Contents Resource Dependencies 1 Cluster Service Account Permissions 5 MsExchange_NodeState 9 DNS registration/Kerberos 12 AntiAffinityClassNames 16 Mount Point Drives 22 Creating an Exchange Virtual Server 33 Upgrading an Exchange Virtual Server to Exchange 2003 56 Removing an Exchange Virtual Server 64 Lab 5.1 : Clustering 88 Module 5: Clustering Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  2003 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, Excel, Exchange Server 5.5, Exchange 2000 Server, Exchange Server 2003, Internet Explorer, Internet Information Server, Word are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein (Groupwise, Lotus cc:Mail, Lotus Notes) may be the trademarks of their respective owners. Module 5: Clustering 1 Resource Dependencies In an Exchange 2000 cluster, we need to create a new Cluster Group to house the Exchange Virtual Server. In order to successfully create a System Attendant Resource, we must first have a physical disk resource, an IP address, and a Network Name in that group. When we create the System Attendant resource, the other Exchange resources will be automatically created. During the creation process, a dependency tree will be created. The dependency tree is shown below. 2 Module 5: Clustering The Information Store resource has five dependencies: SMTP, HTTP, POP, IMAP and Microsoft Search service. The message transfer agent (MTA) and Routing Engine resources are directly dependant on the System Attendant. In the event of a failover, all resources that have a dependency must go offline before the resource that it is dependant on them can attempt to go offline. In the scenario above the SMTP, HTTP, IMAP4, POP3 and Microsoft Search service must successfully go offline (or fail) before the Information Store resource can attempt to go offline. The MTA and Routing Engine resources can attempt to go offline immediately, as they do not have any resources that are dependant on them. Traditionally in Exchange 2000 clusters, the SMTP and the Information Store resources took the longest amount of time to go offline/come online. This could be attributed to large SMTP queues or mounting/dismounting large databases. This obviously will lead to longer failover times as the Information Store resource has to wait for the SMTP resource to go offline before it can attempt to go offline/come online. Exchange 2000 Resource Dependency Tree Module 5: Clustering 3 In Exchange Server 2003, the resource-dependant tree has been altered so that all Exchange 2003 cluster resources are now directly dependant on the System Attendant resource. Here we see that all the Exchange related resources are now directly dependant on the System Attendant. This effectively means that the SMTP (and other protocol resources) can now be brought online/go offline in parallel with the store. This makes for faster failovers of the Exchange Virtual Server. During the creation of the Exchange Virtual Server process, the correct dependencies will be set. The POP3 and IMAP4 resources are not created by default. If they are created manually, then you will need to set a dependency on the System Attendant (this is mandatory). During an upgrade of an Exchange 2000 Exchange Virtual Server, the resource dependencies will be changed to the new Exchange 2003 resource dependency tree. From the “Exchange Server Setup Progress.log” file we can see these changes being made. Open the log file and search for ScUpgradeResourceDependencies. Here we will see each resource being changed. An SMTP resource being changed from the progress log: Resource Dependency Tree in Exchan g e 2003 Note 4 Module 5: Clustering [08:36:54] Entering ScUpgradeResourceDependencies [08:36:54] Checking dependencies of resource 'SMTP Virtual Server Instance - (EVS-01)' [08:36:54] Entering ScChangeResourceDependency [08:36:54] About to change resource dependency for resource 'SMTP Virtual Server Instance - (EVS-01)' [08:36:54] Leaving ScChangeResourceDependency You will see the above entries for all Exchange resources that are upgraded to Exchange 2003. Module 5: Clustering 5 Cluster Service Account Permissions Related articles/bugs:  329702.KB.EN-US In order to successfully create, delete or modify an Exchange 2000 Exchange Virtual Server, the Windows 2000 cluster service account required “Exchange Full Administrator” permissions at the organization level if it was the first Exchange Virtual Server in the org. If it was not the first Exchange Virtual Server in the org then it required Exchange Full Administrator on the Admin Group that it was being installed into. 6 Module 5: Clustering The Exchange Virtual Server creation process (shown above) can be broken down as follows: 1. User DOMAIN\Administrator logs in to one of the Nodes and starts Cluster Administrator (cluadmin.exe). The process cluadmin.exe runs as the currently logged in user (DOMAIN\Administrator). The Administrator then attempts to create a new Exchange System Attendant. Excluadmin.dll will gather information from Active Directory in order to create the System Attendant (e.g. Org name and Administrative Group name etc). The user DOMAIN\Administrator needs permissions to read from the configuration partition of the Active Directory. 2. When excluadmin.dll has collected the necessary information, it will then pass the information to exres.dll. Exres.dll is the Exchange resource dll. Exres.dll runs in the Resource Monitor process, which runs in the context of the Cluster Service Account. 3. Exres.dll will then load exsetdata.dll in order to create the objects in Active Directory. Exsetdata.dll also runs in the Resource Monitor process. 4. Exsetdata.dll will then create the necessary objects in the Active Directory. As Exsetdata.dll runs in the context of the Cluster Service Account, this account will require Full Exchange Administrator permissions in order to create the objects successfully. Permission requirements in Exchange 2000 Module 5: Clustering 7 In Exchange 2003 the permissions have changed in order to remove this requirement. Any person or application that runs as the Windows 2000 cluster service account essentially has the ability to destroy an Exchange 2000 organization. The Exchange 2003 permissions requirements are as follows: In the Exchange 2003 the Exchange Virtual Server creation process can be broken down as follows: 1. The user DOMAIN\Administrator logs in to a Node in the cluster and starts Cluster Administrator (cluadmin.exe). This process runs in the context of DOMAIN\Administrator. The Administrator then attempts to create a new Exchange System Attendant resource. Excluadmin.dll will gather information from Active Directory in order to create the System Attendant (e.g. Org name and Administrative Group name etc). The user DOMAIN\Administrator will need to permissions to read from Active Directory for this operation to be successful. 