The account you run DiRT backup or restore under has to have specific rights to the local system and, optionally, to Exchange to do a complete backup. In short, it needs complete access to SQL in all cases and access to all mailboxes if you’ve selected to back up or restore subscriber messages.
Regardless of what backup options you select or which mail server you’re using, the account must be a member of the local administrators group to gain full read/write access to SQL. Without this, both the backup and restore portions of DiRT will fail. If the Unity system is its own domain controller, add the account to the “Administrators” group in the “Builtin” folder. If the Unity system is a member server, you need to add the account to the “Administrators” group from the “Local Users and Groups” section in the Computer Management applet.
NOTE: Being a member of the Domain Administrators group is NOT sufficient for this; you MUST be a member of the local administrators group. In fact, being a member of the Domain Administrators group can cause problems since it may explicitly deny send as/receive as rights on the mailstores.
If you are not backing up subscriber messages, this is all you need to worry about. If you want to back up and restore subscriber messages using DiRT, follow the procedures for the messaging back end you are using.
Exchange 5.5
For Exchange 5.5 the account must have Service Account Admin privileges at the Organization, site and configuration levels. To do this, go to the Exchange 5.5 administration console, select the Organization node at the top of the tree on the left and select properties from the file menu. On the “Permissions” tab, select “Add” and pick the account you want to use for DiRT backup and restores. For the “Roles” drop down, select “Service Account Admin” and click OK.
Repeat for the Site container and the configuration container under that. This needs to be done on all three of these levels or the ExMerge backup/restore process may fail.
Exchange 2007
Microsoft does not support the use of ExMerge with Exchange 2007 mailstores any longer. Since DiRT uses ExMerge as its message transport for Exchange based systems, the option to restore messages is disabled in DiRT if there are Exchange 2007 mailstores present. There are known workarounds to "trick" ExMerge into working with 2007; however, they are not supported by Microsoft and are, as such, not supported by Cisco. The .PST files from the backup can be used as you wish; however, if you go this route you are entirely responsible for the consequences.
Exchange 2000/2003 or Mixed 2000/2003 and 5.5
On Exchange 2000/2003, the account needs to have send/receive rights for each mailbox you need to back up and restore messages to, as well as "Exchange View Only Administrator" rights so the account can see the Exchange mailstores in question.
See the Restoring to an Exchange 2007 Based System section for details specific to restores with Exchange 2007.
Adding Send As/Receive As Rights:
Unfortunately, Exchange 2000 makes this a little tricky due to the Active Directory security model. Specifically, if the account is a member of the Domain Administrators or Enterprise Admins group, it is explicitly denied access to individual users’ mailboxes. As such you can’t just add the account to the Exchange Domain Servers group (whose members are given mailbox access rights) and be done. In Active Directory, inherited denies override inherited grants, so users who are members of both Exchange Domain Servers and Domain Admins will not have rights to mailboxes.
I know, this is kind of confusing. Welcome to Active Directory. There are a couple of ways to handle this which are documented in the Microsoft Knowledgebase article Q262054 “How to get ‘service account’ access to all mailboxes in Exchange 2000”. I recommend method #3 in that article (the method I document here). This is what I’ve tested and have verified works. If you want to use a different mechanism, that’s fine, however if you get errors during message backups/restores using DiRT you need to come back and review your steps closely.
The first thing you need to do before you proceed is tell the Exchange administrator you want to see the “Security” tab on all objects. By default, for whatever reason, the Exchange Administrator doesn’t show the security tab for Mailbox Store objects which is exactly what we need to see to make this work. To get this tab exposed you need to make a registry change. Using RegEdit go to:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin
Add a new DWORD value there called “ShowSecurityPage” and set it to 1.
It is not necessary to restart the server or cycle Exchange for this change to take effect.
Open the Exchange administrator and expand the “Servers” tree as shown in the figure below:
Click on the “Mail Store” object (selected above), right click and select properties. On the properties dialog select the Security tab. If you don’t see a security tab make sure you’ve properly added the registry key mentioned above before opening the Exchange administrator. Hit the “Add” button and select the account you want to use for DiRT backups and restores and hit “OK”. In the permissions list at the bottom make sure the “full control” box is checked in the “allow” column. This should force all the “Allow” checks to be active and selected.
Repeat this process for each “Mail Store” object in each storage group in Exchange that homes one or more subscribers.
Since the rights to the mailbox are being granted directly on the mail store objects, it will ensure the account has full access to the mailbox for backups and restores. Local rights on the object will override inherited rights (either grant or deny). This method avoids any possible conflicting rights from other group memberships and the like, which is why I recommend going this route. The downside of this method is you need to remember to grant this account explicit rights on new mail stores in each storage group if they are added later.
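The rights behaviour described above (inherited denies beating inherited grants, and a grant set directly on the mail store beating both) can be reproduced with a small model of the Windows access check. This is an added example, not part of DiRT or of the Microsoft article; the account name DirtBackupSvc is hypothetical and the access control entries are constructed to match the groups named in the text.

```python
from dataclasses import dataclass

# The two rights the page is concerned with; real ACEs carry bit masks.
MAILBOX = frozenset({"Send As", "Receive As"})

@dataclass(frozen=True)
class Ace:
    trustee: str         # account or group the entry applies to
    allow: bool          # True = allow ACE, False = deny ACE
    inherited: bool      # True if it flowed down from a parent container
    rights: frozenset = MAILBOX

def canonical_order(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))

def access_check(dacl, token, wanted=MAILBOX):
    """Walk the ACEs in order; the first matching entry decides each right."""
    remaining = set(wanted)
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue
        if ace.allow:
            remaining -= ace.rights
        elif remaining & ace.rights:
            return False             # a right not yet granted hit a deny
        if not remaining:
            return True
    return False                     # no matching allow: implicit deny

# Constructed sample: the inherited entries the page describes on a store.
INHERITED = [
    Ace("Domain Admins", allow=False, inherited=True),
    Ace("Enterprise Admins", allow=False, inherited=True),
    Ace("Exchange Domain Servers", allow=True, inherited=True),
]
DIRT = "DirtBackupSvc"               # hypothetical account name
# Full Control granted directly on the store, modelled as the two rights.
ON_STORE = Ace(DIRT, allow=True, inherited=False)

def can_open_mailboxes(groups, dacl):
    return access_check(dacl, {DIRT, *groups})

if __name__ == "__main__":
    both = {"Exchange Domain Servers", "Domain Admins"}
    print("group only:        ", can_open_mailboxes({"Exchange Domain Servers"}, INHERITED))
    print("plus Domain Admins:", can_open_mailboxes(both, INHERITED))
    print("grant on the store:", can_open_mailboxes(both, INHERITED + [ON_STORE]))
```

A mail store added later carries only the inherited entries, so the same check fails there until the grant is repeated on that store.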
Adding Exchange View Only Administrator rights: