disaster recovery for exchange 2000books.mhprofessional.com/.../0072126744_ch07.pdf · q&a self...

7DisasterRecovery forExchange 2000

CERTIFICATION OBJECTIVES

7.01 Implementing a Backup andRestore Plan

7.02 Restoring User Data

7.03 Configuring a Server for DisasterRecovery

7.04 Restoring the Information Stores

7.05 Troubleshooting Backup and RestoreProblems

7.06 Safeguarding User Keys

✓ Two-Minute Drill

Q&A Self Test

CertPrs8 / MCSE Administering Exchange 2000 Server Study Guide / Clawson/Luckett / 2674-4 / Chapter 7Blind Folio 7:511

C:\OMH\CertPrs8\674-4\ch07.vpWednesday, July 25, 2001 3:51:23 PM

Color profile: Generic CMYK printer profileComposite Default screen

CERTIFICATION OBJECTIVE 7.01

Implementing a Backup and Restore PlanAn important part of keeping your network and services up and running to serveyour user community is to have a plan in place in case of a failure. With Exchange2000 Server, this plan should include:

■ A plan to back up the underlying Windows 2000 Server

■ A plan to back up the information stores, both mailbox stores and publicfolder stores

■ A plan for how to log transactions, and when and where to restore thetransaction log files

■ A plan to recover lost messages and deleted mailboxes

■ A plan to recover corrupted databases

■ A plan to restore a mailbox store when the server is otherwise operational

■ A plan to restore data to a recovery server

It is entirely possible that a large portion of your test will ask questions aboutbacking up, restoring, recovering, and dealing with server disasters. Be prepared!The probability that you can pass the exam without thoroughly understandingthe material in this chapter is pretty small.

Exchange 2000 offers a great deal of flexibility in configuring the storage groupsand the information stores. Many of your decisions on how many mailbox stores(for example) to configure will depend upon factors such as:

■ How long it will take to back up a storage group or mailbox store

■ How long it will take to restore a mailbox store

■ Who in your organization can be without messaging services and for how long

After you carefully consider those factors, you can begin to construct your plansfor how to back up and restore the databases.

512 Chapter 7: Disaster Recovery for Exchange 2000

CertPrs8 / MCSE Administering Exchange 2000 Server Study Guide / Clawson/Luckett / 2674-4 / Chapter 7



Another item that you must account for in your backup and restore plans isbacking up Active Directory. AD exists on all domain controllers, so if your networkcontains multiple Windows 2000 domain controllers, your network already hassome degree of built-in fault tolerance. If one of the domain controllers fails, youstill have working (and writable) copies of AD. To introduce another domaincontroller into the network, you would simply install a Windows 2000 Server andrun DCPROMO to promote this server to a domain controller. There is no need to“restore” AD from tape backup.

If, however, you have a single domain controller and it fails, you will need torestore AD from tape backup. AD will contain all of the Exchange objects andattributes. You will want to pay some attention to the status of AD when doing arestore, especially of an Exchange Server. Later in this chapter you will learn aboutusing setup with the /disasterrecover switch to accommodate reinstalling anExchange Server when the objects currently exist in AD.

You can back up AD (and other things) by selecting System State from theWindows Backup program. Backing up the System State will back up AD, theRegistry, the sysvol, and the COM+ registrations.

You can back up Active Directory only by backing up the System State on adomain controller. Backing up the System State on domain controllers andmember servers will also back up the Registry on other items.

If you are running in a mixed environment with Exchange 5.5 servers, you areinterested in the sysvol, because that is where the Site Replication Service (SRS)parameters and objects are kept. Exchange 2000 does not use the SRS, but theExchange 5.5 servers must reference the SRS for backward-compatibility.

Types of BackupBefore delving any further into the material, it is important to discuss the types ofbackups that can be performed, how these backups interact with Exchange, andwhat your options are when doing the backups.

Backup TechniquesThere are three types of backups that you are most interested in when consideringexam material. Other backup techniques are possible, but probably not relevant fortesting. An important consideration in selecting one of these three types is what they

Implementing a Backup and Restore Plan 513




do with the archive bit, how much backup media is needed, and how much time isrequired to do the backup. Another important consideration in selecting the backuptype is the kind of restore procedure that will be required. The three types ofbackups are:

■ Normal backup This is sometimes referred to as a “full” backup because itbacks up all files regardless of the status of the archive bit. Because thistechnique writes all files to the backup media, it consumes the most time anduses the most space on the backup media. The normal backup resets thearchive bit (turns it off, or sets it to zero) after it has backed up the file. Youwould use a normal backup when time and media space are not a concern.Restoring files from a normal backup is also the least complex restorationprocedure. You simply need the last media set. Since that set contains all files,you don’t need anything else.

■ Incremental backup As the name implies, this technique incrementallybacks up data by backing up only the files with the archive bit set on. Usingan incremental backup scheme, you would start by making a full normalbackup. This backup turns off all of the archive bits. When the backupmodifies (or creates) a file, the file system sets the archive bit on, indicating achange to the backup system. The next backup you would perform is anincremental backup, which backs up only the files that have changed, asindicated by the archive bit. After the file is backed up, the archive bit is thenset to off. Each day you would run an incremental backup until the nextscheduled normal backup. Typically, you would run a normal backup once aweek and incremental backups the rest of the week. Using an incrementalbackup scheme, the backup takes less time and consumes less media, sinceyou are backing up only the files that have changed (presumably some smallsubset of the total files). Restoring files from an incremental scheme is themost complex of the three types that this section will discuss. During therestore, you need the last normal backup media and every incremental backupmedia to be able to restore all the files.

■ Differential backup This technique starts with you making a full backup ofthe data. This backup resets the archive bit off on all of the files. Then, onthe succeeding days, you run a differential backup, which backs up all thefiles with the archive bit set on (that is, all the files that have changed). But,unlike the incremental backup, the differential backup does not reset the





archive bit, but leaves the archive bit set on. The next time you run adifferential backup, it will back up the same files as the previous differentialbackup, plus any new files (or files with the archive bit turned on). Eachsuccessive day, the differential backup can potentially take longer to back upthe files and consume more media. You would use a differential backup whenmedia capacity is a concern and the length of time it takes to do the backupis not a prime concern. Doing a restore from a differential backup requiresthe last normal backup media and the last differential media. This makes thedifferential backup slightly more complex than a normal backup to restoreand slightly less complex than an incremental backup to restore.

Online and Offline BackupsWhen you perform an online backup, you are backing up the Exchange databasewhile the Exchange services are still running. In other words, users are still usingExchange to send and receive messages while you are backing up. The advantage tothis type of backup should be obvious. You get to do the backup and the users get tosend and receive e-mail without interruption.

When you do a normal backup, you back up the database and the transaction logfiles. When you do an incremental or a differential backup, you back up only thetransaction log files. You will not get a backup copy of the database using an onlineincremental or differential backup.

In a production shop, you might consider doing a normal backup of thedatabase once each day, typically at night when the system usage is minimal.You would then do differential backups of the transaction log several timesduring the day at regular intervals. These intervals could be every hour, twohours, or four hours, depending upon your needs. This backup scheme will notcause undo stress on the server, as you will be backing up only severalmegabytes of data. If you lose the drive that contains the log files, thistechnique will allow you to limit the data loss to the interval between thedifferential backups.

It is worth noting what happens when operations are made to a page during anonline backup. First, if a transaction occurs for a database that has not yet beenbacked up, then the operation proceeds normally. If the transaction occurs for adatabase that is being backed up, the transaction is stored in a patch (.pat) file. This





patch file is used only during an online backup or restore of the database. There isonly one patch file for any given store that is undergoing an online backup.

When you begin an online backup, the patch file is created and is stored in thesame folder as the database store, typically the mdbdata folder. The patch file usesthe same naming convention as the store. If the database file name is executive.edb,then the patch file will be named executive.pat.

As the online backup is taking place, the transaction entries are placed into thepatch file instead of the log files. When the backup is complete, the patch file iswritten to the tape and then deleted from the folder.

To do an offline backup, the information store service must be stopped or thedatabase store must be dismounted. Doing an offline backup can be faster andsimpler, doesn’t involve any patch files, and is always a full backup, but you musttake the store out of service. Obviously, because it requires that you dismount thedatabase, an offline backup is a secondary choice to an online backup.

Data Recovery ArchitectureIn this section, you learn about the database engine, the transaction logs, and howyou use the logs in the Exchange process.

Extensible Storage EngineThe Extensible Store Engine (ESE) uses a transaction logging system to help ensurethe consistency and integrity of the data in the database in the event of a systemcrash. Microsoft points to four design goals of ESE:

■ High recoverability in the event of failure

■ Fewer I/O operations

■ The maximum level of self-tuning

■ Twenty-four-hour-a-day, seven-day-a-week uptime

From a design point of view, the ESE uses four principles, which Microsoft callsACID, to ensure data integrity:

■ Atomic This is the “all or none” principle. It states that all operations in atransaction must be completed or none of the operations will be completed.Consider the example of an online banking application where you would





transfer funds from one account to another. Such a transfer actually consistsof two separate transactions: a withdrawal and a deposit. Consider theramifications if the withdrawal portion were done and the system failed beforethe deposit portion could be completed. Bad news! You wouldn’t want thewithdrawal portion marked as completed until it was also deposited into theother account.

■ Consistent A transaction can start only with the database in a consistentcondition, and the database must be consistent when the transaction finishes.

