Archive for November, 2009

HP Sizing and Configuration Tool for Microsoft Hyper-V

Monday, November 23rd, 2009

The HP Sizing and Configuration Tool for Microsoft Hyper-V is a downloadable, automated tool that provides a quick and consistent methodology to determine a “best-fit” server configuration for your virtualized Hyper-V environment. This tool enables you to quickly compare different solution configurations and obtain a highly detailed, customizable server and storage solution complete with a detailed bill of materials.

This sizer allows users to create new Hyper-V solutions, open already saved solutions, and use data compiled from other tools like Microsoft’s Assessment and Planning (MAP) toolkit to build rich Hyper-V configurations built on HP ProLiant server and storage technologies.

The sizer allows rapid comparisons of various Hyper-V characterizations and server platform choices. You can select and customize configurations for your particular environment by adding or substituting server types, number of servers, and server components.

The sizer was developed from knowledge gained during performance characterization testing of Microsoft Hyper-V in the HP Solutions Engineering lab in Houston, Texas.


How do I use the Windows 2008 R2 Recycle Bin feature ?

Saturday, November 21st, 2009
New in Windows 2008 R2 Active Directory is the concept of Active Directory Optional Features, and the first of these to be made available is the Recycle Bin feature. Ever since Active Directory was launched you have been able to recover individual deleted items by undertaking an authoritative restore of sections of the database, even down to an individual object. From 2003 onwards deleted objects have been tombstoned and you have been able to use the ADRestore tool (available to download from http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx). However, the issue with these methods has always been with back links or, to put it another way, restoring these items with any group membership they had. Yes, it has been possible to do that with multiple authoritative restores of the database, but that is at best tiresome and at worst can be dangerous. What the Recycle Bin feature does for you is restore with these back links / group memberships in place.

However, to use this feature the first thing you need to do is have your Forest at the Windows 2008 R2 level. Whilst your schema may be at the R2 level (meaning your forest can play host to 2008 R2 Domain Controllers) your domains and forest may still be running Domain Controllers with previous operating systems such as 2008 RTM or 2003 R2. The easy way to check your domain level in Windows 2008 R2 is to start the new Active Directory Administrative Centre. If you select the domain node on the left hand side (the netbios name of my domain is philipflint) then you will be able to check and raise the domain / forest functional levels in the action pane on the right hand side.

 

 


If your forest level is not at Windows 2008 R2 you can raise it.

  


We can now install the Recycle Bin feature. Care should be taken before undertaking the next procedure. Enabling the Recycle Bin feature for a domain / forest is a one way process with no way back. In a typical environment the Recycle Bin feature will grow the Active Directory database by 10 – 20%, which may have an effect on performance, especially in larger environments with many thousands of users where servers have been sized to run the complete database in RAM.

You should also note that, even though the Recycle Bin is an optional feature, it cannot be added as a Role Service nor as a Feature.

 


Instead it is enabled by running a command in PowerShell. PowerShell is installed by default on Windows 2008 R2 servers. However, PowerShell itself has no knowledge of Active Directory. Instead we need to load up the scripts and verbs that PowerShell needs to be aware of to connect to and control Active Directory. There are two ways to do this. The first, and simplest, is to click on Start | All Programs | Administrative Tools | Active Directory Module for Windows PowerShell.

 


The other alternative is to start PowerShell by clicking on the below icon on the taskbar and then running the command below to import the Active Directory modules.

 

Import-Module ActiveDirectory

 

 


We can now enable the Recycle Bin Feature. Below is a piece of code that you can change to use in your environment.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=YourDomain,DC=ComOrNetOrLocal' -Scope ForestOrConfigurationSet -Target 'YourDomain.ComOrNetOrLocal' -Confirm:$false

I’ve highlighted in Red the three pieces of information you have to change. If you have a two tier domain name (such as .co.uk) then you will have to add another DC= section. An example is given below for a domain called philipflint.co.uk.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=philipflint,DC=co,DC=uk' -Scope ForestOrConfigurationSet -Target 'philipflint.co.uk' -Confirm:$false

After amendment for the appropriate domain name variables this command is simply cut and paste into the PowerShell window.

 


I was not given a chance to back out of the addition of the feature as I used the PowerShell switch -Confirm:$false, which supplies the confirmation automatically when asked. If you do not include this switch then you will be asked to confirm the action.

NOTE: This command needs to be run for each domain in your forest for which the Recycle Bin should be installed.
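
A pre-flight check for the procedure above, as an added example that is not part of the original post: it reads the forest functional level and the feature's current state from the directory, then previews the one-way change with -WhatIf instead of committing it. Test-RecycleBinReadiness is a hypothetical helper name; the cmdlets are those of the ActiveDirectory module.

```powershell
# Added example: check prerequisites before the irreversible Enable-ADOptionalFeature call.
# Assumes the ActiveDirectory module is installed and the session can read the forest.
Import-Module ActiveDirectory

function Test-RecycleBinReadiness {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $r2Mode  = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

    # New-Object keeps this compatible with the PowerShell 2.0 shipped in 2008 R2.
    New-Object PSObject -Property @{
        Forest         = $forest.Name
        ForestMode     = $forest.ForestMode
        ModeSufficient = ($forest.ForestMode -ge $r2Mode)
        AlreadyEnabled = ($feature.EnabledScopes.Count -gt 0)
        # Taking the DN from the directory avoids hand-editing the DC= components.
        FeatureDN      = $feature.DistinguishedName
    }
}

$state = Test-RecycleBinReadiness
$state | Format-List

if (-not $state.ModeSufficient) {
    Write-Warning "Forest functional level is $($state.ForestMode); raise it to Windows 2008 R2 first."
}
elseif ($state.AlreadyEnabled) {
    Write-Host 'The Recycle Bin feature is already enabled; nothing to do.'
}
else {
    # -WhatIf reports what would be changed without enabling anything.
    Enable-ADOptionalFeature -Identity $state.FeatureDN `
        -Scope ForestOrConfigurationSet -Target $state.Forest -WhatIf
}
```

Remove -WhatIf only once the preview names the forest you expect, and leave out -Confirm:$false if you want the interactive prompt as a last chance to back out.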

After synchronising the domain the Recycle Bin will be active on all Domain Controllers and you can now test it out by creating test OUs and test users, deleting them and restoring them. I have created two users called ‘William Shakespeare’ and ‘Enid Blyton’ in an OU called ‘Authors’.

They are both members of the Global Group ‘Famous’ and the Domain Local group ‘Published’.

 


We can now delete the William Shakespeare account.

 

 


To restore a user that has been deleted I have provided a script for you below.

Get-ADObject -Filter {samAccountName -eq "UserLogonName"} -IncludeDeletedObjects | Restore-ADObject

As before, simply change the section in Red with the display name of the user you want to restore. I use the logon name as it’s something that you can ask the user that they are likely to know, but if they don’t know this (‘It’s always there, I just enter my password’) then you can use another field which uniquely identifies them, their email address for example.

Get-ADObject -Filter {mail -eq "UsersEmailAddress"} -IncludeDeletedObjects | Restore-ADObject

To restore William’s account we can just enter the following in the PowerShell window.

Get-ADObject -Filter {samAccountName -eq "william.shakespeare"} -IncludeDeletedObjects | Restore-ADObject

 


The user account is now restored along with all group memberships.

 


Memberships below.

 


Now, of course, it’s possible that a user may be deleted who is in an OU that has also been deleted. It is not possible to restore the user without first restoring the OU of which they were a member or, in extreme cases, the whole OU tree if multiple OUs have been deleted.

 

Unless your records are up-to-date there is a chance that you may not know what your exact OU structure was and so you need a method of finding out what was the parent object of a deleted user. The code to do this is below.

Get-ADObject -SearchBase "CN=Deleted Objects,DC=YourDomain,DC=ComOrNetOrLocal" -ldapFilter:"(msDs-lastKnownRDN=ObjectName)" -IncludeDeletedObjects -Properties lastKnownParent

For example, if we run the above for our deleted William Shakespeare account we would run the following.

Get-ADObject -SearchBase "CN=Deleted Objects,DC=philipflint,DC=com" -ldapFilter:"(msDs-lastKnownRDN=William Shakespeare)" -IncludeDeletedObjects -Properties lastKnownParent

 

 


As can be seen from the output, the last known parent (i.e. the containing OU for this user) was the Authors OU directly under the domain node. Note that the Authors OU has not been deleted and so the user object may be directly restored. Below is a screenshot with the same command but where the Authors OU has been deleted.

 

 


In this case we can query the Authors OU to find its last known good parent until we find a containing object which has not been deleted.

Once we know which is the first object to be restored we can begin the restoration process. Previously I have given you the code to restore a user. The command to restore an OU is slightly different and I show it below.

Get-ADObject -ldapFilter:"(msDs-lastKnownRDN=NameOfYourOU)" -IncludeDeletedObjects | Restore-ADObject

In our case we would therefore run the following three commands to restore the OU and the 2 deleted accounts (William Shakespeare and Enid Blyton).

Get-ADObject -ldapFilter:"(msDs-lastKnownRDN=Authors)" -IncludeDeletedObjects | Restore-ADObject

Get-ADObject -Filter {samAccountName -eq "william.shakespeare"} -IncludeDeletedObjects | Restore-ADObject

Get-ADObject -Filter {samAccountName -eq "enid.blyton"} -IncludeDeletedObjects | Restore-ADObject

 


Note that all objects are restored with the appropriate backlinks in place.
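
The manual walk up the lastKnownParent chain described above can be scripted. The following is an added example, not part of the original post: it climbs from a deleted object to the first container that still exists and then restores top-down, parents before children. Get-DeletedRestoreChain and Restore-DeletedWithAncestors are hypothetical helper names, and the script assumes exactly one deleted object carries the given name.

```powershell
# Added example: restore a deleted object together with any deleted parent OUs.
# Assumes the ActiveDirectory module and that the Recycle Bin feature is enabled.
Import-Module ActiveDirectory

function Get-DeletedRestoreChain {
    param([Parameter(Mandatory = $true)][string]$LastKnownRDN)

    # Escape LDAP filter metacharacters so the name is matched literally.
    $safe = $LastKnownRDN.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    $props = 'lastKnownParent', 'msDS-LastKnownRDN', 'isDeleted'
    $found = @(Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=$safe)" `
                   -IncludeDeletedObjects -Properties $props |
               Where-Object { $_.isDeleted })

    # An ambiguous name is a reason to stop, not to restore the first match.
    if ($found.Count -ne 1) {
        throw "Expected exactly one deleted object named '$LastKnownRDN', found $($found.Count)."
    }

    $chain = @($found[0])
    $node  = $found[0]
    while ($node.lastKnownParent) {
        $parent = Get-ADObject -Identity $node.lastKnownParent `
                      -IncludeDeletedObjects -Properties $props
        if (-not $parent.isDeleted) { break }   # first live container: stop climbing
        $chain = @($parent) + $chain            # deleted ancestors go in front
        $node  = $parent
    }
    $chain
}

function Restore-DeletedWithAncestors {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$LastKnownRDN)

    foreach ($obj in Get-DeletedRestoreChain -LastKnownRDN $LastKnownRDN) {
        $label = '{0} (last known parent: {1})' -f $obj.'msDS-LastKnownRDN', $obj.lastKnownParent
        if ($PSCmdlet.ShouldProcess($label, 'Restore-ADObject')) {
            # The GUID stays valid even though DNs change as each parent comes back.
            Restore-ADObject -Identity $obj.ObjectGUID -PassThru
        }
    }
}

# Dry run for the account used in this post: lists the restore order, changes nothing.
Restore-DeletedWithAncestors -LastKnownRDN 'William Shakespeare' -WhatIf
```

Run it again without -WhatIf to perform the restores in the order shown.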

 


I hope you have found this useful and can see why this is such a powerful feature of R2 and gives you one more good reason to go for the upgrade.

Audit Active Directory

Wednesday, November 18th, 2009

Want some free advice on what to audit in Active Directory ?

You could do worse than go to http://www.activedirsec.com/index.html – try out their free Gold Finger tool too.

What level is my Schema at ?

Wednesday, November 18th, 2009

Sometimes you need to have your Schema at a certain level of Windows or may even want to check that a Schema upgrade is successful. One way to do this is to use ADSI Edit and connect to the Schema context. Looking at the properties of the Schema node we can see the objectVersion attribute of the Schema. For Windows 2008 R2 this is 47.

 


The objectVersion attribute has the values below for different levels of Schema upgrades.

 

| Schema Version | Release of Windows |
| --- | --- |
| 13 | Windows 2000 |
| 30 | Windows 2003 |
| 31 | Windows 2003 R2 |
| 44 | Windows 2008 |
| 47 | Windows 2008 R2 |

 

Of course, there may be a level of risk in accessing objects with ADSI Edit so you may want to query the schema version from a command prompt instead. To do so you can download the free AdFind tool from http://www.joeware.net/freetools/tools/adfind/index.htm, open up an administrative level command prompt (right click cmd.exe and select “Run As Administrator”), change your path to where you have saved AdFind.exe and then run the command:

adfind -schema -s base objectVersion

 


Office 2010 Beta

Tuesday, November 17th, 2009

Office 2010 Beta is now available for download if you have an MSDN / Technet subscription – expect a public Beta real soon !

What is a Home Drive ?

Tuesday, November 17th, 2009

A standard configuration I see is organisations redirecting users’ “My Documents” to their “Home Drive”. When I ask them why I’m usually told that they don’t know why, because they’ve always done it or because they believe users “need” to see a drive letter in My Computer. Of course, you don’t HAVE to have a home drive to redirect the My Documents folder as the My Documents folder can be redirected to a UNC path (typically \\server\share\%username%) but you may still want to redirect them to a home drive as explained below. So, what is a home drive and why would you want to use one ?

Well, a home drive, or more correctly a home directory, is a special type of mapped drive that contains a user’s folders and can contain application data. It allows programmatic access to the home drive by assigning values to the variables:

  • HOMEDRIVE
  • HOMEPATH
  • HOMESHARE

For example, these three environment variables could contain the following:

HOMEDRIVE=<drive letter>:
HOMEPATH=\<path>
HOMESHARE=\\<server name>\<share name>

The home drive can then be accessed in a standard logon script. Below are some parameters that can be used and their meanings.

 

| Parameter | Description |
| --- | --- |
| %HOMEDRIVE% | The user’s local workstation drive letter connected to the user’s home directory |
| %HOMEPATH% | The full path of the user’s home directory |
| %HOMESHARE% | The share name containing the user’s home directory |

 

So, we can assign a home drive rather than a standard “mapped” drive to enable us to reference the drive in scripts. But is that all that using a home drive gives us ? The answer is “no”. If you have not assigned a home drive to a user in their Active Directory object then Windows (on clients) uses a default location: for files, the user’s profile in the Documents and Settings / Users directory, and for user-specific application files such as .ini files, the user’s Windows directory which, by default, is the Windows directory on the client. Therefore one extra thing that using a home drive gives us (over a standard mapped drive) is a place to store user-specific application settings which will follow the user from machine to machine. Note that this is distinct from roaming user profiles as these files are not stored in the user’s profile by default. Also, as the default home location is the user’s My Documents folder in their profile, if we map a home directory we change the home location. This doesn’t mean that the user’s My Documents location is changed but it does mean that the default location for Open, Save As and command prompt start points is the user’s Home Directory.

From the above you can see that if we set a user’s home directory (Home Drive) to be H: then when they try to save a file in Microsoft Word, for example, it will offer to save the file to H: by default. It is for this reason that you often see My Documents redirected to the home drive location….. so that users will save to their My Documents location by default.

As you can see from the above a Home Drive is not just another mapped drive but has a real effect on the end user experience and where files are saved.

How to install Exchange 2010

Tuesday, November 17th, 2009
Exchange 2010 shipped just over a week ago so I thought it a good time just to walk through a quick and easy way to get Exchange installed on a single server. Note that this isn’t a guide to upgrading your existing environment, just walking you through how to get Exchange installed into a pristine environment.

In my lab I have a domain called philipflint.com and a domain controller called DC1. I’ll be installing Exchange on a server called EXCH1 with the CAS, Hub Transport and Mailbox roles. All servers will be running Windows Server 2008 R2 Enterprise Edition for no reason other than that’s what I tend to install in my labs. Certainly, everything in this post will work on Standard Edition.

One trick that will save you time is installing the required pre-requisites. These are listed here. Simply find the list of roles you want to install and the operating system that will be hosting Exchange and copy and paste the commands.

As I will be running Windows Server 2008 R2 with all three roles on the server I first install the 2007 Office System Converter Pack found here. This is a very simple installation of the next, next, next variety. After installing the pack, we start PowerShell (See the blue Icon next to the start button) and then run the command Import-Module ServerManager. To do this, and run subsequent commands, we need to run PowerShell as an Administrator. Simply right click the PowerShell icon and choose “Run As Administrator“.

 

 

Powershell Icon above.

 

 

This imports the ServerManager cmdlets into PowerShell. Once this is done we can run the commands that install our pre-requisites. For a typical installation these are:

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart


Once the pre-requisites are installed, the server will reboot. After rebooting we need to start an elevated PowerShell command prompt (by right clicking the icon and choosing “Run As Administrator“) and run the command Set-Service NetTcpPortSharing -StartupType Automatic. Now we’re ready to install. Simply insert the DVD or double click on setup.exe on the DVD drive.

The first step after installing the pre-requisites is to choose an installation language (Step 3 on the GUI). When you click on it you get the selection below.

 


I choose “Install only languages from the DVD“. You’re then free to move to Step 4 “Install Microsoft Exchange” !

 


The installation will start and take you through the guided installation wizard. First, click Next on the introduction screen.


Read and Accept the license agreement if you want to continue.


If you prefer to make Exchange a more stable product for all users, enable error reporting and click on Next.

 


For a typical installation, leave the selection at its default. Here, you can change the placement of installation binaries. For large scale or more secure systems you may want to move the binaries to separate spindles or a different location.


For more complicated installations, select Custom Exchange Server Installation. Even though I am going to perform a typical installation I show below the Custom Installation screen.

 

 


Notice the difference between Exchange Server 2007 and Exchange Server 2010 ? There are no choices for clustered mailbox servers as Exchange 2010 now uses Database Availability Groups (DAG) for replicating databases.

As this is a pristine installation, we’re now asked to give our Exchange Organization a name (this would not be the case if we were installing into an existing installation).


We’re then asked if we require a public folder database to support connectivity from Outlook 2003 / Entourage for Mac clients. Depending on your corporate policy you may want to create public folders but for a pristine implementation running up to date clients then I would consider not using Public Folders at all.


If your CAS servers (Outlook Web Access, Active Sync, Outlook Anywhere) are internet facing then you can enter the public URL for this service.

 


Again, if you want to improve future editions of Microsoft Exchange then sign up for the Customer Experience Improvement program.

 


The installation will then perform its readiness checks to ensure that the server meets the basic pre-requisites for installation of Exchange. You will no doubt note that I have not performed any schema, forest or domain preparation. I am installing Exchange as the forest root administrator and so installation will proceed as expected. For larger implementations Active Directory may need to be extended and prepared from one of the Domain Controllers. Note that, if we prepare the domain, no Exchange 2007 or earlier servers will be able to be added to the Organization.


You can now click on Install to install the binaries. When the installation has completed, check that everything installed OK and click on Finish.


The Exchange Management Console will open but leave that for a bit and go back to the setup screen. The final choice is to Get Critical Updates for Microsoft Exchange.

 


Clicking on the link will take you to the Microsoft Updates site where you can agree to download updates for software other than just Microsoft Windows (i.e. Exchange Server). Simply follow the wizard through to update your software.


That now gets you to the point that you have a basic installation of Exchange. This doesn’t mean that you have a working copy of Exchange, we have merely installed the binaries on the server. In my next post I walk you through configuring Exchange for the first time.

Should I virtualise my Domain Controllers ?

Thursday, November 12th, 2009

Now that’s a difficult question. If you asked me “Can I virtualise my Domain Controllers” then that’s a different question to which the answer is “Of course, it’s fully supported depending on your virtualisation platform and the version of Windows being used but if you’re on the latest Hyper-V and the latest Windows then it’s fine”. The question “Should I virtualise my Domain Controllers ?” recognises that you can but that you have a choice as to whether you do or not and, as with any IT decision, you should research, size and plan. What I’d like to talk about today is two items to consider when thinking of virtualising domain controllers.

The first is around synchronisation of system clocks. As mentioned in a previous article, Windows servers use time synchronisation to guard against replay attacks and thus increase the security of Kerberos authentication within an Active Directory environment. However, virtual platforms such as VMware or Hyper-V also allow you to synchronise a virtual machine’s clock with the physical host. What this means, though, is that if the server host is showing a different time from the root PDC Emulator then any virtualised domain member server or domain controller will set its clock against the domain and then against the physical host and then against the domain and then against the physical host and so on ad nauseam. This can cause five issues:

  1. If the difference between the DC clock and other domain controller clocks is more than the permitted amount then the server will not be able to synchronise.
  2. Similarly, as the DC clock will be different from those of clients, clients will fail authentication against this domain controller.
  3. This constant re-synchronisation will cause clock “flapping” so that any events or logs written will have events recorded in an incorrect order. This is an issue not only for domain controllers but also for other servers such as SQL or Exchange where they record the time of records being changed or messages arriving.
  4. If you run an environment where accurate times are important then this will not be possible with “flapping” clocks. For example, if you require staff to “clock in” and penalise them for late arrival then your solution will be at risk if your clock cannot keep accurate time.

So, by all means virtualise your domain controllers but don’t allow them to synchronise their clocks with the physical host. In Hyper-V this behaviour can be disabled by opening the Hyper-V Manager Console, selecting the virtual machine and clicking on Settings in the Actions pane for that virtual machine. Under the Management node select Integration Services and clear the Time Synchronization check box.

 


Click on Apply and that virtual machine will now synchronise its clock solely based on the settings within its operating system.

The second item to consider before virtualising your domain controllers concerns “snapshotting”. Snapshots allow you to take a point in time view of a server and then record differences to the virtual disk of that server over time. In this way you can “roll back” a virtual machine to the point the snapshot was taken by removing the changes made. However, this gives an issue when we consider domain controllers.

When a change is made on a Domain Controller it updates its own Update Sequence Number (USN) and, when a synchronisation is due with other domain controllers, issues the update to them. These USNs are maintained per Domain Controller, and a certain change may register on DC1 as 12345 and hold the USN of 7657622 on the far older DC2. You can see the USN on a particular Domain Controller by looking at the highestCommittedUSN value using ADSIEdit to connect to the RootDSE default naming context.


DC1 would look like above and DC2 would have the USN below, for example.

Now, it’s a basic premise that the USN on a domain controller should only ever get bigger, and not smaller. After all, transactions can’t just disappear. Indeed, domain controllers use this USN to keep track of the updates they have received from each other. The last USN received from each replicating partner is stored in a High Watermark Vector Table on each DC. In this way, the receiving domain controller knows which was the last change it received from a replicating partner. When it next wants to replicate it sends its high watermark value to the DC it wants to replicate from (the source domain controller). The source DC then uses the information in the high watermark value to determine which objects to replicate back to the target Domain Controller. This can be represented by the following table:

| Step | DC | USN | High Watermark Value | Action |
| --- | --- | --- | --- | --- |
| 1 | DC1 | 100 | 200 | Initial Value |
|   | DC2 | 200 | 100 | |
| 2 | DC1 | 108 | 200 | Changes made on DC1 (New user created for example) |
|   | DC2 | 200 | 100 | |
| 3 | DC1 | 108 | 200 | DC2 requests changes, synchronises and updates its high watermark value for DC1 |
|   | DC2 | 200 | 108 | |
| 4 | DC1 | 127 | 200 | Further changes are made on DC1 |
|   | DC2 | 200 | 108 | |
| 5 | DC1 | 127 | 200 | Only changes 109 to 127 are synchronised to DC2 |
|   | DC2 | 200 | 127 | |

 

So far so good. So, what’s the issue ? The issue is that if we had taken a snapshot of DC1 at, say, step 3 and rolled back then the following would happen.

| Step | DC | USN | High Watermark Value | Action |
| --- | --- | --- | --- | --- |
| 1 | DC1 | 100 | 200 | Initial Value |
|   | DC2 | 200 | 100 | |
| 2 | DC1 | 108 | 200 | Changes made on DC1 (New user created for example) |
|   | DC2 | 200 | 100 | |
| 3 | DC1 | 108 | 200 | DC2 requests changes, synchronises and updates its high watermark value for DC1 |
|   | DC2 | 200 | 108 | |
| 4 | DC1 | 127 | 200 | Further changes are made on DC1 |
|   | DC2 | 200 | 108 | |
| 5 | DC1 | 127 | 200 | Only changes 109 to 127 are synchronised to DC2 |
|   | DC2 | 200 | 127 | |
| 6 | DC1 | 108 | 200 | Active Directory database “restored” on DC1 |
|   | DC2 | 200 | 127 | |
| 7 | DC1 | 119 | 200 | Further updates made on DC1 raising its USN past the old value of 127 |
|   | DC2 | 200 | 127 | |
| 8 | DC1 | 147 | 200 | DC2 requests changes past 127 – DC1 sends changes 128 to 147 – the “new” changes in the range 109 to 127 are lost and never synchronised |
|   | DC2 | 200 | 127 | |
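
The sequence in the two tables above can be replayed in a few lines. This is an added example, not part of the original post, and a deliberately simplified model rather than the real replication engine: each DC has one USN counter and one high watermark per partner. New-Dc, Add-Change and Sync-From are hypothetical helper names and it needs no Active Directory to run.

```powershell
# Added example: toy model of USN / high-watermark replication and a snapshot rollback.
function New-Dc([string]$Name, [int]$Usn) {
    New-Object PSObject -Property @{
        Name      = $Name
        Usn       = $Usn
        Changes   = @{}   # USN -> change written locally at that USN
        Watermark = @{}   # partner name -> highest USN received from that partner
        Replica   = @{}   # USN -> change received from the partner
    }
}

function Add-Change($Dc, [int]$Count, [string]$Label) {
    for ($i = 0; $i -lt $Count; $i++) {
        $Dc.Usn++
        $Dc.Changes[$Dc.Usn] = "$Label@$($Dc.Usn)"
    }
}

function Sync-From($Target, $Source) {
    # The target only asks for changes above its stored watermark for this source.
    $since = [int]$Target.Watermark[$Source.Name]
    $new   = @($Source.Changes.Keys | Where-Object { $_ -gt $since } | Sort-Object)
    foreach ($usn in $new) { $Target.Replica[$usn] = $Source.Changes[$usn] }
    if ($new.Count -gt 0) { $Target.Watermark[$Source.Name] = $new[-1] }
    '{0} pulled {1} change(s) from {2}; watermark now {3}' -f `
        $Target.Name, $new.Count, $Source.Name, $Target.Watermark[$Source.Name]
}

# Steps 1 to 3: initial values, changes on DC1, first synchronisation.
$dc1 = New-Dc 'DC1' 100
$dc2 = New-Dc 'DC2' 200
$dc2.Watermark['DC1'] = 100
Add-Change $dc1 8 'original'
Sync-From $dc2 $dc1

# Snapshot of DC1 taken at step 3.
$snapshot = @{ Usn = $dc1.Usn; Changes = $dc1.Changes.Clone() }

# Steps 4 and 5: further changes, second synchronisation.
Add-Change $dc1 19 'original'
Sync-From $dc2 $dc1

# Step 6: roll DC1 back to the snapshot; its USN goes backwards.
$dc1.Usn     = $snapshot.Usn
$dc1.Changes = $snapshot.Changes.Clone()

# Steps 7 and 8: DC1 reuses the old USN range for new changes, then DC2 syncs again.
Add-Change $dc1 39 'after-rollback'
Sync-From $dc2 $dc1

# Changes DC1 holds that DC2 never asked for, because their USNs sit below its watermark.
$lost = @($dc1.Changes.Keys |
          Where-Object { $dc2.Replica[$_] -ne $dc1.Changes[$_] } | Sort-Object)
'USNs on DC1 that DC2 will never receive: {0}..{1} ({2} changes)' -f `
    $lost[0], $lost[-1], $lost.Count
```

The last line reports the reused USN range, which is the set of updates the table marks as lost and never synchronised.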

 

So, by restoring Active Directory from a snapshot we would run the risk of losing updates IF Active Directory allowed us to do this. Fortunately the clever guys at Microsoft have worked this out and from Windows 2003 SP1 this is not likely to happen because AD will recognise that the USN’s have become out of sequence and will refuse to allow DC1 to synchronise. You will know if this has happened to you not only because your domain will not synchronise properly but you will see an event similar to the below logged in the event viewer on the “restored” Domain Controller.


As you can see, the only solution for this is to forcibly demote the domain controller and start again. Of course, the situation is even worse if ALL domain controllers are snapshotted and then restored. It’s perfectly possible that you can end up without an operating Active Directory environment ! So, the original question was “Should I virtualise my Domain Controllers ?” and I say that this is a decision that you have to make yourself, based on the risk you want to assume. However, I would suggest that a best practice is to:

  • Never synchronise Domain Controller clocks with the virtualisation host
  • Never snapshot domain controllers
  • Always have at least one (and preferably two) physical domain controllers in case you have to force demote all virtualised domain controllers

If you follow the above advice I believe the risks in virtualising DCs are relatively low.

Exchange 2010 RTM

Tuesday, November 10th, 2009

Exchange 2010 RTM is now available for download from MSDN and volume licensing sites.

Virtualisation and Exchange 2010 DAG

Saturday, November 7th, 2009

Just a quick note – are you supported if you virtualise Exchange 2010 mailbox servers hosting Database Availability Groups ? The short answer is “yes”. The long answer is “Yes ….. unless you want to use Live Migration / XenMotion / VMotion … then you are NOT supported”.

To explain, DAG is a high availability strategy in and of itself. If you want to virtualise servers hosting DAG then you may, but those servers should run on stand alone virtualisation hosts. Layering any sort of hardware high availability on top of DAG high availability will invalidate your support. In truth, this shouldn’t be an issue as virtualisation only provides redundancy at the hardware level with Live Migration / XenMotion / VMotion whereas Exchange DAG provides hardware, O/S, binary and data redundancy (i.e. full redundancy), but you should take account of this in any plans you have for virtualising Exchange 2010.