eDiscovery Limits and Throttling Policies in Exchange Server and Office 365

by Bharat Suneja

In Exchange 2013 and Exchange Online, In-Place eDiscovery allows you to search a large number of mailboxes. Although the searches are performed against the indexes built by Exchange Search, they can potentially consume significant system resources.

In on-premises deployments, this generally happens in control of or with the knowledge of Exchange admins, who can and often do monitor server performance and undoubtedly get to hear about any performance degradation from their users. In the Exchange Online service, it becomes even more important to cap resource consumption so other tenants in the multi-tenant environment are not impacted.

Here are the eDiscovery-related settings in a throttling policy and the default values.

Property Default Description
ComplianceMaxExpansionDGRecipients 10000 Maximum number of recipients to expand in distribution groups when a discovery search is looking for a specified recipient.
ComplianceMaxExpansionNestedDGs 25 Maximum number of nested distribution groups to expand when a discovery search is looking for a specified recipient.
DiscoveryMaxConcurrency 2 Maximum number of eDiscovery searches that can run at the same time.
DiscoveryMaxMailboxes 5000 Maximum number of mailboxes searched in a single eDiscovery search.
DiscoveryMaxKeywords 500 Maximum number of keywords in an eDiscovery search
DiscoveryMaxPreviewSearchMailboxes 5000 Maximum number of mailboxes returned in an eDiscovery search preview
DiscoveryMaxStatsSearchMailboxes 100 Maximum number of mailboxes for which keyword statistics are returned
DiscoveryPreviewSearchResultsPageSize 200 Number of items displayed on a single page in eDiscovery preview
DiscoveryMaxKeywordsPerPage 25 Maximum number of keywords to show statistics for on a single page in the EAC
DiscoveryMaxRefinerResults 10 This parameter isn’t used and will be removed.
DiscoveryMaxSearchQueueDepth 32 Maximum number of concurrent discovery search threads that can be active at the same time.
DiscoverySearchTimeoutPeriod 10 Number of minutes that a discovery search will run before it times out.

You can retrieve the eDiscovery-related throttling policy parameters in your on-premises environment using the Get-ThrottlingPolicy cmdlet.

Get-ThrottlingPolicy | fl Compliance*, Discovery*

Raise eDiscovery limits in Exchange Server

In on-premises environments, you can modify throttling policies using the Set-ThrottlingPolicy cmdlet. But you can’t modify the global/default throttling policy. You’ll need to create a new throttling policy, set the intended parameters of the new policy and apply it to users who conduct eDiscovery searches. See Exchange workload management for more details about how throttling policies work in Exchange 2013.

  1. Create a new throttling policy

    This example creates a new throttling policy called Foo, sets the maximum number of mailboxes searched in a discovery search to 10,000 and maximum number of concurrent searches to 10.

    New-ThrottlingPolicy Foo -DiscoveryMaxMailboxes 10000 -DiscoveryMaxConcurrency 10

  2. Apply the new throttling policy

    Of course, you still need to apply the throttling policy to users who’ll be performing eDiscovery searches. This example applies the new throttling policy to the user bsuneja.

    Set-Mailbox bsuneja -ThrottlignPolicy Foo

    Members of the Discovery Management role group can perform eDiscovery searches. So it makes sense to apply the new throttling policy to all of them. This example applies the new throttling policy to all members of the Discovery Management role group.

    Get-RoleGroupMember “Discovery Management” | Set-Mailbox -ThrottlignPolicy Foo

  3. Verify the new throttling policy is applied to intended users

    How do you know it worked? It’s easy to verify. This command lists all mailboxes that have the new throttling policy Foo applied. Because the Filter parameter doesn’t take the name of the throttling policy (Foo, unlike the Set-Mailbox cmdlet), we capture its DistinguishedName property in the $policy variable and use the variable in the recipient filter.

    $policy=(Get-ThrottlingPolicy Foo).distinguishedName
    Get-Mailbox -ResultSize unlimited -Filter {ThrottlingPolicy -like $policy} | ft name,ThrottlignPolicy -Autosize

eDiscovery limits in Office 365

You can’t view or change throttling policies in Office 365.

In Office 365/Exchange Online, resource utilization is controlled in a similar manner, but customers can’t view or control throttling policies. Understandably so – keeping the service running and healthy is Microsoft’s job.

You can find the Office 365/Exchange Online eDiscovery limits in Search limits for In-Place eDiscovery in Exchange Online. They’re reproduced in the table below with some comments, but they can and do change so always a good idea to check the source doc for the latest. Most significantly, the maximum number of mailboxes you can search in a single search was raised to 10,000 mailboxes not too long ago.

Description of limit Limit More info and workarounds
The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search. 10,000

If you have more than 10,000 mailboxes in your organization, you won’t be able to use the Search all mailboxes option on the Mailboxes page in the EAC. To search large numbers of mailboxes (up to 10,000 mailboxes total per search), you can organize users into distribution groups or dynamic distribution groups and then specify a group on the Mailboxes page in the EAC.

