5.6 Exchange Prerequisites required for Retain

Several prerequisites must be met in Exchange before Retain can successfully archive the mailbox databases:

  • A mailbox user with ApplicationImpersonation rights

  • Basic Authentication enabled for Autodiscover and EWS on all Client Access Servers

  • A DNS SRV record

  • Set the DNS used by the Retain server to be the same as used by Exchange.

  • Set a Rolling In-Place Hold to retain data until Retain can archive it.

  • If "Configure email forwarding for a mailbox" is in use, enable "Deliver messages to both forwarding address and mailbox"; otherwise no messages are stored in Exchange and Retain will never have anything to archive.

5.6.1 Create a Retain User

To connect with Exchange, Retain needs a user with appropriate rights. This can be an existing user or a newly created one; creating a dedicated user for Retain archiving is recommended. If creating a new user, make sure the account is active and that its password does not change, so that Retain keeps access to mail without any change of settings. This user is sometimes called a ‘service account’. Retain calls this user the ‘global catalog user’.

The user created or used for Retain must be a “mailbox-enabled user” with read access to see all other users, groups, resources, and Exchange Servers in the Exchange Forest. The user will be utilized by both the Retain Server and Worker for LDAP lookups in Active Directory. The Retain user also must have Exchange impersonation rights to every mailbox user on every server in the organization to be archived. The Retain user MUST NOT be a member of any Exchange Administrator group, as Exchange denies impersonation rights for all administrator accounts.

Additional permissions need to be added to the user created for Retain. The quickest way to add these rights is through the Exchange Management Shell.

After creating the new user in Active Directory, open the Exchange Management Shell.

5.6.2 Grant Impersonation Permissions to the Retain user

In Exchange 2013 and 2016, impersonation permissions can be granted in the Exchange Admin Center under Permissions.

Under Admin Roles create a new role (e.g. Retain Impersonation Management). Add the role "ApplicationImpersonation" and add the Retain User as a member.

You can also accomplish this via PowerShell commands using the Exchange Management Shell.

The commands required differ depending on the version of the Exchange Server. Exchange 2010 and 2013 require only one command per Exchange system, whereas Exchange 2007 requires the commands to be run on every Exchange server in the system to grant the required permissions. If the Exchange system contains a mix of 2007, 2010, and 2013 servers, the respective commands must be run on one server of each type.

Exchange 2010, 2013, and 2016 commands

For Exchange 2010, 2013, and 2016 the only command necessary for impersonation permissions is:

New-ManagementRoleAssignment -Name ImpersonationAssignmentName -Role ApplicationImpersonation -User ServiceAccount

Where the ‘Name’ is a name chosen by the administrator and the ‘ServiceAccount’ is the name of the Retain user.

For Example:

New-ManagementRoleAssignment -Name impersonation-retain -Role ApplicationImpersonation -User Retain

If additional Exchange servers are added to the system after running this command to grant rights to the ‘retain’ user, the command must be run again to grant rights to the new server.
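An added check, not part of the Retain documentation, that the service account meets the requirements above: it is a mailbox-enabled, enabled account, it holds ApplicationImpersonation (directly or through a role group), and it is not a member of any role group carrying other administrative roles. It assumes the Exchange Management Shell is loaded and the account is named Retain.

```powershell
# Added preflight check, not part of the Retain documentation.
# Assumes the Exchange Management Shell is loaded and the Retain user is "Retain".
$ServiceAccount = "Retain"

# 1. Mailbox-enabled and not disabled: Retain needs a live, mailbox-enabled user.
$mbx  = Get-Mailbox -Identity $ServiceAccount -ErrorAction SilentlyContinue
$user = Get-User    -Identity $ServiceAccount -ErrorAction SilentlyContinue
if (-not $mbx)             { Write-Warning "$ServiceAccount is not mailbox-enabled" }
if ($user.AccountDisabled) { Write-Warning "$ServiceAccount is disabled in Active Directory" }

# 2. ApplicationImpersonation must reach the user, directly or via a role group.
#    -GetEffectiveUsers expands role groups; EffectiveUserName is the display name.
$assign = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
          Where-Object { $_.EffectiveUserName -eq $user.Name }
if ($assign) {
    "OK: ApplicationImpersonation granted through: $(($assign | ForEach-Object Name) -join ', ')"
} else {
    Write-Warning "MISSING: no ApplicationImpersonation assignment reaches $ServiceAccount"
}

# 3. Exchange denies impersonation to administrator accounts, so the account must not
#    sit in any role group that carries roles other than ApplicationImpersonation.
foreach ($group in Get-RoleGroup) {
    $isMember = Get-RoleGroupMember -Identity $group.Identity |
                Where-Object { $_.Name -eq $ServiceAccount -or $_.Alias -eq $ServiceAccount }
    if (-not $isMember) { continue }
    $otherRoles = $group.Roles | Where-Object { $_ -notlike "*ApplicationImpersonation*" }
    if ($otherRoles) {
        Write-Warning "$ServiceAccount is in role group '$($group.Name)' with roles: $($otherRoles -join ', ')"
    } else {
        "OK: member of '$($group.Name)' (ApplicationImpersonation only)"
    }
}
```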

5.6.3 Room and Equipment Resources

To archive Room and Equipment Resources, or to restore them, the Retain user, or Service Account, must also have delegation rights. These commands must be issued manually for each Room and Equipment or resource mailbox on every relevant server. This is required for 2013 and 2016.

These commands must be issued:

(‘Retain’ is used here as the name of the Service Account, or Retain user, and the ‘Mailbox Database’ should be changed to the appropriate name.)

(NOTE: every time a new Room and Equipment or resource mailbox is added, the first command must be re-run.)

Exchange 2013 and 2016 PowerShell commands

Get-Mailbox -ResultSize Unlimited -Database "Mailbox Database" | Add-MailboxPermission -User "Retain" -AccessRights FullAccess

Add-ADPermission -Identity "Mailbox Database" -User "Retain" -ExtendedRights Receive-As

Add-ADPermission -Identity "Mailbox Database" -User "Retain" -ExtendedRights Send-As
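Because the first command has to be re-run whenever a resource mailbox is added, this added check (not from the Retain documentation) lists Room and Equipment mailboxes on which the Retain account does not yet hold FullAccess. It assumes the Exchange Management Shell is loaded and the account is named Retain.

```powershell
# Added example, not from the Retain documentation: report Room/Equipment mailboxes
# where the Retain account still lacks FullAccess. Assumes the account is "Retain".
$ServiceAccount = "Retain"
$resources = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails RoomMailbox,EquipmentMailbox

$missing = foreach ($mbx in $resources) {
    # An explicit Allow entry granting FullAccess is what the archive job relies on.
    $full = Get-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount -ErrorAction SilentlyContinue |
            Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.Deny }
    if (-not $full) { $mbx }
}

if ($missing) {
    "Resource mailboxes without FullAccess for ${ServiceAccount}:"
    $missing | Format-Table Name, RecipientTypeDetails, Database -AutoSize
    # Re-run the documented grant only for these mailboxes (uncomment to apply):
    # $missing | Add-MailboxPermission -User $ServiceAccount -AccessRights FullAccess
} else {
    "All $(@($resources).Count) resource mailboxes grant FullAccess to $ServiceAccount"
}
```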

5.6.4 Basic Authentication

Retain requires Basic Authentication to be enabled on each CAS Exchange server in the system for Autodiscover and EWS.

In Exchange Admin Center, go to Servers, then go to the Virtual Directories tab.

  1. Edit Autodiscover and under Authentication enable Basic authentication if it is not enabled.

  2. Edit EWS and under Authentication enable Basic authentication if it is not enabled.

  3. Do this for each server in the list.

To check if this worked, run the following PowerShell cmdlets:

For EWS:

Get-WebServicesVirtualDirectory | ft server,basicauthentication

For Autodiscover:

Get-AutoDiscoverVirtualDirectory | ft server,basicauthentication

On Exchange systems prior to 2013 you may need to set basic authentication manually.

Open “Server Manager” on the Exchange server.

  1. In left pane, expand “Roles”, expand “Web Server (IIS)”, select “Internet Information Services (IIS) Manager”.

  2. A new “Connections” pane opens, expand your Exchange server object, expand “Sites”, expand “Default Web Site (Multiple Protocols)”, select “EWS”.

  3. Under the heading “IIS”, open the “Authentication” icon.

  4. Select “Basic Authentication”, click “Enable” in the right pane.

You can now close “Server Manager”.

DNS SRV Record

Microsoft has an article describing how to set up a DNS SRV record titled "A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service".

In general, you will need to:

  1. Go to the DNS Manager

  2. Expand Forward Lookup Zones

  3. Locate and right-click on the external DNS zone and choose Other New Records

  4. Click Service Location (SRV) and enter:

    Service: _autodiscover
    Protocol: _tcp
    Port Number: 443
    Host: [your mail host, e.g. mail.gwava.net, usually the AD domain forest found in AD Domains and Trusts on the MS AD server]
  5. Click OK

The Microsoft autodiscover library in Retain expects a URL along the lines of https://autodiscover.[your domain]/Autodiscover/Autodiscover.xml (e.g., https://autodiscover.xyzcompany.com/Autodiscover/Autodiscover.xml). The URL actually used can be found in the worker log as it attempts to log in, by searching for "Discovered endpoint:" or "AutoDiscover".
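An added check, not from the Retain documentation, run from the Retain server to confirm the SRV record above resolves, points at port 443, and leads to an Autodiscover endpoint that challenges for credentials. It assumes the DnsClient module (Windows 8 / Server 2012 or later) and uses xyzcompany.com as a placeholder for your domain.

```powershell
# Added example, not from the Retain documentation: verify the _autodiscover SRV record
# and the Autodiscover URL Retain will try. Replace "xyzcompany.com" with your domain.
$Domain = "xyzcompany.com"

$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq "SRV" }
if (-not $srv) { Write-Warning "No SRV record for _autodiscover._tcp.$Domain"; return }

foreach ($rec in $srv) {
    "SRV -> $($rec.NameTarget):$($rec.Port) (priority $($rec.Priority), weight $($rec.Weight))"
    if ($rec.Port -ne 443) { Write-Warning "Port is $($rec.Port); the record should point at 443 (HTTPS)" }
    if (-not (Resolve-DnsName -Name $rec.NameTarget -ErrorAction SilentlyContinue)) {
        Write-Warning "SRV target $($rec.NameTarget) does not resolve from this server"
    }
}

# Candidate endpoints: the autodiscover host name Retain expects, plus the SRV target(s).
$candidates = @("https://autodiscover.$Domain/Autodiscover/Autodiscover.xml") +
              ($srv | ForEach-Object { "https://$($_.NameTarget)/Autodiscover/Autodiscover.xml" })

foreach ($url in ($candidates | Select-Object -Unique)) {
    try {
        Invoke-WebRequest -Uri $url -Method Get -UseBasicParsing -TimeoutSec 15 | Out-Null
        Write-Warning "$url answered without demanding credentials (unexpected for Autodiscover)"
    } catch [System.Net.WebException] {
        # 401 to an anonymous request is the healthy answer: the endpoint exists and
        # challenges for credentials. No response or 404 means DNS or IIS is not set up.
        $code = [int]$_.Exception.Response.StatusCode
        if ($code -eq 401) { "OK: $url challenges for authentication (HTTP 401)" }
        else               { Write-Warning "$url failed: $(if ($code) { "HTTP $code" } else { $_.Exception.Message })" }
    }
}
```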

Server DNS Setting

Retain performs best when the Retain server's network settings use the same DNS servers as the Exchange servers.

If Retain and Exchange must use different DNS, on the DNS that Retain uses, create a Conditional Forwarder that resolves to the Exchange server.

Set Rolling In-Place Hold

To prevent data loss, it is highly recommended that a rolling In-Place or Litigation Hold be set so users are unable to remove items from disk before Retain has a chance to archive them.

By default in Exchange, when a user deletes a message in Outlook it is moved to the trash. When they empty the trash, the item is moved to the mostly hidden Recoverable Items folder, where it is kept for 14 days before being removed from disk. The user can also right-click the Trash to recover items, and in that dialog box they can purge an item, which deletes it immediately. With a hold in place, that item is instead moved to a Purged folder that is not user-accessible, where it is kept until the hold is lifted.

In Retain, set Profile/Miscellaneous to Include user's recoverable items.

In Exchange Admin Console, set up a distribution list, for example All_Mailboxes, that contains all mailboxes. It is best to create a policy that adds new users to this distribution list by default.

Place the distribution list under a 90-day hold.

In the Exchange Management Shell:

An In-Place Hold can be set up for all mailboxes for 90 days:

New-MailboxSearch "Retain90DayHold" -ItemHoldPeriod 90 -InPlaceHoldEnabled $true -SourceMailboxes All_Mailboxes

It will take time for the hold to take effect. You can determine how many mailboxes were placed under hold with the script below (Get-Mailbox returns only the first 1000 mailboxes by default, so -ResultSize Unlimited is needed in larger organizations):

((Get-Mailbox -ResultSize Unlimited).InPlaceHolds).Count
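An added coverage check, not from the Retain documentation, that goes beyond the count above: it reports which mailboxes are missing from the distribution list and which do not yet carry the hold. It assumes the Exchange Management Shell is loaded and the names Retain90DayHold and All_Mailboxes from the steps above.

```powershell
# Added example, not from the Retain documentation: report mailboxes not yet covered by
# the rolling hold. Assumes the hold "Retain90DayHold" and the group "All_Mailboxes".
$HoldName  = "Retain90DayHold"
$GroupName = "All_Mailboxes"

$hold = Get-MailboxSearch -Identity $HoldName
"Hold '$($hold.Name)': enabled=$($hold.InPlaceHoldEnabled), days=$($hold.ItemHoldPeriod), status=$($hold.Status)"

# A mailbox under this hold carries the hold's InPlaceHoldIdentity in its InPlaceHolds list.
$mailboxes = Get-Mailbox -ResultSize Unlimited   # the default returns only the first 1000
$members   = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
             ForEach-Object { $_.PrimarySmtpAddress.ToString() }

$notInGroup = $mailboxes | Where-Object { $members -notcontains $_.PrimarySmtpAddress.ToString() }
$noHold     = $mailboxes | Where-Object {
    $_.InPlaceHolds -notcontains $hold.InPlaceHoldIdentity -and -not $_.LitigationHoldEnabled
}

"$(@($mailboxes).Count) mailboxes; $(@($notInGroup).Count) not in $GroupName; $(@($noHold).Count) without the hold"
if ($notInGroup) { "Add to ${GroupName}:"; $notInGroup | Format-Table Name, PrimarySmtpAddress -AutoSize }
if ($noHold)     { "Hold not yet applied (wait, or check group membership):"; $noHold | Format-Table Name -AutoSize }
```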