Latest revision as of 14:14, 3 August 2018

[edit] How to Setup Retain with Exchange 2013

Now that you have set up Exchange 2013

Exchange and Retain out of the box are not really set up to do true archiving. Exchange does not have a simple system to indicate that a message has been archived or not. So we need to do a few things to give Retain a chance to archive all the messages.

While Retain will certainly dredge Exchange for messages and Exchange will serve them. If a user receives a message, deletes it and then purges it from Recoverable Items, Retain will never see it for archiving. So in this case we would only get a snapshot backup of Exchange and not a true archive.

So we have to make sure that Exchange is set up so it will not allow messages to be permanently deleted before Retain has a chance to archive them.

[edit] DNS Server Prerequisites

The CAS, AD, Exchange and Retain servers should all be pointing to the DNS server, if they must point to different DNS see link below.

Retain expects a URL along the lines of:

http://autodiscover.<smtpdomain>/Autodiscover/Autodiscover.xml 

Which can be found in the worker log as it attempts to login by searching for "Discovered endpoint:" or "AutoDiscover"

Relevant kb articles: Creating a DNS SRV record for Exchange http://support.gwava.com/kb/?View=entry&EntryID=2402 In simple terms:

1. Go to the DNS Manager
2. Expand Forward Lookup Zones
3. Locate and right-click on the external DNS zone and choose Other New Records
4. Click Service Location (SRV) and enter:

• Service: _autodiscover
• Protocol: _tcp
• Port Number: 443
• Host: [your mail host, e.g. mail.gwava.net, usually the AD domain forest found in AD Domains and Trusts on the MS AD server]
• Click OK

• How to Make Exchange's Autodiscover Work When Retain and Exchange Point to Different DNS Servers http://support.gwava.com/kb/?View=entry&EntryID=2233

[edit] CAS Server Prerequisites

By going into Exchange Admin Center:Server/Virtual directories Edit Autodiscover and EWS, select authentication and enable basic authentication, which will propagate to all CAS servers.

[edit] Verifying Basic Authentication is Enabled

Check that all CAS servers have successfully been updated. Bring up the Exchange Management Shell and run:

Get-WebServicesVirtualDirectory | fl

Make sure that you find the following line under each server:

BasicAuthentication : True

A simpler method which will only show the server name and the status of basicauthentication:

Get-WebServicesVirtualDirectory | ft server,basicauthentication

Relevant kb articles:

• Determining if Basic Authentication is enabled on your network http://support.gwava.com/kb/?View=entry&EntryID=2395

[edit] Enabling Basic Authentication

Go to IIS Manager on each of your CAS servers and enable Basic Authentication for EWS and Autodiscover see page 229 in the Admin Guide (get pictures for EX2013) Backup the IIS config file. http://technet.microsoft.com/en-us/library/cc754617(v=ws.10).aspx

Check which DNS the CAS are pointing to. Command line “ipconfig /all” or right-click Start/Network Connections/Properties/Internet Protocol Version 4. If you change the DNS make sure to run "ipconfig /flushdns" from the command line to update the new setting immediately.

Firewall/proxy exceptions: Retain needs to be able to connect to Exchange's EWS service. Make sure that your firewalls and proxies contain an exception to allow TCP traffic to and from the Retain server. Retain uses the Global Catalog port (Microsoft default is 3268 for plain text and 3269 for SSL).

EWS throttling: It is recommended to create a throttling policy specifically for Retain, which allows for large attachments. After creating the policy, you can use the following command to apply the policy to the impersonation account used by Retain. See "Retain and Exchange Server 2010 Throttling Policies" for more information. http://support.gwava.com/kb/?View=entry&EntryID=2343

Alternatively you can use an EMS script

For EWS, use the command: [1] [2]

Set-WebServicesVirtualDirectory -Identity <VirtualDirectoryIdParameter> [-BasicAuthentication <$true | $false>]

Example:

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -BasicAuthentication $true

For autodiscover, use the command: [3] [4]

Set-AutodiscoverVirtualDirectory -Identity <VirtualDirectoryIdParameter> [-BasicAuthentication <$true | $false>]

Example:

Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (Default Web Site)' -BasicAuthentication $true

Backup the IIS config file. http://technet.microsoft.com/en-us/library/cc754617(v=ws.10).aspx

[edit] Active Directory Prerequisites

Log into your Active Directory server Check that the DNS server is the one configured above.

