Oracle Data Guard
Oracle Data Guard is a comprehensive set of services provided by Oracle Database that creates, maintains, manages, and monitors one or more standby databases to ensure high availability, data protection, and disaster recovery for enterprise data.[1] It enables the synchronization of standby databases with a primary production database, allowing seamless role transitions during outages such as hardware failures, site disasters, or human errors, thereby minimizing downtime and potential data loss.[2] Fully integrated with Oracle Database Enterprise Edition, Data Guard supports up to 30 geographically dispersed standby databases and is licensed as part of the core database offering.[1] At its core, Oracle Data Guard operates through redo transport services, which automate the transmission of redo data from the primary database to standby databases, and apply services, which replay this redo to keep standbys consistent with the primary.[1] There are three main types of standby databases: physical standbys, which are block-for-block identical copies of the primary and use Redo Apply for synchronization, with read-only access when open using the Active Data Guard option; logical standbys, which maintain the same logical data but allow structural differences and use SQL Apply for updates, facilitating tasks like software upgrades with minimal downtime; and snapshot standbys, which can be temporarily converted to an updatable state for testing or development while deferring redo application until reversion to a physical standby.[1][3] These configurations integrate with technologies like Oracle Real Application Clusters (RAC), Recovery Manager (RMAN), and Flashback Database to enhance resilience.[1] Data Guard offers three protection modes to balance data safety against performance and availability: maximum protection, which guarantees zero data loss by halting the primary if the standby is unavailable; maximum availability, which aims for zero loss except in rare double failures and prioritizes keeping the primary operational; and maximum performance, the default mode that minimizes impact on the primary while allowing potential data loss in the event of a failure.[1] Role management is simplified via the Oracle Data Guard Broker, a utility that automates configuration, monitoring, and operations like switchovers (planned transitions) and failovers (unplanned recoveries) through command-line (DGMGRL) or graphical interfaces.[1] Advanced features include Far Sync for zero-data-loss protection over long distances (requiring an Active Data Guard license), Application Continuity for rapid recovery from errors, and support for pluggable databases (PDBs) in multitenant environments since Oracle Database 12c, with enhanced management in later versions.[2][1]Introduction
Purpose and Benefits
Oracle Data Guard is Oracle's native high availability, data protection, and disaster recovery solution that creates, maintains, and manages one or more synchronized standby databases as copies of a production primary database, enabling rapid recovery from outages, data corruption, and site failures.[1] By continuously shipping and applying redo data from the primary to standby databases, it ensures business continuity with minimal or zero data loss, depending on the configured protection mode.[2] Key benefits of Oracle Data Guard include providing zero data loss protection through synchronous redo transport in maximum protection mode, automatic failover capabilities that can complete in seconds to maintain application availability, and the ability to offload read-only workloads—such as reporting and backups—to standby databases via Active Data Guard, thereby improving primary database performance.[1] It also supports seamless site failover for geographic redundancy, allowing organizations to survive disasters over any distance without compromising data integrity.[2] These features collectively reduce downtime, simplify maintenance, and enhance overall system resilience for mission-critical applications.[4] Introduced with Oracle Database 9i in 2002 as an evolution from earlier standby database capabilities, Data Guard has advanced significantly across versions to address growing enterprise needs.[5] Oracle Database 11g introduced Active Data Guard for real-time querying of standbys and 12c added Far Sync for extended-distance zero data loss; building on per-PDB protection introduced in 21c, recent releases like 23ai and 26ai have enhanced support for pluggable databases (PDBs) with improved broker automation.[6][3] Oracle Data Guard is available exclusively with Oracle Database Enterprise Edition and supports both single-instance and Oracle Real Application Clusters (RAC) environments, accommodating up to 30 standby destinations connected via Oracle Net Services for flexible deployment across local or remote sites.[3][7] The Data Guard Broker provides centralized management to streamline configuration and operations in these setups.[1]Core Architecture and Components
