Exchange 2010 Single Item Recovery Architecture
Any application that you and I work on is, at the end of the day, an application, and nothing guarantees 100% uptime. The reasons range from software and hardware failure, physical and logical corruption, and administration errors to compliance restrictions. Since we cannot predict every possible scenario, what we all do is take a “backup”. E2010 follows the same lines.
So as an Exchange Admin, you should visualize the wider spectrum of backup: why you should and how you could!
Why you should!
Backup is needed to preserve the messaging infrastructure. It plays a crucial role when your server malfunctions and users are unable to send and receive mail, because it enables you to quickly restore services to normal operation.
Motivations to perform backup:
Server Crash: “DR”. In this typical scenario, where your Exchange server has crashed, a backup helps you restore your server configuration and user data faster.
DB Corruption: “Point in time copy”
We need to draw the thin line between Dumpster 1.0 and Dumpster 2.0 to understand “S.I.R” in depth.
I want to go with the bottom-to-top approach. This is for all new fellas to Exchange, so let’s first understand what Dumpster is all about!
Being a normal user of Outlook (meaning I dunno anything about Exchange), my activities remain primarily “reading and responding” to my mails. When I sense a mail wouldn’t add much value later, I delete it, and if I sense a particular mail may be useful later, I store it safely or let it be in my inbox until I am hit by space challenges.
Now when I delete a mail, where does it go? It goes to “Deleted Items”. Unless I delete the mail from this folder, or SHIFT+DEL it in the first place, I still have a copy of it. So where does a mail go when I delete it from “Deleted Items” or SHIFT+DEL it?
It goes to a folder called “Dumpster”. This isn’t visible to us, meaning it doesn’t exist in the Outlook interface, and neither is it the “Deleted Items” content. It keeps all mails that have been removed from the mailbox completely, for a retention period defined by an Exchange Admin. To make it more precise, Dumpster is a special folder where your deleted items from Outlook are kept for a retention period.
How does this Dumpster Work?
The latest version of Dumpster is Dumpster 2.0 and the older one was Dumpster 1.0. Let’s now dig into what each does.
Dumpster 1.0 (E2003 and E2007)
Let’s assume that Dumpster received a mail upon your deletion. Dumpster 1.0 marks the mail with a “ptagDeletedOnFlag” flag attribute. Note the flow: if you just delete a mail, it goes to “Deleted Items”, and once it is deleted from there, it is entered in Dumpster with the flag. However, if you Shift+Del a mail, it is entered straight into Dumpster with the flag.
So this means your “Recover Deleted Items” option in the “Tools” menu in Outlook works only after mails have been deleted permanently; otherwise it is grayed out, as shown below.
As an Exchange Admin, what you need to focus on here is that you can set a registry key to let users access Recover Deleted Items from the Dumpster in a directory called “Dumpster Always On” on user profiles.
The issues with Dumpster 1.0 were found as below
Non-Customizable: It is basically a view stored as a “folder”. You cannot use search, index or move mailbox with it.
Deletion Access Challenges: There is no possible way to prevent a user from deleting items from Dumpster. This could often lead to compliance and security issues, as users could maliciously make use of email conversations.
Time Stamp: What if a user needs a mail that is beyond the retention defined by the Exchange Admin?
Calendar/Contacts: Nothing addresses your deleted calendar items and contacts.
Now Dumpster 2.0 comes into the picture (E2010 onwards). Dumpster 2.0 is a redesign of Dumpster 1.0 that attempts to address the existing challenges. The action items worked out through it are as below
It will be possible to use index
It will be possible to search
Dumpster data will move with mailbox
Dumpster data will have quota
It will be per mailbox and not per folder
How does Dumpster 2.0 work?
This does not use the “ptagDeletedOnFlag” flag attribute. Instead, it moves the deleted items to a new folder termed “Recoverable Items” in the Non-IPM (Non-Interpersonal Messaging) subtree of the user’s mailbox, with three defined sub-folders, described below.
Using MFCMAPI in E2010, you can open the mailbox and view the Recoverable Items as shown below.
Deletions: This is where your mails go when they are deleted from “Deleted Items” or with Shift+Del.
Purges: With Dumpster 1.0, a user had the access to delete items from “Recover Deleted Items” too, which meant users could use it against compliance standards. Now, when a user deletes a mail from “Recover Deleted Items” (that is, the Deletions folder in Dumpster 2.0), it goes to “Purges”. Nothing further can be done with it from there: it cannot be recovered from the client side, but an admin can still recover it using MAPI.
Versions: When an item gets changed, this folder will perform a “copy-on-write” of the original item. This includes all changes to the body, subject, sender and receiver, but it is not captured for drafts.
Dumpster 2.0 works in two modes with the aim of retaining data
Short-term preservation of data (single item recovery)
Long-term preservation of data (legal hold)
Single Item Recovery:
Enabled per mailbox, disabled by default
Set-Mailbox UserA -SingleItemRecoveryEnabled $true
Recoverable items folder quota defaults
20 GB Warning Quota – items begin to be deleted (FIFO)
30 GB Quota – recoverable items folder full
Retention duration is configured per mailbox or per database
Set-Mailbox UserA -RetainDeletedItemsFor 90 -UseDatabaseQuotaDefaults $false
Set-MailboxDatabase DB1 -DeletedItemRetention 30
The flow of the functioning is as illustrated below.
Okay, we can relate to all of this very well now. You may now ask me one question: “What’s so special about this Single Item Recovery feature, when Outlook has an option called “Recover Deleted Items”, through which I could still recover my mail?”
To answer this query, all I can say is that a user’s intentions could differ. He could actually delete a mail “intentionally” or “unintentionally”, and also delete it from his “Recover Deleted Items” as well. There is no possible way that you, as an admin, can recover that mail. With S.I.R enabled, it is possible to recover any deleted item within the defined retention window.
In my language, I would term Single Item Recovery as a “proscribed mechanism for legal clutch“.
ATTENTION: This is the best part. If you wonder whether you may require some “additional storage” for this feature, YOU DON’T! When you calculate your storage requirements for an E2010 server, this feature is already included in that (it’s on by default).
Usually the storage and Exchange architects do this calculation whilst analysing your storage for E2010.
RECOVERING THROUGH S.I.R
I spoke earlier about configuring S.I.R; I will now cover “Recovering through S.I.R”.
To recover through the S.I.R feature, you first need to have “mailbox search” configured. This is fairly simple, so I won’t discuss it. After configuring “mailbox search”, you have to use the “Discovery Search Mailbox” to restore the items to the correct mailbox.
Now let me talk a little about the “Discovery Search Mailbox”, as this needs to be well understood to appreciate recovery through S.I.R.
E2010 creates the “Discovery Search Mailbox” by default; it is the destination mailbox for your Exchange Control Panel searches.
Some key features of the “Discovery Search Mailbox”
You can create additional Discovery Search Mailboxes and remove them as well, similar to your other mailboxes.
You can’t convert this mailbox into some other type of mailbox.
The user account (meaning the associated AD account) of the Discovery Search Mailbox is disabled by default.
You can’t send mails to this mailbox (admin enables this by delivery restrictions).
By default your storage quota in the Discovery Search Mailbox is 50 GB (editable, defined by the admin).
For a small to medium range organization, the Discovery Search Mailbox created by E2010 by default does suffice. In an enterprise organization, you would have to create multiple Discovery Search Mailboxes, as searches would be performed frequently.
Creating a new Discovery Search Mailbox:
It’s the same as creating a mailbox; you just additionally add the “Discovery” switch
New-Mailbox "Discovery Mailbox A" -UserPrincipalName discoverymailboxA@domain.local -Discovery
Once you have created it, the aspect of “ACCESS” comes in, and this is where your S.I.R marks its entry. Defining the access is quite simple: right-click on your mailbox and select “Manage Full Access Permission”.
NOTE: Nobody can access the Discovery Search Mailbox unless the admin has given Full Access Permission.
Okay, we have created the new Discovery Search Mailbox, now let’s cross check once, if all access rights are perfect!!!!!
Full Access Permission on Discovery Search Mailbox (to access it)
Full Access Permission on user mailbox to open Discovery Search Mailbox (to restore items)
Most important of all, you also need a defined role for searching in ECP. To define this role, use the cmdlet below
New-ManagementRoleAssignment -Role "Mailbox Search" -User <account>
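Because these grants decide who can read purged and held mail, it is worth reviewing them periodically. The following is an added example, not part of the original post, that lists the effective holders of the “Mailbox Search” role and the explicit Full Access grants on every discovery mailbox. It assumes it is run in the Exchange Management Shell; it does not cover the per-user-mailbox Full Access grant.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.

# 1. Everyone who effectively holds the "Mailbox Search" role, with role
#    groups expanded to their individual members.
Get-ManagementRoleAssignment -Role "Mailbox Search" -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType, Enabled |
    Sort-Object EffectiveUserName |
    Format-Table -AutoSize

# 2. Explicit (non-inherited) Full Access entries on every discovery mailbox.
#    The Deny column is shown so that deny entries are not mistaken for grants.
Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited |
    ForEach-Object {
        Get-MailboxPermission -Identity $_.Identity |
            Where-Object {
                ($_.AccessRights -like '*FullAccess*') -and
                ($_.IsInherited -eq $false) -and
                ($_.User -notlike 'NT AUTHORITY\SELF')
            }
    } |
    Format-Table Identity, User, AccessRights, Deny -AutoSize
```

Any account that appears in both lists can run a search and open its results, so each entry should map to a named, approved person.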
With the three access rights mentioned above in place, we are all set, and you should now define the SEARCH criterion in your ECP.
By default you can do the SEARCH for emails (Not calendars/contacts) only and you would have it appear like below
Now if you would wish to have it restored in all, then define the SEARCH as SEARCH ALL MESSAGE TYPE as shown below.
Now comes the question of retrieving the item. You could use the Export-Mailbox cmdlet to get the item, but the problem here is that you have to “know the exact folder names”. An alternative is to have an Outlook profile (connected, obviously, to both your Discovery Search Mailbox and your target user mailbox) configured to copy the mails from Recover Deleted Items to a folder you want or to the original folder.
SINGLE ITEM RECOVERY = NO EXCHANGE BACKUPS???
After all this heavy-duty discussion, do you think “Single Item Recovery can mean we don’t require backups in Exchange 2010”?
Certainly not. What I would say is that it can dramatically reduce the frequency of backups. S.I.R. reduces the cost of the solution by providing options for fewer backups. Traditional backups (point-in-time backups) will still be useful, because with S.I.R the original folder information is not preserved in the Recoverable Items folder.
What S.I.R does is route the mails to their respective folders: Deletions, Purges or Versions. Imagine a user deleting 10000 mails (in 10 different folders) in one shot when he is forced to free up space on his mailbox. I don’t mean to say S.I.R wouldn’t help in recovering these mails, but recovering them without the folder information would, needless to say, be a big challenge.
Now let’s discuss Legal Hold. It’s enabled per mailbox, disabled by default
You can enable it with:
Set-Mailbox UserA -LitigationHoldEnabled $true
Can notify the user that litigation hold has been enabled within Outlook 2010
Set-Mailbox UserA -RetentionURL <legal URL>
Set-Mailbox UserA -RetentionComment <legal note>
Recoverable items folder quota defaults
20 GB Warning Quota – application event is logged
30 GB Quota – recoverable items folder full
Now, if we check the process flow of Legal Hold, it is very similar to Single Item Recovery. If you refer to the previous diagram of the S.I.R process flow, Legal Hold is the same up to Step 5. In step 6 of Legal Hold, messages are not purged from the system even beyond the defined retention window.
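To see how the per-mailbox settings for Single Item Recovery and Legal Hold described above are actually applied, the following added example (not part of the original post) reports each user mailbox's settings next to the size of its Recoverable Items folders, then lists mailboxes with neither feature enabled. It assumes it is run in the Exchange Management Shell; `$report` is a name chosen for this example.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# One row per Recoverable Items folder (root, Deletions, Purges, Versions),
# with the owning mailbox's recovery settings alongside.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope RecoverableItems |
        Select-Object @{n='Mailbox';               e={ $mbx.Name }},
                      @{n='SIR';                   e={ $mbx.SingleItemRecoveryEnabled }},
                      @{n='LitigationHold';        e={ $mbx.LitigationHoldEnabled }},
                      @{n='RetainDeletedItemsFor'; e={ $mbx.RetainDeletedItemsFor }},
                      @{n='UsesDbQuotaDefaults';   e={ $mbx.UseDatabaseQuotaDefaults }},
                      @{n='WarningQuota';          e={ $mbx.RecoverableItemsWarningQuota }},
                      @{n='Quota';                 e={ $mbx.RecoverableItemsQuota }},
                      @{n='Folder';                e={ $_.Name }},
                      @{n='Items';                 e={ $_.ItemsInFolderAndSubfolders }},
                      @{n='Size';                  e={ $_.FolderAndSubfolderSize }}
}

# Folder sizes next to the settings that govern them.
$report | Sort-Object Mailbox, Folder |
    Format-Table Mailbox, Folder, Items, Size, SIR, LitigationHold,
                 RetainDeletedItemsFor, WarningQuota, Quota -AutoSize

# Mailboxes with neither Single Item Recovery nor Legal Hold enabled:
# per the text above, a mail the user removes from "Recover Deleted Items"
# in these mailboxes cannot be recovered by the admin.
$report | Where-Object { -not $_.SIR -and -not $_.LitigationHold } |
    ForEach-Object { $_.Mailbox } |
    Sort-Object -Unique
```

When UsesDbQuotaDefaults is True, the effective quota values come from the mailbox database rather than from the mailbox columns shown here.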
As always at the edge of improvisation, Microsoft has worked on the backup challenges in E2010 through Single Item Recovery. It has indirectly addressed
Time and effort involved in recovery through Traditional Backups
Minimized Data Loss further
Finally, money as well
What I would like to conclude with is: “If” storage is planned properly, designed properly and implemented correctly (keeping S.I.R active and mailbox resiliency features active), backups would remain the call for DR only.