• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 891
  • Last Modified:

Exchange 2010 e-discovery. How does it work

We just started testing Exchange 2010. We are currently running 2007. I noticed new features called archiving and e-discovery. Are these new featues independent of each other? All of our clients are Outlook 2007 so I don't think we can leverage the archiving just yet, but, do I need to enable archiving for e-discovery to work? If not, were do the emails get stored?
0
osiexchange
Asked:
osiexchange
  • 9
  • 5
1 Solution
 
chapmanjwCommented:
Here is a good overview/tutorial on e-Discovery in Exchange 2010: http://msmvps.com/blogs/andersonpatricio/archive/2009/05/15/using-exchange-server-2010-e-discovery-multi-mailbox-search.aspx

You do not necessarily need archiving enabled for e-discovery, you just won't necessarily have all the emails you require for auditing if you do.

Archiving is done on the server side, so it is independent of your Outlook client.
0
 
osiexchangeAuthor Commented:
I saw that article already. It just goes through some basic features and show you how to find emails. It really does not explain how e-discovery works. Like I said, where are these emails being stored if you do not enable archiving. The Transport Dumpter? If so, how long do they stay there. Just looking for a good article that explains all the mechanics of how e-discovery function.s

Also, archiving is stored on the server  but you need Outlook 2010 to take advantage of the archiving feature.
0
 
chapmanjwCommented:
The Archives are stored in the same mailbox database as the regular mailboxes: http://www.howexchangeworks.com/2009/08/archive-mailbox-in-exchange-2010.html
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
osiexchangeAuthor Commented:
This has changed with SP1. You can now direct archives to a separate database and tiered storage. Also, archiving and e-discovery appear to be separate entities. You don't need one to have the other I am guessing. I just want something that explains in details how the e-discovery process works on the backend.
0
 
chapmanjwCommented:
I don't believe such documentation exists.  The closest would be what TechNet has: http://technet.microsoft.com/en-us/library/dd335072.aspx

Some of the processes on the backend of Microsoft Servers (like Exchange and SharePoint) are not publicly documented.  (Some of them aren't even documented well internally for Microsoft, for ex: I worked with Microsoft support on a SharePoint service issue and was basically told the service was a black hole with little to no documentation on how it operates).
0
 
osiexchangeAuthor Commented:
Fair enough but if my CIO asks me how it works, a black hole will not be an acceptable answer. This is one of the better articles I have seen but still does not answer the technical part of it. An example. I have a test environment as mentioned with about 5 mailboxes. Archiving is not configured on any of them. I sent a message to a paricular mailbox. After sending the message, I deleted it from Sent Items, emptied my Deleted Items Bin, and removed it from Recoverable Deleted Items. Did the same thing on the recipients mailbox so there is no trace of the message, yet, an e-discovery search revealed the message. OK, where did Exchange get this from. A simple question I have not found the answer to yet. My first quess is the transport dumpter. If so, do I need to increase some settings on this to include more emails? I think its important to know because when it doesn't work, you need to know how to fix it and you won't be able to.
0
 
chapmanjwCommented:
Items deleted (from the user end) aren't really gone until Exchange cleans them up.  They still exist in the users mailbox storage, they just cannot see them and they don't count against them in their storage limits.  Here are details on that: http://support.microsoft.com/kb/249680.  You can configure the settings around this if necessary.
0
 
chapmanjwCommented:
Just FYI: http://support.microsoft.com/kb/249680, granted this article applied to Exchange 2000, it is the same principle used for all versions of Exchange.
0
 
chapmanjwCommented:
Here is some more updated documentation for 2007, still looking for 2010: http://technet.microsoft.com/en-us/library/aa997206(EXCHG.80).aspx

The default for both Exchange 2007 and 2010 is that it retains items for 14 days.
0
 
osiexchangeAuthor Commented:
I haven't looked at these articles yet, but if you are talking about Deleted Items Retention, yeah the default I think is 14 days for users but I did flush this out as I stated. After emptying my Deleted Items Bin, I then deleted all the contents in Recover Deleted Items by highlighting the Deleted Items Bin, selecting Tools, and then Recover Deleted Items. From there I deleted everything that the server was holding so the message should have been erased from existence at that point.
0
 
chapmanjwCommented:
In 2010, it has been enveloped into the Retention Policy management: http://technet.microsoft.com/en-us/library/dd297955.aspx
0
 
chapmanjwCommented:
Like I mentioned previously, the emails aren't completely purged until the cleanup processes run.  Until that time, the eDiscovery software can find it, even though it isn't accessible otherwise.
0
 
osiexchangeAuthor Commented:
OK, so if that is the case, I guess I am back to my original question which I think I know the answer to already. Do you need to enable Archiving to have effective e-discovery and it looks lkie the answer is yes because this "e-Discovery" that 2010 has is just a search engine on existing emails. Once the Deleted Items retention policy expires, the emails are gone so I guess you need to have all emails archived and not let the users mess with the archives so you have historical data to search through. I am guessing you can search through archived mailbox with the e-discovery tool.
0
 
chapmanjwCommented:
Yes, that is correct.  You can also set retention policies so that even if the user deletes it from the archive they have access to (as archiving was designed to get rid of PST files) it will still be retained in the server for e-Discovery.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 9
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now