How to Change DAG Witness Server and Witness Directory

Witness Server and Witness Directory are the most critical components of the Database Availability Group (DAG). DAG requires Witness Server or File Share Witness (FSW) and Directory to maintain the Quorum. In case of Witness Server failure, the Quorum is no longer maintained, leading to inconsistent DAG. In addition, the cluster may no longer respond or work, leading to downtimes if a disaster strikes.

However, you can change the Witness Server and Witness Directory to maintain the Quorum and ensure high availability when the Witness Server has failed, is unavailable, or does not boot.

Bring Back Failed Witness Server Online

Before changing or moving the Witness Server, try to bring back the File Share Witness online by following these steps:

1. Open the Failover Cluster Manager and check the Witness Server status.
2. If the Witness Server has failed and the cluster is offline, you will see a warning next to the Witness Server name. 
3. Right-click on the cluster name and then choose to bring resources online. Wait for a few minutes as this may take a while to finish. 
4. Once complete, you will see the cluster is online. However, if the Witness Server isn't back online, you will encounter any of the following error messages. 

The operation has failed. An error occurred while attempting to bring the resource 'Cluster Name' online. 

If so, continue following the steps discussed below.

To change the Witness Server and Witness Directory to a different server, you can use the Exchange Admin Center (EAC) or PowerShell cmdlets in Exchange Management Shell (EMS). 

You must have the Disaster Recovery role assigned to perform the below steps.

Change Witness Server and Directory using EAC

To change the Witness Server and Witness Directory using the Exchange Admin Center, follow these steps:

1. Log in to the Exchange Admin Center (EAC) and navigate to the servers > database availability groups. 
2. Select the DAG for which you need to change the Witness Server or Witness Directory and then click the edit icon. 
3. In the Witness server: field, enter the new file server FQDN. For instance, ws02-2019.contoso.com.
4. Enter the new Witness Directory path in the Witness directory: field. 
5. After changing the Witness Server and Directory, click Save.

To verify if the Witness Server and Witness Directory changes are successful, go to servers > database availability groups and click on the DAG. Then, look at the right pane for the Witness Server name.

You can also run the Get-DatabaseAvailabilityGroup cmdlet to view and verify the changes.  

Further, you will notice two files at the Witness Server C:\DAGName\<GUIDFodler> location, namely:

1. VerifyShareWitnessAccess.txt
2. Witness.log

Make sure to add an exclusion in your antivirus or malware security software for these files. 

Change Witness Server and Directory Using EMS

The steps to configure and change the DAG Witness Server and Witness Directory using the Exchange Management Shell are as follows:

Step 1: Set Up a New Server

You should set up a new File Server with an identical or better configuration than the failed Witness Server. Do not use the Domain Controller (DC) as Witness Server. We will configure this new server as Witness Server.  

For this guide, we will be naming the failed Witness Server as WS01-2019.contoso.com and the new Witness Server as WS02-2019.contoso.com.

Step 2: Configure the Permissions on New Server

You need to add the 'Exchange Trusted Subsystem' AD group to the local admin's group on the new server - WS02-2019. The steps are as follows:

• On the new file server (WS02-2019), open Administrative Tools and launch Computer Management.
• Navigate to the Local Users and Groups > Groups.  
• Double-click on the Administrators group and add the Exchange Trusted Subsystem.
• Click Apply > OK. 

Step 3: Change the DAG Witness Server 

We will use the Set-DatabaseAvailabilityGroup PowerShell cmdlets in the Exchange Management Shell (EMS) window to change the DAG Witness Server.

Check the cluster nodes using the following cmdlet:

Get-ClusterNode

Check the existing Witness Servers.

Get-DatabaseAvailabilityGroup -Identity "DAGName" -Status | ft Name, Witness*,Servers

For instance,

Get-DatabaseAvailabilityGroup -Identity "DAG01-2019" -Status | ft Name, Witness*,Servers

This will display the existing Witness Server and Witness Directory. 

To change the Witness Server and Directory to the new File Server, execute the following command:

Set-DatabaseAvailabilityGroup -Identity "DAG01-2019" -WitnessServer <FileShareWitnessServerName> -WitnessDirectory <NonRootLocalLongFullPath>

For instance,

Set-DatabaseAvailabilityGroup -Identity "DAG01-2019" -WitnessServer "WS02-2019.contoso.com" -WitnessDirectory C:\DAG01-2019

If you encounter the error 'Unable to access the file shared on witness server WS02-2019.contoso.com', add an exception in the Windows Firewall for File and Printer Sharing (SMB port 445). You may also disable the Windows Firewall (not recommended).

After making the changes to the firewall, re-run the cmdlet. It will change the Witness Server and Witness Directory without any error. 

Step 4: Verify the Changes

To ensure the Witness Server and Directory have changed, run the following cmdlet in the Exchange Management Shell.

Get-DatabaseAvailabilityGroup -Identity "DAG01-2016" -Status | ft Name, Witness*,Servers

Check the output and look for the updated DAG name, Witness Server, and Witness Directory path. 

Conclusion

You can use Exchange Management Shell cmdlets or the Exchange Admin Center to change or update the Exchange Server DAG Witness Server and Witness Directory. However, if the DAG member server goes down and cannot be brought back, you need to set up new servers, add the servers to the DAG, and then restore the mailboxes from backup. You can also use Exchange recovery software to export mailboxes from the failed server to the new server. The software comes in handy when the backup isn't available, obsolete, or not working. The software scans the database files on failed server, extracts the mailboxes, and exports them directly to the new or existing DAG member server.