Microsoft Exchange Server 2007/2010/2013 Mail Level Backup Set

Last modified: 2019/08/27 (Note: Content written for AhsayCBS v7+v8, and may generally apply to latest product release)

AhsayOBM allows you to back up individual mailboxes in your Microsoft Exchange Server with the MS Exchange Mail Level Backup Module. This module provides a set of tools to protect your mailboxes and public folders on Microsoft Exchange Server 2007/2010/2013. This includes backup and recovery of individual emails, contacts, calendars and other mail items in your mailboxes and public folders, with snapshots / versioning, and retention policy to protect even email that you may have accidentally deleted from your Exchange 2007/2010/2013 mailboxes or public folders.

AhsayOBM supports backup of mailboxes on MS Exchange Server deployed either as a standalone server or in a Database Availability Group (DAG).

An MS Exchange mail level backup must be utilized in conjunction with full Information Store backup (Exchange Database backup set), as mail level backup for Microsoft Exchange Server is not designed to fully protect an Exchange Server, but to facilitate easy and fast recovery of emails, contacts, calendars for individual mailboxes and public folder items.

System Architecture

Below is the system architecture diagram illustrating the major elements involved in the backup process among the Microsoft Exchange Server, AhsayOBM backup client, AhsayCBS backup server, and Cloud storage.


Requirements

You are strongly recommended to check all the settings below before you proceed with the MS Exchange Mail Level 2007/2010/2013 backup and restore.

Software Requirement

For the list of compatible operating systems and application versions, refer to: Ahsay Software Compatibility List (SCL)

Antivirus Exclusion Requirement

To optimize performance of AhsayOBM on Windows, and to avoid conflict with your antivirus software, refer to this list of processes and directory paths that should be added to the white-list / exclusion list of all antivirus software.

For AhsayOBM version 8.1 or above, the bJW.exe process is automatically added to Windows Defender exclusion list for Windows 10 and 2016, during installation / upgrade via installer or upgrade via AUA.

AhsayOBM Installation

The latest version of AhsayOBM must be installed on the MS Exchange Server hosting the mailbox database.

For backup of mailboxes on MS Exchange Server 2010/2013 Database Availability Group (DAG), ensure the same AhsayOBM version is installed on all member servers.

For MS Exchange Server 2010/2013, Database Availability Group (DAG) backup option is available.

AhsayOBM Licenses

AhsayOBM licenses are calculated on a per device basis.

  • For backup of mailboxes on a standalone Microsoft Exchange 2007/2010/2013 Server, one AhsayOBM license is required.
  • For backup of mailboxes on a Microsoft Exchange Server 2010/2013 DAG setup, the number of AhsayOBM licenses required is equal to the number of members (nodes) in the DAG. For example, if there are three members then three AhsayOBM licenses are required.

Backup Quota Requirement

Make sure that your AhsayOBM user account has sufficient storage quota assigned to accommodate the storage of additional Exchange mailbox and public folder items for the new mail level backup set.

Microsoft Exchange Mailbox Add-On Module

One Microsoft Exchange Mailbox license is required for the backup of each user mailbox.

Make sure the Microsoft Exchange Mailbox feature has been enabled as an add-on module in your AhsayOBM user account and there is sufficient Microsoft Exchange Mailbox license quota to cover the backup of your mailboxes.

Scheduled Backup for Exchange Server in Database Availability Group (DAG) Option

Scheduled backup is required if you choose to back up an MS Exchange Server 2010/2013 setup with the DAG option, as AhsayOBM uses the scheduled backup time to start the backup on all individual DAG members at the same time.

An MS Exchange Server 2010/2013 DAG backup cycle is considered complete only when the scheduled backup on all DAG members has run successfully. A backup report will be generated and emailed to the recipients when a complete MS Exchange Server 2010/2013 DAG backup cycle has taken place.

Please keep in mind that manual backup will only be considered as individual mail level backup, and therefore will not be counted as part of the DAG backup cycle.

Temporary Directory Folder

The Temporary Directory folder is used by AhsayOBM for storing backup set index files and any incremental or differential delta files generated during a backup job. To ensure optimal backup/restoration performance, the temporary directory folder should be located on a local drive with plenty of free disk space.

Backup Source

Ensure “Hide from Exchange address list” is unchecked for user mailboxes, otherwise the mailbox will not be visible in the AhsayOBM backup source and therefore cannot be selected for backup.

Mailbox Access Permission

The Active Directory account used to authenticate the backup must have full access to the mailboxes. To grant full access rights to the account, enter the command for your Exchange Server version in Exchange Management Shell.

Open the Exchange Management Shell by clicking Start > Microsoft Exchange Server > Exchange Management Shell.

Exchange Server 2007

Enter the following command in Exchange Management Shell

Get-MailboxServer | Add-ADPermission -User "%os_username%" -AccessRights GenericAll -ExtendedRights ms-exch-store-admin,receive-as,send-as -InheritanceType All

where %os_username% is the username of the operating system account for backup.

Example: granting permission to local account “system”

Get-MailboxServer | Add-ADPermission -User "system" -AccessRights GenericAll -ExtendedRights ms-exch-store-admin,receive-as,send-as -InheritanceType All

Other useful commands:

1. To show added permission for an AD account

Get-MailboxServer | Get-ADPermission -User "%os_username%"

Example, to show added permission for local account “system”

Get-MailboxServer | Get-ADPermission -User "system"

2. To remove permission from an AD account

Get-MailboxServer | Remove-ADPermission -User "%os_username%" -AccessRights GenericAll -ExtendedRights ms-exch-store-admin,receive-as,send-as -InheritanceType All

Example, to remove permission from local account “system”

Get-MailboxServer | Remove-ADPermission -User "system" -AccessRights GenericAll -ExtendedRights ms-exch-store-admin,receive-as,send-as -InheritanceType All

Reboot the Exchange Server after executing the command.

Exchange Server 2010 / 2013

Enter the following command in Exchange Management Shell

Get-Mailbox | Add-MailboxPermission -User "%os_username%" -AccessRights FullAccess

Example: granting permission to local account “system”

Get-Mailbox | Add-MailboxPermission -User "system" -AccessRights FullAccess

Other useful commands:

1. Remove permission from an AD account

Get-Mailbox | Remove-MailboxPermission -User "%os_username%" -AccessRights FullAccess

Example:

Get-Mailbox | Remove-MailboxPermission -User "system" -AccessRights FullAccess

2. To view the mailbox permission of a user

Get-Mailbox | Get-MailboxPermission -User "%os_username%"

Example:

Get-Mailbox | Get-MailboxPermission -User "system"

Reboot the Exchange Server after executing the command.
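
The grant above is applied per mailbox, so it covers only the mailboxes that Get-Mailbox returned when the command was run. The following is an added example, not part of the Ahsay documentation, that reports for every mailbox whether the backup account holds FullAccess. The function name Get-BackupAccessCoverage and the account name in the usage comment are hypothetical.

```powershell
# Added example: run in Exchange Management Shell on Exchange 2010/2013.
function Get-BackupAccessCoverage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$BackupAccount          # the %os_username% account used for backup
    )

    # Get-Mailbox returns at most 1000 mailboxes unless -ResultSize Unlimited is
    # given. Collect the list first so the second cmdlet is not called while the
    # first one is still streaming results.
    $mailboxes = @(Get-Mailbox -ResultSize Unlimited)

    foreach ($mbx in $mailboxes) {
        # Entries for this account only, narrowed to those that carry FullAccess.
        $aces = @(Get-MailboxPermission -Identity $mbx.DistinguishedName -User $BackupAccount |
                  Where-Object { "$($_.AccessRights)" -match 'FullAccess' })
        $deny     = @($aces  | Where-Object { $_.Deny })
        $allow    = @($aces  | Where-Object { -not $_.Deny })
        $explicit = @($allow | Where-Object { -not $_.IsInherited })

        # Deny entries are reported first so that they get reviewed.
        if     ($deny.Count -gt 0)     { $state = 'Denied' }
        elseif ($allow.Count -eq 0)    { $state = 'Missing' }
        elseif ($explicit.Count -gt 0) { $state = 'Explicit' }
        else                           { $state = 'Inherited' }

        New-Object PSObject -Property @{
            Mailbox    = "$($mbx.PrimarySmtpAddress)"
            FullAccess = $state
        } | Select-Object Mailbox, FullAccess
    }
}

# Mailboxes the backup account cannot fully read (account name is a placeholder):
# Get-BackupAccessCoverage -BackupAccount 'EXAMPLE\backup-svc' |
#     Where-Object { $_.FullAccess -eq 'Missing' -or $_.FullAccess -eq 'Denied' }
```

The same report, run after the Remove-MailboxPermission command, confirms that no explicit entry is left behind when the backup account is retired.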

Windows User Account Permission

The Active Directory account used to authenticate the backup must be a member of the following security groups.

Exchange Server 2007

  • Microsoft Exchange Security \ Exchange Organization Administrators
  • Microsoft Exchange Security \ Exchange Servers
  • Users \ Domain Admins

Exchange Server 2010 / 2013

  • Microsoft Exchange Security \ Organization Management
  • Users \ Administrator
  • Users \ Domain Admins
  • Users \ Enterprise Admins

Steps to check the current settings

  1. Click Start > Control Panel > Administrative Tools, and then click Active Directory Users and Computers.
  2. Browse to the organization unit containing the corresponding operating system account.
  3. Right click on the user, and select Properties.
  4. Select the Member Of tab to check on the membership setting.

Enabling Mailbox on Windows User Account

Make sure the Windows account used to authenticate the backup has a mailbox enabled. Follow the steps below to verify.

Exchange Server 2007 / 2010

  1. Click Start > Microsoft Exchange Server 2007/2010, and then click Exchange Management Console.
  2. Click to expand the Recipient Configuration menu tree, and then select Mailbox.
  3. Right click on the user and select Properties.
  4. Select the General tab to check the settings. Make sure the Hide from Exchange address lists box is not checked.

    Note: A mailbox-enabled user is a Windows Active Directory user that has one or more Exchange Server mailboxes associated with it.

Exchange Server 2013

Refer to the following article from Microsoft for more details on how to check if an account is mailbox enabled. https://docs.microsoft.com/en-us/exchange/create-user-mailboxes-exchange-2013-help

Remote Exchange Management Shell

For setup on MS Exchange Server 2010 / 2013, the Remote Exchange Management Shell must be enabled for the operating system account used for the backup.

Enter the following command in Exchange Management Shell to enable this feature.

>Set-User "%os_username%" -RemotePowerShellEnabled $True

Reboot the Exchange Server after executing the command.

Remote Shell in Microsoft Exchange Server enables you to manage your server running Exchange.

Collaboration Data Objects (CDO) 1.2.1

The latest version of CDO must be installed on the Exchange Server for the mail level backup job to work properly.

Download and install the latest version of CDO via the URL below. If you already have CDO installed on the Exchange Server but are not sure if it is the latest version, you are recommended to uninstall the current version and re-install via the URL below.

Exchange Server 2007 / 2010

Exchange Server with MS Outlook 2007 https://www.microsoft.com/en-us/download/details.aspx?id=3671

Exchange Server without MS Outlook 2007 https://www.microsoft.com/en-gb/download/details.aspx?id=42040

Exchange Server 2013

https://www.microsoft.com/en-gb/download/details.aspx?id=42040

LAN Manager Authentication Level

Exchange Server 2013

The LAN Manager Authentication level configured on the Exchange Server must be level 3 or above. Follow the steps below to check the settings.

  1. Click Start > Control Panel > Administrative Tools, and then click Local Security Policy.
  2. Under Security Settings, expand Local Policies > Security Options, then click Network security: LAN Manager authentication level.
  3. Make sure that the setting is configured to use NTLMv2, for example:
    1. Send NTLMv2 response only
    2. Send NTLMv2 response only. Refuse LM
    3. Send NTLMv2 response only. Refuse LM & NTLM

Windows PowerShell 2.0 Engine

Make sure the Windows PowerShell 2.0 Engine is installed.

Exchange Server 2013

To install the feature:

  1. Navigate to Server Manager > Manage, then select Add Roles and Features.
  2. On the Select installation type screen, select Role-based or feature-based installation.
  3. Select the target server.
  4. On the Select features screen, go to the Features option, check the box next to Windows PowerShell 2.0 Engine.

Ensure that all MS Exchange related services have been started, particularly the MS Exchange Information Store Services.

To verify this setting, launch the Services menu by clicking Start, then typing “Services” in the search box. All Exchange related services should be started by default. If a service is not started, right-click the item and select Start.

MS Exchange Database Status

Ensure the MS Exchange Mailbox and Public Folder databases are mounted.

Example: MS Exchange 2010

Example: MS Exchange 2013

IISAuthenticationMethods Setting

Verify if the IISAuthenticationMethods is set to Basic only. If so, change the setting with the commands below.

Exchange Server 2013

  1. Click Start > Microsoft Exchange Server > Exchange Management Shell.
  2. Enter the following command to check on the IISAuthenticationMethods setting:
    >Get-OutlookAnywhere
  3. If it is set to {Basic} only, enter the following command to modify the setting:
    >Set-OutlookAnywhere -Identity:"%Server%\Rpc (Default Web Site)" -IISAuthenticationMethods Basic,NTLM,Negotiate
  4. Reboot the Exchange server.

Connection to Exchange Management Shell (EMS) or Exchange Management Console (EMC)

Confirm the connection to the Exchange Management Shell (EMS) or Exchange Management Console (EMC).

Ensure that the HTTP binding on the Default Web Site in Internet Information Services (IIS) is correctly configured by following the steps below.

  1. Click Start > Control Panel > Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Navigate to Default Web Site, then right-click and select Edit Bindings.
  3. Create a new binding that has no host name and a value of All Unassigned for the IP address.
  4. Restart IIS.

.NET Framework 3.5 Features

If you are using Exchange Server 2013 on Windows Server 2012, please install .NET Framework 3.5 Features.

This feature can be enabled by accessing Server Manager > Dashboard > Add Roles and Features Wizard > Feature Page.
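
Several of the Exchange Server 2013 requirements above can be checked from Exchange Management Shell without changing anything. The following is an added example, not part of the Ahsay documentation; the function names New-Check and Test-MailLevelBackupPrereq and the account name in the usage comment are hypothetical. It assumes the Windows Server 2012 feature names PowerShell-V2 and NET-Framework-Core and the Information Store service name MSExchangeIS.

```powershell
# Added example: read-only preflight, run in Exchange Management Shell on the server.
function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail } |
        Select-Object Check, Pass, Detail
}

function Test-MailLevelBackupPrereq {
    param([Parameter(Mandatory = $true)][string]$BackupAccount)  # the %os_username% account

    # The LAN Manager authentication level is stored as LmCompatibilityLevel (0-5).
    $lm = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LmCompatibilityLevel
    if ($null -eq $lm) {
        # Value absent: policy not defined, so the OS default applies
        # (NTLMv2 response only, level 3, on Windows Server 2008 R2 and later).
        New-Check 'LAN Manager authentication level' $true 'not defined, OS default'
    } else {
        New-Check 'LAN Manager authentication level' ($lm -ge 3) "LmCompatibilityLevel=$lm"
    }

    # Remote Exchange Management Shell for the backup account.
    $user = Get-User -Identity $BackupAccount
    New-Check 'RemotePowerShellEnabled' ([bool]$user.RemotePowerShellEnabled) $BackupAccount

    # Outlook Anywhere must offer more than Basic.
    foreach ($oa in @(Get-OutlookAnywhere)) {
        $methods = "$($oa.IISAuthenticationMethods)"
        New-Check "IISAuthenticationMethods on $($oa.Identity)" ($methods -ne 'Basic') $methods
    }

    # Every mailbox database must be mounted; -Status is needed to populate Mounted.
    foreach ($db in @(Get-MailboxDatabase -Status)) {
        New-Check "Database $($db.Name) mounted" ([bool]$db.Mounted) "Mounted=$($db.Mounted)"
    }

    # Information Store service, plus the names of Exchange services not running.
    $down  = @(Get-Service -Name 'MSExchange*' | Where-Object { $_.Status -ne 'Running' })
    $names = ($down | ForEach-Object { $_.Name }) -join ', '
    $is    = Get-Service -Name 'MSExchangeIS'
    New-Check 'MSExchangeIS running' ($is.Status -eq 'Running') "not running: $names"

    # Windows PowerShell 2.0 Engine and .NET Framework 3.5 (Windows Server 2012 names).
    Import-Module ServerManager
    foreach ($name in 'PowerShell-V2', 'NET-Framework-Core') {
        $feature = Get-WindowsFeature -Name $name
        New-Check "Windows feature $name" ([bool]$feature.Installed) "$($feature.DisplayName)"
    }
}
# Show only what needs attention (account name is a placeholder):
# Test-MailLevelBackupPrereq -BackupAccount 'EXAMPLE\backup-svc' | Where-Object { -not $_.Pass }
```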


Backup Process Overview

The following steps are performed during an MS Exchange mail level backup job:

public/microsoft_exchange_mail_level.txt · Last modified: 2022/11/28 11:05 by kirk.lim
