UNC403 Native Data Protection in Exchange 2010 Service Pack 1
Ross Smith IV, Principal Program Manager, Exchange Server, Microsoft Corporation

Session Objectives And Takeaways
• Session Objective(s):
  • Explain backup strategy for Exchange 2010
  • Provide an overview of native data protection features
• Key Takeaway 1: New features provide an alternative to traditional backups
• Key Takeaway 2: Exchange 2010 lowers costs while improving the IT Pro disaster recovery experience

Exchange Native Data Protection: Let's Begin
• What is this Native Data Protection concept?
• Exchange Native Data Protection relies on Exchange itself to protect your mailbox data, without any VSS backups
Disaster Recovery Scenarios: A Historical Perspective

Reason for Backup | Exchange 2003 | Exchange 2007
Software / Hardware / Datacenter Failures | Third Party SAN Replication | CCR and/or SCR
Accidental / Malicious Item Deletion | Point-in-Time (PIT) Backup | PIT Backup or SCR
Physical Corruption | PIT Backup | Database Reseed
Logical Corruption | PIT Backup | PIT Backup or SCR
Administrative / Automation Errors, Rogue Administrators | Isolated PIT (iPIT) Backup | iPIT Backup
Corporate / Regulatory Compliance Requirements | Third Party Solution or iPIT Backup | Third Party Solution or iPIT Backup
Long-term Data Retention | Third Party Solution or iPIT Backup | Third Party Solution or iPIT Backup

Disaster Recovery Scenarios: Exchange 2010's Perspective

Reason for Backup | Exchange 2010
Software / Hardware / Datacenter Failures | Mailbox Resiliency
Accidental / Malicious Item Deletion | Single Item Recovery
Physical Corruption | Single Page Restore
Logical Corruption | Single Item Recovery, Calendar Repair, Mailbox Moves, New-MailboxRepairRequest, and/or PIT Backup
Administrative / Automation Errors, Rogue Administrators | RBAC or iPIT Backup
Corporate / Regulatory Compliance Requirements | Exchange 2010 features, Third Party Solution or iPIT Backup
Long-term Data Retention | Personal Archive
Mailbox Resiliency: Software / Hardware / Datacenter Failures
• Goal
  • Minimize downtime and data loss after a failure with a single solution across the entire deployment
• Features
  • Data redundancy provided by up to 16 database copies in geographically distributed sites
  • Database level failover
  • Continuous log data shipping

Mailbox Resiliency Overview (diagram)
• A Database Availability Group (DAG) of six Mailbox servers stretched across two AD sites (Dallas and San Jose), each site with its own Client Access and Hub Transport servers; databases DB1 through DB5 each have copies on several Mailbox servers
• Clients connect via CAS servers, never to a Mailbox server directly, so a database switchover is transparent to them
• Failover is managed within Exchange and is database-centric: a single database copy is activated on another server rather than failing over the whole server
• Easy to stretch across sites

Continuous Replication (diagram)
• File mode: the active copy finishes writing a log file (Exx.log), the passive copies receive the closed file, inspect it, and replay it into their database copy
• Block mode (SP1): as log data enters the ESE log buffer on the active copy it is also sent to the replication log buffer on each passive copy, so the passive copy is up to date before the log file is even closed; when the active fails, the log fragment already received is detected and converted to a complete log
• A passive copy that is behind asks the active for what it is missing ("Send me the latest log files… I have log 2"); a log is built and inspected per file until the copy is up to date, after which block mode takes over again
Single Page Restore: Physical Corruption
• Physical corruption definition: the underlying Extensible Storage Engine (ESE) structure is corrupt
• Why did we implement single page restore?
  • The use of JBOD storage and the removal of RAID protection mechanisms requires that the application provide a mechanism to self-heal when bad blocks on the storage media cause physical corruption within the database
• Only used to heal HA database copies
  • Lagged database copies do not leverage single page restore
  • Use RAID to protect lagged database copies

Single Page Restore (Active Copy)
Scenario: page corruption (e.g. a -1018 checksum error) is detected on the active copy of DB1 in a DAG with two passive copies (DB1-CopyA, DB1-CopyB).
1. The active database places a marker in the log stream to notify the passive copies to ship an up-to-date copy of the page
2. Each passive receives the log, replays up to the marker, retrieves the good page, invokes the Replay Service callback and ships the page
3. The active receives the good page, writes the page to the log, and the database page is patched
4. Subsequent page repairs arriving from additional copies are ignored

Single Page Restore (Passive HA Copy)
Scenario: page corruption (e.g. -1018) is detected on a passive database copy.
1. The passive copy pauses log replay (log copying continues)
2. The passive retrieves the corrupted page number from the active using the database seeding infrastructure
3. The passive copy waits until the log file that meets the maximum required generation requirement has been copied and inspected, then patches the page
4. The passive copy resumes log replay

Mailbox Resiliency Benefits
• Key Benefits
  • Improved availability, reliability, and fast recovery with minimal data loss
  • 30 second database activation events
  • Native replication features that include log inspection and page patching
  • SP1 adds Continuous Replication Block Mode
  • Enables deployment of large, low-cost mailboxes due to a fast recovery mechanism
  • The same automated database failover process is used for a range of failures: disk, server, network
• For more information
  • See UNC401 - Microsoft Exchange Server 2010: High Availability Deep Dive
  • See UNC321-IS - Microsoft Exchange 2010 SP1 High Availability: Ask The Experts
Dumpster 1.0 Issues: Accidental/Malicious Item Deletion
• What if the deletion timestamp is beyond the deleted item retention period?
  • You have to restore from backup (if you have one that goes back to before the purge)
• No way to prevent a user from accidentally or maliciously deleting the item out of the dumpster
• Dumpster 1.0 is a view stored per folder
  • Cannot be searched or indexed
  • Not moved with the mailbox

Dumpster 2.0, aka the Recoverable Items Folder
• Implemented as a folder hierarchy in the non_ipm_subtree of the mailbox
  • Means data moves with the mailbox
  • Means the data is discoverable
• Has configurable quotas to mitigate denial of service attacks (a user or application cannot fill the database by deleting and re-deleting data)
• Used in combination with two mechanisms to retain data:
  • Short-term preservation of data (single item recovery)
  • Long-term preservation of data (legal hold)

Single Item Recovery
• Goal
  • Retain all deleted and modified items for a specified duration
• Features
  • Enabled per mailbox, disabled by default
    Set-Mailbox UserA -SingleItemRecoveryEnabled $true
  • Retention duration is configured per mailbox or per database (a mailbox follows the database value until UseDatabaseRetentionDefaults is set to $false; the quota-defaults switch does not affect retention)
    Set-Mailbox UserA -RetainDeletedItemsFor 90 -UseDatabaseRetentionDefaults $false
    Set-MailboxDatabase DB1 -DeletedItemRetention 30
  • Recoverable Items folder quota defaults
    • 20 GB warning quota: items begin to be deleted (FIFO, oldest first), so the effective retention window shrinks for that mailbox
    • 30 GB quota: Recoverable Items folder full
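As an added example (not part of the deck), the following Exchange Management Shell script applies the settings above to a whole database and then reports how close each mailbox's Recoverable Items folder is to the warning quota, which is the point where FIFO deletion starts eating into the retention window. The database name DB1 and the 90-day item-recovery SLA are assumptions.

```powershell
# Added example: enforce a deleted-item retention SLA on one database and watch
# the Recoverable Items warning quota. Exchange 2010 SP1 Management Shell.
# Assumed values: database "DB1", 90-day item-recovery SLA.
$Database = "DB1"
$SlaDays  = 90

# 1. Database-wide retention window (format dd.hh:mm:ss). Mailboxes with
#    UseDatabaseRetentionDefaults = $true inherit this value.
Set-MailboxDatabase -Identity $Database -DeletedItemRetention "${SlaDays}.00:00:00"

$mailboxes = Get-Mailbox -Database $Database -ResultSize Unlimited

# 2. Single Item Recovery is off by default; without it a user can still purge
#    items out of Recoverable Items\Deletions before the window expires.
$mailboxes | Where-Object { -not $_.SingleItemRecoveryEnabled } |
    Set-Mailbox -SingleItemRecoveryEnabled $true

# 3. Mailboxes that override the database default must not undercut the SLA.
$mailboxes |
    Where-Object { -not $_.UseDatabaseRetentionDefaults -and
                   $_.RetainDeletedItemsFor.Days -lt $SlaDays } |
    Set-Mailbox -RetainDeletedItemsFor "${SlaDays}.00:00:00"

# 4. Report Recoverable Items usage against the warning quota that applies to
#    each mailbox (database default unless the mailbox overrides quotas).
$dbWarn = (Get-MailboxDatabase -Identity $Database).RecoverableItemsWarningQuota

$mailboxes | ForEach-Object {
    $quota = if ($_.UseDatabaseQuotaDefaults) { $dbWarn } else { $_.RecoverableItemsWarningQuota }
    $warnBytes = if ($quota.IsUnlimited) { [double]::PositiveInfinity } else { $quota.Value.ToBytes() }

    # Root, Deletions, Versions and Purges come back as separate folders.
    $folders = Get-MailboxFolderStatistics -Identity $_.Identity -FolderScope RecoverableItems
    $bytes   = ($folders | ForEach-Object { $_.FolderSize.ToBytes() } | Measure-Object -Sum).Sum

    New-Object PSObject -Property @{
        Mailbox       = $_.Alias
        RecoverableMB = [math]::Round($bytes / 1MB, 1)
        PercentOfWarn = [math]::Round(100 * $bytes / $warnBytes, 1)
        VersionsItems = ($folders | Where-Object { $_.FolderType -eq "RecoverableItemsVersions" }).ItemsInFolder
    }
} | Sort-Object PercentOfWarn -Descending |
    Format-Table Mailbox, RecoverableMB, PercentOfWarn, VersionsItems -AutoSize
```

Run it after the nightly Managed Folder Assistant cycle; a mailbox trending toward 100% on PercentOfWarn is one whose retention window is about to be cut short, and the VersionsItems column shows whether copy-on-write of edited items (common with bulk-modifying add-ins) is what is filling it.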
Single Item Recovery (diagram): the life of a message
Mailbox: 1-2 years of e-mail, 2-10 GB in size, available online and offline
1. Message delivered to the Inbox
2. Message moved to Deleted Items
3. Message deleted from Deleted Items (moved to Recoverable Items\Deletions, where the user can still recover it)
4. Message "purged" by the user from Deletions (moved to Recoverable Items\Purges, which the user cannot see)
5. Message edited (the original is kept in Recoverable Items\Versions)
6. Messages are purged from Recoverable Items by the 14-day (or custom deleted item retention window, DIRW) policy
Legal Hold
• Goal
  • Retain all deleted and modified items for the duration of a legal claim
• Features
  • Enabled per mailbox, disabled by default
    Set-Mailbox UserA -LitigationHoldEnabled $true
  • Can notify the user that litigation hold has been enabled within Outlook 2010
    Set-Mailbox UserA -RetentionURL <legal URL>
    Set-Mailbox UserA -RetentionComment <legal note>
  • Recoverable Items folder quota defaults
    • 20 GB warning quota: an application event is logged (nothing is deleted while the mailbox is on hold)
    • 30 GB quota: Recoverable Items folder full

Legal Hold (diagram): the life of a message
Mailbox: 1-2 years of e-mail, 2-10 GB in size, available online and offline
1. Message delivered to the Inbox
2. Message moved to Deleted Items
3. Message deleted from Deleted Items (moved to Recoverable Items\Deletions)
4. Message "purged" by the user from Deletions
5. Message edited (the original is kept in Recoverable Items\Versions)
6. Messages are moved to the Purges folder (based on the deleted item retention window), but are not purged from the system
Single Item Recovery Benefits
• Key Benefits
  • Easy admin recovery of purged items from the Exchange Control Panel (requires an Enterprise CAL)
  • Cmdlets can also recover purged items (no Enterprise CAL required): http://msexchangeteam.com/archive/2010/04/26/454733.aspx
  • Dedicated backup admins are not required to perform item recovery
  • Lowers the cost of the solution
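The cmdlet path mentioned above, shown as an added example rather than code from the deck or the linked post: Search-Mailbox is used to stage the purged items in a discovery mailbox and then to copy them back. The user name UserA, the query text, and the use of the default "Discovery Search Mailbox" are assumptions; the operator needs the Mailbox Search role (Discovery Management role group) and the Mailbox Import Export role, both of which Search-Mailbox checks.

```powershell
# Added example: recover items a user purged from Recoverable Items, using the
# cmdlet path that needs no Enterprise CAL. Exchange 2010 SP1 Management Shell.
# Assumed: user "UserA", the default discovery mailbox, operator holds the
# Mailbox Search and Mailbox Import Export roles.
$User      = "UserA"
$Discovery = "Discovery Search Mailbox"
$Stamp     = Get-Date -Format yyyyMMdd-HHmm
# Keep the query as narrow as the request allows; everything it matches is copied.
$Query     = 'subject:"Q3 forecast" AND from:"cfo@contoso.com"'

# 1. Estimate only: nothing is copied, the result carries item count and size.
Search-Mailbox -Identity $User -SearchQuery $Query -SearchDumpsterOnly -EstimateResultOnly

# 2. Copy the hits from Recoverable Items (Deletions, Versions, Purges) into a
#    dated folder of the discovery mailbox. -LogLevel Full attaches a CSV
#    manifest of every item copied, which doubles as the recovery record.
Search-Mailbox -Identity $User -SearchQuery $Query -SearchDumpsterOnly `
    -TargetMailbox $Discovery -TargetFolder "Recovery-$User-$Stamp" -LogLevel Full

# 3. Hand the items back: search the staging copy in the discovery mailbox and
#    copy the hits into a "Recovered" folder of the user's own mailbox, so the
#    user sees them in Outlook/OWA without any admin-side export.
Search-Mailbox -Identity $Discovery -SearchQuery $Query `
    -TargetMailbox $User -TargetFolder "Recovered-$Stamp" -LogLevel Full

# 4. Optional clean-up so user data does not accumulate in the discovery
#    mailbox. Delete is a separate, confirmable step on purpose.
Search-Mailbox -Identity $Discovery -SearchQuery $Query -DeleteContent -Confirm:$false
```

Step 3 searches the discovery mailbox rather than the user's dumpster, so it only returns what step 2 staged; if several recoveries with the same query are staged, scope the query further (for example by adding the folder name) before step 4.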
What are Logical Corruptions?
• There are two types of logical corruption scenarios
  • Database logical corruption: the page checksums correctly, so ESE sees no physical damage, but the data on the page is logically wrong
  • Store logical corruption: data is added, deleted, or manipulated in a way that the user doesn't expect; generally caused by third party applications

Dealing with Logical Corruptions
• With Single Item Recovery, you can recover the original (not corrupt) version if the edited version is corrupt
• The Calendar Repair Assistant detects and corrects inconsistencies in single and recurring meeting items for mailboxes homed on that Mailbox server, so that recipients won't miss meeting announcements or have unreliable meeting information
• During mailbox moves, the Mailbox Replication Service detects corrupted items and will not move those items to the target mailbox database
• Service Pack 1 introduces New-MailboxRepairRequest, which can address corruptions with search folders, item counts, folder views, and parent/child folder issues
• For the corner cases not covered by the above items, you could utilize a PIT backup: either a traditional VSS backup or a lagged database copy

Lagged Database Copy
• Goal
  • Recover to a past point in time
• Features
  • Ability to delay the replay of log files within a database copy for up to 14 days
    Set-MailboxDatabaseCopy -Identity MBXDB1\Server1 -ReplayLagTime 14.0:0:0
  • Log replay brings the database to a specific point in time
  • Restricted access to the lagged database copy server provides rogue admin protection
  • Can be maintained in a separate data center
Lagged Database Copy Recovery Steps (diagram)
DAG with DB1 active on Mailbox Server 1, HA copies on Mailbox Servers 2 and 3, and a lagged copy on Mailbox Server 4 that has received logs 1-7 but not yet replayed them.
1. Suspend replication to the lagged copy
2. Take a VSS snapshot of the lagged copy
3. Select the logs to replay (in the diagram, logs 1-5: everything up to the required point in time)
4. Replay the logs with ESEUtil
5. Copy the database into a recovery database and use it for recovery
6. Revert the VSS snapshot so the lagged copy returns to its pre-replay state
7. Resume replication
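The seven steps above as an added, runnable example (not the deck's own script), using the Exchange 2010 SP1 cmdlets and ESEUtil. Instead of a VSS snapshot it works on a file copy of the suspended lagged copy, which is slower but means the lagged copy is never modified and step 6 becomes unnecessary. The names DB1, MBX4, the paths under F:\, the mailbox UserA and the target time are all assumptions.

```powershell
# Added example: point-in-time recovery from a lagged copy. Run on the lagged
# copy server (MBX4) in the Exchange 2010 SP1 Management Shell.
# Assumed: database DB1, lagged copy files under F:\DB1, staging under
# F:\Recovery, mailbox UserA, target time 2010-11-08 09:00.
$Db        = "DB1"
$LagServer = "MBX4"
$Source    = "F:\DB1"                      # .edb and log files of the lagged copy
$Staging   = "F:\Recovery\$Db"
$Target    = Get-Date "2010-11-08 09:00"
$Prefix    = (Get-MailboxDatabase -Identity $Db).LogFilePrefix   # e.g. E00
$eseutil   = Join-Path $env:ExchangeInstallPath "bin\eseutil.exe"

# 1. Freeze the lagged copy: log copying and replay stop, the files are stable.
Suspend-MailboxDatabaseCopy -Identity "$Db\$LagServer" -SuspendComment "PIT recovery" -Confirm:$false

# 2. Work on a copy instead of a VSS snapshot (steps 2 and 6 of the slide).
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
Copy-Item -Path "$Source\*" -Destination $Staging -Recurse

# 3. Select logs: drop every generation written after the target time, and the
#    checkpoint file so replay starts from the database's own consistency point.
Get-ChildItem -Path $Staging -Filter "$Prefix*.log" |
    Where-Object { $_.LastWriteTime -gt $Target } | Remove-Item
Remove-Item -Path (Join-Path $Staging "$Prefix.chk") -ErrorAction SilentlyContinue

# 4. Replay what is left. /a allows recovery although later generations are
#    missing. The header must read "Clean Shutdown" before the DB is usable.
& $eseutil /r $Prefix /l $Staging /d $Staging /a
& $eseutil /mh (Join-Path $Staging "$Db.edb") | Select-String "State:"

# 5. Expose the replayed copy as a recovery database and restore the mailbox
#    into a subfolder of the live mailbox (New-MailboxRestoreRequest is SP1).
New-MailboxDatabase -Recovery -Name "RDB-$Db" -Server $LagServer `
    -EdbFilePath (Join-Path $Staging "$Db.edb") -LogFolderPath $Staging | Out-Null
Mount-Database -Identity "RDB-$Db"
Get-MailboxStatistics -Database "RDB-$Db" | Select-Object DisplayName, ItemCount   # confirm it is there
New-MailboxRestoreRequest -SourceDatabase "RDB-$Db" -SourceStoreMailbox "UserA" `
    -TargetMailbox "UserA" -TargetRootFolder "Recovered $($Target.ToString('yyyy-MM-dd HH:mm'))"

# 6./7. Nothing to revert; resume replication so the lagged copy catches up.
#       Dismount and Remove-MailboxDatabase the RDB once the restore completes.
Resume-MailboxDatabaseCopy -Identity "$Db\$LagServer"
```

Check Get-MailboxRestoreRequestStatistics before removing the recovery database, and keep the staging copy until the user confirms the data; the lagged copy itself stays untouched throughout, which is the property the procedure is meant to preserve.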
Lagged Database Copy Benefits
• Key Benefits
  • Faster recovery for large databases compared to backups on a separate system
  • Less data duplication than multiple point-in-time copies
  • Safety blanket: used only to mitigate a risk
• Keep in Mind
  • Not needed if deploying an Exchange-aware VSS backup solution (e.g., DPM 2010) with an appropriate RTO SLA
  • Lagged copies are not HA database copies and thus should never be activated by the system!
  • Lagged copies have storage capacity implications
  • RAID is recommended to prevent loss in case of disk failure

Exchange Native Data Protection: So what is it, again?
• What is this Native Data Protection concept?
  • Exchange Native Data Protection relies on Exchange itself to protect your mailbox data, without any VSS backups
• What does it require?
  • Highly available database copies (3 is the recommended minimum)
  • Single Item Recovery enabled with a deleted item retention window that meets or exceeds your item recovery SLA
  • Lagged database copies are optional
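The requirements just listed can be checked rather than assumed. The script below is an added example (not from the deck) that reports, per replicated database, how many healthy HA copies exist once lagged copies are excluded, how many mailboxes still have Single Item Recovery off, and how many have an effective retention window shorter than the SLA. The 30-day SLA and the minimum of three copies are assumptions taken from the slide.

```powershell
# Added example: Native Data Protection readiness check for every DAG database.
# Exchange 2010 SP1 Management Shell. Assumed: 30-day item-recovery SLA and a
# minimum of three healthy HA copies per database.
$MinHaCopies = 3
$SlaDays     = 30

function Get-NdpReadiness {
    # ReplicationType is "Remote" for databases that have copies in a DAG.
    foreach ($db in Get-MailboxDatabase | Where-Object { $_.ReplicationType -eq "Remote" }) {

        # Lagged copies never count toward HA: they are listed in ReplayLagTimes
        # with a non-zero lag (e.g. "14.00:00:00").
        $lagged = @($db.ReplayLagTimes |
                    Where-Object { "$($_.Value)" -ne "00:00:00" } |
                    ForEach-Object { $_.Key.Name })

        $status    = Get-MailboxDatabaseCopyStatus -Identity $db.Name
        $healthyHa = @($status | Where-Object {
            $lagged -notcontains $_.MailboxServer -and
            @("Mounted", "Healthy") -contains "$($_.Status)" })

        $mbx   = @(Get-Mailbox -Database $db.Name -ResultSize Unlimited)
        $noSir = @($mbx | Where-Object { -not $_.SingleItemRecoveryEnabled }).Count

        # Effective window: database value unless the mailbox overrides it.
        $belowSla = @($mbx | Where-Object {
            $days = if ($_.UseDatabaseRetentionDefaults) { $db.DeletedItemRetention.Days }
                    else { $_.RetainDeletedItemsFor.Days }
            $days -lt $SlaDays }).Count

        New-Object PSObject -Property @{
            Database     = $db.Name
            HealthyHa    = $healthyHa.Count
            LaggedCopies = $lagged.Count
            NoSir        = $noSir
            BelowSla     = $belowSla
            Ready        = ($healthyHa.Count -ge $MinHaCopies -and $noSir -eq 0 -and $belowSla -eq 0)
        }
    }
}

Get-NdpReadiness | Format-Table Database, HealthyHa, LaggedCopies, NoSir, BelowSla, Ready -AutoSize
```

A database whose Ready column is false is one where a backup-free posture is not yet justified: a copy in a Failed or Suspended state, or a mailbox whose retention is shorter than the SLA, means a deletion or failure in that window is still a restore-from-backup event.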
Dealing with Rogue Administrators
• First things first: don't elevate permissions unless they are required
• Within Exchange 2010 SP1, you can do two things via RBAC to reduce the likelihood that an administrator can destroy the data
  • Use server scoping to prevent the administrator from accessing copies on a particular server (e.g., dedicated lagged copy servers)
  • Use database scoping to prevent the administrator from accessing certain databases or copies
• Use BitLocker to encrypt the disks (this protects against removal of the physical drives, not against an administrator acting through Exchange)
• If relying on a permission model is not acceptable, the only way to mitigate rogue administrators is to deploy a backup solution that is managed separately from the Exchange infrastructure

Database Scoping
• Introduced in SP1
• The following table includes some of the cmdlets that are impacted by database scopes

Setting up Database Scoping
1. Define a database scope
2. Create a scoped role group
3. Scope evaluation (verify which objects the scoped group can actually write to)
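The three steps above, as an added example that is not the deck's own script: a server scope keeps a day-to-day DAG operator away from the dedicated lagged copy server, a database scope limits the same operator to production databases, and Get-ManagementRoleAssignment is used to evaluate the result. Server names MBX1-MBX4, database names DB1-DB4, the role group "DAG Operators" and the member "ops.smith" are assumptions.

```powershell
# Added example: server- and database-scoped RBAC for a DAG operator.
# Exchange 2010 SP1 Management Shell, run as an Organization Management member.
# Assumed: HA servers MBX1-MBX3, lagged copy server MBX4 (not in any scope),
# production databases DB1-DB3 (DB4 deliberately left out).

# 1. Define scopes. Explicit lists are safer than exclusion filters: a server or
#    database that is added later is out of scope until someone puts it in.
New-ManagementScope -Name "HA Servers"     -ServerList   "MBX1,MBX2,MBX3"
New-ManagementScope -Name "Production DBs" -DatabaseList "DB1,DB2,DB3"

# 2. Scoped role group: the Database Copies role (Suspend/Resume/Update/Remove
#    -MailboxDatabaseCopy) only writes to copies on the HA servers.
New-RoleGroup -Name "DAG Operators" -Roles "Database Copies" `
    -CustomConfigWriteScope "HA Servers" -Members "ops.smith"

#    A second role gets its own assignment with the database scope; each
#    assignment carries exactly one configuration write scope.
New-ManagementRoleAssignment -Name "Databases-DAG Operators" -Role "Databases" `
    -SecurityGroup "DAG Operators" -CustomConfigWriteScope "Production DBs"

# 3. Scope evaluation: which assignments could write to the lagged server or to
#    the out-of-scope database? Both queries must return nothing.
Get-ManagementRoleAssignment -RoleAssignee "DAG Operators" -WritableServer   "MBX4"
Get-ManagementRoleAssignment -RoleAssignee "DAG Operators" -WritableDatabase "DB4"

#    In-scope objects resolve to the assignments created above.
Get-ManagementRoleAssignment -RoleAssignee "DAG Operators" -WritableServer   "MBX1"
Get-ManagementRoleAssignment -RoleAssignee "DAG Operators" -WritableDatabase "DB1" |
    Format-Table Name, Role, CustomConfigWriteScope -AutoSize
```

The scope only holds if nobody in "DAG Operators" also sits in Organization Management or holds the Role Management role, since either lets them widen the scope themselves; review role group membership as part of the same change.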
Corporate/Regulatory Compliance Requirements: Compliance Policy in Exchange 2010 (Long-Term Retention Requirements)
• Integrated e-mail archiving capabilities offer tools to preserve and discover e-mail data, without changing the user or IT professional experience

Preserve
• Personal Archive
  • Secondary mailbox with separate quota
  • Appears in Outlook and OWA
  • Managed through EMC or PowerShell
• Move/Delete Policy
  • Automated and time-based criteria
  • Set policies at item or folder level
  • Expiry date shown in e-mail message
• Hold Policy
  • Capture deleted and edited e-mail messages
  • Offers single item restore
  • Notify user on hold
Discover
• Multi-Mailbox Search
  • Web-based UI
  • Search primary, archive, and recoverable items
  • Delegate through roles-based admin
• Audit Policy
  • Configuration audit logged to a regular mailbox
  • Audit log reports

Compliance Policy in Exchange 2010 SP1
• Provide a richer feature set incorporating customer feedback and take archive and discovery to the cloud

Preserve
• Personal Archive
  • Archive on a separate DB
  • Archive in the cloud
  • Outlook 2007 support
  • PST import into Archive
  • Admin delegation
  • EWS support
• Move/Delete Policy
  • Managed through EMC
  • EWS support for Archive
  • Automatically move content from the primary to the Archive dumpster
Discover
• Multi-Mailbox Search
  • Search preview
  • De-duplication
  • Search and destroy
  • Annotations
  • Cross-premise search
• Audit Policy
  • Mailbox audit, including non-owner auditing
  • Cmdlet auditing
  • Manage through ECP and cmdlets
  • Report and export results

Personal Archive + Retention Policies
• Key Benefits
  • Lowers cost by eliminating the need for a separate backup/archival system for long-term data retention or quota management
  • Rich end user access to older data
  • Same downtime and data loss guarantees as the primary mailbox (depends on the architecture)
• For more information
  • See UNC308 - Archiving, Retention and Discovery with Microsoft Exchange Server 2010 SP1
Traditional Backup Support
• Traditional backups are a mindset
• Traditional PIT backups may still be useful for:
  • PIT mailbox snapshots
  • Datacenter resiliency with a single datacenter
  • Public folder backups
• VSS backup and restore supported at the database level
  • Backup from active and passive copies (depends on requestor support)
  • VSS restore to the active copy only

The Exchange 2010 Backup Strategy
• Choice!
• New 2010 features provide an alternative to traditional point-in-time (PIT) backups
  • Minimize downtime and data loss in failures
  • Eliminate painful item recovery from traditional backups
  • Reduce costs
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.