Log Shipping, Failover Cluster Instances & Quorum
HADR Options β Complete Referenceβ
HADR Options Overview
Log Shipping
BackupβCopyβRestore cycle. Simple, Standard Edition. Manual failover, 15 min RPO.
Always On AG
DB-level HA. Sync/async replicas, auto failover, readable secondaries. Enterprise on-prem.
FCI
Instance-level HA. Shared storage, system DBs included. Requires WSFC + shared disks.
Failover Groups
Azure PaaS DR. Auto failover, single endpoint, cross-region. For SQL DB and MI.
Log Shipping (SQL VM Only)β
The simplest DR solution β automated backup β copy β restore cycle.
Architectureβ
Log Shipping β 3-Job Cycle
Backup Job (Primary)
Backs up transaction log to file share
Every 15 minutes (default)
Copy Job (Secondary)
Copies .trn files from share to local
Runs on secondary server
Restore Job (Secondary)
Restores .trn files in order
NORECOVERY (not readable) or STANDBY (read-only between restores)
Three Jobs of Log Shippingβ
| Job | Runs On | Action | Default Interval |
|---|---|---|---|
| Backup | Primary | Backs up transaction log β file share | 15 minutes |
| Copy | Secondary | Copies .trn files from share to local | 15 minutes |
| Restore | Secondary | Restores .trn files on secondary DB | 15 minutes |
Restore Modesβ
| Mode | Secondary Readable? | Behavior |
|---|---|---|
| NORECOVERY | β | DB in Restoring state, cannot be queried |
| STANDBY | β (read-only) | Users disconnected during each restore cycle, then read access resumes |
π― Exam Focus
Log Shipping key facts: 1) NOT automatic failover β manual role change required. 2) RPO = backup interval (typically 15 min). 3) RTO = manual (could be hours). 4) Simpler than AG but less capable. 5) Works on Standard Edition (AG requires Enterprise on-prem).
π’ Real-World DBA Note
Oracle DBA parallel: Log Shipping = Oracle Data Guard in Maximum Performance mode with manual archive log shipping. The backup-copy-restore cycle is like manually shipping archive logs to a standby. Always On AG is far superior (like Data Guard in Maximum Availability mode with automatic switchover).
Log Shipping setup β enable orderβ
Configure Log Shipping
Set DB to FULL recovery
ALTER DATABASE ... SET RECOVERY FULL
Take a full backup first β chain starts here
Provision shared file share
Both SQL service accounts need read/write
On Azure: Premium File Share or shared VM SMB
Configure on primary
Enable log shipping in DB Properties
Set backup job interval (default 15 min)
Configure on secondary
Initialize secondary from full backup
Pick NORECOVERY or STANDBY mode
Define copy + restore jobs
Optional: monitor server
Central log_shipping_monitor instance
Alert on backup/copy/restore lag
Common ordering trap
Do not initialize the secondary from a backup taken before you set RECOVERY = FULL. The log chain breaks and the restore job fails on the first .trn. Always: SET FULL β take fresh full backup β restore to secondary WITH NORECOVERY β then enable log shipping jobs.
Log Shipping vs Always On AGβ
| Feature | Log Shipping | Always On AG |
|---|---|---|
| Auto failover | β Manual | β Automatic |
| Data loss (RPO) | Minutes (backup interval) | 0 (sync) or seconds (async) |
| Read secondary | β (STANDBY mode, interrupted) | β (always readable) |
| Monitoring | Alert job + history tables | AG dashboard + DMVs |
| SQL Edition | Standard + Enterprise | Enterprise (on-prem), any (Azure) |
| Failover time | Manual β hours | Seconds (automatic) |
| Max secondaries | Unlimited | 9 |
| Configuration | Simple | Complex (WSFC + endpoints) |
Failover Cluster Instance (FCI) on Azure VMsβ
Provides instance-level HA (whole SQL Server instance fails over), unlike AG which is database-level.
Architectureβ
Failover Cluster Instance (FCI) β Shared Storage
Active Node
Runs SQL Server. Owns the shared storage and cluster IP. Only one node active at a time.
Shared Storage
Azure Shared Disks, Storage Spaces Direct, or Premium File Share. Both nodes access same data.
Passive Node
Standby. On failover, starts SQL Server and attaches shared storage. System DBs transfer automatically.
