数据库可用性组Database availability groups

DAG (数据库) 是内置于邮箱服务器的高可用性和站点恢复框架的基础Microsoft Exchange Server。A database availability group (DAG) is the base component of the Mailbox server high availability and site resilience framework built into Microsoft Exchange Server. DAG 是一组邮箱服务器(最多可包含 16 个邮箱服务器),其中承载了一组数据库,可提供从影响单个服务器或数据库的故障中自动执行数据库级恢复的功能。A DAG is a group of up to 16 Mailbox servers that hosts a set of databases and provides automatic database-level recovery from failures that affect individual servers or databases.

重要

DAG 中的所有服务器都必须运行相同版本的 Exchange。All servers within a DAG must be running the same version of Exchange. 例如,不能在同一 DAG 中混合使用 Exchange 2013 服务器和 Exchange 2016 服务器。For example, you can't mix Exchange 2013 servers and Exchange 2016 servers in the same DAG.

DAG 是邮箱数据库复制、数据库和服务器切换和故障转移以及名为“活动管理器”的内部组件的边界。A DAG is a boundary for mailbox database replication, database and server switchovers and failovers, and an internal component called Active Manager. 运行于每个邮箱服务器上的活动管理器,在 DAG 中管理切换和故障转移。Active Manager, which runs on every Mailbox server, manages switchovers and failovers within DAGs. 有关 Active Manager 的详细信息,请参阅活动管理器For more information about Active Manager, see Active Manager.

DAG 中的任何服务器可以承载来自 DAG 中任何其他服务器的邮箱数据库副本。将服务器添加到 DAG 后,此服务器与 DAG 中的其他服务器协同工作,提供从影响邮箱数据库的故障(如磁盘、服务器或网络故障)中自动执行恢复的功能。Any server in a DAG can host a copy of a mailbox database from any other server in the DAG. When a server is added to a DAG, it works with the other servers in the DAG to provide automatic recovery from failures that affect mailbox databases, such as a disk, server, or network failure.

备注

有关创建 DAG、管理 DAG 成员身份、配置 DAG 属性、创建和监视邮箱数据库副本以及执行切换的详细信息,请参阅管理高可用性和站点恢复For more information about creating DAGs, managing DAG membership, configuring DAG properties, creating and monitoring mailbox database copies, and performing switchovers, see Managing high availability and site resilience.

Database availability group lifecycleDatabase availability group lifecycle

DAG 利用了增量部署的概念,即能够在安装 Exchange 后部署所有邮箱服务器和数据库的服务和数据可用性。DAGs leverage the concept of incremental deployment, which is the ability to deploy service and data availability for all Mailbox servers and databases after Exchange is installed. 在邮箱Exchange Server之后,可以创建 DAG,将邮箱服务器添加到 DAG,然后在 DAG 成员之间复制邮箱数据库。After you deploy Exchange Server Mailbox servers, you can create a DAG, add Mailbox servers to the DAG, and then replicate mailbox databases between the DAG members.

备注

支持创建包含物理邮箱服务器和虚拟化邮箱服务器组合的 DAG,但服务器和解决方案必须符合 Exchange Server 系统 要求以及 Exchange Server 虚拟化中提出的要求。It's supported to create a DAG that contains a combination of physical Mailbox servers and virtualized Mailbox servers, provided that the servers and solution comply with the Exchange Server system requirements and the requirements set forth in Exchange Server virtualization. 对于所有 Exchange 高可用性配置,必须确保 DAG 中所有邮箱服务器大小均已经过适当调整,可以处理计划中断和非计划中断过程中的必要工作负载。As with all Exchange high availability configurations, you must ensure that all Mailbox servers in the DAG are sized appropriately to handle the necessary workload during scheduled and unscheduled outages.

