Exchange Single Item Restore

Overview
Installation
Configuration
Backup
Restore Scenarios
Exchange Single Item Restore Screens
Notes

Overview 

This user’s guide presents how to use the Exchange Single Item Restore feature with Bacula Enterprise and the VSS Exchange Plugin allowing to interactively restore selected Exchange Mailboxes.

Note

Since 16.0.7, Bacula Enterprise offers the Exchange EWS Plugin which uses the advanced technology from Microsoft to restore single item in a very easy way. Review this documentation for further information about it.

Features Summary

The Bacula Enterprise Exchange Single Item Restore provides the following main features:

Console interface
BWeb Management Suite interface
Exchange interface

Scope

This document will present solutions for Bacula Enterprise 8.4 and later, which are not applicable to prior versions. The Exchange Single Item Restore has been tested and is supported on Red Hat Enterprise Linux (RHEL) 6 and 7, Ubuntu 14.04, Debian 7 and 8, working with Microsoft Exchange Server 2010 and 2013.

Installation 

Packages of the Exchange Single Item Restore plugin are available for supported platforms in the “single-item-restore” download area. The package delivered is usually a previous Bacula Enterprise version, therefore please search for previous versions in your download area or keep the version installed when upgrading your Storage Daemon. Please contact Bacula Systems to get access to them or if you would have any question.

Download the plugin package to your Storage Daemon server and then install using the package manager:

# rpm -ivh bacula-enterprise-single-item-restore*.rpm

The package manager will ensure that your Bacula Enterprise version is compatible with the Exchange Single Item Restore plugin and will install dependencies. On Redhat, installing the perl-JSON package from rpmforge is required.

Note

On Redhat 8.X and 9.x, you must have the the AppStream repository enabled to install the perl-File-Copy. The perl-File-Copy module is a dependency required by the bacula-enterprise-single-item-restore package.

Since Bacula Enterprise 16.0.13.

# cat /etc/yum.repos.d/dag.repo
[dag]
name = Red Hat Enterprise  - RPMFORGE
baseurl = https://www.baculasystems.com/dl/DAG/rhel6-64
enabled = 1
protect = 0
gpgcheck = 0

# cat /etc/yum.repos.d/baculasystems.repo
[singleitemrestore]
name = Bacula Enterprise
baseurl = https://www.baculasystems.com/dl/<id>/rpms/single-item-restore/<version>/rhel6-64
enabled = 1
protect = 0
gpgcheck = 0

[bacula]
name = Bacula Enterprise
baseurl = https://www.baculasystems.com/dl/<id>/rpms/bin/<version>/rhel6-64
enabled = 1
protect = 0
gpgcheck = 0

Where <id> is your customer download area identifier and <version> is the current Bacula Enterprise version.

# yum install bacula-enterprise-single-item-restore

The Exchange Single Item Restore also contains a specific Bacula Enterprise service called “bee-exchange” that must be installed and running on each Exchange server that is used to run the restore process. This installation is done by executing the dedicated installer program bacula-enterprise-win64ExchangeSingleItemRestore-VERSION.exe, where VERSION represents the product version number like 8.4.0-1 or 8.6.5-1.

Note: Upgrading the “bee-exchange” service may not work in all cases. Bacula Systems recommends to explicitly deinstall an older version before installing a newer one.

The service will start a REST / HTTP daemon that will listen on localhost:8081 by default. It is possible to configure the service to listen on an external IP address and use HTTPS and / or http authentication. If you decide to keep the default values for the bind address (localhost), you will need to run the internet browser used for the restore operation on the Exchange Server itself. Assuming the Exchange Server to be properly protected against unauthorized access, this provides a reasonably safe default protection against misuse.

Notes about the “bacula” Account on Redhat

All shell commands in this document use the “bacula” Unix account to run.

On Red Hat, the Unix “bacula” account is locked by default. This implies that it is not possible to execute a command such as su - bacula successfully.

It is possible to unlock the “bacula” account, or to use “sudo -u bacula” to execute commands. For example:

bacula@storage# /opt/bacula/bin/bconsole

This could be run from the root account using the following command:

root@storage# sudo -u bacula /opt/bacula/bin/bconsole

It is also possible to start a shell session using

root@storage# sudo -u bacula /bin/bash

Alternatively, unlock the “bacula” unix account and use su with a command such as:

root@storage# chsh -s /bin/bash bacula
root@storage# su - bacula
bacula@storage# whoami
bacula

Samba SMB Shares

The Bacula Enterprise Exchange Single Item Restore plugin will use Samba SMB shares automatically to provide the needed data to the Exchange system. It will set up those shares automatically.