■ Isolated The changes to the database are not available (sometimes calledvisible) until the transaction is completed in the atomic sense and thedatabase is consistent. At this point in the process, the transaction iscommitted.

■ Durability Transactions must survive system failures. This means that if asystem failure occurs, when the store.exe restarts, it will detect that thedatabase is in an inconsistent state and roll back the operation that was inprogress during the failure. For example, if you were moving a message fromone folder to another when the system failed, you would not lose themessage.

Data is stored inside the ESE database file in 4KB sections known as pages. Eachpage contains such features as the following:

■ Data definitions

■ Data

■ Indexes

■ Checksums

■ Flags

■ Timestamps

■ B-tree information

Pages are numbered sequentially in the database to improve performance. A databasemay contain 232 pages, which at 4KB per page is approximately 16 terabytes ofinformation. When information is read from the database, it is put into memory,one page at a time.





A transaction is a modification to a page in the database. Each modification isknown as an operation. A transaction may comprise multiple operations. When alloperations are complete, then the transaction has occurred.

Now here is where the plot “sickens,” or gets a bit more complex. When a page isread into memory, it is known as a clean page. Once on operation has been performedon the page, it is known as a dirty page. Dirty pages may be subject to furthermodifications. Many operations may be performed on a dirty page before it is writtenback to the disk. The write back is not a function of the number of operations onthe page.

Before a page can be written to memory, the ESE must reserve an area in memoryfor its own use. This area is known as the database buffer cache and is created by aprocess known as the Dynamic Buffer Allocation (DBA). The size of this cache canbe increased, as necessary.

Don’t be too concerned if your Exchange 2000 Server seems to use all of theavailable memory. First, unused memory is wasted money. That is, you boughtthe memory and might as well use it rather than just let it sit in the systemunallocated. Second, Exchange will tune the amount of memory it uses basedon other demands of the system.

While operations are being processed, they are written to the version store. Theversion store contains the list of all of the changes that have been made to the pagesthat have not been committed.

To commit the transaction, the changes are written from the version store to thetransaction log buffer area. From there they are written to the transaction log file,edb#.log. The edb# starts with 00 for the first storage group, then 01 for the secondstorage group, and so forth. So the log file for the first storage group would be E00.log.

Transaction Log FilesWe have previously discussed the transaction logs and their configuration, and thissection will go into more depth.

As discussed earlier, messages are written to the transaction logs first, and then tothe actual database afterward. So, log files are important in the processing ofmessages and in the recovery process.





We have mentioned before that you do not want to delete the log files manually.Let us say that again: Never, never, ever delete the log files manually. Thesefiles will be deleted when you run your regular normal backup. Also, the samerule applies to the checkpoint file. Deleting either the log files or the checkpointfile will result in nothing but trouble for you.

Exchange does not use a single transaction log file. Over time, that single filecould grow to be quite large and unmanageable, and even consume all space on thehard drive. Instead, Exchange writes to a log file called edb.log. After that file reaches5MB, this file is renamed edbxxxxx.log and a new edb.log file is begun. During thischangeover process, a temporary log file named edbtemp.log is used to hold transactionsuntil the new edb.log is created.

This technique is known as generational files, with each unique log file representinga generation. The xxxxx is a hexadecimal number, and each log file is numbered insequence using this sequential hexadecimal number scheme.

A transaction log files has two sections:

■ Header

■ Data

In Exchange 2000, a set of transaction log files is matched to a storage group.Since a storage group can contain multiple information stores, it follows that a set oftransaction log files can serve multiple databases. The header section in thetransaction log file contains hard-coded paths to the databases that reference it. Theheader contains a signature that is matched to the database signature that it serves.This signature keeps the transaction log file from being paired to an identicallynamed, but wrong, database.

You can get a listing of the header (called a dump) to verify the log file. Thedump will provide information such as the generation number, the hard-codeddatabase paths, and the signatures (Figure 7-1).

With this understanding of transaction log files in place, let’s look at whathappens when a database is modified. When you modify the database, the first thingthat happens is that the page that contains the information you are modifying is readinto memory, the database cache. Next the timestamp on the page is updated toreflect the new activity. Finally, a log record is created to keep track of what is aboutto be done to the database. This log record is created in the log cache buffer.







Writing the Log Entries to the Database After these steps are completed,the page is modified. Next, a connection is created between the two entries, thepurpose of which is to preclude the page from being written to disk without the logrecord being written to the log entry first. Remember, information is written to thelog file first before it is written to the database on the disk.

Committed transactions are written to the database, from the transaction log,when one of the following occurs:

■ If the number of committed transactions on a log file reaches a point wherethe checkpoint falls too far behind, these transactions will be flushed to thedatabase.

FIGURE 7-1

Header dumpproduced usingeseutil /ml



■ If the number of free pages in memory falls too low, committed transactionswill be flushed to free up memory pages.

■ If another service is requesting memory, Exchange will free up memory byflushing its cache. Remember, unused memory is a waste, so Exchange usesmemory until another process needs some.

■ The information store service is being shut down. Then all updated pages inmemory are written to the disk.

Using a Write-Back Cache If you are using a controller with a write-backcache enabled, there is a real risk in using this controller for the disks that supportthe log files. In a nutshell, you can feed information to be written to the disk fasterthan the actual disk device is capable of writing that information. Under normalcircumstances, when information has been written to the disk, the disk will reportback to the system this success and get the next piece of information to write. Thewrite-back controller then gets the information to be written to the disk, stores theinformation in its cache, and reports a successful write to the system. The systemthen moves onto its next task. Meanwhile, the write-back controller continues tofeed information, as a surrogate, to disk as the drive plods along writing theinformation at whatever speed it can. And as long as everything is working okay,then everything is okay—until a controller malfunction occurs. Under certaincircumstances, it is possible for a page to be written to the database itself withoutbeing written to the log file first. This will cause corruption in the database andmake restoring the database anywhere from difficult to impossible.

Many high-performance disk controllers offer write-back cache. Write-backcache can substantially improve performance under most conditions. In fact,Microsoft indicates that you can cut restore times in half if you have enabledwrite-back cache, and restore times can be very critical to you. However,using write-back cache can pose a significant hazard to your data and shouldbe used only if the cache is supplied power by battery, and you have testedthis feature and confirmed that it is operational.

By the way, it doesn’t matter if you are caching the writes at the controller or atthe disk device itself; any malfunction in the cache anywhere has the potential tolead to the same results. At a minimum, you should have a battery backup for yourcache. This battery will protect your cache from a power failure, but not from a





cache malfunction. You will have an interesting decision to make relative to thispoint: You want your log files on a write-optimized disk subsystem, and employinga write-back cache controller substantially improves disk write performance, but notwithout imposing some potential for disaster. Which will you choose?

Have we mentioned that you should never manually delete your log files?

Mission-critical MailboxesThere may be users in your organization whose ability to send and receive e-mailmessages substantially impacts the well-being of the organization. Salespeople whoneed to be in constant contact with their customers may well be such a category ofusers. Executives of the organization may be another group of users who need accessto their messages.

Partitioning the Database for Mission-critical MailboxesThe concept of partitioning a database calls for placing part of that database onanother facility. In the case of Exchange 2000, this partitioning can take the form ofcreating a separate storage group or creating another mailbox store within an existingstorage group.

Be prepared to field questions about how best to handle situations thatrequire quick restoring of mailboxes for a given group of users beforerestoring the mailboxes for all users.

Which technique you should use, another storage group or another mailboxstore, largely depends upon the circumstances, your hardware, and your currentconfiguration. To maintain performance, you will want to put each storage groupon its own dedicated disk array, with the transaction log files on their own mirroredarray. This translates ideally to an additional five physical drives (three drives for thestorage group RAID 5 and a pair of drives for the mirrored volume that will holdthe log files) to support the new storage group.

On the other hand, you could create another mailbox store in an existing storagegroup, assuming that you have not already reached the maximum number ofmailbox stores. This technique has the advantage of not needing as much hardwareor planning about where to put the storage group files.





Multiple Databases Single StoreWe have already discussed configuring Exchange 2000 Server to support multiplestorage groups and multiple stores in a storage group. One of the real strengths ofExchange 2000 Server, this feature allows you to scale the server vertically. In previousversions of Exchange, if you wanted to reserve mission-critical mailboxes in a store,you had to configure another physical server.

You can back up or restore the entire storage group, or back up and restore one ormore of the mailbox stores in the storage group, depending upon your need.

Know what happens to the transaction log files during a backup. Incrementalbackups purge the transaction logs, and differential backups do not purge thetransaction logs. Also, in a storage group with multiple stores, the transactionlogs will not be purged if you do not back up all stores in the storage group,even if you do a normal backup.

Dedicated Recovery ServerIf a disaster occurs, you will have several choices for recovery. One choice is torestore the database to the original server in the original store. This may work well inthe case of a corrupted database or a drive failure where you want to restore theentire database. Also, this technique assumes that the underlying hardware platformis still functional, or can be made functional.

You may want to consider keeping a fully functional and configured serverplatform in reserve as a recovery server. The purpose for this server is to be a“warm spare” in the event that a production server goes down and cannot bebrought back into service in a timely manner. You might think that maintaininga reserve server is expensive, but here is another perspective: It is not what itcosts to keep your application servers in production that is expensive, it is whatit costs you when your application servers go down. To prove this point toyourself (and your organization), pull the network cable on your financialapplication server and see how long it takes for the pain to register.

