Cluster Administrative Access Point and Database Availability Group

One of the new features in Windows Server 2012 R2 intended to decrease complexity is the so-called Active Directory detached cluster. This is a regular Failover Cluster, but without a computer account in Active Directory. When deploying the Failover Cluster there is no longer any need to pre-create the Computer Name Object (CNO). Note, however, that the individual cluster nodes still need to be members of the Active Directory domain.

Since there is no CNO in an Active Directory detached cluster, the Cluster Administrative Access Point (CAAP) is not available either. Failover Cluster Management used this cluster AAP to access and manage the cluster. Because the cluster AAP is no longer available, such a cluster is also referred to as an AAP-less, cluster AAP-less or CAAP-less cluster.

What does this mean for Exchange 2013 and Database Availability Groups? When you want to deploy a DAG on Windows Server 2012 R2 without the Administrative Access Point there’s no need to pre-create the CNO and grant the Exchange Trusted Subsystem permissions to it. It also frees up the use of an IP address. In a typical environment this is not a big deal, but in an environment like Office 365 with tens of thousands of DAGs this IS a big deal.

Creating a CAAP-less DAG is fairly simple and can be done in PowerShell with the following command (replace <WitnessServer> with the name of your witness server):

New-DatabaseAvailabilityGroup -Name DAG01 -WitnessServer <WitnessServer> -DatabaseAvailabilityGroupIPAddresses ([System.Net.IPAddress]::None)


Nothing special is done here; only the DAG object is created in Active Directory. The actual cluster is created only when you add the individual Mailbox servers to the DAG. To add the Mailbox servers to the DAG you can use the following commands:

Add-DatabaseAvailabilityGroupServer -Identity DAG01 -MailboxServer EXCH01
Add-DatabaseAvailabilityGroupServer -Identity DAG01 -MailboxServer EXCH02

Adding the Mailbox database copies to the DAG is no different from the ‘old’ traditional DAG:

Add-MailboxDatabaseCopy -Identity MDB01 -MailboxServer EXCH02 -ActivationPreference:2
Add-MailboxDatabaseCopy -Identity MDB02 -MailboxServer EXCH01 -ActivationPreference:2


You can use PowerShell to check the Administrative Access Point (or rather, its absence) with the (Get-Cluster -Name EXCH01).AdministrativeAccessPoint command, which will return “None”. Because there is no cluster name to connect to, the cluster is addressed through one of its nodes. In this DAG there’s only one Cluster Resource, the File Share Witness, which can be retrieved using the Get-ClusterResource command. Both can be seen in the following figure:


When you open the Failover Cluster Management it cannot find anything since the Administrative Access Point is no longer available:


If you check with ADSIEdit you can see the existence of the DAG by checking the CN=DAG01,CN=Database Availability Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ExchangeLabs,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com object in the Active Directory Configuration partition:


The only way to manage the DAG is using the Exchange Management Shell, for example with the Get-DatabaseAvailabilityGroup or Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus commands.
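
The checks described above can be combined into one script. This is an added example, not code from the original post: the function name Test-CaaplessDag is hypothetical, and it assumes the Exchange Management Shell on a DAG member with the FailoverClusters and ActiveDirectory modules installed, and that any leftover CNO would carry the DAG's name.

```powershell
# Added example: run from the Exchange Management Shell on a DAG member.
# Assumes the FailoverClusters and ActiveDirectory (RSAT) modules are installed.
Import-Module FailoverClusters, ActiveDirectory

function Test-CaaplessDag {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [string]$DagName      # e.g. DAG01, the DAG name used in this article
    )

    $dag   = Get-DatabaseAvailabilityGroup -Identity $DagName -ErrorAction Stop
    $nodes = @($dag.Servers | ForEach-Object { $_.Name })
    if ($nodes.Count -eq 0) {
        throw "DAG '$DagName' has no members yet, so no cluster exists."
    }

    # There is no cluster name to connect to: address the cluster via a member node.
    $cluster = Get-Cluster -Name $nodes[0] -ErrorAction Stop

    # An AD-detached cluster should not have a computer object (CNO) in the domain.
    # Assumption: a CNO, if present, would be named after the DAG.
    $cno = Get-ADComputer -Filter "Name -eq '$DagName'"

    [pscustomobject]@{
        Dag                       = $DagName
        Members                   = $nodes -join ', '
        AdministrativeAccessPoint = $cluster.AdministrativeAccessPoint
        CnoInActiveDirectory      = [bool]$cno
        IsCaapless                = ("$($cluster.AdministrativeAccessPoint)" -eq 'None') -and -not $cno
        ClusterResources          = @(Get-ClusterResource -Cluster $nodes[0] |
                                        ForEach-Object { "$($_.Name) [$($_.State)]" })
    }
}

$result = Test-CaaplessDag -DagName 'DAG01'
$result | Format-List

# Replication health comes from Exchange, not from the cluster tools.
foreach ($node in ($result.Members -split ', ')) {
    Get-MailboxDatabaseCopyStatus -Server $node |
        Select-Object Name, Status, CopyQueueLength, ReplayQueueLength
}
```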

It is not possible (and thus not supported) to change an existing DAG that uses an AAP to a DAG that does not use an AAP. If you try, stuff will break, which will result in downtime. The only way to change to a DAG without a cluster AAP is to break down the DAG and rebuild it, but this will also result in downtime. Scott Schnoll wrote about this in his Windows Server 2012 R2 and Database Availability Groups article.

More information can be found in the TechNet article What’s New in Failover Clustering in Windows Server.