FCI vs AG β Key Differencesβ
| Aspect | FCI | AG |
|---|---|---|
| Scope | Entire SQL instance | Per-database |
| Shared storage | Required | Not needed (log shipping) |
| Both nodes run SQL? | β (passive is standby) | β (secondary is readable) |
| System databases | β Shared (master, msdb) | β Not replicated |
| SQL Agent jobs | β Shared (in msdb) | β Must sync manually |
| Instance-level objects | β (logins, linked servers) | β Must recreate |
| Read-only secondary | β | β |
| Cross-region DR | Complex | β (async replica) |
Shared Storage Options on Azureβ
| Option | Performance | Complexity | Cost |
|---|---|---|---|
| Azure Shared Disks | High (Premium SSD/Ultra) | Low | Medium |
| Storage Spaces Direct (S2D) | Very High | High | High |
| Premium File Share (SMB 3.0) | Medium | Low | Low |
π― Exam Focus
When to use FCI over AG:
- You need instance-level failover (logins, jobs, linked servers all fail over together)
- You have Standard Edition (AG Basic only supports 1 DB on Standard)
- You need system database failover When to use AG: everything else (it's more flexible and doesn't need shared storage)
FCI on Azure VMs β setup orderβ
Build a SQL FCI on Azure
AD + WSFC foundation
Domain-joined VMs in same AZ-aware placement
Install Failover Clustering, create cluster -NoStorage
Add Cloud Witness
Storage account in a different region
Required for 2-node clusters
Provision shared storage
Azure Shared Disks (simplest), S2D, or Premium File Share
Add as Cluster Shared Volume / Available Storage
Install SQL as cluster role
Setup.exe β "New SQL Server failover cluster installation" on node 1
"Add node" on node 2 (uses same cluster name)
Configure ILB for VNN
ILB frontend = SQL VNN IP, floating IP enabled
Probe port 59999 like AG Listener
Common ordering trap
Running standalone SQL setup first and then trying to "convert" to FCI is not supported. The first SQL install must be the clustered install path. Standalone-then-cluster forces a full uninstall/reinstall.
Quorum β Deep Diveβ
Quorum prevents split-brain β ensures only one partition of the cluster keeps running.
How Quorum Voting Worksβ
Quorum Voting
Majority Rule
N/2 + 1 votes needed. 2 nodes + witness = 3 votes β survives 1 failure (2/3 majority).
Cloud Witness
Recommended for Azure. Blob in storage account. Region-independent tiebreaker. No extra VM.
2 Nodes, No Witness
CANNOT survive any failure! Neither node has majority (1/2). Always add a witness.
Quorum Ruleβ
Majority (N/2 + 1) of total votes must agree for the cluster to stay online.
| Cluster Config | Total Votes | Node Fails | Remaining Votes | Survives? |
|---|---|---|---|---|
| 2 nodes, no witness | 2 | 1 node | 1/2 | β No majority |
| 2 nodes + Cloud Witness | 3 | 1 node | 2/3 | β Majority |
| 3 nodes, no witness | 3 | 1 node | 2/3 | β Majority |
| 3 nodes + Cloud Witness | 4 | 1 node | 3/4 | β Majority |
| 3 nodes + Cloud Witness | 4 | 2 nodes | 2/4 | β Majority |
| 4 nodes + Cloud Witness | 5 | 2 nodes | 3/5 | β Majority |
Witness Typesβ
| Witness | Where Stored | When to Use |
|---|---|---|
| Cloud Witness β | Azure Storage Account | Recommended for Azure VMs β region-independent, no extra VM |
| File Share Witness | SMB file share | Hybrid setups with an on-prem file server |
| Disk Witness | Shared cluster disk | Traditional on-prem with shared SAN |
π― Exam Focus
Critical quorum facts for DP-300:
- Cloud Witness is recommended for Azure clusters β it's a blob in a storage account
- 2-node cluster WITHOUT witness = CANNOT survive any failure (neither node has majority alone)
- Even number of nodes β always add a witness (tiebreaker)
- Witness should be in a different region from the cluster nodes for maximum resilience
Monitoring HA/DR Solutionsβ
| What to Monitor | How | Alert Threshold |
|---|---|---|
| AG synchronization state | sys.dm_hadr_database_replica_states | NOT SYNCHRONIZED |
| AG replica role | sys.dm_hadr_availability_replica_states | Unexpected role change |
| Log send/redo queue | sys.dm_hadr_database_replica_states | > acceptable RPO |
| Failover group lag | Azure Monitor metrics | Replication lag > threshold |
| Log shipping status | msdb..log_shipping_monitor_* tables | Backup/restore older than threshold |
| Cluster health | Failover Cluster Manager events | Node offline |
Anti-Patternsβ
- "Log shipping = HA." Log shipping is DR / read-only reporting, not HA β manual failover, RPO measured in restore-job intervals (typically 15 min). For HA use AG or FCI.
