Disaster Recovery for Exchange 2000
CertPrs8 / MCSE Administering Exchange 2000 Server Study Guide / Clawson/Luckett / 2674-4 / Chapter 7

CERTIFICATION OBJECTIVES
7.01 Implementing a Backup and Restore Plan
7.02 Restoring User Data
7.03 Configuring a Server for Disaster Recovery
7.04 Restoring the Information Stores
7.05 Troubleshooting Backup and Restore Problems
7.06 Safeguarding User Keys
✓ Two-Minute Drill
Q&A Self Test

CERTIFICATION OBJECTIVE 7.01
Implementing a Backup and Restore Plan

An important part of keeping your network and services up and running to serve your user community is to have a plan in place in case of a failure. With Exchange 2000 Server, this plan should include:
■ A plan to back up the underlying Windows 2000 Server
■ A plan to back up the information stores, both mailbox stores and public folder stores
■ A plan for how to log transactions, and when and where to restore the transaction log files
■ A plan to recover lost messages and deleted mailboxes
■ A plan to recover corrupted databases
■ A plan to restore a mailbox store when the server is otherwise operational
■ A plan to restore data to a recovery server

It is entirely possible that a large portion of your test will ask questions about backing up, restoring, recovering, and dealing with server disasters. Be prepared! The probability that you can pass the exam without thoroughly understanding the material in this chapter is pretty small.

Exchange 2000 offers a great deal of flexibility in configuring the storage groups and the information stores.
Many of your decisions on how many mailbox stores (for example) to configure will depend upon factors such as:
■ How long it will take to back up a storage group or mailbox store
■ How long it will take to restore a mailbox store
■ Who in your organization can be without messaging services and for how long

After you carefully consider those factors, you can begin to construct your plans for how to back up and restore the databases.

Another item that you must account for in your backup and restore plans is backing up Active Directory. AD exists on all domain controllers, so if your network contains multiple Windows 2000 domain controllers, your network already has some degree of built-in fault tolerance. If one of the domain controllers fails, you still have working (and writable) copies of AD. To introduce another domain controller into the network, you would simply install a Windows 2000 Server and run DCPROMO to promote this server to a domain controller. There is no need to “restore” AD from tape backup. If, however, you have a single domain controller and it fails, you will need to restore AD from tape backup. AD will contain all of the Exchange objects and attributes. You will want to pay some attention to the status of AD when doing a restore, especially of an Exchange Server. Later in this chapter you will learn about using setup with the /disasterrecover switch to accommodate reinstalling an Exchange Server when the objects currently exist in AD.

You can back up AD (and other things) by selecting System State from the Windows Backup program. Backing up the System State will back up AD, the Registry, the sysvol, and the COM+ registrations.
You can back up Active Directory only by backing up the System State on a domain controller. Backing up the System State on domain controllers and member servers will also back up the Registry and other items.

If you are running in a mixed environment with Exchange 5.5 servers, you are interested in the sysvol, because that is where the Site Replication Service (SRS) parameters and objects are kept. Exchange 2000 does not use the SRS, but the Exchange 5.5 servers must reference the SRS for backward compatibility.

Types of Backup

Before delving any further into the material, it is important to discuss the types of backups that can be performed, how these backups interact with Exchange, and what your options are when doing the backups.

Backup Techniques

There are three types of backups that you are most interested in when considering exam material. Other backup techniques are possible, but probably not relevant for testing. An important consideration in selecting one of these three types is what they do with the archive bit, how much backup media is needed, and how much time is required to do the backup. Another important consideration in selecting the backup type is the kind of restore procedure that will be required. The three types of backups are:

■ Normal backup: This is sometimes referred to as a “full” backup because it backs up all files regardless of the status of the archive bit. Because this technique writes all files to the backup media, it consumes the most time and uses the most space on the backup media. The normal backup resets the archive bit (turns it off, or sets it to zero) after it has backed up the file.
You would use a normal backup when time and media space are not a concern. Restoring files from a normal backup is also the least complex restoration procedure. You simply need the last media set. Since that set contains all files, you don’t need anything else.

■ Incremental backup: As the name implies, this technique incrementally backs up data by backing up only the files with the archive bit set on. Using an incremental backup scheme, you would start by making a full normal backup. This backup turns off all of the archive bits. When the backup modifies (or creates) a file, the file system sets the archive bit on, indicating a change to the backup system. The next backup you would perform is an incremental backup, which backs up only the files that have changed, as indicated by the archive bit. After the file is backed up, the archive bit is then set to off. Each day you would run an incremental backup until the next scheduled normal backup. Typically, you would run a normal backup once a week and incremental backups the rest of the week. Using an incremental backup scheme, the backup takes less time and consumes less media, since you are backing up only the files that have changed (presumably some small subset of the total files). Restoring files from an incremental scheme is the most complex of the three types that this section will discuss. During the restore, you need the last normal backup media and every incremental backup media to be able to restore all the files.

■ Differential backup: This technique starts with you making a full backup of the data. This backup resets the archive bit off on all of the files. Then, on the succeeding days, you run a differential backup, which backs up all the files with the archive bit set on (that is, all the files that have changed).
But, unlike the incremental backup, the differential backup does not reset the archive bit, but leaves the archive bit set on. The next time you run a differential backup, it will back up the same files as the previous differential backup, plus any new files (or files with the archive bit turned on). Each successive day, the differential backup can potentially take longer to back up the files and consume more media. You would use a differential backup when media capacity is a concern and the length of time it takes to do the backup is not a prime concern. Doing a restore from a differential backup requires the last normal backup media and the last differential media. This makes the differential backup slightly more complex than a normal backup to restore and slightly less complex than an incremental backup to restore.

Online and Offline Backups

When you perform an online backup, you are backing up the Exchange database while the Exchange services are still running. In other words, users are still using Exchange to send and receive messages while you are backing up. The advantage to this type of backup should be obvious. You get to do the backup and the users get to send and receive e-mail without interruption.

When you do a normal backup, you back up the database and the transaction log files. When you do an incremental or a differential backup, you back up only the transaction log files. You will not get a backup copy of the database using an online incremental or differential backup.

In a production shop, you might consider doing a normal backup of the database once each day, typically at night when the system usage is minimal.
You would then do differential backups of the transaction log several times during the day at regular intervals. These intervals could be every hour, two hours, or four hours, depending upon your needs. This backup scheme will not cause undue stress on the server, as you will be backing up only several megabytes of data. If you lose the drive that contains the log files, this technique will allow you to limit the data loss to the interval between the differential backups.

It is worth noting what happens when operations are made to a page during an online backup. First, if a transaction occurs for a database that has not yet been backed up, then the operation proceeds normally. If the transaction occurs for a database that is being backed up, the transaction is stored in a patch (.pat) file. This patch file is used only during an online backup or restore of the database. There is only one patch file for any given store that is undergoing an online backup. When you begin an online backup, the patch file is created and is stored in the same folder as the database store, typically the mdbdata folder. The patch file uses the same naming convention as the store. If the database file name is executive.edb, then the patch file will be named executive.pat. As the online backup is taking place, the transaction entries are placed into the patch file instead of the log files. When the backup is complete, the patch file is written to the tape and then deleted from the folder.

To do an offline backup, the information store service must be stopped or the database store must be dismounted.
Doing an offline backup can be faster and simpler, doesn’t involve any patch files, and is always a full backup, but you must take the store out of service. Obviously, because it requires that you dismount the database, an offline backup is a secondary choice to an online backup.

Data Recovery Architecture

In this section, you learn about the database engine, the transaction logs, and how you use the logs in the Exchange process.

Extensible Storage Engine

The Extensible Storage Engine (ESE) uses a transaction logging system to help ensure the consistency and integrity of the data in the database in the event of a system crash. Microsoft points to four design goals of ESE:
■ High recoverability in the event of failure
■ Fewer I/O operations
■ The maximum level of self-tuning
■ Twenty-four-hour-a-day, seven-day-a-week uptime

From a design point of view, the ESE uses four principles, which Microsoft calls ACID, to ensure data integrity:

■ Atomic: This is the “all or none” principle. It states that all operations in a transaction must be completed or none of the operations will be completed. Consider the example of an online banking application where you would transfer funds from one account to another. Such a transfer actually consists of two separate transactions: a withdrawal and a deposit. Consider the ramifications if the withdrawal portion were done and the system failed before the deposit portion could be completed. Bad news! You wouldn’t want the withdrawal portion marked as completed until it was also deposited into the other account.

■ Consistent: A transaction can start only with the database in a consistent condition, and the database must be consistent when the transaction finishes.
■ Isolated: The changes to the database are not available (sometimes called visible) until the transaction is completed in the atomic sense and the database is consistent. At this point in the process, the transaction is committed.

■ Durability: Transactions must survive system failures. This means that if a system failure occurs, when the store.exe restarts, it will detect that the database is in an inconsistent state and roll back the operation that was in progress during the failure. For example, if you were moving a message from one folder to another when the system failed, you would not lose the message.

Data is stored inside the ESE database file in 4KB sections known as pages. Each page contains such features as the following:
■ Data definitions
■ Data
■ Indexes
■ Checksums
■ Flags
■ Timestamps
■ B-tree information

Pages are numbered sequentially in the database to improve performance. A database may contain 2^32 pages, which at 4KB per page is approximately 16 terabytes of information. When information is read from the database, it is put into memory, one page at a time.

A transaction is a modification to a page in the database. Each modification is known as an operation. A transaction may comprise multiple operations. When all operations are complete, then the transaction has occurred.

Now here is where the plot “sickens,” or gets a bit more complex. When a page is read into memory, it is known as a clean page. Once an operation has been performed on the page, it is known as a dirty page. Dirty pages may be subject to further modifications. Many operations may be performed on a dirty page before it is written back to the disk.
The write back is not a function of the number of operations on the page.

Before a page can be written to memory, the ESE must reserve an area in memory for its own use. This area is known as the database buffer cache and is created by a process known as the Dynamic Buffer Allocation (DBA). The size of this cache can be increased, as necessary.

Don’t be too concerned if your Exchange 2000 Server seems to use all of the available memory. First, unused memory is wasted money. That is, you bought the memory and might as well use it rather than just let it sit in the system unallocated. Second, Exchange will tune the amount of memory it uses based on other demands of the system.

While operations are being processed, they are written to the version store. The version store contains the list of all of the changes that have been made to the pages that have not been committed. To commit the transaction, the changes are written from the version store to the transaction log buffer area. From there they are written to the transaction log file, edb#.log. The edb# starts with 00 for the first storage group, then 01 for the second storage group, and so forth. So the log file for the first storage group would be E00.log.

Transaction Log Files

We have previously discussed the transaction logs and their configuration, and this section will go into more depth. As discussed earlier, messages are written to the transaction logs first, and then to the actual database afterward. So, log files are important in the processing of messages and in the recovery process.

We have mentioned before that you do not want to delete the log files manually.
Let us say that again: Never, never, ever delete the log files manually. These files will be deleted when you run your regular normal backup. Also, the same rule applies to the checkpoint file. Deleting either the log files or the checkpoint file will result in nothing but trouble for you.

Exchange does not use a single transaction log file. Over time, that single file could grow to be quite large and unmanageable, and even consume all space on the hard drive. Instead, Exchange writes to a log file called edb.log. After that file reaches 5MB, this file is renamed edbxxxxx.log and a new edb.log file is begun. During this changeover process, a temporary log file named edbtemp.log is used to hold transactions until the new edb.log is created. This technique is known as generational files, with each unique log file representing a generation. The xxxxx is a hexadecimal number, and each log file is numbered in sequence using this sequential hexadecimal number scheme.

A transaction log file has two sections:
■ Header
■ Data

In Exchange 2000, a set of transaction log files is matched to a storage group. Since a storage group can contain multiple information stores, it follows that a set of transaction log files can serve multiple databases. The header section in the transaction log file contains hard-coded paths to the databases that reference it. The header contains a signature that is matched to the database signature that it serves. This signature keeps the transaction log file from being paired to an identically named, but wrong, database. You can get a listing of the header (called a dump) to verify the log file. The dump will provide information such as the generation number, the hard-coded database paths, and the signatures (Figure 7-1).

With this understanding of transaction log files in place, let’s look at what happens when a database is modified.
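Because the generations are numbered in sequence, a log that was deleted by hand shows up as a hole in that sequence. The following check is an added example, not code from the study guide or from Exchange: the function name and the sample listing are constructed for illustration, and the file naming follows the edb.log / edbxxxxx.log / edbtemp.log scheme described above, with the prefix as a parameter.

```python
import re


def audit_log_generations(filenames, prefix="edb"):
    """Check a folder listing for gaps in the transaction log generations.

    Naming follows the page: <prefix>.log is the current log, <prefix>XXXXX.log
    is a closed generation (XXXXX = hexadecimal sequence number) and
    <prefix>temp.log is the temporary file used during changeover.
    """
    closed = re.compile(r"^%s([0-9a-f]{5})\.log$" % re.escape(prefix.lower()))
    current_name = prefix.lower() + ".log"
    temp_name = prefix.lower() + "temp.log"

    generations = {}          # generation number -> file name as listed
    has_current = has_temp = False
    other = []                # files that are not part of the log sequence

    for name in filenames:
        low = name.lower()    # Windows file names are case-insensitive
        match = closed.match(low)
        if low == current_name:
            has_current = True
        elif low == temp_name:
            has_temp = True
        elif match:
            generations[int(match.group(1), 16)] = name
        else:
            other.append(name)

    numbers = sorted(generations)
    missing = []
    if numbers:
        present = set(numbers)
        # Every number between the oldest and newest generation must exist.
        missing = ["%s%05x.log" % (prefix, n)
                   for n in range(numbers[0], numbers[-1] + 1)
                   if n not in present]

    return {
        "first": numbers[0] if numbers else None,
        "last": numbers[-1] if numbers else None,
        "missing": missing,
        "has_current": has_current,
        "has_temp": has_temp,
        "other": other,
        "contiguous": not missing,
    }


# Constructed listing: generation 0x0000c has been deleted by hand.
SAMPLE_LISTING = [
    "edb.log", "edb0000a.log", "edb0000b.log",
    "edb0000d.log", "edb0000e.log", "EDB0000F.LOG", "executive.edb",
]

if __name__ == "__main__":
    for key, value in audit_log_generations(SAMPLE_LISTING).items():
        print(key, "=", value)
```

Run against the folder listing of a storage group's log directory before a restore; a non-empty `missing` list means the surviving logs cannot be replayed end to end.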
When you modify the database, the first thing that happens is that the page that contains the information you are modifying is read into memory, the database cache. Next the timestamp on the page is updated to reflect the new activity. Finally, a log record is created to keep track of what is about to be done to the database. This log record is created in the log cache buffer.

FIGURE 7-1 Header dump produced using eseutil /ml

Writing the Log Entries to the Database

After these steps are completed, the page is modified. Next, a connection is created between the two entries, the purpose of which is to preclude the page from being written to disk without the log record being written to the log entry first. Remember, information is written to the log file first before it is written to the database on the disk. Committed transactions are written to the database, from the transaction log, when one of the following occurs:
■ If the number of committed transactions on a log file reaches a point where the checkpoint falls too far behind, these transactions will be flushed to the database.
■ If the number of free pages in memory falls too low, committed transactions will be flushed to free up memory pages.
■ If another service is requesting memory, Exchange will free up memory by flushing its cache. Remember, unused memory is a waste, so Exchange uses memory until another process needs some.
■ The information store service is being shut down. Then all updated pages in memory are written to the disk.

Using a Write-Back Cache

If you are using a controller with a write-back cache enabled, there is a real risk in using this controller for the disks that support the log files. In a nutshell, you can feed information to be written to the disk faster than the actual disk device is capable of writing that information. Under normal circumstances, when information has been written to the disk, the disk will report back to the system this success and get the next piece of information to write. The write-back controller then gets the information to be written to the disk, stores the information in its cache, and reports a successful write to the system. The system then moves on to its next task. Meanwhile, the write-back controller continues to feed information, as a surrogate, to disk as the drive plods along writing the information at whatever speed it can. And as long as everything is working okay, then everything is okay—until a controller malfunction occurs. Under certain circumstances, it is possible for a page to be written to the database itself without being written to the log file first. This will cause corruption in the database and make restoring the database anywhere from difficult to impossible.

Many high-performance disk controllers offer write-back cache. Write-back cache can substantially improve performance under most conditions. In fact, Microsoft indicates that you can cut restore times in half if you have enabled write-back cache, and restore times can be very critical to you. However, using write-back cache can pose a significant hazard to your data and should be used only if the cache is supplied power by battery, and you have tested this feature and confirmed that it is operational.
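The log-before-page rule and the way a write-back cache can defeat it can be followed in a small simulation. This is an added example, not code from the study guide or from Exchange: the `Disk`, `Engine`, `recover` and `simulate` names are hypothetical, the record layout is a toy model rather than the ESE on-disk format, and the account values are constructed from the banking example used earlier in the chapter.

```python
class Disk:
    """Key/value device with an optional write-back cache in front of it."""

    def __init__(self, write_back=False, battery=False):
        self.write_back, self.battery = write_back, battery
        self.media = {}   # what is physically on the disk
        self.cache = {}   # acknowledged writes still held by the controller

    def write(self, key, value):
        if self.write_back:
            self.cache[key] = value   # acknowledged before it reaches the disk
        else:
            self.media[key] = value
        return True                   # the caller only ever sees "success"

    def fail(self, kind):
        """kind is 'power' or 'malfunction'; a battery only covers 'power'."""
        if self.battery and kind == "power":
            self.media.update(self.cache)   # cache contents survive
        self.cache = {}


class Engine:
    """Toy write-ahead-logging store: log record first, page second."""

    def __init__(self, log_disk, db_disk):
        self.log_disk, self.db_disk = log_disk, db_disk
        self.lsn = 0            # sequence number stamped on records and pages
        self.log_buffer = []    # records not yet handed to the log disk
        self.dirty = {}         # page number -> (data, lsn of last change)

    def modify(self, txn, page, data):
        self.lsn += 1
        self.log_buffer.append((self.lsn, txn, page, data))
        self.dirty[page] = (data, self.lsn)

    def commit(self, txn):
        self.lsn += 1
        self.log_buffer.append((self.lsn, txn, None, "COMMIT"))
        self.flush_log()

    def flush_log(self):
        for record in self.log_buffer:
            self.log_disk.write(record[0], record)
        self.log_buffer = []

    def flush_pages(self):
        self.flush_log()        # the rule: log records go out before pages
        for page, stamped in self.dirty.items():
            self.db_disk.write(page, stamped)
        self.dirty = {}


def recover(log_disk, db_disk):
    """Replay the surviving log over the surviving database pages."""
    log = [log_disk.media[lsn] for lsn in sorted(log_disk.media)]
    last_lsn = log[-1][0] if log else 0
    committed = {txn for _, txn, page, _ in log if page is None}
    pages = dict(db_disk.media)
    # A page stamped later than the newest surviving log record was written
    # to the database without its log record: the log cannot vouch for it.
    orphaned = sorted(p for p, (_, lsn) in pages.items() if lsn > last_lsn)
    for lsn, txn, page, data in log:
        if page is not None and txn in committed:
            if page not in pages or pages[page][1] < lsn:
                pages[page] = (data, lsn)   # redo a committed change
    return {"pages": {p: d for p, (d, _) in pages.items()},
            "orphaned": orphaned, "consistent": not orphaned}


def simulate(write_back, battery, failure):
    log_disk = Disk(write_back, battery)   # array holding the log files
    db_disk = Disk()                       # database array, no write cache
    engine = Engine(log_disk, db_disk)
    engine.modify("T1", 1, "A=900")        # transfer 100 from A to B
    engine.modify("T1", 2, "B=1100")
    engine.commit("T1")
    engine.flush_pages()                   # committed pages reach the database
    engine.modify("T2", 1, "A=850")
    engine.commit("T2")                    # logged; page still dirty in memory
    log_disk.fail(failure)
    db_disk.fail(failure)
    return recover(log_disk, db_disk)


if __name__ == "__main__":
    for args in [(False, False, "power"), (True, False, "power"),
                 (True, True, "power"), (True, True, "malfunction")]:
        print(args, simulate(*args))
```

With no cache, or with a battery-backed cache that loses only power, recovery replays T2 from the log; when the cached log records are lost, the database holds pages the log never recorded and the committed T2 is gone.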
By the way, it doesn’t matter if you are caching the writes at the controller or at the disk device itself; any malfunction in the cache anywhere has the potential to lead to the same results. At a minimum, you should have a battery backup for your cache. This battery will protect your cache from a power failure, but not from a cache malfunction. You will have an interesting decision to make relative to this point: You want your log files on a write-optimized disk subsystem, and employing a write-back cache controller substantially improves disk write performance, but not without imposing some potential for disaster. Which will you choose?

Have we mentioned that you should never manually delete your log files?

Mission-critical Mailboxes

There may be users in your organization whose ability to send and receive e-mail messages substantially impacts the well-being of the organization. Salespeople who need to be in constant contact with their customers may well be such a category of users. Executives of the organization may be another group of users who need access to their messages.

Partitioning the Database for Mission-critical Mailboxes

The concept of partitioning a database calls for placing part of that database on another facility. In the case of Exchange 2000, this partitioning can take the form of creating a separate storage group or creating another mailbox store within an existing storage group.

Be prepared to field questions about how best to handle situations that require quick restoring of mailboxes for a given group of users before restoring the mailboxes for all users.
Which technique you should use, another storage group or another mailbox store, largely depends upon the circumstances, your hardware, and your current configuration. To maintain performance, you will want to put each storage group on its own dedicated disk array, with the transaction log files on their own mirrored array. This translates ideally to an additional five physical drives (three drives for the storage group RAID 5 and a pair of drives for the mirrored volume that will hold the log files) to support the new storage group.

On the other hand, you could create another mailbox store in an existing storage group, assuming that you have not already reached the maximum number of mailbox stores. This technique has the advantage of not needing as much hardware or planning about where to put the storage group files.

Multiple Databases Single Store

We have already discussed configuring Exchange 2000 Server to support multiple storage groups and multiple stores in a storage group. One of the real strengths of Exchange 2000 Server, this feature allows you to scale the server vertically. In previous versions of Exchange, if you wanted to reserve mission-critical mailboxes in a store, you had to configure another physical server. You can back up or restore the entire storage group, or back up and restore one or more of the mailbox stores in the storage group, depending upon your need.

Know what happens to the transaction log files during a backup. Incremental backups purge the transaction logs, and differential backups do not purge the transaction logs.
Also, in a storage group with multiple stores, the transaction logs will not be purged if you do not back up all stores in the storage group, even if you do a normal backup.

Dedicated Recovery Server

If a disaster occurs, you will have several choices for recovery. One choice is to restore the database to the original server in the original store. This may work well in the case of a corrupted database or a drive failure where you want to restore the entire database. Also, this technique assumes that the underlying hardware platform is still functional, or can be made functional.

You may want to consider keeping a fully functional and configured server platform in reserve as a recovery server. The purpose for this server is to be a “warm spare” in the event that a production server goes down and cannot be brought back into service in a timely manner. You might think that maintaining a reserve server is expensive, but here is another perspective: It is not what it costs to keep your application servers in production that is expensive, it is what it costs you when your application servers go down. To prove this point to yourself (and your organization), pull the network cable on your financial application server and see how long it takes for the pain to register.

Consider the case where you need to recover several e-mail attachments from a mailbox that has been deleted from the database. You have that mailbox on a tape backup, and that backup was from two weeks ago. If you restore that database to the production server, everyone’s mailbox will be out of sync and will not contain current messages that were received in the last two weeks. What should you do?
To set up a dedicated recovery server, especially if you want to recover individual mailboxes, you will need to do the following:
1. Install Windows 2000 Server.
2. Create a new, isolated forest.
3. Run Exchange 2000 setup /forestprep if you plan to install Exchange 2000 on a member server.
4. Install Exchange 2000 Server.
5. Restore the database or databases from tape backup.

Windows 2000 Backup

Windows 2000 comes with a fully functional backup and restore program already tuned for the Windows 2000 environment. This tool, as it is, is not suitable to back up Exchange 2000 databases until you actually install Exchange 2000 Server on the machine. During the installation, the backup program will be made “Exchange-aware” so that you can do online backups. An online backup is the preferable backup method because it does not require you to take the information stores out of service while backing up the data.

A limitation to this backup program is that you can only back up the local Exchange databases. You will not be able to back up a remote Exchange database successfully using this program, even if you have Exchange 2000 Server installed locally.

EXERCISE 7-1
Using Windows 2000 Backup Program

In this exercise, you will become familiar with and use the Windows 2000 backup program to back up an Exchange database.
1. Click the Start button.
2. Point to Programs.
3. Point to Accessories.
4. Point to System Tools.
5. Click on Backup Wizard to start the backup process.
6. Click on the Backup tab.
7. Expand the Microsoft Exchange Server container.
8. Expand the Exchange1 container.
9. Expand the Microsoft Information Store container.
10. Left-click on the First Storage Group. The details pane of the console then displays the mailbox stores located in the first storage group.
11. Click on the Executive Mailbox Store checkbox.
12. If you have a backup device, you would click Start Backup to begin backing up the Executive mailbox store.
13. Clicking on Start Backup brings up the Backup Job Information dialog box. From here you can start the backup, schedule the backup to run, and select the backup type through the Advanced tab.

CERTIFICATION OBJECTIVE 7.02
Restoring User Data

Being able to restore user data is critical to both your operation and your success as an Exchange administrator. This section covers some key concepts as well as testable material.

Mailbox Recovery Scenarios

The term brick-level restore (or backup) refers to the ability of your backup program to restore a single mailbox without having to restore the entire mailbox store.
The Windows 2000 backup program does not provide for a brick-level restore. Some third-party backup programs allow for the restore of a single user’s mailbox. Using Exmerge (described in the following section), it is possible to approximate a restore of a single user’s mailbox, but there are a lot of assumptions made for this technique to work.

Exmerge and .PST files
Exmerge is an Exchange 2000 utility. If you are an Exchange 5.x administrator, you probably recognize the Exmerge program and may have used it in administering your Exchange 5.x servers. You can find it on the Exchange 2000 Server CD. This utility enables you to accomplish the following:
■ Extract mail from a mailbox store, even if the store is damaged. The mail is put into a .pst file, which can be imported into another mailbox store.
■ Locate and remove specific messages from the mailbox store. For example, you might use Exmerge to find an e-mail containing a virus.
■ Extract folder rules.
■ Migrate users between different Exchange organizations by extracting the contents of a mailbox into a .pst file and then importing the contents into the new store.

Recovering a Deleted Mailbox
You can specify the retention period to keep a mailbox after you have deleted the mailbox. The default time period is 30 days. You can set the retention period for whatever time period is appropriate for you. There are minor ramifications to increasing the deleted mailbox retention period other than consuming more storage space. Connecting a user account to a mailbox that has been deleted is a relatively trivial matter, as long as you are still in the retention time period.
You will connect a user to the deleted mailbox in the Active Directory Users and Computers console. In the ESM, an unconnected mailbox is displayed with a red X through it.

Know how to recover a deleted mailbox. The exam will ask you how to do so, as this is an important topic at Microsoft.

EXERCISE 7-2 (CertCam 7-2) Configuring Deleted Mailbox Retention
In this exercise, you will specifically configure a mailbox store to increase the deleted mailbox retention period.
1. Start the ESM console.
2. Navigate to and expand the Administrative Groups container.
3. Navigate to and expand the First Administrative Group container.
4. Expand the Servers container.
5. Expand the Exchange1 container.
6. Expand the First Storage Group.
7. Right-click on the Mailbox Store container.
8. Select Properties from the menu.
9. Click on the Limits tab.
10. In the Deletion Settings section, enter 90 in the Keep Deleted Mailboxes For (Days) field.
11. Click on OK to close the dialog box.
12. Close the ESM console.

Recovering Deleted Items
Deleted items retention is very different from deleted mailbox retention. Deleted items refer to messages, whereas the deleted mailbox refers to the whole mailbox. You can configure each of these items independently of each other. You set the time period for deleted items using the ESM in the same dialog section of the Limits tab where you set the deleted mailbox retention time period. You recover deleted items by using Outlook 2000.

Recovering a Mailbox from Backup
To recover an Exchange 2000 mailbox from backup to a recovery (offline) server, follow these steps:
1. You will need these logical names:
   ■ The Exchange 2000 organization name
   ■ The name of the administrative group to which the database belongs
   ■ The name of the storage group to which the database belongs
   ■ The logical database name
   ■ The LegacyExchangeDN value of the administrative group to which the database belongs (see the discussion in the next section to learn how to find this value)
2. Install Microsoft Windows 2000 Server on the recovery server, and then run DCPROMO to install Active Directory on the recovery server. You will need to create a new isolated forest for your recovery server. Also, pay attention to how forests (DNS namespace), domains, servers, and folders must be named and their paths.
3. Install and configure DNS if necessary.
4. Install Exchange 2000, using the same organization name as used in the production system.
5. Change the name in the LegacyExchangeDN value, if required.
6. Create a storage group using the same logical name as the production server’s storage group.
7. Create logical database names in the storage group to match the original names.
8. Right-click on the database to rename it, and then click on Rename, if required.
9. Dismount the database to be restored. In System Manager, select the This Database Can Be Overwritten By A Restore checkbox.
10. Use the Windows 2000 backup utility to restore the database that contains the mailbox that you want to recover. Be sure that you select the Last Backup Set checkbox when restoring the last online backup set. If you fail to select this checkbox, you must run ESEUTIL /CC against the restored files before the database will start.
11. Mount the database that you restored.
12. In System Manager, navigate to the database and right-click on Mailboxes.
13. Click on Run Cleanup Agent. A red X will identify mailboxes that are not currently linked to an AD account.
14. Create a non-mailbox-enabled AD user account for each mailbox that you want to recover.
15. Link the mailboxes to AD accounts by clicking Reconnect.
16. Extract the contents of the mailbox to a .pst file.

Know how to restore a single user’s mailbox from a backup. The exam will ask you how to do so, as this is an important topic at all the Exchange conferences that we attend.

LegacyExchangeDN Values
To be able to restore from a backup a mailbox that was part of a previous Exchange 5.5 server, you will need to identify the LegacyExchangeDN value. There are several ways to find the LegacyExchangeDN of the administrative group. The LegacyExchangeDN value has the following form:

/O=organization/OU=administrative group

If the OU= portion of the LegacyExchangeDN value is First Administrative Group, there is no need to change any LegacyExchangeDN values on the recovery server. If this portion of the value is not First Administrative Group, then you must change the LegacyExchangeDN values. You must first know what the LegacyExchangeDN value is (and be able to determine whether the value is an obstacle to configuring your recovery server). There are two ways to determine and change the LegacyExchangeDN value:
■ You can use ADSIEDIT or LDP to view the properties of the administrative group object.
■ You can use the LDIFDE utility.

To use LDIFDE, you must know the fully qualified DNS domain name of the root domain in your Windows 2000 forest.
The domain name you want is not necessarily the domain name to which the Exchange 2000 Server belongs, but rather the root domain name of the entire forest. You will also need the Exchange organization and the administrative group names. For example, the following LDIFDE command displays the results on the screen. (The command must be entered as a single line, but it is wrapped here for readability.)

LDIFDE -f CON -d "CN=Executives,CN=Administrative Groups,
  CN=Exchange1,CN=Microsoft Exchange,CN=Services,CN=Configuration,
  DC=gk,DC=com" -l legacyExchangeDN -p Base

In this example, Executives is in LegacyExchangeDN. Because of this, objects on the recovery server must be modified: after a clean Exchange 2000 installation, LegacyExchangeDN on the recovery server contains First Administrative Group, not Executives.

SCENARIO & SOLUTION
Scenario: I have more data to back up than I can fit on my tape cassette. What can I do?
Solution: Depending on exactly how much data changes from day to day, you can use either an incremental or a differential backup technique.

Scenario: In the case of a failure, I must restore the sales department’s e-mail first. How do I do that?
Solution: Put the sales department’s mailboxes in their own mailbox store in another storage group. This will allow you to restore that storage group first and mount the mailbox store.

Scenario: I have two storage groups on my Exchange 2000 Server. Each storage group contains enough data to fill my tape and I want to do a full backup. What can I do?
Solution: You could perform a full backup of each storage group every other day.
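The LegacyExchangeDN check from the section above can be automated against saved LDIFDE output. The following Python sketch is an added example, not part of the book: the function names are hypothetical, the LDIF text is a constructed sample for the Executives command shown above, and it assumes standard LDIF conventions (folded lines start with one space, `attr::` marks a base64 value).

```python
import base64
import re

# OU value present after a clean Exchange 2000 installation, per the text.
DEFAULT_ADMIN_GROUP = "First Administrative Group"

# Constructed sample of LDIFDE output (not captured from a real server).
# The second physical line is an LDIF continuation: it starts with one space.
SAMPLE_LDIF = """\
dn: CN=Executives,CN=Administrative Groups,CN=Exchange1,CN=Microsoft Exchange,
 CN=Services,CN=Configuration,DC=gk,DC=com
changetype: add
legacyExchangeDN: /o=Exchange1/ou=Executives
"""

ATTRIBUTE_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?)[ ]*(.*)$")


def unfold(ldif_text):
    """Undo LDIF folding: a line that begins with one space continues the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines


def read_attribute(ldif_text, name):
    """Return the first value of attribute `name` (case-insensitive), or None."""
    for line in unfold(ldif_text):
        match = ATTRIBUTE_LINE.match(line)
        if not match or match.group(1).lower() != name.lower():
            continue
        value = match.group(3)
        if match.group(2) == "::":  # 'attr:: <base64>' carries an encoded value
            value = base64.b64decode(value).decode("utf-8")
        return value
    return None


def parse_legacy_dn(value):
    """Split '/O=organization/OU=administrative group' into (organization, admin_group)."""
    parts = {}
    for component in value.strip().split("/"):
        if not component:
            continue
        key, sep, val = component.partition("=")
        if not sep:
            raise ValueError(f"malformed LegacyExchangeDN component: {component!r}")
        parts[key.strip().upper()] = val.strip()
    if "O" not in parts or "OU" not in parts:
        raise ValueError(f"LegacyExchangeDN lacks /O= or /OU=: {value!r}")
    return parts["O"], parts["OU"]


def recovery_server_check(ldif_text, recovery_org_name):
    """Compare production LDIFDE output with what a clean recovery install will contain."""
    value = read_attribute(ldif_text, "legacyExchangeDN")
    if value is None:
        raise ValueError("no legacyExchangeDN attribute in the LDIFDE output")
    org, admin_group = parse_legacy_dn(value)
    return {
        "organization": org,
        "admin_group": admin_group,
        # Step 4 of the procedure: the organization name must match production.
        "org_matches": org.lower() == recovery_org_name.lower(),
        # Step 5: a change is needed only when the OU is not the default group.
        "must_change_legacy_dn": admin_group.lower() != DEFAULT_ADMIN_GROUP.lower(),
    }


if __name__ == "__main__":
    print(recovery_server_check(SAMPLE_LDIF, "Exchange1"))
```

Run it against the production output before building the recovery forest, so that a mismatch is found while the production directory can still be queried.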
CERTIFICATION OBJECTIVE 7.03
Configuring a Server for Disaster Recovery
This section discusses configuring the Exchange 2000 Server that holds the Exchange databases to make it easier to recover them in the event of a disaster. You can recover the databases in two places: the original server and a different server. In the different server category, there are two types of servers. One is a replacement server that will be used permanently for the failed original server. The other is a temporary recovery server that will be used only to recover some specific data, and when that task is done, the recovery server will more or less be abandoned until the next disaster recovery. This section focuses on configuring three items:
■ Storage groups and stores
■ Log settings
■ A server for recovery

Storage Groups and Stores
There are several reasons to configure multiple storage groups and multiple information stores on the same server. One reason can be to improve performance, especially that of disk subsystems. The other reason is to aid restoring a storage group or information store after a failure. You want your design to minimize the restore time for critical mailboxes or mailbox stores. You also want your design to keep your backup routines as simple as is practical. Complex designs are difficult to implement and sustain and often require great attention to detail, the kind of attention that often gets overlooked in the boredom of routines such as daily or multiple daily backups.

When you are doing an online backup, the transaction logs are of critical importance because they contain the transactions that are not yet written to the database.
These same transaction files are of no concern when you do an offline backup. To do an offline backup, you must dismount the store. When you do that, the committed transactions held in the log files are flushed to the database. Of course, when you are doing an offline backup, that database is not available for use.

Backing up the entire storage group backs up all of the stores and the transaction files. Such a backup is the simplest to administer, and you can’t miss anything. However, if you must back up all of the stores in the storage group at the same time, the backup might possibly exceed the time allotted. In this case, using multiple storage groups and multiple backup devices, you can simultaneously back up the multiple stores and keep the backup time within the allotted time period.

As we have indicated before, using multiple stores (even within the same storage group) allows you to selectively restore the store. You can restore a mailbox store, for example, without having to disrupt the other mailbox stores in the storage group. Using multiple mailbox stores also allows you to restore one mailbox store, and therefore the critical mailboxes within that store, before restoring the others.

Logging Settings
The prime consideration here is whether to use circular logging or not to use circular logging. Circular logging conserves disk space. But unless you do normal backups frequently enough before the circular log wraps, you will be in trouble if a failure occurs. Disabling circular logging is the preferred method of operation.
EXERCISE 7-3 (CertCam 7-3) Configuring Log Settings
In this exercise, you will configure the log settings to ensure that circular logging is disabled on the default mailbox store.
1. Start the ESM console.
2. Navigate to and expand the Administrative Groups container.
3. Navigate to and expand the First Administrative Group container.
4. Expand the Servers container.
5. Expand the Exchange1 container.
6. Right-click on the First Storage Group.
7. Click on the Enable Circular Logging checkbox, then click OK.
8. Click on Yes in response to the question about using circular logging.
9. Close the ESM.

Configuring a Server for Recovery
Two issues are important when configuring a server for recovery. One is configuring the server so that it is easy to manage in the case of failure; the other is whether you want to restore to that server. Using multiple drives will simplify the process. Using multiple storage groups may also help, depending on the exact scenario. If you elect to use multiple storage groups, the recommendation is to put each storage group on its own array, using RAID 5 if you are interested in fault tolerance. Remember also that for best performance, you should keep the log files for that storage group on separate physical drives as well. Don’t forget that you want to mirror the transaction log file drives.
If you are using multiple storage groups, do not put the transaction log files for multiple storage groups on the same drive.

CERTIFICATION OBJECTIVE 7.04
Restoring the Information Stores
Before you restore a backup from tape, you should make copies of existing database files, even if you cannot start these files. The existing database may be repairable, even though the database may be damaged. You cannot restore an Exchange 5.5 database to an Exchange 2000 Server. The log files for an Exchange 5.5 database are different from those of an Exchange 2000 database.

You should never let the drive that contains your databases get more than half full. This way, you can quickly save a copy of a database that crashes. If you do let the database drive fill up, and you do not have sufficient space to move the database to another folder on the same logical drive, your recovery time is extended. Usually, recovery time is doubled. If you keep your database drive from filling up, you also have room for offline defragmentation.

Before you restore a database, you must start the information store service. You will need to dismount the databases that you want to restore. If you leave the Mount Database After Restore checkbox clear, be sure to examine the event logs to see that the hard recovery finishes before you mount the database in ESM. A hard recovery replays the transaction log files and the patch files after you restore the database.

If you are restoring only a single backup set, do not forget to select the Last Restore Set checkbox in Windows NT Backup to trigger hard recovery after restoration. If you did not select this checkbox, then you can perform a hard recovery by using ESEUTIL /CC.
You must run this utility in the same folder as the transaction logs, patch files, and the restore.env file. You cannot remount the database until the hard recovery finishes.

In a soft recovery, a database starts normally and the storage group is initialized. If the database file is in a consistent state, the ESE simply begins to handle transactions. If the database is in an inconsistent state (it might not have been shut down properly), the ESE replays transactions from the checkpoint through to the log file. If the checkpoint file doesn’t exist, the ESE starts with the earliest transaction log that it finds. When the ESE finishes replaying the transaction, the database is available.

You can follow these steps to recover databases:
1. Ensure that the information store service is running.
2. Ensure that the database you want to restore is dismounted.
3. On the Start menu, point to Programs, point to Accessories, point to System Tools, and then click on Backup.
4. On the Restore tab, expand the media file. Select checkboxes to select the data that you want to restore.
5. Click on Start Restore.
6. In the Restore Database Store dialog box, use the Temporary location to specify a directory to store a log file that is different from the directory where the original log files exist. Make sure the location has enough disk space to store the files. If you restore databases or log files to their original location, any existing databases or log files are overwritten.
7. If you are restoring a full backup without any incremental backups, select Last Restore Set to start a log file replay after restoring the database. If you are restoring a backup with incremental backups, do not select this option until you are restoring the last incremental backup.
8. Click on OK.
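The Last Restore Set rule in step 7 is easy to get wrong under pressure, so it helps to derive the restore order from the backup catalog and to check what was actually done. The following Python sketch is an added example, not part of the book: the class, function names and catalog entries are constructed, and it goes one step beyond the text by also handling a full backup followed by differentials, where only the newest differential is restored.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class BackupSet:
    label: str
    kind: str        # "normal" (full), "incremental" or "differential"
    taken: datetime


# Constructed catalog: one full backup followed by three incrementals.
CATALOG = [
    BackupSet("tue-inc", "incremental", datetime(2001, 7, 24, 23, 0)),
    BackupSet("sun-full", "normal", datetime(2001, 7, 22, 23, 0)),
    BackupSet("wed-inc", "incremental", datetime(2001, 7, 25, 23, 0)),
    BackupSet("mon-inc", "incremental", datetime(2001, 7, 23, 23, 0)),
]


def plan_restore(catalog):
    """Return [(BackupSet, select_last_restore_set)] in the order to restore."""
    ordered = sorted(catalog, key=lambda s: s.taken)
    fulls = [s for s in ordered if s.kind == "normal"]
    if not fulls:
        raise ValueError("no normal (full) backup in the catalog")
    base = fulls[-1]                       # newest full backup is the starting point
    later = [s for s in ordered if s.taken > base.taken]
    incrementals = [s for s in later if s.kind == "incremental"]
    differentials = [s for s in later if s.kind == "differential"]
    if incrementals and differentials:
        raise ValueError("mixed incremental and differential sets; plan this chain by hand")
    # Every incremental is needed, in order; of the differentials only the newest.
    chain = [base] + (incrementals if incrementals else differentials[-1:])
    # Hard recovery must be triggered once, by the final set only.
    return [(s, i == len(chain) - 1) for i, s in enumerate(chain)]


def audit_restore(performed):
    """Check an operator's record: [(label, last_restore_set_was_selected)]."""
    findings = []
    for label, checked in performed[:-1]:
        if checked:
            findings.append(
                f"{label}: Last Restore Set selected too early; hard recovery "
                "starts after this set, before the later sets are restored")
    if performed and not performed[-1][1]:
        findings.append(
            f"{performed[-1][0]}: Last Restore Set not selected; run ESEUTIL /CC "
            "in the folder holding restore.env before mounting")
    return findings


if __name__ == "__main__":
    for backup, last in plan_restore(CATALOG):
        print(f"{backup.label:10} {backup.kind:12} Last Restore Set: {last}")
```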
Restoring Exchange Server
Active Directory almost always survives a disaster that occurs to an Exchange 2000 computer. Therefore, you cannot reinstall Exchange 2000 on a server without first removing that server from AD. However, you do not want to remove the server from AD, because all of the configuration information will be lost, and you will need that information in AD. With Exchange 2000, using the Setup utility with the /disasterrecovery switch solves this problem.

In disaster recovery mode, Setup installs program files and local Registry settings, but assumes that AD information remains intact. Setup searches for the server in AD, then reconfigures the local setup based on what it found in AD. In disaster recovery mode, Setup restores only the components that you choose to restore. If you do not choose a component that was previously installed, the utility does not restore that component. After Setup finishes, you can restore the Exchange databases, and those databases are restored to the correct previous locations because AD stores information store database paths.

CERTIFICATION OBJECTIVE 7.05
Troubleshooting Backup and Restore Problems
Backing up data is a very important process. You will only go to your backup when you have an emergency or have suffered a disaster with the online data. In these cases, you will want to have good, usable backup copies of the data. However, backing up the data is only a small part of the picture. Actually being able to successfully restore the data is the big part of the picture. Having a good, usable backup copy of the data will not be helpful if you can’t actually restore that data.
Problems can occur both when backing up data and when restoring it from backups. This section will highlight some of the problems that can occur and what to do if those problems occur.

SCENARIO & SOLUTION
Scenario: I keep getting a bunch of 1018 errors.
Solution: Look for hardware problems.

Scenario: One of my mailbox stores is corrupt. What should I attempt first to fix it?
Solution: Restore from tape backup.

Scenario: Why not just run ESEUTIL or ISINTEG?
Solution: Depending on the state of things, you could suffer data loss from running one of these utilities. Use them as a last resort.

Scenario: So what? I still have my online tape backup.
Solution: Your online backup will need the transaction logs, which got flushed when you ran the utility, and again you suffer data loss.

Scenario: I manually deleted my transaction logs to free up space on the drive. Now I need to restore my online backup and need the most current data. What should I do?
Solution: Look for another job, perhaps in the housekeeping or food services industries. When you deleted the logs, you deleted your ability to restore the database in as current a state as possible.

Common Error Messages
Several common error messages are important for you to know, both in the real world and for the test.

–1018 Error
One important error message is –1018 JET_errReadVerifyFailure. Before a page is written to the disk, a checksum is calculated for that page and written with the page to the disk. When a page is requested, it is read from the disk, and the checksum is recalculated and verified along with the page number being requested. If the checksum fails or there is a page number mismatch, a –1018 error message is generated.
This error indicates that the data that was written to the disk was not the data that was read from the disk to memory. The ESE will attempt to read the data many times (16, in fact) before it reports the error. ESE makes these attempts to minimize the possibility of a transient fault condition causing the error. To fix 1018 errors, first fix the underlying problem of the error, which is usually a disk subsystem problem. Then restore the database from a known good copy.

Common causes of this error message are:
■ A hardware problem with the disk subsystem. This is the most common cause of the error.
■ A high number of “soft” recovered errors on a hard drive. In this case, you should replace the drive.
■ Improper SCSI termination.
■ Trouble with the write-back cache on a disk controller.
■ Third-party tools that attempt to write directly to the Exchange database.
■ Faulty device drivers.
■ Firmware bugs in the disks or the disk controllers.

If you receive error messages, do not assume that your database has been damaged. If you incorrectly assume the database is damaged and take drastic measures to correct the supposed damage, it could lead to actual damage and prolonged downtime. The only error messages that you can assume indicate a corrupted database are repetitive –1018 errors.

–1069 Error
Another important error message is –1069 JET_errVersionStoreOutOfMemory. During an operation, it is possible that an operation will fail to complete (hang) or that it is so large that it will cause the version store to consume hundreds of megabytes. One possible operation that might cause such a failure to occur is indexing a large table.
As the version store keeps track of all of the changes, such an operation could stress the version store to the point of generating an error. To fix this, try moving the information stores to a disk with more free space. You might also consider adding more RAM.

ESEUTIL
In an ideal world, you’d never need to run ESEUTIL. There are only three situations in which we recommend using it:
■ You want to check the integrity of a database.
■ You need to defragment a database to free up disk space. There is never any reason to defragment databases on a routine basis. Remember, the online defragmentation process runs daily to defragment databases.
■ You need to fix a corrupted database because you can’t restore it from a backup.

We cannot overemphasize that ESEUTIL is not a tool for casual use. It can be dangerous, especially in repair mode. We grimace when we see people running it as a preventive maintenance tool. Doing so is like playing Russian roulette with an automatic pistol.

Table 7-1 lists the common switches used with ESEUTIL and their meaning. Pay attention! The Exchange 2000 version of ESEUTIL is different from the previous versions, especially the /C [options] switch and the /U switch, which no longer exists.

TABLE 7-1 ESEUTIL Options
Switch  Function
/CC     Forces a hard recovery that plays the transaction log files and patch files. Use this switch after a restore where you did not select the Last Restore Set option.
/CM     Dumps the restore.env file, which is a binary file. Both this switch and the /CC switch are options used with the /c switch, described later in this table.
/d      Defragmentation. Copies the database to a new file and removes empty or unused pages and then copies the file back. You need space on the drive to use this switch.
/r      Recovery. Attempts to put the database in a consistent state, but does not truncate the data.
/g      Integrity. Validates the checksum and header information and is nondestructive. You will need to run it once for each database.
/m      File dump. Attempts to dump the database file contents in a human-readable form.
/p      Repair. Validates the database and links and can truncate data and cause data loss.
/c      Restores the database without a hard recovery using the Restore.env.

ISINTEG
The Information Store Integrity Checker (ISINTEG) is used on Exchange databases. It is a suite of tests that check the Exchange 2000 databases for consistency. You should be careful which tests you select to run. Running a full test complement on your Exchange database could take many hours to complete. The database stores are unavailable during this time. To use the utility, the database must be dismounted. When you use ISINTEG, it will create a temporary database, so you will need to have room on the drive for this database. A storage group can have no more than six databases. If you have six databases created in the storage group and want to run ISINTEG, you will need to dismount a second database so the utility can execute.

Table 7-2 lists the common switches used with ISINTEG and their meaning. Pay attention! Like ESEUTIL, there are differences between the Exchange 2000 version of ISINTEG and previous versions. The –patch switch no longer exists.

TABLE 7-2 ISINTEG Switches
Switch                Function
-fix                  Specifies the fix mode. The default is check-only mode. In fix mode, ISINTEG will fix any inconsistencies that it finds.
-verbose              Reports in verbose form.
-s                    Specifies the server name against which to test.
-l [log filename]     Specifies the log filename.
-t [ref db location]  Indicates the location of the temporary database, also known as the reference database.
-test [test name]     Selects the ISINTEG test.

EXERCISE 7-4 Running ESEUTIL
In this exercise, you will dismount the mailbox store, run ESEUTIL to defragment the database, and then mount the mailbox store after the defragmentation is done.
1. Open the ESM.
2. Navigate to and expand the Administrative Groups folder.
3. Expand First Administrative Group.
4. Expand Exchange Server.
5. Expand First Storage Group.
6. Right-click on Mailbox Store.
7. Click on Dismount Store from the menu.
8. Click on Yes on the confirmation dialog box.
9. Open a command prompt.
10. Change directories to the c:\program files\exchsrvr\bin folder. Your actual path may be different depending on where you installed the Exchange 2000 Server. During this exercise, simply use your correct path.
11. Enter eseutil /d "c:\program files\exchsrvr\mdbdata\priv1.edb". Don’t forget to use the double quotes around the path to accommodate the spaces in the command line.
12. Press ENTER.
13. Depending on the size of the database, defrag will run and then terminate by reporting the status and time it took to run the program.
14. Close the command prompt.
15. In the ESM, mount the mailbox store.
16. Click on OK in the success message dialog box.
17. Close the ESM.

FROM THE CLASSROOM
Backing Up
Backing up mission-critical services is, in itself, mission-critical. When students come to class, it is a good time to interact with engineers from many different types of organizations and find out what applications those organizations believe are mission-critical. It is also very interesting to hear their reaction when the engineers find out which applications are mission-critical. Among the applications mentioned as being mission-critical are e-mail, human resources, payroll, customer management, and online commerce.

In the last two years, e-mail has gone from being the second- or third-priority application to being the number-one mission-critical application among many. Students used to say, “Payroll is the most important application if it goes down, especially during certain times.” Now they say, “If e-mail isn’t working, then I won’t get notified that the payroll service is down!”

It can be easy to find out how mission-critical your e-mail application is when it goes down. I have heard several students remark that they thought they had two or more days to restore e-mail. After the e-mail service went down, they found out they had hours, not days, to restore the service. In fact, some organizations require that some mailboxes be restored within 20 minutes, and it is not unusual to find the requirement for all mailboxes to be restored in a two- to four-hour timeframe. Obviously, to meet these requirements you must plan your restore and backup routines very carefully.
—Shane Clawson, MCSE+I, MCT

CERTIFICATION OBJECTIVE 7.06
Safeguarding User Keys

When configuring Exchange 2000 for Advanced Security, you must consider some additional factors when developing a disaster recovery plan. The Key Management Services (KMS) provided in Exchange 2000, used for managing the enrollment of users and the archiving of their keys for secure e-mail, rely on several underlying services. If one of the components involved with Advanced Security fails, it is possible that all components will be inoperable, leaving secured e-mail in your organization inaccessible.

In short, recovering KMS in Exchange 2000 in the event that all servers in your organization have failed (total disaster) requires:

■ The most recent backup of the Certificate Authority (CA) and subordinate CA certificate (.p12 export files) and the associated passwords
■ The most recent backup of Active Directory that contains the KMS administrator accounts
■ The most recent backup of the KMS database and the startup password
■ The KMS administrator’s password

Earlier in the book, we focused on how to enroll clients using KMS and Active Directory. We have also already discussed how to recover the keys used to secure e-mail. This section goes a step further and talks about how to ensure that the KMS service can be restored in the event of a disaster. To learn more about KMS, and how to administer advanced security using KMS, see Chapter 3.

Backing Up Key Management Services

KMS in Exchange 5.5 was a self-contained entity. In Exchange 2000, KMS can be thought of as the combination of the Windows 2000 Enterprise Certificate Authority, Active Directory Services, and the Key Management Service itself.
All three of these must be backed up together in order for KMS to be properly restored in the event of a critical failure.

Backing Up the Certificate Authority

Microsoft recommends backing up the Enterprise Certificate Authority server using the “entire server” option with NT Backup. You should back up this server for each subordinate CA in your enterprise as well. However, you must do some additional work to safeguard this critical service in Exchange 2000.

To restore a Certificate Authority, you must also use the Certification Authority MMC snap-in to back up the CA certificate. This will create a .p12 file that will be used during the restore process. When backing up the CA certificate, you will be prompted for a password. Make this a very difficult password and safeguard the .p12 file and password in an extremely secure place. If this password is compromised, your entire PKI will be jeopardized.

EXERCISE 7-5
Backing Up the CA Certificate

In this exercise, you will back up the CA certificate and the Issued Certificate log using the Certification Authority MMC snap-in.

1. Click on Start | Programs | Administrative Tools, then select Certification Authority.
2. Right-click on the root object, point to All Tasks, and select Backup CA.
3. When the welcome screen appears for the Certification Authority Backup Wizard, click on Next.
4. On the Items To Back Up screen, select the Private Key And CA Certificate checkbox and the Issued Certificate Log And Pending Certificate Request Queue checkbox. Make sure to also specify a path for the backup. Then click on Next.
5. On the Select A Password screen, enter a complex password, confirm the password, and click on Next. Note that it is important not to lose this password. Make sure that you store it in an extremely safe location.
6. Verify the settings you have made in the CA Backup Wizard on the Completing The Certification Authority Backup Wizard screen and then click on Finish.
7. Navigate to the location that you specified for the backup to be placed and verify that there is a DataBase folder and a .p12 file. You should move these files to a very safe location. Preferably, you should move them off the network until you need them for recovery purposes.

Backing Up Active Directory

Each Active Directory domain should include two or more domain controllers (DCs). Each of these domain controllers contains a read/write copy of the domain database. Changes made to any DC are automatically replicated to all other DCs using a multimaster replication model, essentially making each DC an online backup for all other domain controllers. A domain database is a single partition of Active Directory. Active Directory is the sum total of all objects in all Active Directory domain databases in an organization. The AD component that ties them all together is the Global Catalog. By having more than one domain controller in each domain, you guarantee that a given AD domain will have no single point of failure.
Because Windows 2000 uses multimaster replication, a single failed DC does not necessarily constitute an emergency situation. Even so, you should back up each domain controller in Active Directory on a regular schedule. The Active Directory database is backed up when you select the System State in Windows 2000 Backup on a DC (Figure 7-2).

FIGURE 7-2 From Windows 2000 Backup Wizard, select the option to back up only the System State data

Backing Up the KMS Database

The KMS database (KMSMDB.EDB) and associated KMS files will be backed up when you perform a backup of the Exchange Server running KMS. You must select the Microsoft Key Management Service object from the Items To Back Up screen in the NT Backup Wizard (Figure 7-3). In fact, this option will not be available if the KMS service is not running while the backup is performed. The KMS files are located in PROGRAM FILES\EXCHSRVR\KMSDATA\ by default. It is important that the Certification Authority be backed up at the same time that you back up the KMS database in order to keep the CRLs (Certificate Revocation Lists) in sync.

Backing Up the KMS Database Remotely

You can back up KMS databases only on the local machine. This is because the KMS database is hidden from the network to prevent unauthorized people from browsing the network for the KMS server. There are a couple of workarounds in the event that you must back up the KMS database remotely. You can install terminal services on the KMS server and connect with a Terminal server client. Because Terminal server can be detrimental to performance, you may choose to use lightweight remote console software such as Symantec’s PC Anywhere or McAfee’s Remote Desktop.
Once connected to the KMS server, you can initiate NT Backup to back up the KMSDATA folder. Then you can remotely back up the .bkf created by NT Backup.

FIGURE 7-3 Microsoft Key Management Service object in the Backup Wizard

The KMS database is hidden from the rest of the network and can be backed up only on the local KMS server.

Restoring KMS

Prior to restoring the KMS database, make sure that Active Directory and Certificate Server have been restored, are working properly, and are available. Because of the additional password security associated with KMS administration, restoring KMS is not as straightforward a process as restoring the information store databases. However, the processes are similar. The KMS restore process is outlined as follows:

1. Install KMS. Note that you do not have to install KMS on the same computer or computer name.
2. If you are restoring KMS to the same machine, stop KMS and move the current contents of the KMSDATA directory to another location. Note that if the KMSDATA directory isn’t empty before you restore KMS, you will receive a 0xC103798A error.
3. If the KMS password was placed in a Kmserver.pwd file, place this file on the server.
4. Start the KMS service. If the KMS password was not placed in a Kmserver.pwd file, type in the password to start the service.
5. Restore KMS using NT Backup.
6. Stop and restart the KMS service.

KMS Restoration Problems

In the process of reinstalling or restoring KMS, you may run into some KMS-specific problems. Although many problems with KMS in Exchange 5.5 are documented, that documentation may prove to be useless and at the very least outdated by KMS in Exchange 2000 for reasons that this book has already mentioned.
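The staging checks implied by the backup and restore steps above, as an added example in Python (not code from the book or from Microsoft): it confirms that a CA backup folder holds the DataBase folder and .p12 file from Exercise 7-5, compares the CA and KMS backup times, and moves old KMSDATA contents aside instead of deleting them. The function names, the 24-hour tolerance, the use of file modification time as the backup time, and the KMSDATA-<stamp> holding folder name are assumptions.

```python
"""KMS restore staging checks. Added example; names and tolerance are assumptions."""
import shutil
import time
from pathlib import Path

MAX_SKEW_HOURS = 24  # assumption: CA and KMS backups come from the same nightly run


def ca_backup_gaps(ca_backup_dir):
    """Return what is missing from a CA Backup Wizard output folder."""
    folder = Path(ca_backup_dir)
    if not folder.is_dir():
        return ["CA backup folder not found"]
    entries = list(folder.iterdir())
    gaps = []
    # Windows file names are case-insensitive, so compare in lower case.
    if not any(e.is_file() and e.suffix.lower() == ".p12" for e in entries):
        gaps.append("no .p12 file")
    if not any(e.is_dir() and e.name.lower() == "database" for e in entries):
        gaps.append("no DataBase folder")
    return gaps


def backup_skew_hours(ca_backup_dir, kms_bkf):
    """Hours between the newest .p12 in the CA backup and the KMS .bkf file.

    File modification time stands in for the backup time (assumption).
    """
    p12_times = [e.stat().st_mtime for e in Path(ca_backup_dir).iterdir()
                 if e.is_file() and e.suffix.lower() == ".p12"]
    if not p12_times:
        raise FileNotFoundError("no .p12 file to compare against")
    return abs(max(p12_times) - Path(kms_bkf).stat().st_mtime) / 3600.0


def set_aside_kmsdata(kmsdata, holding_root, stamp=None):
    """Move everything out of KMSDATA into a new holding folder.

    Returns the holding folder, or None if KMSDATA was already empty.
    Nothing is deleted, because the old database may be needed later.
    Run it only after the KMS service has been stopped.
    """
    kmsdata = Path(kmsdata).resolve()
    holding_root = Path(holding_root).resolve()
    if not kmsdata.is_dir():
        raise FileNotFoundError(f"KMSDATA folder not found: {kmsdata}")
    # A holding folder inside KMSDATA would leave KMSDATA non-empty.
    if holding_root == kmsdata or kmsdata in holding_root.parents:
        raise ValueError("holding folder must be outside KMSDATA")
    entries = sorted(kmsdata.iterdir())
    if not entries:
        return None
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    holding = holding_root / f"KMSDATA-{stamp}"
    holding.mkdir(parents=True, exist_ok=False)  # never merge into an older set
    for entry in entries:
        shutil.move(str(entry), str(holding / entry.name))
    return holding


def restore_findings(kmsdata, ca_backup_dir, kms_bkf):
    """List every problem found; an empty list means all checks passed."""
    findings = []
    kmsdata = Path(kmsdata)
    if kmsdata.is_dir() and any(kmsdata.iterdir()):
        findings.append("KMSDATA is not empty (expect error 0xC103798A)")
    findings.extend(f"CA backup: {gap}" for gap in ca_backup_gaps(ca_backup_dir))
    try:
        skew = backup_skew_hours(ca_backup_dir, kms_bkf)
    except OSError:
        findings.append("cannot compare backup times (a backup file is missing)")
    else:
        if skew > MAX_SKEW_HOURS:
            findings.append(
                f"CA and KMS backups are {skew:.0f} h apart; CRLs may be out of sync")
    return findings
```
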
Here are two known issues related to KMS restoration to watch out for on the exam:

■ Error 0xC103798A
■ Error c104172 with ESE Event ID 619

Error 0xC103798A

When recovering a failed machine, you may decide to reinstall KMS. During the installation process, you may get the following message:

    Setup failed while installing sub-component Key Management Service with error code 0xC103798A (please consult the installation logs for a detailed description). You may cancel the installation or try the failed step again.

The most likely cause of this error is that a database for a previously installed version of KMS still exists in the KMSDATA folder. To fix this problem, you should move the data in the KMSDATA folder to another location and then perform the installation again. It is a good idea not to delete the previous database, as you may need it in the future.

Error c104172 with ESE Event ID 619

Error c104172 is not unique to KMS. However, it may occur when you mount the KMS database after a restore. When attempting to mount the database, you may receive the following error:

    An internal processing error has occurred. Try restarting the Exchange System Manager or the Microsoft Exchange Information Store service, or both.
    ID no: c1041724
    Exchange System Manager

The following event will be logged into the application log as well:

    Event Type: Error
    Event Source: ESE98
    Event Category: Logging/Recovery
    Event ID: 619

If you encounter this error and event ID, it is very likely that you did not select the Last Restore Set checkbox during the restore process. This means that a hard recovery was not performed on the database. Before you can mount the database, you will need to force a hard recovery.
You can do so using ESEUTIL:

    eseutil /cc [path to directory containing Restore.env]

Another option is to run the restore again and select the Last Restore Set checkbox.

CERTIFICATION SUMMARY

This chapter has wrapped up discussions of technologies that earlier chapters introduced and covered specific exam objectives. Planning your Exchange Server backup and restore routines is an important part of the production cycle of your Exchange Server. Much of your administrative time may be involved with planning to recover from the unexpected or having to recover from the expected disaster. Some of the disasters may be user-induced, but you will still need to recover the data. You can create storage groups and mailbox stores to facilitate both the backup and the restore process.

Because backup and restore are very important functions in the real world, you can expect Microsoft to make them an important test area. You need to know about a number of important utilities, again for both the test and to be able to do your job effectively when administering an Exchange 2000 Server. You must also fix clearly in your mind the types of restore scenarios that could come up. Some examples of such scenarios include restoring to the same server after data corruption, restoring to the same server after a hardware failure and repair, restoring to a new replacement server of the same name or different name, and restoring to a recovery server not intended for production for the purposes of recovering deleted messages from tape backup.

So now you are nearly done with the book, and you are studying to administer Exchange 2000 Server and to take the test.
Just a few more items to read and understand and you are ready to go. Good luck!

✓ TWO-MINUTE DRILL

Implementing a Backup and Restore Plan

❑ You can create storage groups to facilitate backup and restore.
❑ You can create mailbox stores to facilitate backup and restore.
❑ The database remains available during an online backup.
❑ To do an offline backup, you first must dismount the storage group or store. Messaging is not available during an offline backup.
❑ Transaction logs are deleted after an offline backup.
❑ Never manually delete the transaction log files.
❑ A normal or full backup backs up all files, databases, and transaction logs.
❑ A normal or full backup deletes the transaction log files after the database has been successfully backed up.
❑ After a normal or full backup, everything you need for a restore is on the tape.
❑ An incremental online backup does delete the transaction log files. You will need these files for a restore.
❑ A differential online backup does not delete the transaction log files. You will need these files for a restore.
❑ You should never manually delete the transaction log files.

Restoring User Data

❑ Users can recover deleted messages from inside Outlook 2000 up to the deleted item retention period you specify.
❑ The default item retention period is zero days.
❑ You can recover a deleted mailbox up to the deleted mailbox retention period.
❑ Run Mailbox Cleanup Agent to see which mailboxes do not have associated user accounts.
❑ Put mission-critical mailboxes, those that must be restored before other mailboxes, in their own separate mailbox store.
Configuring a Server for Disaster Recovery

❑ Put transaction log files and database files on separate physical drives.
❑ Put each storage group on its own drive or set of drives.
❑ Recovery servers for message recovery must be in an isolated forest.

Restoring the Information Stores

❑ Restore information stores from tape backup.
❑ Databases restored from online backups must replay the current set of transaction logs and patch files to be current.
❑ Be sure to select the Last Restore Set checkbox to force a hard recovery.
❑ You can use ESEUTIL /CC to force a hard recovery.
❑ A hard recovery forces the ESE to replay the transaction logs.

Troubleshooting Backup and Restore Problems

❑ You must dismount the database prior to a restore.
❑ You must dismount the database prior to running ESEUTIL.
❑ Running ISINTEG can take a very long time, during which the database will be unavailable.
❑ In general, 1018 error messages indicate a hardware problem.
❑ You want to fix the hardware problem first.
❑ A 1018 error could also indicate a corrupt database not caused by any particular hardware problem.
❑ Attempt to restore a corrupted database from tape backup first, before running ESEUTIL or ISINTEG.
❑ Use ESEUTIL to defragment a database.
❑ Have we mentioned before that you should never manually delete the transaction log files?
❑ You are running out of time to remember this.
Safeguarding User Keys

❑ If one of the components involved with Advanced Security fails, it is possible that all components will be inoperable, leaving secured e-mail in your organization inaccessible.
❑ KMS in Exchange 5.5 was a self-contained entity. In Exchange 2000, KMS can be thought of as the combination of the Windows 2000 Enterprise Certificate Authority, Active Directory Services, and the Key Management Service itself.
❑ The KMS files are located in PROGRAM FILES\EXCHSRVR\KMSDATA\ by default.
❑ To restore a Certificate Authority, you must also use the Certification Authority MMC snap-in to back up the CA certificate. This will create a .p12 file that will be used during the restore process.

SELF TEST

Implementing a Backup and Restore Plan

1. You are the Exchange administrator for your company. You want to be able to back up your Exchange 2000 Server computer, which is a member server in the domain. Which of the following are legitimate options for backing up your server? (Choose all that apply.)
A. The Windows 2000 backup program on the domain controller
B. The Windows 2000 backup program on the member server
C. A third-party backup program with an Exchange agent
D. Any third-party backup program

2. You are the Exchange administrator for your company. You are preparing the disaster recovery plan for your Exchange 2000 Server. You are considering using a recovery server as part of your process.
What factors should you consider when making your plan?
A. DNS services
B. The number of storage groups
C. The number of mailbox stores
D. The number of user accounts
E. The amount of RAM in the recovery server
F. The disk drive configuration of the recovery server

Restoring User Data

3. You are the administrator for the Exchange 2000 Server computer. Your server has a single storage group and a single mailbox store. The configuration items for the mailbox store are in the default configuration. You back up the Exchange databases once each week on Sunday morning. Today is Wednesday. Mary Jo called you this morning to report that she has accidentally deleted some critical messages that she received Monday morning. She checked her Deleted Items folder in Outlook and it was empty. What can you do to recover Mary Jo’s messages?
A. Create a new user account in the ADUC. Connect this account to Mary Jo’s mailbox. Configure Outlook with a profile using the new account. Open Outlook and copy the messages to a .pst file.
B. Instruct Mary Jo to open Outlook, go to the Deleted Items folder, and use the Recover Deleted Item tool from the Tools menu.
C. Using the ESM, recover the deleted items for Mary Jo.
D. Update your resumé.

4. You are the Exchange administrator for your company. You have two Exchange 2000 Server computers named Exch1 and Exch2. Each server has a single storage group with two databases. Exch1 has mbstore1 and mbstore2. Exch2 has mbstore3 and mbstore4. Fred has a mailbox on Exch1. Last week, Fred deleted several messages that he now needs. You attempted to restore Fred’s mailbox on Exch2 by restoring mbstore1 onto Exch2. You then ran the Mailbox Cleanup Agent on the new copy of mbstore1.
You were unable to connect Fred’s mailbox to another AD user account. What should you do?
A. Promote Exch2 to a domain controller. In the ADUC, connect Fred’s account to the mailbox on the mbstore1 copy.
B. On Exch1, dismount mbstore1. On Exch2, stop and start the Information Store service. Run the Mailbox Cleanup Agent.
C. Install another Exchange 2000 Server computer in an isolated forest. Restore mbstore1 to this server. Connect Fred’s mailbox to a new user’s account.
D. On Exch2, dismount mbstore3. Mount the copy of mbstore1. Run ISINTEG -fix.

Configuring a Server for Disaster Recovery

5. You are the Exchange administrator for your company. You have configured a Windows 2000 member server as your Exchange recovery server. You will use this server to recover single mailboxes should the need arise. To verify proper restore procedures, you restore the database files from the production Exchange Server’s online tape backup. During the restore, you used the correct database and path names. After the restore, you are unable to mount the database. What should you do?
A. In the ESM, select the This Database Can Be Overwritten By A Restore checkbox. Mount the database.
B. Run ISINTEG -patch. Mount the database.
C. Change the path of the transaction log file to match the path of the original server.
D. Select the Last Restore Set checkbox during restore. Run ESEUTIL /D. Mount the database.

6. You are the Lotus Notes administrator for your company. The Notes activity has been slow because most of the users have requested to be migrated to Exchange so that they can use Outlook 2000.
While you were checking the event log of one of the Windows 2000 member servers that host Exchange, you notice the Netlogon and the Exchange services are not started. You attempt to start them, but fail. You suspect the Registry is corrupted. What should you do to repair the Registry?
A. Restart the server using the Last Known Good Configuration.
B. Copy the System.Alt file to System.dat and restart the server.
C. Restore the Sysvol folder from the backup.
D. Restore the System State from the backup.

Restoring the Information Stores

7. You are the Exchange administrator for your company. The sales department users have told you that e-mail is mission-critical to them, and that in the case of failure their mailboxes must be restored first and as soon as possible. You have a single Exchange 2000 Server computer in your organization supporting 1,542 users. The current size of the information store is nearly 14GB. You currently back up the information store to a single 4 MM DAT drive and must keep the backup in one set. What should you do?
A. Create a new storage group. Create a new mailbox store in the storage group. Put the transaction logs on a different physical drive. Move the sales department users’ mailboxes to the new store.
B. Create a new storage group. Create a new mailbox store in the storage group. Accept the default location for the log files. Move the sales department users’ mailboxes to the new store.
C. Create a new mailbox store in the existing storage group. Move the sales department users’ mailboxes to the new store. Modify the storage group’s properties so that the log files are put on another physical drive.
D. Create a new mailbox store in the existing storage group. Move the sales department users’ mailboxes to the new store. Leave the mailbox store’s properties so that the log files are on the same physical drive.
8. Your company has three Windows 2000 domains in a single forest. Each domain is in one of the company’s three locations in North America. You are the administrator for the Exchange 2000 Server computer located in the San Diego office. Users in the San Diego office are complaining that they cannot open some messages in the public folder. After checking, you find that some of the folders are corrupted in the public folder structure. What should you do to resolve this problem?
A. Dismount the public folder store. Run ISINTEG -fix. Mount the store.
B. Run ISINTEG -patch. Start the information store service.
C. Run ESEUTIL /CM. Start the information store service.
D. Run ESEUTIL /CC. Mount the store.

Troubleshooting Backup and Restore Problems

9. You are the Exchange administrator for your company. Your company’s Windows 2000 environment consists of a single domain across three sites. You have Exchange 2000 Server computers located at each of the sites. During your regular review of the event log files on one of the computers, you find there is a string of -1018 ESE error messages in the log. Users with mailboxes on this server have not reported any problems when they connect to their mailboxes. You need to fix this problem, but you do not want to damage the contents of the mailbox store. What could you do?
A. Stop the information store service and truncate the transaction log files. Restart the information store.
B. Dismount the mailbox store and run ISINTEG -fix. Remount the mailbox store.
C. Repair the disk subsystem hardware and restore the mailbox store from backup.
D. Dismount the mailbox store and run ESEUTIL /CC. Remount the mailbox store.

10. You are an Exchange administrator for your company.
There is a single Exchange Server with a single storage group. The storage group contains mailbox stores for the sales, engineering, management, production, HR, and finance departments. You work second shift and are responsible for the backups. When you got to work today, the administrator on the first shift had left a note that he has begun an ISINTEG process to fix some anomalies on the sales database. He is asking that you monitor the process through to completion. However, when you check, you find that the ISINTEG process has failed to run. What could you do to ensure that it can successfully run?
A. Start the ISINTEG process with a “runas” process and specify the Exchange service account as the credentials for the process.
B. Delete the transaction log files first and then restart the ISINTEG process.
C. Restore the sales database from tape backup and then run the ISINTEG process.
D. Dismount another database first, then restart the ISINTEG process.

11. You are the Exchange administrator for your company. You have a single Windows 2000 domain with a single Exchange 2000 Server computer. You receive calls from your users stating they are unable to connect to their mailboxes. When you check, you find that the information store service has shut down improperly. You suspect that this has caused the mailbox store to shut down improperly as well. You examine the database header and discover that the database is in an inconsistent state. How can you bring the mailbox store online without damaging the database?
A. Restart the information store and remount the database.
B. Run ESEUTIL /D and remount the database.
C. Run ISINTEG -patch and remount the database.
D. Run ESEUTIL /P and remount the database.

Safeguarding User Keys

12. You are the Exchange administrator at your company. You are responsible for maintaining the KMS. Every night you perform a backup of KMS using NT Backup. You recently enrolled 50 new users using KMS. You want to make sure you can restore these users’ certificates in the event of a disaster. What else must you do in addition to backing up KMS? Choose the best answer.
A. When backing up KMS using NT Backup, select the option to back up Private Key And CA Certificate and Issued Certificate Log And Pending Certificate Request Queue.
B. Use the Certification Authority Backup Wizard to back up the Private Key And CA Certificate and Issued Certificate Log And Pending Certificate Request Queue.
C. Use the Export Wizard to create a .p12 file.
D. Do nothing; all you need is the KMS backup.

13. You are the Exchange administrator for your company. You have just restored KMS. However, when you attempt to mount the KMS database, you receive the following error message:

    An internal processing error has occurred. Try restarting the Exchange System Manager or the Microsoft Exchange Information Store service, or both.
    ID no: c1041724
    Exchange System Manager

What must you do to be able to mount the database? Choose the best answer.
A. Run ESEUTIL /CM.
B. Run ESEUTIL /CC.
C. Run ISINTEG -patch.
D. Run ISINTEG -fix.

14. You are the Exchange administrator for a syndicated radio program. On a regular basis, you check the services on the Exchange Server to make sure all Exchange services are running. You notice that the KMS service is not running. What impact will this have on the users currently enrolled in Advanced Security?
A. Users will be unable to send and receive secure e-mail.
B. Users will be able to send but will not be able to receive secure e-mail.
C. Users will be able to send and receive secure e-mail but will not be able to open secure e-mail.
D. There will be no effect on users currently enrolled.
E. Users will have to reenroll when the service is restarted.

LAB QUESTION

You are the Exchange administrator for your company. You have deployed a single Exchange 2000 Server computer. You want to configure the server for optimum performance and fault tolerance. You must provide for the following:

■ There are 3,200 mailboxes.
■ Each mailbox may have up to 100MB of storage.
■ Two hundred and twenty salespeople have mission-critical mailboxes.
■ In the event of a disaster, you must first restore the sales department’s mailboxes, without affecting other mailboxes that may still be available. Also, the process of restoring other mailboxes must not interfere with the sales department’s mailboxes.
■ You must be able to restore from tape backup the sales department’s mailboxes within 40 minutes of being notified.
■ The backup and restore plan must be as simple as possible using the least amount of media possible. The processes also must be unattended.
■ All mailboxes must be backed up within a six-hour timeframe.

You have the following equipment available:

■ Your company has selected a tape backup unit that can store 180GB of data per tape unit and can read and write at 40GB per hour.
■ You have several disk controllers available that will support RAID 0, 1, and 5. Each controller can support up to 15 drives. To support RAID configurations, all drives in the array must be on the same controller.
■ Your company has selected 50GB capacity drives.

Your task is to configure the server with the appropriate hard drives and tape backup devices to support the mission requirements. You have no limitations or requirements other than the ones previously listed. How will you configure the server?

Drive and Controller Configuration Work Area:

Tape Unit Work Area:

SELF TEST ANSWERS

Implementing a Backup and Restore Plan

1. ✓ B and C. If you want to use the Windows backup program to back up the Exchange databases, you must use the backup program at the server, which in this case is a member server. You can also use a third-party program with an Exchange agent, which is the part that allows you to do an online backup of the database.
✗ A is wrong because the Exchange database is not on the domain controller. D is wrong because you can’t just use any third-party backup program. The program must include an agent for backing up Exchange databases.

2. ✓ A, B, C, E, and F are all good choices. Each one of these will play a part and can affect the length of time the restore can take.
✗ D has nothing to do with backing up or restoring the Exchange databases. There is no relationship between the number of user accounts and the number of mailboxes. It is possible to have many fewer mailboxes than user accounts.

Restoring User Data

3. ✓ D is the best choice here.
The default configuration for the mailbox store is to have zero days set for the deleted items retention period, so you lose the ability to recover the items. Since you back up only once each week on Sunday, last Monday’s messages aren’t on tape backup, so it offers no help. Your only hope for salvation is to get your resumé updated and on the street so that you can get another job as a Notes administrator before your boss finds out about this catastrophe!
✗ A is just incorrect, even if this idea would work (and it won’t). The problem is not with the account; the messages are gone, which means there is nothing to copy to the .pst file. B is wrong because the scenario clearly states that the deleted item folder is empty. C is incorrect. You can’t use the ESM to recover deleted items.

4. ✓ C is the only choice among these answers that makes any sense. The issue is that Fred has deleted messages from his mailbox and you need to recover these messages from a tape backup. You will need to do this on a recovery server, not a production server, and in an isolated forest.
✗ A, B, and D are all wrong because they do not involve using a recovery server. A is really bad for suggesting that promoting a machine to a domain controller would influence the fix. B is really bad for suggesting that you dismount a database on one server to be able to effect a fix of a database on another server. D is bad because there is an empty database slot in the storage group available for ISINTEG to use.

Configuring a Server for Disaster Recovery

5. ✓ C is the best choice. After a restore, the transaction logs must be replayed to make the database consistent from an online backup.
The most probable cause here is that the log files cannot be located because they are in a different folder.
✗ A is wrong because there is no database on the recovery server to overwrite. B is wrong because –patch is not an option in E2K. D is wrong because selecting the checkboxes is what you do to force a hard recovery after the restore. You would need to run ESEUTIL only if you did not select that checkbox, and in that case you would use the /CC switch and not the /D switch.

6. ✓ D is correct. The Registry is one of the items that gets backed up with the System State.
✗ A is wrong because using the LKGC is effective in the case of an invalid configuration change, but won’t do much for a corrupted Registry. B is incorrect; don’t rename this file. C is wrong because the System State contains the Registry, not the sysvol.

Restoring the Information Stores

7. ✓ C. This is a really difficult set of choices and you should read the question very closely. The issue at the root of the question is that the sales department’s users’ mailboxes must be restored first, before anyone else. The rest of the narrative about the number of users and IS size and tape drive is just “filler” to distract you. Creating a new mailbox store is the logical answer. Nothing in this scenario should lead you to believe a new storage group is required, so you can throw out answers A and B. Now the choices are between answers that pose different solutions as to what to do with the log files. It is always better to put the log files on a separate drive.
✗ A, B, and D. See the explanation for the correct answer.

8. ✓ A. This is a folder corruption problem that you can fix with ISINTEG.
✗ B, C, and D are all wrong. As mentioned previously, the –patch switch does not exist. ESEUTIL is simply the wrong utility to use to solve this problem.

Troubleshooting Backup and Restore Problems

9. ✓ C is the correct answer. The predominant cause of 1018 errors is a hardware malfunction.
To eliminate the error, you will need to fix the underlying problem first. Only answer C does so.
✗ A, B, and D. No matter what else is right in the other answers, if you don’t fix the hardware problem, the 1018 errors are not going away.

10. ✓ D is the best choice. You must dismount the database to use ISINTEG and it will be unavailable for the duration of the process.
✗ A is a poor choice because you do not need to use the “run as” process and the Exchange service account no longer exists. Exchange services use the Windows 2000 system account. B is a really bad choice. Have we mentioned before that you never want to delete the log files? C is a bad choice. You don’t need to restore the database to run ISINTEG.

11. ✓ D is the best choice here. The /P switch will repair the database.
✗ A is wrong. The IS probably won’t start, and even if it does, the database will still be corrupt. B is a bad choice as it defragments the database but won’t fix the corruption. C is wrong because this version of the product no longer has a –patch switch.

Safeguarding User Keys

12. ✓ Answer B is the correct answer. In addition to backing up KMS using NT Backup, administrators of KMS should also back up the Certification Authority.
✗ The options listed in A are not available with NT Backup. The p.12 file is created when you perform B, so C is invalid. D is a partially true statement. However, depending on the circumstance in which the KMS failed, there is a possibility that the client certificates will be corrupted or lost. Having a backup of the Certification Authority and specifically the issued certificate log will guarantee a full recovery.

13. ✓ B is the correct answer.
ESEUTIL should be run with the /cc parameter to enforce a hard recovery.
✗ A is wrong, as /cm will simply dump the Restore.env file. C and D are incorrect, as ISINTEG will do nothing to help in this scenario. In fact, the –patch parameter no longer exists in Exchange 2000.

14. ✓ D is correct. In fact, when you are not enrolling new users, it is recommended that you stop the service to reduce even further the chance that it might be discovered on the network and compromised.
✗ A, B, and C are all untrue statements. E is not true either. Just because the service stops does not mean the certificate will expire.

LAB ANSWER

Solving this lab question will require some “stubby pencil” engineering work and calculations:
■ You must support 3,200 mailboxes with an individual mailbox limit of 100MB. This means you must accommodate 320GB of data (3,200 × 100MB = 320,000MB).
■ However, you have special support requirements for 220 sales users who can store 22GB of data. You must be able to restore their mailboxes before other mailboxes in less than 40 minutes. To support this requirement, you will put the sales mailboxes in their own mailbox store and in their own storage group.
■ This leaves 2,980 other mailboxes, or 298GB of data. As your tape units will back up at the rate of 40GB per hour, you will need 7.45 hours to back up the information store. However, you must back up the database in no more than six hours, so you need to make some adjustments. You will have to split the users among multiple mailbox stores (two stores) and use multiple tape backup units, one for each store.
To support this configuration, you will need separate storage groups for each of the mailbox stores to allow you to restore the transaction log files separately. If you were to use a single storage group, when you back up from each tape unit, each tape will include the same transaction log files, which would be awkward during a restore as each tape unit would attempt to restore the same log files. A better design is to use two storage groups and one tape unit per storage group.
■ Using two storage groups, each with a single mailbox store, you will have 1,490 users per mailbox store and 149GB of data. Thus you will need 3.75 hours for backup, which is within the six-hour window.
■ To summarize, you will have three storage groups; you will use a tape unit for each of the storage groups; each tape unit has enough capacity for you to do a normal (full) backup every day using a single tape, which makes the backup as simple as possible.

Okay, let’s design the storage groups and mailbox stores:

Storage group 1 | Sales mailbox store | Sales users’ mailboxes
Storage group 2 | Mailbox store 2 | Half of the user mailboxes
Storage group 3 | Mailbox store 3 | Half of the user mailboxes

Now let’s configure the disk drives:

Controller 0 | Disk 0; Disk 1 | RAID 1; contains the operating system files and the Exchange operating files
Controller 0 | Disk 2 | Windows 2000 page file
Controller 0 | Disk 3; Disk 4 | RAID 1; transaction log files for storage group 1
Controller 0 | (Disk 5; Disk 6) (Disk 7; Disk 8) | RAID 0+1; storage group 1 (sales mailboxes at 22GB maximum)
Controller 1 | Disk 9; Disk 10 | RAID 1; transaction log files for storage group 2
Controller 1 | (Disk 11; 12; 13; 14) (Disk 15; 16; 17; 18) | RAID 0+1; storage group 2 (1,490 or half the remaining user mailboxes at 149GB maximum)
Controller 2 | Disk 19; Disk 20 | RAID 1; transaction log files for storage group 3
Controller 2 | (Disk 21; 22; 23; 24) (Disk 25; 26; 27; 28) | RAID 0+1; storage group 3 (1,490 or half the remaining user mailboxes at 149GB maximum)

Notice that you are using four drives in the array for storage groups 2 and 3. This is because using three drives provides only 150GB of storage, whereas 149GB might be required, and that would fill the drives too full to be efficient. This overall drive configuration will support the requirements for performance and fault tolerance.

You will need three tape units and use one tape unit to back up each storage group. Remember, the backup must be simple and unattended, which means that the administrator will not be there to change tapes. The potential size of the database is too big for a single unit to handle, so you split the users among different mailbox stores. Putting the mailbox stores in different storage groups makes them “self-contained” with their transaction log files. This simplifies both the backup and potential restore.
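The lab answer's sizing, worked through as an added example (not part of the study guide): it derives the number of storage groups from the six-hour backup window, checks the sales restore against the 40-minute limit, and counts the RAID 0+1 drives. The 80 percent fill ceiling and every function name are assumptions made for this sketch; the rates and capacities come from the lab question.

```python
import math

TAPE_GB_PER_HOUR = 40    # lab: tape unit reads and writes at 40GB per hour
TAPE_CAPACITY_GB = 180   # lab: 180GB per tape
DRIVE_GB = 50            # lab: 50GB drives
MAX_FILL = 0.8           # assumption: keep data arrays below 80% full

def transfer_hours(data_gb, rate=TAPE_GB_PER_HOUR):
    """Hours to stream data_gb to or from one tape unit."""
    return data_gb / rate

def split_for_window(mailboxes, quota_mb, window_hours):
    """Fewest equal stores (one tape unit each) whose full backup fits the window."""
    total_gb = mailboxes * quota_mb / 1000   # the guide counts 1GB as 1,000MB
    stores = max(1, math.ceil(transfer_hours(total_gb) / window_hours))
    return stores, math.ceil(mailboxes / stores), total_gb / stores

def raid01_drives(data_gb, drive_gb=DRIVE_GB, max_fill=MAX_FILL):
    """Total drives in a RAID 0+1 set: a stripe of at least two drives, mirrored."""
    per_stripe = max(2, math.ceil(data_gb / (drive_gb * max_fill)))
    return 2 * per_stripe

def plan(groups, window_hours=6):
    """groups: (name, mailboxes, quota_mb, restore_limit_minutes or None)."""
    rows = []
    for name, mailboxes, quota_mb, restore_limit in groups:
        stores, per_store, gb = split_for_window(mailboxes, quota_mb, window_hours)
        restore_min = gb * 60 / TAPE_GB_PER_HOUR
        for i in range(stores):
            rows.append({
                "storage_group": f"{name}-{i + 1}",
                "mailboxes": per_store,
                "data_gb": gb,
                "backup_hours": transfer_hours(gb),   # 3.725 for 149GB; the guide quotes 3.75
                "restore_minutes": restore_min,
                "meets_restore_limit": restore_limit is None or restore_min <= restore_limit,
                "single_tape": gb <= TAPE_CAPACITY_GB,
                "raid01_drives": raid01_drives(gb),
            })
    return rows

# Lab inputs: 220 sales mailboxes with a 40-minute restore limit, 2,980 others.
LAB = [("sales", 220, 100, 40), ("general", 2980, 100, None)]

if __name__ == "__main__":
    for row in plan(LAB):
        print(row)
```

The sales store restores in 33 minutes at the stated tape rate, which is the margin behind the 40-minute requirement that the lab answer does not spell out.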