Consider the case where you need to recover several e-mail attachments from amailbox that has been deleted from the database. You have that mailbox on a tapebackup, and that backup was from two weeks ago. If you restore that database to the





production server, everyone’s mailbox will be out of sync and will not containcurrent messages that were received in the last two weeks. What should you do?

To set up a dedicated recovery server, especially if you want to recover individualmailboxes, you will need to do the following:

1. Install Windows 2000 Server.

2. Create a new, isolated forest.

3. Run Exchange 2000 setup/forestprep if you plan to install Exchange 2000 ona member server.

4. Install Exchange 2000 Server.

5. Restore the database or databases from tape backup.

Windows 2000 BackupWindows 2000 comes with a fully functional backup and restore program alreadytuned for the Windows 2000 environment. This tool, as it is, is not suitable to back upExchange 2000 databases until you actually install Exchange 2000 Server on themachine. During the installation, the backup program will be made “Exchange-aware”so that you can do online backups. An online backup is the preferable backupmethod because it does not require you to take the information stores out of servicewhile backing up the data.

A limitation to this backup program is that you can only back up the localExchange databases. You will not be able to back up a remote Exchange databasesuccessfully using this program, even if you have Exchange 2000 Server installedlocally.

EXERCISE 7-1

Using Windows 2000 Backup ProgramIn this exercise, you will become familiar with and use the Windows 2000 backupprogram to back up an Exchange database.

1. Click the Start button.

2. Point to Programs.







3. Point to Accessories.

4. Point to System Tools.

5. Click on Backup Wizard to start the backup process.



6. Click on the Backup tab.

7. Expand the Microsoft Exchange Server container.

8. Expand the Exchange1 container.

9. Expand the Microsoft Information Store container.

10. Left-click on the First Storage Group. The details pane of the console thendisplays the mailbox stores located in the first storage group.

11. Click on the Executive Mailbox Store checkbox.

12. If you have a backup device, you would click Start Backup to begin backingup the Executive mailbox store.

13. Clicking on Start Backup brings up the Backup Job Information dialog box.From here you can start the backup, schedule the backup to run, and selectthe backup type through the Advanced tab.






Restoring User DataBeing able to restore user data is critical to both your operation and your success asan Exchange administrator. This section covers some key concepts as well as testablematerial.

Mailbox Recovery ScenariosThe term brick-level restore (or backup) refers to the ability of your backup programto restore a single mailbox without having to restore the entire mailbox store. TheWindows 2000 backup program does not provide for a brick-level restore. Somethird-party backup programs allow for the restore of a single user’s mailbox.

Using Exmerge (described in the following section), it is possible to approximatea restore of a single user’s mailbox, but there are a lot of assumptions made for thistechnique to work.

Exmerge and .PST filesExmerge is an Exchange 2000 utility. If you are an Exchange 5.x administrator, youprobably recognize the Exmerge program and may have used it in administeringyour Exchange 5.x servers. You can find it on the Exchange 2000 Server CD. Thisutility enables you to accomplish the following:

■ Extract mail from a mailbox store, even if the store is damaged. The mail isput into a .pst file, which can be imported into another mailbox store.

■ Locate and remove specific messages from the mailbox store. For example,you might use Exmerge to find an e-mail containing a virus.

■ Extract folder rules.

■ Migrate users between different Exchange organizations by extracting thecontents of a mailbox into a .pst file and then importing the contents intothe new store.





Recovering a Deleted MailboxYou can specify the retention period to keep a mailbox after you have deleted themailbox. The default time period is 30 days. You can set the retention period forwhatever time period is appropriate for you. There are minor ramifications to increasingthe deleted mailbox retention period other than consuming more storage space.

Connecting a user account to a mailbox that has been deleted is a relatively trivialmatter, as long as you are still in the retention time period. You will connect a userto the deleted mailbox in the Active Directory Users and Computers console.

In the ESM, an unconnected mailbox is displayed with a red X through it.

Know how to recover a deleted mailbox. The exam will ask you how to do so,as this is an important topic at Microsoft.

EXERCISE 7-2

CertCam 7-2

Configuring Deleted Mailbox RetentionIn this exercise, you will specifically configure a mailbox store to increase the deletedmailbox retention period.

1. Start the ESM console.

2. Navigate to and expand the Administrative Groups container.

3. Navigate to and expand the First Administrative Group container.

4. Expand the Servers container.


6. Expand the First Storage Group.

7. Right-click on the Mailbox Store container.

8. Select Properties from the menu.

9. Click on the Limits tab.

10. In the Deletion Settings section, enter 90 in the Keep Deleted Mailboxes For(Days) field.

Restoring User Data 529




11. Click on OK to close the dialog box.

12. Close the ESM console.

Recovering Deleted ItemsDeleted items retention is very different from deleted mailbox retention. Deleteditems refer to messages, whereas the deleted mailbox refers to the whole mailbox.You can configure each of these items independently of each other.

You set the time period for deleted items using the ESM in the same dialogsection of the Limits tab where you set the deleted mailbox retention time period.You recover deleted items by using Outlook 2000.

Recovering a Mailbox from BackupTo recover an Exchange 2000 mailbox from backup to a recovery (offline) server,follow these steps:

1. You will need these logical names:







■ The Exchange 2000 organization name

■ The name of the administrative group to which the database belongs

■ The name of the storage group to which the database belongs

■ The logical database name

■ The LegacyExchangeDN value of the administrative group to which thedatabase belongs (see the discussion in the next section to learn how tofind this value)

2. Install Microsoft Windows 2000 Server on the recovery server, and then runDCPROMO to install Active Directory on the recovery server.

You will need to create a new isolated forest for your recovery server. Also,pay attention to how forests (DNS namespace), domains, servers, and foldersmust be named and their paths.

3. Install and configure DNS if necessary.

4. Install Exchange 2000, using the same organization name as used in theproduction system.

5. Change the name in the LegacyExchangeDN value, if required.

6. Create a storage group using the same logical name as the production server’sstorage group.

7. Create logical database names in the storage group to match the original names.

8. Right-click on the database to rename it, and then click on Rename, ifrequired.

9. Dismount the database to be restored. In System Manager, select the ThisDatabase Can Be Overwritten By A Restore checkbox.

10. Use Windows 2000 backup utility to restore the database that contains themailbox that you want to recover.

Be sure that you select the Last Backup Set checkbox when restoring the lastonline backup set. If you fail to select this checkbox, you must run ESEUTIL/CC against the restored files before the database will start.





11. Mount the database that you restored.

12. In System Manager, navigate to the database and right-click on Mailboxes.

13. Click on Run Cleanup Agent. A red X will identify mailboxes that are notcurrently linked to an AD account.

14. Create a non-mailbox-enabled AD user account for each mailbox that youwant to recover.

15. Link the mailboxes to AD accounts by clicking Reconnect.

16. Extract the contents of the mailbox to a .pst file.

Know how to restore a single user’s mailbox from a backup. The exam willask you how to do so, as this is an important topic at all the Exchangeconferences that we attend.

LegacyExchangeDN Values To be able to restore from a backup a mailboxthat was part of a previous Exchange 5.5 server, you will need to identify theLegacyExchangeDN value. There are several ways to find the LegacyExchangeDN ofthe administrative group. The LegacyExchangeDN value has the following form:

/O=organization/OU=administrative group

If the OU= portion of the LegacyExchangeDN value is First Administrative Group,there is no need to change any LegacyExchangeDN values on the recovery server.

If this portion of the value is not administrative group, then you must change theLegacyExchangeDN values. You must first know what the LegacyExchangeDNvalue is (and be able to determine whether the value is an obstacle to configuringyour recovery server).

There are two ways to determine and change the LegacyExchangeDN value:

■ You can use ADSIEDIT or LDP to view the properties of the administrativegroup object.

■ You can use the LDIFDE utility.

To use LDIFDE, you must know the fully qualified DNS domain name ofthe root domain in your Windows 2000 forest. The domain name you want is



not necessarily the domain name to which the Exchange 2000 Server belongs,but rather the root domain name of the entire forest. You will also need theExchange organization and the administrative group names.

For example, the following LDIFDE command displays the results on the screen.(The command must be entered as a single line, but it is wrapped here for readability.)

LDIFDE –f CON –d "CN=Executives,CN=Administrative Groups,CN=Exchange1,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=gk,DC=com" –l legacyExchangeDN –p Base

In this example, Executives is in LegacyExchangeDN, and because of this,objects on the recovery server must be modified because after a clean Exchange2000 installation, LegacyExchangeDN on the recovery server contains FirstAdministrative Group, not Executives.



I have more data to back up than I can fit on mytape cassette. What can I do?

Depending on exactly how much data changes fromday to day, you can use either an incremental or adifferential backup technique.

In the case of a failure, I must restore the salesdepartment’s e-mail first. How do I do that?

Put the sales department’s mailboxes in their ownmailbox store in another storage group. This willallow you to restore that storage group first andmount the mailbox store.

I have two storage groups on my Exchange 2000Server. Each storage group contains enough data tofill my tape and I want to do a full backup. Whatcan I do?

You could perform a full backup of each storagegroup every other day.

