“Insufficient Permissions To Access File Share On Witness Server” Error While Adding Second Node To DAG…

MS Exchange

I was creating a test lab with Windows 2008 R2 as the base operating system and Exchange 2010, with a view to configure a DAG. I have explained the process of configuring a DAG in one of my previous articles.

While the DAG creation completed successfully, the completion wizard showed me a warning.

Warning DAG Creation

I wasn’t that bothered as the file share is not created until we add nodes to the DAG. I added the first node successfully. While adding the second node, the operation failed with the following error.

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:48

DAG02
Failed

Error:
There was a problem changing the quorum on cluster DAG1. File share witness ‘\2010DC.HEW10.LOCALDAG1.HEW10.LOCAL’ network name was not found. This may be due to a problem with firewall settings.

Warning:
Insufficient permissions to access file shares on witness server ‘2010DC.HEW10.LOCAL’. Until this problem is corrected, the database availability group may be more vulnerable to failures. You can use the Set-DatabaseAvailabilityGroup cmdlet to try the operation again. Error: Access is denied

Warning:
The operation wasn’t successful because an error was encountered. You may find more details in log file "C:ExchangeSetupLogsDagTasksdagtask_2009-12-12_22-51-11.198_add-databaseavailabiltygroupserver.log".

Exchange Management Shell command attempted:
Add-DatabaseAvailabilityGroupServer -Identity ‘DAG1’ -MailboxServer ‘DAG02’

Elapsed Time: 00:00:48

DAG 2nd Node Failure

The problem was that I gave the witness server to be my domain controller, a Windows 2008 R2 machine.

The solution is that “Exchange Trusted Subsystem” security group has to be added as a member of the local administrators group of the server. Since my witness server is a DC, I added the “Exchange Trusted Subsystem” group to the Administrators group in AD.

Add Group

Once the group was added, I could add my second node to the DAG successfully.

DAG Success

If you provide another Exchange 2010 server as your witness server, everything works fine. If not, the “Exchange Trusted Subsystem” group has to be given local admin rights.

Other Popular Articles


MS Exchange

Scripting Agent Initialization Failed: “File is not found” Error During Exchange 2016 Setup

MS Exchange

EAC Access While Co-Existing Exchange 2013 With 2010

MS Exchange

Delete All Calendar Entries In An Exchange 2010 Mailbox

9 thoughts on ““Insufficient Permissions To Access File Share On Witness Server” Error While Adding Second Node To DAG…”

  1. Typo: I have two Windows 2008 R2 server with Exchange as nodes + one another Windows 2008 R2 server to be configured as Witness server.

    Reply
    • Hi Abhi,

      Exchange trusted subsystem group should be added as a local admin on the witness server. Is that the case?

      Thanks.

      Reply
      • Thanks for the very right question. I had added the Witness server AD users–> Administrator to the group. But now after your question, when I checked in Local Users & Groups –> Groups–> Administrator Properties–> Exchange trusted subsystem grp wasn’t there. Now I added and I could successfully configure DAG

        Reply
  2. I have Windows 2008 R2 server with Exchange as nodes + one another Windows 2008 R2 server to be configured as Witness server.

    All the 3 systems are under “Exchange Trusted Subsystem” security group. However, my DAG configuration constantly fails with the error as below:

    “Warning:
    Insufficient permissions to access file shares on witness server ‘win-52-239.interopexchange.com’. Until this problem is corrected, the database availability group may be more vulnerable to failures. You can use the Set-DatabaseAvailabilityGroup cmdlet to try the operation again. Error: Access is denied

    Exchange Management Shell command completed:
    New-DatabaseAvailabilityGroup -Name ‘InteropDAG1’ -WitnessServer ‘win-52-239.interopexchange.com’ -WitnessDirectory ‘c:\witness’

    Elapsed Time: 00:00:00”

    Any help possible on this please?

    Reply
  3. Had to do the same thing. Surprised there's not a Technet article by now, but this is exctly how this is done. I also received a similar error until I made the DC's computer account part of the Exchange Servers Security Group. Those two changes work like a chanp! Thanks for posting.

    Reply

Leave a Comment