Tuesday, October 21, 2014

Recover Deleted Mailbox in Office 365

Recovering deleted mailboxes is not new for us as Exchange admins, but it becomes quite tedious when we are managing an Exchange Hybrid environment with federated identity.



Recovering a mailbox in a traditional on-premises environment or a fully hosted Exchange Online environment is straightforward and takes a few easy steps. Refer to the articles below for the details.

Exchange On premises : Connect or restore a deleted mailbox

Exchange Online : Delete or Restore User Mailboxes in Exchange Online

This blog post covers a few important and complex mailbox recovery scenarios with Office 365, beginning with recovering a deleted cloud mailbox in an Exchange Hybrid deployment with federated identity.

An Exchange hybrid deployment with federated identity involves both ADFS and directory synchronization. In this setup the associated on-premises AD account is a key component; unlike the scenarios above, if this object is deleted it is impossible for us to set things back as they were. We can still recover the mailbox contents alone in the cloud even though the on-premises AD account is deleted, because the associated Office 365 account remains in deleted users for 30 days and the mailbox is available in soft deleted mailboxes for the next 30 days. Even if the object in Office 365 is deleted after the 30-day retention, we still have possible ways to recover the mailbox to a new cloud only mailbox from Removed mailboxes, which I will explain in the later part of this article.

To clarify the above statement, let's have a quick discussion on this topic. In a DirSync environment objects are synchronized from on premises to the cloud, and the source of authority for managing the objects is on premises. When we enable federated identity, identity management is moved on premises via ADFS, which provides a true SSO experience for users accessing Office 365.

On the technical side, every AD object is unique by its Object GUID, which we call the Source Anchor. The same value is synchronized to the cloud and set as the Immutable ID of the associated MSOL object in Office 365; this is the binding parameter that ensures the two identities are tied to each other to achieve true SSO.

When you use DirSync, objects are synchronized from on premises to Azure and changes made to these objects are synchronized periodically. The default interval is 3 hrs., but you can customize this to your needs and also force DirSync on demand. With this in mind, when an object is removed on premises it is also removed in Azure, and if we want to restore the deleted object and set things back as before, we need to restore the deleted object from the on-premises AD only, perform some tweaks on the recovered object, and sync it back to Azure.

Example of a DirSync object in Admin portal


More information on the above point, with the workaround that is the key to this article, is in this Microsoft knowledge base article.

Review here: How to troubleshoot deleted user accounts in Office 365

Refer to the section "Resolution 3: Recover a user account that was deleted because the on-premises user object was deleted from the on-premises Active Directory schema".

Following the steps outlined is a straightforward process: we can recover the deleted object from the AD Recycle Bin if we have a Windows Server 2008 R2 or later functional level, and if we don't have AD Recycle Bin or the functional level is below the required criteria, we can use the AdRestore tool to recover the deleted AD object from the tombstone. Authoritative restore is also an option, but it is not recommended.

In addition to the above methods, there is one more reliable method of recovering the object from the tombstone using LDP.exe. As I don't have AD Recycle Bin available in my environment, I am using this method to recover the object; it is not shown in the knowledge base article.

Instructions for using LDP.exe and performing the recovery are already covered excellently in the article below:

Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE) 



In addition to the above recovery steps, there is one important note to consider: when you expand the Deleted Objects container it will list only a limited number of objects, based on the MaxPageSize setting in the environment. To overcome this, perform a search in the tool using the filter below and then follow the recovery process.

During the search use the filter “(samAccountName=?)”, where ? refers to the deleted account's sAMAccountName, which will normally be the alias of the account.



Search options are explained in detail here: http://support2.microsoft.com/kb/284928/en-us


As stated in the knowledge base article, once the object is recovered from the tombstone it is made available as a stripped object without any of the vital attributes set. Most importantly, it is recovered with the same Object GUID as before, which is what we need to rebind this object to the MSOL object.

Once the object is recovered we need to re-add the User Principal Name and the necessary attributes to the AD account, re-enable it for Exchange as before, and then run DirSync. Once this is done the recovered object syncs with the cloud object in the deleted users list, which is then enabled and moved to Active users with the mailbox intact as before.


*One more important tweak is to set the on-premises Remote Mailbox object's Exchange GUID to match the Exchange Online mailbox GUID. This makes hybrid mailbox moves possible, as it is mandatory for the accounts to be in sync when we move mailboxes from the cloud to on premises.
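The rebinding steps above (re-adding the attributes, re-enabling the remote mailbox, checking the Object GUID against the Immutable ID, and aligning the Exchange GUID) as an added PowerShell example; this is not code from the original post. It assumes a constructed user jdoe in contoso.com / contoso.onmicrosoft.com, a local Exchange Management Shell with the ActiveDirectory and MSOnline modules, and an Exchange Online remote session imported with -Prefix Cloud.

```powershell
# Added example, not code from the original post: rebind a tombstone-recovered AD user
# to its MSOL object and align the remote mailbox ExchangeGuid with Exchange Online.
# Assumptions (all constructed): alias jdoe, domain contoso.com, tenant contoso, a local
# Exchange Management Shell, the MSOnline module, and an Exchange Online remote session
# imported with -Prefix Cloud (so its Get-Mailbox is available as Get-CloudMailbox).
Import-Module ActiveDirectory
Import-Module MSOnline

$alias   = 'jdoe'
$upn     = "$alias@contoso.com"                    # federated UPN
$routing = "$alias@contoso.mail.onmicrosoft.com"   # hybrid remote routing address

# 1. Re-add the attributes that tombstone reanimation stripped from the object.
$adUser = Get-ADUser -Identity $alias -Properties ObjectGUID
Set-ADUser -Identity $adUser -UserPrincipalName $upn -GivenName 'John' -Surname 'Doe' `
           -DisplayName 'John Doe' -Enabled $true

# 2. Re-enable the object for Exchange as a remote (cloud) mailbox.
Enable-RemoteMailbox -Identity $alias -RemoteRoutingAddress $routing

# 3. Verify the Object GUID still equals the ImmutableId of the MSOL user sitting in
#    deleted users. Azure AD stores the Source Anchor as the base64 form of the GUID bytes,
#    so a mismatch here means DirSync will not rebind the object to the existing mailbox.
Connect-MsolService
$sourceAnchor = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
$msolUser = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $upn
if ($msolUser.ImmutableId -ne $sourceAnchor) {
    throw "ImmutableId mismatch: AD $sourceAnchor vs MSOL $($msolUser.ImmutableId)"
}

# 4. Set the on-premises remote mailbox ExchangeGuid to the Exchange Online mailbox GUID
#    so later hybrid moves from the cloud to on premises succeed.
$cloudMailbox = Get-CloudMailbox -SoftDeletedMailbox -Identity $upn
Set-RemoteMailbox -Identity $alias -ExchangeGuid $cloudMailbox.ExchangeGuid

# 5. Force a DirSync run instead of waiting for the 3-hour schedule (DirSync's own module).
Import-Module DirSync
Start-OnlineCoexistenceSync
```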

Detailed behavior is explained in this community post: Exchange Hybrid Deployment – Moving Cloud-Based Mailboxes to the On-Premises Organization

Once everything is set, we can access the mailbox as before with our on-premises credentials and experience true SSO.

This completes the recovery process for our scenario.

*As stated earlier in this post, it is still possible to recover the mailbox without restoring the AD object on premises. This recovers the mailbox contents only and will not bring the original setup back as the formal process above does, but it is still a good solution if we just want the contents of the deleted mailbox.

Recovering soft deleted Mailbox directly in cloud

Navigate to the Exchange Admin Center, click on (…) and select Deleted mailboxes; this lists the soft deleted mailboxes with their deletion date.

Now click on the mailbox you want to restore and select the Restore button. You will be prompted to enter the details: fill in the Display Name, choose the logon name suffix "@tenantname.onmicrosoft.com", update the password and finish the recovery process.


Once this is done the mailbox is recovered in the cloud; you can access it by granting yourself Full Access and export the mailbox contents to a PST.

You can also recover the mailbox from soft deleted mailboxes using the Undo-SoftDeletedMailbox cmdlet and then follow the PST process.


We can follow the above process as long as the mailbox is available under soft deleted mailboxes, which is 30 days from the date of deletion.

*If you enabled Litigation Hold or In-Place Hold on the mailbox before deletion, the contents are preserved, as the mailbox is moved to Inactive Mailboxes.

Review here: Manage inactive mailboxes in Exchange Online

Recovery Method with a New AD object

*We still have the option to recover the mailbox after the 30-day retention period from Removed mailboxes. This happens once the MSOL object is deleted and the associated mailbox is moved from soft deleted mailboxes to hard deleted mailboxes (Removed / Orphan Mailboxes).

We can check for this mailbox using the Get-RemovedMailbox cmdlet in Exchange Online, make a note of the GUID, and reconnect it to a new cloud only account as shown in the blog post below to recover the contents.

Review here: Recovering a deleted mailbox in Microsoft Office 365


Once the AD object on premises is deleted, you can permanently delete the corresponding MSOL object in Office 365 with the -RemoveFromRecycleBin switch. Once this is done the mailbox is hard deleted and moved to Removed mailboxes, and you can then follow the above process to bring it back to life with a new cloud only account as a first step.




*Once the mailbox is mapped to the new cloud only account, it behaves like a mailbox provisioned fully in the cloud and will not contain an ImmutableID, which is the key to our recovery.

*Add the necessary SMTP address of your federated domain and make it primary if it is not set correctly.

*Next, we create a new AD object and set it up as before with the necessary attributes and primary SMTP address (we can create a Remote Mailbox object on premises). Now we can force DirSync or wait for the scheduled DirSync run. We are then ready to use the SMTP matching feature (soft match) to bind the on-premises AD object to the MSOL object, which sets the new AD object's Object GUID as the Immutable ID in MSOL; the mailbox is then functional as before with SSO.



Review the SMTP Matching knowledge base here: http://support2.microsoft.com/kb/2641663

*If you get NDRs for old emails, use the knowledge base article below to reconstruct the X500 address and add it to the account on premises; it will DirSync to the cloud and make things work as before.

Review here: http://support2.microsoft.com/kb/2807779/en-us

This completes this recovery method.

Note:

This method is also reliable, but it is not recommended by Microsoft. Also, unfortunately, it is not working in my Hybrid deployment with DirSync: the mailbox gets moved to soft deleted mailboxes instead of Removed mailboxes even though I forcefully remove the MSOL object from Office 365.

The Microsoft team experienced the same behavior and found that this works well for a fully hosted scenario but not for a Hybrid deployment with DirSync. I am still awaiting a possible solution and will update here soon.

Update: 

After working with the Microsoft team we identified a workaround. This could possibly be a sync issue between MSODS and Exchange Online that does not move the mailbox from soft deleted mailboxes to hard deleted (Removed Mailboxes) once the MSOL object is removed.

To fix this we recovered the mailbox available under soft deleted mailboxes using the Undo-SoftDeletedMailbox cmdlet, which recovered the mailbox with a note to assign a license before the grace period expires; if no license is assigned by then, the mailbox is removed.

We waited for the grace period to expire, and then the mailbox was successfully moved to the hard deleted mailboxes and became available under Removed Mailboxes.

Once this is done we are all set to follow the instructions provided above under "Recovery Method with a New AD object" for a successful recovery.

Finally,

You can additionally prevent accidental deletions in Azure when using DirSync by following the instructions in the blog post below.

DirSync: How To Avoid Syncing Accidental Deletes To The Cloud Directory

I believe this post will be quite useful for readers recovering mailboxes in a Hybrid environment with federated identity, and for other possible mailbox recovery scenarios with Office 365.

Update:

The Microsoft team is making significant changes to mailbox recovery in Office 365: the method of recovering a mailbox via the hard delete option is being discontinued, since it impacts access to other Office 365 services, and a new supported method to be followed henceforth is described in the EHLO blog post below.

Background:

Why Is This a Benefit?

Previously, if you could not recover both the user and the mailbox, you would have to perform an unsupported process of hard-deleting a mailbox. This process was unreliable and sometimes caused a ripple effect on other services such as SharePoint and Lync. If the process failed, you were left with very limited options, and ultimately had to call support.


Below are the recovery steps stated in the article:

What Do I Need To Do To Take Advantage of This New Option?

All you need to do is create a new user with a mailbox and merge the data. The way you create the user with a new mailbox will depend on if you use DirSync or the Microsoft Online Portal to create users.

1. Create the user and Mailbox.

Using DirSync:

Create the user and remote mailbox from the on-premises Exchange management tools.
Force a directory synchronization.


Not Using DirSync:

Log into http://portal.office.com.

Create and license the user.

2. Run the cmdlet to merge the accounts. This is done from PowerShell connected to Exchange Online.

A) Connect PowerShell to Exchange Online. To do this, see http://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx

B) Run the following Command and retrieve the GUID for the soft-deleted mailbox that you want to restore: Get-Mailbox -SoftDeletedMailbox

C) Run a cmdlet similar to the following to restore the mailbox: New-MailboxRestoreRequest -SourceMailbox <GUID from Step 2B> -TargetMailbox <GUID from Step 1>

NOTE 1:  If the mailbox source and/or target is an archive, use the following switches (-SourceIsArchive and/or -TargetIsArchive)

NOTE 2: The value in Step 2C calls for the account GUIDs, but they can take other values such as an SMTP address or a UPN. The reason we recommend using GUIDs is to reduce the chances that there will be any confusion or conflict between the source and destination.
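The merge procedure in steps 2B and 2C, as an added PowerShell example that is not code from the EHLO article or the original post. It assumes an Exchange Online remote PowerShell session is already imported, and the constructed display name and UPN below; it goes slightly beyond the article by resolving both sides to GUIDs, refusing a source/target collision, and polling the restore request until it finishes.

```powershell
# Added example (not from the EHLO article or the original post): merge a soft-deleted
# mailbox into a newly provisioned mailbox with New-MailboxRestoreRequest, using GUIDs
# for both sides and monitoring the request. Assumes an imported Exchange Online session.
$deletedDisplayName = 'John Doe'          # display name of the soft-deleted mailbox (constructed)
$targetUpn          = 'jdoe@contoso.com'  # the new, licensed mailbox from step 1 (constructed)

# Step 2B: locate the soft-deleted source by display name and take its GUID.
$source = Get-Mailbox -SoftDeletedMailbox | Where-Object { $_.DisplayName -eq $deletedDisplayName }
if (@($source).Count -ne 1) {
    throw "Expected exactly one soft-deleted mailbox named '$deletedDisplayName', found $(@($source).Count)."
}
$target = Get-Mailbox -Identity $targetUpn

# Comparing GUIDs (rather than aliases or SMTP addresses) avoids the confusion NOTE 2 warns
# about; a collision here would mean restoring a mailbox onto itself.
if ($source.ExchangeGuid -eq $target.ExchangeGuid) {
    throw 'Source and target resolve to the same mailbox GUID.'
}

# Step 2C: merge the content. Add -SourceIsArchive / -TargetIsArchive for archives (NOTE 1),
# and -AllowLegacyDNMismatch if the request fails on a LegacyExchangeDN mismatch.
$request = New-MailboxRestoreRequest -SourceMailbox $source.ExchangeGuid.ToString() `
                                     -TargetMailbox $target.ExchangeGuid.ToString() `
                                     -Name "Restore-$($target.Alias)"

# Poll until the request leaves the queued / in-progress states, then report the outcome.
do {
    Start-Sleep -Seconds 60
    $status = Get-MailboxRestoreRequestStatistics -Identity $request.RequestGuid
    Write-Host ("{0}: {1} ({2}% complete)" -f $status.Name, $status.Status, $status.PercentComplete)
} while ($status.Status -in 'Queued', 'InProgress')

if ($status.Status -ne 'Completed') {
    # Pull the full report for troubleshooting a failed or partially completed restore.
    Get-MailboxRestoreRequestStatistics -Identity $request.RequestGuid -IncludeReport |
        Select-Object -ExpandProperty Report
}
```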

Access the complete post here to know more: A better way to recover a mailbox

Update:

The Microsoft team recently published a new guidance article on this topic:

Common mailbox recovery scenarios for hybrid environments

Update:

The Microsoft Exchange Online team recently announced the availability of a new Mailbox Recovery Troubleshooter that guides you to the best possible recovery option when restoring a deleted user mailbox in EXO.

Access the Troubleshooter here: https://aka.ms/MailboxRecovery

Official Blog post here: Introducing the Mailbox Recovery Troubleshooter

Update:

Access the latest blog posts on this topic in an Exchange Hybrid environment:

Recover soft-deleted mailboxes in an Exchange Hybrid scenario

How to restore an inactive mailbox for a federated user in an Exchange Hybrid deployment

As an add-on read, review the detailed guidance from Microsoft on how to remove a former employee from Office 365.

Stay tuned for latest updates...
