IT tutorials

Microsoft Exchange Server 2013 : Preserving information (part 2) - Searching mailbox content, In-place holds

11/21/2014 3:19:06 AM
- Windows 10 Product Activation Keys Free 2019 (All Versions)
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire

Searching mailbox content

The content index catalogs that are maintained by Search Foundation for mailbox databases are critical to the ability of Exchange to perform searches. If the catalogs are unhealthy or not fully populated, search results will be unpredictable or incomplete. Administrators don’t have to do anything to configure or manage Search Foundation because it is installed automatically on every Mailbox server.

Inside Out Two versions of content indexes

Exchange 2010 uses the MSSearch component to build its content indexes for mailbox databases. Exchange 2013 uses Search Foundation. Because the two versions of Exchange use different search technology, you cannot execute an eDiscovery search that encompasses mailboxes on Exchange 2010 and Exchange 2013 servers. Instead, you will have to execute one search for Exchange 2010 and another for Exchange 2013 (using separate discovery search mailboxes) and then combine the search results. For this reason, the recommendation is to move all the mailboxes that are likely to be searched to Exchange 2013 as soon as possible.

Exchange uses the same content indexes for searches by clients, including Outlook Web App and Outlook. However, Outlook uses the Exchange content indexes only when it is configured to work in online mode. Most Outlook clients are now configured in cached Exchange mode, so they use local search indexes created with Windows Desktop Search to conduct searches even when connected to a server.

Items are typically indexed within a few seconds of their creation on a server. The contents of attachments are also indexed, with the caveat that some attachments might fall into the unsearchable category. Indexing throttles back automatically in periods when Mailbox servers experience heavy load. Again, administrators don’t have to take any action for this to happen.

Exchange can search across items stored in mailboxes, archive mailboxes, and the Recoverable Items structure (and site mailboxes if this feature is deployed). It cannot search through deleted mailboxes, even if the mailbox content is still in the database because it hasn’t exceeded the deleted mailbox retention period. The searching process typically follows these steps:

  1. Determine the material that needs to be found and identify the criteria that can be used for a search, such as keywords.

  2. Create a mailbox search using the initial criteria.

  3. Perform an estimate (a search without retrieval) to assess the effectiveness of the criteria.

  4. Refine the criteria to generate search results more accurately; iterate until satisfied.

  5. Retrieve information from user mailboxes by using the final search criteria and store it in a discovery mailbox.

  6. Have the retrieved information reviewed by investigators.

Underneath the hood, Exchange uses the New-MailboxSearch cmdlet to create new searches and its companions, the Get-MailboxSearch, Start-MailboxSearch, and Stop-MailboxSearch cmdlets, to set search criteria, start or resume a previously defined search, and stop a search. Information is retrieved from the content indexes that Search Foundation maintains. If Exchange captures information from Lync 2013 conversations such as the details of phone conversations (telephone numbers of participants and so on), text for instant messaging conversations, or files that are shared between participants, this information is discoverable through mailbox searches. The same is true if SharePoint 2013 and Exchange 2013 are connected to provide the ability to conduct a single search across mailboxes and SharePoint sites from the SharePoint eDiscovery portal.

Inside Out eDiscovery search policy for exiting employees

If your company commonly needs to conduct eDiscovery searches, it’s wise to have a policy of disabling mailboxes for a month or so after someone leaves the company rather than deleting mailboxes immediately. This is especially true for mailboxes that belong to company officers or other executives, which you might need to keep for up to a year after an employee leaves the company. Office 365 attempts to address the problem of how to retain deleted mailboxes for discovery purposes with the Inactive Mailboxes feature. This feature might well surface in a future update for the on-premises version of Exchange.

Search and destroy

As mentioned earlier, EAC executes the New-MailboxSearch command when it needs to search mailboxes. Exchange also supports the Search-Mailbox command. Although EAC doesn’t use this cmdlet, you can run it in EMS to perform a search. The big difference between the two cmdlets is that Search-Mailbox can also delete content it finds, which is a useful facility when dubious or unwanted material has arrived on a server and been delivered to several mailboxes. If this happens, you can run Search-Mailbox to locate the unwanted items and remove them in one operation. For example, the following command scans all the mailboxes on a server, looking for items received during a particular period that contain the term “Great Bargain.” Any matching items are copied to a discovery mailbox, where they are stored in a folder under the Search Results root. The items are then deleted from the source mailboxes.

Get-Mailbox –Server ExServer2 | Search-Mailbox -SearchQuery "Received: > $('01/01/2013 00:00:00') AND Received: < $('01/31/2013 23:59:59')  AND Great Bargain" -LogLevel Full -TargetMailbox 'Legal Discovery Mailbox' -TargetFolder 'Search Results' -DeleteContent

The Search-Mailbox command can wreak havoc on mailboxes if it is not controlled. Before any attempt is made to remove mailbox content, it is wise to run the command in a log-only mode so that the results are reported and copied to a discovery mailbox without any deletions. When you are satisfied that the search query locates the right content in the right mailboxes, you can run the command again, this time including the DeleteContent parameter, and the content will be removed. Depending whether a hold exists on the target mailboxes, some of the information might be retained. However, this should not be an issue because the offending information is no longer available to users.

