We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Backup

Exchange Message-Level Backup

  • Last updated on

The Exchange Message-Level backup is a secondary backup method that should be used in addition to the server/database backup that is done using the Barracuda Backup Agent. The primary use case for the Exchange Message-Level backup is to recovery deleted or lost email messages from a specific point in time. Since the Exchange Message-Level backup is a separate backup method from the BBA backup, more backup data will be added to your Barracuda Backup device. 

The Exchange Message-Level backup protects and allows for the recovery of the following:

  • Email messages in each user mailbox;
  • User mailbox folder structure; and
  • Email attachments to each email message

The Exchange Message-Level backup does not protect or allow for the recovery of the following:

  • The entire user mailbox (including metadata) that can be restored back into the Exchange database;
  • Contacts;
  • Calendars;
  • Tasks; or
  • Any other non-email message data


All of the following configuration sections for Exchange Message-Level backup take place on the Exchange Client Access Server (CAS). In some cases, like a standalone Exchange Server, the database server and CAS are the same system.

Exchange Message-Level backup is supported on Exchange 2010, 2013, and 2016.

Additionally, you must have the following configured:

  • Outlook Web Access;
  • The Primary and Secondary DNS setting on the Barracuda Backup device must the DNS servers which participate in Active Directory (AD); and
  • The service account (will be created below) must have an Exchange mailbox and SMTP address

For Exchange Message-Level backups to work properly, DNS must be set up correctly. DNS servers on the Barracuda Backup device must be DNS servers that participate in AD. The simplest way to determine which DNS servers to use is to use the IP addresses of your AD Domain Controllers.

Creating a Service Account

It is strongly recommended that you use a service-type account and not your administrator account to prevent inherited deny permissions from causing issues. This service account requires an Exchange mailbox and SMTP address and must be a member of the Domain Users group; adding the service account to any administrative groups may cause issues with access to user mailboxes.

As a best practice, use a unique account for this integration point and grant it the least level of privileges required, coordinating with the system administrator. This account requires administrative privileges to the Exchange server. For additional information, see Security for Integrating with Other Systems - Best Practices.

Use the following steps to create a service account to be used by Barracuda Backup:

These steps are performed using Microsoft Exchange Server 2013. The Exchange Admin Center in both Exchange 2013 and 2016 are almost identical. The steps for creating a service account and mailbox in Exchange 2010 are slightly different.

  1. Log into the Exchange Admin Center, click the down arrow next to the plus + symbol, and click User mailbox:
  2. In the new user mailbox window, enter the required fields to create the new mailbox to be used by Barracuda Backup:
  3. Click save.
  4. Open Active Directory Users and Computers, locate the new user created in step 2, and open Properties:
  5. Click the Member Of tab, add the new user as a member of the Domain Users group, and remove any other groups listed here (required):
  6. Click Apply, and click OK to close the Properties dialog box.

Impersonation Rights

In order for the Barracuda Backup service account to access other mailboxes within the Exchange environment, you must give the account impersonation rights. To assign impersonation rights:

  1. Open the Exchange Management Shell and run the following command, replacing ServiceAccount with the Service Account username created in the previous section:
    New-ManagementRoleAssignment -Name:BarracudaBackup -Role:ApplicationImpersonation -User: ServiceAccount
  2. (Optional) It is good practice to perform a  group policy update on the Exchange Server to replicate permissions. Run the following command either using PowerShell or at a command line:
    gpupdate /force

Create the Exchange Message-Level Data Source

You can add the Exchange Message-Level data source as a standalone data source or as an add-on to an already configured Barracuda Backup Agent data source. The steps below demonstrate how to add the data source from scratch. If the agent data source already exists, you can skip to step 6.

  1. Log into Barracuda Backup and select the associated Barracuda Backup device in the left pane or in the devices table (for customers with multiple Barracuda Backup devices).
  2. Go to the Backup > Sources page, and click Add a Computer.
  3. Complete the following information on the Add a Computer page:
    1. Computer description

    2. Computer name

  4. In the Computer type drop-down menu, select Microsoft Windows.

  5. Once the Exchange data source is configured, click Save.

  6. The Add Data Source page displays. Type in a Data Description, and from the Data Type drop-down menu, select Message-Level Backup (Exchange).
  7. In the Message-Level Backup (Exchange) section, complete the following:
    1. Exchange Version – Version of Microsoft Exchange in the environment
    2. Username Username of the service account created in the previous section
    3. Password – Password for the service account created in the previous section
    4. Windows Domain Name – Fully qualified domain name (FQDN), for example, domain.local
    5. Base DN (Optional) – LDAP Base Distinguished Name of your AD, for example, DC=domain,DC=local

      The BASE DN field is optional; enter the Base Distinguished Name only if directed to do so by Barracuda Technical Support.

  8. Click Test Exchange Connectivity to verify Barracuda Backup can connect to the Exchange Server using the entered login credentials.
  9. Finish configuring the backup schedule name, the offsite replication destination, and click Save.
  10. Once the data source is configured, the Schedules page displays. The Exchange Message-Level container should now display under the data source in the selection tree. For more information on backup scheduling, see Backup Scheduling.

Exchange Message-Level Backup for Multiple Domains

If you have multiple domains, you must create a conditional forwarder to configure Exchange Message-Level backup and protect mailboxes across all domains.

Complete the following steps for each domain configured for Exchange Message-Level backup:

  1. Log into the original DNS server configured on the Barracuda Backup appliance, and open the DNS Manager.
  2. Right-click Conditional Forwarder, and click New Conditional Forwarder:
  3. The Edit Conditional Forwarder dialog box displays; enter the DNS Domain.
  4. Click in the IP addresses of the master servers section, and enter the IP Address.
  5. Select Store this conditional forwarder in Active Directory:
  6. Click OK.
Last updated on