Wednesday, February 24, 2016

Safety Net

Applies to: Exchange Server 2013
Topic Last Modified: 2015-03-09
In Microsoft Exchange Server 2013, the primary mechanism of mailbox high availability is the database availability group (DAG). For more information about DAGs, see Managing database availability groups. The transport dumpster was first introduced in Exchange 2007, and was further improved in Exchange 2010 to provide redundant copies of messages after they're successfully delivered to mailboxes in DAGs. In Exchange 2010, the transport dumpster helped protect against data loss by maintaining a queue of successfully delivered messages that hadn't replicated to the passive mailbox database copies in the DAG. When a mailbox database or server failure required the promotion of an out-of-date copy of the mailbox database, the messages in the transport dumpster were automatically resubmitted to the new active copy of the mailbox database.
The transport dumpster has been improved in Exchange 2013 and is now called Safety Net.
Here's how Safety Net is similar to the transport dumpster in Exchange 2010:
  • Safety Net is a queue that's associated with the Transport service on a Mailbox server. This queue stores copies of messages that were successfully processed by the server.
  • You can specify how long Safety Net stores copies of the successfully processed messages before they expire and are automatically deleted. The default is 2 days.
Here's how Safety Net is different in Exchange 2013:
  • Safety Net doesn't require DAGs. For Mailbox servers that don't belong to a DAG, Safety Net stores copies of the delivered messages on other Mailbox servers in the local Active Directory site.
  • Safety Net itself is now redundant, and is no longer a single point of failure. This introduces the concept of the Primary Safety Net and the Shadow Safety Net. If the Primary Safety Net is unavailable for more than 12 hours, resubmit requests become shadow resubmit requests, and messages are re-delivered from the Shadow Safety Net.
  • Safety Net takes over some responsibility from shadow redundancy in DAG environments. Shadow redundancy doesn't need to keep another copy of the delivered message in a shadow queue while it waits for the delivered message to replicate to the passive copies of the mailbox database on the other Mailbox servers in the DAG. The copy of the delivered message is already stored in Safety Net, so the message can be resubmitted from Safety Net if necessary.
  • In Exchange 2013, transport high availability is more than just a best effort for message redundancy. Exchange 2013 attempts to guarantee message redundancy. Because of this, you can't specify a maximum size limit for Safety Net. You can only specify how long Safety Net stores messages before they're automatically deleted.

How Safety Net works

Shadow redundancy keeps a redundant copy of the message while the message is in transit. Safety Net keeps a redundant copy of a message after the message is successfully processed. So, Safety Net begins where shadow redundancy ends. The same concepts about shadow redundancy, including the transport high availability boundary, primary messages, primary servers, shadow messages and shadow servers also apply to Safety Net. For more information, see Shadow redundancy.
The Primary Safety Net exists on the Mailbox server that held the primary message before the message was successfully processed by the Transport service. This could mean the message was delivered to the Mailbox Transport service on the destination Mailbox server. Or, the message could have been relayed through the Mailbox server in an Active Directory site that's designated as a hub site on the way to the destination DAG or Active Directory site. After the primary server processes the primary message, the message is moved from the active queue into the Primary Safety Net on the same server.
The Shadow Safety Net exists on the Mailbox server that held the shadow message. After the shadow server determines the primary server has successfully processed the primary message, the shadow server moves the shadow message from the shadow queue into the Shadow Safety Net on the same server. Although it may seem obvious, the existence of the Shadow Safety Net requires shadow redundancy to be enabled, and shadow redundancy is enabled by default in Exchange 2013.
The parameters used by Safety Net are described in the following table.

 


Parameter: SafetyNetHoldTime on Set-TransportConfig
Default value: 2 days
Description: The length of time successfully processed primary messages are stored in Primary Safety Net, and acknowledged shadow messages are stored in Shadow Safety Net.
You can also specify this value in the Exchange Administration Center (EAC) at Mail flow > Receive connectors > More options > Organization transport settings > Safety Net > Safety Net hold time.
Unacknowledged shadow messages eventually expire from Shadow Safety Net after the sum of SafetyNetHoldTime and MessageExpirationTimeout on Set-TransportService.
To avoid data loss during Safety Net resubmits, the value of SafetyNetHoldTime must be greater than or equal to the value of ReplayLagTime on Set-MailboxDatabaseCopy for the lagged copy of the mailbox database.

Parameter: ReplayLagTime on Set-MailboxDatabaseCopy
Default value: Not configured
Description: The amount of time that the Microsoft Exchange Replication service should wait before replaying log files that have been copied to the passive database copy. Setting this parameter to a value greater than 0 creates a lagged copy of the mailbox database. The maximum value is 14 days.
To avoid data loss during Safety Net resubmits, the value of ReplayLagTime must be less than or equal to the value of SafetyNetHoldTime on Set-TransportConfig for the lagged copy of the mailbox database.

Parameter: MessageExpirationTimeout on Set-TransportService
Default value: 2 days
Description: How long a message can remain in a queue before it expires.

Parameter: ShadowRedundancyEnabled on Set-TransportConfig
Default value: $true
Description:
  • $true enables shadow redundancy on all transport servers in the organization.
  • $false disables shadow redundancy on all transport servers in the organization.
A redundant Safety Net requires shadow redundancy to be enabled.

https://technet.microsoft.com/en-us/library/jj657495(v=exchg.150).aspx

How Safety Net Works

While Shadow Redundancy preserves a redundant copy of the e-mail while it is in transit, Safety Net preserves a redundant copy of the e-mail after it is processed successfully. Basically, Safety Net begins where Shadow Redundancy ends. Safety Net uses the same concepts of the transport high availability boundary, primary e-mails, primary servers, shadow e-mails and shadow servers.




Figure 3.1: Exchange 2013 Transport High Availability
The Primary Safety Net, seen in the picture above, is located on the server that was holding the primary e-mail before it was processed successfully by the Transport service. This does not necessarily mean the destination Mailbox server, as the e-mail could have come through a Mailbox server in an AD site configured as a hub site. After the primary e-mail is processed by the primary server, it is moved from the active queue to the Primary Safety Net on the same server.
Shadow Safety Net, also seen in the picture above, is located on the server that was holding the shadow e-mail. When the shadow server determines the e-mail was processed successfully, it moves the shadow e-mail from the shadow queue to the Shadow Safety Net on the same server.
As Safety Net and Shadow Redundancy are very much interlinked, Shadow Redundancy needs to be enabled for Shadow Safety Net to work, which it is by default.
The following Set-TransportConfig parameters are used by Safety Net:
  • ShadowRedundancyEnabled enables ($True) or disables ($False) Shadow Redundancy for all transport servers. Remember that Shadow Redundancy needs to be enabled for a redundant Safety Net;
  • SafetyNetHoldTime specifies how long (2 days by default) successfully processed e-mails are kept in the Primary Safety Net and how long acknowledged shadow e-mails are stored in Shadow Safety Net. You can also set this value using the EAC by navigating to more options in the Receive connectors pane. Shadow e-mails that are not acknowledged expire from Shadow Safety Net after SafetyNetHoldTime + MessageExpirationTimeout. When using lagged database copies, in order to prevent data loss during Safety Net resubmits, SafetyNetHoldTime has to be equal to or greater than ReplayLagTime on Set-MailboxDatabaseCopy.
The MessageExpirationTimeout parameter on Set-TransportService specifies how long an e-mail remains in a queue before expiring (2 days by default).
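The constraints stated in both parameter descriptions above can be checked mechanically. The following PowerShell function is an added example, not part of the original article or of Microsoft's documentation; the function name, the hashtable input shape and the sample values are assumptions made for illustration.

```powershell
# Added example. Inputs are passed in as parameters so the logic runs without
# Exchange; on a server they would be read with Get-TransportConfig,
# Get-TransportService and Get-MailboxDatabase (ReplayLagTimes).
function Test-SafetyNetConfig {
    param(
        [Parameter(Mandatory=$true)] [bool]      $ShadowRedundancyEnabled,
        [Parameter(Mandatory=$true)] [TimeSpan]  $SafetyNetHoldTime,
        [Parameter(Mandatory=$true)] [TimeSpan]  $MessageExpirationTimeout,
        [Parameter(Mandatory=$true)] [hashtable] $ReplayLagByCopy  # 'DB\Server' -> [TimeSpan]
    )
    $maxLag   = [TimeSpan]::FromDays(14)   # documented ReplayLagTime maximum
    $required = [TimeSpan]::Zero           # largest lag seen = minimum safe hold time
    $findings = @()

    if (-not $ShadowRedundancyEnabled) {
        $findings += 'ShadowRedundancyEnabled is $false: there is no Shadow Safety Net.'
    }
    foreach ($copy in ($ReplayLagByCopy.Keys | Sort-Object)) {
        $lag = [TimeSpan]$ReplayLagByCopy[$copy]
        if ($lag -gt $required) { $required = $lag }
        if ($lag -gt $maxLag) {
            $findings += "${copy}: ReplayLagTime $lag is above the 14-day maximum."
        }
        if ($lag -gt $SafetyNetHoldTime) {
            $findings += "${copy}: ReplayLagTime $lag exceeds SafetyNetHoldTime $SafetyNetHoldTime " +
                "by $($lag - $SafetyNetHoldTime); resubmits after activating this copy can lose mail."
        }
    }
    [pscustomobject]@{
        Compliant             = ($findings.Count -eq 0)
        MinimumHoldTime       = $required
        # Unacknowledged shadow messages expire after this long.
        UnackedShadowLifetime = $SafetyNetHoldTime + $MessageExpirationTimeout
        Findings              = $findings
    }
}

# Constructed sample values: default 2-day settings and one 7-day lagged copy.
$result = Test-SafetyNetConfig -ShadowRedundancyEnabled $true `
    -SafetyNetHoldTime ([TimeSpan]::FromDays(2)) `
    -MessageExpirationTimeout ([TimeSpan]::FromDays(2)) `
    -ReplayLagByCopy @{ 'DB01\MBX1' = [TimeSpan]::Zero; 'DB01\MBX3' = [TimeSpan]::FromDays(7) }
$result | Format-List
```

With these sample values the report is non-compliant: the 7-day lagged copy needs SafetyNetHoldTime raised to at least 7 days.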
Please note that when running Get-TransportConfig we can still see the MaxDumpsterSizePerDatabase and MaxDumpsterTime parameters:



Figure 3.2: Legacy Dumpster Parameters

However, both these parameters are only used by Exchange 2010 and not 2013. MaxDumpsterSizePerDatabase has no replacement in Exchange 2013 while MaxDumpsterTime is replaced by the SafetyNetHoldTime parameter as already discussed.