SCENARIO & SOLUTION




Configuring a Server for Disaster RecoveryThis section discusses configuring the Exchange 2000 Server that holds theExchange databases to make it easier to recover them in the event of a disaster. Youcan recover the databases in two places: the original server and a different server. Inthe different server category, there are two types of servers. One is a replacementserver that will be used permanently for the failed original server. The other is atemporary recovery server that will be used only to recover some specific data, andwhen that task is done, the recovery server will more or less be abandoned until thenext disaster recovery. This section focuses on configuring three items:

■ Storage groups and stores

■ Log settings

■ A server for recovery

Storage Groups and StoresThere are several reasons to configure multiple storage groups and multipleinformation stores on the same server. One reason can be to improve performance,especially that of disk subsystems. The other reason is to aid restoring a storagegroup or information store after a failure.

You want your design to minimize the restore time for critical mailboxes ormailbox stores. You also want your design to keep your backup routines as simple asis practical. Complex designs are difficult to implement and sustain and oftenrequire great attention to detail, the kind of attention that often gets overlooked inthe boredom of routines such as daily or multiple daily backups.

When you are doing an online backup, the transaction logs are of criticalimportance because they contain the transactions that are not yet written to thedatabase. These same transaction files are of no concern when you do an offlinebackup. To do an offline backup, you must dismount the store. When you do that,the committed transactions held in the log files are flushed to the database. Ofcourse, when you are doing an offline backup, that database is not available for use.





Backing up the entire storage group backs up all of the stores and the transactionfiles. Such a backup is the simplest to administer, and you can’t miss anything.However, if you must back up all of the stores in the storage group at the same time,the backup might possibly exceed the time allotted. In this case, using multiplestorage groups and multiple backup devices, you can simultaneously back up themultiple stores and keep the backup time within the allotted time period.

As we have indicated before, using multiple stores (even within the same storagegroup) allows you to selectively restore the store. You can restore a mailbox store, forexample, without having to disrupt the other mailbox stores in the storage group.Using multiple mailbox stores also allows you to restore one mailbox store, andtherefore the critical mailboxes within that store, before restoring the others.

Logging SettingsThe prime consideration here is whether to use circular logging or not to use circularlogging. Circular logging conserves disk space. But unless you do normal backupsfrequently enough before the circular log wraps, you will be in trouble if a failureoccurs. Disabling circular logging is the preferred method of operation.

EXERCISE 7-3

CertCam 7-3

Configuring Log SettingsIn this exercise, you will configure the log settings to ensure that circular logging isdisabled on the default mailbox store.

1. Start the ESM console.

2. Navigate to and expand the Administrative Groups container.

3. Navigate to and expand the First Administrative Group container.

4. Expand the Servers container.


6. Right-click on the First Storage Group.

7. Click on the Enable Circular Logging checkbox, then click OK.

Configuring a Server for Disaster Recovery 535




8. Click on Yes in response to the question about using circular logging.

9. Close the ESM.

Configuring a Server for RecoveryThere are two issues that are important when configuring a server for recovery. Oneis configuring a server to be easy to manage in the case of failure and the other is ifyou want to restore to that server. Using multiple drives will simplify the process.Using multiple storage groups may also help, depending on the exact scenario. If





you elect to use multiple storage groups, the recommendation is to put each storagegroup on its own array, using RAID 5 if you are interested in fault tolerance.Remember also that for best performance, you should keep the log files for thatstorage group on separate physical drives as well. Don’t forget that you want tomirror the transaction log file drives.

If you are using multiple storage groups, do not put the transaction log filesfor multiple storage groups on the same drive.


Restoring the Information StoresBefore you restore a backup from tape, you should make copies of existing databasefiles, even if you cannot start these files. The existing database may be repairable,even though the database may be damaged.

You cannot restore an Exchange 5.5 database to an Exchange 2000 Server.The log files for an Exchange 5.5 database are different from those of anExchange 2000 database.

You should never let the drive that contains your databases get more than halffull. This way, you can quickly save a copy of a database that crashes. If you do letthe database drive fill up, and you do not have sufficient space to move the databaseto another folder on the same logical drive, your recovery time is extended. Usually,recovery time is doubled.

If you keep your database drive from filling up, you also have room for offlinedefragmentation.

Before you restore a database, you must start the information store service. Youwill need to dismount the databases that you want to restore. If you leave the MountDatabase After Restore checkbox clear, be sure to examine the event logs to see thatthe hard recovery finishes before you mount the database in ESM. A hard recoveryreplays the transaction log files and the patch files after you restore the database.

Restoring the Information Stores 537




If you are restoring only a single backup set, do not forget to select the LastRestore Set checkbox in Windows NT Backup to trigger hard recovery afterrestoration. If you did not select this checkbox, then you can perform a hardrecovery by using ESEUTIL /CC. You must run this utility in the same folder asthe transaction logs, patch files, and the restore.env file. You cannot remountthe database until the hard recovery finishes.

In a soft recovery, a database starts normally and the storage group is initialized. Ifthe database file is in a consistent state, the ESE simply begins to handle transactions.

If the database is in an inconsistent state (it might not have been shut downproperly), the ESE replays transactions from the checkpoint through to the log file.If the checkpoint file doesn’t exist, the ESE starts with the earliest transaction logthat it finds. When the ESE finishes replaying the transaction, the database isavailable.

You can follow these steps to recover databases:

1. Ensure that the information store service is running.

2. Ensure that the database you want to restore is dismounted.

3. On the Start menu, point to Programs, point to Accessories, point to SystemTools, and then click on Backup.

4. On the Restore tab, expand the media file. Select checkboxes to select thedata that you want to restore.

5. Click on Start Restore.

6. In the Restore Database Store dialog box, use the Temporary location tospecify a directory to store a log file that is different from the directory wherethe original log files exist. Make sure the location has enough disk space tostore the files. If you restore databases or log files to their original location,any existing databases or log files are overwritten.

7. If you are restoring a full backup without any incremental backups, selectLast Restore Set to start a log file replay after restoring the database. If youare restoring a backup with incremental backups, do not select this optionuntil you are restoring the last incremental backup.

8. Click on OK.





Troubleshooting Backup and Restore Problems 539


Restoring Exchange ServerActive Directory almost always survives a disaster that occurs to an Exchange 2000computer. Therefore, you cannot reinstall Exchange 2000 on a server without firstremoving that server from AD. However, you do not want to remove the serverfrom AD, because all of the configuration information will be lost, and you willneed that information in AD.

With Exchange 2000, using the Setup utility with the /disasterrecovery switchsolves this problem.

In disaster recovery mode, Setup installs program files and local Registry settings,but assumes that AD information remains intact. Setup searches for the server inAD, then reconfigures the local setup based on what it found in AD.

In disaster recovery mode, Setup restores only the components that you choose torestore. If you do not choose a component that was previously installed, the utilitydoes not restore that component. After Setup finishes, you can restore the Exchangedatabases, and those databases are restored to the correct previous locations becauseAD stores information store database paths.


Troubleshooting Backup and Restore ProblemsBacking up data is a very important process. You will only go to your backup whenyou have an emergency or have suffered a disaster with the online data. In thesecases, you will want to have good, usable backup copies of the data.

However, backing up the data is only a small part of the picture. Actually beingable to successfully restore the data is the big part of the picture. Having a good, usablebackup copy of the data will not be helpful if you can’t actually restore that data.

Problems can occur when both backing up and restoring data from backups. Thissection will highlight some of the problems that can occur and what to do if thoseproblems occur.



Common Error MessagesSeveral common error messages are important for you to know, both in the realworld and for the test.

–1018 ErrorOne important error message is –1018 JET_errReadVerifyFailure. Before a page iswritten to the disk, a checksum is calculated for that page and written with the pageto the disk. When a page is requested, it is read from the disk, and the checksum isrecalculated and verified along with the page number being requested. If thechecksum fails or there is a page number mismatch, a –1018 error message isgenerated. This error indicates that the data that was written to the disk was not thedata that was read from the disk to memory. The ESE will attempt to read the datamany times (16, in fact) before it reports the error. ESE makes these attempts tominimize the possibility of a transient fault condition causing the error.

To fix 1018 errors, first fix the underlying problem of the error, which isusually a disk subsystem problem. Then restore the database from a knowngood copy.



I keep getting a bunch of 1018 errors. Look for hardware problems.

One of my mailbox stores is corrupt. What should Iattempt first to fix it?

Restore from tape backup.

Why not just run ESEUTIL or ISINTEG? Depending on the state of things, you could sufferdata loss from running one of these utilities. Usethem as a last resort.

So what? I still have my online tape backup. Your online backup will need the transaction logs,which got flushed when you ran the utility, andagain you suffer data loss.

I manually deleted my transaction logs to free upspace on the drive. Now I need to restore my onlinebackup and need the most current data. Whatshould I do?

Look for another job, perhaps in the housekeepingor food services industries. When you deleted thelogs, you deleted your ability to restore the databasein as current a state as possible.

SCENARIO & SOLUTION



Common causes of this error message are:

■ A hardware problem with the disk subsystem. This is the most commoncause of the error.

■ A high number of “soft” recovered errors on a hard drive. In this case, youshould replace the drive.

■ Improper SCSI termination.

■ Trouble with the write-back cache on a disk controller.

■ Third-party tools that attempt to write directly to the Exchange database.

■ Faulty device drivers.

■ Firmware bugs in the disks or the disk controllers.

If you receive error messages, do not assume that your database has beendamaged. If you incorrectly assume the database is damaged and take drasticmeasures to correct the supposed damage, it could lead to actual damageand prolonged downtime. The only error messages that you can assumeindicate a corrupted database are repetitive –1018 errors.

