Exchange Archiving: On-Premises vs Cloud-Based (Part 5)

If you would like to be notified of when Rui Silva releases the next part in this article series please sign up to our MSExchange.org Real Time Article Update newsletter.


In-Place Hold and eDiscovery

Now that we have covered the setup process for both on-premises and cloud-based archives, let’s examine how to work with the other compliance mechanisms provided by Exchange Server 2013, specifically In-Place Hold and eDiscovery.

These features act on both mailboxes, primary and archive, and at the present time there’s no configuration setting to apply different policies to each of those mailboxes separately (although it’s possible to exclude the archive from a search).

  • In-Place Hold and litigation hold: When you put a mailbox on In-Place Hold or litigation hold, the hold is placed on both the primary and the archive mailbox.
  • In-Place eDiscovery: When a discovery manager performs an In-Place eDiscovery search, users’ archive mailboxes are also searched. There’s no option to exclude archive mailboxes when creating a discovery search from the Exchange Administration Center (EAC). When using the Exchange Management Shell to create a discovery search, you can exclude the archive by using the DoNotIncludeArchive switch.

Notice that, even if a user’s mailbox is put on litigation hold, he/she can still delete items and even purge them from the dumpster (at least he/she thinks it’s possible). What happens in the background is that Exchange moves the message to one of the Recoverable Items subfolders, as illustrated in the following picture:

Image
Figure 1: Recoverable Items subfolders (picture from TechNet)

The archive mailbox contains its own Recoverable Items folder and is subject to the same Recoverable Items folder quotas as the primary mailbox.

If a user under In-Place Hold deletes something from the Primary Mailbox or Online Archive, it goes to the corresponding Deleted Items folder, then to Deletions under Recoverable Items, and then to the DiscoveryHolds folder, where it stays for the duration of the retention period.

Items in the Recoverable Items folder aren’t calculated toward the user’s mailbox quota. In Exchange, the Recoverable Items folder has its own quota. For Exchange, the default values for the RecoverableItemsWarningQuota and RecoverableItemsQuota mailbox properties are set to 20 GB and 30 GB respectively. In Exchange Online, the quota for the Recoverable Items folder is automatically increased to 100 GB when you place a mailbox on Litigation Hold or In-Place Hold. If the Recoverable Items folder reaches or exceeds the 100 GB quota, you can contact Office 365 support to request an increase of the Recoverable Items quota for a mailbox on hold.

To create an In-Place-Hold (or Litigation Hold in this example) follow these steps:

  1. In Exchange admin center navigate to compliance management > in-place eDiscovery & hold (Figure 2) and click the plus sign (New).
  2. In the new in-Place eDiscovery & hold window (Figure 3), on the Name and description page, type a name for the search and an optional description, and then click next.

Image
Figure 2: In-place eDiscovery & hold

Image
Figure 3: New in-Place eDiscovery & hold

  3. On the Mailboxes page (Figure 4), click Specify mailboxes to search, click Add, select the mailboxes you want to place on hold, and then click next. You can’t select Search all mailboxes to place all mailboxes on hold.
  4. On the Search query page (Figure 5), either select Include all user mailbox content or define a Filter based on criteria, and then click next.

Image
Figure 4: Specify mailboxes to search

Image
Figure 5: Include all content

  5. On the In-Place Hold settings page (Figure 6), select the Place content matching the search query in selected mailboxes on hold check box and then select Hold indefinitely or Specify number of days to hold items relative to their received date. Click finish and wait for the Saving completed successfully message (Figure 7).

Image
Figure 6: In-Place Hold settings

Image
Figure 7: Operation complete

This In-Place Hold policy can also be created using PowerShell:

New-MailboxSearch "MI6 In-Place Hold (aka Litigation Hold)" -SourceMailboxes JamesB, Moneypenny -InPlaceHoldEnabled $true

After placing email data on hold, there will be a time when finding and recovering specific items will be needed. Exchange Server 2013 provides some easy and clever ways to do it.

If you want users to be able to use Microsoft Exchange Server 2013 In-Place eDiscovery, you must first authorize them by adding them to the Discovery Management role group. With the proper authorization in place, we can now create an eDiscovery search.

Creating an eDiscovery search is pretty much like creating the In-Place Hold. The main difference is that we don’t select the Place content matching the search query in selected mailboxes on hold check box in the end. As for the search query, Figure 8 gives a brief explanation of all the parameters you can use.

Image
Figure 8: Search query (picture from TechNet)

We can even use the same In-Place Hold query to preview search results. Choose Estimate search results from the magnifier icon dropdown box (Figure 9) and wait for the search to complete. Next, in the actions pane, select Preview search results and you’ll be presented with a small subset of the results (Figure 10).

Image
Figure 9: Estimate search results

Image
Figure 10: Preview search results
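
The authorization, search and estimate steps described above can also be run from the Exchange Management Shell, which is the only place the archive can be excluded from a search. This is an added example, not part of the original article; the account name M, the search name, the dates and the query are constructed for illustration.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# 'M', the search name, the dates and the query are constructed; JamesB and Moneypenny
# are the article's sample mailboxes.

# 1. Authorize the investigator for In-Place eDiscovery and confirm the membership.
Add-RoleGroupMember -Identity 'Discovery Management' -Member 'M'
Get-RoleGroupMember -Identity 'Discovery Management' | Format-Table Name, RecipientType

# 2. Define an estimate-only search: nothing is copied to a discovery mailbox and
#    no hold is placed. -DoNotIncludeArchive skips the archive mailboxes, which the
#    EAC wizard cannot do.
$searchName = 'MI6 eDiscovery estimate'
$search = @{
    Name                = $searchName
    SourceMailboxes     = 'JamesB', 'Moneypenny'
    SearchQuery         = 'subject:"Skyfall" AND from:JamesB'   # constructed query
    StartDate           = '01/01/2014'   # short date format of the regional settings
    EndDate             = '12/31/2014'
    EstimateOnly        = $true
    DoNotIncludeArchive = $true
}
New-MailboxSearch @search

# 3. Start the search and poll until it is no longer queued or running
#    (give up after about 10 minutes).
Start-MailboxSearch -Identity $searchName
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $result = Get-MailboxSearch -Identity $searchName
} while ("$($result.Status)" -match 'NotStarted|InProgress' -and (Get-Date) -lt $deadline)

# 4. Review the estimate before deciding whether to copy or export the results.
$result | Format-List Name, Status, ResultNumberEstimate, ResultSizeEstimate, SearchQuery
```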

Exporting eDiscovery Search Results

After you create a new eDiscovery search, you can copy search results to the discovery mailbox and export those search results to a PST file.

  1. To use the EAC to export search results go to compliance management > In-place eDiscovery & hold. In the list view, select the In-Place eDiscovery search you want to export the results of, and then click Export to a PST file (Figure 11).

Image
Figure 11: Export to a PST file

  2. In the Security Warning popup (Figure 12) click Run.
  3. In the eDiscovery PST Export Tool window (Figure 13), do the following:
  • Click Browse to specify the location where you want to download the PST file.
  • Click the Enable deduplication checkbox to exclude duplicate messages. Only a single instance of a message will be included in the PST file.
  • Click the Include unsearchable items checkbox to include mailbox items that couldn’t be searched (for example, messages with attachments of file types that couldn’t be indexed by Exchange Search). Unsearchable items are exported to a separate PST file.
  4. Click Start to export the search results to a PST file. A window is displayed that contains status information about the export process. If you are prompted for security credentials, enter an account with the proper permissions. Click Close (Figure 14).

Image
Figure 12: Application Run

Image
Figure 13: eDiscovery PST Export Tool

Image
Figure 14: eDiscovery PST Export Tool

In addition to the PST files (one for each mailbox) that contain the search results, two other files are also exported (Figure 15):
  • A configuration file (.txt file format) that contains information about the PST export request, such as the name of the eDiscovery search that was exported, the date and time of the export, whether de-duplication and unsearchable items were enabled, the search query, and the source mailboxes that were searched.
  • A search results log (.csv file format) that contains an entry for each message returned in the search results. Each entry identifies the source mailbox where the message is located. If you’ve enabled de-duplication, this helps you identify all mailboxes that contain a duplicate message.

Image
Figure 15: eDiscovery exported files

The Recoverable Items Subtree

Let’s see what happens to the mailbox of one of the users who are on Litigation Hold. Figure 16 shows two messages in the mailbox of Miss Moneypenny.

Image
Figure 16: Miss Moneypenny mailbox

Now let’s do the following:

  • Move one of the messages to the Online Archive;
  • Soft-delete (SHIFT+DEL) both messages;
  • Purge the messages from the Recover Deleted Items (Figure 17).

Image
Figure 17: Purge Deleted Items

The previous screenshot was taken from the Recover Deleted Items of the Inbox of the Primary mailbox. Notice that although we moved (not specifically deleted) one of the messages, that also represents a delete action.

Using a tool like MFCMAPI we can peek into the Recoverable Items subtree. Figure 19 shows the DiscoveryHolds folder of the Primary Mailbox. If we right click it and select Open contents table, we’ll see that both messages are preserved there (Figure 20).

Image
Figure 18: IPM_SUBTREE

Image
Figure 19: DiscoveryHolds folder of the Primary mailbox

Image
Figure 20: Contents of the DiscoveryHolds

Since the In-Place Hold is also applied to the Online Archive, this mailbox will also retain the message that was deleted there, as depicted in Figure 21.

Image
Figure 21: Contents of the DiscoveryHolds of the Online Archive
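
The hold state, the Recoverable Items quotas and the contents of the Recoverable Items subtree can also be checked from the Exchange Management Shell instead of MFCMAPI. This is an added example, not part of the original article; Get-HoldFolderReport is a helper defined here, and the archive is only queried when it lives in the same on-premises organization (for a cloud-based archive, run the same statistics command in an Exchange Online session).

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
$user = 'Moneypenny'   # sample mailbox from the article

# 1. Hold state and Recoverable Items quotas for the mailbox.
$mbx = Get-Mailbox -Identity $user
$mbx | Format-List Name, LitigationHoldEnabled, InPlaceHolds, ArchiveState,
                   RecoverableItemsWarningQuota, RecoverableItemsQuota

# 2. InPlaceHolds only lists GUIDs; resolve each one to the search that owns the hold.
foreach ($holdId in $mbx.InPlaceHolds) {
    Get-MailboxSearch -InPlaceHoldIdentity $holdId |
        Format-List Name, InPlaceHoldEnabled, ItemHoldPeriod, SourceMailboxes
}

# 3. Item counts and sizes for each Recoverable Items subfolder
#    (Deletions, DiscoveryHolds, Purges, Versions, ...).
#    Get-HoldFolderReport is a helper defined here, not an Exchange cmdlet.
function Get-HoldFolderReport {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [switch]$Archive
    )
    $label = if ($Archive) { 'Archive' } else { 'Primary' }
    Get-MailboxFolderStatistics -Identity $Identity -FolderScope RecoverableItems -Archive:$Archive |
        Select-Object @{ Name = 'Mailbox'; Expression = { $label } },
                      Name, ItemsInFolder, FolderAndSubfolderSize
}

$report = @(Get-HoldFolderReport -Identity $user)

# Assumption: an ArchiveState of 'Local' means the archive is in this organization.
if ("$($mbx.ArchiveState)" -eq 'Local') {
    $report += Get-HoldFolderReport -Identity $user -Archive
}

# Messages purged by a user on hold should be counted under DiscoveryHolds.
$report | Format-Table -AutoSize
```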

In-Place Hold as a Backup Replacement?

Can In-Place Archive (on-premises or cloud-based) combined with In-Place Hold work as a backup replacement? Well, the right answer is “It depends!”. First you must know why you are using backups:

  • To immutably preserve data (point in time)?
  • To prevent accidental loss of data?
  • Disaster recovery?

Combining the high availability features built into Exchange 2013 to minimize downtime and data loss in the event of a disaster with other built-in features, such as Legal Hold, you can actually reduce or eliminate your use of traditional point-in-time backups and reduce the associated costs. This strategy may be especially attractive when using cloud-based archiving, since you get virtually unlimited storage space.

But remember that this comes with a cost: besides the direct licensing costs, activating long-duration hold increases the size of the Exchange databases, so there’s a balance between the tapes you save by eliminating backups and the increased storage you have to provide to Exchange.

Conclusion

When deciding between on-premises or cloud-based archiving there’s no right answer. Although cloud services provide many benefits and, so I’m convinced, in most cases will in fact be the right solution, every organization has its own requirements and may reach a different conclusion.

This is also true when comparing Exchange native compliance features (possibly combined with Office 365 services) with third-party solutions. In the end what matters is meeting the objectives and requirements, whether it’s compliance or security, at the lowest possible cost.