通过使用 New-DatabaseAvailabilityGroup cmdlet 创建 DAG。DAG 最初创建时是 Active Directory 中的一个空对象。该目录对象用于存储 DAG 的相关信息,比如服务器成员身份信息和某些 DAG 配置设置。将第一个服务器添加到 DAG 时,将为 DAG 自动创建故障转移群集。此故障转移群集由 DAG 独占使用,并且此群集必须专用于 DAG。不支持将此群集用于任何其他用途。A DAG is created by using the New-DatabaseAvailabilityGroup cmdlet. A DAG is initially created as an empty object in Active Directory. This directory object is used to store relevant information about the DAG, such as server membership information and some DAG configuration settings. When you add the first server to a DAG, a failover cluster is automatically created for the DAG. This failover cluster is used exclusively by the DAG, and the cluster must be dedicated to the DAG. Use of the cluster for any other purpose isn't supported.

除了创建故障转移群集外,还将启动监视服务器的网络或服务器故障的基础结构。然后,使用故障转移群集检测信号机制和群集数据库来跟踪和管理有关 DAG 可能快速更改的信息,比如数据库装入状态、复制状态和最后装入位置。In addition to a failover cluster being created, the infrastructure that monitors the servers for network or server failures is initiated. The failover cluster heartbeat mechanism and cluster database are then used to track and manage information about the DAG that can change quickly, such as database mount status, replication status, and last mounted location.

在创建过程中,会为 DAG 指定一个唯一名称,并分配一个或多个静态 IP 地址,或配置为使用动态主机配置协议 (DHCP),或者创建为不包含群集管理访问点。During creation, the DAG is given a unique name, and either assigned one or more static IP addresses or configured to use Dynamic Host Configuration Protocol (DHCP), or created without a cluster administrative access point. 没有管理访问点的 DAG 只能在运行 Exchange 2019、Exchange 2016 或 Exchange 2013 Service Pack 1 或更高版本(Windows Server 2012 R2 Standard 或 Datacenter 版本)的服务器上创建。DAGs without an administrative access point can be created only on servers running Exchange 2019, Exchange 2016, or Exchange 2013 Service Pack 1 or later, with Windows Server 2012 R2 Standard or Datacenter edition. 不包含群集管理访问点的 DAG 有以下特征:DAGs without cluster administrative access points have the following characteristics:

  • 没有为群集/DAG 分配 IP 地址,因此群集核心资源组中没有 IP 地址资源。There is no IP address assigned to the cluster/DAG, and therefore no IP Address Resource in the cluster core resource group.

  • 没有为群集分配网络名称,因此群集核心资源组中没有网络名称资源。There is no network name assigned to the cluster, and therefore no Network Name Resource in the cluster core resource group

  • 群集/DAG 的名称未在 DNS 中注册,并且无法在网络上进行解析。The name of the cluster/DAG is not registered in DNS, and it is not resolvable on the network.

  • 未在 Active Directory 中创建群集名称对象 (CNO)。A cluster name object (CNO) is not created in Active Directory.

  • 无法使用故障转移群集管理工具管理群集。群集必须使用 Windows PowerShell 进行管理,并且必须针对每个群集成员运行 PowerShell cmdlet。The cluster cannot be managed using the Failover Cluster Management tool. It must be managed using Windows PowerShell, and the PowerShell cmdlets must be run against individual cluster members.

本示例显示如何使用 Exchange 命令行管理程序 创建包含群集管理访问点并包含三台服务器的 DAG。其中两台服务器(EX1 和 EX2)位于同一个子网 (10.0.0.0) 中,第三台服务器 (EX3) 位于另一个子网 (192.168.0.0) 中。This example shows you how to use the Exchange Management Shell to create a DAG with a cluster administrative access point that will have three servers. Two servers (EX1 and EX2) are on the same subnet (10.0.0.0), and the third server (EX3) is on a different subnet (192.168.0.0).