Note, group membership is calculated only when the search or a hold is created. If a user is added/removed from the group later, the search or hold won’t be updated automatically. You’ll have to edit the search and add/remove the mailbox.

The maximum number of mailboxes that can be placed on In-Place Hold in a single In-Place eDiscovery search. 10,000

In-Place Hold is integrated with In-Place eDiscovery, so the same limit applies here.

Additionally, you can’t use the Search all mailboxes option on the Sources page to place an In-Place Hold even if your organization has less than 10,000 mailboxes. To place a Hold, you must specify mailboxes.

To place a large number of users on In-Place Hold (up to 10,000 mailboxes total per In-Place Hold), you can specify distribution groups or dynamic distribution groups, which makes the task easier, with the caveat noted above about group membership changes.

A better option for placing a hold on a large number of mailboxes is to use a Litigation Hold. Using lots of single In-Place eDiscovery searches to place mailboxes on hold isn’t recommended. For more information, see Place all mailboxes on hold.

The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search that still allows you to view keyword statistics. 100

After you run an eDiscovery search estimate, you can view keyword statistics. These statistics show details about the number of items returned for each keyword used in the search query. If more than 100 source mailboxes are included in the search, an error will be returned if you try to view keyword statistics.

To view keyword statistics, reduce the number of source mailboxes to 100 or fewer, and then rerun the search estimate. When you’re satisfied with the search query, you can add additional source mailboxes to the search and then copy or export the search results.

The maximum number of In-Place eDiscovery searches that can run at the same time in your organization. 2

If an eDiscovery search is started while two previous searches are still running, the third search won’t be queued and will instead fail. You have to wait until one of the running searches is completed before you can successfully start a new search.

Also, estimate-only and copy searches are both considered In-Place eDiscovery searches. So, if you are running an estimate-only search and a copy search at the same time, you can’t start another search until one of the running searches is completed. However, you can preview or export the search results from another search while two searches are running.

The maximum number of keywords that can be specified in a single In-Place eDiscovery search query. 500

Boolean operators, such as AND and OR aren’t counted against the total number of keywords. For example, the keyword query cat AND dog AND bird AND fish consists of four keywords.

The maximum number of items displayed on the search preview page when previewing In-Place eDiscovery search results. 200

When you preview search results, the mailboxes that were searched are listed in the right pane on the eDiscovery search preview page. For each mailbox, the number of items returned and the total size of these items are also displayed. Items returned by the search are listed in the right pane. Up to 200 items are displayed on the preview page.

Items from each mailbox can’t be displayed in the right pane by clicking a mailbox in the left pane. To view the items returned from a specific mailbox, you can copy the search results and view the items in the discovery mailbox.

The maximum number of In-Place Holds that can be placed on a single mailbox. 5

If more than five In-Place Holds are placed on a mailbox, then all content in that mailbox is placed on hold (and not just the content that matches the search criteria of any query-based hold.) All content is held until the total number of holds on a mailbox is reduced to five or less. Holding all mailbox content is similar in functionality to a Litigation Hold.

This limit does not exist. See Maximum number of In-Place Holds on a mailbox in Exchange 2013 and Office 365.

The maximum number of keywords that can be specified in all In-Place Holds placed on a single mailbox. 500

If multiple In-Place Holds are placed on a user’s mailbox, the maximum number of keywords in all search queries is 500. That’s because Exchange Online combines all the keyword search parameters from of all In-Place Holds by using the OR operator. If there are more than 500 keywords in the hold queries, then all content in the mailbox is placed on hold (and not just that content that matches the search criteria of any query-based hold). All content is held until the total number of keywords in all In-Place Holds is reduced to 500 or less. Holding all mailbox content is similar in functionality to a Litigation Hold.

Maximum number of variants returned when using a prefix wildcard to search for an exact phrase in a keyword search query or when using a prefix wildcard and the NEAR operator. 10,000

For non-phrase queries we use a special prefix index. This only tells us that a word occurs in a document, not where in the document it occurs. To do a phrase query we need to compare the position within the document for the words in the phrase. This means that we cannot use the prefix index for phrase queries. In this case we are internally expanding the query with all possible words that the prefix expands to (i.e. “time*” can expand to “time OR timer OR times OR timex OR timeboxed OR …”).

10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. For non-phrase terms there are no upper limit.

Compliance Search in Office 365

The new Compliance Search feature in Office 365 and Exchange 2016 scales up to allow you to search unlimited mailboxes and comes with great performance, keyword highlighting and other features that’ll make for a great eDiscovery search experience. See Introducing Compliance Search in Office 365 on the Office blog and Compliance Search in the Office 365 Compliance Center in documentation.

{ 0 comments… add one now }

Leave a Comment

{ 1 trackback }

Previous post:

Next post: