Error Creating an Exchange 2013 Database Availability Group (DAG)

First of all, I’m new to Exchange 2013. I had one major deployment back then with the 2k version and that’s all. Now Exchange and I meet again. With problems, as you can guess.

A friend of mine and I were given the task of implementing an Exchange 2013 organization. One of the requirements was creating a Database Availability Group, or DAG. Planning, preparations and lab tests went just fine, but when we tried to deploy this DAG in production, creating the DAG passes but adding servers fails with this error message:

A server-side database availability group administrative operation failed.
Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses.
Error: Computer account ‘DAG-MAILBOX’ couldn’t be validated by user ‘NT AUTHORITY\SYSTEM’.
Error: The security database on the server does not have a computer account for this workstation trust relationship.
[Server: NB-BN-MBX1.somedomain.com]

How nice this is 😦

I won’t preach about Exchange too much now, because I’m still learning, but will rather describe our solution. We did our share of reading and troubleshooting, and none of it yielded success.

What we have done:

  • Created two networks, Replication or DAG network and MAPI network
  • Set up adapter bindings so the MAPI network is listed first
  • Set up each adapter’s properties as suggested by Microsoft
  • Created computer object in Active Directory
  • Assigned full control permission to Exchange Trusted Subsystem and first DAG member
  • Set up static persistent host routing towards DAG members
  • Set up IP parameters such as addresses, DNS settings and registrations, gateway(s)
  • Assigned cluster IP addresses to belong to MAPI network
  • ….

No matter what, the same error keeps popping up. In the Exchange log file we could see this error message:

WriteError! Exception = Microsoft.Exchange.Cluster.Replay.DagTaskOperationFailedException: A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: Computer account ‘DAG-MAILBOX’ couldn’t be validated by user ‘NT AUTHORITY\SYSTEM’. Error: The security database on the server does not have a computer account for this workstation trust relationship. —> Microsoft.Exchange.Cluster.Replay.DagTaskComputerAccountCouldNotBeValidatedException: A server-side database availability group administrative operation failed. Error Computer account ‘DAG-MAILBOX’ couldn’t be validated by user ‘NT AUTHORITY\SYSTEM’. Error: The security database on the server does not have a computer account for this workstation trust relationship.

Behold “CreateCluster errors may result from incorrectly configured static addresses”! This took away quite some time, because it sent us in the wrong troubleshooting direction.

Coping with this could take forever…

Fortunately, by doing another project in parallel, we introduced a Windows Server 2012R2 Server Core domain controller. And can you believe it – we successfully added DAG members to the cluster!

Former domain and forest functional levels were Windows Server 2008 and this was not changed. Yes, the schema was prepared for Windows 2012 domain controllers but what does this have to do with DAG? We could not find anything about having Windows 2008/2012 DCs regarding (un)successful DAG implementation. Perhaps we missed something?

So, if you run into a problem such as this one and you have Windows 2008 DCs, consider introducing a Windows 2012R2 DC. You will have to do this eventually, so why not now 🙂
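Since the error complains that the computer account cannot be validated, one useful check is what each domain controller actually holds for the pre-staged object. The script below is an added example, not something we ran at the time: it assumes the RSAT ActiveDirectory module and a single-domain forest, and takes the CNO name and first DAG member name from the error message above.

```powershell
# Added example: audit the pre-staged DAG cluster name object (CNO) on every DC.
# Assumptions: RSAT ActiveDirectory module, single-domain forest,
# names taken from the error message in this post.
Import-Module ActiveDirectory

$CnoName     = 'DAG-MAILBOX'   # CNO named in the error
$FirstMember = 'NB-BN-MBX1'    # first DAG member named in the error
$NetBios     = (Get-ADDomain).NetBIOSName
# Trustees that were given Full Control on the CNO (computer accounts end in $)
$Trustees    = @("$NetBios\Exchange Trusted Subsystem", "$NetBios\$FirstMember`$")

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        CnoFound         = $false
        CnoEnabled       = $null
        FullControlFor   = ''
        Note             = ''
    }
    try {
        # Query this specific DC so replication gaps become visible
        $cno = Get-ADComputer -Identity $CnoName -Server $dc.HostName `
                   -Properties nTSecurityDescriptor -ErrorAction Stop
        $row.CnoFound   = $true
        $row.CnoEnabled = $cno.Enabled
        # Keep only explicit Allow/Full Control ACEs for the expected trustees
        $row.FullControlFor = ($cno.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -eq 'GenericAll' -and
            $Trustees -contains $_.IdentityReference.Value
        } | ForEach-Object { $_.IdentityReference.Value }) -join '; '
    }
    catch {
        # Object missing on this DC, or the DC could not be queried
        $row.Note = $_.Exception.Message
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize -Wrap
```

Per Microsoft's pre-staging guidance, the CNO should exist on every DC, be disabled (CnoEnabled = False) and list Exchange Trusted Subsystem or the first DAG member under FullControlFor. The OperatingSystem column shows which DC versions are answering, which is what turned out to matter in our case.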

 

Thanks for reading!


4 Responses to Error Creating an Exchange 2013 Database Availability Group (DAG)

  1. Looks like you are creating a DAG using Windows Server 2012 members and you forgot to pre-stage the CNO account.

    • Sasa says:

      Actually we did pre-stage the CNO:

      “◾Assigned full control permission to Exchange Trusted Subsystem and first DAG member”

      Thanks.

  2. Bhawesh says:

    First of all we have to tackle the access denied part of it and it can be cleared by checking and assigning the required permissions.
    Error is also showing that static IP has misconfigured so ensure that it is assigned perfectly as per the necessity. There might not be a DAG1 account created by whereas DAG account could be there which an Exchange Console formulate without any problems/error. So ensure that DAG1 account has created in the place.
    http://www.tips.omsaitech.co.in/a-server-side-database-availability-group-administrative-operation-failed-error-the-computer-account-dag1-could-not-be-validated-access-was-denied-check-that-the-current-user-nt-authoritysy/

  3. First of all we have to tackle the access denied part of it and it can be cleared by checking and assigning the required permissions. Error is also showing that static IP has misconfigured so ensure that it is assigned perfectly as per the necessity

    There might not be a DAG1 account created by whereas DAG account could be there which an Exchange Console formulate without any problems/error. So ensure that DAG1 account has created in the place. You can also simply remove DAG pre-stage DAG user in AD and assign full permission on DAG Object; don’t forget to deactivate the DAG computer A/c. Read more here:

    http://www.tips.omsaitech.co.in/error-the-operation-failed-createcluster-errors-may-result-from-incorrectly-configured-static-addresses-error-the-computer-account-dag1%E2%80%B2-could-not-be-validated-access-was-denied/
