A lot of people confuse journaling, which is the process of capturing a set of communications for future use, with archiving, which is the practice of removing less frequently accessed or older message data from the message store in favor of a secondary storage location.
Archiving is all about getting stuff—usually older and bulkier messages and attachments—out of your mailboxes, so you can reduce the performance hit on your comparatively expensive Mailbox server storage systems and reduce your backup windows.
Journaling is record keeping; you're defining a set of users whose traffic you must keep track of, and Exchange dutifully captures faithful copies of every message they send or receive. As stated before, journaling is one of the main strategies that compliance and archival vendors use to get messaging data into their solutions.
Although you may not have any explicit applicable regulatory language that forces you to implement journaling, journaling can still be one of the easiest ways to meet the requirements you do have. As compliance becomes more of an issue, the ability to quickly and easily put your hands on complete and accurate records of messaging communications will become critical.
Exchange Server 2007 journaling capabilities are essentially identical to those in Exchange Server 2010. The base journaling mechanism used by Exchange 2010 is envelope journaling, which captures all recipient information (even Bcc: headers and forwards). However, you have two options for journaling:
Standard journaling (a.k.a. per-mailbox database journaling) uses the Journaling agent on Hub Transport servers to journal all messages sent to and from recipients and senders whose mailboxes are homed on specified mailbox databases.
Premium journaling (a.k.a. per-recipient journaling) also uses the Journaling agent on Hub Transport servers, but it's more granular. It offers you the ability to design journaling rules for groups or even specific users if need be.
You must have an Exchange Enterprise Client Access License (CAL) to use premium journaling.
1. Implementing Journaling
The Journaling agent, present on your Hub Transport servers, is responsible for detecting whether a given message falls under your journaling rules. When you use standard journaling, you enable it for an entire mailbox database. Any messages sent to or by recipients whose mailboxes are located on a journal-enabled database will be detected by the Journaling agent and copies will be sent to a designated journal recipient. This journal recipient can be another recipient in the Exchange organization—if it is an Exchange mailbox it must be dedicated to the purpose—or an SMTP address on another messaging system.
Journaling to an external recipient may seem like a crazy idea at first blush. However, this allows Exchange 2010 to be used with compliance and archival solutions that are not part of the Exchange organization or even with hosted solution providers.
If you use an external journal recipient, you should ensure that your SMTP transport connections to the external system are fully secure and authenticated.
When you use premium journaling, you create journal rules that define a subset of the recipients in your organization. Premium journaling rules are stored in Active Directory and propagated to all Hub Transport servers through the normal AD replication mechanism, so a new or changed rule takes effect on a given server only once replication has reached it. The Journaling agent on the Hub Transport server detects that a rule matches a given message and again sends a copy of the message to the journal recipient. Premium journaling rules are found on the Hub Transport subcontainer of the Organization Configuration in the Exchange Management Console.
Journaling rules can have one of three scopes, which help the Journaling agent decide whether it needs to examine a given message:
The Internal scope matches messages where all senders and recipients are members of the Exchange organization.
The External scope matches messages where at least one sender or recipient is an external entity.
The Global scope matches all messages, even those that may have already been matched by the other scopes.
To create a new journaling rule, run the New Journal Rule wizard found on the Actions pane.
This same operation can be performed by using the Exchange Management Shell and the following command:
New-JournalRule -Name 'Journal VIP mail' -JournalEmailAddress 'volcanosurfboards.com/Users/zz_VIP Mail Archive' -Scope 'Global' -Enabled $True -Recipient 'VIPs@somorita.com'
1.1. Managing Journaling Traffic and Security
If you are using an internal mailbox as your journaling recipient, you should be aware that it may collect a large amount of traffic. Though you can use the same mailbox for all journal reports generated in your organization, you may need to create multiple mailboxes to control mailbox size and ensure that your backup windows can be maintained. If you are using the Unified Messaging role in your organization, you may not want to journal UM-generated messages such as voicemail because of the large amount of storage space it requires. (On the other hand, you may be required to preserve these types of messages as well as your regular email.)
Journaling mailboxes should be kept very secure and safe from everyday access because they may one day be material evidence in the event that your business is sued or must prove compliance to auditors.
To guard against the loss of journaling reports in the event of trouble within your Exchange organization, you can designate an alternate journaling mailbox. This mailbox will receive any nondelivery reports that are issued if your journaling recipient cannot be delivered to.
Unfortunately, you can configure only a single alternate mailbox for your entire organization. Not only can this cause performance and mailbox size issues, but your local regulations may prevent you from mixing multiple types of journal information in one mailbox.
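As an added example that is not from the book, the following Exchange Management Shell commands put the pieces above together: a locked-down dedicated journal mailbox, standard journaling for one database, premium rules at each of the three scopes, the single alternate journaling mailbox, and a read-back of what is in effect. Every mailbox, database and group name is constructed.

```powershell
# Added example (not from the book): configure Exchange 2010 journaling from the
# Exchange Management Shell and verify the result. All names below are constructed.
$JournalMbx    = 'zz_Finance_Journal@volcanosurfboards.com'   # dedicated, used for nothing else
$AltJournalMbx = 'zz_Journal_NDR@volcanosurfboards.com'       # the one alternate for the org

# Keep the journal mailbox out of everyday sight and refuse anonymous SMTP, so an
# outside sender cannot plant look-alike "journal reports" next to the real ones.
Set-Mailbox -Identity $JournalMbx -HiddenFromAddressListsEnabled $true `
            -RequireSenderAuthenticationEnabled $true

# Standard (per-mailbox database) journaling: every message sent to or by a
# mailbox homed on DB-Finance is copied to the journal recipient.
Set-MailboxDatabase -Identity 'DB-Finance' -JournalRecipient $JournalMbx

# Premium (per-recipient) journaling rules, one at each scope. -Recipient takes a
# distribution group or a single mailbox; leave it out to match every recipient.
New-JournalRule -Name 'Traders - internal mail' -Scope Internal `
    -Recipient 'Finance-Traders@volcanosurfboards.com' `
    -JournalEmailAddress $JournalMbx -Enabled $true
New-JournalRule -Name 'All mail crossing the org boundary' -Scope External `
    -JournalEmailAddress $JournalMbx -Enabled $true
New-JournalRule -Name 'CFO - all mail' -Scope Global `
    -Recipient 'cfo@volcanosurfboards.com' `
    -JournalEmailAddress $JournalMbx -Enabled $true

# Alternate journaling mailbox: receives the NDRs raised when $JournalMbx cannot be
# delivered to. Only one can be configured for the whole organization.
Set-TransportConfig -JournalingReportNdrTo $AltJournalMbx

# Verify which rules, databases and NDR target are live (rules appear on a given
# Hub Transport server only after AD replication has reached it).
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled -AutoSize
Get-MailboxDatabase | Where-Object { $_.JournalRecipient } | Format-Table Name, JournalRecipient
(Get-TransportConfig).JournalingReportNdrTo
```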
Note that the introduction of Rights Management Services (RMS) interoperability with messaging and transport rules raises some new issues, notably for journaling: Exchange Server 2010 now has the ability to decrypt an RMS-protected message and journal an unencrypted version of it.
2. Reading Journal Reports
The journaling process creates a special Exchange message known as the journal report. This message is essentially a wrapper that contains a summary of the original message properties. It also contains a pristine copy of the original message that generated the report, neatly attached to the journal report.
The journal reports are designed to be human and machine readable, allowing you to automate processing of journal reports via a third-party application as well as perform manual checks on the data.
Table 1 shows the fields that Exchange 2010 places in the journal report.
Table 1. Exchange 2010 Journal Report Fields
Field | What It Contains
---|---
To | The SMTP address of a recipient in the To header or the SMTP envelope recipient. If the message was sent through a distribution list, this field contains the Expanded field. If the message was forwarded, this field contains the Forwarded field.
Cc | The SMTP address of a recipient in the Cc header or the SMTP envelope recipient. If the message was sent through a distribution list, this field contains the Expanded field. If the message was forwarded, this field contains the Forwarded field.
Bcc | The SMTP address of a recipient in the Bcc header or the SMTP envelope recipient. If the message was sent through a distribution list, this field contains the Expanded field. If the message was forwarded, this field contains the Forwarded field.
Recipient | The SMTP address of a recipient who is not a member of the Exchange 2010 organization, such as Internet recipients or recipients on legacy Exchange servers.
Sender | The sender's SMTP address, found in either the From or the Sender header of the message.
On Behalf Of | The relevant SMTP address if the Send On Behalf Of feature was used.
Subject | The Subject header.
Message-ID | The internal Exchange Message-ID.
Depending on your routing topology and journal rule configuration, you may receive multiple journal reports for a given message. This is not an error; it reflects the fact that any given Hub Transport server may not have a complete view of the organization, depending on AD replication, recipient caching, and other factors.
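As an added example that is not from the book, the script below parses journal report bodies laid out with the fields of Table 1, keeps the Expanded/Forwarded annotations separate from the addresses, and merges the duplicate reports that several Hub Transport servers can emit for one message by grouping on Message-ID. The sample bodies and their "Field: value" layout are constructed; compare them with a real report from your own organization before relying on the parser.

```powershell
# Added example (not from the book): parse journal report bodies laid out as in
# Table 1 and merge the duplicate reports one message can produce. The sample
# bodies and their "Field: value" layout are constructed; compare with a real report.
function ConvertFrom-JournalReport {
    param([Parameter(Mandatory = $true)][string]$Body)
    # Recipient fields repeat; Expanded/Forwarded collect the DL or original
    # recipient named in a "To: a@x, Expanded: dl@x" style annotation.
    $r = @{ To = @(); Cc = @(); Bcc = @(); Recipient = @(); Expanded = @(); Forwarded = @() }
    foreach ($line in ($Body -split "`r?`n")) {
        if ($line -match '^([A-Za-z][A-Za-z -]*):\s*(.*)$') {
            $field = $Matches[1]; $value = $Matches[2].Trim()
            if ($field -match '^(To|Cc|Bcc|Recipient)$') {
                $parts = $value -split ',\s*', 2
                $r[$field] += $parts[0]
                if ($parts.Count -eq 2 -and $parts[1] -match '^(Expanded|Forwarded):\s*(.+)$') {
                    $r[$Matches[1]] += $Matches[2]
                }
            } else {
                $r[$field] = $value     # Sender, Subject, Message-ID, On Behalf Of
            }
        }
    }
    New-Object PSObject -Property $r
}

function Merge-JournalReports {
    param([Parameter(Mandatory = $true)][object[]]$Reports)
    # Several Hub Transport servers may each journal the same message; group by
    # Message-ID so it is counted once while every recipient any report saw is kept.
    $Reports | Group-Object -Property 'Message-ID' | ForEach-Object {
        $all = @($_.Group | ForEach-Object { $_.To + $_.Cc + $_.Bcc + $_.Recipient })
        New-Object PSObject -Property @{
            'Message-ID' = $_.Name
            Sender       = $_.Group[0].Sender
            Subject      = $_.Group[0].Subject
            ReportCount  = $_.Count
            Recipients   = @($all | Sort-Object -Unique)
        }
    }
}

# Constructed sample: two Hub Transport servers each reported the same message,
# one per distribution-list member they expanded.
$body1 = @"
Sender: cfo@volcanosurfboards.com
Subject: Q3 forecast
Message-ID: <constructed-0001@volcanosurfboards.com>
To: trader1@volcanosurfboards.com, Expanded: Finance-Traders@volcanosurfboards.com
Bcc: auditor@example.com
"@
$body2 = $body1 -replace 'trader1@', 'trader2@'
$reports = @($body1, $body2) | ForEach-Object { ConvertFrom-JournalReport $_ }
Merge-JournalReports $reports | Format-List
```

The merged object reports ReportCount 2 with both traders and the Bcc auditor as recipients, which is the view you want before counting messages for a compliance tally.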