In part one of this eDiscovery in Exchange series, I discussed being proactive before the need for legal inquiry arises. Parts 2 and 3 will cover email preservation methods. In this post I make some preliminary remarks and discuss backup considerations and database deletion settings.

There are many situations which could trigger the need to assure that email is being preserved. Some events are quite obvious while others may not be.

Before proceeding further, I must point out that prior to an event your company or organization should have an established list of guidelines that you will follow in the event eDiscovery of email may be required. I would recommend also having the procedures reviewed by your legal staff.

As an Exchange Administrator, here’s a scenario that should always trigger the execution of eDiscovery preservation. Your supervisor has notified you that an employee has been using your email system to harass another employee. The offended employee has told the Human Resources department that they are going to file a lawsuit against your company. This scenario is easily recognizable as a trigger to prompt you to preserve email.

Here are a couple that maybe aren’t so obvious. An employee has been terminated due to poor performance or you hear a rumor that an employee has been using their corporate email address for activities that could warrant termination. These scenarios may not be as obvious but these should also trigger preservation of email.

The overall rule is that an Exchange Administrator should begin preserving email even before being instructed to do so by a manager or supervisor whenever he or she first becomes aware of a situation that could require the use of eDiscovery in the future.

So now that we know when to preserve email, how do we do it in Exchange?

What NOT to do in Exchange 2007

Let me start by covering what NOT to do for Exchange 2007 mailboxes. Do NOT move affected mailboxes to another database. Although most mailbox items are moved when a mailbox is moved to another database, the items in the dumpster are not moved. Dumpster items include any mailbox items that were permanently deleted but still fall within the database deleted item period mentioned later on in this post.

In Exchange 2010, this is no longer a concern due to changes in the way the dumpster works. Dumpster items in Exchange 2010 mailboxes will stay with the mailbox when it is moved. This does not help when moving a mailbox from a pre-Exchange 2010 server to Exchange 2010, as dumpster data will still be lost.

Retain Backups

This step can vary greatly depending on how you do backups. In a nutshell, back up the affected database to a location where it will not be overwritten. If you back up to tape, back up the database to a tape and set that tape aside outside of the normal tape rotation. If you back up to disk, back up the database to a separate location outside of the normal location. Other snapshots may be necessary depending on the circumstances. If litigation concerns a former employee, this may be all that’s required. For current employees, this should be ongoing.

Modify Database Deletion Settings

The default for an Exchange database is to keep permanently deleted items and mailboxes for 14 and 30 days respectively. Consider the example where an offending employee will continue to remain employed. Your employer can be held responsible for lack of action if email is deleted due to default settings. My recommendation would be to choose a period of time of at least two or three years.

For Exchange 2007, open Exchange Management Console (EMC). Navigate to Server Configuration and click Mailbox. Right-click the affected database and click Properties. Modify Deletion Settings located on the Limits tab.

eDiscovery in Exchange - Database deletion settings

In Exchange 2010, navigate to Organization Configuration and click Mailbox in EMC. Right-click the affected database in the top pane and click Properties. Modify Deletion Settings located on the Limits tab.

Also on the Limits tab is a checkbox that is critical to assuring nothing is removed before it is backed up. Simply check the box for Don’t permanently delete items until the database has been backed up.
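The same Limits tab settings can be reviewed and changed from the Exchange Management Shell with Get-MailboxDatabase and Set-MailboxDatabase. The script below is an added example, not part of the original post; the database name and the 1095-day (three-year) value are assumptions to replace with your own. It only ever lengthens retention, and it runs as a dry run unless -Apply is given.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2007 or 2010).
# The database name and retention value below are assumed placeholders.
param(
    [string[]]$Database = @('Mailbox Database 01'),  # hypothetical database name
    [int]$RetentionDays = 1095,                      # assumed target: three years
    [switch]$Apply                                   # omit for a -WhatIf dry run
)

$target = New-TimeSpan -Days $RetentionDays
$props  = 'Name', 'DeletedItemRetention', 'MailboxRetention', 'RetainDeletedItemsUntilBackup'

foreach ($name in $Database) {
    $db = Get-MailboxDatabase -Identity $name -ErrorAction Stop

    # Keep a record of the settings as they were before the change.
    Write-Host "Current settings for '$name':"
    $db | Format-List $props

    # Retention values can arrive as Exchange types or deserialized objects,
    # so normalise them through their d.hh:mm:ss string form.
    $items = [TimeSpan]::Parse($db.DeletedItemRetention.ToString())
    $mbx   = [TimeSpan]::Parse($db.MailboxRetention.ToString())

    # Never shorten a retention period that is already longer than the target.
    $newItems = $items
    if ($items -lt $target) { $newItems = $target }
    $newMbx = $mbx
    if ($mbx -lt $target) { $newMbx = $target }

    # DeletedItemRetention = "Keep deleted items for (days)"
    # MailboxRetention     = "Keep deleted mailboxes for (days)"
    # RetainDeletedItemsUntilBackup = the "Don't permanently delete items
    #   until the database has been backed up" checkbox
    Set-MailboxDatabase -Identity $name `
        -DeletedItemRetention $newItems.ToString() `
        -MailboxRetention $newMbx.ToString() `
        -RetainDeletedItemsUntilBackup $true `
        -WhatIf:(-not $Apply)

    # Read the values back so the change (or the lack of one) is on record.
    Write-Host "Settings for '$name' after this run:"
    Get-MailboxDatabase -Identity $name | Format-List $props
}
```

Saving the before and after output alongside your preservation notes gives you a dated record of when the deletion settings were changed.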

In the next post, I’ll discuss Messaging Records Management and Exchange 2010 Mailbox Litigation Hold.



© 4sysops 2006 - 2023

