S 6.149 Data backup under Exchange

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

A data backup policy must be drawn up for Exchange and should be integrated into the existing data backup policy of the organisation (see also module S 1.4 Data backup policy). In this, not only Exchange servers, but also the Outlook clients should be taken into consideration.

Data backup for Exchange Server databases

It is recommendable to backup the information memories, i.e. the Exchange Server databases for mailboxes. The type of backup (complete or incremental) must be defined. Since Microsoft Exchange systems require the Windows Active Directory for proper operation, this should also be backed up.

Furthermore, it is recommendable to only permanently delete already deleted Exchange objects in mailboxes and public folders (on the server side) after a couple of days and only upon final data backup. These settings can be performed for each individual information memory. Moreover, it is recommendable to not to permanently delete deleted mailboxes within a certain period (the default setting is 30 days). These values must be adapted to the respective requirements of the company and/or government agency.

Exchange Server databases should be backed up at least daily. Therefore, backup and recovery should be performed online, if possible, i.e. without shutting down the Microsoft Exchange services. The backup policies, i.e. the specific procedure, depend on the version in this case.

In order to backup an installation of Microsoft Exchange Server offline, the Microsoft Exchange services must be shut down. Then, the Exchange directory must be backed up, including all sub-directories. This way, the entire binary data of the Exchange server is collected. This variant is recommendable for less frequently performed backups (e.g. once a week).

Data backups of local Outlook folders

Mail data backup must also include the clients. If personal Outlook folders are stored on the user systems, it must be guaranteed that this data is included in the data backup in order to avoid losses of data. This also applies to offline folders.

The steps to be taken in detail when backing up data differ depending on the different Exchange/Outlook variants. For example, Microsoft Technet contains a description of this process for the version 2010:

• The backup and recovery features of Microsoft Exchange 2010 are based on volume shadow copies of the Microsoft Windows Server architecture. The databases are backed up online (see "Exchange Backup and Recovery Architecture").
• The high-availability properties of Microsoft Exchange 2010 must be taken into consideration during data backup. "Backup and Restore Concepts" provides an overview.
• Data of an Outlook .PST file can be backed up using the Microsoft add-in: "Backup for personal folders". This is described in "Managing PST files in Microsoft Outlook".

Review questions:

• Is the data of the used Exchange and Outlook components backed up regularly?
• Is there a data backup policy for Exchange/Outlook taking into consideration all relevant components?