Oracle Data Guard's core architecture revolves around a primary database and one or more standby databases that work together to ensure high availability and data protection. The primary database serves as the production system, handling all user transactions and serving as the source of redo data generated from database changes. This redo data captures all committed transactions and is essential for maintaining synchronization with standby databases.[8] Standby databases act as synchronized copies of the primary database, remaining transactionally consistent through the application of redo data. These databases can assume the primary role during planned maintenance or in response to failures, enabling seamless role transitions without data loss in configured scenarios. A Data Guard configuration supports up to 30 standby databases, each capable of operating as a single-instance or Oracle Real Application Clusters (RAC) environment, mirroring the primary's setup.[8] Key components include redo transport services, which automate the shipment of redo logs from the primary to standby databases, handling any gaps in transmission to ensure complete data transfer. Apply services then replay this redo data on the standby databases to keep them synchronized with the primary. Role management services facilitate transitions between primary and standby roles, supporting both planned switchovers and emergency failovers.[8] Network connectivity is provided through Oracle Net, enabling communication between the primary and standby databases with no inherent geographic restrictions, allowing deployments across data centers or regions. Redo transport supports encryption via Secure Sockets Layer (SSL) for secure data transmission over Oracle Net sessions.[8] Oracle Data Guard requires Oracle Database Enterprise Edition for basic functionality, while advanced features such as Oracle Active Data Guard and Far Sync necessitate additional licensing. Protection modes—maximum protection, maximum availability, and maximum performance—influence architecture choices by balancing data loss prevention with performance impacts. The Data Guard Broker serves as an optional tool to automate the configuration and management of these core components.[9][8]Standby Database Configurations
Physical Standby Databases
A physical standby database in Oracle Data Guard is a block-for-block, physically identical copy of the primary database, maintaining synchronization through the application of redo data to ensure identical on-disk structures and content.[1] This replication occurs at the binary level using Redo Apply services, which replay redo streams from the primary to the standby, supporting all data types, DDL, and DML operations performed on the primary.[1] Unlike logical standbys, physical standbys prioritize exact fidelity for high-availability scenarios. To set up a physical standby database, the primary database is first prepared by enabling force logging, configuring redo transport destinations, and adding standby redo logs. The standby is then created by duplicating the primary using Recovery Manager (RMAN), which backs up data files and generates a standby control file for transfer to the standby host. Redo shipping is enabled via parameters likeLOG_ARCHIVE_DEST_n to asynchronously or synchronously transmit archived redo logs over Oracle Net services. Finally, managed recovery is initiated on the mounted standby database with the command ALTER DATABASE RECOVER MANAGED STANDBY DATABASE DISCONNECT FROM SESSION;, allowing real-time application of redo.
Physical standby databases are ideal for disaster recovery, where they serve as hot backups that can assume the primary role with minimal data loss in zero-downtime failover scenarios using maximum protection or availability modes.[1] They also offload backup operations from the primary by allowing RMAN backups directly from the standby, reducing production impact, and support read-only queries when combined with Active Data Guard for reporting workloads.[1]
Key limitations include the standby operating in a mounted, read-only state during redo apply, preventing local updates or writes unless using Active Data Guard for open read access.[10] Additionally, physical standbys require compatible hardware and operating system (such as the same endianness, database block size, and character set), and the same Oracle Database software version as the primary for compatibility.[3]
In Oracle Database 23ai, physical standby databases were enhanced with automatic temporary file creation and management during role transitions, replicating temp file DDL changes (such as additions, removals, or size adjustments) from the primary without manual intervention, provided Oracle Managed Files (OMF) is enabled.[10] This feature applies to both container databases (CDBs) and Data Guard pluggable databases (DG PDBs), streamlining maintenance in multitenant environments.[10]
Logical Standby Databases
