Exchange 2013 In-Place Hold and In-Place eDiscovery (Part 2)

Placing mailboxes on In-Place Hold

In order to be able to place mailboxes on In-Place Hold, authorized users have to be added to the Discovery Management role-based access control (RBAC) role group or assigned the Legal Hold and Mailbox Search management roles. RBAC allows administrators to delegate this task to records managers, compliance officers or attorneys in the organization's legal department, while assigning the least privileges.

While in Exchange 2010, the Legal Hold role gave users sufficient permissions to place mailboxes on litigation hold, in 2013 this same role allows users to place mailboxes on an indefinite or time-based In-Place Hold. However, because query-based in-place hold is based on a search, users must be assigned the Mailbox Search role as well. Alternatively, they can be added to the Discovery Management role group which contains both these roles.
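The delegation described above, with a check of who effectively holds the two roles, as an added example that is not part of the original article. The delegate account is a hypothetical placeholder, and the script assumes it runs in the Exchange 2013 Management Shell.

```powershell
# Added example: requires the Exchange Management Shell (Exchange 2013).
# Hypothetical account used for illustration only.
$delegate = 'compliance.officer@letsexchange.com'

# Grants both Legal Hold and Mailbox Search through the built-in role group.
Add-RoleGroupMember -Identity 'Discovery Management' -Member $delegate

# Audit: every effective holder of either role and how they obtained it.
# Delegating-only assignments are excluded because they do not grant use
# of the role itself.
$roles = 'Legal Hold', 'Mailbox Search'
$holders = foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -Delegating $false |
        Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
        ForEach-Object {
            [pscustomobject]@{
                User = $_.EffectiveUserName
                Role = $role
                Via  = $_.RoleAssigneeName
            }
        }
}

$holders | Group-Object User | ForEach-Object {
    $held = @($_.Group.Role | Sort-Object -Unique)
    [pscustomobject]@{
        User           = $_.Name
        Roles          = $held -join ', '
        GrantedVia     = @($_.Group.Via | Sort-Object -Unique) -join ', '
        # Query-based holds need both roles; Legal Hold alone only covers
        # indefinite and time-based holds.
        QueryBasedHold = ($held.Count -eq $roles.Count)
    }
} | Sort-Object User | Format-Table -AutoSize
```

Reviewing this output periodically shows whether hold and search rights have spread beyond the records managers, compliance officers or attorneys they were meant for.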

Placing a mailbox on In-Place Hold is very different from Exchange 2010 when using the Exchange Management Shell. In Exchange 2010, an administrator would run the following cmdlet to put the mailbox of Nuno Mota in Litigation Hold:

Set-Mailbox nunom@letsexchange.com -LitigationHoldEnabled $True

In Exchange 2013, In-Place Hold is further integrated with In-Place eDiscovery searches. In order to place a mailbox on In-Place Hold, administrators can use the In-Place eDiscovery & Hold wizard in the EAC or the New-MailboxSearch cmdlet in the Shell. The following example places all contents in the mailbox on hold by not specifying a search query, which accomplishes similar results as litigation hold in Exchange 2010:

New-MailboxSearch "Hold-Nuno" -SourceMailboxes "nunom@letsexchange.com" -InPlaceHoldEnabled $True

The next example creates both a Query-based and a Time-based In-Place Hold for the mailbox of Nuno and holds every e-mail, meeting or IM that contains the keywords Disciplinary and Redundancy for 6 months:

New-MailboxSearch "Hold-DisciplinaryRedundancy" -SourceMailboxes "nunom@letsexchange.com" -InPlaceHoldEnabled $True -ItemHoldPeriod 182 -SearchQuery '"disciplinary" AND "redundancy"' -MessageTypes Email, Meetings, IM

Note that the SourceMailboxes parameter accepts one or more mailboxes, including distribution lists. If it is not specified, all mailboxes in the Exchange 2013 organization are searched, but to enable In-Place Hold you must use this parameter.

The MessageTypes parameter specifies the message types to include in the search. These can be one or more of the following: Email, Meetings, Tasks, Notes, Docs, Journals, Contacts or IM. If this parameter is not specified, all message types are included.

Litigation Hold in Exchange 2013 and Exchange Online

If you tried placing a mailbox on Litigation Hold using the EAC or the Shell, both the interfaces displayed an alert message with a recommendation to switch to the new In-Place Hold feature. This recommendation was also reflected in the product documentation.


Figure 1

However, according to Microsoft itself, it does not plan to remove Litigation Hold from Exchange Online or Exchange 2013 and this alert has been removed from Exchange Online and Exchange 2013 SP1. The recommendation from Exchange Online and Exchange 2013 documentation has also been removed.

So which feature should I use? You can use either hold feature to preserve mailbox data in Exchange 2013 and Exchange Online, based on your preservation needs. Here are some scenarios to help you choose between the two holds:

| You want to… | Use Litigation Hold | Use In-Place Hold |
|---|---|---|
| Preserve all items in a mailbox | Yes | Yes. To preserve all items, don’t specify any query parameters. |
| Preserve all items in a mailbox for a specific duration | Yes. Specify the LitigationHoldDuration parameter for the mailbox using the Shell. | Yes. Create a time-based In-Place Hold. Specify the duration in the In-Place Hold settings in EAC or the ItemHoldPeriod parameter from the Shell. |
| Preserve items matching query parameters | No. Litigation Hold preserves all items. | Yes. Create a query-based In-Place Hold. Specify query parameters such as start date, end date, sender, recipients and keywords. |
| Specify types of items to preserve (such as e-mail, calendar, notes) | No. Litigation Hold preserves all items. | Yes. You can use the EAC or the MessageTypes parameter from the Shell. |
| Specify hold settings for members of a distribution group | Yes. Use the Get-DistributionGroupMember cmdlet in the Shell to pipe distribution group members to the Set-Mailbox cmdlet. (1) | Yes. Easily specify distribution groups in the In-Place eDiscovery and Hold wizard in the EAC or in the SourceMailboxes parameter in the Shell. (2) |
| Max users on hold | No. Litigation Hold is a mailbox parameter. No maximum limits apply. You can use the Shell to quickly place all users in an organization on hold. | You can specify a maximum of 5000 users per In-Place Hold object. To place additional users on hold, you must create another hold. |
| Place multiple holds on a mailbox | No | Yes. You can place a user on multiple In-Place Holds, for example when a user is subject to multiple investigations or legal cases. |
| Make mailboxes inactive to preserve data in Exchange Online | Yes | Yes |

Table 1

1 Distribution group is expanded when you run the command. Future changes to the group require running the command again.

2 Distribution groups are expanded only when you create or refresh the In-Place Hold. Future changes to the group require refreshing the search object.

Recoverable Items Folder

The Recoverable Items folder replaces what was previously known as the Dumpster. It is used by In-Place Hold and Litigation Hold to preserve items. When a user deletes an e-mail from a folder other than the Deleted Items folder, it is moved to the Deleted Items folder. When a user soft deletes an item (by pressing the SHIFT and DELETE keys) or deletes an item from the Deleted Items folder, the message is moved to the Recoverable Items folder, thus disappearing from the user’s view.

The Recoverable Items folder contains the following subfolders:

  • Deletions - items removed from the Deleted Items folder or soft-deleted from other folders are moved to this subfolder and are visible to the user when using the Recover Deleted Items feature in Outlook and OWA. By default, items reside in this folder until the deleted item retention period configured for the mailbox database or the mailbox expires;
  • Purges - when users delete an item from the Recoverable Items folder (by using the Recover Deleted Items tool), the item is moved to the Purges folder. Items that exceed the deleted item retention period are also moved to the Purges folder. Items in this folder are not visible to users if they use the Recover Deleted Items tool. When the mailbox assistant processes the mailbox, items in the Purges folder are purged from the mailbox database unless the mailbox is on hold;
  • DiscoveryHold - if a mailbox is placed on hold, deleted items are moved to this folder. When the mailbox assistant processes the mailbox, it evaluates items in this folder. Items matching the In-Place Hold query are retained indefinitely, until the hold period specified in the query expires, or until the mailbox is removed from hold;
  • Versions - when a mailbox is placed on hold, items must be protected from modification. This is accomplished using a copy-on-write process. When a user or a process changes certain properties of an item (such as subject, body, attachments or senders/recipients for example), a copy of the original item is saved in the Versions folder before the change is committed. The process is repeated for subsequent changes. Items captured in the Versions folder are also indexed and returned in In-Place eDiscovery searches. After the hold is removed, copies in the Versions folder are removed by the Managed Folder Assistant;
  • Audits - if mailbox audit logging is enabled for a mailbox, this subfolder contains all the audit log entries;
  • Calendar Logging - this subfolder (not visible to users) contains calendar changes that occur within a mailbox when calendar logging is enabled.

All items in the Recoverable Items folder are indexed by Exchange Search and, therefore, are discoverable using In-Place eDiscovery. After a mailbox user is removed from In-Place Hold, items in the DiscoveryHold, Purges and Versions folders are purged by the Managed Folder Assistant.

Items in the Recoverable Items folder are retained for the deleted item retention period configured on the user’s mailbox or database (14 days by default). When an item is moved to the Recoverable Items folder, its size is deducted from the mailbox quota and added to the size of the Recoverable Items folder. Administrators can configure a storage quota for this folder in order to protect the organization from a potential Denial of Service attack due to rapid growth of the Recoverable Items folder and therefore the mailbox database. Mailbox databases have a configurable Recoverable Items warning quota (soft limit) of 20GB and a Recoverable Items quota (hard limit) of 30GB. By default, these limits are inherited by all mailboxes in the database.

When a user's Recoverable Items folder exceeds the warning quota for recoverable items, events 10023 and 10024 are logged in the Application event log of the Mailbox server. When the folder exceeds the quota for recoverable items, an event 10023 (with a different message) is also logged in the same Application event log. In this case, no more items can be stored in the folder. This impacts mailbox functionality in the following ways:

  • Mailbox users cannot delete items;
  • The Managed Folder Assistant cannot delete items based on retention tag or managed folder settings;
  • For mailboxes that have single item recovery or In-Place Hold enabled, the copy-on-write page protection process cannot maintain versions of items edited by the user;
  • For mailboxes that have mailbox audit logging enabled, no mailbox audit log entries can be saved in the Audits subfolder.

For mailboxes that are not placed on In-Place Hold, the Managed Folder Assistant automatically purges items from the Recoverable Items folder when the deleted item retention period elapses. If the folder reaches the Recoverable Items warning quota, the assistant automatically purges items in a First In, First Out (FIFO) order.

For the reasons above, it is critical to monitor Recoverable Items quotas for mailbox users placed on In-Place Hold.

If the mailbox is placed on In-Place Hold and the Recoverable Items folder is near its quota, you must reduce its size. To achieve this, you can use the Search-Mailbox cmdlet to copy messages from the Recoverable Items folder of a mailbox to a discovery mailbox, and then delete the items from the mailbox. Alternatively, you can raise the Recoverable Items quota for the mailbox. To check the Recoverable Items folder size for a particular mailbox, you can use the following cmdlet:

Get-MailboxFolderStatistics "Nuno Mota" -FolderScope RecoverableItems | Select Identity, FolderAndSubfolderSize

The following example permanently deletes items from Nuno’s Recoverable Items folder but first copies them to the Nuno-RecoverableItems folder in the Discovery Search Mailbox:

Search-Mailbox "Nuno Mota" -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder "Nuno-RecoverableItems" -DeleteContent

Note that you cannot use the EAC to configure recoverable items quotas for a mailbox or database. To modify the quota values for the Recoverable Items folder for a mailbox database, use the Set-MailboxDatabase cmdlet:

Set-MailboxDatabase DB01 -RecoverableItemsWarningQuota 40GB -RecoverableItemsQuota 50GB

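To modify these values for individual mailboxes, use the Set-Mailbox cmdlet and set UseDatabaseQuotaDefaults to $False so that the mailbox stops inheriting the quotas of its mailbox database:

Set-Mailbox nunom -RecoverableItemsWarningQuota 10GB -RecoverableItemsQuota 20GB -UseDatabaseQuotaDefaults $False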
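One way to carry out the quota monitoring called for above, as an added example that is not part of the original article: it reports every mailbox on Litigation Hold or In-Place Hold whose Recoverable Items folder has reached a chosen percentage of its effective warning quota. The 80% threshold is an assumption, as is the size parsing, which relies on the "(n bytes)" rendering of Exchange size values.

```powershell
# Added example: requires the Exchange Management Shell (Exchange 2013).
$ThresholdPercent = 80   # assumption: report at 80% of the warning quota

function ConvertTo-ByteCount([string]$Size) {
    # Sizes render as "20 GB (21,474,836,480 bytes)"; "Unlimited" returns $null.
    if ($Size -match '\(([\d,]+) bytes\)') { [int64]($Matches[1] -replace ',', '') }
}

$report = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled -or @($_.InPlaceHolds).Count -gt 0 } |
    ForEach-Object {
        $mbx = $_
        # Quotas come from the database unless the mailbox overrides them.
        $source = if ($mbx.UseDatabaseQuotaDefaults) {
            Get-MailboxDatabase -Identity "$($mbx.Database)"
        } else { $mbx }
        $warn = ConvertTo-ByteCount "$($source.RecoverableItemsWarningQuota)"
        $hard = ConvertTo-ByteCount "$($source.RecoverableItemsQuota)"

        # The root entry's FolderAndSubfolderSize covers Deletions, Purges,
        # DiscoveryHold, Versions and the other subfolders.
        $root = Get-MailboxFolderStatistics -Identity $mbx.DistinguishedName -FolderScope RecoverableItems |
            Where-Object { $_.FolderType -eq 'RecoverableItemsRoot' }
        $used = ConvertTo-ByteCount "$($root.FolderAndSubfolderSize)"

        [pscustomobject]@{
            Mailbox      = $mbx.PrimarySmtpAddress
            UsedGB       = [math]::Round($used / 1GB, 2)
            WarningGB    = if ($warn) { [math]::Round($warn / 1GB, 2) } else { 'Unlimited' }
            QuotaGB      = if ($hard) { [math]::Round($hard / 1GB, 2) } else { 'Unlimited' }
            PctOfWarning = if ($warn) { [math]::Round(100 * $used / $warn, 1) } else { $null }
        }
    }

# Mailboxes with an unlimited warning quota have no percentage and are skipped.
$report | Where-Object { $_.PctOfWarning -ge $ThresholdPercent } |
    Sort-Object PctOfWarning -Descending | Format-Table -AutoSize
```

Run on a schedule, this complements events 10023 and 10024, which are only logged once a quota has already been exceeded.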

In-Place Hold vs. Single Item Recovery vs. Retention Hold

Many administrators confuse In-Place Hold with Single Item Recovery and Retention Hold. However, they provide different functionalities and, therefore, are appropriate for some situations and not for others.

  • In-Place Hold - as explained before, is used during a lawsuit, investigation or similar events to preserve mailbox items from inadvertent or purposeful modification or deletion by a user and from automated deletion by retention policies. Until the hold is removed or expires, deleted items are not purged from the mailbox database and if a mailbox item is modified, a copy of the original item is also retained. These are returned in eDiscovery searches performed when the mailbox is on hold. Any retention policies applicable to the mailbox do not need to be suspended. Because messages continue to be deleted as expected, users may not notice they are on hold.
  • Single Item Recovery - preserves items that users purged from their Recoverable Items\Deletions as well as modified items until the deleted item retention period is reached (14 days by default). To the user the items will look purged, but they can still be recovered by an administrator.
  • Retention Hold - prevents retention policies from deleting or moving e-mails to the user’s personal archive for a period of time while the user is temporarily away from work (holidays, sabbatical leave, etc.). Note that this does not affect how mailbox quotas are processed. Deleted messages are not treated any differently when a mailbox is on Retention Hold.

Use the following table to help you make appropriate Hold and Recovery decisions:

| Feature | State | Soft-deleted items kept in the Recoverable Items folder? | Modified and hard-deleted items kept in the Recoverable Items folder? | User can purge items from the Recoverable Items folder? | MRM automatically purges items from the Recoverable Items folder? | Retention Policies applied? |
|---|---|---|---|---|---|---|
| Single Item Recovery | disabled | Yes | No | Yes | Yes, 14 days by default (120 days for calendar items) | Yes |
| Single Item Recovery | enabled | Yes | Yes | No | Yes, 14 days by default (120 days for calendar items) | Yes |
| In-Place Hold | enabled | Yes | Yes | No | No | Yes |
| Retention Hold | enabled | Yes | No | Yes | Yes, 14 days by default (120 days for calendar items) | No |

Table 2

Conclusion

In this second part of this article series, we had a look at how to place mailboxes on In-Place Hold and how this feature makes use of the Recoverable Items folder. In the next and final article, we will look at In-Place eDiscovery in Exchange 2013.

Nuno Mota

Nuno Mota is an Exchange MVP working as a Microsoft Messaging Specialist for a financial institution. He is passionate about Exchange, Lync, Active Directory, PowerShell, and Security. Besides writing his personal Exchange blog, LetsExchange.blogspot.com, he regularly participates in the Exchange TechNet forums and is the author of the book “Microsoft Exchange Server 2013 High Availability.”
