ShadowProtect Granular Recovery for Exchange
StorageCraft Copyright Declaration

StorageCraft ImageManager, StorageCraft ShadowProtect, StorageCraft Cloud, and StorageCraft Cloud Services, together with any associated logos, are trademarks of StorageCraft Technology Corporation in the United States and elsewhere. All other brands and product names are or may be trademarks or registered trademarks of their respective owners.

Table of Contents

1 GRE System Requirements
2 Installing GRE
3 GRE Licensing
4 Configuring GRE
5 Configuring Exchange Permissions
  5.1 Exchange Service Account Setup
  5.2 Alternate Exchange Service Account Setup
6 Understanding the GRE User Interface
  6.1 GRE Settings
  6.2 Search Operations
7 Recovery Operations
  7.1 Mounting ShadowProtect Images
  7.2 Restricted Mode
  7.3 Selecting the Source
  7.4 Selecting a Target
  7.5 Target Management
  7.6 Restore
  7.7 Import Mailboxes
  7.8 Export Operations
8 ShadowProtect GRE FAQs

© 2016 StorageCraft Technology Corporation StorageCraft Support Center Page 2 of 31

ShadowProtect Granular Recovery for Exchange
GRE 8.1

Welcome to Granular Recovery for Exchange (GRE). This product enables you to mount StorageCraft backup image files that contain Microsoft Exchange server database files. It provides a browser user interface (Windows Explorer-like) to search for, export (to a separate file), or restore (back to a live Exchange server) individual emails, email folders or entire mailboxes.

This document explains:
- How to install GRE
- How to configure GRE
- How to understand the User Interface
- How to perform Recovery operations

The document also includes:
- Frequently asked questions

Additional Resources: The GRE ReadMe contains the most up to date list of enhancements, known issues and fixed bugs.
1 GRE System Requirements

GRE has the following minimum software and hardware requirements, listed by component:

Operating Systems:
- Windows Server 2008 R2 (64-bit)
- Windows 7 (64-bit)
  For best results, if your Exchange is running on Windows Server 2008 R2 you should run GRE on Windows 7 or Windows Server 2008 R2.
- Windows Server 2012 R2 (64-bit)
- Windows 8, 8.1 and Windows 10 (64-bit)
  For best results, if your Exchange is running on Windows Server 2012 you should run GRE on Windows 8, 8.1 or 10 or Windows Server 2012.
Important: GRE should NOT be installed on the same machine as an Exchange server (this includes Small Business Server). This is not a supported configuration.

RAM: 2 GB minimum, 4 GB recommended.

Drive Space:
- Program space: You need at least 65 MB free to install GRE.
- Data space: You need free space that totals at least 110% of the space used by your combined database files.

Processor: Any processor that runs the compatible operating systems. Multiple processors will improve performance.

Other Hardware: A mouse is required for some of the operations. For example: to delete mailboxes or emails that you've restored you must use the mouse instead of the Del key on the keyboard.

Virtual Machine: Virtual machines can be used if they meet the System Requirements listed above.

Application: StorageCraft GRE requires the following files (which are not included with the GRE installation):
- eseutil.exe
- ese.dll
- exchmem.dll
- jcb.dll (for Microsoft Exchange 2003 or 2007 recovery)
- exosal.dll (for Exchange 2003 recovery)
Get these files from the Exchange server and copy them to the folder where GRE is installed.

MAPI: See Configuring GRE for Exchange version specific details. Install 32-bit or 64-bit Outlook (2007 SP3 or newer).
Note: GRE uses the MAPI components installed with Outlook (trial or licensed).

Licensing: See Licensing.
Important: StorageCraft GRE requires an active internet connection for initial license activation, and license validation each time you launch GRE.
Note: GRE can't run from the IT Edition USB key (on a Hyper-V guest machine) because Microsoft Hyper-V doesn't support USB pass through. Lack of USB pass through prevents ShadowProtect IT Edition license verification.

Microsoft Exchange:
- Sources: Exchange 2003, 2007, 2010, 2013, 2016
- Targets/destinations: PST files, Exchange 2003, 2007, 2010, 2013 and 2016, and can be exported to msg/txt files.

Rights: You must have local admin rights to run GRE. The GRE Mount Wizard is installed with GRE to ensure that all users have the ability to mount (WRITABLE) and dismount ShadowProtect images and access EDB files. To restore items directly to an Exchange environment you must have the proper Exchange system/domain rights.

2 Installing GRE

To Install GRE
1. Open a browser.
2. Download the GRE installation file.
3. Run ShadowProtect_GRE_Setup.exe.
Note: If you see an Unknown Error message during installation, reboot the computer and restart the installation.

To Update GRE
To update GRE (install a newer version of GRE) simply run the installer for the new version.
Note: There is no programmatic way to upgrade from GRE version 6 to the newer versions. You must uninstall version 6 then install the new version.

To Repair GRE
1. Use the Microsoft Control Panel interface and select "Uninstall a Program".
2. Find GRE in the list then click uninstall/change.
3. Choose the repair option and complete the process.

To Uninstall GRE
1. Use the Microsoft Control Panel interface and select "Uninstall a Program".
2. Find GRE in the list then click uninstall/change.
3. Select uninstall.

3 GRE Licensing

This table summarizes the StorageCraft licensing models and options for the GRE product line.
Licensing details are described below the table.

Licensing Option: ShadowProtect GRE
  EDB Options: Licensed per server, unlimited EDB files on a mounted backup volume.
  Mailbox Options: 250 Mailboxes; Unlimited Mailboxes

Licensing Option: ShadowProtect GRE for DAG
  EDB Options: Licensed per server, unlimited EDB files. Note: Must be licensed for every server in the DAG.
  Mailbox Options: 250 Mailboxes; Unlimited Mailboxes

Licensing Option: StorageCraft GRE
  EDB Options: Licensed per EDB for Exchange 2013 and later. Note: For Exchange servers earlier than 2013 it is licensed per server.
  Mailbox Options: 250 Mailboxes; Unlimited Mailboxes

Licensing Option: Project License
  EDB Options: Licensed per 60 days. Unlimited EDBs and Servers
  Mailbox Options: Unlimited Mailboxes

Licensing Option: MSP GRE
  EDB Options: Licensed per server, unlimited EDB files
  Mailbox Options: Unlimited Mailboxes

Licensing Models

StorageCraft offers two GRE licensing models:
- StorageCraft ShadowProtect Granular Recovery for Exchange
- StorageCraft Granular Recovery for Exchange

StorageCraft ShadowProtect Granular Recovery for Exchange
- For restoring from EDB files that were on a machine backed up by ShadowProtect
- Requires the EDB to be part of a mounted ShadowProtect Image
- Available via subscription from the MSP Portal

StorageCraft Granular Recovery for Exchange
- Also known as Direct-to-EDB
- For restoring from EDB files that were not part of a ShadowProtect backup
- The EDB does not need to be part of a mounted ShadowProtect Image
- Not available as a subscription from the MSP Portal

Both models are also offered in Perpetual (250 or unlimited mailboxes) or as a Project License version.
Note: The StorageCraft ShadowProtect IT Edition uses the StorageCraft Granular Recovery for Exchange (Direct-to-EDB) version.
GRE License Purchase Options
- Project (unlimited mailboxes, short term projects - 60 days)
- 250 (GRE can manage EDB files containing up to 250 mailboxes)
- Unlimited (No limit on the number of mailboxes GRE can manage in EDB files)

GRE License types

Unlicensed versions of GRE can't be used to view details (preview) or restore. The preview pane is disabled and you can't export any of your data.
- Node locked
- Server bound
- DAG

Node Locked
Node locked licenses can only be installed on one machine. You can open EDB files stored locally on the node-locked machine, and EDB files on a network share that can be seen by the node locked machine. Node locked licenses are not locked to a particular server name. When you configure your Node Locked GRE license on the StorageCraft License portal you can enter the ComputerIdentity for the computer to which the license corresponds. Otherwise the license will be locked to the first machine that installs the license using the GRE license download functionality.

To obtain the ComputerIdentity:
1. Run GRE on the target machine.
2. Go to the licenses subfolder in the GRE data folder. The default location is C:\ProgramData\StorageCraft\GRE\Licenses\ComputerIdentity.txt
3. Copy the contents of the ComputerIdentity.txt file.

Server Bound
Server bound licenses only allow you to open EDB files from a specific Exchange server which has been identified in the license as the source Exchange server.

DAG
A DAG license is different in function and price than a single GRE license. In essence a DAG license is equivalent to bundling multiple single-licenses into one license that covers all the servers in the DAG.

Special Cases

For Exchange 2013:
- StorageCraft Granular Recovery for Exchange requires a separate license for each EDB.
- StorageCraft ShadowProtect Granular Recovery for Exchange requires a separate license for each server, regardless of the number of EDB files hosted by that server.
See Exchange 2013 Licensing Scenarios near the end of this page for additional examples.

To configure and download ShadowProtect GRE licenses

Retail Licenses must be configured in the ShadowProtect Granular Recovery for Exchange Portal prior to downloading the license.
1. Enter the Product Key. This takes you to the GRE licensing page.
2. Enter your name, company name, email settings, and server name, then click Save Configuration.
3. For a DAG license, you need to buy a separate license for each Exchange server in your DAG.
Important: After purchasing the separate licenses, you need to contact StorageCraft support so they can combine the separate licenses into a single key (DAG License) for all the servers in your DAG.

MSP ShadowProtect GRE licenses must be purchased through the MSP portal. You must add one GRE product key per Exchange server. StorageCraft configures the MSP licenses based on the actual server names entered when adding the product key.
Note: Be sure to enter the server name accurately, or select your server from the drop down list in the MSP portal. This ensures that the server bound license is linked to your specific server.

To automatically download the license
1. Launch GRE.
2. Navigate to GRE>Help>Licensing>Download License.
3. Enter the product key.

To manually download and install the license
1. Click Download on the Success page and save the file.
2. Copy the downloaded license to the licenses subfolder in the GRE data folder. The default location is: C:\ProgramData\StorageCraft\GRE\Licenses\
3. If GRE is not running, start GRE to automatically find the license. GRE automatically finds the license the next time it starts.
4. If GRE is running, navigate to GRE>Help>Licensing and click Refresh Licenses.

Refreshing Licenses
In the licensing dialog you will see the licenses that pertain to your system. The "Refresh Licenses" functionality refreshes the screen AND communicates with the licensing server and refreshes the actual licenses list. Licenses that don't pertain to your system (i.e. they won't work) are visible in the folder but not in the dialog.
Note: Each Public mailbox decrements your license count. However, public folders inside a public mailbox don't decrement your license count.

GRE License Management
You can use the GRE Licensing dialog to view and manage all installed GRE license types. Select the license to view or manage from the window on the left. Information about the selected license is shown in the right window.

GRE Exchange 2013 Licensing Scenarios

ShadowProtect GRE
Exchange 2013 EDB files are hosted on a machine being backed up by ShadowProtect. ShadowProtect GRE EDBs must be on a mounted volume. ShadowProtect GRE reads the machine name of the server from the ShadowProtect image. The machine name is used to license the GRE software. This is regardless of the number of EDB files used by that instance of Exchange 2013. If those EDB files are hosted on the machine being backed up by ShadowProtect, and the GRE license is tied to that machine name, GRE will be able to open those EDB files – regardless of how many there are – 1 EDB or 10 EDB files, it is the same.

StorageCraft GRE (Direct-to-EDB)
The GRE license (Direct-to-EDB) for Exchange 2013 is tied DIRECTLY to the GUID that identifies the EDB file. This scenario requires a license for each and every unique EDB file. This is true for both DAG or standard Windows replication (a license for each unique EDB file). The GUID is always tied directly to the EDB and never changes for that EDB.
You can also back up (or replicate) these EDBs across multiple servers without requiring extra licenses (IF you have a license for each unique EDB). For example, if you have 5 EDB files replicated across 10 servers you still only need 5 GRE licenses.

Combined Example
MSP licenses are ShadowProtect GRE licenses. If you host all of your EDB files on the same server (which is being backed up by ShadowProtect) only a single license is required. If those EDBs are then replicated across multiple servers and you need to access those EDB files from any of the other servers, you need a GRE license for each of the other servers. This is because the GRE license is tied to the machine name of the server being backed up.

4 Configuring GRE

Several Microsoft Exchange Server management files (ESEUTILS) are used to check and repair EDB files (prior to use if necessary). The Exchange Server management files must be manually copied from the Exchange Server folder to the installed GRE folder (applicable for your system) as specified below.
- For GRE running on ShadowProtect IT Edition, copy the files to: <IT drive>:\GREUtils
- For GRE installed on a specific computer, copy the files to: <GRE install folder/Exchange version folder name>

GRE Install Folder Default Locations
The default GRE install folder locations are:
- %SystemDrive%:\Program Files\StorageCraft\GRE (default for GRE if you have 64-bit Outlook)
- %SystemDrive%:\Program Files (x86)\StorageCraft\GRE (default for GRE if you have 32-bit Outlook)
The default data file location is:
- %SystemDrive%:\ProgramData\StorageCraft\GRE (default data file location for both 32-bit and 64-bit GRE)
Note: ProgramData is a hidden folder on the system volume that contains program data files. These data files can be moved from the default location if your system volume has limited free space.

Using Exchange 2003 EDB files with GRE
To recover folders or messages from Exchange 2003 EDB files
1. Get a copy of the following files from the Exchange 2003 Server bin directory:
   - ESEUTIL.exe
   - ESE.dll
   - EXCHMEM.dll
   - JCB.dll
   - EXOSAL.dll
   Note: The default bin directory location for Exchange 2003 is C:\Program Files\Exchsrvr\bin\
2. Save the copy of the files to <GRE install folder location>\ese2003\.

Using Exchange 2007 EDB files with GRE
To recover folders or messages from Exchange 2007 EDB files
1. Get a copy of the following files from the Exchange 2007 Server bin directory:
   - ESEUTIL.exe
   - ESE.dll
   - EXCHMEM.dll
   - JCB.dll
   Note: The default bin directory location for Exchange 2007 is C:\Program Files\Microsoft\Exchange Server\bin\
2. Save the copy of the files to <GRE install folder location>\ese2007\.

Using Exchange 2010 EDB files with GRE
To recover folders or messages from Exchange 2010 EDB files
1. Get a copy of the following files from the Exchange 2010 Server bin directory:
   - ESEUTIL.exe
   - ESE.dll
   - EXCHMEM.dll
   Note: The default bin directory location for Exchange 2010 is C:\Program Files\Microsoft\Exchange Server\V14\bin\
2. Save the copy of the files to <GRE install folder location>\ese2010\.

Using Exchange 2013 EDB files with GRE
To recover folders or messages from Exchange 2013 EDB files
1. Get a copy of the following files from the Exchange 2013 Server bin directory:
   - ESEUTIL.exe
   - ESE.dll
   - EXCHMEM.dll
   Note: The default bin directory location for Exchange 2013 is C:\Program Files\Microsoft\Exchange Server\V15\bin\
2. Save the copy of the files to <GRE install folder location>\ese2013\.

Using Exchange 2016 EDB files with GRE
To recover folders or messages from Exchange 2016 EDB files
1. Get a copy of the following files from the Exchange 2016 Server bin directory:
   - ESEUTIL.exe
   - ESE.dll
   - EXCHMEM.dll
   Note: The default bin directory location for Exchange 2016 is C:\Program Files\Microsoft\Exchange Server\V15\bin\
2. Save the copy of the files to <GRE install folder location>\ese2016\.

Additional Information
See Microsoft's KB article "How to use eseutil.exe" for additional information.

5 Configuring Exchange Permissions

To Set up Exchange service accounts for use with GRE (Optional)
To restore e-mail content directly to a Microsoft Exchange Server you need to configure Exchange administrative permissions as described on the following pages:
- Exchange Service Account Setup
- Alternate Exchange Service Accounts Setup

5.1 Exchange Service Account Setup

Configuring Exchange Server Service Accounts
Complete the steps in this section for all supported versions of Exchange server. This is the preferred method to configure Exchange service account permissions for use with StorageCraft GRE.
1. In Active Directory Users and Computers (ADUC) create a new user. The new user is the name of your service account for the Exchange environment.
2. Create a mailbox for the service account user and log in to the account at least once to initialize the mailbox.
3. Open the Active Directory® Service Interfaces Editor (ADSI Edit or adsiedit.msc). This can be installed from the Windows OS install media (\support\tools\suptools.msi).
4. Navigate to the folder shown below then right click and select Properties.
5. Select the Security tab:
6. Click Advanced.
7. Click Add.
8. In the Enter the object name to select field, enter the username of the service account created earlier. This is the name of the new user created with ADUC in step 1.
9. Click Check Names to validate the service account created earlier.
10. Click OK when finished finding & validating the service account name.
11. This window is now shown:
12. In the Object Permissions window, find and check the Allow box for Full Control.
13. Click OK to accept new permissions.
14. Click OK again.
15. Click OK again.
Note: After you create a service account (by changing permissions), you need to restart the Exchange Information Store service on the Exchange servers for the permissions to take effect. The Information Store service is on the Server(s) with the Mailbox role.

Additional Configuration Instructions for Exchange 2010 or 2013/2016
Complete the additional steps in this section for Exchange 2010 or 2013/2016 servers.
Note: For mixed environments you need a service account for Exchange 2013/2016 (if part of the environment) and a separate service account on one of the legacy Exchange servers (Exchange Server 2010 or 2007).

To set up Exchange 2010 or 2013/2016 service accounts rights using RBAC
1. In Active Directory find and select the Microsoft Exchange Security Group OU.
2. On the right side, double click Organization Management.
3. Click the Members tab.
4. Select the name(s) to be assigned admin rights.
5. Click Add.
6. Click OK to set the selected user(s) as Exchange 2010 or 2013/2016 administrator(s).

Additional Configuration Instructions for Exchange 2003 (non-mixed)
1. Open Exchange System Manager.
2. Right click on the top Exchange organization item.
3. Choose Delegate Control.
4. Click Next.
5. Click Add.
6. Change the Role to Exchange Full Administrator.
7. Click Browse to select a User.
8. Click OK after you select the User Account.
9. Click OK to finalize the user selection.
10. Click Finish to finalize choosing Delegate Administrative access configuration.

5.2 Alternate Exchange Service Account Setup

This is an alternate method (less preferred) for setting up service accounts. Use this method if the other methods don't work.

In order to access and recover to Exchange mailboxes with ShadowProtect Granular Recovery for Exchange, the account running Granular Recovery for Exchange MUST have FullAccess to the target mailbox(es). Several PowerShell commands are included below that you can run to help enable users to access mailboxes. These scripts must be started through the Exchange Management Shell console. Additionally, the user running the Exchange Management Shell must be an Exchange administrator and have the appropriate Exchange permissions to run these cmdlets.

A Note on Exchange Permissions
There are several things you need to understand regarding the Exchange permissions and how they relate to an Active Directory environment. By default, the permissions of some domain-level accounts (i.e. the default Administrator account) have explicit DENY attributes assigned to all mailboxes (except their own) within the Exchange schema. This differs depending on the versions of Exchange and Active Directory. Exchange 2007 and Exchange 2010 will exhibit this behavior.

In order to utilize the ShadowProtect Granular Recovery for Exchange tool, the credentials used to access the mailboxes must have FullAccess rights to the mailbox they wish to manipulate. Just because the user is the Domain Admin account, it DOES NOT mean that they have rights to other mailboxes in the Exchange schema. It is therefore recommended to create a service account for use with ShadowProtect Granular Recovery for Exchange to allow a specific user account to gain FullAccess to all the Exchange mailboxes. This will enable access while still maintaining security across the domain-level accounts.

Scripts

These scripts should be used with caution.
Only the Exchange administrator or the end-user responsible for maintaining the Exchange in the organization should run them. These scripts are provided to simplify the configuration process and to give Exchange administrators common resolutions for rights issues in conjunction with the use of the ShadowProtect Granular Recovery for Exchange tool. You may run these scripts while the Mailbox stores are Mounted.

PowerShell Script One

The following script will add FullAccess rights to the specified mailbox for the specified user. The following command will only affect the specified user mailbox. It is recommended to use this script to test on a single mailbox before modifying all mailbox permissions.

    Add-MailboxPermission -Identity <mailboxname> -User <Domain Account> -AccessRights FullAccess

Example: To add the FullAccess permission to the BobWatanabe mailbox for the StorageCraft Domain ShadowProtect Granular Recovery for Exchange service account the syntax would be as follows:

    Add-MailboxPermission -Identity bobwatanabe -User StorageCraft\Administrator -AccessRights FullAccess

*This command does not appear to take time to propagate throughout the AD environment and should immediately allow access as long as the user does not have any Deny rights inherited from an AD group.
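An added example (not StorageCraft's code and not part of the original guide): a PowerShell function that reports, per mailbox, whether an account holds a FullAccess grant and whether a Deny entry on the account or one of its groups is also present, which is the condition the note above mentions. The function names, the EXAMPLE domain, the svc-gre account and the sample entries are constructed; the objects mimic the Identity, User, AccessRights, Deny and IsInherited fields returned by Get-MailboxPermission.

```powershell
# Added example, not StorageCraft code. Names and sample data are constructed.
# Input objects mimic Get-MailboxPermission output:
#   Identity, User, AccessRights, Deny, IsInherited

function Get-GreAccessReport {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Ace,      # ACEs of one or more mailboxes
        [Parameter(Mandatory=$true)] [string]   $Account,  # account GRE runs as
        [string[]] $MemberOf = @()                         # groups that account belongs to
    )
    $principals = @($Account) + $MemberOf
    $Ace | Group-Object -Property { [string]$_.Identity } | ForEach-Object {
        $mailbox = $_.Name
        # FullAccess entries that name the account or one of its groups
        $hits = @($_.Group | Where-Object {
            ($principals -contains [string]$_.User) -and
            ((@($_.AccessRights) -join ',') -match '\bFullAccess\b')
        })
        $allow = @($hits | Where-Object { -not $_.Deny })
        $deny  = @($hits | Where-Object { $_.Deny })

        if     ($allow.Count -eq 0) { $status = 'NoGrant' }
        elseif ($deny.Count -gt 0)  { $status = 'GrantWithDeny' }  # review before relying on it
        else                        { $status = 'Granted' }

        # Explicit (non-inherited) grants to the account itself are the ones
        # Add-MailboxPermission created and Remove-MailboxPermission can withdraw.
        $explicit = @($allow | Where-Object {
            (-not $_.IsInherited) -and ([string]$_.User -eq $Account)
        })

        New-Object PSObject -Property @{
            Mailbox       = $mailbox
            Status        = $status
            DenyFrom      = ($deny | ForEach-Object { [string]$_.User }) -join '; '
            ExplicitGrant = ($explicit.Count -gt 0)
        }
    }
}

# Helper that builds one constructed ACE for the offline demonstration below.
function New-SampleAce {
    param($Identity, $User, $AccessRights, $Deny, $IsInherited)
    New-Object PSObject -Property @{
        Identity     = $Identity
        User         = $User
        AccessRights = $AccessRights
        Deny         = $Deny
        IsInherited  = $IsInherited
    }
}

# Constructed sample: three mailboxes in a hypothetical EXAMPLE domain.
$sample = @(
    (New-SampleAce 'example.local/Users/Mailbox A' 'EXAMPLE\svc-gre'       @('FullAccess') $false $false),
    (New-SampleAce 'example.local/Users/Mailbox B' 'EXAMPLE\svc-gre'       @('FullAccess') $false $false),
    (New-SampleAce 'example.local/Users/Mailbox B' 'EXAMPLE\Domain Admins' @('FullAccess') $true  $true),
    (New-SampleAce 'example.local/Users/Mailbox C' 'NT AUTHORITY\SELF'     @('FullAccess','ReadPermission') $false $false)
)

Get-GreAccessReport -Ace $sample -Account 'EXAMPLE\svc-gre' -MemberOf 'EXAMPLE\Domain Admins' |
    Sort-Object Mailbox |
    Format-Table Mailbox, Status, ExplicitGrant, DenyFrom -AutoSize

# In the Exchange Management Shell, feed real entries instead of the sample:
#   $aces = Get-MailboxPermission -Identity <mailboxname>
#   Get-GreAccessReport -Ace $aces -Account '<Domain Account>'
# Once the recovery is finished, an explicit grant can be withdrawn with:
#   Remove-MailboxPermission -Identity <mailboxname> -User <Domain Account> -AccessRights FullAccess
```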
The following script will set the permissions on an entire Exchange database:

    Get-Mailbox -Database "<database>" | Add-MailboxPermission -User <Domain Account> -AccessRights FullAccess

Example: To add the FullAccess permission to all mailboxes on the Exchange database for the StorageCraft ShadowProtect Granular Recovery for Exchange service account, the syntax would be as follows:

    Get-Mailbox -Database "mailbox database 1583061650" | Add-MailboxPermission -User "StorageCraft\ShadowProtect Granular Recovery for Exchange" -AccessRights FullAccess

PowerShell Script Two

The following script may be required to allow access to all mailboxes and has been needed in addition to the Add-MailboxPermission cmdlet above. This is a "server-wide" cmdlet as it can be applied to all databases in the Exchange domain. You will need to run this for each database you want to modify permissions for.

    Get-MailboxDatabase -Identity "[mailbox database name]" | Add-ADPermission -User [username] -AccessRights GenericAll

Example: To enable our StorageCraft ShadowProtect Granular Recovery for Exchange service account GenericAll access to the Exchange database, the command would be as follows:

    Get-MailboxDatabase -Identity "mailbox database 1583061650" | Add-ADPermission -User StorageCraft\administrator -AccessRights GenericAll

PowerShell Script Three

If a service account is not being used, this script will be needed to remove the DENY attribute on the built-in domain Administrator account in Active Directory. The script below, which removes the DENY attribute on domain-level accounts (and groups), should be used with caution and with the knowledge that this is a potential security concern, as it will allow the accounts to have full access to ALL mailboxes in the Exchange domain organization.
    Get-OrganizationConfig | Remove-ADPermission -User <Domain Account> -AccessRights ExtendedRight -ExtendedRights Receive-As -Deny

Example: To remove the Deny permission for the domain-level administrator account in the StorageCraft domain, the command would be as follows:

    Get-OrganizationConfig | Remove-ADPermission -User StorageCraft\administrator -AccessRights ExtendedRight -ExtendedRights Receive-As -Deny

*This command will take time to propagate throughout the domain AD environment, so it may take some time to verify if the command was successful or not. Additionally, you can use this command for AD groups as well. If the Group name contains a space, be sure to encapsulate the domain\groupname in quotes. Example: "StorageCraft\Enterprise Administrators".

Other Useful Scripts

The following are scripts that are useful in troubleshooting and verifying Exchange settings and mailbox information.

This script will show the permissions for all users on the specified mailbox. This is useful for verifying and checking to see what permissions the AD users and groups have to the specific mailbox.

    Get-MailboxPermission -Identity <mailboxname>

This script is useful in showing the name of the currently connected mailbox database.

    Get-MailboxDatabase

Important: It is not the responsibility of StorageCraft employees to validate or be responsible for repercussions in modifying the rights and permissions of users in the Exchange environment.

6 Understanding the GRE User Interface

The GRE user interface allows you to view, restore and export Exchange email information from sources such as Exchange EDB files (Exchange 2003 - 2013/2016) or mounted ShadowProtect backup image files. The user interface consists of menu options, a toolbar and the source and target information windows.
Menu and Toolbar Options

The menu and toolbar options are shown on the left side at the top of the GRE user interface.

Menu
- File: Open Source EDB, Open Target, Export Selection, Export Selection to PST, View License String, Quit
- Tools: Hide Preview, Search Source, Generate Exchange 2013/2016 License Keys, Settings, Show Status Window
- Help: Online Help, Licensing, About

Toolbar
The toolbar is displayed below the list of menu options. The toolbar contains the following icons:
- Open Source EDB
- Open Target
- Export Selection
- Search All Sources
- Search in Source Selection
- Show Status History Window (View, Export, Clear, Hide status messages from current and past operations)
- Restores
- Exports
- Imports

Information Windows
- Source Selection (top left and top middle windows)
- Target Selection (bottom left and bottom middle window)
- Message Preview (right window)

Source Selection
- The source selection directory (top left window)
- The source email selection (top middle window)
- The message preview (right window)

Target Selection
- The target selection directory (bottom left window)
- The target email selection (bottom middle window)
- The message preview (right window)

User Interface Overview

Source Selection Directory
The top left window is the source selection window from a selected EDB file.

Drilling Down in the Directory Tree
You can drill down through this directory tree to select a folder or an individual email.

Message Preview
A preview of the selected email or message in the source or target window displays in the right window. The right window is called the preview window.

Viewing Entire Messages
If you see the error shown in the Note below, use GRE's Export function to view the entire message.
Note: If the body of an email is too large, the preview will not show the message.
Instead you'll see the following error:

Target Selection Directory
The lower left window is the target selection window. The functionality is the same as the source selection window. Select an email or message in the target selection window. The details are displayed in the target preview window. The maximum message length limitation is the same for the target messages as for source messages.
Note: If the body of a target email is too large, it can't be exported for viewing. You must use an email client such as Outlook to view the message.

6.1 GRE Settings

GRE Settings are found under Tools > Settings. This menu allows you to change settings for:
- Restoring Duplicates
- Security
- Log files
- PST files

Restoring Duplicates
If duplicate messages are found on the target, GRE can:
- Create a duplicate message (fastest)
- Skip the source message (ignore and don't copy the message)
- Overwrite the target message (slowest)

Security Settings
- Allow BCC fields to be shown and restored
- Automatically disable Windows Update during restore processes

Confirmation Settings
- Always confirm restoration location (check the box to always confirm restoration location)

Restore Links
You can set the number of Maximum simultaneous restores and exports.

Logging
The log file size limit defaults to 1 MB. A new log file is automatically created when the log file reaches the specified file size limit. The new (active) log file always retains the original file name. The log files that have reached the file size limit are renamed and saved by GRE. Typically it isn't necessary to have log files larger than the default size.

PST
Microsoft recommends 20 GB as the maximum PST file size. If the "Allow creation of additional PST files when size limit is exceeded" box is checked, GRE creates a new PST when the file size limit is reached.
If the box is not checked GRE stops the restore.

Temporary Database Settings

The default temporary database location is C:\ProgramData\StorageCraft\GRE\. You can choose any convenient temporary database location. To restore the default location:
1. Clear the field (delete all text and leave the entry window empty).
2. Click Save.

Reset all Defaults

To restore all default settings click Reset all Defaults.

6.2 Search Operations

GRE offers Basic and Advanced search options and two search modes. Basic and Advanced search functionality is available in both search modes. The search modes are:
  Search All Sources
  Search specific objects such as a single mailbox or folder.

Note: Search results appear at the top of the Source selection window. Each new search creates a separate search result entry in the list. Select a search result entry from the list to display the messages that meet the search criteria.

Basic

The Basic search dialog:

The Basic search tab lets you:
  Search for the terms in all emails in the selected path.
  Search by date (before or after a specific date).

Advanced

GRE's Advanced Search dialog:

The Advanced search tab lets you Match all fields or Match any field to search for the specified terms:
  Body
  Subject
  From
  To
  CC or BCC
  Attachment Name
  By Date scope limiters

Supported and Unsupported Search Characters

GRE supports most alphanumeric characters in the search field except those listed below:
  At sign: @
  Percent: %
  Punctuation: periods, commas, quote marks, etc.

For example, in a search for an email address such as [email protected], GRE conducts the search for "John", "Doe", "somecompany" and "com".

GRE Search Phrase Functionality

1. When a search phrase is entered in GRE:
  All text is converted to lower case.
  All entries are converted to canonical compatible Unicode equivalents.
  GRE adds a space in front of any word beginning with a letter or number.
  Note: Adding a space provides support for languages that don't typically use whitespace (for example: Asian languages). This allows using a whitespace to separate words.
2. When the search field is left blank, GRE returns all messages. This allows you to search all messages within a specified range of dates.
3. Punctuation (except the asterisk) will be ignored in searches. Words or partial words followed by an asterisk (*) will return all words or partial words that match the word in front of the asterisk. For example, if you search for 'the' (without an asterisk) then only messages that include the literal word 'the' will be returned. A search for 'the*' will return all messages that include a word that begins with 'the' including 'then', 'there', 'their', 'they', etc.
  Note: The asterisk wildcard character must be the last character in the search. You can search for 'the*' but not '*the'.
4. Multiple keyword searches:
  An AND search is used when multiple keywords are not surrounded by quotation marks. Messages containing all the keywords (in any order) will be returned.
  An exact phrase search is used when multiple keywords are surrounded by "quotation marks". Only messages with the exact phrase will be returned.
  A hybrid search will be used when an AND search and "exact phrase" search are combined. Only messages with the "exact phrase" and the individual keywords without quotation marks (in any order) will be returned.
5. Advanced searches return only messages that contain the specific search terms.

Note: You should avoid using punctuation (other than the asterisk).
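The search phrase rules above (lower-casing, Unicode normalisation, ignored punctuation, trailing asterisk, AND, exact phrase and hybrid searches) can be modelled as follows. This is an added example, not StorageCraft code: the function names and the sample mailbox are constructed, and it assumes NFKC as the Unicode normalisation and that punctuation acts as a word separator.

```python
import re
import unicodedata

WORD = re.compile(r"[^\W_]+")      # runs of letters/digits; punctuation separates words
PHRASE = re.compile(r'"([^"]*)"')  # text between straight double quotes


def tokens(text):
    """Normalise (NFKC is an assumption), lower-case and split into words."""
    return WORD.findall(unicodedata.normalize("NFKC", text).lower())


def parse(query):
    """Split a search string into exact words, prefixes and exact phrases."""
    phrases = [p for p in (tokens(q) for q in PHRASE.findall(query)) if p]
    words, prefixes = set(), set()
    for term in PHRASE.sub(" ", query).split():
        wildcard = term.endswith("*")
        body = term[:-1] if wildcard else term
        if "*" in body:
            raise ValueError(f"asterisk must be the last character: {term!r}")
        parts = tokens(body)
        if wildcard and parts:
            prefixes.add(parts.pop())   # 'the*' matches then, there, their ...
        words.update(parts)             # every remaining word must be present
    return words, prefixes, phrases


def contains_phrase(msg, phrase):
    """True if the phrase words occur contiguously, in order, in the message."""
    n = len(phrase)
    return any(msg[i:i + n] == phrase for i in range(len(msg) - n + 1))


def matches(query, text):
    """True if the message text satisfies the query; a blank query matches all."""
    words, prefixes, phrases = parse(query)
    msg = tokens(text)
    vocab = set(msg)
    return (words <= vocab
            and all(any(w.startswith(p) for w in vocab) for p in prefixes)
            and all(contains_phrase(msg, ph) for ph in phrases))


# Constructed sample messages (id -> text), not taken from any real mailbox.
MAILBOX = {
    1: "Then they left their notes there",
    2: "Is the invoice past due?",
    3: "From: Jane.Roe@example.com re: due dates, past invoice",
    4: "ＡＢＣ１２３ audit report",   # full-width characters
}


def search(query, mailbox=MAILBOX):
    """Return the ids of the messages that match the query."""
    return [mid for mid, text in mailbox.items() if matches(query, text)]


if __name__ == "__main__":
    for q in ["the", "the*", "jane.roe@example.com", 'invoice "past due"',
              "due invoice past", "abc123", ""]:
        print(repr(q), "->", search(q))
```

Because punctuation is dropped, a search for an e-mail address behaves as an AND search over its parts, so it also returns messages that merely contain those words in any order.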
You should only use letters and numbers (or the local language equivalent) in searches.

7 Recovery Operations

1. Navigate the backup image chain for the desired point-in-time to recover (applies only to ShadowProtect backup image files).
2. Right click the backup image and mount. Remember to include any images from the same backup job that contain database files and/or transaction logs. Also, do not use the Quick Mount feature as the image must be writable (applies only to ShadowProtect backup image files).
3. Launch the ShadowProtect GRE application and then open the source EDB by browsing to the location in the mounted image and the associated log file folder path if needed.
4. Select a target.
5. Restore Email messages, folders, or mailboxes.

Important: Migrating or restoring large EDBs can take a long time. To prevent rebooting during the process, ensure that Automatic updates are NOT selected in Windows Updates. If the GRE client loses connection with the Exchange Server during a restore it will try to reestablish communication for up to 3 hours before reporting an error. StorageCraft also strongly recommends disabling "Full Text Search Indexing" when migrating large EDBs to prevent network errors during the migration.

7.1 Mounting ShadowProtect Images

Mounting Images and Configuring GRE

Images containing the Exchange EDB and log files must be mounted as writable. See ShadowProtect Mounting Backup Image Files. If the EDB file is on a different volume than the log files you must mount images for both volumes. All images for a specific GRE session must be from the same ShadowProtect backup job.

Note: When configuring ShadowProtect, if the Exchange EDB and transaction logs are on separate volumes, ShadowProtect must be configured to back up the volumes as part of the same backup job.
Details

If you mount an image on a network drive, then later lose the connection to that drive (for example a VPN or a WAN connection):
1. Dismount the drive.
2. Discover and correct the connection problem.
3. Re-mount (as writable) the backup image as a drive.
4. If an I/O error is displayed (for example: This drive is not accessible.) you may need to reboot the operating system to prevent the errors.

Note: If you have ongoing problems accessing the mounted images from across the network, try copying the image chain locally (to the GRE workstation), or to physically attached external media. This allows for the fastest access and recovery times.

7.2 Restricted Mode

If you attempt to open or restore an EDB before a license is downloaded for that EDB, you'll see: "Due to license restrictions the selected action cannot be completed". This means you are viewing the mailbox data in restricted (unlicensed) mode. If this happens, download a valid license file then close and reopen the database. In unlicensed mode you can see the mailboxes and folders and the messages but not the message preview. You need a license to restore Mailboxes and folders. You also need a license to view and restore or export messages.

7.3 Selecting the Source

GRE initially starts without any open EDB source files. Open the Exchange EDB file (or multiple files if you are using more than one EDB).

To open an EDB file
1. Select Open Source. GRE displays the Open Source dialog:
2. Enter the name of the source EDB file or use Browse to select it.
3. Enter the path for the associated log files.
4. Enter the path for the mailbox store (stm) file.
5. Click Open.
6. Repeat for each EDB file wanted.

Note: Multiple EDB files must be opened from the same server, have the same server name, or have a DAG license for use with multiple server names.
The EDB file must be from one of the servers with an active DAG license.

To Open an EDB file Dialog

On a new installation the dialog to open an EDB file is displayed automatically when GRE starts. This dialog is displayed each time you open an EDB file.

If the Attempt to skip EDB recovery and repair option is not selected, the log file path (associated log file folder path) is required if the EDB was not in a clean state in the snapshot.

If the Attempt to skip EDB recovery and repair option is not selected and a log path is provided, a recovery (process pending transactions from the log files) is attempted. If the recovery fails, it attempts to repair the EDB file.

If the Skip Recovery option is selected and GRE is able to successfully skip the recovery then the database is opened. Skipping the recovery means changing the database's flag from dirty to clean and opening the database.

Warning: This has the potential for data loss and corruption.

If the Skip Recovery option is selected but GRE is not able to open the EDB (after attempting to skip recovery) it will attempt to do a recover/repair. Depending on the size of the database this might take several hours.

If you skip recovery and have problems you have to:
1. Close the database.
2. Dismount the backup file (do not save changes).
3. Mount the backup image again.
4. Open the EDB file in GRE (do not check Skip EDB Recovery or Repair).
5. After the database maintenance is finished, GRE displays the mailboxes and content.

7.4 Selecting a Target

A GRE target can be:
  A new PST file
  An existing PST file
  All mailboxes on a Microsoft Exchange server
  A single mailbox on a Microsoft Exchange server

To Create a New PST File

GRE lets you save a mailbox to a new PST file:
1. Click Open Target.
2. Select Create a New PST File.
3. Browse to where you want the file created and provide the filename.
4. Click Open. GRE creates the target PST file.

Note: This new PST file can be sent to a different Exchange server (one that the current user may not have rights to administer) for restoring.

To Open an Existing PST file
1. Click Open Target.
2. Select Open an Existing PST File.
3. Specify the PST file using either the dropdown or the Browse button.
4. Click Open. GRE opens the target PST file.

To Connect to Microsoft Exchange Server

Note: For mixed environments you need a service account for Exchange 2013 (if part of the environment) and a separate service account for one of the legacy Exchange servers (Exchange Server 2010 or 2007).

All Mailboxes
1. Click Open Target.
2. Select Microsoft Exchange Server (All Mailboxes).
3. Enter the Target server name.
   Note: The user must log in to the Target server's domain. Accessing all mailboxes requires domain authentication.
4. If you want public folders included, check Connect Public Folders.
   Note: The CAS server is required when connecting to a 2010 Exchange server that doesn't have the client access role.
5. Click Open.

Single Mailbox
1. Click Open Target.
2. Select Microsoft Exchange Server (Single Mailbox).
3. Enter the Target SMTP/Email Address name.
4. Enter the Server Name (or IP address).
5. If you want public folders included, check Connect Public Folders.
6. Click Open.

Exchange Server as a Target

When you open GRE and want to connect to the target Exchange (All Mailboxes), the current user needs to have a mailbox in the Exchange domain where you want to connect.

Note: If you are using Outlook 2013, the current user's mailbox must be hosted on Exchange 2007 or newer.
Your computer must also be a member of the Exchange domain and the user must have Exchange administrative rights (see Setting up Exchange Service Accounts below for more information).

When you connect to a single mailbox it prompts you for the mailbox credentials. You may need to include the server IP address in the host file of the server you are connecting to if you are connecting to a machine that's not part of your domain. You can connect to multiple single mailboxes at the same time. You can't use the All Mailboxes connect option to connect to an Exchange server outside the domain you are logged into.

Client Access Server (CAS)

When you connect to Exchange Server as a Target, you need to use the address for the server which is performing the Client Access Role (2010) or the Mailbox Role (2007).

In a Mixed Environment:
  Use the CAS field for connecting to an Exchange Server 2010 using the Single mailbox or All mailboxes setting.
  Do not use the CAS Role server for connecting to an Exchange Server 2007, whether using the Single mailbox or All mailboxes setting.

For single mailbox the CAS server name should be entered into the Server Name field since the CAS Server field is not shown.

7.5 Target Management

To manage a target you need to:
  Create a new folder
  Rename an existing file or folder
  Delete a file or folder

To create a new folder
1. Select the level of the Target's tree where you want to place the new folder. This could be the Inbox, the mailbox root, an existing folder or an existing subfolder.
2. Right-click on this item. GRE displays the Target Operations submenu:
3. Click Create Folder. GRE adds a new folder to the tree.
4. Name the new folder.

To rename a folder
1. Right-click on the folder in the tree.
2. Click Rename. GRE displays the insertion box with the folder's existing name.
3. Type in a new name for the folder.

To delete a folder
1. Right-click on the folder in the tree.
2. Click Delete.

Warning: GRE does not ask you to confirm the deletion. When you click Delete, the operation begins instantly. If you accidentally delete a folder, you can use the restore option in GRE to retrieve it from the backup EDB file.

To delete restored objects

You can only delete target objects that have been created in the current session. Only folders created with the Create Folder option, or during a restore operation, can be renamed. If you restore a message or mailbox, then close GRE and reopen it, the restored objects will be permanent. You must use the mouse to delete objects. Right click on the object to be deleted and click Delete from the menu.

7.6 Restore

Restoring Email messages, folders, or mailboxes can be done in two different ways:
  Use the mouse to drag the source object and drop it on the target mailbox or folder.
  Right-click the source item and copy, then right-click on a destination mailbox or folder in the target directory tree at the lower left.

Note: If you restore a specific type of Exchange item (such as a contact, calendar item, or message) to a different type of folder (for example: restoring a contact to a calendar folder, a calendar item to a contact folder, or a message to a calendar folder, etc.) it will be restored and visible in GRE, but you won't be able to see it in Outlook.

Warning: If you restore different (multiple) mailboxes or folders with the same name, to the same location, the messages from the multiple mailboxes will be mixed. If you restore (merge) multiple mailboxes (regardless of the source mailbox names) to a mailbox root folder in the target, the contents will be merged.
Note: Content deleted from mailboxes or folders will not be restored when the mailboxes or folders are restored.

7.7 Import Mailboxes

Creating a user account

The alias from the email address will be the login name for the user account that will be created and associated with a new mailbox. The new user account will have the same user domain as the current Windows user. For example: If the email address is "[email protected]" and the user domain is "mycompany.local", then the userPrincipalName is set to "[email protected]".

Importation Options

Important: StorageCraft strongly recommends disabling "Full Text Search Indexing" when importing large EDBs to prevent network errors.

Initiating the importation:
  Use the mouse to drag the source EDB or mailbox and drop it on the target mailbox or folder.
  Important: The target needs to be a mailbox store (not a mailbox or folder). Target mailboxes and folders are treated as restores, not an import.
  Right-click the source item and copy, then right-click on a destination mailbox or folder in the target directory tree at the lower left.

Full or Partial Importing:
  Import an entire EDB (all mailboxes)
  Create a single mailbox

Note: GRE imports only user mailboxes. Link mailboxes are not created. Public folders, equipment mailboxes, and all other non-user mailboxes will not be imported.

Import the entire EDB

Importing an entire EDB can only be done if there are no corresponding user accounts or mailboxes in the domain. If you created a user account or mailbox in the domain with the same name as any account or mailbox in the EDB you cannot import the entire EDB.

Important: The EDB does NOT contain the actual username associated with a mailbox. GRE only makes a best guess for what the username should be. It is possible that it won't be the same as the original username.
If a wrong username is created during importing you'll need to use Microsoft administrative tools to change the username. In other words, if any of the accounts or mailboxes already exist in the domain DON'T import the entire EDB.

Warning: If there are any conflicts (i.e. the same account name or mailbox) between the EDB to be imported and the target domain, the importation for that mailbox will be skipped.

To import the entire EDB:
1. Select the Organization Unit.
2. Enter the applicable Domain Name (See Creating a user account).
3. Enter the password you want to use as the Default.
4. Confirm the Default password.
5. Click Begin to continue or Cancel to abort.

Import a single mailbox

Important: If the user account for the mailbox you want to import already exists in the target domain, you need to Restore that mailbox to the existing account in the target domain instead of importing it.

To import a single mailbox:
1. Enter the Display Name.
2. Select the Organization Unit.
3. Enter the Email Address.
4. Enter the password for the mailbox.
5. Confirm the password.
6. Click Begin to continue or Cancel to abort.

7.8 Export Operations

GRE exports files from the Source directory in these formats:
  MSG
  TXT

To export one or more files
1. Select one or more files from the Source email selection view or select a mailbox or folder from the Source directory.
2. Right-click on the selected file(s) to open the Options Submenu:
3. Click Export Selection. GRE displays the Export Selection menu:
4. Use the selector box to choose either Message (MSG) or Text (TXT) export format.
5. Type the destination path or use the Browse button to locate the destination for the exported files.
6. Click Export.
Warning: If you export different (multiple) mailboxes or folders with the same name, to the same location, the messages from the multiple mailboxes will be mixed.

8 ShadowProtect GRE FAQs

Frequently Asked Questions

Add Exchange Server Certificate as a Trusted Root Certificate

The Exchange Server certificate must be added as a Trusted Root Certificate. This may be done by accessing a mailbox on the Exchange Server via Outlook and importing the Exchange Server certificate.

ESEUTIL.EXE error when recovering Exchange 2007 or 2003 EDB

ESEUTIL.EXE occasionally returns an error when you try to recover a 2007 or 2003 EDB file (even when the Microsoft provided DLL is in the same folder as ESEUTIL.EXE). To fix this problem, copy the JCB_x86.dll or JCB_x64.dll (depending on whether your ESEUTIL.EXE is the x86 or x64 version) over the Microsoft JCB.DLL to recover 2007 or 2003 EDB files. The files (JCB_x86.dll and JCB_x64.dll) can be found (if installed in the default location) in C:\Program Files\StorageCraft\GRE, or C:\Program Files (x86)\StorageCraft\GRE.

Mount Driver Issue - Losing Network Connections (Windows Mounting)

If you mount an image across a network connection, then lose the network connection (for example a VPN or a WAN connection), you need to dismount the drive where that image is stored, fix the network connection issues, and re-mount the backup image as a drive. If an I/O error is displayed (for example: This drive is not accessible) you may need to reboot the operating system to stop the errors from occurring.

If you are running VMware Workstation, and you want to mount a backup image, you may see a network connection issue if you attempt to use the host computer's (i.e. the computer that is running VMware Workstation) network shared folder. It causes a condition where neither the host nor VM can access the network. A VMware bridged network connection (not NAT) probably has a problem in the VMware bridged networking driver or networking subsystem.
It appears to be blocking network traffic from both the VM and the host computer. If you configure a NAT network connection for the VM it doesn't have the problem and you can use the host computer's (i.e. the computer that is running VMware Workstation) network shared folder as the destination to mount a backup image.

Display names with Unicode characters fail to connect to single mailbox on MS Exchange Server

Use the Mailbox SMTP/Email address to connect to a single mailbox.

Deleting Restored Objects

You can only delete target objects that have been created in the current session. If you restore a message or mailbox, then close GRE and reopen it, the restored objects will be permanent. You must use the mouse to delete objects. Right click on the object to be deleted and click Delete from the menu.

Soft deleted messages and folders show in Source View

In GRE, soft deleted messages and folders are shown in the Source view to allow the opportunity to restore them.

Date Variance where UTC versus Local Time

Data timestamps are recorded in Exchange databases in GMT. The local machine (and GRE) user interface translates them to local time.

File Name Length Exceeded

One rare problem can occur, especially if you have a lot of nested folders. In Microsoft operating systems you can't create folders (or a folder/subfolder tree) with a path longer than 258 characters. The total length of the tree is 258 characters (total character length). However, Exchange lets you use as many characters as you want. If this happens and you try to export it, it can lock up. Two different errors describe these conditions.

Note: Microsoft Windows has a folder/filename tree-length maximum of 258 characters. The full path length of any restored folder or file must be 258 characters or less.
Exchange allows you to have more than 258 characters for a message's folder/filename path length. If you try to export a message or folder with more than 258 characters you'll see one of the following errors:
1. File name length exceeded
2. Maximum folder/filename tree-length exceeded

If you see either of these errors, you need to restore the data to a .pst file.

Bridged Driver Loopback Error

If you are running VMware Workstation, and you want to mount a backup image, you may see a network connection issue if you attempt to use the host computer's (i.e. the computer that is running VMware Workstation) network shared folder. It causes a condition where neither the host nor VM can access the network. A VMware Bridged network connection (not NAT) probably has a problem in the VMware bridged networking driver or networking subsystem. It appears to be blocking network traffic from both the VM and the host computer. If you configure a NAT network connection for the VM it doesn't have the problem and you can use the host computer's (i.e. the computer that is running VMware Workstation) network shared folder as the destination to mount a backup image.