A logical standby database in Oracle Data Guard maintains the same logical information as the primary database but permits a different physical organization of data, enabling greater flexibility in database structure and operations. Unlike physical standbys, which replicate data at the block level for an exact copy, logical standbys use SQL Apply to extract SQL statements from archived redo logs transmitted via Redo Transport Services and apply them transactionally to the standby. This process relies on Oracle LogMiner to parse the redo streams into logical changes, ensuring the standby remains synchronized while allowing it to be open for read-write access during apply operations.[3] Setting up a logical standby database typically involves first creating a physical standby from a backup of the primary database, then converting it to logical using the SQL commandALTER DATABASE RECOVER TO LOGICAL STANDBY <db_name>, after stopping redo apply with ALTER DATABASE RECOVER MANAGED STANDBY DATABASE CANCEL. Direct creation without an intermediate physical standby is not supported; prerequisites include enabling ARCHIVELOG mode on the primary, ensuring tables have primary keys or unique constraints for row identification (verifiable via DBA_LOGSTDBY_NOT_UNIQUE), and building a LogMiner dictionary with DBMS_LOGSTDBY.BUILD. Post-conversion, the database is opened with ALTER DATABASE OPEN RESETLOGS, SQL Apply is started via ALTER DATABASE START LOGICAL STANDBY APPLY IMMEDIATE, and operations are verified using views like V$LOGSTDBY_PROGRESS. Protection modes such as Maximum Availability or Maximum Protection can influence the synchronous level of redo transport to the logical standby.[11]
Logical standby databases are particularly suited for use cases requiring minimal downtime on the primary, such as reporting queries that can run concurrently with apply services, database upgrades via rolling patches without outages, and schema migrations where the primary remains online. For instance, they support the creation and maintenance of materialized views for optimized querying or integration with Oracle Streams for additional data capture on maintained tables. These capabilities allow offloading analytical workloads or testing structural changes while keeping the standby in sync.[12][3]
Challenges in managing logical standbys include the automatic skipping of non-supported operations on the primary, such as SQL*Loader direct path loads or certain DDL like ALTER [TABLESPACE](/page/Tablespace), which are logged in DBA_LOGSTDBY_EVENTS and can be explicitly skipped using DBMS_LOGSTDBY.[SKIP](/page/Skip) for specific objects to prevent apply errors. Additionally, applied SQL statements may require post-apply recompilation of database objects, especially for DDL involving unsupported datatypes (e.g., post-12c types like JSON or identity columns) or functions like SYSDATE in triggers, potentially leading to schema divergence if not addressed manually. DDL transactions are applied serially, which can introduce lag compared to concurrent execution on the primary.[12][11][13]
In Oracle Database 26ai (released in 2025), improvements enhance DDL handling for better compatibility, including support for all temporary file-related DDL operations in Data Guard Pluggable Databases (DG PDBs), and new Transparent Data Encryption (TDE) options via the TABLESPACE_ENCRYPTION parameter for hybrid cloud/on-premises environments. These updates improve interoperability during upgrades and migrations.[13][3]
Snapshot Standby Databases
A snapshot standby database is a fully updateable standby database in Oracle Data Guard that is created by temporarily converting a physical standby database into an open, read-write database.[14] This conversion leverages Oracle Flashback Database technology to track changes made to the standby, allowing redo data from the primary database to be received and archived without being applied during the snapshot period.[9] When the snapshot standby is converted back to a physical standby, the local updates are discarded, and the archived redo is applied to synchronize it with the primary, ensuring the standby remains an exact replica.[14] To set up a snapshot standby, Flashback Database must be enabled on the physical standby database, which requires sufficient space in the fast recovery area for flashback logs.[14] The conversion process involves stopping managed recovery on the mounted standby and executing theALTER DATABASE CONVERT TO SNAPSHOT STANDBY statement via SQL*Plus, or using the Data Guard Broker command CONVERT DATABASE <db_name> TO SNAPSHOT STANDBY through DGMGRL.[15] Once converted, the database can be opened in read-write mode for updates, but Oracle recommends limiting the snapshot duration to minimize the volume of archived redo that must be applied upon reversion and to avoid significant divergence from the primary.[14]
Snapshot standby databases are particularly useful for scenarios requiring temporary read-write access to a recent copy of production data without disrupting the primary database, such as application testing, software patching, or development iterations.[9] For example, developers can perform intensive write operations on the snapshot to simulate real-world usage, then revert it to catch up with primary changes, enabling repeated cycles of testing and resynchronization while preserving disaster recovery capabilities.[9] This approach balances data protection with the need for an updatable environment, as the standby continues to receive redo from the primary throughout the snapshot phase.[14]
Key limitations include the requirement for adequate undo and flashback space to handle the accumulated changes, which can grow substantially with heavy write activity.[14] While in snapshot mode, the database cannot serve as a switchover or failover target and is unsuitable for production workloads due to the eventual discard of local modifications upon reversion.[14] Additionally, it cannot be the sole standby in a maximum protection configuration during this period.[14]