-1069 ErrorAnother important error message is –1069 JET_errVersionStoreOutOfMemory.During an operation, it is possible that an operation will fail to complete (hang) orthat it is so large that it will cause the version store to consume hundreds ofmegabytes. One possible operation that might cause such a failure to occur isindexing a large table. As the version store keeps track of all of the changes, such anoperation could stress the version store to the point of generating an error. To fixthis, try moving the information stores to a disk with more free space. You mightalso consider adding more RAM.

ESEUTILIn an ideal world, you’d never need to run ESEUTIL. There are only threesituations in which we recommend using it:

■ You want to check the integrity of a database.





■ You need to defragment a database to free up disk space. There is never anyreason to defragment databases on a routine basis. Remember, the onlinedefragmentation process runs daily to defragment databases.

■ You need to fix a corrupted database because you can’t restore it from abackup.

We cannot overemphasize that ESEUTIL is not a tool for casual use. It can bedangerous, especially in repair mode. We grimace when we see peoplerunning it as a preventive maintenance tool. Doing so is like playing Russianroulette with an automatic pistol.

Table 7-1 lists the common switches used with ESEUTIL and their meaning.

Pay attention! The Exchange 2000 version of ESEUTIL is different from theprevious versions, especially the /C [options] switch and the /U switch, whichno longer exists.



Switch Function

/CC Forces a hard recover that plays the transaction log files and patch files. Use this switch after arestore where you did not select the Last Restore Set option.

/CM Dumps the restore.env file, which is a binary file. Both this switch and the /CC switch areoptions used with the /c switch, described later in this table.

/d Defragmentation. Copies the database to a new file and removes empty or unused pages andthen copies the file back. You need space on the drive to use this switch.

/r Recovery. Attempts to put the database in a consistent state, but does not truncate the data.

/g Integrity. Validates the checksum and header information and is nondestructive. You willneed to run it once for each database.

/m File dump. Attempts to dump the database file contents in a human-readable form.

/p Repair. Validates the database and links and can truncate data and cause data loss.

/c Restores the database without a hard recovery using the Restore.env.

TABLE 7-1 ESEUTIL Options



ISINTEGThe Information Store Integrity Checker (ISINTEG) is used on Exchangedatabases. It is a suite of tests that check the Exchange 2000 databases forconsistency.

You should be careful which tests you select to run. Running a full testcomplement on your Exchange database could take many hours to complete.The database stores are unavailable during this time.

To use the utility, the database must be dismounted. When you use ISINTEG, itwill create a temporary database, so you will need to have room on the drive for thisdatabase.

A storage group can have no more than six databases. If you have sixdatabases created in the storage group and want to run ISINTEG, you willneed to dismount a second database so the utility can execute.

Table 7-2 lists the common switches used with ISINTEG and their meaning.

Pay attention! Like ESEUTIL, there are differences between the Exchange2000 version of ISINTEG and previous versions. The –patch switch no longerexists.



Switch Function

-fix Specifies the fix mode. The default is check-only mode. In fix mode, ISINTEG willfix any inconsistencies that it finds.

-verbose Reports in verbose form.

-s Specifies the server name against which to test.

-l [log filename] Specifies the log filename.

-t [ref db location] Indicates the location of the temporary database, also known as the referencedatabase.

-test [test name] Selects the ISINTEG test.

TABLE 7-2 ISINTEG Switches



EXERCISE 7-4

Running ESEUTILIn this exercise, you will dismount the mailbox store, run ESEUTIL to defragmentthe database, and then mount the mailbox store after the defragmentation is done.

1. Open the ESM.

2. Navigate to and expand the Administrative Groups folder.

3. Expand First Administrative Group.

4. Expand Exchange Server.

5. Expand First Storage Group.

6. Right-click on Mailbox Store.

7. Click on Dismount Store from the menu.

8. Click on Yes on the confirmation dialog box.

9. Open a command prompt.







10. Change directories to the c:\program files\exchsrvr\bin folder. Your actualpath may be different depending on where you installed the Exchange 2000Server. During this exercise, simply use your correct path.

11. Enter eseutil /d “c:\program files\exchsrvr\mdbdata\priv1.edb”. Don’tforget to use the double quotes around the command to accommodate thespaces in the command line.

12. Press ENTER.

13. Depending on the size of the database, defrag will run and then terminate byreporting the status and time it took to run the program.

14. Close the command prompt.

15. In the ESM, mount the mailbox store.

16. Click on OK in the success message dialog box.

17. Close the ESM.




Safeguarding User KeysWhen configuring Exchange 2000 for Advanced Security, you must consider someadditional factors when developing a disaster recovery plan. The Key ManagementServices (KMS) provided in Exchange 2000 used for managing the enrollment ofusers and the archiving of their keys for secure e-mail rely on several underlyingservices. If one of the components involved with Advanced Security fails, it is



Backing Up

Backing up mission-critical services is, in itself,mission-critical. When students come to class,it is a good time to interact with engineersfrom many different types of organizations andfind out what applications those organizationsbelieve are mission-critical. It is also veryinteresting to hear their reaction when theengineers find out which applications aremission-critical.

Among the applications mentioned as beingmission-critical are e-mail, human resources,payroll, customer management, and onlinecommerce. In the last two years, e-mail hasgone from being the second- or third-priorityapplication to being the number-onemission-critical application among many.Students used to say, “Payroll is the mostimportant application if it goes down,

especially during certain times.” Now they say,“If e-mail isn’t working, then I won’t getnotified that the payroll service is down!”

It can be easy to find out howmission-critical your e-mail application iswhen it goes down. I have heard severalstudents remark that they thought they hadtwo or more days to restore e-mail. After thee-mail service went down, they found out theyhad hours, not days, to restore the service.

In fact, some organizations require thatsome mailboxes be restored within 20 minutes,and it is not unusual to find the requirementfor all mailboxes to be restored in a two- tofour-hour timeframe. Obviously, to meet theserequirements you must plan your restore andbackup routines very carefully.

—Shane Clawson, MCSE+I, MCT

FROM THE CLASSROOM



possible that all components will be inoperable, leaving secured e-mail in yourorganization inaccessible. In short, recovering KMS in Exchange 2000 in the eventthat all servers in your organization have failed (total disaster) requires:

■ The most recent backup of the Certificate Authority (CA) and subordinateCA certificate (.p12 export files) and the associated passwords

■ The most recent backup of Active Directory that contains the KMSadministrator accounts

■ The most recent backup of the KMS database and the startup password

■ The KMS administrator’s password

Earlier in the book, we focused on how to enroll clients using KMS and ActiveDirectory. We have also already discussed how to recover the keys used to securee-mail. This section takes a step further and talks about how to ensure that the KMSservice can be restored in the event of a disaster. To learn more about KMS, andhow to administer advanced security using KMS, see Chapter 3.

Backing Up Key Management ServicesKMS in Exchange 5.5 was a self-contained entity. In Exchange 2000, KMS canbe thought of as the combination of the Windows 2000 Enterprise CertificateAuthority, Active Directory Services, and the Key Management Service itself. Allthree of these must be backed up together in order for KMS to be properly restoredin the event of a critical failure.

Backing Up the Certificate AuthorityMicrosoft recommends backing up the Enterprise Certificate Authority server usingthe “entire server” option with NT Backup. You should back up this server for eachsubordinate CA in your enterprise as well. However, you must do some additionalwork to safeguard this critical service in Exchange 2000. To restore a CertificateAuthority, you must also use the Certification Authority MMC snap-in to back upthe CA certificate. This will create a .p12 file that will be used during the restoreprocess. When backing up the CA certificate, you will be prompted for a password.Make this a very difficult password and safeguard the .p12 file and password in anextremely secure place. If this password is compromised, your entire PKI will bejeopardized.

Safeguarding User Keys 547




EXERCISE 7-5

Backing Up the CA CertificateIn this exercise, you will back up the CA certificate and the Issued Certificate logusing the Certification Authority MMC snap-in.

1. Click on Start | Programs | Administrative Tools, then select CertificationAuthority.

2. Right-click on the root object, point to All Tasks, and select Backup CA.

3. When the welcome screen appears for the Certification Authority BackupWizard, click on Next.

4. On the Items To Back Up screen, select the Private Key And CA Certificatecheckbox and the Issued Certificate Log And Pending Certificate RequestQueue checkbox. Make sure to also specify a path for the backup. Then clickon Next.







5. On the Select A Password screen, enter a complex password, confirm thepassword, and click on Next. Note that it is important not to lose thispassword. Make sure that you store it in an extremely safe location.

6. Verify the settings you have made in the CA Backup Wizard on theCompleting The Certification Authority Backup Wizard screen and thenclick on Finish.

7. Navigate to the location that you specified for the backup to be placed andverify that there is a DataBase folder and a .p12 file. You should move thesefiles to a very safe location. Preferably, you should move them off thenetwork until you need them for recovery purposes.



Backing Up Active DirectoryEach Active Directory domain should include two or more domain controllers(DCs). Each of these domain controllers contains a read/write copy of the domaindatabase. Changes made to any DC are automatically replicated to all other DCsusing a multimaster replication model, essentially making each DC an onlinebackup for all other domain controllers.

A domain database is a single partition of Active Directory. Active Directory isthe sum total of all objects in all Active Directory domain databases in anorganization. The AD component that ties them all together is the Global Catalog.By having more than one domain controller in each domain, you guarantee that agiven AD domain will have no single point of failure. Because Windows 2000 usesmultimaster replication, a single failed DC does not necessarily constitute anemergency situation. Even so, you should back up each domain controller in ActiveDirectory on a regular schedule. The Active Directory database is backed up whenyou select the System State in Windows 2000 Backup on a DC (Figure 7-2).

