Upload
o365infocom
View
218
Download
1
Embed Size (px)
DESCRIPTION
Recover deleted mail items in the Exchange Online environment | Deleted mail flow | 3#7 http://o365info.com/recover-deleted-mail-items-in-the-exchange-online-environment-deleted-mail-flow-part-3-7 In the current article, we will review the following subjects: 1. The flow of a “deleted mail item” in an Exchange base environment for a standard mailbox and for Litigation Hold or In-Place Hold enabled mailbox. 2. The subject of Deleted Item retention policy, the Exchange server policy that removes deleted mail items after a specific time period and the ability to extend the default value. 3. The meaning of the terms Soft delete versus Hard delete. Eyal Doron | o365info.com
Citation preview
Page 1 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Recover deleted mail items in the
Exchange Online environment | Deleted
mail flow | 3#7
In the current article, we will review the following subjects:
The flow of a “deleted mail item” in an Exchange base environment for a
standard mailbox and for Litigation Hold or In-Place Hold enabled mailbox.
The subject of Deleted Item retention policy, the Exchange server policy that
removes deleted mail items after a specific time period and the ability to extend
the default value.
The meaning of the terms Soft delete versus Hard delete.
Page 2 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
As Exchange Online administrator, we will need to understand the deleted mail flow
for two major reasons:
1. To be able to prepare in advance, for a business need in which we need to
provide the ability for recovering mail items for a longer period than the
“standard 14 days’ period”.
2. To be able to provide the right answer for our users, in a scenario in which our
user asks us to recover for then deleted mail items.
For example, in case that the user report that the mail item was deleted two
months ago and, we did not use the option of Litigation Hold or In-Place Hold, the
answer is that the mail item cannot be recovered!
The Recoverable Items folder and deleted mail item life
cycle
Before we start with the detailed description of the “deleted mail item life cycle” it’s
important that we understand the logic of the Recoverable Items folder.
As mention, In Exchange Online environment mail items that were deleted from the
Exchange inbox “Recycle bin” (the Deleted items folder) will be moved to
the Recoverable Items folder or, if we want to be more specific, to the Deletion
folder.
The main question is: for how long this “deleted mail items” will be kept in
the Deletion folder?
The answer depends on the specific setting of the Exchange Online mailbox.
Case 1– in case that the mailbox considers as “standard mailbox” the deleted mail
items will be considered as “recoverable” for a period of 14 days.
Case 2– in case that the mailbox considers as Exchange Online mailbox with
Litigation Hold or In-Place Hold enabled, the deleted mail items will be considered
as “recoverable” for a period that will be defined by the Litigation Hold or In-Place
Hold policy (a specific time period longer than 14 days or forever).
Page 3 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The Recoverable Items folder purpose and the relevance for the
subject of deleted mail items.
The Exchange single item recovery architecture and the Recoverable Items
folder can be considered as sophisticated architecture and an infrastructure that
was created for providing many types of services.
In the current article series, we will relate only to the “part” that relate to the subject
of storing and recovering deleted mail items via the Recoverable Items folder.
By default, the Recoverable Items folder can help us to deal with a scenario of
Soft deleted and Hard delete for a period of 14 days. This “limitation” is dictated by
the Deleted Item retention policy.
Page 4 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The Exchange architecture provides a tool that will enable us to “bypass” the
limitation that is imposed by the Deleted Item retention policy for a specific user
mailbox or for multiple mailboxes.
The name of the Exchange mechanism that enable us to “bypass” the limitation
described as Litigation Hold or In-Place Hold.
Recoverable Items folder, Litigation Hold and, In-Place
Hold
One of the most confusing and unclear subject in the Exchange server architecture
is the subject of Litigation Hold and In-Place Hold.
Page 5 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the current article, we will not “dive” into a detailed description of these
components.
To simplify the understanding Exchange Litigation Hold and In-Place Hold, we can
relate to these components as a “tool” or mechanism that unable to use to override
the values of the Exchange Deleted Item retention policy that is applied on the
Exchange mailboxes.
For example –the default Exchange Online Deleted Item retention value is 14
days.
By using the option of Litigation Hold or In-Place Hold, we can set a
different Deleted Item retention policy to specific Exchange users.
