In this series of blog post, I would like to share the steps for the Exchange 2019 disaster recovery. In the event of a hardware or software failure, multiple database copies in a DAG enable high availability with fast failover and little or no data loss. It’s important to keep the Exchange environment up and running without any interruptions to the Email services when a failure happens to the production site or datacentre. The first part of the article would cover the steps for preparing the Exchange environment across 2 Active directory sites hosted in Microsoft Azure Cloud. Please refer here for hosting production environment on Azure IaaS.

Below is the infrastructure setup with all the servers being Windows 2019 standard,

Server Name

Server Role


IP Address

Azure Region



DC Active directory Primary Domain controller with Certificate Authority Prod UAE North Dev-VNET Prod
ADC Additional Domain controller DR UAE North Dev-VNET DR
EXCH1 Exchange 2019 CU7 Mailbox Prod West Europe Exch-VNET ProdExch
EXCH2 Exchange 2019 CU7 Mailbox DR North Europe DRExch-VNET DRExch
Client Windows 10 UK South Client-VNET Client

Please find the below considerations:

  • It is not recommended to install the Certificate Authority in the domain controller in a production environment
  • VM’s are built in different regions due to the limitation of vCPU’s in Azure Trial account
  • Minimum resources were used to build Exchange 2019 but please follow the recommendations as mentioned here in the production environment
  • Load balancer is not being used in this deployment

In this article, I will cover the Exchange 2019 CU7 installation and configuration using command prompt/PowerShell and will share the information of other services like Active directory, etc.

Active Directory Domain Details:

Active Directory Certificate Authority Details:

Azure IaaS details:

Because the VM’s are built across multiple regions, multiple VNET’s were created. It is important to allow communication between the VNET’s and creating the required Network Security Groups for Azure VM’s. I have already shared the steps involved in configuring VNET peering in this post

VNET peering:

$VNET1 = Get-AzVirtualNetwork -Name “Dev-VNET”

$VNET2 = Get-AzVirtualNetwork -Name “Exch-VNET”

Add-AzVirtualNetworkPeering -Name ‘LinkADToExchPR’ -VirtualNetwork $VNET1 -RemoteVirtualNetworkId $VNET2.Id

Add-AzVirtualNetworkPeering -Name ‘LinkPRToAD’ -VirtualNetwork $VNET2 -RemoteVirtualNetworkId $VNET1.Id

Likewise, all the VNET’s are peered between each other for communication

Network Security Groups:

Below are the rules which are created for the DC VM for the communication between the Exchange servers and Domain controllers. Similar set of rules were also created on the Exchange VM’s to allow communication between the Exchange servers.

Please note: It’s not recommended to have firewall between Domain controllers and between Exchange & Domain controllers.

Exchange 2019 CU7 Installation:


  • .NET Framework 4.8

  • Visual C++ Redistributable Package for Visual Studio 2012

  • Visual C++ Redistributable Package for Visual Studio 2013

  • Unified Communications Managed API 4.0.

  • Windows Roles and Features

Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

Active Directory preparation for Exchange 2019

  • PrepareSchema

  • PrepareAD

  • Unattended mode installation

Exchange 2019 CU7 Configuration

IP-Less DAG: (DAC mode enabled)


Alternate FSW: (This is optional to be specified earlier or can be done when running Restore-DAG)

Certificate Request:

On DC,

Please note: Export the cert using MMC with private key and import it on the other server.

Virtual Directory URL Configuration

Connector Configuration

EAC -> Mailflow -> Send Connector


EAC is accessible using and with the valid certificate

Client machine



Great! Exchange environment is ready with 2 node IP-less DAG across 2 active directory sites and a client machine with outlook configured.

In the next post, we will perform the Failover and Failback.

Happy learning!! 🙂

By Ashok M

A technology enthusiast with 9+ years of experience in Planning, Designing, Implementation, Migration and Operations of various Microsoft Infrastructure & Cloud Services. Extensive knowledge of Cloud Computing, Microsoft Messaging & Collaboration, Digital Transformation, IT Services & Emerging technologies. • One of the Authors of the book – “Reimagine Remote Working with Microsoft Teams : A practical guide to increasing your productivity and enhancing collaboration in the remote world” - • Blogger at CloudExchangers - • Microsoft Community Contributor in Microsoft Q&A - • Microsoft Certified Professional in MS Azure, Microsoft365, MS Teams and Skype for Business