This article includes the following topics:
Overview
Creating a Service Account
Application Impersonation
Enabling PowerShell Remoting
Disabling EWS Throttling
Overview
Before you can run a Mailbox Level backup, there are some configuration changes you will need to make to your Exchange server. The first thing you need is a service account to run the backups with. This service account must have the necessary permissions to retrieve mail from each mailbox you intend to back up. In addition, there are some settings you may need to change on the server to ensure the backups run smoothly. This article will give you the steps to prepare your system for Mailbox Level backups.
Creating a Service Account
First, create a new user mailbox. It is important there be both a domain user account and a mailbox belonging to that user. The mailbox should not be hidden from the GAL.
Next, add that user to the appropriate groups or roles. Depending on which version of Exchange you are backing up, those may be different:
| | Exchange 2007 | Exchange 2010 | Exchange 2013 / 2016 |
|---|---|---|---|
| Group(s) / Role(s) | Organization Administrator, Application Impersonation | Organization Management, Application Impersonation | Organization Management, Discovery Management, Application Impersonation |
Application Impersonation
To grant the service account user Application Impersonation rights, use the following Exchange Management Shell commands:
For Exchange 2007...
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity ServiceAccount | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User ServiceAccount -ExtendedRights ms-Exch-EPI-May-Impersonate}
For Exchange 2010 / 2013 / 2016...
New-ManagementRoleAssignment -Name:ImpersonationAssignmentName -Role:ApplicationImpersonation -User:ServiceAccount
...where ServiceAccount is the name of the service account you will use to perform Mailbox Level backups and ImpersonationAssignmentName is the name you give the assignment (can be anything).
Enabling PowerShell Remoting
To enable PowerShell remoting, perform the following steps.
To verify if PowerShell remoting already is enabled, run the following command from an elevated PowerShell session:
Enter-PSSession -ComputerName localhost
Successfully establishing a PowerShell session displays the message below:
A failed attempt to establish a PowerShell session displays the message below:
If you are unable to successfully run the command above, use this command in an elevated PowerShell session to enable PowerShell remoting:
Enable-PSRemoting -Force
When done, the computer will be able to receive remote PowerShell commands. The next step is to allow PowerShell authentication (if Exchange is hosted on a Windows Server 2008 (non-R2) server, skip to Disabling EWS Throttling).
Open Internet Information Services (IIS) Manager, drill down to Sites > Default Web Site, and click PowerShell in the list that drops down. Then double-click Authentication in the IIS section.
Right-click Basic Authentication and select Enable.
If the Exchange server is on a Windows Server 2008 (non-R2) machine, use the following command to enable Basic Authentication:
winrm set winrm/config/service/auth '@{Basic="true"}'
Disabling EWS Throttling
This step is optional but is strongly recommended. It has been shown that EWS throttling may interfere with the Mailbox Level backups and prevent them from completing fully and successfully. Also, disabling EWS throttling may allow the backups to run more quickly. More information about client throttling can be found here. Exchange 2007 does not have configuration options for throttling policies so there is nothing to change if using Exchange 2007. To disable EWS throttling, use the following Exchange Management Shell commands:
Create a throttling policy...
New-ThrottlingPolicy <Policy>
...where <Policy> is the name you choose for the throttling policy. This can be anything you choose.
Specify the nature of the throttling policy. For Exchange 2010 use:
Set-ThrottlingPolicy <Policy> -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null -EWSMaxConcurrency $null -EWSMaxSubscriptions $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null
For Exchange 2013 and 2016 use:
Set-ThrottlingPolicy <Policy> -EWSCutoffBalance Unlimited -EWSMaxBurst Unlimited -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -EWSRechargeRate Unlimited -IsServiceAccount:$true
Apply the throttling rule.
Get-Mailbox | Set-Mailbox -ThrottlingPolicy <Policy>
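To confirm what the steps above changed, the following read-only check can be run afterwards. It is an added example, not part of the original article or of the backup product; it assumes Exchange 2010 or later, an elevated Exchange Management Shell on the Exchange server, and that the placeholder ServiceAccount matches the name of the backup account.

```powershell
# Added example: read-only audit for the Exchange Management Shell (Exchange 2010 or later).
# 'ServiceAccount' is a placeholder for the backup account's name, as in the steps above.
$ServiceAccount = 'ServiceAccount'

# 1. Every effective holder of ApplicationImpersonation and the scope it covers.
#    -Delegating $false skips assignments that only allow delegating the role.
$holders = Get-ManagementRoleAssignment -Role ApplicationImpersonation `
    -GetEffectiveUsers -Delegating $false
$holders | Format-Table Name, EffectiveUserName, RecipientWriteScope,
    CustomRecipientWriteScope -AutoSize

# Any holder other than the backup account can also act as every mailbox in scope.
$unexpected = @($holders | Where-Object { $_.EffectiveUserName -ne $ServiceAccount })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} other effective holder(s) of ApplicationImpersonation:" -f $unexpected.Count)
    $unexpected | ForEach-Object {
        Write-Warning ("  {0} (via assignment {1})" -f $_.EffectiveUserName, $_.Name)
    }
}

# 2. Basic authentication sends the password base64-encoded, so check whether it is
#    reachable without TLS on the Exchange PowerShell endpoint and on WinRM itself.
Get-PowerShellVirtualDirectory |
    Format-Table Server, Name, BasicAuthentication, RequireSSL -AutoSize

# Reading the WSMan: drive requires an elevated session.
$winrmBasic = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
$winrmPlain = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
if ($winrmBasic -eq 'true' -and $winrmPlain -eq 'true') {
    Write-Warning 'WinRM accepts Basic authentication over unencrypted HTTP.'
}

# 3. How many mailboxes carry each throttling policy.
#    An empty name means the mailbox uses the default policy.
Get-Mailbox -ResultSize Unlimited |
    Group-Object { "$($_.ThrottlingPolicy)" } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Nothing in the script changes configuration, so it can be re-run periodically to spot new impersonation holders or a change in how many mailboxes are unthrottled.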