Multi-Mailbox Search (also known as a discovery
search) in Exchange Server 2010 provides your organization with the
ability to respond to legal discoveries or other internal
investigations as required by facilitating discovery search across multiple mailboxes. The ability to use Multi-Mailbox
Search is delegated through Role-Based Access Control (RBAC) using the
management role group Discovery Management. Non-technical users who have been delegated to perform discovery searches can perform these searches through the ECP, without requiring Exchange administrative access or other elevated privileges.
Multi-Mailbox Search uses the Exchange Search content indexes, and queries are constructed using the Advance Query Syntax (AQS), which is also used by Windows Search
and Instant Search in Microsoft Outlook 2007 and later, so that users
delegated the Discovery Management role can create queries using syntax
they're already familiar with.
A target mailbox must be specified when performing a discovery search; mailboxes of the type discovery are the only targets that can be selected when you perform a discovery search using the ECP. Exchange Server 2010 creates one discovery mailbox with the display name Discovery Search Mailbox, but others can be created as necessary. Discovery mailboxes can only be created in the EMS with the New-Mailbox cmdlet using the Discovery
switch, and by default a newly created discovery mail has no mailbox
access permissions assigned. In addition, by default discovery
mailboxes are visible in address lists, but users can't send e-mail to
them; delivery is prohibited with delivery restrictions.
Multi-Mailbox Search also relies on a system mailbox named SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}.
This mailbox (like other system mailboxes) is not visible in the EMC,
nor does it appear in any address lists; the purpose of this mailbox is
to host metadata for the Multi-Mailbox Search functionality.
1. Litigation Hold
The litigation
hold functionality in Exchange Server 2010 provides the means for your
organization to respond to impending litigation or internal
investigations. When expectations such as these arise, all records,
including e-mail, relating to the litigation or internal investigation
are expected to be retained. Whereas one means of addressing this may
be to configure journaling, journaling can present additional
challenges to IT personnel such as database growth and performance
implications (each message is sent twice). These challenges can be
especially significant for impending events such as litigation because
the full scope of the resultant discovery are likely not fully defined
yet, which means that you may have to configure a much larger group of
mailboxes for journaling than will ultimately be required for the
actual discovery to ensure that you are compliant to avoid severe
penalties.
Litigation hold addresses these issues by preventing items in the Recoverable Items folder from being purged permanently while the litigation
hold is in place. The Recoverable Items folder replaces the dumpster in
previous versions of Exchange.
In brief, though, when a user hard deletes an item (by pressing Shift+Delete simultaneously) or empties her Deleted Items folder, the items are placed in the Deletions subfolder of Recoverable Items; the contents of the Deletions subfolder are what is visible through the Recover
Deleted Items tool in Outlook or OWA; this is the only folder within
Recoverable Items whose contents are accessible by the user. When an
item is deleted using the Recover Deleted Items tool in Outlook or OWA,
it's moved to the Purges subfolder of Recoverable Items, and is purged from this folder the next time the Managed Folder Assistant runs. When a mailbox is placed on litigation hold,
items are no longer purged from the Purges subfolder. If a mailbox has
been configured with a personal archive, when litigation hold is
enabled the deleted content in the archive mailbox goes into the
Recoverable Items folder of the archive mailbox.
A final subfolder of Recoverable Items is the Versions folder; again, this folder and its contents are not visible to the user. The Versions folder is used for litigation holds; when a mailbox is placed on litigation
hold, any changes to certain properties on any items within the mailbox
causes a copy of the original item to be stored in the Versions folder
in a process called copy on write. The properties that initiate a copy on write are outlined in Table 1.
Note:
The behavior of retaining items in the Purges
folder, and retaining copies of modified items, can also be attained by
enabling Single Item Recovery on a mailbox. When Single Item Recovery
is enabled, items are retained in the Purges folder for the duration of
the deleted items retention period configured on the mailbox (or on the
mailbox database, if it has not been set on the mailbox directly). When
a litigation hold is configured on the mailbox, items are retained in
the Purges folder for the duration of the litigation hold, regardless
of the deleted items retention period set on the mailbox or database.
Table 1. Properties That Initiate a Copy on Write
| ITEM TYPE | PROPERTIES THAT INITIATE COPY ON WRITE |
|---|
| Messages (IPM.Note*) Posts (IPM.Post*) |
Subject Body Attachments Senders/Recipients Sent/Received Dates
|
| Items other than messages and posts |
Any change to a visible property, except the following:
Item location (when an item is moved between folders) Item status change (read or unread) Changes to retention tag applied to an item
|
| Items in the default folder Drafts | None (items in the Drafts folder are exempt from copy on write) |
Note:
All items in the Recoverable Items folder, including items in the Purges and Versions folders, are indexed by Exchange Search,
and are discoverable using Multi-Mailbox Search, even though the Purges
and Versions folders and their contents are not visible to the user.
1.1. Placing a Mailbox on Litigation Hold
A mailbox can be placed on legal or litigation hold by users who have been assigned the Legal Hold Management role or been added to the Discovery
Management RBAC role group; this is accomplished through the ECP or EMC
in Exchange Server 2010 SP1 or via the EMS using the Set-Mailbox cmdlet with the LitigationHoldEnabled parameter set to $true; to remove a legal hold, set the LitigationHoldEnabled parameter to $false. In Exchange Server 2010 RTM, legal holds can only be configured via the EMS using the Set-Mailbox cmdlet.
In addition, if your
organization requires that users are informed when a legal hold is
enabled, the Retention Comment property can be set as well; when
configured, this property provides a notification for both retention
and legal holds.
The following example enables a legal hold on a mailbox and configures a Retention Comment to notify the user of the legal hold:
Set-Mailbox tamer.salah -LitigationHoldEnabled $true -RetentionComment "This mailbox
has been placed on legal hold; you will be unable to permanently delete any items until
further notice."
Note:
It may take up to one hour for the legal hold to take effect.
Figure 1 shows the same litigation hold being configured via the ECP.
The Retention Comment configured with the preceding example is displayed in Outlook 2010, in the Backstage view, as shown in Figure 2. The Retention comment is not visible in Exchange Server 2010 Outlook Web App.
