Archive for 'Microsoft Exchange'

Due to the number of searches I’ve been getting for this, I will explain how I did Symantec Backup Exec Exchange GRT backups to disk. If you’ve not read my reasons for not using GRT to back up Exchange, you should probably do so. If you still insist on using it, keep reading.

First off, an Exchange GRT backup cannot be encrypted by Backup Exec when a backup-to-disk device is used. In order to encrypt the backup, I’ve instead chosen to use EFS. When Backup Exec does a GRT backup, it doesn’t store these backups in the “Veritas” folder (at least in 11D and 12 it doesn’t) like it does with the other backups. Instead it creates a folder for each storage group that begins with IMG followed by a sequence of numbers. Any time a GRT backup is started, a new set of folders is created. Removable backup-to-disk devices are specified with a drive letter, so these IMG folders are created under the root folder (making it much more difficult to use EFS, because we cannot tell EFS to automatically encrypt all folders under the root folder).

So I wanted to use a removable backup-to-disk device and encrypt our Exchange backups. After watching the IMG folders, I realized that the numbers weren’t random. I believe Backup Exec starts at 000001 and counts up. If your Exchange GRT backup backs up 2 storage groups, this number will increment twice with every backup (Backup Exec puts the storage groups in separate folders). If I chose to encrypt the backup after it is complete, it takes FAR too long on a USB disk, so I created a script that will create the necessary folders before the Exchange GRT backup begins.

I’ve included the source code to this script. You’ll need to install ActivePerl before it will work (Google it). Rename the script to end with the extension “.pl”. I swap my backup disks on Friday. On Friday this script will delete the IMG files off of the backup disk (because Backup Exec doesn’t seem to delete the IMG folders on its own). The script then opens a file in the Backup Exec folder to read the last number used for an IMG number. It then creates 1 IMG folder (uncomment the appropriate sections to have it create multiple IMG folders for a backup), then tells the system to encrypt that folder. Any files added to this folder after we encrypt it are automatically encrypted.

Create the file “C:\Program Files\Symantec\Backup Exec\scripts\enc_fold_num.txt”. Look at your last backup and find the IMG folder with the highest number. Enter this number without leading 0s into this file. Edit the script and make sure it is creating the folders on the right drive letter. Next you’ll need to edit your Exchange backup job. Under the Pre/Post Job section, you’ll need to add the path for this Perl script (you may need to specify the Perl executable and feed it this Perl script so that it actually runs).
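The pre-job step described above, written in PowerShell as an added example (it is not the author's Perl script). It assumes the backup disk is E:, that IMG folders are named IMG plus a six-digit zero-padded counter, and that the new counter is written back to enc_fold_num.txt after each run.

```powershell
# Added example, not the author's Perl script.
# Assumptions: backup disk is E:, folder names are IMG + 6-digit counter.
$BackupRoot    = 'E:\'   # assumed drive letter of the removable backup disk
$CounterFile   = 'C:\Program Files\Symantec\Backup Exec\scripts\enc_fold_num.txt'
$StorageGroups = 1       # number of IMG folders one GRT job creates
$SwapDay       = [DayOfWeek]::Friday

# On swap day, clear old IMG folders, since Backup Exec leaves them behind.
if ((Get-Date).DayOfWeek -eq $SwapDay) {
    Get-ChildItem -Path $BackupRoot -Filter 'IMG*' |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^IMG\d+$' } |
        Remove-Item -Recurse -Force
}

# Read the last IMG number used; stop rather than guess if the file is bad.
$raw  = Get-Content -Path $CounterFile -ErrorAction Stop | Select-Object -First 1
$last = 0
if (-not [int]::TryParse("$raw".Trim(), [ref]$last)) {
    throw "Counter file '$CounterFile' does not contain a number."
}

for ($i = 1; $i -le $StorageGroups; $i++) {
    $last++
    $folder = Join-Path $BackupRoot ('IMG{0:D6}' -f $last)
    if (-not (Test-Path $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }
    # cipher /e marks the folder so files added to it later are encrypted.
    & cipher.exe /e $folder | Out-Null
    # Confirm the Encrypted attribute is set before the backup writes data.
    $attrs = (Get-Item $folder).Attributes
    if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
        throw "$folder is not marked encrypted; aborting before the backup."
    }
}

# Persist the new counter for the next run (assumed behaviour).
Set-Content -Path $CounterFile -Value $last
```

EFS encrypts with the certificate of the account that runs the script, so that account's EFS certificate is the one that has to be exported and kept.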

This last step is the most important by far. You NEED to back up your EFS certificate. If you don’t, and something happens to this server, you will not be able to access the data on your backup drives. You’ll need to encrypt something in order to get an EFS certificate. You might go ahead and tell it to encrypt a file (right-click on it and click Properties, then check the box for encrypt). To back up your EFS certificate, open Internet Explorer. Click Tools->Internet Options. Click the “Content” tab. Then click the “Certificates” button. Under the “Personal” tab, there should be a certificate that says it is intended for “Encrypting File System”. Click the “Export” button on this certificate. Click Next. Tell it to export the private key. Click Next. Enter a password (don’t lose this password). Enter a file name and click Next. Then click Finish.

Copy this EFS certificate to a safe place. It is probably a good idea to test and make sure that you can import the certificate elsewhere and read the encrypted data (if you can’t read it, you’ll get an “access is denied” error when you try to access it). Also take note of the expiration date listed in the box. Calendar this date (if it is in the next 10 years). When it comes, your system will create a new EFS key automatically, and you won’t be able to read your backups unless you export the new key.
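A way to check the expiration date and private key from the command line instead of the certificate dialog, added here as an example and not part of the original post. It reads the Personal store of the account it runs under and assumes a 90-day warning window.

```powershell
# Added example. EFS certificates carry the "Encrypting File System"
# enhanced key usage, OID 1.3.6.1.4.1.311.10.3.4.
$EfsOid   = '1.3.6.1.4.1.311.10.3.4'
$WarnDays = 90   # assumed warning window, adjust to taste

function Get-EfsCertificateStatus {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        # Keep only certificates whose EKU extension lists the EFS OID.
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsOid })
    } | ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

$status = @(Get-EfsCertificateStatus)
if ($status.Count -eq 0) {
    Write-Warning 'No EFS certificate in this account''s Personal store.'
}
foreach ($c in $status) {
    if (-not $c.HasPrivateKey) {
        Write-Warning "$($c.Thumbprint): no private key here; it cannot decrypt backups."
    }
    if ($c.DaysLeft -le $WarnDays) {
        Write-Warning "$($c.Thumbprint): expires $($c.NotAfter); export the new key once it is created."
    }
}
$status | Format-Table -AutoSize
```

Run it as the account that executes the backup pre-job, since that is the account whose certificate encrypts the IMG folders.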


Symantec has created a way to restore a single email message with Backup Exec. This technology is called GRT (Granular Restore Technology). I’ve used it in Backup Exec 11D and 12. I’ve found that it proves to be more of a pain than a help because:

  1. You cannot back up to disk and encrypt the backup (at least using Symantec’s built-in encryption).
  2. When using a removable backup-to-disk device to back up, it creates a folder that begins with IMG, instead of storing the backups under the “Veritas” folder on the removable backup-to-disk device.
  3. The system won’t automatically overwrite/delete the GRT backups on removable backup-to-disk drives. Instead the drive will simply run out of space.

I’ve found that Microsoft Exchange can take care of most of the granularity that we need. Exchange can be configured to keep deleted items for a set number of days. To find this setting in Microsoft Exchange 2003, log into your Exchange server. Open the Microsoft Exchange “System Manager”. Now expand Administrative Groups->Your Domain->Servers->Your Server Name->Your Storage Group. Now right-click on a “Mailbox Store” and click “Properties”. Click the “Limits” tab. Adjust the “Keep Deleted Items for (days)” value. Also note that this setting is specific to this information store. If you have a server with multiple information stores, you’ll need to adjust them all separately.

Deletion Settings for Microsoft Exchange 2003

To recover an individual item you’ll need to set Outlook to show Recover Deleted Items. As the previous link instructs, click Start->Run. Type “regedit”. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Options. On the Edit menu, click Add Value, and then add the following registry value:

Value name: DumpsterAlwaysOn
Data type: DWORD
Value data: 1

Close the registry editor, then close and reopen Outlook. Under the Tools menu, you should now have a “Recover Deleted Items” option. Now you can use “Recover Deleted Items” in Outlook to get back any item that has been deleted in the last X days (you set this yourself inside of Exchange). This is MUCH easier than dealing with Symantec’s GRT technology.
