MCITP Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide, part 6 (PDF)

Chapter 9

Planning a Highly Available Exchange Server 2007 Implementation
When configuring the CCR cluster, it is important to take into account the automatic database
mount settings. You can configure the server by using the Set-MailboxServer cmdlet
and setting the AutoDatabaseMountDial property to one of the following values:

Lossless: The databases will not automatically mount on the passive node until all of the
logs have been copied to the passive node. If the active node goes offline, the databases
will not be mounted until the logs are able to be recovered from the failed node.

GoodAvailability: The databases will mount on the passive node as long as the copy
queue length is less than or equal to two. Exchange will continue to copy the remaining
logs from the failed node and attempt to mount the database.

BestAvailability: The databases will mount on the passive node as long as the copy queue
length is less than or equal to five. Exchange will continue to copy the remaining logs from
the failed node and attempt to mount the database.
These settings affect the automatic mounting of the databases in a CCR cluster; an administrator
can choose to force a database mount in case a failover occurs with data loss. Figure 9.14 shows
an example of using Set-MailboxServer to modify the AutoDatabaseMountDial setting from
the default of BestAvailability to Lossless.
FIGURE 9.14 Using Set-MailboxServer to modify the AutoDatabaseMountDial setting
81461.book Page 404 Wednesday, December 12, 2007 4:49 PM
Because CCR uses log-file replication to provide data redundancy, it is possible during a
hard failover to the second node that log files are damaged on the second node. This may
cause email to be lost. A feature that reduces this possibility is the transport dumpster. The
transport dumpster is enabled automatically on Hub Transport servers only for CCR clusters.
The Hub Transport servers will maintain a queue of recently delivered email messages
to mailboxes that reside on a CCR clustered Mailbox server. If a hard failover occurs that
has the possibility of lost data, the clustered Mailbox server will notify the Hub Transport
servers to redeliver email messages from the transport dumpster. The clustered Mailbox
server will then reprocess the messages and deliver the non-duplicated items. Unfortunately,
the transport dumpster will not assist in recovering the following:

Appointments (not meeting requests)

Property updates (i.e., flagging, mark as read, etc.)

Tasks

Draft email messages created in Office Outlook in online mode
Although the Microsoft Clustering Services Cluster Administrator tool can be used to
manage the failover of a CCR cluster, it is not recommended because it does not contain
logic to check the health of the replication status before it transfers the clustered Mailbox
server. Using the Cluster Administrator can lead to damaged databases. The preferred
method of managing the clustered mailbox is to use the Move-ClusteredMailboxServer
cmdlet in the Exchange Management Shell as pictured in Figure 9.15. Using the cmdlet
allows an administrator to provide a documented reason for moving the clustered Mailbox
server, and it properly checks the health of the server before performing the failover.
FIGURE 9.15 Using Move-ClusteredMailboxServer on a CCR server
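The mount-dial change and the scheduled handoff described above, as an added Exchange Management Shell example (not the book's figures or code). EXCMS01 and NODE2 are placeholder names, and the explicit copy-queue check before the move is an assumption about what an operator would want to see first, since the cmdlet performs its own health check.

```powershell
# Added example for the Exchange Management Shell (Exchange Server 2007).
# EXCMS01 (clustered mailbox server) and NODE2 (passive node) are placeholders.
$cms        = 'EXCMS01'
$targetNode = 'NODE2'
$reason     = 'Planned maintenance on the active node'

# Show the current automatic-mount policy, then require that every log be
# present on the passive node before a database mounts automatically.
Get-MailboxServer -Identity $cms | Format-List Name, AutoDatabaseMountDial
Set-MailboxServer -Identity $cms -AutoDatabaseMountDial Lossless

# Before a scheduled handoff, look at replication for every storage group.
$copies = @(Get-StorageGroupCopyStatus -Server $cms)
$copies | Format-Table Identity, SummaryCopyStatus, CopyQueueLength, ReplayQueueLength -AutoSize

# A copy is not ready if replication is unhealthy or logs are still waiting
# to be copied from the active node (the queue the mount dial evaluates).
$notReady = @($copies | Where-Object {
    $_.SummaryCopyStatus.ToString() -ne 'Healthy' -or $_.CopyQueueLength -gt 0
})

if ($copies.Count -eq 0) {
    Write-Warning "No storage group copies were returned for $cms; not moving."
}
elseif ($notReady.Count -gt 0) {
    Write-Warning "Replication is not ready on $($notReady.Count) storage group(s); not moving $cms."
    $notReady | Format-Table Identity, SummaryCopyStatus, CopyQueueLength -AutoSize
}
else {
    # The move comment is the documented reason recorded for the handoff.
    Move-ClusteredMailboxServer -Identity $cms -TargetMachine $targetNode -MoveComment $reason
    Get-ClusteredMailboxServerStatus -Identity $cms | Format-List
}
```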
Deciding Which Mailbox-Availability Strategy to Adopt
With so many options, it can be difficult to decide which mailbox-availability strategy to use in
a specific situation. Table 9.5 can help you to determine which availability strategy has specific
features or limitations.
TABLE 9.5 Mailbox Availability Strategy Features
Feature LCR CCR SCC
Can have only one database per storage group X X

Can run other roles X
Using Dial-Tone Recovery
Dial-tone recovery has been a recommended fast recovery method since Exchange Server 2003.
When a database has failed and cannot be mounted, dial-tone recovery can be done. Dial-tone
recovery moves the damaged database out of the original database location, and then a blank
database is mounted. This database has no data in it, but it allows the end users to be able to
connect to a mailbox and to send and receive new email while the old data is recovered. The
old data could be recovered by either repairing the database or by performing a restore to the
recovery storage group. Once the data is recovered, there are two options:

The data can be merged back into the production mailboxes using the Recover Mailbox
Data feature of the recovery storage group.

The data can be swapped into the location of the dial-tone database so that the dial-tone
information can be merged into the recovered database.
Because mounting dial-tone databases loses mailbox rules, delegate data, and offline folder
store encryption keys, administrators will often swap the original database back into the
production storage group and merge the dial-tone database in using the Recover Mailbox Data
feature of the recovery storage group.
Now that Exchange Server 2007 allows for database portability, these dial-tone recovery
tasks can be done on a standby server rather than having to complete the recovery on the
server where the original failure occurred.
More information about problems that can arise when performing a dial-tone
recovery can be found at
TABLE 9.5 Mailbox Availability Strategy Features (continued)
Feature LCR CCR SCC
Can host public-folder replicas X
Can span data centers X X
Simplest, least expensive X
Requires shared storage X
Provides data redundancy X X
Provides server redundancy X X
Implementing Database Portability
One of the most painful aspects of previous versions of Exchange Server was the fact that moving
a database between servers wasn’t a supported way of moving users or of recovering from a
server failure. Exchange Server provides for mounting databases on different servers in the
same Exchange organization and then modifying the mailbox objects so that they are associated
with the location of the new database. To allow for database portability, Exchange 2007
allows any mailbox database to be mounted on any other Exchange 2007 Mailbox server in
the organization.
Database portability does not work with public-folder databases.
There are a number of scenarios in which you would use database portability:

Recovering mailbox data between geographical sites.

Recovering a clustered Mailbox server to another operational server.

Using a portable dial-tone recovery. (You can do this by mounting empty databases on a
new server while database restores are being done.)
Managing Employee Relations During an Email Outage
In real-world environments, email is a very critical piece of business. So when email is down,
tempers are up. If a failure occurs and the database needs to be repaired using the Extensible
Storage Engine Utility (ESEUTIL) or recovered from a tape, there is usually a better end-user
perception of the outage if the users are restored to service using a dial-tone recovery.
It is often difficult for Exchange administrators to admit that restores and repairs have a
tendency to fail the first time, especially when you’re dealing with the executives’ email and your
job is at stake. A good way to not fall into this trap is to limit the length of time that you spend
on trying to repair or restore the database, so that the end users are not left in the lurch
without any access to Exchange services. You should make it standard practice to mount a
dial-tone database if you aren’t able to repair or restore the database within 30 minutes. After
mounting the dial-tone database, send an email to the users describing the reason for the
absence of their old mailbox content and what steps are being taken to restore that data.
Following this procedure should reduce the number of times your manager has to come to
you with sweat running down his brow and scream at you that he is under a lot of pressure
so you need to get Exchange working!
Database portability requires only a few steps that need to be followed when moving a
database from one server to another. The overview of the process is as follows:
1. Make sure the database was shut down cleanly or perform a soft recovery if the database
isn’t in a clean state.
2. Use either the Exchange Management Shell or Exchange Management Console to create a
new database with the same name on the new server; however, do not try to mount the new
database. Set the new database to allow a restore to overwrite the database. Figure 9.16
shows using the Exchange Management Shell to create the new database and setting it to
allow a restore.
FIGURE 9.16 Using the Exchange Management Shell to create a new database
3. Move the database files to the new server in the location you specified for the new
database.
4. Mount the new database with the Exchange Management Shell or Exchange Management
Console.
5. Use the Move-Mailbox cmdlet with the ConfigurationOnly option to point the mailbox
configuration to the new location. Figure 9.17 shows an example of running Get-Mailbox to
gather the mailboxes from the old database and piping the output to the Move-Mailbox cmdlet
with the -ConfigurationOnly option.
FIGURE 9.17 Using MoveMailbox with the ConfigurationOnly switch
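The five steps above as one added Exchange Management Shell example (not the book's figures or code). All server, storage group and database names and all paths are placeholders; it assumes the script runs on the new Mailbox server, that the storage group already exists there, and that the old database and log files are readable and writable at the source paths shown.

```powershell
# Added example: the five database portability steps in the Exchange Management Shell.
# Every server name, storage group, database name and path below is a placeholder.
$newServer   = 'MBX02'
$storageGrp  = 'SG1'                      # assumed to exist already on $newServer
$dbName      = 'MailboxDB1'               # same name as the database being moved
$oldDatabase = "MBX01\SG1\$dbName"        # identity the mailboxes still point to
$newDatabase = "$newServer\$storageGrp\$dbName"
$sourceEdb   = 'E:\Staging\SG1\MailboxDB1.edb'
$sourceLogs  = 'E:\Staging\SG1\Logs'      # logs and checkpoint file for that database
$logPrefix   = 'E00'
$targetEdb   = 'F:\SG1\MailboxDB1.edb'    # location given to the new database

function Test-CleanShutdown([string]$EdbPath) {
    # eseutil /mh dumps the database header; its State line reads
    # "Clean Shutdown" or "Dirty Shutdown".
    $header = & eseutil /mh $EdbPath
    [bool]($header | Where-Object { $_ -match '^\s*State:\s*Clean Shutdown' })
}

# Step 1: verify a clean shutdown; if dirty, run soft recovery and re-check.
if (-not (Test-CleanShutdown $sourceEdb)) {
    & eseutil /r $logPrefix "/l$sourceLogs" "/s$sourceLogs" "/d$(Split-Path $sourceEdb)"
    if (-not (Test-CleanShutdown $sourceEdb)) {
        throw "Database is still in Dirty Shutdown after soft recovery; stopping."
    }
}

# Step 2: create the database object with the same name, do not mount it,
# and allow a restore to overwrite it.
New-MailboxDatabase -StorageGroup "$newServer\$storageGrp" -Name $dbName -EdbFilePath $targetEdb
Set-MailboxDatabase -Identity $newDatabase -AllowFileRestore:$true

# Step 3: put the database file in the location specified for the new database.
Copy-Item -Path $sourceEdb -Destination $targetEdb

# Step 4: mount the database on the new server.
Mount-Database -Identity $newDatabase

# Step 5: repoint the user mailboxes (system mailboxes excluded) without moving data.
Get-Mailbox -Database $oldDatabase |
    Where-Object { $_.ObjectClass -notmatch '(SystemAttendantMailbox|ExOleDbSystemMailbox)' } |
    Move-Mailbox -ConfigurationOnly -TargetDatabase $newDatabase

# Confirm which mailboxes now reference the new database.
Get-Mailbox -Database $newDatabase | Format-Table Name, Database -AutoSize
```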
It is important to know how using database portability affects your user base. Since the
user’s mailbox is now on a server with a different name, the user’s client will need to be able
to locate where the mailbox has been moved to without the original server being available. As
you can see in Table 9.6, both Office Outlook 2007 and Office Outlook Web Access are
automatically redirected to the new location. Problems may occur when older clients are in use.
These clients will need to be manually reconfigured, or an administrative script can be run on
each of the users’ computers to reconfigure the older versions of Outlook.
TABLE 9.6 Client Redirection Methods
Client                     Redirection  Method
Office Outlook 2007        Automatic    Uses Autodiscover
Outlook 2002 and 2003      Manual       Needs to be reconfigured manually
Office Outlook Web Access  Automatic    Uses Active Directory
Summary
In this chapter we talked about availability options for each of the Exchange server roles. You
saw how use of network load balancing as well as DNS round-robin and multiple MX records
can provide high availability for most of the Exchange roles. Then you learned how Mailbox
roles can use LCR, CCR, and SCC to improve availability. We also discussed the specific
requirements for each of the availability options. Last, you learned how to leverage database
portability and dial-tone recovery to provide rapid recovery during failure situations, even when
a server is unrecoverable or if recovery will take longer than the permitted recovery window.
Exam Essentials
Know the differences between the Mailbox role availability types. In the exam you will
most likely be asked to differentiate between the ways to make your Mailbox servers more
available. You need to know which server types provide data redundancy and which provide server
redundancy only. Remember that the single-copy cluster requires shared hardware and that local
continuous replication and cluster continuous replication use server-attached storage devices.
Remember which servers can have public-folder stores in an enterprise environment and which
ones require that only one database be in each storage group.
Know how to make all roles redundant. Each role can be made redundant by adding multiple
servers. Most roles, however, require additional hardware or configuration to make the
solution failure-resilient. Be sure to understand the pros and cons for each of the redundancy
options and what is required to configure each of them.
Know how database portability opens new methods of recovery. Database portability is
the new feature that allows a database to be mounted on any Exchange server in the
organization. Tools have been created to allow mailbox configuration to be modified so that the
mailboxes are pointed to the new location. New features in Microsoft Office Outlook 2007
also allow for the client computers to locate the new server the mailbox is hosted on.
Review Questions
1. You have been asked to design a redundant Mailbox server design. The business requires that
the design allow for a single server failure. Which server solutions could you design to meet this
requirement?
A. LCR.
B. CCR.

C. SCC.
D. Add two RAID arrays with a mirror set to a server.
2. The standard remote office deployment consists of two servers: one that has the Hub Transport
and Client Access roles installed, and one that has the Mailbox role installed. When the
Hub Transport server is offline, internal email message delivery is impacted to the remote
office mailboxes. What can be done to reduce this effect?
A. Add an Edge Transport server at the remote office and create an MX record in the domain
for it.
B. Add a second Client Access server at the remote office and create a round-robin DNS entry
for both.
C. Create an MX record for the Mailbox server at the remote office.
D. Add a second Hub Transport server at the remote site.
3. You have been asked to design a new redundant Mailbox server design. The business requires
that you allow for data redundancy and server redundancy. Which solution could you use to
meet the business requirements?
A. LCR.
B. CCR.
C. SCC.
D. Add two RAID arrays with a mirror set to a server.
4. You have been asked to design a new redundant design for users to access Outlook Web
Access. The business requires that you allow for server redundancy and automatic failover.
Which solutions could you use to meet the business requirements?
A. Software network load balancing
B. Hardware network load balancing
C. Round-robin DNS entries
D. Multiple MX records
5. One of your Mailbox servers has had a database failure. The database may take hours to
restore or repair. The business requires that you allow users to be able to send and receive email
as quickly as possible. Which option will provide for the business requirement?
A. A dial-tone database
B. A recovery storage group
C. Database portability
D. Streaming database restores
6. Your company plans to deploy standard Mailbox server roles with 5 storage groups and
10 databases to each of the remote offices. The servers were purchased with a single storage
device. What would need to be done to optimally reconfigure these servers to support LCR?
(Choose all that apply.)
A. Create five additional storage groups and distribute the mailbox databases evenly.
B. Add a second server.
C. Add a second storage controller.
D. Add a second storage device.
7. Your company plans to deploy centralized Mailbox servers. The servers need to be redundant
and minimize data storage on the SAN due to budgetary constraints. What configuration
would meet the business needs?
A. LCR
B. SCC
C. CCR
D. Network load balanced servers
8. You need to deploy an SCC cluster with the fewest servers as well as provide redundancy for Hub
Transport servers. What is the lowest number of servers required to meet the requirements?
A. 2
B. 3
C. 4
D. 6
9. You need to provide redundancy for your company’s three Edge Transport servers. You need
to have each server used equally. Which of the following are supported options? (Choose all
that apply.)
A. Create MX records with the same preference weight for the host name of each server.
B. Create MX records with the sequential preference weights for the host name of each server.
C. Create a network load balanced cluster with each server with a single MX record pointing
to the host name of the cluster.
D. Create MX records with the same preference weights for an alias record of each server.
10. Which tool should you use to manage the failover process on a CCR cluster?
A. Exchange Management Shell
B. Exchange Management Console
C. Cluster Administrator
D. Server Manager
11. Which of the following is not a requirement for a supported CCR cluster?
A. A shared disk system
B. A public and private network interface
C. Server hardware listed on the Microsoft website
D. Windows 2003 Server Enterprise or later
12. Which of the following commands would you use when moving a database between servers?
A. Move-StorageGroupPath
B. Move-DatabasePath
C. Move-ClusteredMailboxServer
D. MoveMailbox
13. On an Exchange server with high disk I/O utilization that also requires redundancy, which
RAID type would you select?
A. RAID 0
B. RAID 5
C. RAID 10

D. RAID 6
14. When using network load balancing for web services, which property should be set to the
load-balanced fully qualified domain name?
A. ExternalURL
B. InternalURL
C. ExternalAuthenticationMethods
D. Instance
15. You added two MX records (smtp1.domain.com and smtp2.domain.com) with a preference
weight of 20 for domain.com. You have added another server (smtp3.domain.com) at another
location with a preference of 40. What behavior will this cause?
A. The smtp3.domain.com will be used first; if it is unavailable the others will be load-balanced.
B. All three servers will be load-balanced, smtp3.domain.com will be used only one-third of
the time.
C. The smtp1.domain.com and smtp2.domain.com will be load-balanced first; if both are
unavailable smtp3.domain.com will be used.
D. All three servers will be load-balanced; smtp3.domain.com will be used two-thirds of
the time.
16. On a continuous-replication server, after a log file is closed it is copied by the replication
service into which directory?
A. The inspector directory for the storage group on the active node
B. The storage-group log directory on the passive node
C. The inspector directory for the storage group on the passive node
D. The storage-group log directory on the active node
17. A CCR storage-group replication has failed and needs to be reseeded. What cmdlet would you
use to reseed the database?
A. Update-StorageGroupCopy
B. Restore-StorageGroupCopy
C. Move-ClusteredMailboxServer
D. Resume-StorageGroupCopy
18. Which of the following resources need to be considered when sizing an LCR server?
A. 20 percent greater CPU load
B. 50 percent greater CPU load
C. 5 percent greater CPU load
D. 100 percent greater CPU load
19. Which of the following failover options will automatically mount a database after a failover
if two or fewer log files are missing from the failed node?
A. Lossless
B. GoodAvailability
C. BestAvailability
20. The Transport dumpster does not help recover which of the following? (Choose all that apply.)
A. Draft email
B. Tasks
C. New email received
D. New email sent
Answers to Review Questions
1. B, C. Both CCR and SCC will require a minimum of two clustered servers. Both solutions meet
the requirement for providing for a server failure. LCR and RAID arrays do not provide for
server failure.
2. D. Adding a second Hub Transport server is the only step required to be able to provide
redundancy. Internal routing is automatically redundant. Edge Transport servers are for email going
to and from outside the Exchange organization. The Client Access server does not participate
in the delivery of email.
3. B. CCR provides redundancy for servers and data. There are two servers, each with a separate
copy of data. LCR, SCC, and RAID arrays may have data protection but do not have server
and data redundancy together.
4. A, B. Neither software nor hardware load balancing relies on the client to fail over. The load
balancing would be able to remove the failed server from the cluster so that the client can
connect to a functional server.
5. A. A dial-tone database will provide the ability for the users to send and receive email messages
while restores or repairs are done for the historical data. Recovery storage groups and streaming
database restores both require additional downtime to complete. Database portability would
require a valid, consistent database to mount, which in this case is unavailable.
6. A, C, D. To properly configure an LCR server you would need to make sure there is a 1:1 storage
group–to-database ratio, as well as a second storage controller and storage device for redundancy.
Adding a second server is not required to be able to use LCR.
7. B. SCC provides server redundancy and has only one copy of the data so it minimizes the amount
of storage used. LCR and CCR both require double the disk space of an SCC cluster and would
not meet the criteria. Network load balancing is not supported for mailbox servers.
8. C. SCC clusters cannot run any other role; above the two-node cluster you will also need two
servers for redundant Hub Transport servers.
9. A, C. To equally balance load between the servers, create an MX record for each of the servers’
host records. Another supportable option is to use network load balancing with a single
MX record. Creating an MX record for an alias record is not supported and creating sequential
weights will cause only the lowest preference to be used.
10. A. The only utility that should be used for CCR failover is the Exchange Management Shell;
using Cluster Administrator could lead to data loss. Server Manager and Exchange Management
Console do not provide an interface to perform a CCR failover.
11. A. A CCR cluster does not require the use of a shared disk system. Each server can have
dedicated storage. The remaining options are requirements for deploying a supported cluster.
12. D. MoveMailbox with the ConfigurationOnly switch allows an administrator to modify the
mailbox objects to point to the new location of the database. Move-StorageGroupPath and
Move-DatabasePath are used to move the files for the storage group and the database; they are not used
when moving these files between servers. The Move-ClusteredMailboxServer is used to move
the clustered resources between cluster nodes.
13. C. RAID 10 is the second best choice for utilization and provides disk-drive redundancy. RAID 0
provides no data redundancy at all. RAID 5 provides more space but has a higher I/O overhead
which leads it to not provide as much throughput. RAID 6 provides an even higher redundancy
than RAID 5 but has an even higher throughput penalty.
14. A. It is important to set the ExternalURL on each of the Exchange web services so that they can
be accessed from the Internet. InternalURL and ExternalAuthenticationMethods should also be
set, but they are not specific to configuring load balancing.
15. C. The lower the preference weight, the higher the priority. MX records with higher preference
numbers will not be used unless the lower-numbered records are unavailable.
16. C. The log file is copied to the inspector directory on the passive node and checked for
consistency before being applied to the passive database copy.
17. A. Update-StorageGroupCopy is able to be used to manually reseed the database.
Move-ClusteredMailboxServer is used to move the clustered resource between nodes.
Restore-StorageGroupCopy is used prior to mounting the passive copy of a database and is not used
to reseed. Resume-StorageGroupCopy is used to resume replication if the previous copy has
been suspended.
18. A. The standard recommendation is to size for an additional 20 percent CPU load on an
LCR Exchange server.
19. B. GoodAvailability requires that two or fewer transaction log files be missing before automatically
mounting the database. Lossless allows for zero transaction logs and BestAvailability allows for up
to five missing transaction logs.
20. A, B. Tasks and emails saved to the Drafts folder do not traverse the Hub Transport server, so
the Transport dumpster does not help in recovering these items. The remaining items do traverse
the local Hub Transport servers and thus will be retained in the transport dumpster.
Chapter 10
Planning a Backup and Recovery Solution for Exchange Server 2007

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Plan a backup solution implementation.

Plan a recovery solution implementation.

Planning Backup and Recovery

I was once told that backups are not important and that the only important thing was recovery.
Although the statement may be considered absurd, it highlights the idea that if you cannot
restore there is no sense in doing backups. It is essential to completely understand the backup
and recovery process to be a successful Exchange professional. In this chapter we will cover
the variety of backup options for both Mailbox and non-Mailbox servers as well as methods
to recover from each of them.
When determining what type of backups meet your restore needs, it’s important to first
know what your business requirements are. Once the needs have been documented it will be
much easier to determine what backup solution to use and it will be much easier to justify the
cost of the solution to the business.
To determine your needs it’s good to start with a list of questions:


How long can it take to restore each group of users and still meet the Service Level Agreements?

How long can it take before service is restored?

What services are essential to restore, and in what order?

How long can it take before all email is restored?

What is the maximum amount of data that can be lost?

How long can backups take to complete without affecting end user and other processes?

What budget has been allocated for backup and recovery?

This list can be summarized into three industry-standard acronyms: SLA, RPO, and RTO.
The Service Level Agreement or SLA will determine how long a mail service can be down before
it has to be restored. The recovery-point objective or RPO will determine how much data can
be lost. The recovery-time objective or RTO will determine the maximum times allowed for
recovering each service. Each business will decide upon each of these metrics. Sometimes different
business units within an enterprise may have different requirements for each of these, making
it even more difficult to come up with a good solution. Often these standards are devised by the
business using financial analysis of the effects of these services being offline to see how much it
costs the company. These standards are covered in an entire set of courses and books that cross
many business disciplines.
Once these standards have been set, a messaging professional can begin to determine the
best design that meets these needs.

Planning and Implementing Backup Solutions for Mailbox Server Roles

The Mailbox server role has to be the most important Exchange role. Without the Mailbox role
no one is able to read email. There are several options when it comes to backing up the mailbox
data; however, there are a few other things that need to be backed up in order to be fully
protected. The Mailbox server should have a system-state backup completed periodically so that
it can be recovered from a backup. Also, a file-system backup of [Install Directory]\ExchangeOAB
should be taken on the Mailbox server that is set to generate the offline address book to
keep the organization from having to rebuild it. Much of the Exchange configuration is stored
in Active Directory. It is important to properly back up the domain controllers regularly to be
able to recover from corruption and user error. Table 10.1 shows the main components that
need to be backed up on a Mailbox server.

TABLE 10.1 Backup Components for the Mailbox Server Role
Data Type                                           Backup Type
Exchange and service configuration in the registry  System state of the Mailbox server and system state of the Active Directory
Exchange offline address book                       File-system backup of [Install Directory]\ExchangeOAB
Mailbox                                             Exchange-aware backup
Public Folder                                       Exchange-aware backup or replication to other public-folder servers

Another key component for recovery is to avoid having a disaster in the first place.
Having redundant hardware, proper patching procedures, change control, and all of the
other Microsoft Operations Framework components in place will go a long way toward
reducing the need to enact a recovery procedure. Another key way to avoid restoring data
needlessly is to set the deleted item and deleted mailbox retention times. Properly configuring
deleted item retention will allow items to be recovered after being hard-deleted by
the users. The user will have the ability to recover hard-deleted items from within Office
Outlook’s deleted item recovery feature without having to restore any data from a backup.
The deleted mailbox retention time will allow deleted mailboxes to be retained for a
period of time before being purged from the database. This will allow an administrator to
reconnect a mailbox to a user account during that retention period to recover the entire
mailbox. It is important to set the retention period for both mailbox items and mailboxes
for a period long enough to minimize the number of times restores would need to be completed.
You might think that setting the retention period for both the mailbox and the
mailbox items to 999 days might be the answer (so that the only time a restore would be
necessary is in the event of corruption). Be aware, however, that a longer retention period
will consume more disk space, which will also increase the amount of space that backups will
consume.

A problem with Microsoft Office Outlook 2003 when used with Outlook
Anywhere may keep hard-deleted items from being restorable. A registry
setting on the client computers is required to work around this issue. For
more information on the change, please see the Microsoft Knowledge
Base article 886205.

Implementing Streaming Backups

Streaming Exchange backups have been available for Exchange since its initial release. The
Microsoft Exchange Server 2007 documentation officially calls these backups “legacy streaming
backups.” Over the years improvements in speed, flexibility, and the number of features
have been introduced. Software-based backups use the streaming backup API to back up the
online Exchange databases and copy them to either disk or a tape drive.
It is important to remember that you can have only a single simultaneous backup or
restore operation in each storage group. To be able to perform backups or restores on
multiple databases, the databases need to be separated into multiple storage groups. After
splitting up the databases into separate storage groups, you’ll be able to perform multiple
operations simultaneously (as shown in Figure 10.1). Where possible, put only one database
in each storage group, as this simplifies and streamlines both the backup and the restore
procedures. Be aware that performing multiple operations simultaneously may have a significant
performance impact on the server CPU, memory, and disk systems. It would be good
to determine the effects of both single operations and multiple operations before attempting
to schedule backups and before performing multiple restores, especially during production
hours. Streaming backups can be done against all types of Mailbox servers. Performing a
backup of the active copy on both clustered and nonclustered Mailbox servers is supported.
Streaming backups can never be done against the passive copies of the databases, such as
those that exist on a local continuous replication (LCR) or cluster continuous replication
(CCR) Mailbox server.
A streaming backup can be done using NTBackup from a machine with the Exchange
management tools installed or by using an agent installed on the Exchange server with a
third-party backup application.
A number of types of backups can be completed. The available types of legacy streaming
backups are full, copy, incremental, and differential, as shown in Table 10.2. It is essential to
understand each of these types of backups and how they affect transaction log files.

FIGURE 10.1 Only one backup can be done for each storage group

Full Streaming Backups


A full streaming backup will copy the entire database and the required log files to the backup media and then will purge all of the committed transaction logs. The advantage of a full backup is that you can use this backup to restore the database to a consistent state and not need any additional backup sets. The main disadvantages of this backup type are that it can take a long time to complete and that the entire database is backed up to tape including the white space within the database.

When would you use a full backup? If possible, you should always do a full backup. With ever-shrinking backup windows and increasing amounts of data, however, it is often not practical to complete a full backup each time.

TABLE 10.2 Available Types of Legacy Streaming Backups

| Type of Backup | Description |
| --- | --- |
| Full | Complete database backup that purges all committed transaction logs. |
| Copy | Complete database backup and does not purge any transaction logs. |
| Differential | Transaction logs are not purged. |
| Incremental | All available transaction logs are purged. |

Copy Streaming Backups

A copy streaming backup will back up the entire database and will not purge any of the transaction logs. The advantage of a copy backup is that you can use this backup to restore the database to a consistent state and not need any additional backup sets. The main disadvantages of this backup type are that it can take a long time to complete and that the entire database is backed up to tape including the white space within the database. The other disadvantage is that it does not purge the committed transaction logs.

When would you use a streaming copy backup? An excellent use of streaming copy backup is when you need to make an additional backup for archival without affecting the standard backup rotation. As an example, the standard schedule for backups includes a full backup once a week and a differential backup on the remaining days. In the middle of the week you need to create a backup that will be sent offsite to your disaster-recovery site. Running a copy backup to create the backup set to be sent offsite will not affect your ability to use the media onsite to restore service in the case of an outage, since the transaction logs will still be intact.

Differential Streaming Backups

A differential streaming backup will back up the transaction logs that have been generated since the last full or incremental backup. This form of backup does not delete any of the committed transaction logs. Using differential backups minimizes the number of backup sets that would be required for a restore since the last differential backup set would include all of the transaction logs generated. Differential backups cannot be run against storage groups that have circular logging enabled.

When would you use a differential backup? You could use it if you are not able to perform a full backup every day. This would keep all of the log files until the next full backup. You would use differential backup if the server had enough space to hold the log files between full backups.

Incremental Streaming Backups

An incremental streaming backup will back up the logs and then purge them. This form of backup deletes all of the committed transaction logs. Using incremental backups minimizes the number of transaction logs that are kept on the server. It also increases the number of backup sets that would be required for a restore since all the incremental backup sets would need to be restored to recover all of the transaction logs generated. Incremental backups cannot be run against storage groups that have circular logging enabled.

When would you use an incremental backup? When there is not enough space to keep all of the transaction logs between full backup jobs.
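The restore consequences of the four backup types described above, worked through as an added example that is not from the book: a PowerShell function that picks the backup sets a restore needs from a backup history. The function name and the sample history are constructed for illustration, and copy backups are treated as archival sets outside the restore chain.

```powershell
# Added example; not from the book. Models which legacy streaming backup sets a
# restore needs, based on the log-purging behaviour of each backup type.
function Get-RestoreChain([object[]]$History, [datetime]$RestoreTo) {
    # Only sets taken at or before the restore point can be used.
    $usable = @($History | Where-Object { $_.Time -le $RestoreTo } |
        Sort-Object { $_.Time })

    # Start from the most recent full backup. Copy backups are left out on
    # purpose: they are archival sets kept outside the normal rotation.
    $full = $usable | Where-Object { $_.Type -eq 'Full' } | Select-Object -Last 1
    if (-not $full) { throw "No full backup at or before $RestoreTo" }
    $after = @($usable | Where-Object { $_.Time -gt $full.Time })

    # Each incremental purged the logs it captured, so all are needed, in order.
    $incrementals = @($after | Where-Object { $_.Type -eq 'Incremental' })
    $lastPurge = $full.Time
    if ($incrementals.Count -gt 0) { $lastPurge = $incrementals[-1].Time }

    # A differential carries every log since the last full or incremental, so
    # only the newest one taken after the last purge is needed.
    $differential = $after |
        Where-Object { $_.Type -eq 'Differential' -and $_.Time -gt $lastPurge } |
        Select-Object -Last 1

    $chain = @($full) + $incrementals
    if ($differential) { $chain += $differential }
    $chain
}

# Constructed sample history: weekly full, daily differentials, and a mid-week
# copy backup made for the disaster-recovery site.
$history = @(
    @{ Time = [datetime]'2007-12-09 22:00'; Type = 'Full' },
    @{ Time = [datetime]'2007-12-10 22:00'; Type = 'Differential' },
    @{ Time = [datetime]'2007-12-11 22:00'; Type = 'Differential' },
    @{ Time = [datetime]'2007-12-12 12:00'; Type = 'Copy' },
    @{ Time = [datetime]'2007-12-12 22:00'; Type = 'Differential' }
)
foreach ($set in (Get-RestoreChain $history ([datetime]'2007-12-13 08:00'))) {
    '{0:yyyy-MM-dd HH:mm}  {1}' -f $set.Time, $set.Type
}
```

Changing the differentials in the sample history to incrementals makes every set since the full backup appear in the chain, which is the trade-off between the two types.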

Implementing Restores Using Streaming Backups

Legacy streaming restores are fairly straightforward. Restores can be executed back to the
original location of the database while it is dismounted, or to a recovery storage group.


Restoring a Streaming Backup

A streaming restore is the simplest restore and does not differ greatly from the process in previous versions of Exchange. You would restore to the original location if a database has been damaged to the point that it cannot be mounted.

Although the actual process will vary slightly depending on your backup software, the procedure to restore to the original location is basically as follows:

1. Dismount the current database.
2. Mark the database to allow it to be overwritten by a restore.
3. Perform the full restore.
4. Perform any differential or incremental restores.
5. Perform a hard recovery to apply restored transaction logs.

You can also restore the database to a different server. To complete that process you would follow these steps:

1. Create the new database on the new server.
2. Mark the database to allow it to be overwritten by a restore.
3. Perform the full restore to the alternate location.
4. Perform any differential or incremental restores.
5. Perform a hard recovery to apply restored transaction logs.
6. Use database portability to update user objects to the new database location. (More information about database portability can be found in Chapter 8, “Planning a Highly Available Exchange Server 2007 Implementation.”)
Hard recovery can be triggered by choosing Last Backup Set in the restore options of the last restore set that you plan to restore, or can be done manually with ESEUTIL /C. Performing a hard recovery can take a long time depending on the number of transaction log files that need to be applied. It is important to consider this amount of time in the recovery schedule. Once a hard recovery has been performed, no other log files can be applied to the database.

Streaming backups can also be used to restore public folders to their original location. Public folders rely on having replicas stored on multiple servers to reduce the requirement for restores. To perform single-item or folder restores for a public folder for items that have passed the deleted item retention period, the data restore would need to be done in an alternate forest. After restoring the public-folder data to the alternate forest, Office Outlook would need to be used to export the public-folder data to a personal folders (.pst) file that would be used to import the data back into the production public folders.

Restoring to a Recovery Storage Group

Recovery storage groups provide for a very flexible recovery process. They can be used to
restore individual mailboxes or specific mailbox items, or for dial-tone recoveries. A recovery
storage group can be on any Mailbox server in the Exchange organization and can be used to
recover Exchange 2007, Exchange 2003 Service Pack 1 or later, or Exchange 2003 Service
Pack 3 or later databases.

Dial-tone recoveries are covered in detail in Chapter 8 of this book.

To perform a restore to a recovery storage group and recover a specific mailbox, the procedure is as follows:

1. Create a recovery storage group.
2. Add the database that you will be recovering to the storage group.
3. Set the database to allow it to be overwritten by a restore.
4. Restore the database and all transaction log files.
5. Mount the recovered database.
6. Use the restore-mailbox cmdlet to merge data into mailboxes.

The restore-mailbox cmdlet is a very powerful tool; it also provides the ability to recover mail to alternate mailboxes and recover only items selected by date, keyword, or location in the original mailbox.
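The six steps above as they could be typed into the Exchange Management Shell, as an added example that is not from the book. The server name MBX01, the storage group SG1, the database name, the R:\RSG path and the mailboxes jsmith and auditor are hypothetical placeholders.

```powershell
# Added example for the Exchange Management Shell on Exchange Server 2007.
# Hypothetical placeholders: MBX01, SG1, "Mailbox Database", R:\RSG, jsmith, auditor.
$server = 'MBX01'
$rsg    = "$server\RSG"
$rsgDb  = "$rsg\Mailbox Database"

# 1. Create the recovery storage group (the -Recovery switch makes it an RSG).
New-StorageGroup -Server $server -Name 'RSG' -Recovery `
    -LogFolderPath 'R:\RSG' -SystemFolderPath 'R:\RSG'

# 2. Add the database to recover, naming the production database it came from.
New-MailboxDatabase -MailboxDatabaseToRecover "$server\SG1\Mailbox Database" `
    -StorageGroup $rsg -EdbFilePath 'R:\RSG\Mailbox Database.edb'

# 3. Allow the restore to overwrite the database files.
Set-MailboxDatabase -Identity $rsgDb -AllowFileRestore $true

# 4. Restore the database and all transaction log files with the backup
#    application. This step happens outside the shell.

# 5. Mount the recovered database and list the mailboxes it contains.
Mount-Database -Identity $rsgDb
Get-MailboxStatistics -Database $rsgDb |
    Format-Table DisplayName, ItemCount -AutoSize

# 6a. Merge a user's recovered data back into that user's own mailbox.
Restore-Mailbox -Identity 'jsmith' -RSGDatabase $rsgDb

# 6b. Recover into an alternate mailbox, limited by date, keyword and folder.
Restore-Mailbox -RSGMailbox 'jsmith' -RSGDatabase $rsgDb `
    -Identity 'auditor' -TargetFolder 'jsmith recovered' `
    -StartDate (Get-Date '2007-12-01') -EndDate (Get-Date '2007-12-10') `
    -SubjectKeywords 'contract' -IncludeFolders '\Inbox'
```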

Implementing Volume Shadow Copy Service (VSS) for Backups

VSS-based backups were first introduced in Microsoft Exchange Server 2003. The Volume Shadow Copy Service (VSS) provides an interface for specialized hardware to be able to create a consistent copy of the database. A consistent copy can be created only if all database writes are quiesced, which means quieted. The VSS process includes quiescing the writes to the database. As indicated by its name, VSS is volume-based, meaning it does not back up individual files. This means that storage-group placement and database placement are extremely important in an environment that is being planned to implement VSS backups.

You cannot mix VSS and legacy streaming backup types against the same storage group.

What sort of hardware is required to complete VSS backups? As mentioned, specialized hardware is required, as a standard SCSI or SATA RAID controller is not supported. Typically a Fibre Channel or iSCSI Storage Area Network (SAN) is required to deliver this functionality. The hardware needs to be able to support the ability to create two copies of the data rapidly. Creating these copies is typically handled in two different ways even if the hardware manufacturer uses different names and methodologies.

The two basic methods are clones or snapshots. The clones start out as two synchronized copies of the data that are split at the point the backup is taken. This leaves one copy inactive as a backup and the other copy continues to be used in production. The snapshot method uses fewer disks and essentially stores a map of the disk data and only keeps track of data that has changed since the snapshot was taken. Although VSS does take less time to complete than streaming backups, the amount of work that goes on at the disk level can be significant. When using clones it could be that the two sets of disks have to synchronize. This synchronization can be likened to the rebuilding of a RAID set and can take a considerable amount of time and resources on the storage hardware. The load that these processes take should be considered when scheduling backups, especially during production hours.

The clone process will vary with each technology vendor and with each VSS hardware provider, but the four main steps typically taken during a clone process are as follows:

1. The two volumes are synchronized during normal database operations, as shown in Figure 10.2.

FIGURE 10.2 Synchronization

2. Database writes are quiesced and the two volumes are fractured to create a backup, as shown in Figure 10.3.

FIGURE 10.3 Pausing the database writes and fracturing the volumes

3. The checksum is verified on the copy and is completed by the requestor, as shown in Figure 10.4.

FIGURE 10.4 The checksum is verified and copy is completed

4. The transaction logs are truncated when applicable, as shown in Figure 10.5.

FIGURE 10.5 Transaction logs are truncated

The snapshot process is slightly different from the clone process. Rather than making a full second copy of the data, the snapshot contains only pointers to the data. When data is changed on the active volume, the original data is copied into the snapshot and the changed data is written to the active volume. The benefit of using snapshots is that they don’t require the synchronization step. The drawback of using snapshots is that activity done against the snapshot will affect the active volume, since all of the unchanged data is still located on the active volume disks. When streaming backups or other I/O-intensive actions are performed against a snapshot, it can affect the performance of the active volume. Figure 10.6 shows how a snapshot is just a pointer to the original data plus a copy of the original data that has been changed since the snapshot.

The process for creating a VSS snapshot generally follows these three steps:

1. Database is quiesced and writes are paused on the database; a snapshot map is created.
2. Verification of the checksum on the copy is completed by the requestor.
3. The transaction logs are truncated when applicable and writes are resumed to the active database.

FIGURE 10.6 A logical view of a snapshot backup

Configuring the VSS Volumes for Restores

In order for VSS backups to provide value, one of the following would need to be true:

- VSS backups are able to have multiple copies made.
- Copies are saved to other media.

Many companies will keep several VSS backups on disk. After several days, they will copy the backups to tape media. Because backups and restores are done at a storage-group level, it would make sense that each storage group should have separate volumes, as a VSS backup will include all data on the volume. To provide smooth incremental and differential backups (and more importantly, restores) the database and transaction logs would also need to be on separate volumes.
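One way to check a planned layout against the placement rules stated in this chapter, as an added example that is not from the book. The function name and the sample layout are constructed; volumes are assumed to be drive letters, so mount points are not distinguished.

```powershell
# Added example; not from the book. Checks a storage-group layout against the
# placement rules in this chapter. The layout below is constructed sample data.
function Test-StorageGroupLayout([object[]]$StorageGroups) {
    $volumeOwner = @{}    # volume root -> first storage group seen on it
    foreach ($sg in $StorageGroups) {
        $findings = @()
        $edbs = @($sg.EdbFilePaths)
        # Assumption: volumes are drive letters, so the path root names the volume.
        $logVolume = [System.IO.Path]::GetPathRoot($sg.LogFolderPath)

        # Only one backup or restore can run at a time per storage group.
        if ($edbs.Count -gt 1) {
            $findings += "$($edbs.Count) databases share one backup/restore slot"
        }
        # Differential and incremental backups cannot run with circular logging.
        if ($sg.CircularLoggingEnabled) {
            $findings += 'circular logging blocks differential and incremental backups'
        }
        # VSS is volume-based: databases and logs belong on separate volumes.
        $volumes = @($logVolume)
        foreach ($edb in $edbs) {
            $dbVolume = [System.IO.Path]::GetPathRoot($edb)
            if ($dbVolume -eq $logVolume) { $findings += "$edb is on the log volume" }
            if ($volumes -notcontains $dbVolume) { $volumes += $dbVolume }
        }
        # Each storage group should also have volumes of its own.
        foreach ($v in $volumes) {
            if (-not $volumeOwner.ContainsKey($v)) {
                $volumeOwner[$v] = $sg.Name
            } elseif ($volumeOwner[$v] -ne $sg.Name) {
                $findings += "volume $v is also used by $($volumeOwner[$v])"
            }
        }
        if ($findings.Count -eq 0) { "$($sg.Name): OK" }
        foreach ($f in $findings) { "$($sg.Name): $f" }
    }
}

# Constructed layout: SG2 breaks three rules and SG3 shares a log volume with SG1.
$layout = @(
    @{ Name = 'SG1'; CircularLoggingEnabled = $false; LogFolderPath = 'L:\SG1';
       EdbFilePaths = @('E:\SG1\DB1.edb') },
    @{ Name = 'SG2'; CircularLoggingEnabled = $true;  LogFolderPath = 'F:\SG2';
       EdbFilePaths = @('F:\SG2\DB2.edb', 'F:\SG2\DB3.edb') },
    @{ Name = 'SG3'; CircularLoggingEnabled = $false; LogFolderPath = 'L:\SG3';
       EdbFilePaths = @('G:\SG3\DB4.edb') }
)
Test-StorageGroupLayout $layout
```

The input fields mirror what Get-StorageGroup (CircularLoggingEnabled, LogFolderPath) and Get-MailboxDatabase (EdbFilePath) report on a Mailbox server, so the same function can be fed from a live inventory.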

Table 10.3 describes the components in a VSS backup.

With many storage solutions, the snapshot and clone volumes also need to be either licensed or at a minimum pre-allocated. This means that for each full backup, a second copy of the volume will be needed. Most companies will choose to keep at least one backup copy online at all times.

But what happens if one of the backup snapshots is corrupt and is unusable? Would you want to have to pull the backup from a tape? Many companies work around this pitfall by assigning two or three sets of backups or volumes so that there will be two full backup copies on disk at all times. They then rotate out each backup set successively.

Here’s an example:

- On Monday backup set #1 is used.
- On Tuesday backup set #2 is used. Meanwhile, during business hours on Tuesday backup set #1 can have a file-level backup run to tape.

This system has two advantages:

- If the backup on Tuesday is unsuccessful for any reason, then the backup located on the first set can still be used should it be needed.
- The Tuesday backup set volumes can be synchronizing to the production volumes well before the backup needs to be started.

In all, VSS backups allow for an extremely flexible backup solution. When designing the volume layout be sure to configure them in a way that will meet the backup and restore requirements.
TABLE 10.3 Components in a VSS Backup

| Component | Description |
| --- | --- |
| Requestor | This is typically the backup software. |
| Writer | Makes sure that Exchange has been quiesced and that the database is in a consistent state. |
| Provider | Manages communication between the operating system, the backup writer, and the VSS-enabled hardware. |