Introduced in Oracle Database 11g Release 2, snapshot standby databases integrate seamlessly with physical standby configurations and have been refined in subsequent versions to enhance manageability through tools like the Data Guard Broker.[15] This feature relies on Flashback Database as the enabling technology for tracking and reverting changes during role transitions back to a physical standby.[14]
Management Tools
Data Guard Broker
The Oracle Data Guard Broker is an integrated management framework that automates the creation, maintenance, and monitoring of Data Guard configurations to ensure high availability, data protection, and disaster recovery for Oracle databases.[7] It provides a centralized interface through the Data Guard Manager Command-Line Interface (DGMGRL) and integration with Oracle Enterprise Manager Cloud Control, enabling administrators to perform tasks such as setup, health checks, and role transitions without relying on manual SQL commands.[7] The broker operates via the DMON background process on each database instance, which communicates over a network using the broker protocol to coordinate actions across primary and standby databases.[7] Key features of the Data Guard Broker include the use of binary configuration files stored on each database to maintain state information, dynamic property settings for customizing behavior such as redo transport and apply services, built-in validation scripts to verify configuration health and readiness for operations like switchovers, and support for scripted operations through DGMGRL commands or PL/SQL APIs in the DBMS_DG package.[16][17] These elements allow for automated monitoring of redo transport lag, apply lag, and overall configuration status, with diagnostic logs (drc*.log) providing detailed troubleshooting information.[7] The broker also facilitates the configuration of protection modes and the orchestration of role transitions, such as switchovers and failovers, in a coordinated manner.[7] To set up the Data Guard Broker, administrators first enable it on the primary and standby databases by setting the DG_BROKER_START initialization parameter to TRUE, which starts the DMON process. A configuration object is then created using DGMGRL commands, such as CONNECT and CREATE CONFIGURATION, specifying the primary database and adding standby databases with identifiers like database_unique_name.[18] Once enabled, the broker performs initial validation and can be managed through commands like SHOW CONFIGURATION for status or EDIT CONFIGURATION for property adjustments.[18] In Oracle Database 26ai (released in 2025), enhancements to the Data Guard Broker include new dynamic performance views such as VDG_BROKER_PROPERTY and VDG_BROKER_ROLE_CHANGE, which allow querying the entire broker configuration from any member database, simplifying monitoring in multitenant environments.[7] Additionally, PDB-specific management is supported through Data Guard for Pluggable Databases (DG PDB), enabling granular protection and role transitions at the PDB level using commands like EDIT PLUGGABLE DATABASE to control apply states (e.g., APPLY-ON or APPLY-OFF) and properties tailored to individual PDBs within a container database.[19][3] New DGMGRL commands, such as VALIDATE DGConnectIdentifier and EDIT ALL MEMBERS, further streamline validation and multi-member operations.[7] The advantages of using the Data Guard Broker include a significant reduction in manual SQL errors during configuration and maintenance, as it abstracts complex operations into high-level commands and automates validation to ensure consistency.[7] It also provides robust support for the fast-start failover observer, allowing up to four observers to monitor the configuration and automatically initiate failovers when conditions like lag thresholds are met, enhancing overall resilience without constant human intervention.[7]Protection Modes
Oracle Data Guard offers three distinct protection modes that allow administrators to balance data protection against performance and availability requirements. These modes—maximum protection, maximum availability, and maximum performance—determine how redo data is transported from the primary database to standby databases, ensuring varying levels of data safety during failures. In maximum protection mode, the highest level of data safety is provided by requiring synchronous redo transport to at least one standby database. Transactions on the primary database do not commit until the redo data is received and written to the standby redo log on a synchronized standby, with the primary acknowledging the commit only after this confirmation. If no synchronized standby is available, the primary database shuts down to prevent any data loss. This mode necessitates the use of theSYNC and AFFIRM attributes in the LOG_ARCHIVE_DEST_n parameters and requires at least two standby databases for fault tolerance.
Maximum availability mode prioritizes zero data loss while maintaining resilience against standby failures. It operates similarly to maximum protection by using synchronous redo transport (SYNC with AFFIRM or NOAFFIRM), committing transactions only after the redo is written to the standby redo log. However, if communication with the standby is lost, the mode automatically falls back to asynchronous transport (maximum performance mode) to avoid shutting down the primary, resuming synchronous operation once the standby recovers. This ensures no data loss in normal operation but provides a safety net for transient issues.