For example, when we apply Litigation Hold and In-Place Hold to a specific mailbox,
we can decide what will be the value of the Deleted Item retention policy.
We can set the value of the Deleted Item retention policy to months, years or
even forever.
Page 6 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Litigation Hold versus In-Place Hold
The Litigation Hold mechanism is applied for all of the items in a specific mailbox
such as – calendar items, contact items mail items etc.
The option of In-Place Hold enables us to define more refined deleted mail item
policy.
For example, we can decide to apply the -Place Hold only to calendar items from a
specific date, etc.
In reality, the difference between Litigation Hold and In-Place Hold is much more
comprehensive but for our purpose, we can be satisfied with this simple
explanation.
Deleted mail item flow and “Life Cycle”
To be able to unveil the mystery of the Recoverable Items folder, let’s review the
object of Deleted mail item flow and “Life Cycle”.
We can classify the different “deleted mail items scenarios” in Exchange
environment to two major groups:
1. Standard mailbox – Exchange mailbox that is subject to the default Deleted
Item retention policy.
2. Exchange mailbox with a Litigation Hold or In-Place Hold enabled – an Exchange
mailbox that is not subject to the default Deleted Item retention policy.
Instead, have a “special” or dedicated Deleted Item retention policy.
Page 7 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
What is the Exchange Deleted Item retention policy?
The term – “Deleted Item retention policy” define an Exchange process that can
be described as garbage collection of non-relevant objects (mail items).
Technically speaking, when a user decides to delete a specific mail item, the
meaning is that the mail item is not relevant or not needed for the user.
When a user deletes mail item, the mail item is not acutely deleted but instead,
moved or relocated to a new folder – the Deleted items folder.
Technically speaking, the user doesn’t need to “empty or clean the Deleted items
folder. In case that an Exchange user doesn’t bother to empty the Deleted items
folder, the “deleted mail item” will stay in the Deleted items folder forever.
The only disadvantage for not emptying the Deleted items folder is that the
deleted mail item considers as part of the user mailbox quota and over time, the
deleted mail items will consume a significant part from the user mailbox quota.
Page 8 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
So let’s assume that for this reason and for a proper management of mailbox data,
the user decides to empty the content of the Deleted items folder.
The questions now are:
Q1: What happened to the mail items that were deleted from Deleted items
folder? Are they lost forever?
A1: When the user empties the Deleted items folder (delete mail items that were
saved in the Deleted items folder) the mail items are not deleted but instead,
moved or
“re located”, to an additional folder named: Deletion (one of the folders that are
include in the Recoverable Items folder).
Q2: Can the user access the content of the Deletion folder?
A2: The answer is “yes”. For example, Outlook user, can choose the option- recover
deleted items. This option will enable him to view the content of
the Deletion folder. The user will see a list of the mail items, that was deleted from
the Deleted items folder.
Page 9 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Q3: Is there any “time limitation” for the mail items that are saved to
the Deletion folder?
A3: Yes there is. The Exchange component that dictates for how long the mail items
will be saved in the Deletion folder is the Deleted Item retention policy.
By default, the Deleted Item retention policy is configured so “keep” mail items in
the Deletion folder for a period of 14 days.
In Exchange on-Premises environment, the Exchange administrator can configure
the default value of the Deleted Item retention policy to any desired period.
In Exchange Online environment, the default value of the Deleted Item
retention can be extended over to a maximum period of 30 days.
The reason for this time limitation that are being enforced by the Deleted Item
retention is the process that I described as: “garbage collection”.
The Exchange server, need to manage the user mailbox data effectively.
The meaning – verify that the user mailbox will be restricted to a predefined
amount of storage and that this “storage” will be managed in an effective manner.
“new deleted mail items” will be saved and “old deleted mail items” will be removed
(deleted).
Q: What is the Exchange Deleted Item retention policy?
A: The Deleted item policy is an Exchange server policy, which “attached” to the
Recoverable Items Folder.
The purpose of the “Deleted item policy” is to optimize the management of
the Recoverable Items folder partition.
By default, the Recoverable Items folder partition serve as a temporary storage for
deleted mail items.
