Tuesday, September 9, 2008

Journaling + Archive = Ideal Litigation Searches -- Part 1

Litigation searches have been a long-standing requirement for most IT departments. The challenge is deploying a method that satisfies the litigation team while keeping the Journaling mailbox from becoming so encumbered that it stops functioning properly.

My answer is a solution I have been deploying in the field, comprised of Exchange journaling and SherpaSoftware’s Archive Attender.

I set up Journaling at the Hub Transport level in order to catch everything that passes through. This will inherently catch more traffic than setting up Journaling at the database level, and provide the litigation team all of the raw emails they need. The only complications with this are determining the folder structure to which these messages used to belong, and the fact that the Journaling mailbox could quickly grow out of control. That runaway growth comes from either a lack of retention restrictions or, depending on the project requirements, poor planning.

That being said, I prefer to use a single Journaling mailbox on its own storage group and database in combination with Archive Attender. The reason for this is that there need not be any prior knowledge of message location, and the search speed is still relatively quick in Archive Attender. It is possible to break these out at the database level which could result in quick searches, but more personnel overhead and management. Something to consider:

We need to create a rule on the Journaling mailbox to pipe all unwanted emails (items such as backup notifications that will never have legal relevance) to some folders to be deleted prior to them being archived. This will save on storage if you have a process that continually sends generic emails or updates. The best way to do this that I know of is:

1. Create MRM policies, folders, and schedules.

a. Open the Exchange Management Console

b. Organization Configuration -> Mailbox -> Managed Custom Folders -> New Custom Folder

c. Create a folder for the items you want to delete.

d. Click the Managed Folder Mailbox Policies tab and create a new policy.

e. Go back to the Managed Custom Folders tab and expand the tree for the folder. Right-click the content settings and click Properties. Set retention to 1 day, and to delete permanently.

f. Apply the policy to the mailbox by right clicking on the Journal mailbox (under Recipient Configuration), clicking the Mailbox Settings tab, Messaging Records Management, and clicking properties. Choose the policy to apply.

g. Navigate back to Server Configuration -> Mailbox -> Right click Exchange Server and click on the Messaging Records Management tab.

h. Click customize and choose a schedule to run it. Depending on the volume of items going to this folder, you might want to run this a few times during the day.

2. We now need to create a rule in Outlook.

a. Open up Outlook for the Journaling mailbox. Create rules that, as messages arrive, move those meeting X criteria to the managed folders you created.

b. Even though it is best practice not to, we need to leave the Journaling mailbox visible in the GAL so that it is accessible by Archive Attender. We can offset this by only allowing Exchange to email it via:

Set-Mailbox journal -AcceptMessagesOnlyFrom "Microsoft Exchange" -RequireSenderAuthenticationEnabled $True

3. Now that the exceptions are done, we need to configure Archive Attender to run on the mailbox.

a. Create a policy that applies to all messages in the inbox, and archives them without a stub.

b. You will want this policy to run at least once per day if not 2-3 times.

c. You will also want to configure the policy to NOT archive the managed folder that we created by creating an exception in the folder list.

d. Under conditions choose ‘Capture all messages.’

e. The schedule is a dynamic setting that is based on your company size. This could range anywhere from every 10 minutes, to once per day. My default is to perform the task every 30 minutes to ensure that it doesn’t fall behind (if the processing power is there).

f. We will also want to ensure that the archive is searchable and that the policy is applied. Both of these can be set in the properties of the Journal user in Archive Attender.

4. We now have all mail that passes through the Hub Transport server going to the Journaling mailbox, parsed for irrelevant mail to be purged, and then pushed off to the archives leaving no stub behind. This is good for a couple of reasons.

a. It provides an easy way to search mail, whether it is through Archive Attender, or another tool from SherpaSoftware called Discovery Attender (slated to be fully integrated in their next release!).

b. It keeps the Journaling mailbox empty, and efficient!
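
The MRM setup in step 1 and the lockdown in step 2b can also be done from the Exchange Management Shell. The script below is an added example, not part of the original procedure; the folder name, policy name, server name, schedule windows, and the WhenDelivered retention trigger are assumptions, and "journal" is the mailbox name used in step 2b.

```powershell
# Added example: Exchange 2007 Management Shell version of steps 1 and 2b.
# Assumed names (not from the original post): Journal-Purge,
# Journal-Purge-Policy, EXCH01. Adjust to your environment.
$folder  = 'Journal-Purge'
$policy  = 'Journal-Purge-Policy'
$server  = 'EXCH01'
$mailbox = 'journal'

# Steps 1b-1c: managed custom folder that the Outlook rule files unwanted mail into.
New-ManagedFolder -Name $folder -FolderName $folder

# Step 1e: content settings, retention of 1 day, delete permanently.
# Assumption: age is counted from delivery (TriggerForRetention WhenDelivered).
New-ManagedContentSettings -Name "$folder-1Day" -FolderName $folder `
    -MessageClass '*' -RetentionEnabled $true `
    -RetentionAction PermanentlyDelete -AgeLimitForRetention 1 `
    -TriggerForRetention WhenDelivered

# Step 1d: mailbox policy that links the managed folder.
New-ManagedFolderMailboxPolicy -Name $policy -ManagedFolderLinks $folder

# Step 1f: apply the policy to the Journaling mailbox.
Set-Mailbox $mailbox -ManagedFolderMailboxPolicy $policy

# Steps 1g-1h: run the Managed Folder Assistant twice a day, every day.
# The 06:00 and 18:00 windows are assumed; pick times that suit your volume.
$days    = 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
$windows = foreach ($d in $days) {
    "${d}.06:00-${d}.06:30"
    "${d}.18:00-${d}.18:30"
}
Set-MailboxServer -Identity $server -ManagedFolderAssistantSchedule $windows

# Step 2b: the mailbox stays visible in the GAL, so restrict who can send to it.
Set-Mailbox $mailbox -AcceptMessagesOnlyFrom 'Microsoft Exchange' `
    -RequireSenderAuthenticationEnabled $true

# Verify: policy applied, sender restriction in place, GAL visibility as intended.
Get-Mailbox $mailbox | Format-List Name, ManagedFolderMailboxPolicy,
    AcceptMessagesOnlyFrom, RequireSenderAuthenticationEnabled,
    HiddenFromAddressListsEnabled

# Verify: the purge folder really deletes permanently after 1 day.
Get-ManagedContentSettings "$folder-1Day" |
    Format-List FolderName, RetentionEnabled, RetentionAction, AgeLimitForRetention

# Verify: the assistant schedule was accepted by the server.
Get-MailboxServer $server | Format-List Name, ManagedFolderAssistantSchedule
```

Re-run the three verification commands after any change to the Journaling mailbox; a cleared AcceptMessagesOnlyFrom value means any sender in the GAL can inject mail into the journal.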

This concludes part one. I will be writing up part two soon that will cover litigation searches in Archive Attender, and PST exports.

See here for part 2.