Maximum performance mode, the default configuration, minimizes impact on the primary database's throughput by shipping redo data asynchronously to standby databases. Transactions commit immediately after the redo is written to the primary's online redo log, without waiting for standby acknowledgment, using the ASYNC and NOAFFIRM attributes in LOG_ARCHIVE_DEST_n. While this avoids latency from network delays, it carries a risk of data loss if the primary fails before the redo reaches the standby.
Protection modes are configured using SQL commands on the primary database, such as ALTER DATABASE SET STANDBY DATABASE TO MAXIMIZE PROTECTION;, or through the Data Guard Broker for automated management. The LOG_ARCHIVE_CONFIG parameter must first be set to include the database unique names in the configuration, e.g., ALTER SYSTEM SET LOG_ARCHIVE_CONFIG='DG_CONFIG=(primary,standby)';. The current mode can be verified with SELECT PROTECTION_MODE FROM V$DATABASE;. Redo transport services implement these modes by handling the synchronous or asynchronous delivery of redo data.
The trade-offs among these modes primarily involve commit latency, network bandwidth usage, and potential data loss. Synchronous modes (maximum protection and availability) introduce commit delays due to round-trip network acknowledgment, potentially reducing primary database performance under high load or poor connectivity, and consume more bandwidth for immediate data transfer. Asynchronous mode (maximum performance) eliminates these delays for optimal throughput but risks losing committed transactions in a primary failure. Administrators select modes based on recovery point objective (RPO) needs, with maximum protection offering zero RPO at the cost of availability risks, while maximum performance prioritizes speed over absolute safety.
| Protection Mode | Redo Transport | Data Loss Risk | Performance Impact | Key Requirement |
|---|---|---|---|---|
| Maximum Protection | Synchronous (SYNC/AFFIRM) | None | High (commit waits for standby) | At least two standbys; standby redo logs |
| Maximum Availability | Synchronous (SYNC/AFFIRM or NOAFFIRM), fallback to async | None (if standby available) | Medium (minimal with NOAFFIRM) | Standby redo logs |
| Maximum Performance | Asynchronous (ASYNC/NOAFFIRM) | Possible | Low (no commit delay) | None beyond basic config |
Operational Processes
Redo Transport and Apply Services
Oracle Data Guard relies on redo transport services to ship redo data from the primary database to one or more standby databases, ensuring data synchronization across the configuration. Redo transport operates in two primary modes: synchronous (SYNC), where the primary database waits for acknowledgment from the standby before committing transactions, providing zero data loss potential but with higher latency; and asynchronous (ASYNC), which allows commits without waiting for remote acknowledgment, minimizing impact on primary performance at the risk of some data loss during outages.[20][20] The transport process uses dedicated services, including the Log Writer (LGWR) process on the primary for real-time shipping of redo streams, which supports both SYNC and ASYNC modes for lower latency, or the Archiver (ARCH) process for batched shipping of archived redo logs after a log switch, suitable for less demanding environments. LGWR-based transport fills a network buffer and transmits redo as it is generated, while ARCH waits for log completion, potentially introducing delays but reducing primary overhead. Data Guard also supports redo compression to reduce network bandwidth usage and encryption via Transparent Data Encryption (TDE) to secure data in transit, configurable through theCOMPRESSION=ENABLE and ENCRYPTION=ENABLE attributes in the LOG_ARCHIVE_DEST_n parameters. Real-Time Apply protocol enhances transport by enabling continuous redo streaming to the standby redo log without waiting for full archive log creation.[21][22][20]
On the standby side, apply services process the received redo to maintain consistency. For physical standby databases, Redo Apply uses managed recovery operations, applying redo through the Media Recovery Process (MRP) to replay changes block-for-block, supporting real-time application for minimal lag. Logical standby databases employ SQL Apply, powered by Oracle LogMiner, which extracts SQL statements from redo logs and executes them on the standby schema, allowing for ongoing database openness but skipping unsupported operations like certain DDL changes. Gap resolution mechanisms automatically detect and fetch missing archived redo logs via flashback query or direct transfer from the primary when network interruptions occur, preventing prolonged desynchronization.[23][24][25]
Monitoring redo transport and apply involves querying dynamic performance views such as V$DATAGUARD_STATS, which reports metrics like apply lag (time difference between primary commit and standby application) and transport lag (time for redo to reach the standby), along with overall status indicators for errors or delays. Transport status can also be checked via V$ARCHIVE_DEST_STATUS to verify shipping success and destination validity.[26][27]
