*This page covers on-premises Exchange instances only. For M365 backup, Bacula Enterprise provides a separate dedicated backup and recovery tool.

As of 2026, 45,754 organizations worldwide run Microsoft Exchange Server on-premises to manage critical business communications, including email, calendars, contacts, and task scheduling. Without regular Exchange backups, organizations risk losing critical mailbox data permanently because a single server crash or a ransomware attack can halt operations indefinitely and expose the business to compliance violations and financial penalties. Email is also the primary attack vector for ransomware, which makes Exchange one of the most targeted systems on a corporate network.

Given that Exchange keeps a portion of its data in memory at all times and only writes it to disk at set intervals, a standard file-based backup tool will miss whatever data is still in memory at the time of execution. In other words, the backup results in an incomplete snapshot that cannot be reliably restored.

To back up Exchange reliably while it is still active, Bacula Enterprise provides two purpose-built backup plugins for two distinct failure scenarios. The VSS Plugin coordinates directly with the Exchange database engine at the full database level. The EWS Plugin coordinates directly with the Exchange database engine at the individual item level.

The Exchange VSS Plugin uses the Windows Volume Shadow Copy Service to capture application-consistent backups at the database level while Exchange remains online. It is the recommended tool when the whole Exchange deployment has been impacted and the priority is getting the full database back online as quickly as possible.

The Exchange EWS Plugin, on the other hand, uses Microsoft’s Exchange Web Services API to back up and restore individual mail items at the user level, including emails, attachments, contacts, tasks, and calendar entries, without any disruption to the running Exchange server.

Administrators can deploy either plugin independently, but for the strongest on-premises Exchange protection, it is best to run both together under the same Bacula Director, which is the central component that manages and coordinates all Bacula backup operations.

Key Features of Bacula Enterprise MS Exchange Backup Software

If your organization needs full disaster recovery in the event of a server failure or ransomware attack, deploy the VSS Plugin. If your priority is recovering individual mail items at the user level, the EWS Plugin is the dedicated tool for that purpose. As noted above, Bacula Systems recommends running the two plugins together under the same Bacula Director.

| | VSS Plugin (Database level) | EWS Plugin (Single-item level) |
|---|---|---|
| Backup Coverage | Full Exchange database and storage groups that include transaction logs and Active Directory configuration | Individual emails, attachments, calendar appointments, contacts, tasks, and folder structures at mailbox level |
| Backup Types and Scheduling | Full and Incremental backups with flexible scheduling and retention policies¹ | Full, Incremental, and Differential backups with multiple parallelization capabilities and flexible scheduling |
| Restore Capabilities | Full and single database restore | Individual item restore including single emails, attachments, contacts, tasks, and calendar entries; export to filesystem; restore to original mailbox or migrate to a different Exchange destination |
| Administration and Management | Centralized management via BWeb Management Suite GUI, command-line console, and web interface; job notifications and automated verification jobs | User-friendly restore reports; advanced mailbox discovery; email indexing for content-based browsing; management via BWeb Management Suite and command-line console |
| Storage and Infrastructure | Backup to local disk, NAS, SAN, tape, cloud storage including Amazon and Azure; encryption and compression of backup data | Backup to local disk, NAS, SAN, tape, cloud storage including Amazon and Azure; encryption and compression of backup data |
| Privacy and Filtering | N/A. Privacy controls are managed at the Exchange level. The VSS Plugin backs up the full database without item-level filtering. | Powerful filtering for privacy, spam, and security; exclude specific messages from backup entirely or from the catalog index only; control which email header fields are indexed; export in MIME format for migration to a different mail platform |
| Platform and Version Support | Requires Windows Server; Exchange must be in an Active Directory domain; clustering supported via Database Availability Groups | Exchange Server on-premises; communicates via HTTPS through the EWS endpoint; no agent installation required on the Exchange server |

¹ Differential backups are not supported for the VSS Plugin and can result in lost transaction log files. Use Full and Incremental backups only.

What You Need to Know Before Deploying the VSS and EWS Plugins

Deployment Requirements

The VSS Plugin requires several mandatory configuration steps on the Exchange server before the first backup runs. The EWS Plugin, on the other hand, has no prerequisites on the Exchange server itself and is operational as soon as the Bacula File Daemon is configured.

EWS Plugin

  • No agent or additional software needs to be installed on the Exchange server.
  • The plugin runs from the Bacula File Daemon on the backup client host and communicates with Exchange over HTTPS through the standard EWS endpoint.
  • The Exchange server’s own resource footprint is unaffected by backup operations.

VSS Plugin

  • Circular logging must be disabled on each Exchange database, because it overrides the transaction log management that VSS depends on for incremental consistency.
  • At least one file from each drive used by Exchange must be explicitly included in the Bacula Fileset, since the VSS Plugin uses drive inclusion to determine which volumes to snapshot.
  • Accurate mode must be enabled in the Bacula Job resource, otherwise files may be missed or duplicated during backup.
  • VSS backup jobs must run as separate Bacula jobs from standard Windows file backup jobs, given that the VSS subsystem is not available in the WinPE bare metal recovery environment.
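
The first two VSS prerequisites above can be checked before the first job runs. The following read-only pre-flight script is an added example, not part of Bacula's documentation or tooling: it uses Microsoft's Get-MailboxDatabase cmdlet to flag databases that still have circular logging enabled and to list the drive letters that must each be represented in the Bacula Fileset. It assumes it is run in the Exchange Management Shell; the function name Test-ExchangeVssReadiness is hypothetical.

```powershell
# Added pre-flight check for the VSS Plugin prerequisites (not Bacula code).
# Read-only: it reports findings and changes no Exchange setting.
function Test-ExchangeVssReadiness {
    [CmdletBinding()]
    param()

    $databases = @(Get-MailboxDatabase)
    if ($databases.Count -eq 0) {
        throw "No mailbox databases returned; run this in the Exchange Management Shell."
    }

    foreach ($db in $databases) {
        # Drive letters holding the database file and its transaction logs.
        # These are local to the server that hosts the database.
        $drives = @([string]$db.EdbFilePath, [string]$db.LogFolderPath) |
            Where-Object { $_ } |
            ForEach-Object { Split-Path -Path $_ -Qualifier } |
            Sort-Object -Unique

        [pscustomobject]@{
            Database         = $db.Name
            Server           = [string]$db.Server
            CircularLogging  = $db.CircularLoggingEnabled
            ReadyForVss      = -not $db.CircularLoggingEnabled
            DrivesForFileset = $drives -join ', '
        }
    }
}

$report = @(Test-ExchangeVssReadiness)
$report | Format-Table -AutoSize

# Databases that would break incremental consistency if backed up as-is.
$blocked = @($report | Where-Object { -not $_.ReadyForVss })
if ($blocked.Count -gt 0) {
    Write-Warning ("Circular logging is still enabled on: " + ($blocked.Database -join ', '))
    # Remediation per database (not executed here):
    #   Set-MailboxDatabase -Identity <name> -CircularLoggingEnabled $false
}
```

Every drive letter shown in DrivesForFileset needs at least one file included in the Fileset, per the requirement above.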

Recovery

The VSS Plugin recovers Exchange data at the database level. The EWS Plugin, on the other hand, recovers at the individual item level, with full control over which mailboxes, folders, and items are restored.

EWS Plugin

  • Individual emails, attachments, contacts, tasks, or calendar entries are restored directly to the Exchange server over HTTPS, with no disruption to the running Exchange environment.
  • Restore jobs target specific mailboxes, folders, or individual items through the Fileset configuration, so administrators recover only the affected mailbox, folder, or item.
  • Recovered items can be restored to the original mailbox, relocated to a subfolder, or migrated to a different Exchange destination.
  • A restore report is generated after each job confirming which items were recovered and warning administrators of any items the restore process could not reach.

VSS Plugin

  • The VSS Plugin restores the full Exchange database or individual storage groups to the original location, and Exchange is operational again once the restored databases are mounted.
  • Exchange deployments running in Database Availability Groups are generally supported, but full guarantee across all cluster configurations is not possible.

Privacy and Compliance

The VSS Plugin captures the full Exchange database as a block. Consequently, privacy controls must be managed at the Exchange administration level. The EWS Plugin, however, lets administrators decide exactly which messages get backed up, which get indexed in the Bacula catalog, and which are excluded entirely.

EWS Plugin

  • The email_exclude_expr parameter removes messages matching the defined expression from the backup entirely, for environments where certain mailbox content must not be retained.
  • The email_exclude_index_expr parameter keeps the item in the backup but removes it from the Bacula catalog index, for environments where data must be retained but cannot be searchable by backup administrators.
  • The email_fields_exclude_index parameter limits which email header fields are indexed in the catalog, for deployments where cataloging sender or recipient data triggers a GDPR or internal policy concern.

VSS Plugin

  • Backup data is encrypted at the volume level using AES 128, AES 192, or AES 256, protecting Exchange database backups both in transit and at rest.
  • Every VSS backup job can be verified automatically or through a manual verification job from the Bacula console.

Migration Support

Both the VSS Plugin and EWS Plugin participate in Bacula Copy and Migration jobs. Backup data replicates to secondary storage or migrates between storage pools without re-reading the source data. When the MIME option is enabled, the EWS Plugin stores item content in RFC 2077 format, which can be imported directly into a different mail platform without conversion.

Bacula Enterprise: Full Platform Coverage

Backup Security and Compliance

Bacula Enterprise takes a multi-layered approach to securing Exchange backup data across transport encryption, storage-level protection, and ransomware detection within the same platform.

  • Immutable Backup Copies – WORM-compatible storage locks backup data against modification or deletion once written. No network-accessible path to recovery points exists for an attacker holding valid service credentials.
  • AES Per-Client Encryption – Configurable at AES 128, AES 192, or AES 256 per client from source to storage destination. A breached storage target exposes only that client’s data, not the entire backup estate.
  • FIPS 140-3 Compliance – Cryptographic modules meet the federal standard required by government and military organizations across all supported daemons.
  • Granular Access Controls – User permissions scope to specific jobs, restore workflows, and management functions. No single account carries unnecessary reach across the backup environment.
  • Complete Activity Auditing – Every backup, restore, and configuration change is logged with user identity and timestamp. Security teams get an unbroken audit trail for incident investigation and compliance review.
  • SIEM Integration – Backup infrastructure security events feed into external SIEM platforms that pull the backup layer into the organisation’s existing incident response workflows, so the backup environment is visible to the SOC.
  • Regulatory Framework Support – Platform controls map to GDPR, HIPAA, SOC 2, PCI DSS, and NIST requirements through encryption, configurable retention policies, and detailed audit logs.

Storage and Recovery

A ransomware backup strategy fails if recovery itself is slow, untested, or limited to a single path. Bacula gives administrators multiple independent recovery options so no single point of failure eliminates the ability to restore.

  • Air-Gapped Tape – Tape volumes ejected from the library and stored offline are physically unreachable from any network-based attack. No credential compromise, however deep, reaches an ejected tape.
  • Backup Copy Jobs – Restore points write to a separate storage target under independent credentials and a different retention policy. A corrupted or deleted primary backup set leaves the copy job’s restore points untouched.
  • Bare Metal Recovery – Bacula recovers a complete server from scratch, including the operating system, applications, and data, without requiring a prior manual installation. Both Linux and Windows systems are covered, with UEFI and EFI support.
  • Multiple Storage Target Types – Backups write to local disk, NAS, SAN, tape libraries, and cloud object storage including S3, Azure, and Google Cloud within a single policy. Organizations implement the 3-2-1-1 rule without managing separate tools for each destination.
  • Tiered Storage Workflows – Data moves across storage tiers automatically as it ages and keeps recent recovery points on fast storage while older data shifts to lower-cost or offline destinations.
  • Geographic Backup Replication – Backup sets copy to geographically separate storage locations. A site-wide outage does not take recovery points down with it.
  • Automated Restore Validation – Recoverability is confirmed through automated testing, and backup administrators know recovery points are usable before an incident forces the question.

Multi-Environment Coverage

Ransomware does not discriminate by workload type. Bacula protects physical servers, virtual machines, containers, databases, and cloud infrastructure under one policy engine and one audit trail.

  • Multi-Platform Virtualization – Native integration covers VMware vSphere, Hyper-V, KVM, Red Hat Virtualization, Xen, Azure VM, Proxmox, Nutanix AHV, and OpenStack with consistent policy application across all hypervisors.
  • Container and Cloud-Native Support – Full protection for Docker, Kubernetes, and OpenShift environments includes persistent volume backups and application-consistent snapshots.
  • Database Backup – Hot backup support covers Oracle, SQL Server, MySQL, PostgreSQL, SAP HANA, MariaDB, Percona, and IBM DB2 with full transactional consistency. Database backups are reliable for recovery, not just for storage.
  • SaaS Application Protection – Microsoft 365, Google Workspace, and Exchange Online are protected with granular restore capability down to individual emails and calendar entries.
  • Multi-Cloud Storage Integration – Native support covers S3, Azure, Google Cloud, Oracle Cloud, and Glacier interfaces. Organizations are not locked into a single cloud provider for backup storage.
  • Windows Environment – Windows Encrypting File System, Microsoft VSS with MS SQL Server and Exchange, Active Directory, and mount point snapshots all run under a single Windows agent.

Backup Management and Administration

  • BWeb Management Suite. Bacula’s primary web-based GUI handles job configuration, monitoring, reporting, and security analysis across the entire backup environment from a single interface.
  • Scalability Without Limits. The same platform architecture manages environments from a handful of servers to deployments numbering in the thousands, all under one management plane.
  • Tenant Isolation. MSPs and large enterprises partition the backup environment into independently administered units. Each unit carries its own configuration, policies, and access controls.
  • External System Integration. Bacula connects to monitoring tools, IT ticketing systems, and directory services including LDAP and Active Directory. No custom development is required.
  • Volume-Independent Licensing. License fees are based on environment size, not data volume. Backup capacity grows without triggering higher costs.

Frequently Asked Questions

Why are standard file-level backups bad for Exchange Server?

Because Exchange keeps a portion of its data in memory at all times and only writes it to disk at set intervals. A generic backup tool that copies files directly from a disk will miss whatever data is still in memory at the time of execution, in turn producing an incomplete snapshot that cannot be reliably restored.

What is the difference between the VSS Plugin and the EWS Plugin?

The VSS Plugin operates at the database level and is the right tool when the entire Exchange deployment needs to be recovered fast after a disaster. The EWS Plugin operates at the item level and is the right tool when a specific email, contact, task, or calendar entry needs to be recovered without touching the database. For the strongest on-premises Exchange protection, Bacula Systems recommends running the two plugins together.

Do I need to stop the Exchange server to run a backup?

No. The VSS Plugin uses the Windows Volume Shadow Copy Service to capture application-consistent database snapshots while Exchange continues running. The EWS Plugin communicates with the live Exchange server over HTTPS and doesn’t require Exchange to pause at any point during the backup.

Do I need to disable circular logging for Exchange Server backup?

Yes. Circular logging must be disabled on each Exchange database before the first VSS backup runs. Circular logging overrides the transaction log management that the Windows VSS Exchange writer depends on for incremental backup consistency.

Can I restore a single email without restoring the entire Exchange database?

Yes. The EWS Plugin restores individual emails, attachments, contacts, tasks, or calendar entries directly to the Exchange server without touching the database.

How secure is Exchange backup data in Bacula Enterprise?

Backup data is encrypted in transit between the Bacula File Daemon and Storage Daemon over TLS. Data at rest is encrypted at the volume level using AES 128, AES 192, or AES 256. The Bacula File Daemon holds no credentials to access storage targets directly, which means a compromised Exchange host cannot read, modify, or delete backup data stored on the Bacula Storage Daemon.