New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer EX4 -DatabaseAvailabilityGroupIPAddresses 10.0.0.5,192.168.0.5
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer EX1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer EX2
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer EX3

用于创建不包含群集管理访问点的 DAG 的命令非常相似:The commands to create a DAG without a cluster administrative access point are very similar:

New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer EX4 -DatabaseAvailabilityGroupIPAddresses ([System.Net.IPAddress])::None
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer EX1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer EX2
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer EX3

将 EX1 添加到 DAG 后会为 DAG1 创建群集。The cluster for DAG1 is created when EX1 is added to the DAG. 在创建群集期间, Add-DatabaseAvailabilityGroupServer cmdlet 将检索为 DAG 配置的 IP 地址,并忽略与在 EX1 上找到的任何子网不匹配的 IP 地址。During cluster creation, the Add-DatabaseAvailabilityGroupServer cmdlet retrieves the IP addresses configured for the DAG and ignores the ones that don't match any of the subnets found on EX1. 在上述第一个示例中,将使用 IP 地址 10.0.0.5 创建 DAG1 的群集,而忽略 192.168.0.5。In the first example above, the cluster for DAG1 is created with an IP address of 10.0.0.5, and 192.168.0.5 is ignored. 在上述第二个示例中,DatabaseAvailabilityGroupIPAddresses 参数的值指示任务为不包含群集管理访问点的 DAG 创建故障转移群集。In the second example above, the value of the DatabaseAvailabilityGroupIPAddresses parameter instructs the task to create a failover cluster for the DAG that does not have an administrative access point. 因此,将使用核心群集资源组中的 IP 地址或网络名称资源创建群集。Thus, the cluster is created with an IP address or network name resource in the core cluster resource group.

然后,添加 EX2。 Add-DatabaseAvailabilityGroupServer cmdlet 将再次检索为 DAG 配置的 IP 地址。群集的 IP 地址没有更改,因为 EX2 与 EX1 位于同一子网。Then, EX2 is added, and the Add-DatabaseAvailabilityGroupServer cmdlet again retrieves the IP addresses configured for the DAG. There are no changes to the cluster's IP addresses because in EX2 is on the same subnet as EX1.

然后,添加 EX3。 Add-DatabaseAvailabilityGroupServer cmdlet 将再次检索为 DAG 配置的 IP 地址。因为与 192.168.0.5 匹配的子网在 EX3 上,所以地址 192.168.0.5 将作为 IP 地址资源添加到群集组中。此外,会为每个 IP 地址资源的网络名称资源自动配置 OR 依存关系。将群集核心资源组移动到 EX3 后,群集将使用 192.168.0.5 地址。Then, EX3 is added, and the Add-DatabaseAvailabilityGroupServer cmdlet again retrieves the IP addresses configured for the DAG. Because a subnet matching 192.168.0.5 is present on EX3, the 192.168.0.5 address is added as an IP address resource in the cluster group. In addition, an OR dependency for the Network Name resource for each IP address resource is automatically configured. The 192.168.0.5 address will be used by the cluster when the cluster core resource group moves to EX3.

对于包含群集管理访问点的 DAG,当网络名称资源进入联机状态时,Windows 故障转移群集会在域名系统 (DNS) 中注册群集的 IP 地址。For DAGs with cluster administrative access points, Windows failover clustering registers the IP addresses for the cluster in the Domain Name System (DNS) when the Network Name resource is brought online. 此外,当 EX1 被添加到群集中时,会在 Active Directory 中创建群集名称对象 (CNO)。In addition, when EX1 is added to the cluster, a cluster name object (CNO) is created in Active Directory. 群集的网络名称、IP 地址和 CNO 不用于 DAG 功能。The network name, IP address(es), and CNO for the cluster are not used for DAG functions. 管理员和最终用户不需要出于任何原因对接或连接群集/DAG 名称或 IP 地址。Administrators and end users don't need to interface with or connect to the cluster/DAG name or IP address for any reason. 某些第三方应用程序连接到群集管理访问点以执行管理任务,例如备份或监视。Some third-party applications connect to the cluster administrative access point to perform management tasks, such as backup or monitoring. 如果您不使用任何需要群集管理访问点的第三方应用程序,并且您的 DAG 在 Windows Server 2012 R2 上运行 Exchange 2016 或 Exchange 2019,我们建议您创建一个不含管理访问点的 DAG。If you do not use any third-party applications that require a cluster administrative access point, and your DAG is running Exchange 2016 or Exchange 2019 on Windows Server 2012 R2, then we recommend creating a DAG without an administrative access point. 这可以简化 DAG 配置,消除一个或多个 IP 地址的需求,并降低 DAG 受攻击的可能性。This simplifies DAG configuration, eliminates the need for one or more IP addresses, and reduces the attack surface of a DAG.

