This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 28.999999999999996%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECJ%3C/text%3E%3C/svg%3E)
I recently created a Database Availability Group for my Exchange 2019 Mailbox Servers.
However, I can't seem to add Members to the new DAG.
In looking at the DAG Tasks logs I keep seeing an Access Denied message.
I verified my user has adequate permissions (Organization Management), the Witness server is in the Exchange Trusted Subsystem and the Local Administrators group on the witness server has Exchange Trusted Subsystem.
The DAG CNO took awhile to show up in my AD and I verified it is not in Exchange Trusted Subsystem. Does it need to be?
Please note - The DAG was created before the Failover Cluster feature was installed on the Exchange Server. One article I read suggested this may be the problem. The DAG does not have permissions to the Failover Cluster Service because Failover Cluster did not exist when DAG was created. Do I need to recreate the DAG? And if so, how difficult is this task (given there are no members configured in the DAG)?
Please Advise.
Thank you,
You could give it full access to the Exchange Trusted Subsystem group, no need to add as a member,
however! :)
I would recreate the DAG myself and not create the CNO. its not needed unless you have a backup software or something similar that requires it.
Much easier to manage it then!
https://supertekboy.com/2015/06/30/create-an-ip-less-dag-no-administrative-access-point/
Thank you Andy....
Putting the CNO in Exchange Trusted Subsystem had no affect. This is the error i'm getting...
[PS] C:\Windows\system32>Add-DatabaseAvailabilityGroupServer -Identity "FDVA-EXCH-DAG" -MailboxServer "FDVA-ALT-EXCH"
WARNING: The operation wasn't successful because an error was encountered. You may find more details in log file
"C:\ExchangeSetupLogs\DagTasks\dagtask_2021-04-07_18-36-24.072_add-databaseavailabiltygroupserver.log" on
"FDVA-ALT-EXCH". A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster
errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster
operation. Error: Cluster API failed: "CreateCluster() failed with 0x5. Error: Access is denied"
I think my Failover Cluster is misconfigured. I will start looking at that.
I am also seeing an error in Event viewer "FcSvc" is corrupt or not installed. So it's possible I need to re-install the Failover Cluster feature or find a way to fix FcSvc.
Lastly, I am at a point where I am simply going to create a new DAG without removing the existing one. My fear is I'm going to run into the same problem.
I've been googling the message stated below (i.e. Access Denied) and not coming up with any specific solution.
Any thoughts?
Did you give the CNO full access to the Exchange Trusted Subsystem Security group via the security tab properties of the group?
You could also do the same thing with that first server you are tying to add - give the CNO full access via the security tab.
I still think you should create a new DAG and and set as a no admin point if you can, then add the mailbox server.
Good Afternoon Andy
My Exchange DAG is up and running with two members!
I ended up having to pro-stage the CNO and once I did that everything else worked out fine.
I had to make one adjustment and that was to increase the MaxEnvelopeSizekb WinRM was using and I had to do that on both of the exchange servers.
Now on to the tricky part: Database copies and replication.
Thank you for all your help!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi @Catherine Jaszewski ,
You could try creating the CNO and give it a full control permission of Exchange Trusted Subsystem and your Exchange servers then disable it to add servers to the DAG.
Add the member servers first and then:
Read this article for more information: Prestage cluster computer objects in Active Directory Domain Services
Recreating a DAG is not a hard work, before removing the DAG, you should remove all member servers. In your case, you can directly remove it with no efforts.
Regards,
Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you Lou,
Please see my comment to Andy.
I will take a look at Prestage Cluster computer object in AD DS article. However I was under the impression prestaging clusters was not required with Exchange 2019 DAGs.
I will keep you in the loop about the solution we find.
Thank you,
its not :) but you can still apply those perms and see if that works
Hi @Catherine Jaszewski ,
As Andy said, it's not required, but it's still worth a try.
Sometimes reboot the DC/Exchange server and recreate the DAG would fix these issues.
Are there any errors when creating DAG?
Regards,
Lou