Discovery mailboxes are used as the repository for the metadata that
drives eDiscovery searches and the output the searches generate from
user mailboxes. If not present, two discovery mailboxes are created by the Exchange
installation procedure. The first is the discovery metadata mailbox
that holds information about completed and pending searches. You cannot
perform eDiscovery searches unless this mailbox is online and
available. It has a fixed name of
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}. This mailbox is
created as an arbitration mailbox, and you can locate it with:
Get-Mailbox -Arbitration
The second type of arbitration mailbox is a discovery search mailbox, which
stores the items copied as a result of eDiscovery searches for later
access and review by users who have been granted permission to open the
mailbox. A single discovery search mailbox is created by the
installation procedure and should be accessible by users who are
members of the Discovery Management role group. As such, these users
should be able to open the default Discovery Mailbox and peruse its
contents. If you create additional discovery mailboxes, you must assign
Full Access to the accounts that will use these mailboxes for mailbox
searches so that those accounts can open the mailboxes.
As explained below, you can create other discovery mailboxes as required. To stop users
from attempting to send them email, new discovery mailboxes are
automatically hidden so that they don’t appear in address lists. If
someone attempts to send a message to a discovery mailbox by using its
SMTP address, Exchange will reject the message and return an NDR to
inform the user that “delivery to this address is restricted”.
You can locate all the discovery mailboxes that exist in the organization
with EMS by using the following command. Knowing which database the
mailboxes are in is important because they will have to process many
transactions if items are copied following an eDiscovery search.
Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Format-Table Name, Database
The Exchange installation procedure creates the default arbitration
mailboxes in the Users OU of the root domain. For this reason, unless
you are logged on to the root domain, you might have to establish the
correct Active Directory scope to find these mailboxes.
Creating additional discovery mailboxes
Exchange creates the default discovery mailbox in the mailbox
database of the first Exchange Mailbox server you deploy. This is an
acceptable configuration for small deployments but might prove
problematic for larger organizations, where the sheer volume of data
uncovered by an eDiscovery search could be very large in terms of the
number of items and the size of the storage required.
Storing the results of eDiscovery searches should not be an issue because the
default quota assigned to the discovery mailbox is 50 GB. However,
remember that the Mailbox server that holds the database containing the
discovery mailbox has to do a lot of work to copy items a search
unearths. For example, if a search locates 10,000 items that occupy 6
GB, the server has to be able to accept the workload to copy and store
these items. The workload is composed of the CPU consumed during the
search, the storage for the discovered items, and the transaction logs
generated as the discovered items are created in the discovery mailbox.
A search might be performed several times before the final information
is captured, and each time, the server will be stressed, so think about
the following:
- The number of discovery mailboxes that are created and available within the
  organization. One will suffice for small organizations, but perhaps it
  is better to create a number of discovery mailboxes on different
  servers for use by the teams that perform searches.
- The location of the discovery mailboxes. The ideal situation is that the
  mailboxes being searched, the users who perform the search, and the
  database hosting the target discovery mailbox should be on the same
  site; this eliminates any need for extended network connections to
  search, store, and review information. In any case, you need to
  consider whether the server hosting the database that contains the
  discovery mailbox has sufficient capacity to handle the load generated
  by searches.
Users in the Discovery Management role group can perform searches. Part of creating a new search request is the selection of the discovery
mailbox that holds the result of the search. The need to hold
potentially huge amounts of data uncovered by searches is why discovery
mailboxes are assigned a 50-GB storage quota. When data are captured by
a search, users have to be granted Full Access to the discovery mailbox
if they want to open the mailbox and access the search results.
You can create additional discovery mailboxes by using the New-Mailbox cmdlet with the Discovery switch. For example:
New-Mailbox 'Legal Action Discovery Mailbox' -UserPrincipalName '[email protected]' -Discovery
Tip
After you create a new discovery mailbox, make sure that you assign Full
Access permission to the mailbox to the groups that need to access the
search results it stores. By default, the default discovery mailbox can
be opened by the Administrator account, but permission to access this
mailbox also needs to be granted to anyone who needs to access it.
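The following EMS script is an added example, not part of the original text. It grants Full Access on the new discovery mailbox to a reviewing group and then reports every explicit Full Access grant on every discovery mailbox, so that you can check who is able to read search results. The group name 'Legal Discovery Reviewers' is a hypothetical placeholder.

```powershell
# Added example: run in the Exchange Management Shell (EMS).
# 'Legal Discovery Reviewers' is a hypothetical security group; substitute your own.

# The default discovery mailboxes live in the root domain, so widen the
# Active Directory scope to the whole forest before searching for them.
Set-ADServerSettings -ViewEntireForest $true

$mailboxName = 'Legal Action Discovery Mailbox'
$reviewers   = 'Legal Discovery Reviewers'   # hypothetical group

# Grant Full Access to the group that reviews the search results.
Add-MailboxPermission -Identity $mailboxName -User $reviewers `
    -AccessRights FullAccess -InheritanceType All

# Audit: collect explicit (non-inherited, non-deny) Full Access grants
# on every discovery mailbox in the organization.
$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            ($_.AccessRights -match 'FullAccess') -and
            (-not $_.IsInherited) -and
            (-not $_.Deny) -and
            ($_.User -notlike 'NT AUTHORITY\SELF')
        } |
        Select-Object @{ Name = 'Mailbox';  Expression = { $mbx.Name } },
                      @{ Name = 'Database'; Expression = { $mbx.Database } },
                      @{ Name = 'Trustee';  Expression = { $_.User } }
}

# Who can read search results, per discovery mailbox.
$report | Sort-Object Mailbox, Trustee | Format-Table -AutoSize

# Who can run searches: compare this list against the trustees above.
Get-RoleGroupMember -Identity 'Discovery Management' |
    Format-Table Name, RecipientType -AutoSize
```

Any trustee in the first table that you do not recognize as a search reviewer is a candidate for Remove-MailboxPermission.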
If you attempt to delete a mailbox database that holds discovery
mailboxes, Exchange reports an error, and you will need to move these
mailboxes before you can delete the database. Although EAC does not
display discovery search mailboxes in its mailbox list, it does in the
dialog box in which you select mailboxes to include in a migration
batch, so you can use EAC to move any discovery search mailboxes that
exist in a database. However, EAC does not allow you to include the
discovery arbitration mailbox in a migration batch, so if you need to
move it to another database, you have to do this through EMS. For
instance, this command moves the discovery arbitration mailbox to the
DB1 database:
New-MoveRequest -Identity 'SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}' -TargetDatabase 'DB1'