In-place holds

The legal hold mechanism available in Exchange 2010 retains mailbox data that might be required for litigation. However, a legal hold operates on an all-in basis that has a side effect of holding everything in the mailbox, including information that is not necessary for legal review. For instance, if you place a mailbox on litigation hold because the mailbox’s owner is involved in a patent action about a certain invention, the information the lawyers require is most likely anything to do with the technology covered by the patent and any interaction between the inventor and co-inventors or advisors as the invention evolved from idea to practical implementation. Messages to the inventor’s aunt asking her to come to tea on a rainy Saturday in March 2013 are unlikely to add much to the knowledge of the lawyers who seek to defend or attack the patent, but because Exchange retains everything in a mailbox when it is on litigation hold, the possibility exists that the item might be provided to the lawyers for review, something that drives up legal costs without adding anything of value to the discovery process.

The mailbox search mechanism provided in Exchange 2010 is simple to understand and execute. It is capable of uncovering vast amounts of information gathered from user mailboxes on an on-demand basis. However, like many first versions of solutions, these mailbox searches are a blunt instrument.

Inside Out Permissions Required

An account needs to be a member of the RBAC Discovery Management role group to create an in-place hold. Two important roles are present in this role group. The Mailbox Search role enables a user to create a new in-place hold and specify the query that Exchange will use to find matching content. The Litigation Hold role is required to copy matching items from user mailboxes so that investigators can review the data. It is possible to divide the two roles and create a situation in which you have a set of authorized users who are allowed to create in-place holds and another who are allowed to use the in-place holds that were previously created to retrieve and review data from user mailboxes. This creates a separation in function that often exists between those who oversee the search process and those who have to separate the wheat from the chaff in the discovered material.

A more evolved and comprehensive approach is taken in Exchange 2013, with the goal being to satisfy the following requirements:

  • Preserve items on hold immutably. That is, neither users nor a computer process can take action to alter the information stored in items that are on hold. To meet this requirement, steps must be taken to ensure that users cannot delete items from mailboxes that are on hold and that the MFA cannot remove items either.

  • Provide a method to target items that need to be held rather than having to hold everything in a mailbox. Sometimes it is necessary to hold everything, but more often, investigators are interested in specific information.

  • Preserve items indefinitely or for precise periods.

  • Allow mailboxes to be governed by different hold conditions arising from multiple investigations.

  • Make holds transparent to users; users should not have to alter the way they work just because it is necessary to hold information in their mailbox.

  • Make sure that any information that is held is indexed and remains discoverable.

Exchange 2010 satisfies many of these requirements and preserves data immutably. The biggest advance in Exchange 2013 is the introduction of the in-place hold mechanism to enable a more granular form of information preservation and more efficient searches. The idea is that instead of forcing Exchange to retain everything in a mailbox, you can formulate a precise query to identify the information in which the lawyers are really interested, instruct Exchange to hold that information, and ignore everything else. In-place holds make sure that information is retained in mailboxes until it is required and that any deletions users perform are captured so that the information can always be retrieved. In effect, Exchange 2013 supports three distinct types of mailbox searches:

  • Query-based in-place holds. These searches identify a set of criteria that Exchange uses to retain information in the mailbox. Items that meet the hold criteria remain in their normal folders unless an attempt is made to delete them, in which case Exchange retains the items in a special subfolder of the Recoverable Items folder. Microsoft presents the close integration of in-place holds with mailbox searches as a considerable advantage for Exchange 2013.

  • In-place hold without criteria. These searches require Exchange to retain information but don’t set specific criteria. This forces Exchange to retain everything in a user mailbox.

  • Regular. These searches do not require Exchange to hold any information in mailboxes. They simply search whatever the mailboxes currently contain, using the criteria provided by the person who creates the search. This is the kind of search Exchange 2010 supports.

Up to five in-place holds can be in effect on a mailbox to handle situations when it is impossible to gather all required material based on one query or when an individual comes under the aegis of multiple legal actions. You can access details of the holds that apply to a mailbox through EAC. The details pane shows the number of holds that apply for the selected mailbox (Figure 2), and you can click View Details to have EAC show you the names of the holds. Whenever multiple holds are in effect for a mailbox, Exchange combines the queries by using an OR operator to locate matching items. You can apply more than five in-place holds to a mailbox, but when this happens, Exchange applies a complete hold to the mailbox to reduce the complexity of the combined search terms specified by the various holds. In effect, when you ask Exchange to resolve search term OR search term OR search term OR search term OR search term OR search term OR search term, the resulting set of items would probably be the entire mailbox anyway. The same is true if you put a mailbox in litigation hold alongside in-place holds—all the information in the mailbox is kept.