Best practices for redo transport emphasize tuning for low latency by sizing standby redo logs to match or exceed primary online redo logs, enabling LGWR ASYNC on high-bandwidth networks to achieve near-zero data loss without performance penalties, and configuring multiple transport destinations for redundancy. To handle transport faults, implement automatic gap resolution and monitor for buffer overflows by adjusting NET_TIMEOUT parameters; for SYNC modes, use Far Sync instances on low-latency networks to offload acknowledgment without compromising primary throughput.[28][29][30]
In 2025, Oracle introduced redo decryption capabilities in Data Guard for hybrid cloud disaster recovery scenarios within Oracle Cloud Infrastructure (OCI), allowing encrypted redo from on-premises primaries to be decrypted and applied on encrypted cloud standbys without key synchronization, simplifying cross-environment protection.[31][32]
Role Transitions and Procedures
Role transitions in Oracle Data Guard enable the seamless shift of database roles between primary and standby databases to maintain high availability and ensure business continuity. These transitions include planned operations like switchover, which reverse roles without data loss, and unplanned operations like failover, which activate a standby during primary failure. Prerequisites for both typically require the standby to have minimal redo apply lag, ensuring synchronized states before proceeding. The Data Guard Broker automates these processes, simplifying execution through command-line interfaces.[33] Switchover is a planned role reversal where the primary database transitions to a standby role, and a target standby becomes the new primary, guaranteeing no data loss. This operation is ideal for maintenance, testing, or load balancing, as both databases remain available throughout. Using SQL commands, the process begins on the primary by verifying the standby's readiness withSELECT SWITCHOVER_STATUS FROM V$DATABASE;, followed by ALTER DATABASE COMMIT TO SWITCHOVER TO PHYSICAL STANDBY; to initiate the transition. On the standby, ALTER DATABASE COMMIT TO SWITCHOVER TO PRIMARY; completes the role change, after which the new primary is opened read-write. The Data Guard Broker streamlines this with the SWITCHOVER TO <standby_db_unique_name>; command from DGMGRL, handling validation, role changes, and redo transport reconfiguration automatically. Post-switchover tasks include updating client connections and verifying redo apply on the new standby.[33]
Failover occurs when the primary database fails unexpectedly, activating a standby as the new primary to minimize downtime. Unlike switchover, failover is one-way and may involve data loss depending on the type: complete failover applies all available redo for zero loss if possible, while immediate (or abort) failover skips remaining redo for faster activation at the cost of potential loss. To perform a complete failover manually, connect to the standby and check status with SELECT DATABASE_ROLE, OPEN_MODE FROM V$DATABASE;, stop managed recovery with ALTER DATABASE RECOVER MANAGED STANDBY DATABASE CANCEL;, and activate with ALTER DATABASE COMMIT TO SWITCHOVER TO PRIMARY;, followed by ALTER DATABASE OPEN;. For immediate failover, use ALTER DATABASE ACTIVATE PHYSICAL STANDBY; after canceling recovery. The Broker facilitates this via FAILOVER TO <standby_db_unique_name>; for complete or FAILOVER IMMEDIATE; for abort, including automatic validation and post-activation steps like reinstating the old primary if feasible. After failover, administrators must reconfigure the environment, such as rebuilding the failed primary as a new standby.[33]
Reinstatement restores a failed primary database as a standby after failover, preserving the Data Guard configuration without full recreation. This is commonly achieved using Flashback Database if enabled on the original primary, allowing it to rewind to a point before the failure using flashback logs. The process requires determining the current SCN on the new primary with SELECT CURRENT_SCN FROM V$DATABASE;, then on the failed database, mounting it and issuing FLASHBACK DATABASE TO SCN <scn_value>; followed by ALTER DATABASE CONVERT TO PHYSICAL STANDBY;. Redo apply is then started with ALTER DATABASE RECOVER MANAGED STANDBY DATABASE DISCONNECT FROM SESSION;. The Broker automates reinstatement with the REINSTATE DATABASE <old_primary_db_unique_name>; command, verifying flashback eligibility and integrating it back into the configuration. If Flashback is unavailable, reinstatement involves creating a new standby from backups, which is more time-consuming.[33]
In Oracle Database 26ai, role transitions for pluggable databases (PDBs) in Data Guard environments are simplified at the PDB level, allowing independent switchovers and failovers without affecting the entire container database (CDB). Using the Data Guard Broker, administrators execute SWITCHOVER TO PLUGGABLE DATABASE <pdb_name> AT <db_unique_name>; to reverse roles between source and target PDBs, with the Broker managing validation, closure of the source PDB, role conversion, and recovery startup on the new target. This PDB-specific approach ensures minimal disruption and supports granular high availability.[34]
