Safety Net theory questions

Hello!

Suppose there are 4 Exchange CAS/MB servers - Exch1-Exch4 - in a single AD site, no DAG exists.

A user with a mailbox on Exch1 sends a message to a user on Exch3.

According to https://technet.microsoft.com/en-us/library/jj657495%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

"The Primary Safety Net exists on the Mailbox server that held the primary message before the message was successfully processed by the Transport service." - as far as I understand it, in my case the Primary Safety Net is on Exch1.

"The Shadow Safety Net exists on the Mailbox server that held the shadow message." -

Q1: Which server is supposed to hold the shadow message (Exch2/Exch3/Exch4)?

Q2: In case a user sends a message outside his/her organization, where would the Shadow Safety Net exist?

Message resubmission from Safety Net

Message resubmissions from Safety Net are initiated by the Active Manager component of the Microsoft Exchange Replication service that manages DAGs and mailbox database copies. No manual actions are required to resubmit messages from Safety Net. For more information about Active Manager, see Active Manager.

There are two basic Safety Net message resubmission scenarios:

  • After the automatic or manual failover of a mailbox database in a DAG.

  • After you activate a lagged copy of a mailbox database.

Q3: Does it mean lagged database copies cannot exist without Safety Net? In other words, can lagged database copies work if Safety Net is disabled?

Thank you in advance,

Michael



  • Edited by MF47 Friday, June 26, 2015 1:17 PM
June 26th, 2015 1:16pm

Hi Michael,

For your question, the answer is below:
1. The Shadow Safety Net exists on the Mailbox server that held the shadow message, if not a DAG member, it has to be in the local AD; if so, it has to be a member of the same DAG.
2. Same with question 1.
3. DAGs are not required for Safety Net. If a Mailbox server is not a DAG member, Safety Net will store a copy of the delivered e-mails on another Mailbox server in the same AD site, as I mentioned above.
For more details, please refer to the Safety Net section in Transport High Availability in Exchange 2013: http://www.msexchange.org/articles-tutorials/exchange-server-2013/high-availability-recovery/transport-high-availability-exchange-2013-part3.html

Thanks

June 29th, 2015 3:35am

Hi Allen_WangJF,

Thank you for your reply!

1) "The Shadow Safety Net exists on the Mailbox server that held the shadow message, if not a DAG member, it has to be in the local AD; if so, it has to be a member of the same DAG." - I understand it; what I do not understand is how I can predict on exactly which server this shadow message would be created.

Is it possible to answer this question "Which server is supposed to hold the shadow message (Exch2/Exch3/Exch4)?" (no DAG) - in terms of Exch2 or Exch3 or Exch4?

3) mmm... I was asking about lagged copies vs Safety Net, not about DAG/Safety Net...

Regards,

Michael

June 29th, 2015 4:12am

Hi Michael,

This is my take on your highly engaging questions.

Q1: Which server is supposed to hold the shadow message (Exch2/Exch3/Exch4)?
A: Each next hop for the primary message requires separate shadow queues. A transport server may be the primary server for some messages and the shadow server for other messages simultaneously.

So if your message flows directly from Exch1 to Exch3, then it's Exch3, but if it hops through Exch2, Exch4 and then Exch3, then all three would be the shadow servers.

A successfully delivered message doesn't need to be kept in a shadow queue, so once the shadow server knows the primary server has successfully transmitted the message to the next hop, the shadow server moves the shadow message from the shadow queue into Safety Net.

The same concepts about shadow redundancy, including the transport high availability boundary, primary messages, primary servers, shadow messages and shadow servers also apply to Safety Net.
i.e. "A transport server may be the primary server for some messages and the shadow server for others". A single message can have multiple Shadow Safety Net servers, depending upon the hops it performed to reach the destination.

{[I'm slightly in doubt on the last line though.] - It's true if the message hops through multiple transport high availability boundaries.}

Q2: In case a user sends a message outside his/her organization, where would the Shadow Safety Net exist?
A: It would exist in all hops other than the primary sending server. Exch3 in your normal case.

Q3: Does it mean lagged database copies cannot exist without Safety Net? In other words, can lagged database copies work if Safety Net is disabled?

A: Safety Net will only be triggered if Exchange considers that all other means of recovery have failed. For example, lagged DBs require the transaction logs from passive\active copies to replay and become active. If you already have an active\passive copy, why would you activate a lagged copy in normal scenarios? Usually it means all other copies\servers (including logs) have failed and hence the only means to recover is SafetyNet.

Even if the data is not available or SafetyNet is OFF, the lagged DB will work, but it would be missing the data and cause inconsistencies, and might require manual intervention for it to mount.

"The main requirement for successful resubmission from Safety Net for a lagged copy is...", so there can be failed resubmission too.

"The mailbox database copy being activated must have all log files to the point in time to which you want to recover it. Keep in mind that database transactions can span multiple log files when determining the point in time to which you want to recover."

Activate a lagged mailbox database copy by using SafetyNet recovery: Move-ActiveMailboxDatabase
"At this point, the database will automatically mount and request redelivery of missing messages from SafetyNet." You can see this is one of the options, not the only one.

Below terms are relative to the current message position on the transport pipeline:

They change roles as the message traverses between hops.

Primary server

The transport server that's currently processing a message.

Shadow server

The transport server that holds shadow copies of a message after delivering the message to the primary server.

Nice Illustrations: Understanding Shadow Redundancy

June 29th, 2015 7:51am

Hi Michael,

Some Corrections:

For messages with multiple recipients, each next hop for the primary message requires separate shadow queues (this does not necessarily mean separate servers). [Queues are DBs on the C:\ drive usually]


The location at which this redundant copy is created depends on the origin and destination of the original message. (And boundaries)

This would mean that in your scenario, even though the email hops between 4 servers, the copies would be on two servers only.
Exch1 - Primary
Exch3 - destination, hence it would be Ex2 or Ex4.


There are no multiple ShadowSafetyNet servers for a single-boundary message. Once the message is delivered to the destination, the PrimarySafetyNet triggers the copy (discard ShadowRedundancy) on the SecondarySafetyNet (Ex2 or Ex4).


The Safety Net period should be at least equal to or greater than your lagged database time to prevent data loss.

References:
https://technet.microsoft.com/en-us/library/jj657506(v=exchg.150).aspx

June 29th, 2015 8:42am

Hi Satyajit,

Thank you for the detailed answer!

1) "A successfully delivered message doesn't need to be kept in a shadow queue, so once the shadow server knows the primary server has successfully transmitted the message to the next hop, the shadow server moves the shadow message from the shadow queue into Safety Net." - the last option in the Shadow Redundancy Message Flow says:

"
In this scenario, the message flow goes through following stages:

...

c) The Hub Transport server deletes the list of messages from its shadow queue." - it says nothing about "the shadow server moves the shadow message from the shadow queue into Safety Net" - why?

2) "Q2: In case a user sends a message outside his/her organization, where would the Shadow Safety Net exist?
A: It would exist in all hops other than the primary sending server. Exch3 in your normal case." - please excuse me if my question was not informative enough: I mean where the shadow copy will be created in case Exchange sends a message to a NON-Exchange server (some Internet server) that does not support shadow copies.

3) "If you already have an Active\Passive copy why would you activate a lagged copy in normal scenarios." - for example to cancel the latest db modifications, and it is the case I'm asking about: I do NOT need Safety Net to activate a lagged copy, do I?

Regards,

Michael

June 29th, 2015 9:24am

Hi Michael,

Q1. c) The Hub Transport server deletes the list of messages from its shadow queue." - it says nothing about "the shadow server moves the shadow message from the shadow queue into Safety Net" - why?

A. The article was for Ex2010, hence good to understand but it would lack the Ex2013 improvements. Ex2010 just deletes the message, it doesn't move it anywhere. The Transport Dumpster in 2010 is not like SafetyNet; it's Shadow Redundancy with the extra condition of successful DAG replication.

Q2:I mean where the shadow copy will be created in case Exchange sends a message to a NON-Exchange server (some Internet server) that does not support shadow copies.

A. Sorry, I misunderstood the question earlier. A NON-Exchange server sender will be considered as "Messages received from outside a transport high availability boundary". The Mailbox server isn't concerned about the support or lack of support for shadow redundancy by the sending server. It will create a copy anyway, apart from keeping the original with itself.

Hence the server in your case would be the one responsible for getting the external email (primary) + another one for the shadow copy (the selection algorithm is not shared, but it will be within the boundary).

Q3. Cancel the latest db modifications; I do NOT need Safety Net to activate a lagged copy, do I?

A. Yes, that can be considered out of normal operations, hence you can activate the lagged copy without SafetyNet.

Set-TransportConfig -ShadowRedundancyEnabled $false

Putting this point below across just to clarify my earlier confusing statements:

"The main goal of shadow redundancy is to always have two copies of a message within a transport high availability boundary while the message is in transit."

June 30th, 2015 12:07am
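As an added example (not code from this thread or from Exchange itself), the check below ties together the advice that the Safety Net hold period must be at least the lagged copy's ReplayLagTime and the Set-TransportConfig switch shown above: it reads SafetyNetHoldTime and ShadowRedundancyEnabled from the transport configuration and flags every lagged database copy whose lag is longer than the hold time. It assumes an Exchange 2013 Management Shell session, and that ReplayLagTimes entries render as "[ServerName, d.hh:mm:ss]" (the function and the warning text are my own).

```powershell
# Added example, not part of the original thread. Assumes an Exchange 2013
# Management Shell session. Returns one object per lagged copy, with Covered
# = $true when SafetyNetHoldTime is at least as long as that copy's ReplayLagTime.
function Test-SafetyNetCoversLaggedCopies {
    $tc   = Get-TransportConfig
    # SafetyNetHoldTime is an EnhancedTimeSpan; parse its string form ("2.00:00:00").
    $hold = [TimeSpan]::Parse($tc.SafetyNetHoldTime.ToString())
    $results = @()
    foreach ($db in Get-MailboxDatabase) {
        foreach ($entry in $db.ReplayLagTimes) {
            # Assumed display format of each entry: "[ServerName, d.hh:mm:ss]".
            if ("$entry" -match '\[(?<srv>[^,]+),\s*(?<lag>[^\]]+)\]') {
                $lag = [TimeSpan]::Parse($Matches.lag)
                # A zero lag means a normal (non-lagged) copy; skip those.
                if ($lag -gt [TimeSpan]::Zero) {
                    $results += [pscustomobject]@{
                        Database      = $db.Name
                        Server        = $Matches.srv.Trim()
                        ReplayLagTime = $lag
                        SafetyNetHold = $hold
                        Covered       = ($hold -ge $lag)
                    }
                }
            }
        }
    }
    return $results
}

$report = Test-SafetyNetCoversLaggedCopies
$report | Format-Table -AutoSize

# Without shadow redundancy there are no shadow messages, so no Shadow Safety Net copies.
if (-not (Get-TransportConfig).ShadowRedundancyEnabled) {
    Write-Warning "ShadowRedundancyEnabled is False: no Shadow Safety Net copies will be kept."
}

# Lagged copies whose lag exceeds the hold time cannot be fully replayed from Safety Net.
$report | Where-Object { -not $_.Covered } | ForEach-Object {
    Write-Warning ("{0} on {1}: ReplayLagTime {2} exceeds SafetyNetHoldTime {3}" -f `
        $_.Database, $_.Server, $_.ReplayLagTime, $_.SafetyNetHold)
}
```

Raising SafetyNetHoldTime is done with Set-TransportConfig -SafetyNetHoldTime; lowering ReplayLagTime with Set-MailboxDatabaseCopy -ReplayLagTime on the affected copy.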

Hi Michael,

One more thing that can give you some insight about the working of Exchange.

Click Start > All Programs > Microsoft Exchange 2013 > Exchange Toolbox.

June 30th, 2015 1:03am

Hi Satyajit321,

Thank you for your replies and useful links!

Q2: "...NON-Exchange server sender will be considered as "Messages received from outside a transport high availability boundary". The Mailbox server isn't concerned about the support or lack of support for shadow redundancy by the sending server. It will create a copy anyways, apart from keeping the original with itself." - I know it's the case a message is being received, but when, for instance, Exch1 sends a message to some Internet mail server (and is, thus, the Primary server), will it create a shadow copy itself (to become a Shadow server as well)?

And the main question: we're talking about Safety Net mail flow regarding Exchange 2010... Is there any corresponding information on Exchange 2013???

Regards,

Michael

June 30th, 2015 3:38am

Hi Michael,

Q. Exch1 sends a message to some Internet mail server (and is, thus, the Primary server), will it create a shadow copy itself (to become a Shadow server as well)?

A. Exch1 is the primary server. And it's the first and last server for the message in transit within the boundary. Hence it will not create a copy anywhere else (no shadow created), but keeps a single copy of the message with it.

"When an Exchange 2013 transport server transmits a message outside the transport high availability boundary, and the SMTP server on the other side acknowledges successful receipt of the message, the transport server moves the message into Safety Net."

As the message was confirmed successfully delivered outside the boundary, the Transport HA feature is no longer responsible for that message's resubmission.

"No resubmission of the message from Safety Net can occur after the primary message has been successfully transmitted across the transport high availability boundary."

But another scenario: if the email comes from Exch2->Exch1->Outside, then we have a shadow created somewhere on Ex1, 3.

July 1st, 2015 1:51am

Hi Satyajit321,

"A. Exch1 is the primary server. And it's the first and last server for the message in transit within the boundary. Hence it will not create a copy anywhere else (no shadow created), but keeps a single copy of the message with it." - ok, that's exactly what I wanted to know.

I just can't understand this: "...and the SMTP server on the other side acknowledges successful receipt of the message, the transport server moves the message into Safety Net." - for what purpose does the SMTP server move the message into Safety Net if it would never use it for resubmission ("No resubmission of the message from Safety Net can occur after the primary message has been successfully transmitted across the transport high availability boundary.")?

And what about the same information on Exchange 2013 ("And the main question: we're talking about Safety Net mail flow regarding Exchange 2010... Is there any corresponding information on Exchange 2013???")?

Regards,

Michael

July 1st, 2015 3:23am
