This user guide aims at providing detailed information for backing up and restoring individual mail items stored in Microsoft Exchange Server with Retrospect Virtual Host Server, also known as the Mail-Level backup.
Mail-Level backup for Microsoft Exchange Server is not designed to fully protect an Exchange Server, but to facilitate easy backup and fast restoration of individual emails, contacts or calendars, etc. A Mail-Level restoration cannot fully recover the Information Store after a disaster.
Important: Mail-Level Backup must be utilized in conjunction with full Information Store Backup, in order to fully protect the Exchange Server.
Exchange Server in a Database Availability Group (DAG) provides higher availability for mail item backup and restoration. The Microsoft Exchange Mailbox add-on module is available if you are using Exchange Server 2010/2013/2016/2019.
Refer to the URL for more details.
You are strongly recommended to configure or check all the settings below before you proceed with the Exchange Mail-Level backup and restoration.
The latest version of Retrospect Virtual Host Server must be installed on the Exchange Server hosting the database. For Exchange Server 2010/2013/2016/2019, a Database Availability Group (DAG) backup option is available; refer to Performing Mail-Level Backup for Microsoft Exchange 2010/2013/2016/2019 in Database Availability Group (DAG) for details.
Make sure the Microsoft Exchange Mailbox feature has been enabled as an add-on module in your Retrospect Virtual Host Server user account. Contact your backup service provider for more details.
A scheduled backup is required if you choose the DAG backup option, because Retrospect Virtual Host Server on every DAG member uses the scheduled backup time to start the backups on the individual DAG members at the same time.
A DAG backup cycle is considered complete only when the scheduled backup has been carried out on all DAG members. An email report is generated when a complete DAG backup cycle has taken place.
Please keep in mind that a manual backup is treated only as an individual mail-level backup and is therefore not counted as part of the DAG backup cycle.
Temporary Directory folder is used by Retrospect Virtual Host Server for storing backup set index files and any incremental or differential delta files generated during a backup job. To ensure optimal backup/restoration performance, it is recommended that the temporary directory folder is located on a local drive with plenty of free disk space.
The Active Directory account used for backup must have full access to the mailboxes. To grant the account full access rights, enter the following command in Exchange Management Shell.
Open the Exchange Management Shell by clicking Start > Microsoft Exchange Server > Exchange Management Shell.
Exchange Server 2007
Enter the following command in Exchange Management Shell
Get-MailboxServer | Add-ADPermission -User "%os_username%" -AccessRights GenericAll -ExtendedRights ms-exch-store-admin,receive-as,send-as -InheritanceType All
%os_username% is the username of the operating system account for backup.
Example: granting permission to local account "system"
Get-MailboxServer | Add-ADPermission -User "system" -AccessRights GenericAll -ExtendedRights ms-exch-store-admin,receive-as,send-as -InheritanceType All
Other useful commands:
To show added permission for an AD account
Get-MailboxServer | Get-ADPermission -User "%os_username%"
Example, to show added permission for local account "system"
Get-MailboxServer | Get-ADPermission -User "system"
To remove permission from an AD account
Get-MailboxServer | Remove-ADPermission -User "%os_username%" -AccessRights GenericAll -ExtendedRights ms-exch-store-admin,receive-as,send-as -InheritanceType All
Example, to remove permission from local account "system"
Get-MailboxServer | Remove-ADPermission -User "system" -AccessRights GenericAll -ExtendedRights ms-exch-store-admin,receive-as,send-as -InheritanceType All
Reboot the Exchange Server after executing the command.
Exchange Server 2010 / 2013
Enter the following command in Exchange Management Shell
Get-Mailbox | Add-MailboxPermission -User "%os_username%" -AccessRights FullAccess
%os_username% is the username of the operating system account for backup.
Example: granting permission to local account "system"
Get-Mailbox | Add-MailboxPermission -User "system" -AccessRights FullAccess
Other useful commands:
Remove permission from an AD account
Get-Mailbox | Remove-MailboxPermission -User "%os_username%" -AccessRights FullAccess
Example:
Get-Mailbox | Remove-MailboxPermission -User "system" -AccessRights FullAccess
To view the mailbox permission of a user
Get-Mailbox | Get-MailboxPermission -User "%os_username%"
Example:
Get-Mailbox | Get-MailboxPermission -User "system"
Reboot the Exchange Server after executing the command.
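The grant above applies only to mailboxes that exist when the command is run, and Get-Mailbox returns at most 1000 mailboxes unless -ResultSize is raised. The following added example (not part of the original guide or of Retrospect's tooling) lists mailboxes on Exchange Server 2010 / 2013 that the backup account cannot open; the account name CONTOSO\svc-backup is a placeholder.

```powershell
# Added example: audit which mailboxes the backup account can open.
# Run in the Exchange Management Shell on Exchange Server 2010 / 2013.
# Read-only: it calls Get-* cmdlets only.
$BackupAccount = 'CONTOSO\svc-backup'   # placeholder, not from the guide

# Get-Mailbox stops at 1000 results by default; ask for all of them.
$mailboxes = Get-Mailbox -ResultSize Unlimited

$report = foreach ($mbx in $mailboxes) {
    # All permission entries that name the backup account on this mailbox
    $entries = @(Get-MailboxPermission -Identity $mbx.DistinguishedName -User $BackupAccount)

    # Allow entries that include FullAccess
    $allow = @($entries | Where-Object {
        -not $_.Deny -and (($_.AccessRights -join ',') -match 'FullAccess')
    })
    # Deny entries take precedence over the grant, so report them as well
    $deny = @($entries | Where-Object { $_.Deny })

    New-Object PSObject -Property @{
        Mailbox       = "$($mbx.PrimarySmtpAddress)"
        HasFullAccess = ($allow.Count -gt 0)
        HasDenyEntry  = ($deny.Count -gt 0)
    }
}

# Mailboxes the mail-level backup job will not be able to read
$missing = @($report | Where-Object { -not $_.HasFullAccess -or $_.HasDenyEntry })

"{0} of {1} mailboxes are not readable by {2}" -f $missing.Count, @($report).Count, $BackupAccount
$missing | Sort-Object Mailbox | Format-Table Mailbox, HasFullAccess, HasDenyEntry -AutoSize
```

Running it after new mailboxes are created shows which ones still need the Add-MailboxPermission grant before the next scheduled backup.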
The Active Directory account used for the backup must be a member of the following security groups.
Exchange Server 2007
Microsoft Exchange Security \ Exchange Organization Administrators
Microsoft Exchange Security \ Exchange Servers
Users \ Domain Admins
Exchange Server 2010 / 2013
Microsoft Exchange Security \ Organization Management
Users \ Administrator
Users \ Domain Admins
Users \ Enterprise Admins
Steps to check the current settings
Click Start > Control Panel > Administrative Tools, and then click Active Directory Users and Computers.
Browse to the organization unit containing the corresponding operating system account.
Right click on the user, and select Properties.
Select the Member Of tab to check on the membership setting.
For setup on Exchange Server 2010 / 2013, Remote Exchange Management Shell must be enabled for the operating system account used for the backup.
Enter the following command in Exchange Management Shell to enable this feature.
Set-User "%os_username%" -RemotePowerShellEnabled $True
Reboot the Exchange Server after executing the command.
Note: Remote Shell in Microsoft Exchange Server enables you to manage your server running Exchange.
Make sure the account for backup mailbox has been enabled. Follow the steps below to verify.
Exchange Server 2007 / 2010
Click Start > Microsoft Exchange Server 2007/2010, and then click Exchange Management Console.
Click to expand the Recipient Configuration menu tree, and then select Mailbox.
Right click on the user and select Properties.
Select the General tab to check the settings.
Make sure the Hide from Exchange address lists box is not checked.
*Note*: A mailbox-enabled user is a Windows Active Directory user that has one or more Exchange Server mailboxes associated with it. Refer to the URL below for more information http://support.microsoft.com/kb/275636/en-us.
Exchange Server 2013
Refer to the following article from Microsoft for more details on how to check if an account is mailbox enabled. https://technet.microsoft.com/en-us/library/jj991919(v=exchg.150).aspx
The latest version of CDO must be installed on the Exchange Server for the mail-level backup job to work properly.
Download and install the latest version CDO via the URL below. If you already have CDO installed on the Exchange Server but are not sure if it is the latest version, you are recommended to uninstall the current version and re-install via the URL below.
Exchange Server 2007 / 2010
Exchange Server with MS Outlook 2007: https://www.microsoft.com/en-us/download/details.aspx?id=3671
Exchange Server without MS Outlook 2007: https://www.microsoft.com/en-gb/download/details.aspx?id=42040
Exchange Server 2013
The LAN Manager authentication level configured on the Exchange Server must be level 3 or above. Follow the steps below to check the settings.
Click Start > Control Panel > Administrative Tools, and then click Local Security Policy.
Under Security Settings, expand Local Policies > Security Options, then click Network security: LAN Manager authentication level.
Make sure that the setting is configured to use NTLMv2, for example:
Send NTLMv2 response only
Send NTLMv2 response only. Refuse LM
Send NTLMv2 response only. Refuse LM & NTLM
Make sure the Windows PowerShell 2.0 Engine is installed.
Exchange Server 2013
To install the feature:
Navigate to Server Manager > Manage, then select Add Roles and Features.
On the Select installation type screen, select Role-based or feature-based installation.
Select the target server.
On the Select features screen, go to the Features option, check the box next to Windows PowerShell 2.0 Engine.
Ensure that all MS Exchange related services have been started, particularly the MS Exchange Information Store and MS Exchange System Attendant Services.
To verify this setting, launch the Services menu by clicking Start and then typing “Services” in the search box. All Exchange related services should be started by default; if a service is not started, start it by right-clicking the item and selecting Start.
Verify if the IISAuthenticationMethods is set to Basic only. If so, change the setting with the commands below.
Exchange Server 2013
Click Start > Microsoft Exchange Server > Exchange Management Shell.
Enter the following command to check on the IISAuthenticationMethods setting:
Get-OutlookAnywhere
If it is set to {Basic} only, enter the following command to modify the setting:
Set-OutlookAnywhere -Identity:"%Server%\Rpc (Default Web Site)" -IISAuthenticationMethods Basic,NTLM,Negotiate
Reboot the Exchange server.
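Several of the requirements above (LAN Manager authentication level, Exchange services, Remote PowerShell for the backup account, IISAuthenticationMethods) can be read back in one pass. The following is an added example, not part of the original guide or of Retrospect's tooling; the account name CONTOSO\svc-backup is a placeholder, and the script only reads settings.

```powershell
# Added example: read-only pre-flight check for the requirements above.
# Run in the Exchange Management Shell on the Exchange Server.
$BackupAccount = 'CONTOSO\svc-backup'   # placeholder, not from the guide

function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}
$checks = @()

# 1. LAN Manager authentication level, stored as LmCompatibilityLevel:
#    3 = Send NTLMv2 response only, 4 = ...Refuse LM, 5 = ...Refuse LM & NTLM
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
if ($lsa) {
    $level = [int]$lsa.LmCompatibilityLevel
    $checks += New-Check 'LAN Manager auth level' ($level -ge 3) "LmCompatibilityLevel = $level"
} else {
    $checks += New-Check 'LAN Manager auth level' $false `
        'Value not set; OS default applies, confirm in Local Security Policy'
}

# 2. Information Store and System Attendant services.
#    A service that is not installed on this Exchange version is skipped.
foreach ($svcName in 'MSExchangeIS', 'MSExchangeSA') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc) {
        $checks += New-Check "Service $svcName" ($svc.Status -eq 'Running') "Status = $($svc.Status)"
    }
}

# 3. Remote Exchange Management Shell for the backup account
$user = Get-User -Identity $BackupAccount
$checks += New-Check 'Remote PowerShell' ([bool]$user.RemotePowerShellEnabled) `
    "RemotePowerShellEnabled = $($user.RemotePowerShellEnabled)"

# 4. Outlook Anywhere must not be limited to Basic authentication only
foreach ($oa in Get-OutlookAnywhere) {
    $methods = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })
    $basicOnly = ($methods.Count -eq 1 -and $methods[0] -eq 'Basic')
    $checks += New-Check "Outlook Anywhere $($oa.Identity)" (-not $basicOnly) `
        ('IISAuthenticationMethods = ' + ($methods -join ','))
}

$checks | Format-Table Check, Pass, Detail -AutoSize
```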
Confirm the connection to the Exchange Management Shell (EMS) or Exchange Management Console (EMC).
Ensure that the HTTP binding on the Default Web Site in Internet Information Services (IIS) is correctly configured by following the steps below.
Click Start > Control Panel > Administrative Tools, and then click Internet Information Services (IIS) Manager.
Navigate to Default Web Site, then right-click and select Edit Bindings.
Create a new binding that has no host name and a value of All Unassigned for the IP address.
Restart IIS.
If you are using Exchange server 2013 on Windows server 2012, please install .Net Framework 3.5 Features.
This feature can be enabled by accessing Server Manager > Dashboard > Add Roles and Features Wizard > Feature Page.
The following steps are performed during an Exchange mail-level backup job:
Click the Backup Sets icon on the main interface of Retrospect Virtual Host Server.
Create a new backup set by clicking the “+” icon next to Add new backup set.
Select the Backup set type as MS Exchange Mail Level Backup. The system will automatically detect and select the Exchange Server version, make sure the version selected is correct. Name your new backup set and then click Next to proceed.
In the Backup Source menu, select the Mailbox Store for backup.
You can click to expand the mailbox store to select which mailbox to back up. You can also click Show mails to select individual mail to back up. Click Next to proceed when you are done.
In the Schedule menu, you can configure a backup schedule for backup job to run automatically at your specified time interval. Click Add to add a new schedule, then click Next to proceed when you are done setting.
*Note:* By default, a daily backup scheduled for 22:00 is created automatically.
In the Destination menu, select a backup destination where the backup mail will be stored. Click the “+” icon next to Add new storage destination / destination pool.
Select the destination type and destination storage, then click OK to proceed.
Click Next on the Destination menu page to proceed.
By default, the Encrypt Backup Data option is enabled with an encryption key preset by the system which provides the most secure protection. You can also change the Encryption Type to Custom to set your own encryption key, key length, algorithm and method. Click Next to continue.
If you have enabled the Encryption Key feature in the previous step, the following pop-up window shows, whether you set the Encryption Type as Default or Custom.
The pop-up window has the following three options to choose from:
Unmask encryption key – The encryption key is masked by default. Click this option to show the encryption key.
Copy to clipboard – Click to copy the encryption key, then you can paste it in another location of your choice.
Confirm – Click to exit this pop-up window and proceed to the next step.
Enter the Windows login credentials for user authentication. Click Next to proceed.
The following screen shows when the new backup set is created successfully.
Click Backup now to start a backup immediately, or you can run a backup job later by following the instructions in Running Mail-Level Backup Job for Microsoft Exchange 2007/ 2010/2013/2016/2019.
Log in to Retrospect Virtual Host Server.
Click the Backup icon on the main interface of Retrospect Virtual Host Server.
Select the backup set which you would like to start a backup for.
If you would like to modify the In-File Delta type, Destinations and Retention Policy settings, click Show advanced option.
Click Backup to start the backup.
In the Retrospect Virtual Host Server main interface, click the Restore icon.
Select the backup set that you would like to restore mail from.
Select the backup destination that contains the mail(s) that you would like to restore.
Click to expand the menu tree to select which mailbox to restore. You can also select mail item(s) from a specific backup job or all mail items that you have backed up to restore. Click Next to proceed.
Select to restore the mail to their Original mailbox, or to an Alternate mailbox.
Restore to Original Mailbox
Select the Original location option, then press Next to proceed.
Restore to Alternate Mailbox
You can choose to restore mailbox item(s) to another mailbox in the same Exchange server. Select the Alternate location option and the desired mailbox destination, then press Next to proceed.
In addition, you can also restore mailbox item(s) to a different Exchange server of the same version. In this case, the restoration should be triggered by the Retrospect Virtual Host Server on the destination Exchange server.
Select the temporary directory for storing temporary files, such as delta files when they are being merged, then click Restore to start the restoration.
The following screen with the text Restore Completed Successfully shows when the restoration is completed.
Each member in the DAG requires a separate license for the Microsoft Exchange Mailbox Add-on Module. One license will be deducted for each installation of the Retrospect Virtual Host Server in the DAG environment. Please check with your backup service provider if additional Microsoft Mailbox Add-On module licenses are required.
Click the Backup Sets icon on the main interface of Retrospect Virtual Host Server.
Create a new backup set by clicking the “+” icon next to Add new backup set.
Select the Backup set type as MS Exchange Mail Level Backup and choose the correct Exchange Server version with “Database Availability Group”. Name your new backup set and then click Next to proceed.
In the Backup Source menu, select the Mailbox Store for backup.
You can click to expand the mailbox store to select which mailbox to back up, and then click Show mails to select individual mail to back up. Click Next to proceed when you are done.
In the Schedule menu, you can configure a backup schedule for backup job to run automatically at your specified time interval. Click Add to add a new schedule, then click Next to proceed when you are done setting.
In the Destination menu, select a backup destination where the backup email will be stored. Click the “+” icon next to Add new storage destination / destination pool.
Select the destination type and destination storage, then click OK to proceed.
Click Next on the Destination menu page to proceed.
By default, the Encrypt Backup Data option is enabled with an encryption key preset by the system which provides the most secure protection. You can also change the Encryption Type to Custom to set your own encryption key, key length, algorithm and method. Click Next to continue.
If you have enabled the Encryption Key feature in the previous step, the following pop-up window shows, whether you set the Encryption Type as Default or Custom.
The pop-up window has the following three options to choose from:
Unmask encryption key – The encryption key is masked by default. Click this option to show the encryption key.
Copy to clipboard – Click to copy the encryption key, then you can paste it in another location of your choice.
Confirm – Click to exit this pop-up window and proceed to the next step.
Enter the Windows login credentials for user authentication. Click Next to proceed.
The following screen shows when the new backup set is created successfully. Backup will run automatically at the configured scheduled time.
You may click Backup now to start a backup immediately; however, a manual backup will not be counted as part of the DAG backup cycle. For more information, refer to Scheduled Backup for Data Availability Group (DAG) Option.
On all other Exchange Servers within the same DAG, open the Retrospect Virtual Host Server, click the same backup set, and make sure the Run scheduled backup for this backup set option is turned on in the Backup Schedule menu. Make sure you save the setting before exiting the application.
Refer to the following steps to restore individual items to the active database on the relevant Microsoft Exchange server within the DAG.
The mail-level restoration should be performed on the active database only. You can identify the Exchange server with the active database from the Exchange Management Shell by following the steps below.
Type the following command in the Exchange Management Shell.
Get-MailboxDatabase | ft name, server
It will show which Exchange server is hosting the active mailbox database. In the following case, Mailbox Database 01 and 03 are hosted on EX1, while Mailbox Database 02 and 04 are hosted on EX2.
[PS] C:\>Get-MailboxDatabase | ft name, server

Name                  Server
Mailbox Database 02   EX2
Mailbox Database 01   EX1
Mailbox Database 03   EX1
Mailbox Database 04   EX2

Once you have identified which Exchange server hosts the active database, log on to that Exchange server to perform the restore.
In the Retrospect Virtual Host Server main interface, click Restore.
Select the backup set that you would like to restore mail from.
Select the backup destination that contains the mail that you would like to restore.
Click to expand the menu tree to select which mailbox to restore. You can also select mail item(s) from a specific backup job or all mail items that you have backed up to restore. Click Next to proceed.
Select to restore mail to their Original mailbox, or to an Alternate mailbox.
Restore to Original Mailbox
Select the Original location option, then press Next to proceed.
Restore to Alternate Mailbox
You can choose to restore mailbox item(s) to another mailbox in the same Exchange server. Select the Alternate location option and the desired mailbox destination, then press Next to proceed.
In addition, you can also restore mailbox item(s) to a different Exchange server with the same version of Exchange server installed. In this case, the restoration should be triggered by the Retrospect Virtual Host Server on the destination Exchange server.
Select the temporary directory for storing temporary files, such as delta files when they are being merged, then click Restore to start the restoration.
The following screen with the text Restore Completed Successfully shows when the restoration is completed.
To contact Retrospect support representatives for technical assistance, visit the following website: https://www.retrospect.com/support.
To access Retrospect Knowledgebase, visit the following website: https://www.retrospect.com/support/kb.