Tài liệu Module 5: Clustering doc

Contents

Resource Dependencies 1

Cluster Service Account Permissions 5

MsExchange_NodeState 9

DNS registration/Kerberos 12

AntiAffinityClassNames 16

Mount Point Drives 22

Creating an Exchange Virtual Server 33

Upgrading an Exchange Virtual Server to

Exchange 2003 56

Removing an Exchange Virtual Server 64

Lab 5.1 : Clustering 88

Module 5: Clustering

Information in this document, including URL and other Internet Web site references, is subject to

change without notice. Unless otherwise noted, the example companies, organizations, products,

domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,

and no association with any real company, organization, product, domain name, e-mail address,

logo, person, place or event is intended or should be inferred. Complying with all applicable

copyright laws is the responsibility of the user. Without limiting the rights under copyright, no

part of this document may be reproduced, stored in or introduced into a retrieval system, or

transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or

otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual

property rights covering subject matter in this document. Except as expressly provided in any

written license agreement from Microsoft, the furnishing of this document does not give you any

license to these patents, trademarks, copyrights, or other intellectual property.

 2003 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, Excel, Exchange Server

5.5, Exchange 2000 Server, Exchange Server 2003, Internet Explorer, Internet Information Server,

Word are either registered trademarks or trademarks of Microsoft Corporation in the United States

and/or other countries.

The names of actual companies and products mentioned herein (Groupwise, Lotus cc:Mail, Lotus

Notes) may be the trademarks of their respective owners.

Module 5: Clustering 1

Resource Dependencies

In an Exchange 2000 cluster, we need to create a new Cluster Group to house

the Exchange Virtual Server. In order to successfully create a System Attendant

Resource, we must first have a physical disk resource, an IP address, and a

Network Name in that group.

When we create the System Attendant resource, the other Exchange resources

will be automatically created. During the creation process, a dependency tree

will be created. The dependency tree is shown below.

2 Module 5: Clustering

The Information Store resource has five dependencies: SMTP, HTTP, POP,

IMAP and Microsoft Search service. The message transfer agent (MTA) and

Routing Engine resources are directly dependant on the System Attendant. In

the event of a failover, all resources that have a dependency must go offline

before the resource that it is dependant on them can attempt to go offline.

In the scenario above the SMTP, HTTP, IMAP4, POP3 and Microsoft Search

service must successfully go offline (or fail) before the Information Store

resource can attempt to go offline. The MTA and Routing Engine resources can

attempt to go offline immediately, as they do not have any resources that are

dependant on them.

Traditionally in Exchange 2000 clusters, the SMTP and the Information Store

resources took the longest amount of time to go offline/come online. This could

be attributed to large SMTP queues or mounting/dismounting large databases.

This obviously will lead to longer failover times as the Information Store

resource has to wait for the SMTP resource to go offline before it can attempt to

go offline/come online.

Exchange 2000

Resource Dependency

Tree

Module 5: Clustering 3

In Exchange Server 2003, the resource-dependant tree has been altered so that

all Exchange 2003 cluster resources are now directly dependant on the System

Attendant resource.

Here we see that all the Exchange related resources are now directly dependant

on the System Attendant. This effectively means that the SMTP (and other

protocol resources) can now be brought online/go offline in parallel with the

store. This makes for faster failovers of the Exchange Virtual Server.

During the creation of the Exchange Virtual Server process, the correct

dependencies will be set.

The POP3 and IMAP4 resources are not created by default. If they are

created manually, then you will need to set a dependency on the System

Attendant (this is mandatory).

During an upgrade of an Exchange 2000 Exchange Virtual Server, the resource

dependencies will be changed to the new Exchange 2003 resource dependency

tree. From the “Exchange Server Setup Progress.log” file we can see these

changes being made. Open the log file and search for

ScUpgradeResourceDependencies. Here we will see each resource being

changed.

An SMTP resource being changed from the progress log:

Resource Dependency

Tree in Exchange 2003

Note

4 Module 5: Clustering

[08:36:54] Entering ScUpgradeResourceDependencies

[08:36:54] Checking dependencies of resource 'SMTP Virtual

Server Instance - (EVS-01)'

[08:36:54] Entering ScChangeResourceDependency

[08:36:54] About to change resource dependency for resource

'SMTP Virtual Server Instance - (EVS-01)'

[08:36:54] Leaving ScChangeResourceDependency

You will see the above entries for all Exchange resources that are upgraded to

Exchange 2003.

Module 5: Clustering 5

Cluster Service Account Permissions

Related articles/bugs:

„ 329702.KB.EN-US

In order to successfully create, delete or modify an Exchange 2000 Exchange

Virtual Server, the Windows 2000 cluster service account required “Exchange

Full Administrator” permissions at the organization level if it was the first

Exchange Virtual Server in the org. If it was not the first Exchange Virtual

Server in the org then it required Exchange Full Administrator on the Admin

Group that it was being installed into.

6 Module 5: Clustering

The Exchange Virtual Server creation process (shown above) can be broken

down as follows:

1. User DOMAIN\Administrator logs in to one of the Nodes and starts Cluster

Administrator (cluadmin.exe). The process cluadmin.exe runs as the

currently logged in user (DOMAIN\Administrator). The Administrator then

attempts to create a new Exchange System Attendant. Excluadmin.dll will

gather information from Active Directory in order to create the System

Attendant (e.g. Org name and Administrative Group name etc). The user

DOMAIN\Administrator needs permissions to read from the configuration

partition of the Active Directory.

2. When excluadmin.dll has collected the necessary information, it will then

pass the information to exres.dll. Exres.dll is the Exchange resource dll.

Exres.dll runs in the Resource Monitor process, which runs in the context of

the Cluster Service Account.

3. Exres.dll will then load exsetdata.dll in order to create the objects in Active

Directory. Exsetdata.dll also runs in the Resource Monitor process.

4. Exsetdata.dll will then create the necessary objects in the Active Directory.

As Exsetdata.dll runs in the context of the Cluster Service Account, this

account will require Full Exchange Administrator permissions in order to

create the objects successfully.

Permission

requirements in

Exchange 2000

Module 5: Clustering 7

In Exchange 2003 the permissions have changed in order to remove this

requirement. Any person or application that runs as the Windows 2000 cluster

service account essentially has the ability to destroy an Exchange 2000

organization.

The Exchange 2003 permissions requirements are as follows:

In the Exchange 2003 the Exchange Virtual Server creation process can be

broken down as follows:

1. The user DOMAIN\Administrator logs in to a Node in the cluster and starts

Cluster Administrator (cluadmin.exe). This process runs in the context of

DOMAIN\Administrator. The Administrator then attempts to create a new

Exchange System Attendant resource. Excluadmin.dll will gather

information from Active Directory in order to create the System Attendant

(e.g. Org name and Administrative Group name etc). The user

DOMAIN\Administrator will need to permissions to read from Active

Directory for this operation to be successful.

2. When excluadmin.dll has collected the necessary information, it will then

load Exsetdata.dll directly. Exsetdata.dll runs in the same process as

Excluadmin.dll (DOMAIN\Administrator).

3. Exsetdata.dll will then create the objects in Active Directory. As

exsetdata.dll runs in the context of DOMAIN\Administrator, it is this

account that requires the Exchange Full Administrator permissions to the

configuration partition of Active Directory.

Permissions

requirements in

Exchange 2003