Does DAG CNO need to be in Exchange Trusted Subsystem?

Catherine Jaszewski 716 Reputation points
2021-04-07T17:45:38.597+00:00

I recently created a Database Availability Group for my Exchange 2019 Mailbox Servers.
However, I can't seem to add Members to the new DAG.
In looking at the DAG Tasks logs I keep seeing an Access Denied message.
I verified my user has adequate permissions (Organization Management), the Witness server is in the Exchange Trusted Subsystem and the Local Administrators group on the witness server has Exchange Trusted Subsystem.

The DAG CNO took a while to show up in my AD and I verified it is not in Exchange Trusted Subsystem. Does it need to be?

Please note - The DAG was created before the Failover Cluster feature was installed on the Exchange Server. One article I read suggested this may be the problem. The DAG does not have permissions to the Failover Cluster Service because Failover Cluster did not exist when DAG was created. Do I need to recreate the DAG? And if so, how difficult is this task (given there are no members configured in the DAG)?

Please Advise.

Thank you,


Accepted answer
  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2021-04-07T18:04:58.797+00:00

    You could give it full access to the Exchange Trusted Subsystem group, no need to add as a member,

    however! :)

    I would recreate the DAG myself and not create the CNO. It's not needed unless you have backup software or something similar that requires it.
    Much easier to manage it then!

    https://supertekboy.com/2015/06/30/create-an-ip-less-dag-no-administrative-access-point/



1 additional answer

  1. Anonymous
    2021-04-08T03:52:48.397+00:00

    Hi @Catherine Jaszewski ,

    You could try creating the CNO and give it a full control permission of Exchange Trusted Subsystem and your Exchange servers then disable it to add servers to the DAG.
    Add the member servers first and then:

    Read this article for more information: Prestage cluster computer objects in Active Directory Domain Services

    Recreating a DAG is not hard work. Before removing the DAG, you should remove all member servers. In your case, you can remove it directly with no effort.

    Regards,
    Lou
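
The pre-staged CNO state described in the answers above (computer object present, disabled, Full Control granted to Exchange Trusted Subsystem) can be checked read-only before retrying the member add. This is an added example, not code from either answer; it assumes the RSAT ActiveDirectory module is available, and `DAG1` and the function name `Test-DagCno` are hypothetical.

```powershell
# Added example: read-only check of a DAG cluster name object (CNO).
# Assumptions: ActiveDirectory module installed; 'DAG1' is a hypothetical DAG name.
Import-Module ActiveDirectory

function Test-DagCno {
    param([Parameter(Mandatory)][string]$DagName)

    $ets = Get-ADGroup -Identity 'Exchange Trusted Subsystem'
    $cno = Get-ADComputer -Filter "Name -eq '$DagName'" -Properties Enabled
    if (-not $cno) {
        # Nothing to check, e.g. a DAG recreated without a CNO as the accepted answer suggests.
        return [pscustomobject]@{ Dag = $DagName; CnoFound = $false }
    }

    # Read the CNO's DACL through the AD: drive that the ActiveDirectory module provides.
    $acl         = Get-Acl -Path "AD:\$($cno.DistinguishedName)"
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $sidType     = [System.Security.Principal.SecurityIdentifier]

    # Allow ACEs that grant Full Control (GenericAll) to Exchange Trusted Subsystem.
    $etsAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl -and
        $_.IdentityReference.Translate($sidType).Value -eq $ets.SID.Value
    })

    # Group membership is reported for information only; the accepted answer
    # says the CNO does not need to be a member of the group.
    $isMember = @(Get-ADGroupMember -Identity $ets |
        Where-Object { $_.SID.Value -eq $cno.SID.Value }).Count -gt 0

    [pscustomobject]@{
        Dag              = $DagName
        CnoFound         = $true
        CnoEnabled       = [bool]$cno.Enabled      # answers describe a disabled CNO
        EtsHasFullControl = $etsAces.Count -gt 0
        CnoIsEtsMember   = $isMember
        DistinguishedName = $cno.DistinguishedName
    }
}

Test-DagCno -DagName 'DAG1' | Format-List
```

An enabled CNO or a missing Full Control entry for Exchange Trusted Subsystem is the state to correct before adding members again.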