- "FCI shared disk on Azure VMs = use Premium SSD with each VM." FCI requires shared storage β on Azure that's Azure Shared Disks (ZRS) or Storage Spaces Direct (S2D). Single-attach Premium SSD does NOT work for FCI.
- "3 nodes in cluster = quorum is fine." With 3 nodes and No Majority quorum mode, losing 2 nodes loses quorum. Use Node Majority + Cloud Witness for cross-region clusters or odd counts.
- "Cloud Witness in same region as cluster." Defeats the purpose for region-failure scenarios. Place Cloud Witness in a separate region for DR-aware quorum.
- "Log Shipping STANDBY mode β users can read forever." STANDBY disconnects users during each restore cycle. For 24/7 reporting use AG read-only routing instead.
- "AG without listener β apps connect to current primary directly." That breaks on failover. Always configure listener + use it in connection strings.
β οΈ Watch Out
FCI on Azure VMs requires Standard Load Balancer with Floating IP enabled and a probe on TCP/SQL port. Without the LB + Floating IP, the FCI virtual name is not reachable from clients. Same rule as AG listener.
Migration Between HA/DR Topologiesβ
| From β To | Path | Cost |
|---|---|---|
| Standalone SQL VM β Log Shipping (DR) | Configure backup/copy/restore jobs to secondary VM | Easy; manual failover; periodic data loss |
| Log Shipping β Always On AG | Build cluster + AG; remove LS jobs | Cuts RPO; gain auto-failover; complexity |
| AG (sync, 1 secondary) β AG (sync + async secondary) | Add async secondary in DR region | DR coverage; secondary VM cost |
| AG β FCI | FCI only useful when shared storage required (legacy) | Rare in cloud; requires shared disk |
| Node Majority β Node + Cloud Witness | Reconfigure quorum via FCM | Removes file-share witness dependency |
| File-share witness β Cloud Witness | Same as above | Tiny storage cost; cross-region resilient |
| AG sync mode β distributed AG | Forwarder pattern across regions | Cross-region; very complex topology |
| FCI on iSCSI β FCI on Azure Shared Disks ZRS | Reconfigure storage | Native Azure resilience |
Most expensive moves: FCI on cloud (often the wrong tool) and distributed AG (operational complexity).
Real Scenariosβ
- DR-only secondary, no auto-failover required β Log shipping with 15-min copy/restore, STANDBY mode for read reports. Driver: cheap, simple. Trade-off: RPO = 15 min, manual failover.
- 2-node AG sync + 1-node async DR β Cross-region async secondary in addition to local sync replica. Driver: HA + DR. Trade-off: 3 VMs licensed for SQL.
- Legacy ERP requiring FCI β 2-node FCI on Azure Shared Disks ZRS, Standard LB + Floating IP, Cloud Witness in a 3rd region. Driver: app vendor mandates FCI. Trade-off: shared disk SKU + LB cost.
- 24/7 reporting workload β AG with read-only routing to async secondary. Driver: offload reads from primary. Trade-off: read-only secondary slightly behind.
- Cross-region quorum without an extra VM β Node Majority + Cloud Witness in a third region. Driver: avoid 3rd VM cost. Trade-off: storage account dependency for quorum.
Flashcardsβ
What are the 3 jobs in Log Shipping?
Click to reveal answer
1) Backup Job (on primary β backs up transaction log). 2) Copy Job (on secondary β copies .trn files). 3) Restore Job (on secondary β restores .trn files). Default interval: 15 minutes each.
1 / 8
Quizβ
A company uses SQL Server Standard Edition and needs a simple DR solution with up to 15-minute RPO. Which solution fits?