The Recoverable Items folder storage, provide a “grace period”, in which users can
“regret” and recover mail items although the mail was deleted from the inbox
“Recycle bin” (the Deleted items folder).
Page 10 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The Exchange Deleted Item retention policy serves as a “gatekeeper” or as the
“Exchange janitor”, that help the Exchange to manage his storage effectively by
keeping the Recoverable Items folder neat and tidy.
Page 11 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Q1: Does Exchange Online graphic management interface includes an option for
change the default value of the Deleted Item retention policy?
A1: No, the only way for extend the default value of the Deleted Item
retention policy to a time period of 30 days, is by using a PowerShell command.
The process or running the PowerShell command, will be needed to be
implemented for each new Exchange Online mailbox that will be created in the
future.
In the following screenshot, we can see the interface that is available when using
Exchange on-Premises 2010 version. The value of the Deleted Item retention is
set by the database level under the section of – Keep deleted items for(Days):
Page 12 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Q2: What will happen to a deleted mail item after 14 days?
A2: Exchange server will permanently delete all the mail items that save in
the Deletion folder that their “age” is over 14 days.
Q3: Is there any way for recovering mail items that were deleted from
the Deletion folder?
A3: No, there is no way!
Q4: Is there any way for “extending” the Deleted Item retention policy for a longer
period of for unlimited time?
Page 13 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
A4: Yes, Exchange Online and Exchange on-Premises server (Exchange version
2013) support two types of “solutions” that enable us to “override” the limitation
that is opposed by the
Deleted Item retention policy.
The available options are:
Exchange litigation Hold
In-Place Hold
When using one of this option, we are “removing” the time limitation that applied
on the deleted mail items that stored in the Deletion folder and the Purges folder.
Soft delete versus Hard delete.
Before we continue, I would like to briefly review two terms that relate to the flow
of the deleted mail item – Soft delete and Hard delete.
Page 14 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Soft Delete
When a user deletes a file and then, delete the file from the Deleted items folder,
the operation considered as Soft Delete.
We use the term “Soft” because – although the mail items were deleted from
the Deleted items folder, the file is not really deleted.
The user still of an option to recover the mail item by himself for a period of 14
days.
The “operation” of Soft Delete can be implemented by using the keyboard key
combination: SHIFT + DEL.
When select mail item and press on the combination keyboard key – SHIFT + DEL,
the deletion “bypass” the step in which the mail item sent to the Deleted items
folder and instead, the mail item sent directly to the Deletion folder.
Hard Delete
The term “Hard Delete” define a scenario in which the user access the content of
the Deletion folder (the folder that store mail items that were deleted from
the Deleted items folder) and, delete the mail item\s that store in this folder.
Theoretically, we can assume that is this scenario the mail item is “lost forever” but
in reality, although the user deletes the mail item\s from the Deletion folder the
mail item is not deleted but instead, relocated to the Purges folder.
We use the term “hard” because in this scenario, the user “lost” his ability to recover
the mail item by himself.
Only the Exchange administrator has access to the Purges folder and, only the
Exchange administrator can recover mail items that stored in this folder.
Note – an exception for this “rule” that enables “standard user” to access
the Purges folder is a utility named – MFCMAPI, which we will review in the next
section.
Page 15 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
General thoughts about Soft delete and Hard delete.
User (mailbox owner) have the ability to implement an event of:
1. Standard mail item deletion
2. Soft delete
3. Hard delete
The Outlook\OWA mail client enables a user to recover mail items in a scenario of
1. Standard mail item deletion
2. Soft delete
The Outlook\OWA mail client doesn’t include an option that enables users to
recover mail items in a scenario of Hard delete, in which the mail item was moved
to the Purges folder (or to the DiscoveryHolds folder in case that we use the
option of In-Place Hold).
Page 16 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Deleted mail item flow scenarios
To understand better the purpose and that way that Recoverable Items
folder “work”, let’s review three scenarios of “deleted mail item flow” in an
Exchange based environment.
