5.3 Exchange Module Office365

There are several prerequisites that need to be completed for setting up a job.

If Autodiscover fails for a user, serious errors will occur when Retain attempts to archive them. This option allows users to be skipped or have the job immediately aborted.

The first thing to do is to test that autodiscover is enabled for the domain.

Retain needs to know what SMTP server to use for sending notifications.

Query the DNS for the MX record or

Microsoft has an article describing how to set up a DNS SRV record titled "A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service".

In short, the process is:

To prevent data loss, it is highly recommended that a rolling in-place hold be set so users are unable to remove items from disk before Retain has a chance to archive them.

In Exchange by default, when a user deletes a message out of Outlook, it is moved to the trash. When they empty the trash, the item is moved to the mostly hidden Recoverable Items folder, where it is kept for 14 day before being removed from disk. The user can then right-click the Trash to recover items, and in that dialog box they can purge the item which will delete it immediately. With a hold in place that item will be moved to a Purged folder that is not user accessible, where it will be kept until the hold is lifted.

Not all O365 licenses allow the setting of a hold, in such cases there is no way to prevent data loss.

In Retain, set Profile/Miscellaneous to Include user's recoverable items.

In Exchange Admin Console, set up a distribution list, for example All_Mailboxes, that contains all mailboxes. It will be best to create a policy to add new users to this distribution list by default.

Place the distribution list under a 90-day hold.

In the Exchange Management Shell:

An In-Place Hold can be set up for all mailboxes for 90 days:

New-MailboxSearch "Retain90DayHold" -ItemHoldPeriod 90 -InPlaceHoldEnabled $true -SourceMailboxes All_Mailboxes

It will take time for the hold to take effect. You can determine how many mailboxes were placed under hold with the script:

((Get-Mailbox).InPlaceHolds).Count

If the hosted system in use is an Office 365 system, further configuration on the Office 365 system is required. Because Office 365 Exchange Servers do not directly expose LDAP information, a PowerShell script must run periodically to cache user and group information.

The script requires PowerShell 2.0. Without this script, you cannot run jobs on Office365, or authenticate users. This script connects to O365 and downloads the address book and distribution group lists into two address book CSV files, exchangeuser.csv and exchangegroup.csv.

The standard sync365.ps1 script requires entering a plaintext administrator password. If that is not acceptable by your security policy, there is the O365 Archiving PowerShell Sync Secure Storage Script: Save-CredentialsEncrypted.ps1 which allows you to securely save the password used by the admin user.

Running the Script

1. After downloading and extracting the script, open PowerShell and change to the directory the script is in and type .\Save-CredentialsEncrypted.ps1

   1a. If you haven't run a PowerShell script before, you may have to change the Execution Policy to get a script to run. Set the execution policy to Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process. If PowerShell 4.0 or higher is not installed the script will abort.

   

2. A dialog box will appear requesting the credentials for an administrator user and the destination folder of the address book files.

   The administrator user must have sufficient rights to download the address book from O365. This would be the logon name and password of an administrator user (e.g. DomainAdmin@company.onmicrosoft.com).

   Provide it with a name for the Scheduled task.

   You can set the destination folder to anywhere you wish. However, the address book files exchangeuser.csv and exchangegroup.csv must end up in the ~\Program Files\Beginfinite\Retain\RetainServer\WEB_INF\cfg\ folder of the Retain Server. Retain will look for the address book files there when refreshing the address book.

   If you are using a Linux-based Retain Server, you will need to set up a process to move the address book files to the Linux-based Retain Server's opt/beginfinite/retain/RetainServer/WEB-INF/cfg folder.

   If you are running Retain will multiple modules each module will need a separate task and destination folder.

   

3. The script will then setup a recurring task (SyncO365) in Task Scheduler to download the address book every day at 12:30am.

   The script will request your logon credentials as it sets up the task. The script will start the task before exiting. If you are using Windows Server 2008, multiple errors will appear because the Task Scheduler cmdlets do not exist, this is expected and the task can be created manually in Task Scheduler.

4. It will take a moment to download the address book files: exchangeuser.csv and exchangegroup.csv. For a small system (<100 users) it may take a few minutes, for a large system (>10k users) it may take more than half an hour. After the script completes, make sure that the address book files are filled with items. If this does not generate the files it may be an execution policy issue, see notes section below.

In Office365 you can attach documents stored in SharePoint Online/OneDrive. However it doesn’t send the actual document but only a link to that document.

When Retain attempts to archive an attached document it often runs into trouble because the retain user, while it does have ApplicationImpersonation right, doesn’t have rights to anything outside of Exchange. So Retain will error because it knows there is supposed to be something there but can’t reach it.

