Part I Concepts and Administration
1.8 Data Guard Environments
You can configure standby databases in a variety of ways in a Data Guard environment, including the following:
■ Typical Two-Site Data Guard Environment
■ Data Divergence and Data Loss
■ Primary Database Protection Modes Overview
■ Standby Database No-Data-Loss Failover
■ Standby Database Data-Loss Failover
■ Primary Database Protection Modes Description
■ Data Divergence and Data Loss Summary
■ Delayed Standby
1.8.1 Typical Two-Site Data Guard Environment
A typical two-site Data Guard environment consists of a primary database and a standby database on a remote host connected by a network. Figure 1–4 shows a typical two-site Data Guard environment.
Figure 1–4 Typical Two-Site Data Guard Environment
[Figure labels: San Francisco, Boston, Application, Primary Database, Read/Write Transactions, Online Redo Logs, Local Archiving, Archived Redo Logs, Oracle Net, Standby Database, Read-Only Reports]
1.8.2 Data Divergence and Data Loss
Data divergence is the temporary state of the primary database that occurs when a standby database becomes inaccessible. While in the data divergence state, the primary database is able to commit transactions whose data modifications are not immediately available on the standby database. Data divergence also occurs when you use the LGWR or ARCn process for asynchronous standby database archival operations.
Data loss occurs when you fail over to a standby database whose corresponding primary database is in the data divergence state. To prevent primary database data divergence if network connectivity fails, use the guaranteed protection mode.
1.8.3 Primary Database Protection Modes Overview
The primary database protection modes are failure policies that dictate how to manage the primary database if a standby database becomes inaccessible. There are four primary database protection modes:
■ Guaranteed protection
■ Instant protection
■ Rapid protection
■ Delayed protection
Guaranteed protection mode dictates that the primary database modifications must always be available on at least one standby database; data divergence is prohibited by terminating the primary instance if it loses network connectivity to the last standby database.
See Also: Section 6.2 for detailed information on creating a standby database on a remote site
Note: Use the LGWR process in conjunction with synchronous standby database archival operations to prevent data divergence as long as continuous network connectivity is available.
Note: When you have multiple standby databases, the primary database may have diverged relative to one standby database, but not necessarily with other standby databases. Also, the degree of divergence may differ with each standby database.
Instant protection mode dictates that the primary database modifications always be available on at least one standby database. Unlike guaranteed protection mode, data divergence is not prohibited by the instant protection mode. Data divergence exists for the duration that standby database connectivity is unavailable, and can be resolved when network connectivity to the primary database is reestablished.
Rapid protection mode indicates that primary database modifications are available to the standby database as soon as possible with minimal effect on primary database performance.
Delayed protection mode indicates that primary database modifications will ultimately be available on the standby site, as long as the network is active. Both the rapid and delayed protection modes allow the primary database to diverge from all standby databases, even when network connectivity is available. The degree of data divergence is equivalent to the data contained in the unarchived primary database online redo logs.
1.8.4 Standby Database No-Data-Loss Failover
On a standby database, no-data-loss failover is possible only when the corresponding primary database is operating in a data protection mode that provides no-data-divergence semantics, such as guaranteed and instant protection mode. This means that all primary database archived redo logs necessary for no-data-loss failover are available. However, it is possible that the archived redo logs have not yet been applied to the standby database. No-data-loss failover requires that all archived redo logs are first applied. If the archived redo logs are not applied, failover to a standby database will result in data loss relative to the primary database.
1.8.5 Standby Database Data-Loss Failover
Standby database data-loss failover occurs when primary database modifications have not all been applied, or when the corresponding primary database is operating in a data protection mode that allows data divergence semantics, such as rapid and delayed protection modes. This results in standby database data loss relative to the primary database. The amount of data loss can be controlled by primary database archived log destination attributes and the availability of standby redo logs at the standby database.
1.8.6 Primary Database Protection Modes Description
No data divergence means the primary database will not acknowledge primary database modifications until they have been confirmed as being available on at least one standby database. Data is protected when primary database modifications occur while there is connectivity to the standby database. Data is unprotected when primary database modifications occur while connectivity to the standby database is not available.
The primary and standby databases are synchronized by applying archived redo logs from the primary database to the standby database. Although the goal is to keep the databases identical, the transactions applied to the standby database can sometimes lag behind the primary database.
This lag may occur either because the data has not yet reached the standby site, or it may have reached the standby site, but has not yet been applied to the standby database.
If the data needed to keep the databases synchronized is not yet available on the standby site, and you must fail over, the contents of the databases will diverge, and some of the data will be lost. You can be protected from data loss by ensuring that all the data is available on the standby site. Data divergence will be eliminated once all of the data is ultimately applied.
The amount of primary database data divergence and standby database data loss can be controlled, depending on the level of protection required by your business. By weighing your requirements for availability against user demands for response time and performance, you can determine how tightly you want to synchronize the primary and standby databases and how much data you can afford to lose.
You can set up the primary database to achieve the following levels of data protection:
■ Guaranteed protection
Guaranteed protection mode indicates that primary database modifications are available to the standby database, up to the last committed transaction, and protected against data loss, even if either site fails. This mode has the greatest effect on primary database performance.
Stock exchanges, currency exchanges, or financial institutions are examples of businesses that require guaranteed protection. When a customer requests a stock be sold at current market price, it must be traded exactly at that price, as the price fluctuates and cannot be executed again later on.
■ Instant protection
Instant protection mode indicates that primary database modifications are available to the standby database, up to the last committed transaction, as long as both sites are active. This mode has less effect on primary database performance than guaranteed protection mode.
An example of a business that requires instant protection is a manufacturing plant; the risks of having no standby database for a period of time and data divergence are acceptable, as long as no data is lost if failover is necessary. The loss of standby database network connectivity has the side effect of dynamically changing instant protection mode into delayed protection mode. Once network connectivity to the standby database is reestablished, instant protection mode resumes.
■ Rapid protection
Rapid protection mode indicates that primary database modifications are available to the standby database as soon as possible with minimal effect on primary database performance.
In an order processing system, orders may be reentered if they were written manually, or if a customer calls and says he did not receive the item. Another example is an online auction, where it is more important to be online than to lose a few bids in the case of a failover.
■ Delayed protection
Delayed protection mode indicates that primary database modifications will ultimately be available on the standby site, as long as the network is active. This mode has the least effect on primary database performance.
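
The behavior of the four modes when the last standby becomes unreachable, as an added Python model that is not Oracle code and not part of the original documentation. The event names (`commit`, `archive`, `link_down`, `link_up`, `apply`) are assumptions, and rapid and delayed protection are modeled identically: redo reaches the standby only when the online redo log is archived.

```python
# Added illustration: a toy model of the page's four protection modes.
# Not Oracle code; the event names and shipping rules are assumptions.
from dataclasses import dataclass

NO_DIVERGENCE_WHEN_CONNECTED = {"guaranteed", "instant"}

@dataclass
class Config:
    mode: str
    committed: int = 0      # transactions acknowledged by the primary
    on_standby: int = 0     # transactions whose redo has reached the standby site
    applied: int = 0        # transactions applied to the standby database
    link_up: bool = True
    primary_running: bool = True

    def handle(self, event: str) -> None:
        sync = self.mode in NO_DIVERGENCE_WHEN_CONNECTED
        if event == "link_down":
            self.link_up = False
            if self.mode == "guaranteed":
                self.primary_running = False       # terminate rather than diverge
        elif event == "link_up":
            self.link_up = True
            if sync and self.primary_running:
                self.on_standby = self.committed   # divergence resolved on reconnect
        elif event == "commit" and self.primary_running:
            self.committed += 1
            if sync and self.link_up:
                self.on_standby = self.committed   # confirmed on standby before ack
        elif event == "archive" and self.link_up and self.primary_running:
            self.on_standby = self.committed       # online redo log archived and shipped
        elif event == "apply":
            self.applied = self.on_standby         # standby applies what it has received

def failover_loss(mode, events, apply_first=True):
    """Return (transactions lost on failover, primary still running)."""
    cfg = Config(mode)
    for event in events:
        cfg.handle(event)
    if apply_first:
        cfg.handle("apply")   # apply all received redo before activating the standby
    return cfg.committed - cfg.applied, cfg.primary_running

# Constructed scenario: the link to the last standby drops mid-workload.
OUTAGE = ["commit", "commit", "archive", "commit", "link_down", "commit"]

if __name__ == "__main__":
    for mode in ("guaranteed", "instant", "rapid", "delayed"):
        print(mode, failover_loss(mode, OUTAGE))
```

Passing `apply_first=False` models a failover performed before the received archived redo logs are applied, which loses data even in a no-data-divergence mode.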
1.8.7 Data Divergence and Data Loss Summary
Table 1–1 summarizes the available data protection modes and their implications for primary database data divergence and standby database switchover and failover.
See Also: Section 3.6 for additional information on setting up a no-data-loss environment
Standby Database Operational Modes
1.8.8 Delayed Standby
By default, in managed recovery mode, the standby database automatically applies archived redo logs when they arrive from the primary database. But in some cases, you may want to delay applying the redo logs. A time lag can protect against the application of corrupted or erroneous data from the primary database to the standby database.