To use Samba SMB network shares, installing and configuring the “samba” package is mandatory. To configure the /etc/samba/smb.conf file for use with Bacula the script install-single-item-restore.sh needs to be run.

root@storage# /opt/bacula/scripts/install-single-item-restore.sh install
Do you want to initialise Samba smb.conf [yes/No]: yes
Choose a Workgroup [BACULA]:

Need to set a password to "bacula" user
New SMB password: *******
Retype new SMB password: ******

Configuration done.

root@storage# cat /etc/samba/smb.conf
[global]
workgroup = BACULA
wide links = yes
follow symlinks = yes
unix extensions = no
include = /etc/samba/bacula.d/main.conf

At this point, it is possible to modify /etc/samba/smb.conf to add your own configuration directives. See below for some hints regarding security-related settings.

The network share configurations used by the Exchange Single Item Restore will be stored in the directory /etc/samba/bacula.d. Customizing the template used by Bacula to generate configuration files is possible by using a template file.

Depending on the version of the Samba server and its actual configuration, modifications to the template share will be required. In particular, the Exchange Single Item Restore will create symbolic links inside the created share which point to locations outside the shared directory tree. As this can pose a security risk, Samba by default may prevent clients access to such links. To allow these client accesses, which are reasonable as the target location is under control, and the “bacula” user account is assumed to be safe against misuse, a template such as the following should be put in place:

[root@storage ~]# cat /etc/samba/bacula.d/custom.tpl
[__share__]
    path = __path__
    browseable = No
    level2 oplocks = No
    oplocks = No
    posix locking = No
    wide links = Yes
    read only = No
    valid users = bacula
    follow symlinks = Yes

Note the explicit setting of follow symlinks = Yes and wide links = Yes. These, along with the global Samba configuration setting of allow insecure wide links = Yes, will allow a client to access the symbolically linked data locations that are required by the Exchange Single Item Restore. We suggest to review the impact of those settings in the manual describing the smb.conf configuration file.

The Samba server can also be configured to join your AD domain, and it is possible to allow a group of users to mount and use the Bacula network share. However, configuring the Samba server to use an existing Active Directory server is not covered by this document.

The Samba share will be used by the Exchange server to access the database and log files. We advise testing the creation of a Samba share and accessing it from the Exchange server to make sure that everything is configured properly at the network level.

bacula@storage# /opt/bacula/bin/smbadd --add --share test1 --path /opt/bacula/bin
bacula@storage# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[test1]"
Loaded services file OK.

# Global parameters
[global]
        workgroup = BACULA
        unix extensions = No
        idmap config * : backend = tdb
        include = /etc/samba/bacula.d/bacula-test1.conf
        wide links = Yes


[test1]
        path = /opt/bacula/bin
        valid users = bacula
        read only = No
        browseable = No

bacula@storage# smbclient //localhost/test1
Enter bacula's password:
Domain=[BACULA] OS=[Windows 6.1] Server=[Samba 4.2.3]
smb: \> ls
  .                                   D        0  Fri May  3 14:15:48 2013
  ..                                  D        0  Fri Jun 12 16:21:39 2015
  bacula                              A     1614  Fri May  3 14:15:46 2013
  bacula-dir                          A  2771768  Fri May  3 14:15:47 2013
  bacula-fd                           A   887111  Fri May  3 14:15:47 2013
  bacula-sd                           A  2169994  Fri May  3 14:15:48 2013
...

At this point, it should be possible to mount the network share “test1” from the Exchange server using the “bacula” account. This can be verified using Windows’ Explorer. As the created shares are not browseable, they will not appear automatically in an Explorer window showing the Storage Daemon host; instead, the full path to the share needs to be entered into the address bar.

To delete the network share the following command can be used:

bacula@storage# /opt/bacula/bin/smbadd --del --share test1

Note on SMB Password

The password used in the SMB share should not contain the following characters: &, ’ and “.

BWeb Management Suite GUI Notes

To use the BWeb Management Suite graphical GUI with the Exchange Single Item Restore option, it is currently necessary to install and configure BWeb Management Suite on the Storage Daemon where the relevant jobs are stored. If the Director is not on the same machine as the Storage Daemon, it should not be a problem, just remember that the administrator needs to connect to the correct BWeb Management Suite instance to use specific Exchange Single Item Restore screens.