You can view information about holds that apply to mailboxes through EAC under the In-Place Holds section of mailbox properties. Click View Details to see the holds currently in place. In this case, two holds are shown.

Figure 2. Viewing hold details for a user

The information EAC shows about in-place holds comes from the mailbox properties. You can retrieve the same information by using EMS as follows:

Get-Mailbox –Identity 'Tony Redmond' | Format-List DisplayName, InPlaceHolds

The information in Figure 2 indicates that two holds are in place, each of which is identified by a GUID that ties to the full information about the hold maintained in the Exchange configuration data in Active Directory.

When query-based searches are used, all existing data that meets the hold criteria, plus any new data created during the lifetime of the hold that meets the criteria, are retained. Like retention holds, in-place holds can be time-based and have start and end dates that control how long information is kept. Date-controlled holds are useful because they ensure that data is kept for precise periods and will be deleted thereafter. Using your patent example, you could create a date-controlled hold combined with a query to ensure that any items relating to patent applications are retained. It is also possible to create a date-controlled hold that retains items for a specific number of days based on their creation date. Unlike retention holds, mailboxes are unlikely to run into quota exhaustion because only certain items are retained rather than everything.

It is also possible to emulate the way litigation holds work in Exchange 2010 by creating an in-place hold that has no query parameters or start and end dates to force Exchange to hold all data in the target mailboxes indefinitely or until the in-place hold is removed.

The Exchange 2010 Exchange Control Panel (ECP) offers a Discovery Management section from which administrators can create and execute multimailbox searches. The equivalent place in EAC is the In-Place eDiscovery And Hold option of the Compliance Management section (Figure 11-24), which is where you formulate the queries that underpin in-place holds and execute search options to estimate, preview, and retrieve information specified by queries from user mailboxes.

This screen shot shows the In-Place eDiscovery And Hold section of EAC. Four searches are shown. Properties of Stock Trading Enquiry, the selected search, are shown in the details pane, including the number of hits for each keyword used in the search.

Figure 3. The In-Place eDiscovery And Hold section of EAC

Not all the searches shown in Figure 3 are based on in-place holds; some searches remain similar to the simpler query-based type Exchange 2010 uses. For instance, if you run the following command in EMS, you can see which searches use in-place holds:

Get-MailboxSearch | Format-Table Name, InPlaceHoldEnabled

In addition to the InPlaceHoldEnabled property being set to $True if a search uses an in-place hold, the InPlaceHoldPeriod property will be set to either Unlimited (indicating that items should be retained indefinitely) or a certain number of days to govern exactly how long items are retained.

In-place holds work for mailboxes on Exchange 2013 servers only, so if you have some mailboxes on Exchange 2007 or Exchange 2010 servers and need to conduct a search to satisfy a discovery action, you will have to:

  • Move the mailboxes to an Exchange 2013 server.

  • Arrange to conduct searches on the different server platforms and then collate the results. This is easy enough to do using multimailbox searches for Exchange 2010 mailboxes; you will need a third-party product to do the same for Exchange 2007 servers.

From the preceding, it’s obvious that the best idea is to move any mailbox that might be involved in a discovery action to Exchange 2010 or Exchange 2013 (preferably) as quickly as possible. Remember that deleted items are not moved when mailboxes migrate from Exchange 2007 servers because this version of Exchange does not use the enhanced Recoverable Items structure found in Exchange 2010 and Exchange 2013.

It is not a good idea to move mailboxes from Exchange 2013 to earlier versions of Exchange if they contain information that might be of interest to searches. As discussed earlier, retention and litigation holds remain in place only if the mailbox moves to an Exchange 2010 server. In-place holds are a new feature of Exchange 2013. Mailboxes that move to Exchange 2010 or Exchange 2007 disappear from searches that use this feature.

- Microsoft Exchange Server 2013 : Preserving information (part 1) - Putting a mailbox on litigation hold
- Microsoft Exchange Server 2013 : How the Managed Folder Assistant implements retention policies (part 2) - Retention date calculation
- Microsoft Exchange Server 2013 : How the Managed Folder Assistant implements retention policies (part 1) - Behind the scenes with the MFA
- Sharepoint 2013 : Security and Policy - SharePoint Security Groups (part 4) - Assigning New Visitor, Member, and Owner Groups at Site Creation
- Sharepoint 2013 : Security and Policy - SharePoint Security Groups (part 3) - Creating a New Group, Deleting a Group
- Sharepoint 2013 : Security and Policy - SharePoint Security Groups (part 2) - Removing Users from a Group, Group Settings and Permissions
- Sharepoint 2013 : Security and Policy - SharePoint Security Groups - Adding Users to a Group
- Microsoft Exchange Server 2013 : Messaging records management (part 7) - Setting a retention policy on a folder
- Microsoft Exchange Server 2013 : Messaging records management (part 6) - Customizing retention policies for specific mailboxes, User interaction with retention policies
- Microsoft Exchange Server 2013 : Messaging records management (part 5) - Applying a retention policy to mailboxes
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
Popular tags
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS