Exchange DAG Overview
A database availability group (DAG) is a high-availability (HA) and data-recovery feature of Microsoft Exchange Server. A DAG, which can consist of up to 16 Exchange mailbox servers, automates recovery at the database level after a database, server, or network failure. You can now use CTE for Windows to encrypt Exchange DAG mailboxes.
You can encrypt the Exchange databases with a standard (offline) policy or a CTE-Live Data Transformation (CTE-LDT) policy. With an offline policy, users cannot access the database during initial data encryption. With a CTE-LDT policy, CTE encrypts the data while users and applications are accessing the files. CTE-LDT is used for initial data transformation as well as transparent encryption and decryption.
For more information about CTE-LDT and standard data transformation, see CTE-Live Data Transformation with CipherTrust Manager, CTE-Live Data Transformation with Data Security Manager, or the CTE Data Transformation Guide.
Supported Use Cases for CTE in an Exchange DAG Environment
CTE has been tested by Thales in the following scenarios:
- Initial data transformation of Exchange databases using either CTE-Live Data Transformation or standard data transformation.
- Transparent encryption or decryption of the Exchange database on DAG nodes.
- Key rotation using a CTE-LDT policy.
- Adding a new node to the Exchange DAG environment.
Thales has tested only a two-node Exchange DAG environment; however, Thales does not anticipate any issues with using more than two nodes.
Thales also tested the following Exchange DAG operations during the above scenarios:
- Failover/failback of databases from one node to another node and making both databases active on each node.
- Adding new databases to the existing nodes.
Unsupported Use Cases
The following scenarios are not supported:
- Using different encryption keys on Exchange DAG nodes; both nodes must use the same encryption key.
- The encryption of Exchange binaries.
- Using nodes in a different subnet, data center, or site. (Thales is not testing this scenario, but we do not believe it will cause any issues.)