Exchange 2013 the right way
Ensure that every database is replicated so that at least three copies exist
within a DAG. This level of redundancy ensures that the loss of one or two
servers will not remove service from users. For this reason, scale out by
distributing mailboxes across multiple servers (which can then support the
multiple database copies) rather than scale up with large servers that support
thousands of users. Remember, a database can never be replicated on the
same server. Exchange high availability depends on the ability to maintain
replicated databases distributed across multiple servers.
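As a sketch of this scale-out principle, the placement rule above (at least three copies per database, and never two copies of the same database on one server) can be expressed in a few lines of Python. The server and database names are hypothetical and the round-robin scheme is only one of many reasonable placements:

```python
from itertools import cycle

def place_copies(databases, servers, copies=3):
    """Round-robin each database's copies across distinct servers so that
    no server ever hosts two copies of the same database."""
    if copies > len(servers):
        raise ValueError("need at least as many servers as copies per database")
    layout = {}
    ring = cycle(servers)
    for db in databases:
        placed = []
        while len(placed) < copies:
            server = next(ring)
            if server not in placed:  # a database copy may not repeat on a server
                placed.append(server)
        layout[db] = placed
    return layout

# Hypothetical four-server DAG hosting four databases, three copies each
layout = place_copies(["DB01", "DB02", "DB03", "DB04"],
                      ["EX1", "EX2", "EX3", "EX4"])
```

Each database ends up on three distinct servers, so the loss of one or two servers still leaves a surviving copy.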
Ensure that Exchange servers are configured with the appropriate level
of CPU, storage and memory to support the predicted workload. Use
the Microsoft Exchange Role Requirements calculator to come up with
basic configurations and then adjust to reflect the details of your specific
environment.
Follow best practice for the management and monitoring of Exchange 2013.
Remember that Managed Availability is active on all Exchange 2013 servers
to provide an element of automatic management. However, Managed
Availability does not monitor Windows or the hypervisor.
Never attempt to compensate or replace a feature built into Exchange with
what appears to be an overlapping hypervisor feature. Hypervisors are
not created specifically to support Exchange. Instead, they are designed to
support general-purpose computing and should be used in that fashion.
Exchange servers typically support third-party software products that are
integrated with Exchange to provide additional functionality to end users.
These products have to be validated against the selected hypervisor.
Best practice evolves over time as experience with software develops and
improvements emerge in hardware and software. Microsoft updates Exchange
2013 on a quarterly basis and this update cadence has to be factored into your
deployment plans.
Familiarity with a hypervisor and Windows is not sufficient knowledge to
deploy Exchange 2013. You need to understand all aspects of the equation
before you begin and you need to be able to manage the resulting
infrastructure.
Microsoft's stance remains that it does not support NFS with Exchange,
whether the NFS storage is presented to physical Exchange servers or virtual
Exchange servers. Other shared storage alternatives such as iSCSI, SMB 3.0 or
Fibre Channel exist and are capable of delivering reliable storage to Exchange.
Microsoft's recommendation is therefore absolutely clear: any storage
presented to Exchange must be block-mode.
Differencing or delta disks are also unsupported with Exchange. One difference
between Exchange 2010 and Exchange 2013 is that the newer version supports
SMB 3.0 for VHD files. Microsoft recommends the use of the JetStress utility
to validate that the storage provided to virtual Exchange servers is capable of
handling the predicted load generated by mailboxes and other activities.
Each version of Exchange has different storage characteristics as Microsoft
continues to drive down physical I/O demands in favor of using more cached
in-memory data. At the same time, new features demand more resources.
Collectively, these facts make it imperative that sufficient hardware resources
are dedicated to ensure the success of a virtualized Exchange project and that
those resources are validated through testing.
In general, any storage provided to Exchange should be optimized for low I/O
latency and for use by the Exchange high availability features.
Given that Exchange 2013 is able to use many different kinds of storage from
enterprise-class to JBOD disks, providing the right kind of block-mode storage
should not be an issue.
Host-based clustering
Host-based clustering is supported by Exchange. This is a method to bring
machines back online after a hardware failure occurs on one host in a cluster.
Such an outage results in the transfer of the virtual machines running on that
host to another node in the cluster. However, host-based clustering does not
deliver true high availability for Exchange as the host has no knowledge of the
way that various Exchange features combine to contribute to high availability
for its databases and transport system. On the other hand, if you run
standalone Exchange servers that are not part of a DAG, host-based clustering
is an effective way to restore those servers to service quickly.
Although it handles hardware failures, host-based clustering does not resolve
other situations that Exchange caters for, such as the single page
patching facility used to repair corrupt pages in replicated databases, or
the automatic switchover of databases to another DAG member when Managed
Availability determines that a protocol has failed on a server. Provided you
recognize its limitations, it is a good idea to use host-based clustering in
combination with Exchange high availability to achieve maximum protection
against potential failure.
Migration
Exchange 2013 supports migration technology with some limitations. For
example, you can use Hyper-V's Live Migration or VMware's vMotion functions
to move virtual Exchange servers between hosts, but you cannot use Hyper-V's
Quick Migration facility. The essential thing is that a virtual machine running
Exchange must remain online during the migration.
Performing a point-in-time save-to-disk and move is unsupported. The reason
is simple: to maintain the best possible performance, Exchange manipulates
a lot of data in memory. If the Exchange server is a member of a DAG, that
memory includes a view of the current state of the underlying Windows
Failover Cluster.
Save-to-disk and move might bring an Exchange server back online in a state
where the in-memory data causes inconsistency for the moved Exchange server
or for another server within the organization. For example, when you bring a
DAG member back online, that server might believe that it is a fully functioning
member of the Windows Failover Cluster and therefore will attempt to function
as such. But during the time that the migration was happening, the other
members of the DAG might have discovered that the server had gone offline
and will therefore have adjusted cluster membership by removing the offline
server. The result is a synchronization clash where one server has a certain view
of the cluster that is not shared by the other members. Restoring the DAG and
cluster to full operational health will require manual administrator intervention.
Keeping the virtual machine (and thus Exchange) online during migrations
avoids the issue: because the other Exchange servers never register the server
as failed, they have no need to take action such as activating database copies
on other servers within a DAG or initiating the replay of in-transit messages
from Safety Net.
The biggest issue that you are likely to face with migration is ensuring that DAG
member nodes continue to communicate during the move. Failure to achieve
this will cause the cluster heartbeat to time out, and the node being moved will
be evicted from the Windows Failover cluster that underpins the DAG. When
a migration happens, a point-in-time copy of the virtual machines memory
is taken from the source to the target host. At the same time, pages that are
being changed are tracked and these pages are also copied to the target as
the migration progresses. Eventually no more pages are being changed and
the brownout period occurs, during which the virtual machine is unavailable
because it is being transferred from the source host to the target.
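The pre-copy process described above can be illustrated with a small Python simulation. Each pass resends the pages dirtied during the previous pass; when the dirty set is small enough, the virtual machine pauses (the brownout) while the residue is transferred. The memory size, link bandwidth and dirty rate below are assumed example figures, not measurements from any particular hypervisor:

```python
def precopy_brownout(mem_gb, bandwidth_gb_s, dirty_gb_s,
                     stop_copy_gb=0.1, max_passes=30):
    """Simulate iterative pre-copy live migration and return the brownout
    duration in seconds: the final paused transfer of the residual dirty set."""
    remaining = mem_gb
    for _ in range(max_passes):
        copy_time = remaining / bandwidth_gb_s           # time to send current dirty set
        remaining = min(mem_gb, dirty_gb_s * copy_time)  # pages dirtied meanwhile
        if remaining <= stop_copy_gb:                    # dirty set small enough to pause
            break
    return remaining / bandwidth_gb_s

# Assumed figures: 16 GB VM, ~10 GbE link (1.25 GB/s), 0.2 GB/s page dirty rate
brownout = precopy_brownout(16, 1.25, 0.2)
```

With these figures the dirty set converges in a few passes and the brownout is a small fraction of a second, comfortably inside a five-second heartbeat window; a slower link or a hotter workload lengthens both the passes and the pause.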
If the brownout period is less than the cluster heartbeat timeout (typically five
seconds), the Exchange server can continue working from the point that the
brownout started and normal operations will continue. But if the brownout
lasts longer than the cluster timeout, Windows Failover clustering will consider
that the node has gone offline and will evict the node from the cluster. In turn,
this will cause the Active Manager process running within the DAG to initiate
a server failover for the now-evicted node and will activate its databases on
other DAG members. In effect, the migration failed because service was not
maintained and normal operations did not continue when the virtual machine
moved to the new host. The now-moved server will eventually come back
online and rejoin the cluster, but a separate, manual administrative intervention
will be necessary to reactivate the database copies on the server to rebalance
workload across the DAG.
Two steps can be used to mitigate the problem. The first is to ensure that
sufficient network bandwidth is available to transfer virtual machines without
running the risk that the brownout period exceeds the cluster heartbeat
timeout. The exact amount of bandwidth required depends on the size of the
virtual machine, the workload that it is under at the time and the version of the
hypervisor that is used, so some testing will be necessary to establish exactly
how quickly virtual machines can be moved. The second step is to adjust the
cluster heartbeat timeout to reflect the expected brownout period. Adjusting the
cluster heartbeat timeout is not usually recommended but it can be an effective
solution to the problem. If you do decide to adjust the timeout, the highest
value recommended by the Exchange development group is ten seconds.
See http://blogs.msdn.com/b/clustering/archive/2012/11/21/10370765.aspx
for more information about how to tune the heartbeat interval for Windows
Failover clusters.
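For illustration, the failure-detection window is simply the heartbeat interval multiplied by the number of missed heartbeats the cluster tolerates. The defaults below (1,000 ms delay, threshold of 5) reflect typical Windows Failover Clustering same-subnet settings, but you should verify them against your Windows version before relying on them:

```python
def heartbeat_timeout_ms(delay_ms=1000, threshold=5):
    """A node is presumed down after `threshold` consecutive heartbeats,
    sent every `delay_ms` milliseconds, go unanswered."""
    return delay_ms * threshold

default_window = heartbeat_timeout_ms()                # 5,000 ms: the typical five seconds
relaxed_window = heartbeat_timeout_ms(threshold=10)    # 10,000 ms: the maximum the
                                                       # Exchange team recommends
```

The point of the arithmetic is that raising the threshold, not the delay, is how the window is usually widened, and the ten-second ceiling recommended for Exchange corresponds to doubling the default threshold.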
Conflict with hypervisor disaster recovery features
Exchange 2013 is designed to be a highly available application that can
continue to provide an excellent service to clients even when common outage
scenarios such as disk or server failures affect databases. Together with many
other features, including Managed Availability, the Database Availability
Group and replicated databases are the fundamental building blocks used by
Exchange to provide high availability.
It is important to note that many hypervisor functions that are considered to
be high availability features are in fact technology designed to be used for
disaster recovery (DR). It's true that these features can contribute to the delivery
of a highly available service, but this is not their intent. DR features like Hyper-V
Replica are intended to bring servers back online following hardware outages
rather than allowing them to function at the application level, where transactional
context and preservation are required to deliver robust, highly available services.
Snapshots
Hypervisor snapshots are not supported as a way to restore an Exchange server
back to a point in time. This is a perfectly acceptable technique to use with test
Exchange servers but should never be done in production for much the same
reason as virtual Exchange servers must be kept online during migrations.
Consider the situation that would occur if you took a hypervisor snapshot of an
Exchange 2013 multi-role server that is part of a DAG and then attempted to
restore that snapshot at a later date. At the point when the snapshot is taken,
Exchange is probably manipulating a great deal of data in memory, including
some that has not yet been committed to databases and some that is being
replicated to other DAG members through block-mode transfer. It might also
be using classic file copy to transfer transaction logs to other DAG members.
All of this happens under the control of the Microsoft Exchange Replication
service, which understands what data needs to be replicated to different target
servers and what is the current state of replication.
When you restore the snapshot, you bring an Exchange server back into the
DAG as it was at the time when the snapshot was taken. This could be hours
or even days away from current time. The hypervisor has no information
about what processing Exchange was doing across the DAG when it took
the snapshot. Likewise, the hypervisor has no knowledge of what steps are
necessary to bring the server back into the DAG in a predictable and known
manner. And when the Exchange server wakes up, the Exchange Replication
service has no idea of what has happened between the time when the snapshot
was taken and the current state of replication across the other members of the
DAG. No code is included in Exchange to fix a DAG member by advancing it to
the current time in a controlled and consistent manner.
The result is that the restored snapshot will probably leave the DAG with
replication in an inconsistent state for one or more databases. Some database
corruption might even occur, especially if single page patching had been
performed to fix corrupt database pages while the server was offline. The
server might even work smoothly after the snapshot is restored, but it is
impossible to guarantee that normal service will resume, and Microsoft will
not support you if problems occur.
Snapshots do have value in lab environments because they allow you to
return a server to a well-known situation, for instance before you applied a
new cumulative update to the server. Given the workloads that lab systems
are generally exposed to, you run less risk of encountering the problematic
conditions referred to above than you do with production servers in full flow.
Even so, if you elect to use snapshots in lab environments, you might have
to take snapshots of all members of a DAG so that you can roll back to a
consistent point if necessary. Even introducing an aged snapshot to a test DAG
is unlikely to go well because Exchange 2013 is not built to handle time travel.
NUMA
NUMA is non-uniform memory access, a design used in multiprocessing
computer systems to increase processor speed without imposing a penalty on
the processor bus. The non-uniform part of the name arises from the fact
that some memory is closer to a processor than is other memory, so a uniform
access time is not experienced. Hypervisors use NUMA to make more efficient
use of memory across guest machines. For example, Hyper-V provides a feature
called virtual NUMA that groups virtual processors and the memory assigned
to guest machines into virtual NUMA nodes, and guest machines see a
topology that is based on the physical topology of the host system. When
a virtual machine is created, Hyper-V creates a configuration based on the
physical topology, taking into account the number of logical processors and
the amount of memory per NUMA node.
Unlike SQL Server, Exchange knows nothing about NUMA and will not gain any
scalability benefit from running on servers that have NUMA enabled. However,
Exchange will take advantage of the operating system's optimizations for NUMA.
This is consistent with the recommendation to assign static CPU and memory
resources to virtual machines that run Exchange 2013 so that Exchange can
then manage the allocated resources across its different components.
Operational considerations
Once deployed, a virtualized Exchange environment must be maintained. Here
are some recommendations to help keep your virtual Exchange 2013 servers in
good health.
Deployment of virtual Exchange servers across hosts
In general it is better to scale out Exchange by creating many virtual servers
than it is to scale up and have everything located in a small number of very
large servers. This approach allows you to take maximum advantage of
Exchange high availability by distributing mailboxes across databases managed
in a DAG where each database has at least three copies. Along the same lines,
you should distribute the virtual Exchange servers across multiple physical
hosts so that a failure of a single host will impact as few Exchange servers as
possible. Even if the hardware can accommodate the load, it does not make
sense to run 10 or 12 virtual Exchange servers on one large host as a failure can
result in total loss of service to all clients.
Ideally, it should be possible for the Exchange servers that remain online
following the failure of a host to restore full service through the activation of
database copies on the remaining servers. Achieving this goal calls for careful
planning of mailbox and database placement and attention to detail for other
dependencies, such as witness servers, Active Directory domain controllers,
load balancers, and so on. It also requires ongoing monitoring to ensure that
databases are not being activated in an unplanned manner due to automated
failovers invoked by Managed Availability, server maintenance or other
operational reasons.
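A placement like this can be sanity-checked programmatically. The following hypothetical Python sketch (the VM, host and database names are invented for illustration) verifies that no single host failure leaves a database without a surviving copy:

```python
def survives_any_host_failure(vm_to_host, db_copies):
    """For every physical host, simulate its failure and check that each
    database still has at least one copy on a surviving Exchange VM.
    Returns (ok, failed_host, orphaned_db)."""
    hosts = set(vm_to_host.values())
    for failed in hosts:
        alive = {vm for vm, host in vm_to_host.items() if host != failed}
        for db, vms in db_copies.items():
            if not alive.intersection(vms):     # no surviving copy of this database
                return False, failed, db
    return True, None, None

# Three Exchange VMs spread across three hosts, two databases with three copies
vm_to_host = {"EX1": "HOSTA", "EX2": "HOSTB", "EX3": "HOSTC"}
db_copies = {"DB01": ["EX1", "EX2", "EX3"], "DB02": ["EX2", "EX3", "EX1"]}
ok, failed_host, orphaned = survives_any_host_failure(vm_to_host, db_copies)
```

Run against a bad layout, for instance two DAG members stacked on one host holding all copies of a database, the check pinpoints which host failure orphans which database.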
Although Exchange is designed to be a highly available application and
incorporates a large number of features to realize this goal, its successful
operation requires all layers of the solution to function properly from the
base hardware upward. Hypervisors are not magic and do not automatically
attribute high availability to virtualized applications. The same is true of the
high availability features built into Exchange 2013. The two sets of features
can complement each other, but neither will be effective unless high
availability is designed into a deployment. This means that:
- Exchange 2013 high availability features are used as the prime protection for Exchange data
- Hypervisor high availability features such as migration are used to fill in gaps that might exist
- Attention is given to other elements of the solution, such as Active Directory, load balancers and witness servers
- The resulting configuration is tested to ensure that it provides sufficient resilience against common failure conditions, such as the loss of a host machine, storage controller or network links
It is also true that those running the environment need to be able to cope with
failure because it is certain that some failures will occur over time. It makes
sense to prepare for failure by implementing adequate redundancy in both
hardware and software and multiple paths to essential infrastructure.
Upgrades
Microsoft issues a new cumulative update for Exchange 2013 quarterly, and
the latest available update must be installed before Microsoft will support a
system. Therefore, you must be prepared to deploy cumulative updates on a
regular basis. At the same time, you must be prepared to apply regular updates
to Windows, the hypervisor, hardware drivers, and other applications and
third-party products that are used alongside Exchange 2013.
Updating an Exchange 2013 server is not difficult and the application of the
latest cumulative update brings the server completely up to date with the latest
features and bug fixes. However, the history of Exchange 2013 cumulative
updates is spotted with small, but irritating, errors that have caused grief
to customers. For this reason it is essential that a new cumulative update is
carefully tested in an environment that accurately mimics the production
environment before it is introduced into production.
Backups
It is possible to take a host-based backup that backs up a complete server,
including Exchange. In order to produce a backup that can be successfully
used to restore a viable Exchange server, it is necessary that the backup
utility is aware of Exchange and interacts with the product to capture the
server configuration together with databases at the time the backup is taken.
The most important thing is that the backup utility uses the Windows Volume
Shadow Copy Service (VSS) to interact properly with the Information Store and
that log truncation occurs properly. Note that the log truncation process differs
for standalone Exchange 2013 mailbox servers and those that are members
of a DAG. It is therefore critical that the backup software uses the proper VSS
API calls to prepare Exchange for backup and then informs Exchange after a
successful backup is achieved. It is also important that backed up databases
are in a clean state so that they can be used immediately if they need to be
restored.
The only real way to know whether backups are successful is to use them to
recover data. For this reason it is important to test
that backups taken from virtual Exchange 2013 servers can be quickly and
reliably restored. Make sure that this test is done regularly so that operations
staff is familiar with the steps necessary to restore a server from backup and
to validate that the restored databases contain what is expected and do not
need to be put into a clean state before they are used. Particular care should be
taken when recovering databases that belong to a DAG.
Summary
The decision to virtualize Exchange 2013 should never be made in a vacuum. It
is a complex decision that requires many factors to be weighed and assessed
in the context of the IT environment into which Exchange is to be deployed,
the business need to be satisfied and the long-term technical strategy of
the company. Microsoft has made Exchange 2013 an excellent candidate for
virtualization, providing that the caveats explained in this paper are respected.
The question, therefore, is whether physical or virtual Exchange 2013 systems
best serve the needs of your company. And only you can answer that question.