Backing Up the KMS DatabaseThe KMS database (KMSMDB.EDB) and associated KMS files will be backed upwhen you perform a backup of the Exchange Server running KMS. You must select



FIGURE 7-2

From Windows2000 BackupWizard, selectthe option toback up only theSystem State data



the Microsoft Key Management Service object from the Items To Back Up screen inthe NT Backup Wizard (Figure 7-3). In fact, this option will not be available if theKMS service is not running while the backup is performed. The KMS files arelocated in PROGRAM FILES\EXCHSRVR\KMSDATA\ by default. It is importantthat the Certification Authority be backed up at the same time that you back up theKMS database in order to keep the CRLs (Certificate Revocation Lists) in sync.

Backing Up the KMS Database RemotelyYou can back up KMS databases only on the local machine. This is because theKMS database is hidden from the network to prevent unauthorized people frombrowsing the network for the KMS server. There are a couple of workarounds in theevent that you must back up the KMS database remotely. You can install terminalservices on the KMS server and connect with a Terminal server client. BecauseTerminal server can be detrimental to performance, you may choose to use lightweightremote console software such as Symantec’s PC Anywhere or McAfee’s RemoteDesktop. Once connected to the KMS server, you can initiate NT Backup to back upthe KMSDATA folder. Then you can remotely back up the .bkf created by NT Backup.




FIGURE 7-3

Microsoft KeyManagementService object inthe BackupWizard



The KMS database is hidden from the rest of the network and can be backedup only on the local KMS server.

Restoring KMSPrior to restoring the KMS database, make sure that Active Directory andCertificate Server have been restored, are working properly, and are available.Because of the additional password security associated with KMS administration,restoring KMS is not as straightforward a process as restoring the information storedatabases. However, the processes are similar. The KMS restore process is outlinedas follows:

1. Install KMS. Note that you do not have to install KMS on the samecomputer or computername.

2. If you are restoring KMS to same machine, stop KMS and move the currentcontents of the KMSDATA directory to another location. Note that if theKMSDATA directory isn’t empty before you restore KMS, you will receive a0xC103798A error.

3. If the KMS password was placed in a Kmserver.pwd file, place this file on theserver.

4. Start the KMS service. If the KMS password was not placed in aKmserver.pwd file, type in the password to start the service.

5. Restore KMS using NT Backup.

6. Stop and restart the KMS service.

KMS Restoration ProblemsIn the process of reinstalling or restoring KMS, you may run into some KMS-specificproblems. Although many problems with KMS in Exchange 5.5 are documented,that documentation may prove to be useless and at the very least outdated by KMSin Exchange 2000 for reasons that this book has already mentioned. Here are twoknown issues related to KMS restoration to watch out for on the exam:

■ Error 0xC103798A

■ Error c104172 with ESE Event ID 619





Error 0xC103798A When recovering a failed machine, you may decide toreinstall KMS. During the installation process, you may get the following message:

Setup failed while installing sub-component Key ManagementService with error code 0xC103798A (please consult theinstallation logs for a detailed description). You may cancelthe installation or try the failed step again.

The most likely cause of this error is that a database for a previously installed versionof KMS still exists in the KMSDATA folder. To fix this problem, you should movethe data in the KMSDATA folder to another location and then perform theinstallation again. It is a good idea not to delete the previous database, as you mayneed it in the future.

Error c104172 with ESE Event ID 619 Error c104172 is not unique toKMS. However, it may occur when you mount the KMS database after a restore.When attempting to mount the database, you may receive the following error:

An internal processing error has occurred. Try restarting theExchange System Manager or the Microsoft Exchange InformationStore service, or both.ID no: c1041724Exchange System Manager

The following event will be logged into the application log as well:

Event Type: ErrorEvent Source: ESE98Event Category: Logging/RecoveryEvent ID: 619

If you encounter this error and event ID, it is very likely that you did not select theLast Restore Set checkbox during the restore process. This means that a hardrecovery was not performed on the database. Before you can mount the database,you will need to force a hard recovery. You can do so using ESEUTIL:

eseutil /cc [path to directory containing Restore.env]

Another option is to run the restore again and select the Last Restore Set checkbox.





CERTIFICATION SUMMARYThis chapter has wrapped up discussions of technologies that earlier chaptersintroduced and covered specific exam objectives. Planning your Exchange Serverbackup and restore routines is an important part of the production cycle of yourExchange Server. Much of your administrative time may be involved with planningto recover from the unexpected or having to recover from the expected disaster.Some of the disaster may be user-induced, but you will still need to recover the data.You can create storage groups and mailbox stores to facilitate both the backup andthe restore process.

Because backup and restore are very important functions in the real world, youcan expect Microsoft to make them an important test area. You need to know abouta number of important utilities, again for both the test and to be able to do your jobeffectively when administering an Exchange 2000 Server.

You must also fix clearly in your mind the types of restore scenarios that couldcome up. Some examples of such scenarios include restoring to the same server afterdata corruption, restoring to the same server after a hardware failure and repair,restoring to a new replacement server of the same name or different name, andrestoring to a recovery server not intended for production for the purposes ofrecovering deleted messages from tape backup.

So now you are nearly done with the book, and you are studying to administerExchange 2000 Server and to take the test. Just a few more items to read andunderstand and you are ready to go. Good luck!





✓TWO-MINUTE DRILL

Implementing a Backup and Restore Plan❑ You can create storage groups to facilitate backup and restore.

❑ You can create mailbox stores to facilitate backup and restore.

❑ The database remains available during an online backup.

❑ To do an offline backup, you first must dismount the storage group or store.Messaging is not available during an offline backup.

❑ Transaction logs are deleted after an offline backup.

❑ Never manually delete the transaction log files.

❑ A normal or full backup backs up all files, databases, and transaction logs.

❑ A normal or full backup deletes the transaction log files after the database hasbeen successfully backed up.

❑ After a normal or full backup, everything you need for a restore is on the tape.

❑ An incremental online backup does delete the transaction log files. You willneed these files for a restore.

❑ A differential online backup does not delete the transaction log files. You willneed these files for a restore.

❑ You should never manually delete the transaction log files.

Restoring User Data❑ Users can recover deleted messages from inside Outlook 2000 up to the

deleted item retention period you specify.

❑ The default item retention period is zero days.

❑ You can recover a deleted mailbox up to the deleted mailbox retention period.

❑ Run Mailbox Cleanup Agent to see which mailboxes do not have associateduser accounts.

❑ Put mission-critical mailboxes, those that must be restored before othermailboxes, in their own separate mailbox store.

Two-Minute Drill 555




Configuring a Server for Disaster Recovery❑ Put transaction log files and database files on separate physical drives.

❑ Put each storage group on its own drive or set of drives.

❑ Recovery servers for message recovery must be in an isolated forest.

Restoring the Information Stores❑ Restore information stores from tape backup.

❑ Databases restored from online backups must replay the current set oftransaction logs and patch files to be current.

❑ Be sure to select the Last Restore Set checkbox to force a hard recovery.

❑ You can use ESEUTIL /CC to force a hard recovery.

❑ A hard recovery forces the ESE to replay the transaction logs.

Troubleshooting Backup and Restore Problems❑ You must dismount the database prior to a restore.

❑ You must dismount the database prior to running ESEUTIL.

❑ Running ISINTEG can take a very long time, during which the database willbe unavailable.

❑ In general, 1018 error messages indicate a hardware problem.

❑ You want to fix the hardware problem first.

❑ A 1018 error could also indicate a corrupt database not caused by anyparticular hardware problem.

❑ Attempt to restore a corrupted database from tape backup first, beforerunning ESEUTIL or ISINTEG.

❑ Use ESEUTIL to defragment a database.

❑ Have we mentioned before that you should never manually delete thetransaction log files?

❑ You are running out of time to remember this.





Safeguarding User Keys❑ If one of the components involved with Advanced Security fails, it is possible

that all components will be inoperable, leaving secured e-mail in yourorganization inaccessible.

❑ KMS in Exchange 5.5 was a self-contained entity. In Exchange 2000, KMScan be thought of as the combination of the Windows 2000 EnterpriseCertificate Authority, Active Directory Services, and the Key ManagementService itself.

❑ The KMS files are located in PROGRAM FILES\EXCHSRVR\KMSDATA\by default.

❑ To restore a Certificate Authority, you must also use the CertificationAuthority MMC snap-in to back up the CA certificate. This will create a.p12 file that will be used during the restore process.

Two-Minute Drill 557




SELF TEST

Implementing a Backup and Restore Plan

1. You are the Exchange administrator for your company. You want to be able to back up yourExchange 2000 Server computer, which is a member server in the domain. Which of thefollowing are legitimate options for backing up your server? (Choose all that apply.)

A. The Windows 2000 backup program on the domain controller

B. The Windows 2000 backup program on the member server

C. A third-party backup program with an Exchange agent

D. Any third-party backup program

2. You are the Exchange administrator for your company. You are preparing the disaster recoveryplan for your Exchange 2000 Server. You are considering using a recovery server as part of yourprocess. What factors should you consider when making your plan?

