In this series of blog posts, I would like to share the steps for Exchange 2019 disaster recovery. In the event of a hardware or software failure, multiple database copies in a DAG enable high availability with fast failover and little or no data loss. It’s important to keep the Exchange environment up and running without interruption to email services when a failure hits the production site or datacentre. The first part covers the steps for preparing the Exchange environment across 2 Active Directory sites hosted in Microsoft Azure. Please refer here for hosting a production environment on Azure IaaS.

Below is the infrastructure setup; all the servers run Windows Server 2019 Standard:

Server Name | Server Role | | IP Address | Azure Region | |
DC | Active directory Primary Domain controller with Certificate Authority | Prod | | UAE North | Dev-VNET | Prod
ADC | Additional Domain controller | DR | | UAE North | Dev-VNET | DR
EXCH1 | Exchange 2019 CU7 Mailbox | Prod | | West Europe | Exch-VNET | ProdExch
EXCH2 | Exchange 2019 CU7 Mailbox | DR | | North Europe | DRExch-VNET | DRExch
Client | Windows 10 | | | UK South | Client-VNET | Client

Please note the following considerations:

  • It is not recommended to install the Certificate Authority on a domain controller in a production environment
  • The VMs are built in different regions because of the vCPU limits of the Azure trial account
  • Minimum resources were used to build Exchange 2019; in a production environment, please follow the recommendations mentioned here
  • A load balancer is not used in this deployment

In this article, I will cover the Exchange 2019 CU7 installation and configuration using command prompt/PowerShell and share details of the other services such as Active Directory, etc.

Active Directory Domain Details:

Active Directory Certificate Authority Details:

Azure IaaS details:

Because the VMs are built across multiple regions, multiple VNETs were created. It is important to allow communication between the VNETs and to create the required Network Security Groups for the Azure VMs. I have already shared the steps involved in configuring VNET peering in this post.

VNET peering:

# Look up the two virtual networks to be peered
$VNET1 = Get-AzVirtualNetwork -Name "Dev-VNET"
$VNET2 = Get-AzVirtualNetwork -Name "Exch-VNET"

# Peering must be created in both directions before traffic flows
Add-AzVirtualNetworkPeering -Name 'LinkADToExchPR' -VirtualNetwork $VNET1 -RemoteVirtualNetworkId $VNET2.Id
Add-AzVirtualNetworkPeering -Name 'LinkPRToAD' -VirtualNetwork $VNET2 -RemoteVirtualNetworkId $VNET1.Id

Likewise, all the VNETs are peered with each other for communication.

Network Security Groups:

Below are the rules created on the DC VM for communication between the Exchange servers and the domain controllers. A similar set of rules was also created on the Exchange VMs to allow communication between the Exchange servers.

Please note: It’s not recommended to have a firewall between domain controllers or between Exchange servers and domain controllers.
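An added example, not the rule set from the original post: one way to allow the Exchange subnets to reach the domain controllers on all ports (in line with the note above) while keeping the source scoped, followed by a review of any inbound rule open to every source. The resource group, NSG name and address prefixes are placeholders, because the page does not list them.

```powershell
# Placeholders (not from the page): resource group, NSG name and address prefixes.
$rg          = '<resource-group>'
$nsgName     = '<dc-nsg-name>'
$exchSubnets = @('10.1.0.0/24', '10.2.0.0/24')   # constructed: ProdExch and DRExch subnets
$dcSubnet    = '10.0.0.0/24'                     # constructed: DC subnet in Dev-VNET

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg

# One inbound rule: every port and protocol, but only from the Exchange subnets.
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Allow-Exchange-To-DC' `
    -Description 'Exchange servers to domain controllers, no port filtering' `
    -Direction Inbound -Access Allow -Priority 200 -Protocol '*' `
    -SourceAddressPrefix $exchSubnets -SourcePortRange '*' `
    -DestinationAddressPrefix $dcSubnet -DestinationPortRange '*' | Out-Null

# Nothing changes in Azure until the modified NSG object is written back.
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

# Review: inbound Allow rules whose source is Any or Internet (for example a
# management rule left open while building the lab).
(Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg).SecurityRules |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
    } |
    Sort-Object Priority |
    Format-Table Name, Priority, Protocol, SourceAddressPrefix, DestinationPortRange
```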

Exchange 2019 CU7 Installation:


  • .NET Framework 4.8

  • Visual C++ Redistributable Package for Visual Studio 2012

  • Visual C++ Redistributable Package for Visual Studio 2013

  • Unified Communications Managed API 4.0.

  • Windows Roles and Features

Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

Active Directory preparation for Exchange 2019

  • PrepareSchema

  • PrepareAD

  • Unattended mode installation

Exchange 2019 CU7 Configuration

IP-Less DAG: (DAC mode enabled)


Alternate FSW: (Optional: this can be specified in advance or when running Restore-DatabaseAvailabilityGroup)
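An added example, not the commands from the original post: a sketch of the IP-less DAG, DAC mode and alternate witness configuration named in the two headings above, run from the Exchange Management Shell. The DAG name, database name, witness server names and witness directories are hypothetical; EXCH1 and EXCH2 are the servers from the table.

```powershell
# Hypothetical names (not from the page): DAG1, DB01, FSW-PROD, FSW-DR and the
# witness directories. Each witness server needs the Exchange Trusted Subsystem
# group in its local Administrators group.
$dagName = 'DAG1'

# IP-less DAG: IPAddress.None creates the cluster without an administrative
# access point, so no cluster IP address or cluster name object is needed.
New-DatabaseAvailabilityGroup -Name $dagName `
    -WitnessServer 'FSW-PROD' -WitnessDirectory 'C:\DAG1-FSW' `
    -DatabaseAvailabilityGroupIpAddresses ([System.Net.IPAddress]::None)

# Add the production and DR mailbox servers as DAG members.
Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer 'EXCH1'
Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer 'EXCH2'

# DAC mode guards against split brain after a site outage. The alternate
# witness in the DR site is pre-staged here and is only used after a
# datacentre switchover.
Set-DatabaseAvailabilityGroup -Identity $dagName `
    -DatacenterActivationMode DagOnly `
    -AlternateWitnessServer 'FSW-DR' -AlternateWitnessDirectory 'C:\DAG1-AFSW'

# Seed a passive copy of the production database on the DR server.
Add-MailboxDatabaseCopy -Identity 'DB01' -MailboxServer 'EXCH2' -ActivationPreference 2

# Verify: DAC mode is DagOnly, the primary witness is in use, both members are
# started, and the copy on EXCH2 is Healthy with short queues.
Get-DatabaseAvailabilityGroup -Identity $dagName -Status |
    Format-List Name, Servers, DatacenterActivationMode, WitnessServer,
                AlternateWitnessServer, WitnessShareInUse,
                StartedMailboxServers, StoppedMailboxServers
Get-MailboxDatabaseCopyStatus -Identity 'DB01' |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength
```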

Certificate Request:

On DC,

Please note: Export the certificate with its private key using MMC and import it on the other server.

Virtual Directory URL Configuration

Connector Configuration

EAC -> Mailflow -> Send Connector


EAC is accessible using and with the valid certificate

Client machine



Great! The Exchange environment is ready with a 2-node IP-less DAG across 2 Active Directory sites and a client machine with Outlook configured.

In the next post, we will perform the Failover and Failback.

Happy learning!! 🙂

By Ashok M

Microsoft Certified Professional, Blogger, Author at, Real world technical contribution via Microsoft Communities (Social Technet/QnA). Extensive knowledge and experience in Messaging (Microsoft Exchange 2003 - 2019) and services including Infrastructure (Windows Server, Active Directory, ADFS, ADCS, File Servers, SCCM), Cloud (Microsoft Azure, Microsoft 365, EMS), Unified Communication (Skype for Business, Video conferencing room systems, Surface Hub), Virtualization (Hyper V), Database (SQL). Have experience in design, implementation, migration & support for various Microsoft infrastructure products across various industry verticals.