To demonstrate the “deleted mail item flow” we will review three different
scenarios:
Scenario 1: Standard Exchange mailbox
Scenario 2: Exchange mailbox with Litigation Hold enabled
Scenario 3: Exchange mailbox with In-Place Hold enabled
Scenario 1: standard user mailbox (no use of Litigation Hold or In -
Place Hold)
Step 1 – user decides to delete a specific mail item. The mail item is “moved” to
the Deleted items folder.
Step 2 – the user decides to empty the Deleted items folder and delete all the mail
items that existed.
The mail items are not deleted but instead – relocated to the Recoverable Items
folder “partition”, to the Deletion folder.
The mail item will be kept in the Deletion folder for a period of 14 days. At the end
of the period of 14 days, all the mail item that are “older” then 14 days will be will
be permanently deleted.
Step 3 – as mention, each user has an access to the content of
the Deletion folder when using the option of – “recover deleted items”. In case that
the user decides to “empty” the content of the Deletion folder, the mail item is
relocated and placed on the Purges folder.
The mail item will be kept in the Purges folder for a period of X days until the “age”
of the mail items is more than 14 days.
At the end of the period of 14 days, all the mail item that are “older” then 14 days
will be will be permanently deleted.
Page 17 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
We use the term “X days” because, we don’t know what was the age of the mail that
is located in the Deletion folder.
For example – in a scenario in which the mail item age that is located in the
Deletion folder is four days when the user deletes the mail item, the mail item will
be relocated and saved to the Purges folder for a period to 10 days.
The reason for the “10 days” period is that by default the Deleted Item
retention define the range of “14 days” for the Deletion folder +
the Purges folder”
Scenario 2: Exchange mailbox with Litigation Hold enabled
The option of Exchange Litigation Hold enables us to set a different value for the
deleted mail items stored in the Recoverable Items folder that is different than
the value of the Deleted Item retention policy.
When using the option if Litigation Hold, we are able to “block” the Deleted Item
retention policy that is applied on the Purges folder.
Page 18 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
As mention, by default mail items within the Purges folder will be saved up to a
maximum period of 14 days.
When using the option of Litigation Hold, Exchange administrator can decide about
the time period in which the deleted mail items will be saved to the Purges folder.
The “time period” could be defined a specific value for the number of days or can
be set for an unlimited time period (for forever).
Note – the ability to use the Litigation Hold depend on the specific license that is
assigned to the Office 365 user. Only when using Office 365 plan E3 license or
Exchange license plan 2, the option of Litigation Hold is available.
The deleted mail flow in a scenario of – “Exchange mailbox with Litigation Hold
enabled” is almost identical to the former scenario of – standard mailbox.
The main difference is that now; the Exchange administrator could recover deleted
mail items locate in the Purges folder for the time period that was defined in the
Litigation Hold policy.
For example – in case that the Litigation Hold policy for the mail box was defined
with a value of 3,000 days. The Exchange administrator will have the ability to
recover deleted mail items that their “age” is up to 3,000 days.
Page 19 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Scenario 3: Exchange mailbox with In-Place Hold enabled
The option of – In-Place Hold, is similar to the Exchange Online option of – Litigation
Hold.
We will not review in details the differences between these two methods but
instead, just mention that the Exchange method of In-Place Hold, consider as more
advanced mechanism, that has more options and capabilities versus the Exchange
Litigation Hold.
The main difference between a scenario in which In-Place Hold is enabled versus
Litigation Hold is that when we use the option of – In-Place Hold, a new folder
named:
DiscoveryHolds folder is added to the hierarchy of the Recoverable Items folder.
When the Exchange Online mailbox configure as – In-Place Hold is enabled, the
logic of the deleted mail items flow is implemented as follows:
Page 20 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Step 1 – user decides to delete a specific mail item. The mail item is “moved” to
the Deleted items folder.
Step 2 – the user decides to empty the Deleted items folder and delete all the mail
items that exist in this folder.
The mail items are not deleted but instead – relocated to the Recoverable Items
folder “partition”, to the Deletion folder.
The mail item will be kept in the Deletion folder for a period of 14 days. At the end
of the period of 14 days, all the mail item that are “older” then 14 days will be will
be moved to the DiscoveryHolds folder.