Advanced Features
Active Data Guard
Active Data Guard is a licensed option for Oracle Database Enterprise Edition that extends the capabilities of physical standby databases by allowing them to remain open in read-only mode while continuously applying redo data from the primary database. This feature enables real-time data synchronization and querying on the standby without interrupting the redo apply process, providing a synchronized replica for disaster recovery and high availability. Introduced in Oracle Database 11g, it requires the Active Data Guard license and is specifically designed for physical standby configurations.[35] The primary benefits of Active Data Guard include offloading read-only workloads, such as reporting, analytics, and backups, from the production primary database to the standby, thereby improving overall system performance and resource utilization. It also facilitates automatic block repair, where the standby can detect and repair corrupted blocks on the primary by fetching valid blocks from its own copy, enhancing data integrity. Additionally, it supports real-time data validation and reduces planned downtime through rolling upgrades, allowing the standby to serve queries during maintenance on the primary. These advantages maximize the return on investment for standby hardware that would otherwise remain idle.[35] To set up Active Data Guard, first ensure the physical standby database is created and synchronized using standard Data Guard redo transport services, with the database in mounted state and ARCHIVELOG mode enabled. Then, issue the SQL commandALTER DATABASE OPEN READ ONLY; to open the standby in read-only mode. To resume redo apply concurrently, execute ALTER DATABASE RECOVER MANAGED STANDBY DATABASE DISCONNECT FROM SESSION; (or USING CURRENT LOGFILE for real-time apply). This process requires Oracle Database 11g or later and the Active Data Guard license; the Data Guard Broker can simplify management by automating these steps. Once enabled, the standby integrates seamlessly with physical standby configurations for ongoing operations.[35]
With Active Data Guard enabled, queries on the standby return committed data as of the point when the database was opened in read-only mode, updated in real-time as redo is applied, ensuring consistency with the primary database with minimal lag. The apply process runs in the background, using parallel redo apply for performance, and users can monitor synchronization via views like V$DATAGUARD_STATS. This real-time query capability allows applications to access up-to-date data without impacting the primary.[35]
Limitations of Active Data Guard include the inability to perform DML operations directly on the standby, as it remains read-only; any write attempts must be redirected to the primary. There may be performance overhead on the standby due to concurrent query and apply activities, particularly with high transaction volumes, and it is restricted to physical standby databases—logical standbys use separate apply mechanisms. NOLOGGING operations on the primary can cause gaps that require manual intervention unless configured otherwise.[35]
Data Guard for Pluggable Databases
Oracle Data Guard for Pluggable Databases (DGPDB) extends the core Data Guard functionality to the multitenant architecture, enabling protection at the individual pluggable database (PDB) level within container databases (CDBs). This feature allows per-PDB redo transport and apply services, where redo data from a source primary PDB is shipped to a target standby PDB independently of other PDBs in the same CDB. Introduced as a preview in Oracle Database 21c, DGPDB achieved full production support in Oracle Database 23ai, with further enhancements in Oracle AI Database 26ai (October 2025), providing high availability and disaster recovery without requiring separate CDB instances for each PDB.[36] Setup for DGPDB in Oracle Database 23ai and later versions, including 26ai, includes simplified validation processes to ensure compatibility between source and target PDBs, automatic addition of temporary files during configuration, and support through the Database Configuration Assistant (DBCA) for creating and cloning PDBs in Data Guard environments. These enhancements reduce manual intervention and configuration errors, allowing administrators to establish protection for specific PDBs while keeping the CDB in read-write mode. The Data Guard Broker facilitates this by providing visibility into PDB-specific configurations during setup.[3] Operations in DGPDB support independent switchover and failover at the PDB level, enabling role transitions for a single PDB without impacting others in the CDB; for instance, a PDB can switch roles with minimal downtime using broker commands likeSWITCHOVER PDB. Standby PDBs can be opened in read-only mode for offloading queries, enhancing reporting capabilities. Role transitions are adapted to preserve per-PDB protection levels during these operations.