11:04:16, 704[Thread-4920] [ERROR] ExchangeAttachment: error while creating attachment. java.io.IOException: SharePointError - Impersonation has no access to: https://gwava-my.sharepoint.com/personal/user08_gwava_onmicrosoft_com1/Documents/Email attachments/office 365 users(1) (1).txt

What needs to be done is the retain user needs be added as a “site collection administrator” in SharePoint/OneDrive. Start by going to the Office365 admin page and selecting SharePoint.

Go to the Site Collections, select the collection to add the retain user too, click the “Owners” tab.

You can now add the retain user as a “Site collection administrator”. This way the retain user will have rights to access the data.

This works for individual site collections, but it would be difficult to do that individually if you have many site collections. There is no way in SharePoint to change more than one collection at a time.

Changing Across The Domain However, there is a SharePoint Online Management Shell script that you could modify for your use to do all site collections at once.

The Exchange module must be configured in the Retain Server before any communication between Retain and an existing Exchange message system can occur. Open the Retain management page on the Retain Server, and select Module Configuration.

Select the ‘Configure’ option in the Exchange module. A new window or tab will open with the module configuration.

The Core Setting Tab allows you to disable all jobs and disable users logging into Retain.

The module needs to be enabled on this page to make it active in the Retain system.

The module can be given a name.

The Send Method option enables either the SMTP Forwarding or FTP features. For either feature to appear and function, the Module Forwarding tab must be configured on the Server Configuration page. See that section for more information.

Normally all the checkboxes on this tab are always left selected. It is rare that you would ever deselect any of them. Two cases where you might, would be: troubleshooting, (as instructed by Technical Support), or retrieving an old email system.

The Enable Address Book Caching function allows Retain to regularly cache the online email systems address book and synchronize it with Retain. This is critical for administration, authentication, and archiving purposes. It is recommended to cache the Address Book once every 24 hours to keep the Retain storage system up to date. By default, maintenance is set to cache the Address Book once every 24 hours.

The Enable Authentication checkbox determines if end-user authentication is performed when the user logs into Retain. If it is deselected, the Retain system will NOT authenticate the user against the email system and the user will not be able to log in unless another authentication method is enabled.

The Enable Jobs checkbox determines if configured data retrieval jobs are ever passed to the Worker. Even if the individual job is fully configured and enabled, if this checkbox is switched off, no jobs configured for this module will be processed.

The Message body allows the administrator to decide whether to store either the HTML or plain text message body, or both.

Send Method

The Send Method option enables either the SMTP Forwarding or FTP features. For either feature to appear and function, the Module Forwarding tab must be configured on the Server Configuration page. See that section for more information.

If the Impersonation and Core Settings tabs are not completely configured with the correct information, the hosted system will not be archived correctly.

Enter the Impersonation user credentials.

Mark the checkbox to enable Retain support for hosted Exchange services.

Provide the path that Retain will use for the CSV files that the PowerShell Sync script will save the user list. By default: C:\Program Files\Beginfinite\Retain\RetainServer\WEB-INF\cfg

All other tabs will be ignored. Save all changes before closing the Exchange Module page.

After saving changes, return to the Retain Server's Module Configuration page, and trigger a refresh of the Address Book.

Depending on the size of the address book, it may take several minutes to return with information, but a successful configuration will return a correct address book cache date and no errors. The date should reflect the date of when the address book refresh was triggered.

The Status may show “Address Book Cache Never Run” or may list commonly mis-configured or missed items if the Refresh job fails.

Once the status is configured and the Address Book has been cached, Retain can connect to and archive messages from the Exchange server. The system is ready to have workers, schedules, profiles, and jobs configured, and those options will now appear on the main administrative interface.

The Address Book is refreshed whenever the button is pressed, during the nightly maintenance cycle, and before each job.

The job will need an Exchange profile setup to connect to the email system properly.

After the Exchange Module has been configured, the Exchange Profile will be available for configuration. If an Exchange Profile is not configured, jobs cannot be run against the Exchange system.

Click on “Add Profile” and provide a profile name, or select an already existing profile to access the configuration tabs. All changes made on this page must be saved by selecting the “save changes”, disk icon, at the top right of the page. Tabs may be changed and navigated through without affecting new settings, but any move to another page will require saving, or abandoning the changes made.

The core settings consist of an enabled/disabled option which must be enabled for any jobs based on this profile to archive anything.

For systems where the administrator wishes to have archived messages removed from the system automatically, the Messaging System Deletion option may be used. Messaging System Deletion will remove messages from a mailbox after they are archived, according to the time frame specified in the settings. The amount of time to keep messages is specified in days. The recommended setting depends on the archiving scheme in the system. For example, if messages are to persist in the system for 30 days, then the system deletion setting should be set to 30 and enabled. A setting of 0 will remove messages from the system as soon as they are archived. Be sure to configure the system before enabling the setting in the profile.