[edit] Create Retain User Account

Go into Server Manager/Tools/Active Directory Users and Groups. Create a user for Retain to log into Exchange with. Note the user logon name and password. Go to the Account tab, then set in the Account Options:

• User cannot change password
• Password never expires
• Account expires never

[edit] Determining Global Catalog Host

Run the PowerShell command:

Get-ADDomainController -Discover -Service "GlobalCatalog"

[edit] Multiple Domains (if applicable)

If you have multiple domains in your active directory tree or you have a different internal domain from your email domain you can change the LDAP login that your users use to log into Retain.

In Active Directory Domains and Trusts:

• Right-click on the top container called "Active Directory Domains and Trusts" and select Properties
• Here you can add Alternative UPN suffixes.
• Click Apply, then OK.

Then you can go into the Exchange Admin Center:

• In Recipients/Mailboxes choose a user and edit them.
• Here you can change the User logon name: and from the drop down choose the domain you want them to login with.

Finally you can attempt logging in as a user with that new domain into Retain. This will not create a new mailbox in Retain as the user is also identified by their GUID which is unique.

Look at the worker log to determine which autodiscover URL Exchange is returning to Retain. Make sure there is a record for the autodiscover server in the Exchange system. The default port for autodiscover is 443.

[edit] Exchange Prerequisites

[edit] Retain User Setup

Browse to the Exchange Admin Center https://[yourExchangeServerURL]/ecp Create a retain user account using the existing user you created in Active Directory and give it ImpersonationApplication rights. see Appendix G of the Admin Guide (get pictures from EX13)

[edit] In-Place Holds

To properly archive your Exchange system you will need to setup In-Place Holds so they cannot delete messages before they have had a chance to be archived by Retain. Since there is no flag that can be set to mark that a particular message has been archived, we are hoping everything works. A 90-day hold is a good amount of time to have a hold in place to catch any failures in the system and repair them.

Relevant kb articles:

• In-Place Holds http://technet.microsoft.com/en-us/library/ff637980%28v=exchg.150%29.aspx
• To set a hold on all mailboxes http://technet.microsoft.com/en-us/library/dn767952(v=exchg.150).aspx

[edit] IIS Throttling Policy settings

Make sure that IIS on the Exchange server is throttled and configured appropriately for use with Retain. Attachment size limits are a common problem. The changes you'll want to consider making will be to the Exchange Web Services.

• Open Exchange Management Console

Enter the following commands:

New-ThrottlingPolicy RetainThrottlingPolicy

This command is a single line, if you copy and paste you will need to remove spaces and returns:

Set-ThrottlingPolicy RetainThrottlingPolicy -RCAMaxConcurrency Unlimited -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited

Then

Set-Mailbox <ApplicationImpersonation_user_name> -ThrottlingPolicy RetainThrottlingPolicy

Relevant kb articles:

• Configure client-specific message size limits http://technet.microsoft.com/en-us/library/hh529949(v=exchg.150).aspx

• Retain and Exchange Server 2013 Throttling Policies http://support.gwava.com/kb/?View=entry&EntryID=2343

• Backup the IIS config file. http://technet.microsoft.com/en-us/library/cc754617(v=ws.10).aspx

[edit] Prerequisites to Installing Retain

[edit] Preparing the Retain Server

Retain is quite comfortable running in a VM. It is recommended to use a VM because it is much easier to backup, restore and reconfigure the server.

• Install the OS.
• Install Acrobat Reader [5]
• Get Retain Windows Install Manual [6]

• Create 5 disks and make sure that they will be extensible:
  • OS: so the operating system is safe from disk full errors.
  • DATABASE: for the database
  • STORAGE: for the storage directory
  • INDEX: for the indexes, their backups
  • LOGS: for the logs of the system (This can be up to 30GB/day/worker during large migrations, usually it will be much lower)

• Create a directory off the root called /software.

• Install Java 1.6 aka Java 6. [7] (Retain 3.5.1 asks to download/install)
  • System/Change settings/Advanced/Environmental Variables (new system variable JAVA_HOME point to the installed directory c:\Program Files\Java\jdk1.6.0_38)

• Install IIS by adding the role in Server Manager.
  • Add WebServer Role Services Application Development/ISAPI Extensions and ISAPI Filters
• Restart

[edit] MySQL

1. Install MySQL 5.5 [8], SQL Server 2008 R2, 2012, or 2014 preferably on a separate server with the following setting:
2. Install as Typical, take defaults and allow to start MySQL Instance Configuration Wizard
   1. Detailed Configuration
   2. Server Machine
   3. Transactional Database only
   4. give it a storage path
   5. Manual Setting (100)
   6. Enable TCP/IP networking (port 3306) add firewall exception, Enable Strict mode
   7. Best Support for Multilingualism
   8. Install MySQL as a Service and select Include the Bin directory in the Windows PATH.
   9. Enter root password

