Understanding Multi-Mailbox Search

Applies to: Exchange Server 2010

If your organization adheres to legal discovery requirements (related to organizational policy, compliance, or lawsuits), Exchange Server 2010 Multi-Mailbox Search can help you perform discovery searches for relevant content within Exchange mailboxes.

Multi-Mailbox Search leverages the content indexes created by Exchange Search. The Exchange Control Panel (ECP) provides an easy-to-use search interface for non-technical personnel such as legal and compliance officers, records managers, and human resources (HR) professionals. Role-based access control (RBAC) provides the Discovery Management management role group to delegate discovery tasks to non-technical personnel, without the need to provide elevated privileges that may allow a user to make any operational changes to Exchange configuration.

Contents

Uses for Multi-Mailbox Search

Based on Exchange Search

Discovery Management Role Group and Management Roles

Discovery Mailboxes

Performing a Discovery Search

Viewing Search Results

Logging of Discovery Searches

Legal Hold and Discovery

Uses for Multi-Mailbox Search

The following are some common uses of Multi-Mailbox Search:

  • Legal discovery   Complying with legal discovery requests for messaging records is increasingly becoming one of the most important tasks for organizations involved in lawsuits. Without a dedicated tool, searching messaging records within several mailboxes that may reside in different mailbox databases can be a time-consuming and resource-intensive task. Multi-Mailbox Search allows you to search a large volume of e-mail messages stored in mailboxes across one or more Exchange 2010 servers, and possibly in different locations.
  • Internal investigations   Multi-Mailbox Search can help you facilitate requests from managers or legal departments as part of internal investigations.
  • Human Resources monitoring   Multi-Mailbox Search can help you facilitate HR requests, whether it be standard e-mail monitoring requirements or a specific search.


Based on Exchange Search

Multi-Mailbox Search uses the content indexes created by Exchange Search. To provide the extensive search functionality required by Multi-Mailbox Search, new capabilities have been added to Exchange Search. With a single content indexing engine, no additional resources are used to crawl and index mailbox databases for Multi-Mailbox Search when discovery requests are received by IT departments.

To learn more about Exchange Search, see Understanding Exchange Search.

Multi-Mailbox Search also uses Advanced Query Syntax (AQS), the familiar query syntax used by Windows Search and Instant Search in Microsoft Outlook 2007 and later. Users proficient with AQS can easily construct powerful search queries to search content indexes.

For more information about AQS, see Advanced Query Syntax.

Discovery Management Role Group and Management Roles

For users to perform discovery searches, you must add them to the Discovery Management RBAC role group. This role group consists of two management roles: the Mailbox Search role, which allows a user to perform a discovery search, and the Legal Hold role, which allows a user to place a mailbox on legal hold. To learn more about the Discovery Management RBAC role group, see Discovery Management. To learn more about RBAC, see Understanding Role Based Access Control.

By default, the Discovery Management role group doesn't have any members. The permissions to perform discovery-related tasks aren't assigned to any user. Also, by default, Exchange administrators don't have the permissions to perform a discovery search. Auditing of RBAC role changes makes sure that adequate records are kept to track assignment of the Discovery Management role group. For details, see Overview of Administrator Audit Logging.

Important

If a user hasn't been added to the Discovery Management role group or isn't assigned the Mailbox Search role, the Multi-Mailbox Search user interface isn't displayed to the user in the Exchange Control Panel, and the Multi-Mailbox Search cmdlets aren't made available in the Exchange Management Shell.

For more information about adding users to the Discovery Management role group, see Add a User to the Discovery Management Role Group.

Warning

Multi-Mailbox Search is a powerful feature that allows a user with the appropriate permissions to potentially have access to all messaging records stored throughout the Exchange 2010 organization. It's important to control and monitor discovery activities, including addition of members to the Discovery Management role group or any other role group with the Mailbox Search management role, assignment of the Mailbox Search management role, and mailbox access permission to discovery mailboxes.
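One way to review the three access paths named in this warning is the read-only Exchange Management Shell script below. It is an added example, not part of the original topic or a Microsoft-supplied script, and the baseline file path is a hypothetical location.

```powershell
# Added example: snapshot who can run discovery searches or read their results,
# then report changes against a saved baseline. Read-only against Exchange.
$baselinePath = 'C:\Audit\discovery-access-baseline.csv'   # hypothetical path

# 1. Members of the Discovery Management role group (no members by default).
$members = Get-RoleGroupMember -Identity 'Discovery Management' |
    Select-Object @{n='Source';e={'RoleGroupMember'}},
                  @{n='Target';e={'Discovery Management'}},
                  @{n='Principal';e={[string]$_.Name}},
                  @{n='Detail';e={[string]$_.RecipientType}}

# 2. Every assignment of the Mailbox Search role, expanded to effective users,
#    so role groups other than Discovery Management are covered too.
$assignments = Get-ManagementRoleAssignment -Role 'Mailbox Search' -GetEffectiveUsers |
    Select-Object @{n='Source';e={'RoleAssignment'}},
                  @{n='Target';e={[string]$_.RoleAssigneeName}},
                  @{n='Principal';e={[string]$_.EffectiveUserName}},
                  @{n='Detail';e={[string]$_.AssignmentMethod}}

# 3. Explicit (non-inherited, non-deny) permissions on each discovery mailbox.
#    Mailboxes are collected first so no second cmdlet runs inside an open pipeline.
$discoveryMailboxes = @(Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited)
$mailboxAccess = foreach ($mbx in $discoveryMailboxes) {
    $name = $mbx.DisplayName
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       ([string]$_.User -ne 'NT AUTHORITY\SELF') } |
        Select-Object @{n='Source';e={'MailboxPermission'}},
                      @{n='Target';e={$name}},
                      @{n='Principal';e={[string]$_.User}},
                      @{n='Detail';e={$_.AccessRights -join ','}}
}

$current = @($members) + @($assignments) + @($mailboxAccess)
$current | Sort-Object Source, Target, Principal | Format-Table -AutoSize | Out-Host

if (Test-Path $baselinePath) {
    # Anything ADDED since the baseline should map to an approved change.
    Compare-Object (Import-Csv $baselinePath) $current -Property Source, Target, Principal, Detail |
        Select-Object @{n='Change';e={ if ($_.SideIndicator -eq '=>') {'ADDED'} else {'REMOVED'} }},
                      Source, Target, Principal, Detail
} else {
    # First run: record the reviewed state as the baseline.
    $current | Export-Csv $baselinePath -NoTypeInformation
}
```

Store the baseline where discovery managers cannot modify it, and replace it only after each reported change has been reviewed.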


Discovery Mailboxes

When performing a discovery search, you must specify a target mailbox in which to store the search results. A discovery mailbox is a special type of Exchange 2010 mailbox that provides the following functionality:

  • Easier and secure target mailbox selection   When you use the ECP to create a discovery search, only discovery mailboxes are made available as a repository in which to store search results. You don't need to sort through a potentially long list of mailboxes available in the organization. This also eliminates the possibility of a discovery manager accidentally selecting another user's mailbox or an unsecured mailbox in which to store potentially sensitive message content.
  • Large mailbox storage quota   The target mailbox should be able to store a large number of messages that may be returned by a discovery search. By default, discovery mailboxes have a mailbox storage quota of 50 gigabytes (GB). You can modify the quota to suit your requirements.
  • Secure by default   Like all mailbox types, a discovery mailbox has an associated Active Directory user account. However, this account is disabled by default. Only users explicitly authorized to access a discovery mailbox have access to it. Members of the Discovery Management role group are assigned Full Access permissions to the default discovery mailbox. Any additional discovery mailboxes you create don't have mailbox access permissions assigned to any user.
  • E-mail delivery disabled   Although visible in Exchange Server address lists, users can't send e-mail to a discovery mailbox. E-mail delivery to discovery mailboxes is prohibited by using delivery restrictions. This preserves the integrity of search results.

Exchange 2010 Setup creates one discovery mailbox with the display name Discovery Search Mailbox. You can use the Shell to create additional discovery mailboxes. By default, the additional discovery mailboxes you create won't have any mailbox access permissions assigned. For details about how to create a discovery mailbox, see Create a Discovery Mailbox.

Multi-Mailbox Search also uses a system mailbox with the display name SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} to hold Multi-Mailbox Search metadata. System mailboxes aren't visible in the Exchange Management Console (EMC) or in Exchange address lists. Before removing a mailbox database where the Multi-Mailbox Search system mailbox is located, you must move the mailbox to another mailbox database.


Performing a Discovery Search

Users who have been added to the Discovery Management role group can perform discovery searches. To learn more about the Discovery Management role group, see Discovery Management Role Group and Management Roles earlier in this topic.

You can perform a discovery search using the Web-based interface in the ECP, as shown in the following figure. This makes it easier for non-technical users such as records managers, compliance officers, or legal and HR professionals to use Multi-Mailbox Search. You can also use the Shell to perform discovery searches.

Figure: Discovery search interface (performing a mailbox search)

When performing a search, a search object is created in Exchange 2010. This object can be manipulated to start, stop, modify, and remove the search. Items returned by a discovery search are copied to the discovery mailbox selected as the target mailbox for the search. Multiple searches can run concurrently.

Note

Multi-Mailbox Search is an Exchange 2010 feature. Only mailboxes located on Exchange 2010 servers can be searched using Multi-Mailbox Search.
Multi-Mailbox Search doesn't search messages in .pst files. To decrease management and legal discovery costs, we recommend provisioning archive mailboxes for users. To learn more about archive mailboxes, see Understanding Personal Archives.

The following applies to performing a discovery search:

  • Keywords   You can specify keywords and phrases to search message content. You can also use the logical operators AND, OR, and NOT. To search for an exact match of a multiple word phrase, you must enclose the phrase in quotation marks. For example, searching for the phrase "plan and competition" returns messages that contain an exact match of the phrase, whereas specifying plan and competition returns messages that contain the words plan and competition anywhere in the message. You can also use AQS. For details, see Advanced Query Syntax. For more information about advanced keyword searches, see Advanced Keyword Searches.

    Note

    Multi-Mailbox Search doesn't support regular expressions.

  • Senders and recipients   To narrow a search, you can specify the senders or recipients of messages. You can use e-mail addresses, display names, or the name of a domain to search for items sent to or from everyone in the domain. For example, to find e-mail sent by anyone to Contoso, Ltd, specify @contoso.com in the From field in ECP. You can also specify @contoso.com in the Senders parameter in the Shell.

  • Date range   By default, Multi-Mailbox Search doesn't limit searches by a date range. To search for messages sent during a specific date range, you can narrow the search by specifying the start and end date. If you don't specify an end date, the search will return the latest results every time you restart it.

  • Mailboxes   Multi-Mailbox Search can search all mailboxes located on Exchange 2010 Mailbox servers in the Exchange organization, or you can specify the mailboxes to be searched. You can also specify a distribution group to include mailbox users who are members of the group.

  • Personal archive   By default, if the personal archive is enabled for a mailbox user, Multi-Mailbox Search also searches the archive mailbox. There's no option in ECP to override this. To exclude archive mailboxes, you must use the Shell to create or modify the search.

  • Message types   By default, only e-mail messages are searched. However, you can also include the following message types to search: contacts, documents, instant messaging conversations, journal, meetings, and notes.

  • Attachments   Multi-Mailbox Search searches attachments supported by Exchange Search. Support for additional file types can be added by installing search filters (also known as an iFilter) for the file type on Mailbox servers.

  • Unsearchable items   Unsearchable items are mailbox items that can't be indexed by Exchange Search. Reasons include lack of an installed search filter for an attached file, a filter error, and encrypted messages. When creating a discovery search, you can include unsearchable items in search results.

  • Safe list   Certain file types don't contain content that can be indexed and, as a result, aren't indexed by Exchange Search. These file types are added to a safe list by creating a null filter value in the registry. Exchange Setup creates a null filter registry value for several file types. Mailbox items containing these file types aren't returned in the list of failed items. For a list of default search filters and default null filter entries, see Default Filters for Exchange Search.

  • Encrypted items   Because messages encrypted using S/MIME aren't indexed by Exchange Search, Multi-Mailbox Search doesn't search these messages. If you select the option to include failed items in search results, these S/MIME-encrypted messages are returned as failed items.

  • IRM-protected items   Messages protected using Information Rights Management (IRM) are indexed by Exchange Search and therefore included in discovery search results. Messages must be protected by using an Active Directory Rights Management Services (AD RMS) server in the same Active Directory forest as the Exchange 2010 Mailbox server. For more information about IRM, see Information Rights Management.

    Important

    When Exchange Search fails to index an IRM-protected message, either due to a decryption failure or because IRM is disabled, the protected message isn't added to the list of failed items. If you select the option to include failed items in search results, the results may not include protected messages that couldn't be decrypted.
    To include IRM-protected messages in a search, you can create another discovery search to return messages with .rpmsg attachments. You can use the query string attachment:rpmsg to search all protected messages. This second search returns all IRM-protected messages from the mailboxes searched, whether indexed or not. Because the first search returns messages that match the search criteria, including protected messages that were indexed successfully, but not protected messages that couldn't be indexed, running the second search may duplicate some results: it also includes the protected messages that were successfully indexed and returned by the first search. Additionally, the protected messages returned by the second search may not match the search criteria, such as keywords, used for the first search.

For details about how to perform a discovery search, see Create a Discovery Search.
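The search criteria above, and the second search for IRM-protected items, look like this in the Shell. This is an added example, not taken from the original topic; the distribution group name, date range and second search name are constructed, and the search name, keyword phrase and sender domain reuse this topic's own examples.

```powershell
# Added example: a keyword search plus the follow-up sweep for IRM-protected items.
# Run in the Exchange Management Shell as a member of Discovery Management.
$target  = 'Discovery Search Mailbox'      # default discovery mailbox created by Setup
$sources = 'DG-ProjectContoso'             # constructed distribution group name
$start   = [datetime]'2009-01-01'          # constructed date range
$end     = [datetime]'2009-12-31'

# Search 1: exact phrase, limited by sender domain and date range. Unsearchable
# items are included, so S/MIME-encrypted messages come back as failed items.
New-MailboxSearch -Name 'Discovery-ProjectContoso' `
    -SourceMailboxes $sources `
    -TargetMailbox $target `
    -SearchQuery '"plan and competition"' `
    -Senders '@contoso.com' `
    -StartDate $start -EndDate $end `
    -IncludeUnsearchableItems

# Search 2: every IRM-protected message in the same mailboxes, indexed or not.
# IRM-protected messages that failed indexing are not listed as failed items by
# search 1, so this sweep is what picks them up. Expect overlap with search 1,
# and expect items here that do not match the keywords.
New-MailboxSearch -Name 'Discovery-ProjectContoso-IRM' `
    -SourceMailboxes $sources `
    -TargetMailbox $target `
    -SearchQuery 'attachment:rpmsg' `
    -StartDate $start -EndDate $end

# Review both search objects.
Get-MailboxSearch -Identity 'Discovery-ProjectContoso'     | Format-List
Get-MailboxSearch -Identity 'Discovery-ProjectContoso-IRM' | Format-List
```

Add the DoNotIncludeArchive switch to either command to leave personal archives out of the search, which the ECP cannot do.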


Viewing Search Results

Search results are copied to the discovery mailbox selected as the target mailbox for the search. If you use a target mailbox other than the default Discovery Search Mailbox, you must assign mailbox access permissions to authorized users so they can access that discovery mailbox. Authorized users can access the mailbox using Outlook Web App or Outlook.

To find out how to assign Full Access mailbox permissions to a user, see Manage Full Access Permissions.

A new folder with the same name as the search is created in the target mailbox. To store messages returned from that mailbox, a subfolder is created for each mailbox searched. The folder name consists of the mailbox user's display name along with the date and time when the search was created. Messages are copied to a folder that has the same name as their location in the searched mailbox. For example, if the search name is Discovery-ProjectContoso, and a message located in the Inbox folder in Paul Shen's primary mailbox is returned, the folder hierarchy created in the discovery mailbox would be Discovery-ProjectContoso -> Paul Shen-9/4/2009 3:57:10 PM -> Primary Mailbox > Inbox. Any message flags, including read/unread status and follow-up flags, are maintained.


Logging of Discovery Searches

There are two types of logging available for discovery searches:

  • Basic logging   Basic logging is enabled by default for all mailbox searches. It includes information about the search and who performed it. Information captured about basic logging appears in the body of the e-mail message sent to the mailbox where the search results are stored. This message is located in the folder created to store search results.
  • Full logging   Full logging includes information about all messages returned by the search. This information is provided in a comma-separated value (.csv) file attached to the e-mail message that contains basic logging information. The name of the search is used for the .csv file name. This information may be required for compliance or record-keeping purposes. To enable full logging, you must select Enable full logging in the EMC or specify the logging level using the LoggingLevel parameter in the Shell.

Note

When using the Shell to create or modify a search, you can also disable logging.

For details, see Multi-Mailbox Search Logging.


Legal Hold and Discovery

As part of discovery requests, you may be required to preserve mailbox content until such time that a lawsuit is disposed. To preserve mailbox content, messages deleted or altered by the mailbox user must also be preserved. In Exchange 2010, this is accomplished by using the Recoverable Items folder.

When a mailbox is placed on legal hold, messages and other mailbox items deleted by the user, and all instances of changes made to mailbox items, are preserved in the Recoverable Items folder. Deleted items older than the deleted item recovery period configured for the mailbox database or the mailbox user are hidden from the user, but are still retained in the Recoverable Items folder. This allows such items, and all instances of changes made to mailbox items, to be returned in a discovery search.

To learn more about legal hold, see Understanding Legal Hold. For details about how to place a mailbox on legal hold, see Place a Mailbox on Legal Hold.

To learn more about recoverable items, see Understanding Recoverable Items.