Retain can archive and select specific types of mail and Exchange system items to be archived. The Manage Settings tab provides access to manage those settings.

The Mailbox type specifies whether to include or exclude the available types of mailboxes. Because there can be multiple profiles and jobs, it may be advantageous to archive the Users and Room / Equipment mailboxes separately as needed and appropriate for the system.

The Item Type option specifies the different types of messages found in Exchange that can be archived, and allows the exclusion of or inclusion of the different individual types.

The Item Source option allows administrators to exclude or include messages that have not yet been sent or received, or posted.

The Message Status allows messages which have or have not been read or opened, or marked private or confidential to be archived. The different options in the drop-down menu are as shown.

The Scope tab dictates the date range Retain will scan in the attached archiving jobs.

Date Range to Scan

The Date Range to Scan instructs Retain to scan for, and archive, messages after, or before, a certain date. This is useful if only specific chunks or areas of mail are to be archived.

New Items: All items that have not been archived by Retain since the last time the job ran.

All Items in Mailbox: All items in the mailbox starting from 1/1/1970, duplicates will be processed but not stored if they already exist in Retain's archive.

Number of days before job start date and newer: Only items from the relative number of days from the time the job began will be archived. E.g. messages that came into the email system less than 7 days ago.

Number of days from job start date and older: Only items previous to the relative number of days from the time the job began will be archived. E.g. messages that came into the email system more than 7 days ago.

Specify custom date range: Only items between two absolute dates will be dredged.

Specify custom date range relative to job start: Only items between two relative dates will be dredged. E.g. messages that came into the email system between 7 and 5 days ago.

It is recommended to archive all New items.

The Miscellaneous tab allows access to settings detailing how messages are stored and what is archived. Attachments, message information such as the Internet headers, and how the data is stored and named, (by folders, year, or year and month), dictate not only the message store structure, but affect the storage size.

Miscellaneous options also allow for the archiving of the ‘recoverable items’. To enable checking and archiving of the ‘Recoverable Items’ for compliance reasons, select the checkbox next to the option.

The Advanced tab allows you to limit what is stored by Retain. This must be used with caution as this opens holes for data to be lost through. It is recommended to store everything since storage space is inexpensive.

Advanced Criteria

If you want to be more specific as to what to dredge or not to dredge, add the criteria here.

Each line will be logically AND-ed together. Think “Dredge all items where the following is true:” Criteria A AND Criteria B AND Criteria C AND etc.

You may select based on:

And whether they are is, is not, contains, or does not contain the items specified.

This provides flexibility and granularity. It allows customized dredges and retention for many different groups, or even individuals.

By default, we dredge items from all folders. You can specify one or more inclusions or exclusions.

Your choices are:

How to specify the list of folders to dredge/exclude:

You may now configure Schedules, Workers and Jobs.

While there isn't a way to run Powershell scripts on a Linux server, you can run the sync365.ps1 script on any Windows computer with Powershell 2.0 or higher installed and copy the resulting CSV files to the Retain server.

Create a batch file to transfer the files

You can create a small Windows 7 VM that only runs the Powershell script and then you can copy the exchangeuser.csv and exchangegroup.csv to the Retain server.

You can use the free program WinSCP to copy from a Windows computer to a Linux server.

You can use windscp.com as the basis of a batch file to copy the resulting csv files to the Retain server.

Here is an example that we used:

retain.bat
"C:\Program Files (x86)\WinSCP\winscp.com" /command ^
 "option batch abort" ^
 "option confirm off" ^
 "open scp://[user]:[password]@[retain server address]" ^
 "cd /opt/beginfinite/retain/RetainServer/WEB-INF/cfg" ^
 "option transfer binary" ^
 "put [file location on windows]*.csv" ^
 "close" ^
 "exit"

Explanation of what each line does:

#Specify that all commands are run on the command line, while using ^ to split long lines for readability.
 "C:\Program Files (x86)\WinSCP\winscp.com" /command ^
# Automatically abort script on errors
 "option batch abort" ^
# Disable overwrite confirmations that conflict with the previous
 "option confirm off" ^
# Connect replacing your own username, password and retain server address
 "open scp://[user]:[password]@[retain server address]" ^
# Change remote directory
 "cd /opt/beginfinite/retain/RetainServer/WEB-INF/cfg" ^
# Force binary mode transfer
 "option transfer binary" ^
# Upload the file to current working directory
 "put [file location on windows]*.csv" ^
# Disconnect
 "close" ^
# Exit WinSCP
 "exit"

Automate the Script

You can now automate the running of this batch file in Task Scheduler as a simple task to run before the Retain archive job. Set the run time of the task so that it will complete before the Retain job begins.