Create database and user

1. Start the Command Line Client and login as root.
   1. CREATE DATABASE retain DEFAULT CHARACTER SET 'utf8' DEFAULT COLLATE 'utf8_bin';
2. add retain user to database
   1. GRANT ALL PRIVILEGES ON retain.* TO 'retain'@'%' IDENTIFIED BY 'password';
   2. GRANT ALL PRIVILEGES ON retain.* TO 'retain'@'localhost' IDENTIFIED BY 'password';

[edit] MS SQL

1. Install as default instance, with Unicode, UTF-8 or Latin 1_General_C1_AS as standard encoding.
2. Enable SQL Server Authentication in addition to Windows Authentication
3. Once installed, Verify server is listening on port 1433 (telnet [ip address]:1433)
4. Ensure TCP/IP is enabled - Run SQL Server Configuration Manager
5. Expand SQL Server Network Configuration
6. Protocols for MSSQLSERVER
7. Enable TCP/IP
8. Run SQL Server Management Studio, connect to Server
9. Under Security/Logins, right click and select "create Login, (for example retaindbuser) that uses SQL Server authentication.
10. Assign a password.
11. Right click on Databases, and create a new database named retain and assign retaindbuser as the owner.(There are other ways to grant the permissions but this is easiest)

[edit] Retain

• Download and extract the latest version of Retain.[9]

You should have been emailed Validation Keys for Retain Server, Exchange module and any other modules you have bought. Browse to https://licenses.gwava.com/ to receive your license files. Save these to your Retain Server and back them up someplace safe.

[edit] Install Retain 3.5.1

• Launch the installer.

• Install the Server, Worker and Reporting&Monitoring Server

• Browse to http://localhost/RetainServer
  • Set the paths to the proper disks.
  • Connect to the database.
  • Load the licenses.

• Set bookmark.

[edit] Post-Install Tasks

[edit] Tune Tomcat Memory Setting

Windows Tomcat memory tuning:

1. Go to the System Tray icon for Tomcat.
   • If using the embedded Tomcat, launch tomcat.exe located in C:\Program Files\Apache Software Foundation\Tomcat\bin. Skip step 2.
2. Choose configure.
3. Go to the Java tab.
4. Set the Minimum Memory (always used), Maximum Memory, and Stack Size.
   • Tomcat is pre-tuned to 256MB initial and 1024MB max memory with a 160 stack size. For a typical 16GB system you will want to set Tomcat to 10240MB for initial and max memory size.
   • Set 256kb for thread stack size.

[edit] Connect to the AD domain

move this to Exchange module This assumes you have created an Exchange server to test against. If you are using a different email system to connect to you may ignore this section.

• Change the DNS to the one you created on your Exchange server
• Join the server to the domain created on your Exchange server
  • In Server Manager click on Workgroup, which will take you to System Properties
  • click on "Change"
  • enter the domain under "Member of"
  • Reboot
• Turn off domain firewall

[edit] Setup Exchange Module

Check that Core settings are enabled.

• Set the Impersonation Account. (retain@company.com, password)
• Set the Exchange forest: (AD forest, 3268/plaintext || 3269/SSL)
• Create a Search Base: top level of their forest (dc=organizationDomain,dc=domainType).
• Save Changes.
• Refresh address book!

[edit] Setup Job

Setup the Initial Dredge.

1. Schedule
   • Create a SingleUse schedule. Used mainly for initial dredging and testing.
   • A RecurringUse Schedule is for the daily archive dredge.
   • Note: Exchange runs daily maintenance tasks from 1-5am.
2. Profile
   • Create a DredgeEverything Profile.
     • All messages
     • Set Item Store Flag
     • Try to publish all messages
     • Store/Index Internet headers, include archive mailbox and recoverable items
   • A DailyProfile should be set to something more limited.
     • Ignore all messages older than item store flag (fast).
   • A TestProfile will be used for testing and generally would not have Item Store Flag set so messages are not lost, but would be if you are working on a single user that has issues.
3. Worker
   • Create a worker for the mail server. The best practice is to have one worker for each mail server for best performance.
4. Job
   • Create an InitialDredge Job.
   • If possible select the AD container and not the mailserver, for better performance. Enter the Notification details.
   • This would apply for the DailyJob as well. This would be for each mail server.

[edit] Setup RetainWorker web console

• Log into worker console. (localhost/RetainWorker)
• Upload bootstrap.
• Set bookmark.

[edit] Setup Reporting and Monitoring

Monitoring shows stats about the server. Reporting can generate reports about many things in the system.

• Have them enter details, then save and upload bootstrap.
• Log into R&M Server. (localhost/RetainStatsServer)
• Set bookmark.