Exchange 2010 Edge Transport Server Backup and Recovery


The Exchange Server 2010 Edge Transport Server role is responsible for all incoming and outgoing internet email for an organization.

Typically deployed within a secure perimeter network, or DMZ, the Edge Transport Server is basically a smart host or SMTP relay server for the organization, and can protect from viruses, spam, and also perform other rule-based actions to control the flow of email in and out of the network.

What Needs to be Backed Up on Edge Transport Servers

To plan for backup and recovery of the Edge Transport server you first need to understand where the server stores its configuration and data.

Active Directory Lightweight Directory Service – each Edge Transport server runs its own instance of AD LDS, which is used to store a subset of information about recipients in the Exchange organization, as well as information about the connectors that are established between the Edge Transport server and the Hub Transport servers for mail flow.  The AD LDS database and log files are stored on the file system of the server.

Edge Configuration – the Edge Transport server configuration can be exported to an XML file for cloning between servers and for recovery purposes.  The Edge configuration file is stored on the file system of the server.  This does not include the Edge Subscription information that connects the Edge Transport server to Hub Transport servers.

System State – the system state contains information such as service startup and dependency settings in the registry, which is important if any settings have been modified from the defaults.  The System State is also important if extra third party applications or agents have been installed on the Edge Transport server, local security policies have been applied, administrative accounts or groups created or modified, and a range of other items that may be important in a recovery.

Other Files – other files such as transport queue databases and log files are also stored on the file system.

Planning the Edge Transport Server Backup

When you are planning the Edge Transport server backup strategy there are different approaches you can take depending on your requirements.

Backing up Everything

A full system backup of the server encompasses all of the required information for a recovery, however this takes longer to backup and consumes the most backup storage.

This makes it impractical if frequent backups are required throughout the day. For example, in a high-volume email environment the transport queue databases might be backed up every 5 minutes to reduce the risk of losing in-transit email if the server crashed.

A full backup can also take longer to recover in some cases, however this is less of a concern if multiple Edge Transport servers are deployed.

Backing up the Minimum

A backup of just the Edge Transport configuration is the most efficient in terms of time frames and storage space, and can be run only when a configuration change has been made.

However the recovery time may be longer because a new host would need to be provisioned from scratch to import the config.

There may also be more manual intervention required because importing the configuration to a new server still requires the Edge Subscription to be set up again.  In addition, this backup strategy does not protect the transport queue databases, log files, or any third party applications and agents installed on the server.

Backing Up and Restoring Edge Transport Servers

For the purposes of this demonstration I’ve made a few changes to a default Edge Transport server install on Windows Server 2008 R2:

  • The default log file paths have been modified
  • An Edge Subscription is in place
  • .NET Framework 4 has been installed via Microsoft Update

Exporting/Importing the Edge Configuration

The Edge Configuration can be exported and imported using a script provided with Exchange Server 2010.  The script is located in the \Scripts folder of your Exchange Server 2010 installation folder, which by default would be:

C:\Program Files\Microsoft\Exchange Server\V14\Scripts

On the Edge Transport server launch an Exchange Management Shell and run the script to export the Edge Configuration.

.\ExportEdgeConfig.ps1 -cloneConfigData C:\EdgeConfig\ex2-edgeconfig.xml

Edge configuration is exported successfully to C:\EdgeConfig\ex2-edgeconfig.xml

For this demonstration the server operating system has been manually reinstalled to simulate a recovery scenario, and the Exchange Server 2010 reinstalled with the Edge Transport server role.

Note: the Edge Transport server can be a domain member; however, it is not a valid role for using Setup /m:RecoverServer to restore a failed server. In some scenarios you may encounter an error that “The Exchange Server is in an inconsistent state” when trying to reinstall the server.

When the new Edge Transport server is ready you can import the Edge Configuration to it using a script that is once again located in your Exchange Server 2010 installation folder.

Launch the Exchange Management Shell, and then run the import script to validate that the configuration can be applied.  This checks such things as valid file system directories to confirm that they can be recreated when the configuration is imported.

.\ImportEdgeConfig.ps1 -cloneConfigData C:\EdgeConfig\ex2-edgeconfig.xml -isImport $false -cloneConfigAnswer C:\EdgeConfig\ex2-answer.xml

Warning:Passwords will be encrypted with the default script encryption key

Validation succeeded for ConnectivityLogPath element of type DirectoryPath
Validation succeeded for MessageTrackingLogPath element of type DirectoryPath
Validation succeeded for PickupDirectoryPath element of type DirectoryPath
Validation succeeded for PipelineTracingPath element of type DirectoryPath
Validation succeeded for ReceiveProtocolLogPath element of type DirectoryPath
Validation succeeded for ReplayDirectoryPath element of type DirectoryPath
Validation succeeded for RoutingTableLogPath element of type DirectoryPath
Validation succeeded for RootDropDirectoryPath element of type NullableDirectoryPath
Validation succeeded for SendProtocolLogPath element of type DirectoryPath
Validation succeeded for SourceIPAddress element of type IPAddress
Validation succeeded for SourceIPAddress element of type IPAddress
Validation succeeded for Bindings element of type Bindings
Validation succeeded for Fqdn element of type FQDN

Answer File is successfully created: C:\EdgeConfig\ex2-answer.xml

Next, import the configuration file by switching the -isImport parameter to $true.

.\ImportEdgeConfig.ps1 -cloneConfigData C:\EdgeConfig\ex2-edgeconfig.xml -isImport $true -cloneConfigAnswer C:\EdgeConfig\ex2-answer.xml

Warning:Passwords will be encrypted with the default script encryption key

WARNING: The contents of the pipeline tracing log may contain sensitive information. Make sure all content is either
removed or secured appropriately.

WARNING: The command completed successfully but no settings of 'exchangeserverpro.local' have been modified.
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport

Confirm
Are you sure you want to perform this action?
Removing Receive connector "EX2\Default internal receive connector EX2".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): a

WARNING: The command completed successfully but no settings of 'IPAllowListConfig' have been modified.
WARNING: The command completed successfully but no settings of 'IPAllowListProviderConfig' have been modified.
WARNING: The command completed successfully but no settings of 'IPBlockListConfig' have been modified.

WARNING: Edge Transport servers don't use the MaxDumpsterSizePerStorageGroup, MaxDumpsterTime, MaxReceiveSize,
MaxRecipientEnvelopeLimit, and SupervisionTags parameters. Therefore, setting these parameters will have no effect.

Importing Edge configuration information Succeeded.

Note the warning that the Transport service requires a restart. This does not happen automatically, so run the following command from the Exchange Management Shell.

restart-service msexchangetransport

Although the relevant Connectors are added to the Edge Transport server when the Edge Configuration is imported, they are not correctly set up on both ends (i.e. on the AD Site/Hub Transport servers as well). To do this you will need to re-run the Edge Subscription process.

Create an Edge Subscription file on the Edge Transport server by running the following command in an Exchange Management Shell.

New-EdgeSubscription -FileName c:\edgesubscription.xml

Confirm
If you create an Edge Subscription, this Edge Transport server will be managed via EdgeSync replication. As a result,
any of the following objects that were created manually will be deleted: accepted domains, message classifications,
remote domains, and Send connectors. After creating the Edge Subscription, you must manage these objects from inside
the organization and allow EdgeSync to update the Edge Transport server. Also, the InternalSMTPServers list of the
TransportConfig object will be overwritten during the synchronization process.
 EdgeSync requires that this Edge Transport server is able to resolve the FQDN of the Hub Transport servers in the
Active Directory site to which the Edge Transport server is being subscribed, and those Hub Transport servers be able
to resolve the FQDN of this Edge Transport server. You should complete the Edge Subscription inside the organization in
 the next "1440" minutes before the bootstrap account expires.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

Copy the XML file to an Exchange 2010 server in the organization. Launch the Exchange Management Console and navigate to Organization Management/Hub Transport. Start the New Edge Subscription task.

Select the Active Directory Site you wish to create the subscription with, and then browse and select the XML file that you copied from the Edge Transport server.

Click New to complete the Edge Subscription wizard.
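The Edge-side steps of the recovery above, as one added example script (not from the original post or from Exchange's own scripts), run from the Exchange Management Shell on the rebuilt Edge Transport server. The paths are assumed placeholders matching the walkthrough; note from the scripts' own warning that the exported XML holds passwords encrypted with the default script key, so the backup location should be access-controlled like any credential store.

```powershell
# Added example, not from the original post: the Edge-side recovery steps run as one
# script from the Exchange Management Shell on the rebuilt Edge Transport server.
# All paths below are assumed placeholders.
param(
    [string]$ScriptsPath      = "C:\Program Files\Microsoft\Exchange Server\V14\Scripts",
    [string]$ConfigFile       = "C:\EdgeConfig\ex2-edgeconfig.xml",
    [string]$AnswerFile       = "C:\EdgeConfig\ex2-answer.xml",
    [string]$SubscriptionFile = "C:\edgesubscription.xml"
)

$ErrorActionPreference = "Stop"
$importScript = Join-Path $ScriptsPath "ImportEdgeConfig.ps1"

if (-not (Test-Path $ConfigFile))   { throw "Edge configuration backup not found: $ConfigFile" }
if (-not (Test-Path $importScript)) { throw "ImportEdgeConfig.ps1 not found in $ScriptsPath" }

# Step 1: validation pass. With -isImport $false the script only checks the backup
# against this server (log paths, bindings, FQDN) and writes the answer file.
Write-Host "Validating $ConfigFile against this server..."
& $importScript -cloneConfigData $ConfigFile -isImport $false -cloneConfigAnswer $AnswerFile
# The answer file is a necessary but not sufficient check: still read the
# "Validation succeeded/failed" lines above before continuing.
if (-not (Test-Path $AnswerFile)) {
    throw "Validation did not produce $AnswerFile; fix the reported elements before importing."
}

# Step 2: real import. The script prompts before removing the default Receive
# connector; answer [A] as in the walkthrough, or set $ConfirmPreference = "None"
# beforehand to run unattended.
Write-Host "Importing Edge configuration..."
& $importScript -cloneConfigData $ConfigFile -isImport $true -cloneConfigAnswer $AnswerFile

# Step 3: the import warns that MSExchangeTransport needs a restart but does not do it.
Write-Host "Restarting the Transport service..."
Restart-Service MSExchangeTransport

# Step 4: the imported connectors are only the Edge half of the subscription, so
# generate a fresh Edge Subscription file to carry to a Hub Transport server.
Write-Host "Creating Edge Subscription file $SubscriptionFile..."
New-EdgeSubscription -FileName $SubscriptionFile

Write-Host "Done. Copy $SubscriptionFile to a Hub Transport server and complete the"
Write-Host "New Edge Subscription wizard within 1440 minutes, before the bootstrap account expires."
```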

The Edge Transport server role has now been recovered by:

  1. Reinstalling the operating system and Exchange Server 2010
  2. Importing a backup of the Edge Configuration
  3. Re-establishing the Edge Subscription

By only backing up the exported Edge Configuration file, this technique takes up the least backup time and storage; however, the restoration is more effort (note that the use of virtualization, templates or other automated build processes would speed it up to varying degrees).

  • The customized log path settings were restored
  • The Edge Subscription was manually recreated
  • Additional applications were not recovered and need manual reinstallation

So depending on the server there will be additional effort to bring it back to full service, if only the Edge Configuration was ever backed up.

Full System Backup/Restore for Edge Transport Servers

For this demonstration I used Windows Server Backup to take a full system backup of the Edge Transport server to use for bare metal restore.

This backup takes longer than if you were only exporting and backing up the Edge Configuration on a regular basis.  However, the restore process is simpler and possibly even faster than the previous method, because the full system is being restored, although this would depend on your backup infrastructure and whether the restore media was on hand or needed to be brought in from offsite.

Once the full system restore is complete the server is ready to go, including the Exchange Server 2010 installation and all other applications and configurations on the server.

Although the Edge Subscription is restored by this method, if you test it from the Hub Transport server you may find that it is temporarily broken.

[PS] C:\>Test-EdgeSynchronization

RunspaceId                  : 6143dd90-7b9b-40f2-8120-15e58a8e2f54
SyncStatus                  : Failed
UtcNow                      : 9/08/2010 2:29:59 AM
Name                        : EX2
LeaseHolder                 : CN=EX1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Gr
                              oups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=exchange
                              serverpro,DC=local
LeaseType                   : Option
FailureDetail               : The EdgeSync cookie has not been updated as expected. It may indicate EdgeSync has encoun
                              tered synchronization errors. For more information, check the EdgeSync logs.
LeaseExpiryUtc              : 9/08/2010 2:46:13 AM
LastSynchronizedUtc         : 9/08/2010 1:46:13 AM
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
RemoteDomainStatus          : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Skipped
CredentialRecords           : Number of credentials 3
CookieRecords               : Number of cookies 2

You can usually fix this by simply restarting the EdgeSync service on the Hub Transport server.

[PS] C:\>Restart-Service MSExchangeEdgeSync

The Edge Subscription should now test successfully.

[PS] C:\>Test-EdgeSynchronization

RunspaceId                  : 6143dd90-7b9b-40f2-8120-15e58a8e2f54
SyncStatus                  : Normal
UtcNow                      : 9/08/2010 2:32:16 AM
Name                        : EX2
LeaseHolder                 : CN=EX1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Gr
                              oups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=exchange
                              serverpro,DC=local
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 9/08/2010 3:30:15 AM
LastSynchronizedUtc         : 9/08/2010 2:30:15 AM
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
RemoteDomainStatus          : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Skipped
CredentialRecords           : Number of credentials 3
CookieRecords               : Number of cookies 2
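The post-restore check described above, as an added example script (not from the original post), run from the Exchange Management Shell on the Hub Transport server: it tests EdgeSync for the restored Edge server and applies the fix the post gives, restarting MSExchangeEdgeSync, only when the status is not Normal. The Edge server name and retry settings are assumed placeholders.

```powershell
# Added example, not from the original post: verify EdgeSync after a full system
# restore of an Edge Transport server and restart MSExchangeEdgeSync only if needed.
# Run from the Exchange Management Shell on the Hub Transport server.
# $EdgeName and the retry settings are assumed placeholders.
param(
    [string]$EdgeName          = "EX2",
    [int]$RetryDelaySeconds    = 60,
    [int]$MaxRetries           = 3
)

function Get-EdgeSyncState {
    param([string]$Name)
    # Test-EdgeSynchronization returns one status object per subscribed Edge server
    Test-EdgeSynchronization | Where-Object { $_.Name -eq $Name }
}

$state = Get-EdgeSyncState -Name $EdgeName
if (-not $state) {
    Write-Warning "No EdgeSync status returned for '$EdgeName'; check that the Edge Subscription exists."
    exit 1
}

if ($state.SyncStatus -eq "Normal") {
    Write-Host "EdgeSync for $EdgeName is Normal (last sync $($state.LastSynchronizedUtc) UTC)."
    exit 0
}

# The failure seen right after a restore: stale cookie, SyncStatus Failed.
Write-Warning "EdgeSync for $EdgeName reports '$($state.SyncStatus)': $($state.FailureDetail)"
Write-Host "Restarting the MSExchangeEdgeSync service on this Hub Transport server..."
Restart-Service MSExchangeEdgeSync

# Give EdgeSync time to run a synchronization cycle, then re-test.
for ($i = 1; $i -le $MaxRetries; $i++) {
    Start-Sleep -Seconds $RetryDelaySeconds
    $state = Get-EdgeSyncState -Name $EdgeName
    if ($state.SyncStatus -eq "Normal") {
        Write-Host "EdgeSync recovered on attempt $i (last sync $($state.LastSynchronizedUtc) UTC)."
        exit 0
    }
    Write-Warning "Attempt ${i}: SyncStatus is still '$($state.SyncStatus)'."
}

Write-Warning "EdgeSync for $EdgeName did not recover; review the EdgeSync logs as FailureDetail suggests."
exit 2
```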

The Edge Transport server role has now been recovered by performing a full system restore of the server.

  • The custom log path settings were restored
  • The Edge Subscription was maintained
  • The additional applications were also recovered

By taking full system backups of the Edge Transport server the restoration process was simplified, however the backups themselves take up more time and backup storage.

Summary

As you can see there are pros and cons to each backup strategy for the Edge Transport server role in Exchange Server 2010.  In most environments the full system backup/restore method works best as it simplifies almost every aspect of the process, with the only trade-off being the extra time and storage capacity needed during backups.  The config export/import method tends to be more suited to migrating the Edge Transport server to new hardware, or adding additional Edge Transport servers into the environment.