Configuration 

Storage Daemon Configuration

On the Storage Daemon host server, the bconsole program has to be configured properly to allow the “bacula” user to connect to the Director with the configuration file /opt/bacula/etc/bconsole.conf.

bacula@storage# /opt/bacula/bin/bconsole
Connecting to Director mydir-dir:9101
1000 OK: 10002 mydir-dir Version: 8.4.0 (31 October 2015)
Enter a period to cancel a command.
* version
mydir-dir Version: 8.4.0 (31 October 2015) x86_64-redhat-linux-gnu
* quit

The Exchange Single Item Restore package contains a script that enables testing the connection with the Director and testing if the system can mount the Bacula Virtual File System properly.

bacula@storage#  /opt/bacula/scripts/install-single-item-restore.sh check
I: Try to restart the script with sudo...
I: Found catalog MyCatalog
I: bacula-fused started on /tmp/bee-bfuse.XXXXX
I: MyCatalog found
I: 10 Client(s) found
I: /tmp/bee-bfuse.XXXXX unmounted
I: bacula-fused (rw) started on /tmp/bee-bfuse.XXXXX
I: MyCatalog found
I: 10 Client(s) found
I: /tmp/bee-bfuse.XXXXX unmounted
OK: All tests are good.

The Bacula Virtual File System is not designed to be used by end users to browse or restore files directly. If you try to access and browse the mount point, you will not see any files.

bee-exchange Service

It is possible to configure the bee-exchange service on the Exchange server by creating a configuration file named bee-exchange.conf in the Bacula Enterprise installation directory on the Exchange server.

C:> type c:\Program Files\Bacula\bee-exchange.conf
###################################################################
# Bacula Enterprise Exchange Single Item Restore Configuration File
###################################################################
Port=8082
Hostname=*
SSL

The following parameters can be set:

Port: Specify the TCP/IP port to use. Ex: Port=8080
Hostname: Specify the TCP/IP interface to bind to. Ex: Hostname=192.168.0.1
SSL: Use SSL. Ex: SSL
SSLName: Specify SSL Certificate name to use. Ex: SSLName=MyCert
LogFile: Specify a custom Log file.
DataDir: Specify a custom Data directory.
Authentication: Specify a Authentication scheme (Ntlm, Basic, IntegratedWindows, Anonymous). Ex: Authentication=Anonymous

The service must be restarted after creation or modification of the configuration file.

The service account requires Read and Write permissions to all files in the folder with the database and sufficient access rights including the “mailbox import export” role. These permissions can be granted using impersonation as described in https://msdn.microsoft.com/en-us/library/bb204095.aspx and https://technet.microsoft.com/en-us/library/ee633452%28v=exchg.141%29.aspx

For example, if the local “System” account is member of the “Server Management” security group

# New-ManagementRoleAssignment -Name "Import Export_Enterprise Support" -SecurityGroup "Server Management" -Role "Mailbox Import Export"

Backup 

This product uses backups that are created as described in the Bacula Systems documentation of the Exchange server functionality of the VSS plugin, which at this time is available as Exchange VSS Plugin.

In short, backups need to be done with a line like Plugin = “vss:/@EXCHANGE/” in the File Set used.

There are no additional considerations beyond what is detailed in the above mentioned white paper, which also implies that Exchange Single Item Restore can be added to an existing Bacula Enterprise infrastructure and can be used with all existing backups.

Restore Scenarios 

With Text Console Interface

The Exchange Single Item Restore provides a console program that allows you to initialize the Exchange restore process.

[root@storage ~]# su - bacula -c '/opt/bacula/bin/mount-exchange'
Automatically Selected Catalog: MyCatalog

Client list:
1: bacula6-fd
2: wgb-exch13-fd
Select a Client: 2
Selected wgb-exch13-fd

Job list:
1: wgb-exch13.2016-12-20_13.09.55_18
2: wgb-exch13.2016-12-20_14.28.11_20
3: wgb-exch13.2016-12-20_14.28.53_21
4: wgb-exch13.2016-12-21_17.37.15_31
5: wgb-exch13.2016-12-21_17.42.36_32
6: wgb-exch13.2016-12-21_23.45.18_35
7: wgb-exch13.2016-12-27_13.09.24_06
Select a Job: 7
Selected wgb-exch13.2016-12-27_13.09.24_06
Automatically Selected Exchange Server: WGB-EXCH13

Exchange Database list:
1: MailboxDBA
2: MailboxDBStandalone
Select an Exchange Database: 1
Selected MailboxDBA

I: From the Exchange server web browser, you need to access the bee-echange
    service that uses the default URL: http://localhost:8081/?Share=exch22968

I: The Network share name is "exch22968"

I: Once the restore is done and the database is dismounted,
   press enter to finish and cleanup the session.

At this step, the Exchange data files are available locally on the Storage Daemon server, and a samba network share is configured.

