Managing Compliance in Microsoft Exchange Server 2010
- 11/24/2010
How the Managed Folder Assistant implements retention policies
After you apply a retention policy to a mailbox, you can either wait for the next scheduled run of the MFA or start it manually so that the new policy is applied immediately. When the MFA runs, it performs the following tasks:
- It applies the tags specified in retention policies to the mailboxes covered by these policies and stamps the items in the various folders covered by the policies with the appropriate tag name and expiration date.
- It populates new managed folders into mailboxes that are under the control of a managed folder policy.
- If a policy defines a retention or expiry period for items, it stamps a Messaging Application Programming Interface (MAPI) property (ElcMoveDate) on the items indicating the date and time from which the retention period will start. A future run of the assistant can then use this date and time to calculate when to delete an item or mark it as expired.
- It locates items in folders that are past their expiration date and takes whatever action is defined in the policy (delete, age out, move to another folder).
- If required by policy, it journals new items that have been placed in managed folders. In this context, journaling is different than that performed by transport rules because items are only processed when the MFA is active rather than immediately when they arrive into the folder. The MFA does not use the transport engine to journal items because there is no guarantee that the transport role is installed on the mailbox server that hosts the managed folders.
The default schedule for the MFA on Exchange 2010 mailbox servers extends from 1 A.M. to 9 A.M. daily. On small servers that host a few hundred mailboxes, the MFA invariably has plenty of time to complete processing of all mailboxes during its scheduled timeslot. On large servers where several thousand mailboxes might need to be processed, a run of the MFA might not complete during its timeslot, especially if this is the first time that policies are applied and many items have to be deleted or moved into an archive.
As discussed in Chapter 12, “Mailbox Support Services”, Exchange 2010 SP1 introduces a new method to schedule and perform the work done by mailbox assistants, including the MFA. When the scheduled window for the MFA opens on an Exchange 2010 RTM server, the Assistant begins to process all mailboxes one after another as quickly as possible. In effect, the MFA sprints through all its work in an attempt to reach the finish line as quickly as possible. This creates a high processing load on the server, and this could occur at the same time that other housekeeping activities happen, such as background maintenance and backup jobs. The fact that the MFA does more work than ever before to stamp new items and process items according to the conditions specified in retention policies is also of concern, as this drives additional server load.
Instead of sprinting to the finish, the Exchange 2010 SP1 version of the MFA assesses the expected workload in terms of the number of mailboxes that it has to process and then spreads out its processing across the complete window. For example, if 600 mailboxes are to be processed over three hours, the MFA will create its own internal schedule to process 200 mailboxes per hour, or roughly three mailboxes per minute. In addition, there is a checkpoint defined for the work cycle, at which time the MFA will look for new mailboxes that should be added to its list for processing. The default values for the work cycle and checkpoint are both one day, meaning that the MFA will attempt to process every mailbox in its list daily and will check for new mailboxes daily. Overall, the work cycle mechanism makes more effective use of server resources in an easy and relaxed manner throughout the day and doesn’t create potential spikes in demand.
You might find that you want to run the MFA immediately, perhaps to apply a policy to a group of users for the first time. To force a nonscheduled run of the MFA on an Exchange 2010 server, connect to the server that hosts the database where the mailboxes are located, start EMS, and enter this command:
Start-ManagedFolderAssistant
Exchange 2010 SP1 will still process the mailboxes if you force an immediate run, but the mailboxes will be processed as described earlier.
Forcing immediate execution for a selected mailbox is a useful thing to do when you start to apply policies to mailboxes and want to gauge the effect of the policy by examining the output of a log file, which might be easier than asking users what happened to the contents of their mailboxes (especially if you’ve made a mistake with the policy and just removed half of the items from the mailbox). To force processing for a selected mailbox, we specify its name with the -Identity parameter:
Start-ManagedFolderAssistant -Identity 'Akers, Kim'
To process a group of mailboxes, we either provide a set of mailbox identifiers as input or use the Get-Mailbox cmdlet with a filter to retrieve a set of mailboxes and pipe it as input to Start-ManagedFolderAssistant. In the first example, two mailbox identifiers are provided as input. In the second, we process all the mailboxes in a database, and in the third, we use a filter to find all the mailboxes from a particular office.
"Redmond, Tony", "Akers, Kim" | Start-ManagedFolderAssistant
Get-Mailbox -Database 'VIP Data' | Start-ManagedFolderAssistant
Get-Mailbox -Filter {Office -eq 'Dublin'} | Start-ManagedFolderAssistant
The time required for the MFA to complete its run depends on the number of mailboxes and the number of items to which it has to apply retention policies. A run on a small server that hosts a few hundred mailboxes will complete in a couple of minutes unless the mailboxes hold thousands of items. On the other hand, processing 7,000 mailboxes, each of which holds an average of 20,000 items, could take several hours, especially if the server is loaded with other tasks or the policies cause a heavy I/O load because many items are permanently removed or moved from primary to archive mailboxes. You should monitor the first runs of the MFA on a server to gauge the scope of the activity and how long a “normal” run takes to complete. Equipped with this information, you’ll be able to quickly assess whether future runs are progressing as expected.
After the MFA has applied a new policy to a mailbox, the next time that the user connects to the mailbox with a client that supports retention policies, she will see that retention tags are shown on items and the retention policy options are visible. Another important point that you should understand is that if you apply a retention policy that contains a default policy tag, the MFA will stamp the default tag on every item in the mailbox. This action will force Outlook to download the complete contents of the mailbox the next time the client connects and synchronizes with Exchange. Clearly, such a massive synchronization has the potential to flood a network and keep clients fully occupied for a long time. Including a default archive tag in a policy does not have the same effect, as the MFA does not stamp every item with this tag.
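As an added example (not from the original text), the following pre-flight check reports which mailboxes in an office have a retention policy that links a default policy tag, the case that causes the full Outlook resynchronization described above, before the MFA is forced for the group. `Get-MfaPilotReport` is a hypothetical helper name, and the test used to tell a default policy tag from a default archive tag (tag type All with an action other than MoveToArchive) is an assumption to verify against your own tags.

```powershell
# Added example for the Exchange Management Shell (EMS); not from the original text.
# Get-MfaPilotReport is a hypothetical helper name.
function Get-MfaPilotReport {
    param([Parameter(Mandatory = $true)][string]$Office)

    # Escape single quotes so the office name cannot alter the filter expression.
    $filter = "Office -eq '{0}'" -f $Office.Replace("'", "''")
    $policyCache = @{}   # policy name -> $true if the policy links a default policy tag

    foreach ($mbx in Get-Mailbox -Filter $filter -ResultSize Unlimited) {
        $policyName = if ($mbx.RetentionPolicy) { "$($mbx.RetentionPolicy)" } else { $null }
        $hasDefaultTag = $false

        if ($policyName) {
            if (-not $policyCache.ContainsKey($policyName)) {
                $tags = (Get-RetentionPolicy -Identity $policyName).RetentionPolicyTagLinks |
                    ForEach-Object { Get-RetentionPolicyTag -Identity "$_" }
                # Assumption: a default policy tag is Type 'All' with an action other than
                # MoveToArchive; Type 'All' with MoveToArchive is a default archive tag.
                $policyCache[$policyName] = [bool]($tags | Where-Object {
                    $_.Type -eq 'All' -and $_.RetentionAction -ne 'MoveToArchive' })
            }
            $hasDefaultTag = $policyCache[$policyName]
        }

        # Hold flags are reported for context only; this function changes nothing.
        New-Object PSObject -Property @{
            Mailbox          = $mbx.DistinguishedName
            RetentionPolicy  = $policyName
            DefaultPolicyTag = $hasDefaultTag
            RetentionHold    = $mbx.RetentionHoldEnabled
            LitigationHold   = $mbx.LitigationHoldEnabled
        }
    }
}

$report = Get-MfaPilotReport -Office 'Dublin'
$report | Sort-Object DefaultPolicyTag |
    Format-Table Mailbox, RetentionPolicy, DefaultPolicyTag, RetentionHold, LitigationHold -AutoSize

# Preview a forced run for mailboxes whose policy has no default policy tag.
# Remove -WhatIf to start the MFA for real.
$report | Where-Object { $_.RetentionPolicy -and -not $_.DefaultPolicyTag } |
    ForEach-Object { Start-ManagedFolderAssistant -Identity $_.Mailbox -WhatIf }
```

Mailboxes flagged with DefaultPolicyTag can then be processed in smaller batches so that the resulting client synchronization is spread out.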