此外,还将 DAG 配置为使用见证服务器和见证目录。见证服务器和见证目录可以由系统自动配置,还可以由管理员手动配置。在上面的示例中,手动将 EX4(不是也不会是 DAG 成员的服务器)配置为 DAG 的见证服务器。DAGs are also configured to use a witness server and a witness directory. The witness server and witness directory are either automatically configured by the system, or they can be manually configured by the administrator. In the examples above, EX4 (a server that is not and will not be a member of the DAG) is being manually configured as the DAG's witness server.

默认情况下,DAG 旨在使用内置连续复制功能在 DAG 中的服务器之间复制邮箱数据库。By default, a DAG is designed to use the built-in continuous replication feature to replicate mailbox databases among servers in the DAG. 如果使用的是支持 Exchange Server 中第三方复制 API 的第三方数据复制,则必须使用 New-DatabaseAvailabilityGroup cmdlet 和 ThirdPartyReplication 参数,以第三方复制模式创建 DAG。If you're using third-party data replication that supports the Third Party Replication API in Exchange Server, you must create the DAG in third-party replication mode by using the New-DatabaseAvailabilityGroup cmdlet with the ThirdPartyReplication parameter. 启用此模式后不能将其禁用。After this mode is enabled, it can't be disabled.

创建 DAG 后,可以将邮箱服务器添加到 DAG 中。将第一个服务器添加到 DAG 后,将形成群集以供 DAG 使用。DAG 使用 Windows 故障转移群集技术,例如群集检测信号、群集网络以及群集数据库(用于存储更改的数据,例如数据库状态从活动更改为被动或相反的情况,或从装入更改为卸除或相反的情况)。每个后续服务器在添加到 DAG 时,都会加入到基础群集,Exchange 会自动调整群集的仲裁模型,并且服务器会添加到 Active Directory 中的 DAG 对象。After the DAG is created, Mailbox servers can be added to the DAG. When the first server is added to the DAG, a cluster is formed for use by the DAG. DAGs make use of Windows failover clustering technology, such as the cluster heartbeat, cluster networks, and the cluster database (for storing data that changes, such as database state changes from active to passive or vice versa, or from mounted to dismounted and vice versa). As each subsequent server is added to the DAG, it's joined to the underlying cluster, the cluster's quorum model is automatically adjusted by Exchange, and the server is added to the DAG object in Active Directory.

在将邮箱服务器添加到 DAG 后,可以配置各种 DAG 属性,例如对 DAG 中的数据库复制使用网络加密还是使用网络压缩。您还可以配置 DAG 网络和创建附加 DAG 网络。After Mailbox servers are added to a DAG, you can configure a variety of DAG properties, such as whether to use network encryption or network compression for database replication within the DAG. You can also configure DAG networks and create additional DAG networks.

将成员添加到 DAG 并配置 DAG 后,可以将每个服务器上的活动邮箱数据库复制到其他 DAG 成员中。在创建邮箱数据库副本后,可以使用各种内置监视工具监视副本的运行状况和状态。此外,还可以执行数据库和服务器切换。After you add members to a DAG and configure the DAG, the active mailbox databases on each server can be replicated to the other DAG members. After you create mailbox database copies, you can monitor the health and status of the copies using a variety of built-in monitoring tools. In addition, you can perform database and server switchovers.

