Microsoft Exchange Server requirements (DS-MLR)
Ensure that the following requirements are met wherever applicable before you create an Email messages backup set to back up Microsoft Exchange Server data using DS-MLR:
Ensure that the DS-MLR service has been configured to run under a user account that meets the following criteria, so that the DS-MLR service has access to all mailboxes on the Microsoft Exchange Server:
Be a member of a Domain Admins group and be granted Receive-As privilege, or be an Exchange Full Administrator account
Be a member of a Local Administrators group.
DS-MLR access on the Microsoft Exchange Server depends on its service account and the credentials provided in the individual backup set. For each backup or restore request, DS-MLR checks the credentials of the DS-MLR service account.
If the DS-MLR service account has the required privilege to access all mailboxes, DS‑MLR will proceed using the DS-MLR service account, and you will be able to see all the mailboxes in the Microsoft Exchange Server in the New Backup Set Wizard.
If the DS-MLR service account does not have the required privilege to access all mailboxes, DS‑MLR will proceed using the credentials provided in the properties of the backup set (Backup Set Properties > Connection tab). The following table describes how the credentials of the backup set are used in various scenarios.
 
 
If: DS-MLR is installed under a non-domain user account, and the credentials of a domain user account on the Microsoft Exchange Server are provided in the backup set.
Then: DS-MLR will be able to back up one or multiple mailboxes on which that domain user account has Receive-As privileges.

If: DS-MLR is installed under a domain user account that is not a Domain Admin, and the credentials of another user account are provided in the backup set.
Then: DS-MLR will be able to back up those mailboxes on which the user account whose credentials are provided in the properties of the backup set has privileges.

If: DS-MLR is installed under a Domain Admin user account, and the credentials of a user who is not a Domain Admin are provided in the backup set.
Then: DS-MLR will allow access only to those mailboxes on which the user account whose credentials are provided in the properties of the backup set has privileges, as configured on the Microsoft Exchange Server.
Ensure that the MAPI client has already been downloaded separately from Microsoft and installed on the Microsoft Exchange Server.
To ensure that multiple items with the same Exchange ID are backed up, add the switch ChangeDuplicateID to the DS-MLR computer’s registry and configuration and set the key to 1.
DS-MLR processes email messages or individual items in Microsoft Exchange based on their Exchange ID, which is unique for any Exchange object. In special scenarios when multiple items have the same Exchange ID, DS-MLR will only back up the first item that was created with that Exchange ID and not the remaining items created with that Exchange ID. When you add the switch ChangeDuplicateID and set the key to 1, DS-MLR assigns a new Exchange ID to each item that has a duplicate Exchange ID. If this key is set to 0, items with a duplicate Exchange ID are skipped, and a warning is recorded in the DS-Client event log. For more information on registry keys, see “DS-MLR registry keys”.
Microsoft Exchange Server 2013 additional configurations
To create backup sets of email messages on Microsoft Exchange Server 2013 using DS-MLR, you must perform the following configurations:
Ensure that the DS-MLR service account has been granted the proper permissions on the mailboxes of other users. The PowerShell commands that grant permissions to the DS-MLR account are as follows:
Add-AdPermission -Identity "Exchange Administrative Group (FYDIBOHF23SPDLT)" -User "<Domain>\<UserYouCreated>" -AccessRights GenericAll -ExtendedRights Receive-As,Send-As
AND
Get-Mailbox | Add-MailboxPermission -User "<Domain>\<UserYouCreated>" -AccessRights FullAccess
Create and configure a registry key on the Exchange server where the DS-MLR is installed (the one running the Client Access Server role).
a) Add a new REG_SZ value under the DS-MLR service account's registry hive, under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem
NOTE:  This registry value's name should begin with RPCHTTPProxyMap. It is recommended that each application appends an additional identifier to prevent overwriting existing mappings, like the following: RPCHTTPProxyMap_DSMLR
b) Populate the registry value with a DNS domain name, an equal sign, fully qualified domain name (FQDN) of the RPC Proxy server, a comma, and the proxy server settings in the following format:
RpcHttpAuthenticationMethod,RpcAuthenticationMethod
c) Indicate what the subsystem should do when an invalid certificate is encountered. A value of “true” indicates that invalid certificates should be ignored. This is an example of such a registry value:
mydomain.local=https://myexchange.mydomain.local,ntlm,ntlm,false
NOTE:  You might need to add more than one registry key depending on the setup of the domains. For example, the full DNS name of the CAS Server (where DS-MLR is intended to be deployed) is ex01.mainsubdom.domain.local, so the main domain is mainsubdom.domain.local.
Configure the domain mapping as necessary. Mailboxes of the users are configured with a different primary domain. As an example, in the domain primdom.domain.local, all users would have their primary SMTP address configured as <username>@primdom.domain.local
a) To configure the domain mapping, log on to Windows on the DS-MLR computer with the DS-MLR service account and go to the registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem.
b) Add two different REG_SZ values, one for each domain.
Examples:
RPCHTTPProxyMap_DSMLR, with its value set to the following:
mainsubdom.domain.local=https://ex01.mainsubdom.domain.local,ntlm,ntlm,false
AND
RPCHTTPProxyMap_DSMLR1, with its value set to the following:
primdom.domain.local=https://ex01.mainsubdom.domain.local,ntlm,ntlm,false
NOTE:  Alternatively, you can combine the two into one REG_SZ value if there is a common root to the domains. As seen in the above examples, the common root is *.domain.local. The value of RPCHTTPProxyMap_DSMLR can be set to the following: *.domain.local=https://ex01.mainsubdom.domain.local,ntlm,ntlm,false
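One way to check the RPCHTTPProxyMap values described above before relying on them, as an added PowerShell example that is not part of the vendor documentation. The function name Test-ProxyMapValue is hypothetical, the four-field layout is inferred from the page's sample values, the https and certificate-flag checks are this example's own policy, and the last two sample values are constructed to show the failure cases.

```powershell
# Added example, not vendor code. Field layout assumed from the page's sample values:
#   <DNS domain>=<RPC proxy URL>,<RpcHttpAuthenticationMethod>,<RpcAuthenticationMethod>,<ignore invalid certs>
function Test-ProxyMapValue {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    $issues = @()
    if ($Name -notlike 'RPCHTTPProxyMap*') { $issues += 'value name does not begin with RPCHTTPProxyMap' }

    # Split "domain=rest" once, then split the proxy settings on commas.
    $domain, $rest = $Value -split '=', 2
    $fields = @()
    if ($null -ne $rest) { $fields = @($rest -split ',' | ForEach-Object { $_.Trim() }) }
    $proxy = $null
    if ($fields.Count -ge 1) { $proxy = $fields[0] }

    if ([string]::IsNullOrWhiteSpace($domain)) { $issues += 'missing DNS domain before "="' }
    if ($fields.Count -ne 4) {
        $issues += "expected 4 comma-separated fields after '=', found $($fields.Count)"
    } else {
        if ($proxy -notlike 'https://*') { $issues += 'RPC proxy is not an https:// URL' }
        if ($fields[3] -eq 'true') { $issues += 'invalid certificates are ignored' }
        elseif ($fields[3] -ne 'false') { $issues += "certificate flag '$($fields[3])' is neither true nor false" }
    }
    [pscustomobject]@{
        Name = $Name; Domain = $domain; Proxy = $proxy
        Ok = ($issues.Count -eq 0); Issues = ($issues -join '; ')
    }
}

# Sample input: the first value is the page's example; the other two are constructed.
$samples = [ordered]@{
    'RPCHTTPProxyMap_DSMLR'  = 'mainsubdom.domain.local=https://ex01.mainsubdom.domain.local,ntlm,ntlm,false'
    'RPCHTTPProxyMap_DSMLR1' = 'primdom.domain.local=https://ex01.mainsubdom.domain.local,ntlm,ntlm,true'
    'ProxyMap_DSMLR'         = 'primdom.domain.local=https://ex01.mainsubdom.domain.local,ntlm'
}
$samples.GetEnumerator() |
    ForEach-Object { Test-ProxyMapValue -Name $_.Key -Value $_.Value } |
    Format-List

# To check the live values, run as the DS-MLR service account:
# $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem'
# (Get-ItemProperty -Path $key).PSObject.Properties |
#     Where-Object Name -like 'RPCHTTPProxyMap*' |
#     ForEach-Object { Test-ProxyMapValue -Name $_.Name -Value $_.Value }
```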