Switchover/Auto-failover

To ensure continuous performance and minimize service downtime, services can be switched from the active server of a high-availability cluster to the redundant, passive server. This feature is called "Switchover," or in some cases "Failover." This section explains the basics of these two concepts.

Switchover

Switchover refers to a switch from the active server to the redundant, passive server of a high-availability cluster. Under normal conditions, the active server manages all services. However, in the event the active server malfunctions, you can initiate a switchover and transfer all services to the passive server, assuming the passive server is functioning normally. In this case, the active server assumes the role of the passive server, and the passive server assumes the role of the active server.

To manually initiate a switchover:

1. Click the Manage button in the Cluster page
2. Click Switchover

Auto-failover

When certain errors occur, the system can automatically initiate a switchover of services to maintain performance. This event is called "failover." The system might initiate failover in the following situations:

• Crashed storage space: A storage space (e.g. volume, Disk Group, RAID Group, SSD cache, etc.) on the active server has crashed, but the corresponding storage space on the passive server is functioning normally. Please note the system will not initiate a failover if no volumes or iSCSI LUN (Block-Level) exist on the crashed storage space.
• Service error: An error occurred on a monitored service.
• Power failure: The active server is shut down or restarted; both power units on the active server have failed; or power is lost.

Switchover Failure

Switchover or auto-failover might not succeed in the following situations:

• Incomplete data replication: When you first combine two servers to create a high-availability cluster, the system requires time to replicate all data from the active server to the passive server.
• Storage space on passive server crashed: A storage space (e.g. volume, Disk Group, RAID Group, etc.) on the passive server has crashed.
• Power failure: The passive server is shut down or restarted; both power units on the passive server have failed; or power is lost.
• DSM update: When installing DSM updates, all services will be stopped, and will resume after DSM update installation is completed.

If you manually initiate a switchover, but services cannot be switched to the passive server, then the system will attempt to switch services back to the active server.

If failover is initiated but neither server can assume the role of the active server due to errors, the high-availability cluster will not be able to provide service normally. If the servers do not automatically return to standalone status (no passive server), please press the Reset button on both servers to restore default settings. Once default settings have been restored you can combine the servers and create a high-availability cluster again.

Uninterruptible Power Supply

High-availability clusters can be connected to uninterruptible power supply (UPS) units in order to reduce the risk of unexpected power loss. If power is lost, servers will receive backup power from any UPS units connected to them. When the UPS unit connected to the active server begins running low on power, the system will attempt to switch over services to the passive server.

To enable UPS support for either or both servers:

1. Go to DSM Control Panel > Hardware & Power > UPS.
2. Tick the Enable UPS Support checkbox for either or both servers.
3. Select a UPS type from the drop-down menu.
4. Set a Time before Synology NAS enters Standby Mode:
   • Select Same as server to shut down the Synology NAS when the server is shut down.
   • Select Customize time to specify the amount of time the Synology NAS has before it enters Standby Mode when power failure occurs.
5. Click Apply to save settings.

If you only connect and enable UPS support for the active server, in the event of power failure, the active server will receive backup power from its connected UPS unit. The UPS unit will soon send both servers into Standby Mode whereby all services will be stopped and volumes will be unmounted to prevent data loss. The system will be safely shut down once the UPS device also runs out of power.

If you connect and enable UPS support for both the active and the passive servers, the case can be a little different in the event of power failure:

• If both servers are connected to the same power source, then both servers may still enter Standby Mode when the UPS units run low on power.
• If the passive server is connected to a different power source, then the system may attempt to switch over services to the passive server when the active server and its UPS unit are low on power.

Please see the guidelines below if you use a network switch in your high-availability cluster:

• If the active and passive servers are attached to the same network switch, it is recommended to connect both servers to the same power source as the network switch.
• If the active and passive servers are attached to different network switches that use different power sources (e.g. electricity from different power companies), it is recommended to connect the active and passive servers to the same and corresponding power sources as their attached network switches.