Exchange 2010 Litigation Hold (Part 2)

If you would like to read the first part in this article series please go to Exchange 2010 Litigation Hold (Part 1).

Recovering Data

Now that one or more mailboxes are on Litigation Hold, how do we actually recover e-mails that users deleted or changed?

As we saw before, mailbox items in the Recoverable Items\Purges and Recoverable Items\Versions folders are not accessible by users. However, they are indexed and can be discovered by administrators assigned the Discovery Management role, using either the Multi-Mailbox Search functionality in the ECP or the Search-Mailbox cmdlet in the EMS.

Both these methods are explained in detail in Neil Hobson’s “Single Item Recovery” article as well as in Henrik Walther’s “Eliminating Traditional Backups using native Exchange 2010 Functionality” article so there is no point in replicating what is already on this site.

Backups and Single Item Recovery

Unless you put all users in your organization on Litigation Hold, this shouldn’t have a noticeable impact on backups. Let’s look at an example:

  1. A user sends and receives 100 messages per working day with an average size of 50KB;
  2. The user edits 10% of mailbox items;
  3. You enable Litigation Hold for this user for 90 days.

In this scenario:

  • 5 working days * 100 e-mails = 500 e-mails / week;
  • For Purges:
    o   500 e-mails / week * 13 weeks = 6500 e-mails / retention period
    o   6500 e-mails * 50KB = 318MB
  • For Versions:
    o   500 e-mails / week * 13 weeks = 6500 e-mails / retention period
    o   6500 e-mails * 10% = 650 e-mails
    o   650 e-mails * 50KB = 32MB

In total, the backup for this mailbox will only contain an additional 350MB volume of data due to Litigation Hold (plus additional new data of course).

As you can see, placing a mailbox on Litigation Hold will not affect your backups. This is, of course, assuming users don’t send and receive loads of huge e-mails every day and that you don’t enable Litigation Hold for every user in your organization.

Litigation Hold vs. Single Item Recovery vs. Retention Hold

Many administrators confuse Litigation Hold with Single Item Recovery and Retention Hold. However, they provide different functionalities and, therefore, are appropriate for some situations and not for others. In this section I will try to provide a simple overview of all three:

Litigation Hold, as explained before, is used during a lawsuit, investigation or similar events to preserve mailbox items from inadvertent or purposeful modification or deletion by the user (or someone with access to the mailbox) and from automated deletion by retention policies. Until the hold is removed, deleted items are not purged from the mailbox database and if a mailbox item is modified, a copy of the original item is also retained. These are returned in Discovery searches performed when the mailbox is on Litigation Hold. Any retention policies applicable to the mailbox don’t need to be suspended. Because messages continue to be deleted as expected (except from the Recoverable Items\Purges folder!), users may not notice they’re on Litigation Hold.

Single Item Recovery preserves items that users purged from their Recoverable Items\Deletions folder, as well as modified items, until the deleted item retention period is reached (14 days by default). To the user the items will look purged, but they can still be recovered by an administrator.

Retention Hold prevents retention policies from deleting or moving e-mails to the user’s personal archive for a period of time while the user is temporarily away from work (holidays, sabbatical leave, etc.). Note that this does not affect the mailbox quota – if a user has ProhibitSendReceiveQuota set, e-mails will get bounced back if the mailbox goes over quota! Deleted messages are not treated any differently when a mailbox is on Retention Hold.

The following table hopefully will make the differences even clearer:

| Feature State | Soft-deleted items kept in dumpster? | Modified and hard-deleted items kept in dumpster? | User can purge items from dumpster? | MRM automatically purges items from dumpster? | Retention Policies applied? |
|---|---|---|---|---|---|
| Single Item Recovery disabled | Yes | No | Yes | Yes, 14 days by default (120 days for calendar items) | Yes |
| Single Item Recovery enabled | Yes | Yes | No | Yes, 14 days by default (120 days for calendar items) | Yes |
| Litigation Hold enabled | Yes | Yes | No | No | Yes |
| Retention Hold enabled | Yes | No | Yes | Yes, 14 days by default (120 days for calendar items) | No |

Table 2.1: Litigation Hold vs. Single Item Recovery vs. Retention Hold

Litigation Hold and Mailbox Quotas

When a mailbox is on Litigation Hold, items are never purged from the Recoverable Items Purges and Versions subfolders, which means more and more data is kept on Exchange. To protect organizations from a possible Denial of Service attack, this folder has its own quota to prevent it from growing continuously until the database runs out of space. This also means that Recoverable Items do not count towards the mailbox storage quota: when an item is moved to the Recoverable Items folder, its size is deducted from the mailbox quota and added to the size of the Recoverable Items folder.

This quota, which can be configured on a per-user or per-database level, has a warning limit (soft limit) of 20GB and a hard limit of 30GB. By default it is only set on databases:


Figure 2.1: Recoverable Items folder quotas

Although the quotas are set to unlimited for the user, the mailbox is actually using the quotas set on the database, much like the “normal” mailbox quotas behavior.

Since the purpose of Litigation Hold is to preserve information, what happens when this quota is reached? Basically, no more items can be stored in the Recoverable Items folder, which means:

  • Users can’t delete any items;
  • Exchange will not delete items based on retention tags or managed folder settings;
  • The copy-on-write page protection process can’t maintain versions of items edited by the user.

Because this would make Litigation Hold ineffective, when the quota levels are reached administrators are notified by means of an event log entry and a Microsoft System Center Operations Manager alert. When the 20GB limit is reached, EventID 10024 is logged, and when 30GB is reached, EventID 10023 is logged.

When the hard limit is reached, administrators have 3 options:

  1. Remove the mailbox from Litigation Hold;
  2. Use the Search-Mailbox cmdlet to copy messages from the Recoverable Items folder to a discovery mailbox and then delete them from the mailbox (not recommended);
  3. Increase the quota for the mailbox (recommended: Set-Mailbox <user> -RecoverableItemsWarningQuota 40GB -RecoverableItemsQuota 50GB).

To check the Recoverable Items folder size for all mailboxes on Litigation Hold, use the following cmdlet:

Get-Mailbox -ResultSize Unlimited -Filter {LitigationHoldEnabled -eq $True} | Get-MailboxFolderStatistics -FolderScope RecoverableItems | FT Identity, FolderAndSubfolderSize

Or simply the following to check a single mailbox:

Get-MailboxFolderStatistics <user> -FolderScope RecoverableItems | Select Identity, FolderAndSubfolderSize


Figure 2.2: Checking Recoverable Items folder size
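
The two checks above only list sizes. The following is an added example, not part of the original article, that compares each held mailbox's Recoverable Items size with its effective warning and hard quota. It assumes sizes render in the usual "N GB (N bytes)" form and, following the description above, falls back to the database quota when the mailbox value is unlimited; ConvertTo-Bytes and Get-HoldQuotaReport are hypothetical helper names.

```powershell
# Added example for the Exchange Management Shell (PowerShell 2.0 compatible).
# ConvertTo-Bytes and Get-HoldQuotaReport are hypothetical helper names.

function ConvertTo-Bytes {
    param($Size)
    # Sizes and quotas render as "20 GB (21,474,836,480 bytes)".
    # "unlimited" carries no byte count, so nothing is returned ($null).
    if ("$Size" -match '\(([^)]+) bytes\)') {
        [int64]($Matches[1] -replace '\D', '')
    }
}

function Get-HoldQuotaReport {
    # Collect the mailboxes first: calling further Exchange cmdlets while
    # Get-Mailbox is still streaming can fail in a remote EMS session.
    $held = @(Get-Mailbox -ResultSize Unlimited -Filter {LitigationHoldEnabled -eq $true})

    foreach ($mbx in $held) {
        $db = Get-MailboxDatabase -Identity $mbx.Database

        # The root folder's FolderAndSubfolderSize includes Deletions, Purges
        # and Versions, so the largest value returned is the total in use.
        $used = (Get-MailboxFolderStatistics $mbx.Identity -FolderScope RecoverableItems |
            ForEach-Object { ConvertTo-Bytes $_.FolderAndSubfolderSize } |
            Measure-Object -Maximum).Maximum

        # Assumption taken from the article: an unlimited per-mailbox value
        # means the database-level quota is the one being enforced.
        $warn = ConvertTo-Bytes $mbx.RecoverableItemsWarningQuota
        if ($null -eq $warn) { $warn = ConvertTo-Bytes $db.RecoverableItemsWarningQuota }
        $hard = ConvertTo-Bytes $mbx.RecoverableItemsQuota
        if ($null -eq $hard) { $hard = ConvertTo-Bytes $db.RecoverableItemsQuota }

        $status = 'OK'
        if ($warn -and $used -ge $warn) { $status = 'Warning' }
        if ($hard -and $used -ge $hard) { $status = 'HardLimit' }

        # A quota of 0 in the output means no limit is set at either level.
        New-Object PSObject -Property @{
            Mailbox = $mbx.DisplayName
            UsedGB  = [math]::Round($used / 1GB, 2)
            WarnGB  = [math]::Round($warn / 1GB, 2)
            HardGB  = [math]::Round($hard / 1GB, 2)
            Status  = $status
        } | Select-Object Mailbox, UsedGB, WarnGB, HardGB, Status
    }
}

Get-HoldQuotaReport | Sort-Object UsedGB -Descending | Format-Table -AutoSize
```

Scheduling this report gives earlier notice than waiting for the warning event, which matters most where the quotas cannot be raised.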

New in SP2

In SP2, Exchange prevents administrators from disabling or deleting mailboxes currently on Litigation Hold so that investigations are not compromised by an accidental deletion of a mailbox, for example.

To overcome this, administrators must either remove the mailbox from Litigation Hold or use the -IgnoreLegalHold switch parameter when disabling or removing the mailbox. This parameter has been added to the following cmdlets:

  • Disable-Mailbox
  • Remove-Mailbox
  • Disable-RemoteMailbox
  • Remove-RemoteMailbox
  • Disable-MailUser
  • Remove-MailUser

As for the Remove-StoreMailbox cmdlet, which immediately and permanently deletes a mailbox (similar to Remove-Mailbox -Permanent), it does not have the IgnoreLegalHold parameter. This is because you can only run this cmdlet against disconnected or soft-deleted mailboxes.

Third Party Archiving

It is important to remember to temporarily disable any third party archiving software you have as it will simply keep moving e-mails from users’ mailboxes into their archive, even if these are on Litigation Hold!

Office 365

All the functionalities described in this article are available in Office 365. The only difference is that you will not be able to modify the default quotas for the Recoverable Items folder… For this reason, it is crucial to always monitor how much space Litigation Hold is taking on users’ mailboxes.

Conclusion

Litigation Hold helps organizations to ensure they preserve the required information, from an e-mail perspective, during the course of a lawsuit or investigation. Since the introduction of e-mail this has been a requirement but it was never straightforward, or even possible, for an administrator to prevent users from maliciously deleting data. Until now!

In this article series we explored Litigation Hold in Exchange 2010, how it makes administrators’ lives a lot easier and how it can even save an organization’s reputation and business.