A. DNS services

B. The number of storage groups

C. The number of mailbox stores

D. The number of user accounts

E. The amount of RAM in the recovery server

F. The disk drive configuration of the recovery server

Restoring User Data

3. You are the administrator for the Exchange 2000 Server computer. Your server has a singlestorage group and a single mailbox store. The configuration items for the mailbox store are inthe default configuration. You back up the Exchange databases once each week on Sundaymorning. Today is Wednesday. Mary Jo called you this morning to report that she hasaccidentally deleted some critical messages that she received Monday morning. She checked herDeleted Items folder in Outlook and it was empty. What can you do to recover Mary Jo’smessages?

A. Create a new user account in the ADUC. Connect this account to Mary Jo’s mailbox.Configure Outlook with a profile using the new account. Open Outlook and copy themessages to a .pst file.





B. Instruct Mary Jo to open Outlook, go to the Deleted Items folder, and use the RecoverDeleted Item tool from the Tools menu.

C. Using the ESM, recover the deleted items for Mary Jo.

D. Update your resumé.

4. You are the Exchange administrator for your company. You have two Exchange 2000 Servercomputers named Exch1 and Exch2. Each server has a single storage group with two databases.Exch1 has mbstore1 and mbstore2. Exch2 has mbstore3 and mbstore4.Fred has a mailbox on Exch1. Last week, Fred deleted several messages that he now needs. Youattempted to restore Fred’s mailbox on Exch2 by restoring mbstore1 onto Exch2. You then ranthe Mailbox Cleanup Agent on the new copy of mbstore1. You were unable to connect Fred’smailbox to another AD user account. What should you do?

A. Promote Exch2 to a domain controller. In the ADUC, connect Fred’s account to themailbox on the mbstore1 copy.

B. On Exch1, dismount mbstore1. On Exch2, stop and start the Information Store service.Run the Mailbox Cleanup Agent.

C. Install another Exchange 2000 Server computer in an isolated forest. Restore mbstore1 tothis server. Connect Fred’s mailbox to a new user’s account.

D. On Exch2, dismount mbstore3. Mount the copy of mbstore1. Run ISINTEG –fix.

Configuring a Server for Disaster Recovery

5. You are the Exchange administrator for your company. You have configured a Windows 2000member server as your Exchange recovery server. You will use this server to recover singlemailboxes should the need arise. To verify proper restore procedures, you restore the databasefiles from the production Exchange Server’s online tape backup. During the restore, you usedthe correct database and path names. After the restore, you are unable to mount the database.What should you do?

A. In the ESM, select the This Database Can Be Overwritten By A Restore checkbox. Mountthe database.

B. Run ISINTEG –patch. Mount the database.

C. Change the path of the transaction log file to match the path of the original server.

D. Select the Last Restore Set checkbox during restore. Run ESEUTIL /D. Mount thedatabase.

Self Test 559




6. You are the Lotus Notes administrator for your company. The Notes activity has been slowbecause most of the users have requested to be migrated to Exchange so that they can useOutlook 2000. While you were checking the event log of one of the Windows 2000 memberservers that host Exchange, you notice the Netlogon and the Exchange services are not started.You attempt to start them, but fail. You suspect the Registry is corrupted. What should you doto repair the Registry?

A. Restart the server using the Last Known Good Configuration.

B. Copy the System.Alt file to System.dat and restart the server.

C. Restore the Sysvol folder from the backup.

D. Restore the System State from the backup.

Restoring the Information Stores

7. You are the Exchange administrator for your company. The sales department users have toldyou that e-mail is mission-critical to them, and that in the case of failure their mailboxes mustbe restored first and as soon as possible. You have a single Exchange 2000 Server computer inyour organization supporting 1,542 users. The current size of the information store is nearly14GB. You currently back up the information store to a single 4 MM DAT drive and mustkeep the backup in one set. What should you do?

A. Create new storage group.Create a new mailbox store in the storage group.Put the transaction logs on a different physical drive.Move the sales department users’ mailboxes to the new store.

B. Create a new storage group.Create a new mailbox store in the storage group.Accept the default location for the log files.Move the sales department users’ mailboxes to the new store.

C. Create a new mailbox store in the existing storage group.Move the sales department users’ mailboxes to the new store.Modify the storage group’s properties so that the log files are put on another physical drive.

D. Create a new mailbox store in the existing storage group.Move the sales department users’ mailboxes to the new store.Leave the mailbox store’s properties so that the log files are on the same physical drive.





Self Test 561


8. Your company has three Windows 2000 domains in a single forest. Each domain is in one ofthe company’s three locations in North America. You are the administrator for the Exchange2000 Server computer located in the San Diego office. Users in the San Diego office arecomplaining that they cannot open some messages in the public folder. After checking, youfind that some of the folders are corrupted in the public folder structure. What should you doto resolve this problem?

A. Dismount the public folder store. Run ISINTEG –fix. Mount the store.

B. Run ISINTEG –patch. Start the information store service.

C. Run ESEUTIL /CM. Start the information store service.

D. Run ESEUTIL /CC. Mount the store.

Troubleshooting Backup and Restore Problems

9. You are the Exchange administrator for your company. Your company’s Windows 2000environment consists of a single domain across three sites. You have Exchange 2000 Servercomputers located at each of the sites. During your regular review of the event log files on oneof the computers, you find there is a string of –1018 ESE error messages in the log. Users withmailboxes on this server have not reported any problems when they connect to their mailboxes.You need to fix this problem, but you do not want to damage the contents of the mailboxstore. What could you do?

A. Stop the information store service and truncate the transaction log files. Restart theinformation store.

B. Dismount the mailbox store and run ISINTEG –fix. Remount the mailbox store.

C. Repair the disk subsystem hardware and restore the mailbox store from backup.

D. Dismount the mailbox store and run ESEUTIL /CC. Remount the mailbox store.

10. You are an Exchange administrator for your company. There is a single Exchange Server with asingle storage group. The storage group contains mailbox stores for the sales, engineering,management, production, HR, and finance departments. You work second shift and areresponsible for the backups. When you got to work today, the administrator on the first shifthad left a note that he has begun an ISINTEG process to fix some anomalies on the salesdatabase. He is asking that you monitor the process through to completion. However, whenyou check, you find that the ISINTEG process has failed to run. What could you do to ensurethat it can successfully run?

A. Start the ISINTEG process with a “runas” process and specify the Exchange service accountas the credentials for the process.





B. Delete the transaction log files first and then restart the ISINTEG process.

C. Restore the sales database from tape backup and then run the ISINTEG process.

D. Dismount another database first, then restart the ISINTEG process.

11. You are the Exchange administrator for your company. You have a single Windows 2000domain with a single Exchange 2000 Server computer. You receive calls from your users statingthey are unable to connect to their mailboxes. When you check, you find that the informationstore service has shut down improperly. You suspect that this has caused the mailbox store toshut down improperly as well. You examine the database header and discover that the databaseis in an inconsistent state. How can you bring the mailbox store online without damaging thedatabase?

A. Restart the information store and remount the database.

B. Run ESEUTIL /D and remount the database.

C. Run ISINTEG -patch and remount the database.

D. Run ESEUTIL /P and remount the database.

Safeguarding User Keys

12. You are the Exchange administrator at your company. You are responsible for maintaining theKMS. Every night you perform a backup of KMS using NT Backup. You recently enrolled 50new users using KMS. You want to make sure you can restore these users’ certificates in theevent of a disaster. What else must you do in addition to backing up KMS? Choose the best answer.

A. When backing up KMS using NT Backup, select the option to back up Private Key AndCA Certificate and Issued Certificate Log And Pending Certificate Request Queue.

B. Use the Certification Authority Backup Wizard to back up the Private Key And CACertificate and Issued Certificate Log And Pending Certificate Request Queue.

C. Use the Export Wizard to create a p.12 file.

D. Do nothing; all you need is the KMS backup.

13. You are the Exchange administrator for your company. You have just restored KMS. However,when you attempt to mount the KMS database, you receive the following error message:

An internal processing error has occurred. Try restarting theExchange System Manager or the Microsoft Exchange InformationStore service, or both. ID no: c1041724 Exchange System Manager



What must you do to be able to mount the database? Choose the best answer.

A. Run ESEUTIL /CM.

B. Run ESEUTIL /CC.

C. Run ISINTEG –patch.

D. Run ISINTEG –fix.

14. You are the Exchange administrator for a syndicated radio program. On a regular basis, youcheck the services on the Exchange Server to make sure all Exchange services are running. Younotice that the KMS service is not running. What impact will this have on the users currentlyenrolled in Advanced Security?

A. Users will be unable to send and receive secure e-mail.

B. Users will be able to send but will not be able to receive secure e-mail.

C. Users will be able to send and receive secure e-mail but will not be able to open securee-mail.

D. There will be no effect on users currently enrolled.

E. Users will have to reenroll when the service is restarted.

LAB QUESTIONYou are the Exchange administrator for your company. You have deployed a single Exchange 2000Server computer. You want to configure the server for optimum performance and fault tolerance.You must provide for the following:

■ There are 3,200 mailboxes.

■ Each mailbox may have up to 100MB of storage.

■ Two hundred and twenty salespeople have mission-critical mailboxes.

■ In the event of a disaster, you must first restore the sale department’s mailbox, withoutaffecting other mailboxes that may still be available. Also, the process of restoring othermailboxes must not interfere with the sales department’s mailboxes.

■ You must be able to restore from tape backup the sales department’s mailboxes within 40minutes of being notified.

■ The backup and restore plan must be as simple as possible using the least amount of mediapossible. The processes also must be unattended.

Lab Question 563




■ All mailboxes must be backed up within a six-hour timeframe.