For a verification of basic functionality, the Windows’ Explorer can be used (remember that, as the share should not be browseable, the complete path needs to be entered in the address line). This is shown in figure Verifying Access to a Created SMB Share. Note the “File” folder without time stamp – this is represented by a symbolic link, and unless it can be opened in the Explorer window without problems, security restrictions are set too tightly in the /etc/samba/smb.conf file and the dynamically created share. In that case, reviewing and modifying those settings will be necessary.

Verifying Access to a Created SMB Share

Note that this access verification should only be useful during deployment and initial configuration of the Exchange Single Item Restore. Once things work out without further manual interaction, it is possible to directly use the actual restore functionality, described below.

To actually mount and browse the Exchange database, connect to the Exchange server and start a browser with the URL printed above.

The Bacula Enterprise Exchange service will handle all steps necessary to restore a mailbox (see chapter Exchange Single Item Restore Screens) through a Graphical User Interface.

To cleanup the restore session, just press “Enter” in the terminal session where the mount-exchange script was started.

With BWeb Management Suite Interface

The Exchange Single Item Restore option in BWeb Management Suite is a wizard allowing easy restoration of items from an Exchange database.

The first step is to select the Client where the VSS backup job was done (see fig. Client Selection).

Once the Client is selected, the administrator needs to select the Job (a Restore Point) to restore. (Fig. Restore Point Selection).

If the selected Job is a valid VSS backup job, the third step will display a list of all Exchange databases included. (Fig. Exchange Database Selection).

At this point, Bacula will create a network share with Samba, and the administrator needs to connect to the Exchange server and open the URL displayed in the wizard with a web browser. The Exchange Server address field is set to the Bacula Client address (see fig. Connection to Exchange Single Item Restore Service) automatically and can be changed if desired. Note that by default, the Exchange Single Item Restore windows service does not accept remote connections, so accessing it requires using a web browser started on the Exchange server console. (See chapter Exchange Single Item Restore Screens)

Connection to Exchange Single Item Restore Service

Once the restore is actually done, it is important to terminate the restore session to release resources (fig. Terminate the Restore Session).

Exchange Single Item Restore Screens 

The “Restore Single Mailbox from Exchange Database” page should be displayed as shown in figure Bacula Exchange Single Item Restore GUI. At this point, operations will take place directly on the Exchange server and will accomplish the following operations:

Mount the network share
Check the Exchange database status
Perform recovery if needed
Create a Recovery database
Mount the Recovery database
Browse and restore mailboxes
Dismount and cleanup

In order to mount the network share where the Exchange database is available, “Bacula Share Parameters” must be specified. Then press the “Start Recovery” button. All steps will then be executed one after the other (fig. Recovery Database Setup). Information about a particular step is available by clicking on “Details” (fig. Details of an Operation).

Once in the last tab, the recovery database will be mounted and available to the Exchange console and the Powershell interface. The list of all mailboxes will be displayed like shown in figure Mailbox List. It is possible to select a Mailbox and restore it to another database.

Once the restore is actually done, it is important to terminate the restore session to release resources (fig. Dismount Recovery Database) on the Exchange server, and then terminate the restore session in the “mount-exchange” terminal session or in the BWeb page.

Notes 

Cache Directory

To speed up future Exchange Single Item Restore sessions, some files that are generated during a restore session are kept in a cache directory.

storage# ls /opt/bacula/working/mount-cache
MyCatalog-2.idx  MyCatalog-5.idx  MyCatalog-8.idx
MyCatalog-4.idx  MyCatalog-6.idx  MyCatalog-9.idx

It is possible to remove files in the cache after some time. They are re-generated if needed.

Limitations

The PST export is not yet implemented in the Bacula Exchange Single Item Restore service.
The Bacula Exchange Single Item Restore Service is not multi-threaded and can serve only one request at a time.
The Exchange Single Item Restore feature uses the Bacula BVFS interface to list files and directories. The Bacula BVFS interface is known to have some performance issues with MySQL catalog backends due to internal MySQL limitations with indexes on TEXT columns. For VMWare and Exchange Single Item Restore, it should not impact performance too much (the backup structure is usually quite small) but Bacula Systems advises using the PostgreSQL catalog backend for the best experience.
The Exchange Single Item Restore performance may vary depending on various factors. For example, Bacula will have to read more data if the Volume was written with a large number of concurrent jobs.
The Exchange Single Item Restore is not compatible with FileDaemon data encryption.
The password used in the network share between the Bacula Storage Daemon and the Exchange server should not use : &, ’ and “
The Exchange Single Item Restore is compatible with file based devices (cloud, dedup, aligned, file, etc..). Tape devices are not supported.