数据库可用性组仲裁模式Database availability group quorum models

每个 DAG 下均有一个 Windows 故障转移群集。Underneath every DAG is a Windows failover cluster. 故障转移集群使用仲裁概念,即利用投票者的共识来确保一次只有一部分群集成员(这可以指所有成员或大部分成员)在运行。Failover clusters use the concept of quorum, which uses a consensus of voters to ensure that only one subset of the cluster members (which could mean all members or a majority of members) is functioning at one time. 仲裁不是适用于仲裁的新概念Exchange Server。Quorum isn't a new concept for Exchange Server. Exchange 早期版本中的高可用性邮箱服务器同样使用故障转移群集及其仲裁概念。Highly available Mailbox servers in previous versions of Exchange also use failover clustering and its concept of quorum. 仲裁代表一个成员和资源的共享视图,仲裁一词也用于描述代表在所有群集成员间共享的群集中的配置的物理数据。Quorum represents a shared view of members and resources, and the term quorum is also used to describe the physical data that represents the configuration within the cluster that's shared between all cluster members. 因此,所有 DAG 都要求其基础故障转移群集具有仲裁。As a result, all DAGs require their underlying failover cluster to have quorum. 如果群集丢失仲裁,则所有 DAG 操作都将终止,DAG 中托管的所有装入数据库都将卸除。If the cluster loses quorum, all DAG operations terminate and all mounted databases hosted in the DAG dismount. 在这种情况下,需要管理员干预以更正仲裁问题并恢复 DAG 操作。In this event, administrator intervention is required to correct the quorum problem and restore DAG operations.

仲裁对于确保一致性,充当用于避免分区的关系断开裁判,以及确保群集响应能力而言非常重要:Quorum is important to ensure consistency, to act as a tie-breaker to avoid partitioning, and to ensure cluster responsiveness:

  • 确保一 致性:Windows 故障转移群集的主要要求是每个成员始终具有与其他成员一致的群集视图。Ensuring consistency: A primary requirement for a Windows failover cluster is that each of the members always has a view of the cluster that's consistent with the other members. 群集配置单元充当了与群集相关的所有配置信息的权威性存储库。The cluster hive acts as the definitive repository for all configuration information relating to the cluster. 如果 DAG 成员无法本地加载群集配置单元,则群集服务将不会启动,因为无法保证成员始终与该群集中其他成员保持一致这一要求。If the cluster hive can't be loaded locally on a DAG member, the Cluster service doesn't start, because it isn't able to guarantee that the member meets the requirement of having a view of the cluster that's consistent with the other members.

  • 充当关系断开器:仲裁见证资源在成员数为 1 的 DAG 中使用,以避免出现裂脑症状,并确保 DAG 中只有一个成员集合被视为正式集合。Acting as a tie-breaker: A quorum witness resource is used in DAGs with an even number of members to avoid split brain syndrome scenarios and to make sure that only one collection of the members in the DAG is considered official. 当仲裁需要见证服务器时,DAG 中任何能与见证服务器通信的成员均可以在见证服务器的 witness.log 文件上设置一个服务器消息块 (SMB) 锁定。When the witness server is needed for quorum, any member of the DAG that can communicate with the witness server can place a Server Message Block (SMB) lock on the witness server's witness.log file. 锁定见证服务器的 DAG 成员 (称为锁定节点) 出于仲裁目的保留额外投票。The DAG member that locks the witness server (referred to as the locking node) retains an additional vote for quorum purposes. 与锁定节点通信的 DAG 成员占多数,因此保留仲裁权。The DAG members in contact with the locking node are in the majority and maintain quorum. 无法与锁定节点通信的所有 DAG 成员占少数,因此会失去仲裁权。Any DAG members that can't contact the locking node are in the minority and therefore lose quorum.

  • 确保 响应能力 :为了确保响应能力,仲裁模型确保只要群集正在运行,分布式系统的足够成员就可以正常运行并进行通信,并且可以保证群集当前状态至少有一个副本。Ensuring responsiveness: To ensure responsiveness, the quorum model makes sure that, whenever the cluster is running, enough members of the distributed system are operational and communicative, and at least one replica of the cluster's current state can be guaranteed. 无需额外时间来为成员建立通信,或确定特定副本是否得到保证。No additional time is required to bring members into communication or to determine whether a specific replica is guaranteed.

