kevin taylor


Exchange 2010 Restore after Ransomware

I was hired by a company that was hit with ransomware the same week all the law firms were targeted. Luckily the Practice Admin did a pretty good job at backups. I was able to restore their shared data files, their law practice software database and all the workstations. They have 4 servers total: 2 have Exchange servers, 2 domain controllers (one of the DCs is also a file server). The only thing left to restore is mail. The caveat is I have already moved their incoming mail to 365; however, I need to gain access to that old server so I can get PSTs to push old mail up to 365. The backup they have provided me is in VHD or built-in Windows Server Backup. I was able to extract the old database; I just wasn't sure what would be the best way to gain access to those mailboxes and old mail.

They have two mail servers, mail01 and mail02. mail01 has no mailboxes; they were all migrated to mail02. Both Server 2008 R2 installations and Exchange installations were corrupted by encryption, so I can't just restore the database because it wouldn't work anyway. So my question is, what would be the best route to pursue in order to access that old mailbox data? I could not find any way to just repair and fix those Server 2008 R2 installations, otherwise this would be fairly easy.

Any suggestions?
M A

Option 1.
What backup software did you use? Some software gives you the option to export to PST.
If that is there, no need to get access to get PSTs.

Option 2.
If you have the EDB file, recover the server using:
Setup.exe /M:RecoverServer
kevin taylor

ASKER

The backup I have is the Exchange folder, which contains the installation and database. The backup was done by the onboard Server 2008 R2 backup feature. The format was VHD; I was able to mount that and extract those files. However, the current server has too much damage to system files, so I do not think option 2 would work unless you had a recovery partition. Is that correct?
I do not need this server to function normally anymore as mail is now on 365, I just need to gain access to the old emails which are on the mail store backup.
-->I do not need this server to function normally anymore as mail is now on 365, I just need to gain access to the old emails which are on the mail store backup
Can you restore the EDB file (database file)?
Yes, I do see the EDB database file on the backup. I think it might be easier to go with third-party software and just extract .pst files.
ASKER CERTIFIED SOLUTION
M A
Can you make a recommendation for 3rd party? I see many online but am not sure who is best. I assume I need the kernel version because I am recovering from a raw unmounted EDB, correct?
Check if the backup is only one vhdx file. If there are several vhdx, you may restore the whole server to a virtual machine and simply use the Exchange Management Shell to extract PST files.
I’ve used “lepide exchange recovery” to go from EDB directly to O365 for exactly the same reason you are facing. It worked great, with nice granular options if you need them.
Ended up using Kernel Exchange Suite to extract mailboxes from the EDB file. Worked well but is really slow, but better than having to rebuild Exchange in a 2008 R2 environment.
Hi Kevin,
All 3rd party extraction will be slower compared to Exchange. But you don't need to worry about any of this Exchange installation or recovery.

Glad to know 😊 you sorted it out 👍.
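
For the route suggested in the thread of restoring the whole server to a virtual machine and extracting PST files with the Exchange Management Shell, the export step could look like the sketch below. It is an added example, not code from any poster; it assumes Exchange 2010 SP1 or later (where `New-MailboxExportRequest` exists) with the database already mounted, and the share path and account name are placeholders.

```powershell
# Added example. Run in the Exchange Management Shell on the restored VM,
# kept off the production network while the restored image is still untrusted.
# Assumptions: Exchange 2010 SP1+, mailbox database mounted, placeholders below.
$PstShare  = '\\mail02\PstExport'      # placeholder UNC share; 'Exchange Trusted Subsystem' needs read/write
$AdminUser = 'CONTOSO\restore-admin'   # placeholder account running the export

# The export cmdlets stay hidden until this role is assigned; reopen the shell afterwards.
$assigned = Get-ManagementRoleAssignment -Role 'Mailbox Import Export' `
    -RoleAssignee $AdminUser -ErrorAction SilentlyContinue
if (-not $assigned) {
    New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User $AdminUser | Out-Null
    Write-Warning 'Role assigned. Close and reopen the shell, then run this again.'
    return
}

# Queue one export request per mailbox, with the PST named after the mailbox alias.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    New-MailboxExportRequest -Mailbox $_.Identity `
        -Name "pst-$($_.Alias)" `
        -FilePath (Join-Path $PstShare "$($_.Alias).pst")
}

# Poll until no request is queued or still running.
do {
    Start-Sleep -Seconds 60
    $pending = @(Get-MailboxExportRequest |
        Where-Object { $_.Status -eq 'Queued' -or $_.Status -eq 'InProgress' })
    Write-Host "$($pending.Count) export(s) still running"
} while ($pending.Count -gt 0)

# Summarise the outcome: failed requests and skipped (corrupt) items are the
# mailboxes to re-check before the PSTs are uploaded anywhere.
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics |
    Select-Object Name, Status, PercentComplete, BadItemsEncountered, FilePath |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Any request that ends in `Failed`, or completes with a non-zero `BadItemsEncountered`, points at a mailbox whose PST should be compared against the source before it is pushed to 365.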