This granular protection is ideal for consolidated environments, such as those hosting multiple applications in a single CDB, where tailored disaster recovery strategies per PDB optimize resource use and minimize blast radius during failures. For example, critical PDBs can maintain maximum protection modes while less sensitive ones use asynchronous transport.[37][3]
In 2025 updates aligned with Oracle AI Database 26ai enhancements, new DBMS_DG PL/SQL APIs were introduced to automate common PDB management tasks, such as initiating switchovers and monitoring apply lag at the PDB level. Additionally, integration with Oracle GoldenGate enables per-PDB capture for heterogeneous replication, supporting seamless redo handling during role transitions.[17][3]
Far Sync
Far Sync is an advanced Oracle Data Guard feature that uses a lightweight Oracle database instance to forward redo data synchronously from the primary database to remote standby databases, enabling zero data loss (maximum protection mode) over long distances without impacting primary performance due to network latency. Introduced in Oracle Database 12c, it requires an Active Data Guard license and acts as an intermediate sync point, receiving redo via SYNC transport and relaying it asynchronously to standbys. This configuration supports up to 30 standbys and integrates with the Data Guard Broker for automated management. Far Sync instances have minimal resource requirements, typically running on low-end hardware near the primary for optimal latency reduction.[38]Fast-Start Failover and Integrations
Fast-Start Failover (FSFO) is an Oracle Data Guard feature that enables automatic failover from a primary database to a synchronized standby database upon detection of a primary outage, minimizing downtime without requiring manual intervention.[39] The process relies on the Data Guard broker to manage the failover, using role transitions to convert the standby into the new primary while ensuring data consistency based on the configured protection mode.[3] FSFO setup requires enabling the broker, designating a target standby, and configuring an observer process, with failover thresholds such as a default 30-second delay to avoid premature actions during transient issues like network lags exceeding that duration.[40] The observer is a lightweight, independent process running on a separate host from the primary and standby databases, continuously monitoring their health via the broker'sdbms_drs interface.[39] If the primary becomes unresponsive beyond the FastStartFailoverThreshold (typically set to 6-15 seconds in optimized configurations), the observer initiates the failover to the target standby, ensuring isolation from site-specific failures by being located at a third site.[39] This setup supports both physical and logical standbys, with automatic reinstatement of the former primary as a standby post-failover if Flashback Database is enabled.[40]
Oracle Data Guard integrates seamlessly with Oracle Real Application Clusters (RAC) to support active-active configurations, where both primary and standby can be RAC-enabled for enhanced scalability and availability during failover.[3] It also works with Recovery Manager (RMAN) to offload backups from the primary to the standby database, reducing resource impact on production while maintaining recovery point objectives.[3] Flashback Database integration allows quick reinstatement of a failed primary as a standby after FSFO, enabling rapid recovery from human errors or corruptions without full rebuilds.[3] Additionally, Data Guard complements the Zero Data Loss Recovery Appliance (ZDLRA) by forwarding redo logs for centralized, incremental backups, offloading recovery validation and merging processes to enhance overall data protection efficiency.[3]
In 2025, Oracle Cloud Infrastructure (OCI) introduced Full Stack Disaster Recovery templates that standardize scripts for automating switchover, failover, and drill operations in manually configured Data Guard environments, supporting services like Base Database and Exadata deployments.[41] Nutanix Database Service (NDB) version 2.9 added native support for Oracle Data Guard, enabling one-click provisioning of DR topologies including cascaded standbys and RAC configurations, with automated monitoring of redo lag and protection modes like Maximum Availability.[42]
FSFO significantly reduces mean time to recovery (MTTR) to seconds by automating detection and execution, though it requires an Active Data Guard license for full functionality in read-only standby scenarios during normal operations.[39]