

We have an on-premises Exchange Server setup in a Windows Server 2019 Standard environment: two servers for the primary site and two for the DR site, with one witness server (a domain controller). Is it recommended to use a DC as the DAG witness or not? If not, what is the impact? Kindly share the recommended architecture for the witness server. Thank you.

Tags: Windows Server 2019, Windows Server, Active Directory, Microsoft Exchange Online Management, Exchange Server Management

2 answers

Sort by: Most helpful
  1. Andy David - MVP 151K Reputation points MVP
    2024-12-05T11:27:58.7533333+00:00

    It's not; you should use a small-sized server. Why? Because if you have to do any troubleshooting, you avoid the need to mess with a DC.

    It also means adding the Exchange Trusted SubSystem group to the DC:

    https://support.microsoft.com/en-us/topic/the-exchange-server-is-not-a-member-of-exchange-trusted-subsystem-2c4d47c7-d5a2-8976-c059-132b43104fd2

    So, all in all, not recommended for management and security reasons.

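The two points in the answer above (is the witness a DC, and does Exchange Trusted Subsystem hold local Administrators membership on a non-Exchange witness) can be checked from the Exchange Management Shell. The script below is an added example for this thread, not code from either answer or from Microsoft. It assumes it is run on a DAG member with the ActiveDirectory RSAT module installed and WinRM open to the witness; `DAG01` is a placeholder DAG name, and `Get-ADDomainController -Filter *` only lists the DCs of the member's own domain, so in a multi-domain forest the DC check must be repeated per domain.

```powershell
# Added example (not from the original thread): audit the current DAG witness for the two
# concerns raised above: is it a domain controller, and does "Exchange Trusted Subsystem"
# have the local Administrators membership a non-Exchange witness needs?
# Assumptions: run in the Exchange Management Shell on a DAG member, with the ActiveDirectory
# RSAT module installed and WinRM open to the witness. 'DAG01' is a placeholder DAG name.
param([string]$DagName = 'DAG01')

Import-Module ActiveDirectory

$dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
# The witness may have been entered as a short name; resolve it to an FQDN for comparisons.
$witnessFqdn = [System.Net.Dns]::GetHostEntry($dag.WitnessServer.ToString()).HostName
$witnessHost = $witnessFqdn.Split('.')[0]

# 1. Is the witness one of this domain's domain controllers?
$dcFqdns = (Get-ADDomainController -Filter *).HostName
$isDc = $dcFqdns -contains $witnessFqdn

# 2. Is the witness a computer object in the same domain as this DAG member?
$witnessAd = Get-ADComputer -Filter "Name -eq '$witnessHost'"
$sameDomain = [bool]$witnessAd

# 3. Exchange Trusted Subsystem in the witness's local Administrators group.
#    A DC has no local Administrators group (the LocalAccounts cmdlets do not work there),
#    so this check is skipped for a DC and the DC case is reported separately.
$etsInLocalAdmins = $null
if (-not $isDc) {
    $ets = "$((Get-ADDomain).NetBIOSName)\Exchange Trusted Subsystem"
    $etsInLocalAdmins = Invoke-Command -ComputerName $witnessFqdn -ScriptBlock {
        param($GroupName)
        $names = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
        $names -contains $GroupName
    } -ArgumentList $ets
}

# 4. The file share witness is an SMB share, so TCP 445 must be reachable from every DAG member.
$smbReachable = (Test-NetConnection -ComputerName $witnessFqdn -Port 445).TcpTestSucceeded

[pscustomobject]@{
    DAG                       = $dag.Name
    WitnessServer             = $witnessFqdn
    WitnessDirectory          = $dag.WitnessDirectory
    WitnessShareInUse         = $dag.WitnessShareInUse   # Primary / Alternate / None / InvalidConfiguration
    WitnessIsDomainController = $isDc
    WitnessInThisDomain       = $sameDomain
    ETSInLocalAdministrators  = $etsInLocalAdmins        # $null when the witness is a DC
    Smb445Reachable           = $smbReachable
}
```

Run it once per DAG member: `WitnessShareInUse` reads `Primary` on a healthy four-node DAG, and a `$false` in `Smb445Reachable` from any one member points at a firewall between that member and the witness rather than at the witness itself. If `WitnessIsDomainController` is `$true`, the group membership Exchange needs lives in the domain's built-in Administrators group, which is the broad grant the answer above is warning about.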

  2. Jake Zhang-MSFT 7,925 Reputation points Microsoft Vendor
    2024-12-06T06:36:21.7566667+00:00

    Hi @Narayan Das Kohli ,

    Welcome to the Microsoft Q&A platform!

    Microsoft generally does not recommend using a domain controller (DC) as a database availability group (DAG) witness server. Here are the reasons and recommended architectures:

    Why not use a DC as a DAG witness server?

    1. The witness server should be a minimal role server to reduce the attack surface. DCs have broader roles and run more services, which increases risk.
    2. The additional load on the DC affects its primary function, which can affect the overall performance of the network.
    3. Combining roles makes troubleshooting more complex and time-consuming.

    Recommended architecture for a witness server:

    1. Ideally, the witness server should be a dedicated server that does not perform any other roles. This minimizes security risks and simplifies management.
    2. If possible, place the witness server in a third site. This helps ensure that the witness server is available even if one of the primary sites fails.
    3. Make sure the witness server is configured with the necessary permissions and belongs to the same Active Directory domain as the DAG members.

    For detailed guidance on setting up a DAG and preferred architecture, you can refer to Microsoft's Exchange 2019 preferred architecture.


    Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

    Best,

    Jake Zhang
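The remediation that follows from the recommended architecture above, moving the witness off the DC onto a dedicated non-Exchange member server (ideally in a third site) and registering an alternate witness, can be scripted. This is an added example for this thread, not code from the answer or from Microsoft. It assumes the Exchange Management Shell on a DAG member, WinRM access to the new servers, and placeholder names `DAG01`, `FSW01.corp.example` and `FSW02.corp.example`. The answer above keeps the witness in the same domain as the DAG members; Microsoft's hard requirement is the same Active Directory forest, and the script only checks that the candidates are not domain controllers of the member's domain.

```powershell
# Added example (not from the original thread): move a DAG's witness from a domain controller
# to a dedicated, non-Exchange member server and register an alternate witness, then verify.
# Assumptions: Exchange Management Shell on a DAG member; WinRM to the new witness servers;
# DAG01, FSW01.corp.example and FSW02.corp.example are placeholders.
$DagName       = 'DAG01'
$NewWitness    = 'FSW01.corp.example'     # dedicated member server, third site if available
$NewWitnessDir = 'C:\DAGFileShareWitnesses\DAG01'
$AltWitness    = 'FSW02.corp.example'     # alternate witness for datacenter switchover
$AltWitnessDir = 'C:\DAGFileShareWitnesses\DAG01'
$Ets           = "$((Get-ADDomain).NetBIOSName)\Exchange Trusted Subsystem"

# 1. Refuse a domain controller before changing anything (DCs of this domain only).
$dcFqdns = (Get-ADDomainController -Filter *).HostName
foreach ($w in $NewWitness, $AltWitness) {
    if ($dcFqdns -contains $w) { throw "$w is a domain controller; pick a member server instead." }
}

# 2. Prerequisite on a non-Exchange witness: Exchange Trusted Subsystem must be a local
#    Administrator so the DAG can create and manage the witness share. Idempotent.
#    The witness share is SMB, so the File and Printer Sharing firewall group must be on.
Invoke-Command -ComputerName $NewWitness, $AltWitness -ScriptBlock {
    param($GroupName)
    $present = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq $GroupName }
    if (-not $present) { Add-LocalGroupMember -Group 'Administrators' -Member $GroupName }
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
} -ArgumentList $Ets

# 3. Point the DAG at the new witness and register the alternate. Exchange creates the
#    directory and the share itself; nothing is pre-created on the witness.
Set-DatabaseAvailabilityGroup -Identity $DagName `
    -WitnessServer $NewWitness -WitnessDirectory $NewWitnessDir `
    -AlternateWitnessServer $AltWitness -AlternateWitnessDirectory $AltWitnessDir

# 4. Verify: WitnessShareInUse should report Primary, and the cluster quorum resource
#    should now reference the new file share rather than the DC.
$dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
$dag | Format-List Name, WitnessServer, WitnessDirectory, AlternateWitnessServer, WitnessShareInUse
Get-ClusterQuorum -Cluster $DagName | Format-List QuorumResource, QuorumType
```

After the move, the old witness directory and share on the domain controller are not removed by Exchange; delete them by hand, and remove Exchange Trusted Subsystem from the domain's built-in Administrators group if it was added only for the witness role, since that membership is what made the DC-as-witness design a security concern in the first place.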