2. When excluadmin.dll has collected the necessary information, it will then load Exsetdata.dll directly. Exsetdata.dll runs in the same process as Excluadmin.dll (DOMAIN\Administrator). 3. Exsetdata.dll will then create the objects in Active Directory. As exsetdata.dll runs in the context of DOMAIN\Administrator, it is this account that requires the Exchange Full Administrator permissions to the configuration partition of Active Directory. Permissions requirements in Exchan g e 2003 8 Module 5: Clustering After an Exchange 2000 Exchange Virtual Server has been successfully upgraded to Exchange 2003 the cluster service account for that cluster can be removed from the organization and/or Administrative Group objects’ permissions using the delegate control wizard. Remember that if that account is used by other Exchange 2000 clusters, then you will have to leave the permissions in place until they have been upgraded to Exchange 2003 Windows 2000 Cluster Service Account:  Local Administrator on each Node in the cluster  Exchange Full Administrator on org object if other Exchange 2000 clusters remain in org Windows 2003 Cluster Service Account  Local Administrator on each Node  No permissions required on org Permissions required quick check: [...]... as the hosting volume Module 5: Clustering 5 In this scenario we are going to use Disk R: which is a disk in our cluster 6 I have created a new folder on R:\ called Mount which will host the new volume 25 26 Module 5: Clustering 7 Give the volume a label and then format it using NTFS It must be formatted with NTFS 8 Click Next to complete the New Partition Wizard Module 5: Clustering 27 9 We can... two nodes Module 5: Clustering 11 From the Exchange Server Setup Progress log we can see Setup writing these attributes: [02: 25:1 3] Entering CAtomClusterServer::ScSetExchangeStateOnCluster [02: 25:1 3] Entering CAtomClusterServer::ScSetNodeProperty [02: 25:1 3] Setting DWORD MSExchange_NodeState=1 on node 'NODE1' [02: 25:1 3] Setting DWORD MSExchange_CurrentBuild=452526080 on node 'NODE1' [02: 25:1 3] Leaving... the cluster.exe command line tool Module 5: Clustering When one creates an Exchange 2003 virtual server on a Windows 2003 cluster this attribute will be automatically set to “Microsoft Exchange Virtual Server” If you are seeing it set to some other string then it has probably been changed manually and should be changed back to the default setting 19 20 Module 5: Clustering Using Cluster Administrator,... inside another folder that is hosted by another volume Module 5: Clustering The steps to create a mount point drive available for cluster use are as follows: 1 A new unformatted disk will be available in Disk Manager Make sure that it is a Basic Volume Right-click it and choose new partition 2 Choose Primary partition and click Next 23 24 Module 5: Clustering 3 Set the size for the partition and click... cluster.exe tool as follows: Cluster res “my EVS Network Name” /priv Windows 2000 SP3 Module 5: Clustering 13 In Windows 2000 this can only be set by using the command line tool cluster.exe In the screenshot above, the cluster.exe command has already been used to change the RequireDNS property to a value to “1” 14 Module 5: Clustering In Windows 2003 Server these properties are changeable from the GUI of... normal folder 28 Module 5: Clustering 11 Now we have to create the cluster resource for the Mount Point Drive Note The Mount Point Drive resource must be in the same cluster group as our hosting disk R:\ Using Cluster Administrator, locate the correct Cluster Group and then create a new resource Give the resource a name and choose Physical Disk for the resource type Click Next Module 5: Clustering 12... that we created earlier If you are unsure, then use Disk Manager to locate the correct disk number Module 5: Clustering 15 After clicking “Finish,” the Mount Point Drive resource will now appear in Cluster Administrator 16 The Mount Point Drive properties can then be seen in the registry: 31 32 Module 5: Clustering A few rules of thumb regarding Mount Point Drives: 1 The partition must be mounted inside... 'NODE1' [02: 25:1 3] Leaving CAtomClusterServer::ScSetNodeProperty [02: 25:1 3] Leaving CAtomClusterServer::ScSetExchangeStateOnCluster [02: 25:1 3] Entering CAtomClusterServer::ScEnableNodeAsPossibleOwer [02: 25:1 3] Leaving CAtomClusterServer::ScEnableNodeAsPossibleOwer This can also be seen from the cluster log: 00000550.00000308::2003/04/20-00: 25:1 3.497 INFO [DM] Setting value of MSExchange_NodeState for key... and will therefore have this right by default A detailed description of the Network Name resources in Windows 2003 can be obtained in article 302389 16 Module 5: Clustering AntiAffinityClassNames AntiAffinityClassNames is a new feature of Windows 2003 clustering It gives us the ability to assign a node as a hot spare for a particular cluster group in a cluster of three or more Nodes AntiAffinityClassNames... 00000550.00000308::2003/04/20-00: 25:1 3.497 INFO [DM] Setting value of MSExchange_NodeState for key Nodes\1\Parameters to 0x00000001 00000550.00000308::2003/04/20-00: 25:1 3.497 INFO [DM] Setting value of MSExchange_CurrentBuild for key Nodes\1\Parameters to 0x1af90000 12 Module 5: Clustering DNS registration/Kerberos Related articles: Article 235529 Windows 2000 SP3 added support for Kerberos authentication against clustered . Removing an Exchange Virtual Server 64 Lab 5.1 : Clustering 88 Module 5: Clustering Information in this document, including URL and other Internet Web. nodes. Note Module 5: Clustering 11 From the Exchange Server Setup Progress log we can see Setup writing these attributes: [02: 25:1 3] Entering