Step 3 – In case that the user “empty” the content of the Deletion folder, the mail
is relocated and placed “Immediately” in the DiscoveryHolds folder.
The Exchange administrator will have the ability to access the content of
the DiscoveryHolds folder and recover\restore mail items, based upon the time
period value that was set by the In-Place Hold and based on the In-Place Hold
“terms” that was defend.
For example – in case that the In-Place Hold policy that was applied to the user
mailbox define to “hold” only calendar mal items for unlimited time period, the
Exchange administrator will have the ability to recover deleted mail item that
consider as “calendar mal items” for unlimited time period but this “ability”, could
not be implemented for other type of mail items such as contact mail item, note
mail items and so on.
Page 21 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Recoverable Items Folder and Mailbox quota
Each time when a new Exchange mailbox is created, Exchange allocates a dedicated
storage quota for the Recoverable Items folder.
The quota that is allocated to the user mailbox is not affected in any way by the
quota that allocated to the Recoverable Items folder.
In Exchange Online environment, each mailbox has a storage limit of 50 GB and
additional
30 GB storage allocated for the Recoverable Items folder.
Page 22 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
When we apply Litigation Hold or In-Place Hold for an Exchange Online mailbox,
Exchange Online, automatically extend the Recoverable Items folder quota size to
100 GB.
To demonstrate the subject of – Recoverable Items folder and mailbox quota, let’s
use the following example.
John is an Exchange Online user who has a “standard mailbox”.
Page 23 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
To be able to see the default size of the Recoverable Items folder partition, we will
use the following PowerShell command:
Get-Mailbox John | fl Recoverable*
In the following screenshot, we can see that Exchange Online allocate a “dedicated”
quota for the Recoverable Items folder that described as RecoverableItemsquota
We can see that the default Recoverable Items folder quota is 30 GB
After we have assigned the option of Litigation Hold to John mailbox and, run again
the same PowerShell command, we can see that the Recoverable Items
folder quota is 100 GB
Stretching the Exchange Deleted item policy
In Exchange on-Premises environment, Exchange administrator can decide how to
set the default value of the Deleted Item retention.
Page 24 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In Exchange Online environment, the default value of the Deleted item policy is set
to 14 days.
For Office 365 customers who have purchased Office 365 business license, this
value cannot be updated into “higher” value.
For Office 365 customers who have purchased Office 365 Enterprise E1, E3, E4
licenses or Exchange plan 2 license, Exchange Online administrator have the
privilege to extend the default value up to 30 days.
The ability to “starch” the value of the Deleted Item retention policy is
implemented by using PowerShell command.
The property that represent the value of the Deleted Item retention policy is –
“RetainDeletedItemsFor”
Page 25 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the following screenshot, we can see we can see an example to the default value
of the Deleted item policy.
The value of the property RetainDeletedItemsFor is 14 days.
To change this value of the Deleted Item retention policy, we can use a
PowerShell command.
For example, to “extend” the Deleted Item retention policy of John mailbox up to
30 days, we can use the following PowerShell command:
Get-Mailbox John| Set-Mailbox -SingleItemRecoveryEnabled $True -RetainDele
tedItemsFor 30
In the following screenshot, we can see that the value of
the RetainDeletedItemsFor was updated in now the value is: 30 days.
Page 26 of 26 | Recover deleted mail items in the Exchange Online environment | Deleted
mail flow | 3#7
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In case that we want to test this “Hard limit”, let’s use the PowerShell with a value
greater than 30 days.
In the following example, we try to use the PowerShell command with a value of 31
days.
The result is the following error:
The operation on mailbox “John” failed because it’s out of the current user’s write
scope. The value of properties ‘RetainDeletedItemsFor’ exceeds the maximum
allowed for user ‘John’ with license ‘BPOS_S_Enterprise’.
In case that we want to extend the value of the Deleted Item retention policy for
all of the Exchange Online users, we can use the following PowerShell command:
Get-Mailbox | Set-Mailbox -SingleItemRecoveryEnabled $True -RetainDeletedI
temsFor 30
Additional reading
Configure Deleted Item retention and Recoverable Items quotas
Change the deleted item retention period for a mailbox in Exchange Online
Single Item Recovery in Exchange Server 2010