Problem

How do I configure AD eDiscovery to collect from Microsoft Exchange?

 

Resolution

AccessData eDiscovery Exchange Connector Specifications

This article describes all the technical specifications required to successfully leverage the AD eDiscovery product to collect mail data from a Microsoft Exchange database.

Supported Versions

Exchange Server 2003, 2007, 2010, 2013, and 2016*.

*eDiscovery 6.2 and later.

Connection Technologies (MAPI and EWS)

AD eDiscovery can use two different technologies to collect mail data from Exchange, depending on the version of the Exchange environment.  Both technologies (MAPI and EWS) are based on APIs provided by Microsoft.  AD Messaging Application Programming Interface (MAPI) is supported on Exchange versions 2003 – 2010.  Exchange Web Services (EWS) is supported on Exchange versions 2010 SP1 and newer where EWS has been enabled.  EWS queries through the eDiscovery connector are performed as AQS.  Both require the same permissions and prerequisites as listed below.

MAPI ports - TCP 135 RPC to negotiate connection and MS ephemeral port for response.

EWS ports - TCP 80/443

Permissions

AD eDiscovery requires that a service account be given permissions to the Exchange database in order to negotiate a connection and perform the required functions to obtain the mailbox information.  Specifications for the permissions this service account requires are found below.

Exchange Server 2003 and 2007

Along with having its own mailbox and being Mail Enabled, there are two permissions that should be set on the Mailbox Store or each mailbox that is to be the target of a collection.  Below is a list of the required permissions and what they allow the eDiscovery product to do:

  • Receive As - full read access to all of the mailboxes in the Exchange database that are to be targeted for collection
  • View Information Store Status - (a) enumerate all mailboxes in the database, (b) bypass maximum concurrent connections restriction (32)

These permissions can be set at the individual mailbox level or at a group level by setting them on an Exchange Mailbox Store.  Below are some sample commands to use; DOMAIN\ServiceAccount is a placeholder for the eDiscovery service account:

(Storage-group level)

Add permissions

Get-StorageGroup | Add-ADPermission -User "DOMAIN\ServiceAccount" -ExtendedRights Receive-As,ms-Exch-Store-Visible -InheritanceType All

List permissions

Get-StorageGroup | Get-ADPermission -User "DOMAIN\ServiceAccount"

 

Exchange Server 2010 and later

The AD eDiscovery product requires the same permissions on Exchange 2010 as it does on Exchange 2007 (i.e., mailbox, Mail Enabled, View Information Store Status, and Receive As).  To set these permissions, the commands listed below must be used instead of the Exchange administration interface; DOMAIN\ServiceAccount is a placeholder for the eDiscovery service account.

(Database level)

Add permissions

Get-MailboxDatabase | Add-ADPermission -User "DOMAIN\ServiceAccount" -ExtendedRights Receive-As,ms-Exch-Store-Visible -InheritanceType All

List permissions

Get-MailboxDatabase | Get-ADPermission -User "DOMAIN\ServiceAccount" | Format-List *

As newer versions of Exchange are role-based, the specific role assigned is of little consequence.  Any role with the necessary rights will be able to read the data.
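Because Receive As on a mailbox database gives read access to every mailbox in it, it is worth confirming that the service account is the only principal holding the grant. The following audit is an added example, not AccessData's or Microsoft's own script; the account name CONTOSO\svc-ediscovery is a constructed placeholder.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010 or later).
# CONTOSO\svc-ediscovery is a constructed placeholder for the service account.
$ServiceAccount = 'CONTOSO\svc-ediscovery'
$Rights = 'Receive-As', 'ms-Exch-Store-Visible'

$report = foreach ($db in Get-MailboxDatabase) {
    foreach ($ace in ($db | Get-ADPermission)) {
        # ExtendedRights is a collection; normalise each entry to its name
        # and keep only the two rights the connector needs.
        $held = @($ace.ExtendedRights | ForEach-Object { "$_" } |
                  Where-Object { $Rights -contains $_ })
        if ($held.Count -eq 0) { continue }

        $isService = ("$($ace.User)" -eq $ServiceAccount)
        if ($ace.Deny -and $isService) { $finding = 'DENY on service account' }
        elseif ($ace.Deny)             { $finding = 'deny (other principal)' }
        elseif ($isService)            { $finding = 'expected grant' }
        else                           { $finding = 'REVIEW: grant to another principal' }

        New-Object PSObject -Property @{
            Database  = $db.Name
            User      = "$($ace.User)"
            Rights    = ($held -join ',')
            Deny      = $ace.Deny
            Inherited = $ace.IsInherited
            Finding   = $finding
        }
    }
}

# One row per access control entry that carries either right.
$report | Sort-Object Database, User |
    Format-Table Database, User, Rights, Deny, Inherited, Finding -AutoSize
```

Rows marked REVIEW are principals other than the service account that hold one of the two rights and should be justified or removed.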

 

Other Permissions and Settings

AD eDiscovery cannot collect the information from a mail store if the account has been hidden.  The mailbox must be “un-hidden” for the connector to work properly.

There may also be some mailboxes in an Exchange environment that have explicit deny permissions set.  These also prevent eDiscovery from collecting the mail information and must be removed for a successful Exchange mail collection.
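Both conditions can be checked before a collection is started. The following pre-flight report is an added example, not part of the AccessData product; it assumes "hidden" refers to the mailbox's HiddenFromAddressListsEnabled property, and the custodian addresses are constructed samples.

```powershell
# Added example: run in the Exchange Management Shell before a collection.
# Addresses are constructed samples; replace with the custodian mailboxes.
$Custodians = 'alice@contoso.example', 'bob@contoso.example'

$preflight = foreach ($id in $Custodians) {
    $mbx = Get-Mailbox -Identity $id -ErrorAction SilentlyContinue
    if (-not $mbx) {
        New-Object PSObject -Property @{
            Mailbox = $id; Hidden = $null; ExplicitDeny = 'mailbox not found'
        }
        continue
    }

    $deny = @()
    # Explicit (non-inherited) deny entries on the mailbox itself.
    $deny += @(Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object { $_.Deny -and -not $_.IsInherited } |
        ForEach-Object { "mailbox: $($_.User) [$($_.AccessRights -join ',')]" })
    # Explicit deny entries on the directory object (for example Receive-As).
    $deny += @(Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { $_.Deny -and -not $_.IsInherited } |
        ForEach-Object { "directory: $($_.User)" })

    New-Object PSObject -Property @{
        Mailbox      = "$($mbx.PrimarySmtpAddress)"
        Hidden       = $mbx.HiddenFromAddressListsEnabled   # assumption: this is the "hidden" state
        ExplicitDeny = ($deny -join '; ')
    }
}

# Any row with Hidden = True or a non-empty ExplicitDeny needs attention first.
$preflight | Format-Table Mailbox, Hidden, ExplicitDeny -AutoSize -Wrap
```

The script only reports; it changes no permissions, so each deny entry can be reviewed before anything is removed.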

 

Throttling

If Exchange has any throttling policies that could constrain the service account, Exchange could prevent eDiscovery from collecting successfully.  To prevent this, you may need to create a throttling policy that sets at least the following settings to "Unlimited", and attach the service account to that policy.

RCAMaxConcurrency
EWSMaxConcurrency
EWSMaxSubscriptions
CPAMaxConcurrency
EwsCutoffBalance
EwsMaxBurst
EwsRechargeRate

Descriptions of these settings and additional information about Exchange throttling policies can be found here.
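One way to create such a policy and scope it to the service account only, shown as an added example rather than AccessData's own procedure. It assumes Exchange 2013 or later, where the value Unlimited is accepted for all seven settings; the policy name and account name are constructed placeholders.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2013 or later).
$ServiceAccount = 'CONTOSO\svc-ediscovery'   # constructed placeholder
$PolicyName     = 'eDiscovery-Collection'    # hypothetical policy name

# The seven settings listed above, all lifted for this policy only.
$settings = @{
    RCAMaxConcurrency   = 'Unlimited'
    EWSMaxConcurrency   = 'Unlimited'
    EWSMaxSubscriptions = 'Unlimited'
    CPAMaxConcurrency   = 'Unlimited'
    EwsCutoffBalance    = 'Unlimited'
    EwsMaxBurst         = 'Unlimited'
    EwsRechargeRate     = 'Unlimited'
}

# Create the policy once; re-running the script updates it instead.
if (Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
    Set-ThrottlingPolicy -Identity $PolicyName @settings
} else {
    New-ThrottlingPolicy -Name $PolicyName @settings
}

# Attach only the service account, leaving the default policy in force
# for every other user.
Set-ThrottlingPolicyAssociation -Identity $ServiceAccount -ThrottlingPolicy $PolicyName

# Verify the association and the effective values.
Get-ThrottlingPolicyAssociation -Identity $ServiceAccount |
    Format-List Name, ThrottlingPolicyId
Get-ThrottlingPolicy -Identity $PolicyName |
    Format-List Name, RCAMaxConcurrency, EWSMaxConcurrency, EWSMaxSubscriptions,
        CPAMaxConcurrency, EwsCutoffBalance, EwsMaxBurst, EwsRechargeRate
```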

 

Outlook Requirements

Collection Manager

Each Work Manager that will be collecting data from an Exchange Mail Server requires Outlook installed and a profile opened and configured.  Be sure to open Outlook and create a profile to complete the Outlook installation and for the eDiscovery connector to make contact with the Exchange Mail Server.  When a collection is executed, the Work Manager uses MAPI or EWS to establish a connection to the Exchange database and copy mailbox data into a local PST file. 

Export Manager

The Work Manager that will be receiving jobs to export data in PST format will also require Outlook installed with a profile configured.  Opening an Outlook profile will complete the preparation for the Work Manager to perform PST reduction (reducing the number of emails as selected by the user) and compaction (reducing the logical size of the PST file on disk).  AD eDiscovery has the ability to export a reduced number of emails in a single PST based on a selection made by the reviewer.  It does not have the ability to combine emails from multiple PSTs into a single PST based on reviewer selection.

 

Outlook Versions

The following versions of Outlook are supported:

Outlook 2007 32-bit Standard & Professional
Outlook 2010 32-bit Standard & Professional
Outlook 2013 32-bit Professional Plus
Outlook 2016 (not 365) 32-bit Professional Plus

  

AD eDiscovery Configuration

Configure Mail Server for Collecting

  1. Log in to eDiscovery
  2. Click the “Data Sources” tab
  3. Click the “Exchange” sub-tab
  4. Click the "+" button on the right side of the page
    1. Select the correct version of Exchange from the “Version” drop-down menu.
      1. (If using the EWS connector, be sure to select “Exchange 2010 SP1” or “Exchange 2013”)
    2. Enter a friendly name in the “Name” field
    3. Leave locality blank
    4. Enter the address of the Exchange server (depending on the Exchange configuration, this should be the directory server or CAS for Exchange)
    5. (EWS Only) Be sure to check “Exchange Web Services Enabled?” and enter the account credentials that have the appropriate rights to Exchange.
      1. The “Exchange Server-side Mailbox Indexing Enabled?” option can be checked if this feature has been enabled in Exchange. This feature will allow for targeted or filtered collections based on metadata values.

  

MAPI

  

 

Exchange Web Services (EWS)

  

      2. If all custodians fall under the same Exchange environment, select “Associate To All Custodians”

  5. Click "OK"

 

Overview

Improper Exchange collector configuration will cause Exchange collections to fail.