Single Item Recovery in Exchange 2010
Until now, we all know that single item recovery in Exchange has always been a tedious task for the administrators. User deletes an email item from the mailbox and fails to recover it from “recover deleted items” option in outlook and some other options in OWA. The only option left for the administrator was to restore from the valid previous backup and recover the deleted item for the user.
Isn’t it too tedious and complicated for an administrator to restore a single email from the entire database…? Especially when it comes to restoring the entire database for just one email. We were fortunate enough to have “Recovery Storage Group” in Exchange 2003 server and later versions to avoid the downtime for the user or the entire database while the restore was in progress.
Single item recovery doesn’t just apply to a theory of user wanting to recover it. There could also be possibilities in an organization when a user would delete a company’s confidential email from the mailbox and the legal team of the company would want it. This time it becomes a legal matter of the company and recovering those emails can become more critical.
But just the “Recovery Storage Group” feature wasn’t enough for the administrators and hence Exchange 2010 brings in a new and improved functionality to help administrators recover such single items from the given users mailbox with minimum effort and time to spend.
Let us take a look at how a deleted email from the user mailbox can be retrieved using new and improved features in Exchange 2010.
Given below is the step by step guide on recovering single item in Exchange 2010.
Below is the screenshot of a user mailbox with some email items in it.
We would be using the selected email in the above screenshot which would be deleted and then recovered.
Currently we would use outlook Web App to delete this email assuming that the user is a sales user and has access to his email through Outlook Web App only.
In previous versions of Exchange (like Exchange 2000/2003/2007), it was possible for the end user to recover deleted emails from the dumpster using OWA and outlook both. This feature is now restricted to Outlook ONLY in Exchange 2010.
Since the user is using OWA in this case, it is not possible for him to use the “Recover deleted Items” feature and hence the only option left is calling the helpdesk and asking the exchange administrator to recover it from the database.
The user has just used shift delete button to delete the email in picture below and the email is not visible in deleted items folder as well. This is where the email has by-passed the “deleted items” folder and is gone into the dumpster of the user mailbox.
Now…the real game starts for the administrator. Until exchange 2007, there was only one option left and it was restoring from the previous backups and retrieving the deleted email.
But now, the exchange 2010 Discovery Management feature would allow the administrator to search within the user’s mailbox (including dumpster) and pull the email item in question. Let’s see how.
NOTE: The administrator who will perform the task to recover this deleted item for the user should be a member of the “Discovery Management” group so that it can perform searches within the user’s mailbox. I have already added the administrator to the group from the Exchange control Panel and this is how it looks.
Now, let’s quickly jump onto the Exchange management shell to perform the recovery steps.
In the shell, we would give the command as shown in the below screenshot.
Let me first explain you the command we just gave.
Search-mailbox: as the word sounds, it is used to search within user’s mailbox.
-Identity: Here we need to give the mailbox name which we need to search. In this example, we searched the mailbox of user “hiteg”.
-searchquery: here, we can give the details like the subject of the email, the FROM field, the TO field of the email, etc. You can also think as of it is a search filter. In this example, we are looking for an email item with the subject “company deal”
-targetmailbox: the target mailbox would always be “discovery search mailbox”.
-targetfolder: the target folder can be any folder/subfolder where you would want the search query results to be exported within the “discovery search mailbox” mailbox. In this example, we want the data to be exported to the “Hiteg_Data_Recovered” folder within the “discovery search mailbox” mailbox.
Now that we have got the results, we let us login to the “Discovery search mailbox” mailbox and check the email item that we just recovered.
NOTE: By default, no user/administrator has rights to login to the “Discovery search mailbox” mailbox and access data from it. Users who are members of the “Discovery management” group ONLY have rights to login to the “Discovery search mailbox” mailbox. In this example, the administrator account has the rights to login to the “Discovery search mailbox” mailbox. Hence I would use the administrator’s credentials to login to the “Discovery search mailbox” mailbox.
In the above picture, you can see the “Discovery search mailbox” mailbox and a subfolder with the name “Hiteg_Data_Recovered” and the actual email item which was deleted.
Hey, wait. We are still not done. The email is still not in the actual user’s mailbox. Right now, it is just in the mailbox of “Discovery search mailbox”. We now need to move this email item from the “Discovery search mailbox” mailbox to “hiteg” mailbox and to do so, we have numerous ways to do it. I would follow the simple way again.
I hope by now you are very much comfortable with the only command we gave above to recover the email so I would use the same command. We would now search the “Discovery search mailbox” mailbox and we would target the “hiteg” mailbox for any search results.
Here’s how we do it.
We literally gave the same command and just changed the source and the destination mailbox locations.
Also, If you check the output of the command, interestingly, you would see that the “ResultItemCount” is “2” . But we actually had just one email to be recovered.. rite?
Well, when we recover from the “Discovery Search Mailbox” mailbox, there’s a summary email also which automatically gets created to the actual email.
Let’s login to the mailbox of HITEG and check if he recovered the email.
The above screen shot shows the search result summary and the below email was the actual email which was deleted.
Isn’t this wonderful!!! The administrator had to give just two commands and the email is back in the user’s mailbox.
Note: the above task can be performed through Exchange control panel as well if one is not comfortable in using Exchange management shell.
Well…since I am done with recovering single item in exchange 2010, I would come up with another blog and another topic to discuss.
I hope the topic was helpful