具有偶数个成员的 DAG 使用故障转移群集的节点和文件共享多数仲裁模式,该模式采用外部见证服务器充当关系断开裁判。DAGs with an even number of members use the failover cluster's Node and File Share Majority quorum mode, which employs an external witness server that acts as a tie-breaker. 在此仲裁模式中,每个 DAG 成员都将获得一票。In this quorum mode, each DAG member gets a vote. 此外,还将使用见证服务器向某个 DAG 成员提供一份权重投票(例如,获得两投票而不是一份)。In addition, the witness server is used to provide one DAG member with a weighted vote (for example, it gets two votes instead of one). 默认情况下,群集仲裁数据存储在每个 DAG 成员的系统磁盘中,并且在这些磁盘间保持一致。The cluster quorum data is stored by default on the system disk of each member of the DAG, and is kept consistent across those disks. 但是,仲裁数据的副本并不存储在见证服务器上。However, a copy of the quorum data isn't stored on the witness server. 见证服务器上的一个文件用于记录哪个成员拥有最新的数据副本,但见证服务器没有群集仲裁数据的副本。A file on the witness server is used to keep track of which member has the most updated copy of the data, but the witness server doesn't have a copy of the cluster quorum data. 在此模式中,大多数的投票者(DAG 成员加上见证服务器)必须工作正常并且能够相互通信以保留仲裁权。In this mode, a majority of the voters (the DAG members plus the witness server) must be operational and able to communicate with each other to maintain quorum. 如果大多数投票者不能相互通信,则 DAG 基础群集将失去仲裁权,并且 DAG 需要管理员干预才能恢复正常工作。If a majority of the voters can't communicate with each other, the DAG's underlying cluster loses quorum, and the DAG will require administrator intervention to become operational again. 有关详细信息,请参阅数据中心切换和 Restore-DatabaseAvailabilityGroup。For more information, see Datacenter switchovers and Restore-DatabaseAvailabilityGroup.

具有奇数个成员的 DAG 使用故障转移群集的节点多数仲裁模式。在此模式中,每个成员将获得一票,且每个成员的本地系统磁盘用于存储群集仲裁数据。如果 DAG 配置发生更改,此更改将反映在不同磁盘上。仅当更改发生在一半(向下舍入)加一数目的成员的磁盘上,该更改才会被视为已提交并永久保存。例如,在五个成员的 DAG 中,更改必须发生在二加一个成员上,即共三个成员上。DAGs with an odd number of members use the failover cluster's Node Majority quorum mode. In this mode, each member gets a vote, and each member's local system disk is used to store the cluster quorum data. If the configuration of the DAG changes, that change is reflected across the different disks. The change is only considered to have been committed and made persistent if that change is made to the disks on half the members (rounding down) plus one. For example, in a five-member DAG, the change must be made on two plus one members, or three members total.

仲裁要求大多数投票者能够相互通信。请考虑具有四个成员的 DAG。因为此 DAG 具有偶数个成员,所以使用外部见证服务器向其中一个群集成员提供第五个决定性投票。为了保留大多数投票者(进而保留仲裁权),至少必须有三个投票者能够相互通信。任何时候,在不中断服务以及数据访问的前提下,最多有两个投票者可以处于脱机状态。如果有三个或更多个投票者脱机,DAG 将失去仲裁权,且服务和数据访问将中断,直至问题解决。Quorum requires a majority of voters to be able to communicate with each other. Consider a DAG that has four members. Because this DAG has an even number of members, an external witness server is used to provide one of the cluster members with a fifth, tie-breaking vote. To maintain a majority of voters (and therefore quorum), at least three voters must be able to communicate with each other. At any time, a maximum of two voters can be offline without disrupting service and data access. If three or more voters are offline, the DAG loses quorum, and service and data access will be disrupted until you resolve the problem.