V-259709

CAT II (Medium)

Exchange must provide mailbox databases in a highly available and redundant configuration.

Rule ID

SV-259709r961620_rule

STIG

Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-002385

Discussion

Exchange Server mailbox databases and any data contained in those mailboxes should be protected. This can be accomplished by configuring Mailbox servers and databases for high availability and site resilience. A database availability group (DAG) is a component of the Mailbox server high availability and site resilience framework built into Microsoft Exchange Server 2019. A DAG is a group of Mailbox servers that hosts a set of databases and provides automatic database-level recovery from failures that affect individual servers or databases. A DAG is a boundary for mailbox database replication and database and server switchovers and failovers. Any server in a DAG can host a copy of a mailbox database from any other server in the DAG. When a server is added to a DAG, it works with the other servers in the DAG to provide automatic recovery from failures that affect mailbox databases, such as a disk, server, or network failure.

Check Content

Review the Email Domain Security Plan (EDSP).

Determine if a Database Availability Group exists.
From Exchange Admin Center:
1. In the pane on the left, navigate to "servers". 
2. In the pane on the right, navigate to the "database availability groups" tab.
3. Verify a database availability group is configured with member servers.

If two or more member servers are not listed, this is a finding.

From Exchange PowerShell, run the following cmdlet:

Get-DatabaseAvailabilityGroup

If no DatabaseAvailabilityGroup is listed or a Database Availability Group is listed but has no member servers, this is a finding.

Determine if the Exchange Mailbox databases are using redundancy.
From Exchange Admin Center:
1. In the pane on the left, navigate to "servers".
2. In the pane on the right, navigate to the "databases" tab.
3. For each database, check the column "SERVERS WITH COPIES".

Unless specified in the EDSP, if the "SERVERS WITH COPIES" column does not have two or more servers listed, this is a finding.

From Exchange PowerShell, run the following cmdlet:

Get-MailboxDatabaseCopyStatus -Identity <DatabaseName>

Unless specified in the EDSP, if the output of this cmdlet does not show more than one copy, this is a finding.
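The two PowerShell checks above can be combined into a single pass over every DAG and mailbox database. This is an added example, not part of the STIG text or of STIGhub. It assumes it is run from the Exchange Management Shell, and `$EdspExceptions` is a hypothetical parameter holding the names of databases that the EDSP documents as single-copy. The EDSP review itself is still a manual step.

```powershell
# Added example, not STIG or STIGhub content. Run from the Exchange Management Shell.
# $EdspExceptions is a hypothetical parameter: databases the EDSP documents as single-copy.
param([string[]]$EdspExceptions = @())

$findings = [System.Collections.Generic.List[string]]::new()

# Check 1: a DAG must exist. The stricter Exchange Admin Center criterion
# (two or more member servers) is applied to each DAG returned.
$dags = @(Get-DatabaseAvailabilityGroup)
if ($dags.Count -eq 0) {
    $findings.Add('No DatabaseAvailabilityGroup is listed.')
}
foreach ($dag in $dags) {
    $members = @($dag.Servers)
    if ($members.Count -lt 2) {
        $findings.Add("DAG '$($dag.Name)' lists $($members.Count) member server(s).")
    }
}

# Check 2: each mailbox database must show more than one copy, unless the EDSP says otherwise.
$evidence = foreach ($db in Get-MailboxDatabase) {
    $copies   = @(Get-MailboxDatabaseCopyStatus -Identity $db.Name)
    $excepted = $EdspExceptions -contains $db.Name
    if ($copies.Count -lt 2 -and -not $excepted) {
        $findings.Add("Database '$($db.Name)' shows $($copies.Count) copy.")
    }
    [pscustomobject]@{
        Database      = $db.Name
        CopyCount     = $copies.Count
        CopyServers   = ($copies.MailboxServer -join ', ')
        CopyStatus    = ($copies.Status -join ', ')
        EdspException = $excepted
    }
}

# Per-database evidence for the assessment record, then the verdict.
$evidence | Format-Table -AutoSize
if ($findings.Count -gt 0) {
    Write-Output 'V-259709: FINDING'
    $findings | ForEach-Object { Write-Output "  - $_" }
} else {
    Write-Output 'V-259709: not a finding'
}
```

The copy status column is included only as supporting evidence; the STIG check itself counts copies and does not evaluate their health.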

Fix Text

Update the EDSP to specify how Exchange Mailbox databases use redundancy.

Add two or more Mailbox servers to the database availability group.

Add a database copy to one or more member servers within the database availability group.