It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Intronis Backup
formerly ECHOplatform

Preparing For Mailbox Level Backups

  • Last updated on

This article includes the following topics:

  • Overview

  • Creating a Service Account

  • Application Impersonation

  • Enabling PowerShell Remoting

  • Disabling EWS Throttling

Overview

Before you can run a Mailbox Level backup, there are some configuration changes you will need to make to your Exchange server. The first thing you need is a service account to run the backups with. This service account must have the necessary permissions to retrieve mail from each mailbox you intend to back up. In addition, there are some settings you may need to change on the server to ensure the backups run smoothly. This article will give you the steps to prepare your system for Mailbox Level backups.

Creating a Service Account


First, create a new user mailbox. It is important there be both a domain user account and a mailbox belonging to that user. The mailbox should not be hidden from the GAL.

Next, add that user to the appropriate groups or roles. Depending on which version of Exchange you are backing up, those may be different:

 

Exchange 2007

Exchange 2010

Exchange 2013 / 2016

Group(s) / Role(s) 

Organization Administrator

Application Impersonation

Organization Management

Application Impersonation

Organization Management

Discovery Management

Application Impersonation

Application Impersonation


To grant the service account user Application Impersonation rights, use the following Exchange Management Shell commands:

For Exchange 2007...

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity ServiceAccount | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User ServiceAccount -ExtendedRights ms-Exch-EPI-May-Impersonate}

For Exchange 2010 / 2013 / 2016...

New-ManagementRoleAssignment –Name:ImpersonationAssignmentName –Role:ApplicationImpersonation –User:ServiceAccount

...where ServiceAccount is the name of the service account you will use to perform Mailbox Level backups and ImpersonationAssignmentName is the name you give the assignment (can be anything).

Enabling PowerShell Remoting


  1. To enable PowerShell remoting, perform the following steps.

  1. To verify if PowerShell remoting already is enabled, run the following command from an elevated PowerShell session:
    Enter-PSSession -ComputerName localhost
    Successfully establishing a PowerShell session displays the message below:

    testpowershellremoting.png

    A failed attempt to establish a PowerShell session displays the message below:

    testpowershellremoting2.png

  2. If you are unable to successfully run the command from step (1), use this command in an elevated PowerShell session to enable PowerShell remoting:
    Enable-PSRemoting -Force
    When done, the computer will be able receive remote PowerShell commands. The next step is to allow PowerShell authentication (if Exchange is hosted on a Windows Server 2008 (non-R2) server, skip to Disabling EWS Throttling.)

  3. Open Internet Information Services (IIS) Manager and then drill down to Sites > Default Web Site and click on PowerShell from the list that drops down. Then, double-click on Authentication in the IIS section.

    2016-04-21_20h05_53.png

  4. Right-click Basic Authentication and select Enable.

    powershellremoting2.png

  5. If the Exchange server is on a Windows Server 2008 (non-R2) machine, use the following command to enable Basic Authentication:
    winrm set winrm/config/service/auth '@{Basic="true"}'

Disabling EWS Throttling


This step is optional but is strongly recommended. It has been shown that EWS throttling may interfere with the Mailbox Level backups and prevent them from completing fully and successfully. Also, disabling EWS throttling may allow the backups to run more quickly. More information about client throttling can be found here. Exchange 2007 does not have configuration options for throttling policies so there is nothing to change if using Exchange 2007. To disable EWS throttling, use the following Exchange Management Shell commands:

  1. Create a throttling policy...
    New-ThrottlingPolicy <Policy>
    ...where <Policy> is the name you choose for the throttling policy. This can be anything you choose.

  2. Specify the nature of the throttling policy. For Exchange 2010 use:
    Set-ThrottlingPolicy <Policy> -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null -EWSMaxConcurrency $null -EWSMaxSubscriptions $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null
    For Exchange 2013 and 2016 use:
    Set-ThrottlingPolicy <Policy> -EWSCutoffBalance Unlimited -EWSMaxBurst Unlimited -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -EWSRechargeRate Unlimited -IsServiceAccount:$true

  3. Apply the throttling rule.
    Get-Mailbox | Set-Mailbox -ThrottlingPolicy <Policy>