You have the following equipment available:

■ Your company has selected a tape backup unit that can store 180GB of data per tape unitand can read and write at 40GB per hour.

■ You have several disk controllers available that will support RAID 0, 1, and 5. Eachcontroller can support up to 15 drives. To support RAID configurations, all drives in thearray must be on the same controller.

■ Your company has selected 50GB capacity drives.

Your task is to configure the server with the appropriate hard drives and tape backup devices tosupport the mission requirements. You have no limitations or requirements other than the onespreviously listed. How will you configure the server?

Drive and Controller Configuration Work Area:





Tape Unit Work Area:

Lab Question 565




SELF TEST ANSWERS

Implementing a Backup and Restore Plan

1. þ B and C. If you want to use the Windows backup program to back up the Exchangedatabases, you must use the backup program at the server, which in this case is a memberserver. You can also use a third-party program with an Exchange agent, which is the part thatallows you to do an online backup of the database.ý A is wrong because the Exchange database is not the domain controller. D is wrong becauseyou can’t just use any third-party backup program. The program must include an agent forbacking up Exchange databases.

2. þ A, B, C, E, and F are all good choices. Each one of these will play a part and can affect thelength of time the restore can take.ý D has nothing to do with backing up or restoring the Exchange databases. There is norelationship between the number of user accounts and the number of mailboxes. It is possibleto have many fewer mailboxes than user accounts.

Restoring User Data

3. þ D is the best choice here. The default configuration for the mailbox store is to have zerodays set for the deleted items retention period, so you lose the ability to recover the items.Since you back up only once each week on Sunday, last Monday’s messages aren’t on tapebackup, so it offers no help. Your only hope for salvation is to get your resumé updated and onthe street so that you can get another job as a Notes administrator before your boss finds outabout this catastrophe!ý A is just incorrect, even if this idea would work (and it won’t). The problem is not with theaccount; the messages are gone, which means there is nothing to copy to the .pst file. B iswrong because the scenario clearly states that the deleted item folder is empty. C is incorrect.You can’t use the ESM to recover deleted items.

4. þ C is the only choice among these answers that makes any sense. The issue is that Fred hasdeleted messages from his mailbox and you need to recover these messages from a tape backup.You will need to do this on a recovery server, not a production server, and in an isolated forest.ý A, B, and D are all wrong because they do not involve using a recovery server. A is really badfor suggesting that promoting a machine to a domain controller would influence the fix.B is really bad for suggesting that you dismount a database on one server to be able to affect a





Self Test Answers 567


fix of a database on another server. D is bad because there is an empty database slot in thestorage group available for ISINTEG to use.

Configuring a Server for Disaster Recovery

5. þ C is the best choice. After a restore, the transaction logs must be replayed to make thedatabase consistent from an online backup. The most probable cause here is that the log filescannot be located because they are in a different folder.ý A is wrong because there is no database on the recovery server to overwrite. B is wrongbecause –patch is not an option in E2K. D is wrong because selecting the checkboxes is whatyou do to force a hard recovery after the restore. You would need to run ESEUTIL only if youdid not select that checkbox, and in that case you would use the /CC switch and not the /D switch.

6. þ D is correct. The Registry is one of the items that gets backed up with the System State.ý A is wrong because using the LKGC is effective in the case of an invalid configurationchange, but won’t do much for a corrupted Registry. B is incorrect; don’t rename this file.C is wrong because the System State contains the Registry, not the sysvol.

Restoring the Information Stores

7. þ C. This is a really difficult set of choices and you should read the question very closely. Theissue at the root of the question is that the sales department’s users’ mailboxes must be restoredfirst, before anyone else. The rest of the narrative about the number of users and IS size andtape drive is just “filler” to distract you. Creating a new mailbox store is the logical answer.Nothing in this scenario should lead you to believe a new storage group is required, so you canthrow out answers A and B. Now the choices are between answers that pose different solutionsas to what to do with the log files. It is always better to put the log files on a separate drive.ý A, B, and D. See the explanation for the correct answer.

8. þ A. This is a folder corruption problem that you can fix with ISINTEG.ý B, C, and D are all wrong. As mentioned previously, the –patch switch does not exist.ESEUTIL is simply the wrong utility to use to solve this problem.

Troubleshooting Backup and Restore Problems

9. þ C is the correct answer. The predominant cause of 1018 errors is a hardware malfunction.To eliminate the error, you will need to fix the underlying problem first. Only answerC does so.ý A, B, and D. No matter what else is right in the other answers, if you don’t fix the hardwareproblem, the 1018 errors are not going away.




10. þ D is the best choice. You must dismount the database to use ISINTEG and it will beunavailable for the duration of the process.ý A is a poor choice because you do not need to use the “run as” process and the Exchangeservice account no longer exists. Exchange services use the Windows 2000 system account.B is a really bad choice. Have we mentioned before that you never want to delete the log files?C is a bad choice. You don’t need to restore the database to run ISINTEG.

11. þ D is the best choice here. The /P switch will repair the database.ý A is wrong. The IS probably won’t start, and if even it does, the database will still becorrupt. B is a bad choice as it defragments the database but won’t fix the corruption.C is wrong because this version of the product no longer has a –patch switch.

Safeguarding User Keys

12. þ Answer B is the correct answer. In addition to backing up KMS using NT Backup,administrators of KMS should also back up the Certification Authority.ý The options listed in A are not available with NT Backup. The p.12 file is created when youperform B, so C is invalid. D is a partially true statement. However, depending on thecircumstance in which the KMS failed, there is a possibility that the client certificates will becorrupted or lost. Having a backup of the Certification Authority and specifically the issuedcertificate log will guarantee a full recovery.

13. þ B is the correct answer. ESEUTIL should be run with the /cc parameter to enforce a hardrecovery.ý A is wrong, as /cm will simply dump the Restore.env file. C and D are incorrect, asISINTEG will do nothing to help in this scenario. In fact, the –patch parameter no longerexists in Exchange 2000.

14. þ D is correct. In fact, when you are not enrolling new users, it is recommended that you stopthe service to reduce even further the chance that it might be discovered on the network andcompromised.ý A, B, and C are all untrue statements. E is not true either. Just because the service stops doesnot mean the certificate will expire.




Lab Answer 569


LAB ANSWERSolving this lab question will require some “stubby pencil” engineering work and calculations:

■ You must support 3,200 mailboxes with an individual mailbox limit of 100MB. This meansyou must accommodate 320GB of data (3200*100MB=320,000MB).

■ However, you have special support requirements for 220 sales users who can store 22GB ofdata. You must be able to restore their mailboxes before other mailboxes in less than 40minutes. To support this requirement, you will put the sales mailboxes in their ownmailbox store and in their own storage group.

■ This leaves 2,980 other mailboxes, or 298GB of data. As your tape units will back up at therate of 40GB per hour, you will need 7.45 hours to back up the information store.However, you must back up the database in no more than six hours, so you need to makesome adjustments. You will have to spilt the users among multiple mailbox stores (twostores) and use multiple tape backup units, one for each store. To support this configuration,you will need separate storage groups for each of the mailbox stores to allow you to restorethe transaction log files separately. If you were to use a single storage group, when you backup from each tape unit, each tape will include the same transaction log files, which would beawkward during a restore as each tape unit would attempt to restore the same log files. Abetter design is to use two storage groups and one tape unit per storage group.

■ Using two storage groups with a single mailbox store, you will have 1,490 users per mailboxstore and 149GB of data. Thus you will need 3.75 hours for backup, which is within thesix-hour window.

■ To summarize, you will have three storage groups; you will use a tape unit for each of thestorage groups; each tape unit has enough capacity for you to do a normal (full) backupevery day using a single tape, which makes the backup as simple as possible.

Okay, let’s design the storage groups and mailbox stores:

Storage group 1 Sales mailbox store Sales users’ mailboxes

Storage group 2 Mailbox store 2 Half of the user mailboxes

Storage group 3 Mailbox store 3 Half of the user mailboxes



Now let’s configure the disk drives:

Controller 0 Disk 0; Disk1 RAID 1; contains the operation systemfiles and the Exchange operating files

Controller 0 Disk 2 Windows 2000 page file

Controller 0 Disk 3; Disk 4 RAID 1; transaction log files for storagegroup 1

Controller 0 (Disk 5; Disk 6) (Disk 7; Disk 8) RAID 0 +1; storage group 1 (salesmailboxes at 22GB maximum)


Controller 1 (Disk 11; 12; 13; 14) (Disk 15; 16; 17; 18) RAID 0+1; storage group 2 (1,490 or halfthe remaining user mailboxes at 149GBmaximum)


Controller 2 (Disk 21; 22; 23; 24) (Disk 25; 26; 27; 28) RAID 0+1; storage group 3 (1,490 or halfthe remaining user mailboxes at 149GBmaximum)

Notice that you are using four drives in the array for storage groups 2 and 3. This is because usingthree drives provides only 150GB of storage, whereas 149GB might be required, and that would fillthe drives too full to be efficient. This overall drive configuration will support the requirements forperformance and fault tolerance.

You will need three tape units and use one tape unit to back up each storage group. Remember,the backup must be simple and unattended, which means that the administrator will not be there tochange tapes. The potential size of the database is too big for a single unit to handle, so you split theusers among different mailbox stores. Putting the mailbox stores in different storage groups makesthem “self-contained” with their transaction log files. This simplifies both the backup and potentialrestore.





disaster recovery for exchange 2000books.mhprofessional.com/.../0072126744_ch07.pdf · q&a self...

Documents