Transition from Single Forest to Cross-Forest: User account and mailbox movement from one forest to another forest : Part-4

Brief summary:
In the previous three articles I described the different transition scenarios, showed you the prerequisites for a single-forest to cross-forest transition, the installation of Exchange 2007 Service Pack 1, and the configuration of IIFP for GAL synchronization.

For more information on the above three articles, please click on the links below:
Transition from Single Forest to Cross-Forest: Brief Introduction how to go with transition process : Part-1

Transition from Single Forest to Cross-Forest: Installation of Exchange 2007 Service Pack 1 : Part-2

Transition from Single Forest to Cross-Forest: Configuring Identity Integration Feature Pack : Part-3

In this session we will look into the different possible situations when moving user accounts and mailboxes to Exchange 2007.

Introduction to ADMT (Active Directory Migration Tool):

Active Directory Migration Tool (ADMT) is a tool that allows you to migrate users, computers and groups between forests and domains, and most Exchange administrators already know the importance of this tool.
It is run from an MMC console: open Administrative Tools, then right-click ADMT and select the appropriate wizard, such as User Account Migration Wizard, Group Account Migration Wizard, Computer Migration Wizard and so on.
One interesting part of ADMT is that since the release of ADMTv2 we have one more feature: migrating passwords. This is a really good feature when we want to keep the same password. The most important part I would like to talk about regarding ADMT is migrating the account with SID history. SID history holds the security identifier (SID) of the original account. When we are talking about Exchange and need to migrate a user from one forest to another forest, it plays a vital role, because the mailbox move finds a match in AD based on the SID history stamped on the migrated account. If there is no SID history on the destination forest account, the move will create a disabled user account. I know most administrators have gone through this phase where a disabled user account gets created, and at that point it is a real mess for us: either we delete the migrated account and migrate it again with the SID migration option, or we run the ADClean tool (one of my favorite tools).
The above information is just the basics regarding the ADMT tool. For more information please click on these links:
Introduction to Active Directory Migration Tool v2 for Administrators
Latest version of ADMT tool v3.0

Click here to download the ADMT tool

Move Mailbox between the forests:
Moving a mailbox between two different organizations is not a big deal if we understand the basic concept well. Before we move the mailbox it is very important to take proper precautions.
Note: For moving a mailbox to Exchange 2007 you can't use the Exchange Management Console; you need to use the Exchange Management Shell (PowerShell) only.

You can use the PowerShell command to move mailboxes in the following scenarios:
• Moving from an Exchange 2007 server in one forest to an Exchange 2007 server in another forest.
• Moving from a server running Exchange Server 2003 in one forest to an Exchange 2007 server in another forest.
• Moving from an Exchange 2007 server in one forest to an Exchange 2003 server in another forest.
• Moving from an Exchange 2000 server in one forest to an Exchange 2007 server in another forest.

Permission required for moving the mailbox:
The account you use for the source forest must be delegated the following:
• Exchange Recipient Administrator role for the source Exchange organization
• Exchange Server Administrator role and local Administrators group for the source server

How do we set the permission for the source Exchange organization:
Open the Exchange Management Shell.
Type the following command: $SourceCredential = Get-Credential
A login window will pop up. As I installed Exchange 2003 using the Administrator account, I give that account's credentials to access the source information.
Figure 1:


The account you use for the target forest must be delegated the following:
• Exchange Recipient Administrator role for the target Exchange organization
• Exchange Server Administrator role and local Administrators group for the target server
The account you use to run the command must be delegated the Exchange Server Administrator role on the server where you run the command.

How to set permission for the target Exchange organization:
It is the same as for the source credential; the only difference is the command we type in the shell:
$TargetCredential = Get-Credential
Figure 2:


After supplying both credentials, run the following command to move the mailbox:
Move-Mailbox -TargetDatabase "E2K7\First Storage Group\Mailbox Database" -Identity Test -GlobalCatalog e2k7.happy.com -SourceForestGlobalCatalog e2k3.smile.com -NTAccountOU "OU=Test,OU=Happy,OU=Galsync,DC=happy,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential

TargetDatabase: my Exchange 2007 mailbox database, which resides in happy.com
Identity: the alias of the source mailbox I need to move
GlobalCatalog: a global catalog of the Exchange 2007 (target) forest
SourceForestGlobalCatalog: a global catalog of the Exchange 2003 (source) forest
NTAccountOU: the container in the target forest where the user account for the mailbox is placed or matched

Let me explain what happens in the background when you move the mailbox:
1) Open Server Connections
Connect to the source and target server - checks if credential and server version is valid
2) Gather Source Information
Read source User Mailbox attributes
Check if source mailbox is a system mailbox (Fail if it is)
Check if source user does not have a mailbox (Fail if it does not)
3) Gather Target information
Check mailbox size limit against target database limits
Check if we can match the source NT account in the target Forest (account match based on SMTP address, source objectSID and target sidHistory, and legacyExchangeDN). If match is found, this account will be email enabled.
Check if target mailbox exists (used to determine if merge is needed)
Check if source mailbox is a resource mailbox (If it is the target user must be disabled)
4) Update Directory Information before Move
Lock access to source mailbox
Create the target mailbox
Lock target mailbox
5) Move Mailbox Content
Move the mailbox content
6) Update Directory Information after Move
Update mailbox location attributes on source and target user accounts
Unlock target mailbox
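Putting the credential prompts and the account-match step above together, here is an added PowerShell example (not from the article or from Microsoft) that checks the target forest for an account carrying the source SID in sidHistory before running Move-Mailbox, so a mailbox that would otherwise end up on a disabled linked account is skipped and logged instead. It uses the lab names from this article (e2k3.smile.com, e2k7.happy.com, the Test OU and mailbox database); the alias file C:\users.txt and the log path are assumptions.

```powershell
# Added example, not from the article: confirm that a target-forest account with the
# source SID in sidHistory exists BEFORE running Move-Mailbox, so the mailbox lands on
# a user mailbox (scenario 3) instead of a disabled linked mailbox (scenarios 1 and 2).
# Host names, OU and database are the article's lab values; the alias list file and
# log path are assumed. Run from the Exchange 2007 Management Shell.

$SourceGC       = "e2k3.smile.com"
$TargetGC       = "e2k7.happy.com"
$TargetDatabase = "E2K7\First Storage Group\Mailbox Database"
$TargetOU       = "OU=Test,OU=Happy,OU=Galsync,DC=happy,DC=com"
$AliasFile      = "C:\users.txt"            # one source mailbox alias per line (assumed)
$LogFile        = "C:\CrossForestMove.log"  # assumed

$SourceCredential = Get-Credential   # source forest: Exchange Recipient/Server Administrator
$TargetCredential = Get-Credential   # target forest: Exchange Recipient/Server Administrator

# Run one LDAP query against a global catalog with explicit credentials.
function Find-GcObject($Gc, $Credential, $Filter, $Properties) {
    $password = $Credential.GetNetworkCredential().Password
    $root = New-Object System.DirectoryServices.DirectoryEntry("GC://$Gc", $Credential.UserName, $password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindOne()
}

# Encode a binary SID in the \xx escaped form that an LDAP filter expects.
function ConvertTo-LdapHex([byte[]]$Bytes) {
    return [string]::Join("", ($Bytes | ForEach-Object { "\" + $_.ToString("x2") }))
}

# Returns "match", "no-source-user" or "no-match" for one source alias.
function Test-TargetAccountMatch($Alias) {
    $src = Find-GcObject $SourceGC $SourceCredential `
        "(&(objectCategory=person)(mailNickname=$Alias))" @("objectsid", "mail")
    if ($src -eq $null) { return "no-source-user" }
    $sidHex = ConvertTo-LdapHex $src.Properties["objectsid"][0]
    # Move-Mailbox matches on SMTP address, objectSid/sidHistory and legacyExchangeDN;
    # sidHistory is the value ADMT writes only when SID migration was selected.
    $tgt = Find-GcObject $TargetGC $TargetCredential `
        "(&(objectCategory=person)(sidHistory=$sidHex))" @("distinguishedname")
    if ($tgt -eq $null) { return "no-match" }
    return "match"
}

foreach ($alias in (Get-Content $AliasFile)) {
    $state = Test-TargetAccountMatch $alias
    "$(Get-Date -Format s) $alias : $state" | Out-File $LogFile -Append
    if ($state -ne "match") {
        Write-Warning "$alias : skipped ($state); migrate the account with SID history first"
        continue
    }
    Move-Mailbox -Identity $alias -TargetDatabase $TargetDatabase `
        -GlobalCatalog $TargetGC -SourceForestGlobalCatalog $SourceGC `
        -NTAccountOU $TargetOU -SourceForestCredential $SourceCredential `
        -TargetForestCredential $TargetCredential -BadItemLimit 5 -Confirm:$false `
        -ErrorAction SilentlyContinue -ErrorVariable moveErr
    if ($moveErr.Count -gt 0) {
        "$alias : FAILED $($moveErr[0])" | Out-File $LogFile -Append
    }
}
```

A "no-match" entry in the log is exactly the case the article resolves with ADMT SID migration (scenario 3) or, after the fact, with ADClean.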

Let's see how it works:
My scenario:
Domain 1: smile.com
  Host name: e2k3.smile.com
  Role: Exchange 2003\AD\DNS

Domain 2: happy.com
  Host name: E2k7.happy.com
  Role: Exchange 2007\AD\DNS

Created an OU called Test in both domains and created a few test users only in smile.com.
See figure 3 below:
Smile.com domain structure:


Happy.com domain structure - Figure 3.1:


Now I will show some possible scenarios and their effects:
I have installed ADMTv3.0 on both AD servers (for testing purposes), but I would recommend installing it on either the source server or the target server. On the target server you must have the source administrator's access rights when you migrate SID history, otherwise you will get "access denied". That is why I preferred to move the user account with the ADMT installed on my source server.
Path of the ADMT files: C:\windows\ADMT

Ok, now let's concentrate on moving the user account between the forests.
I am moving the user account from smile.com to happy.com.

Scenario 1:
Installed ADMTv3.0 on the happy.com domain.
Running the ADMT tool only to move the user account; then I will move the mailbox. E.g. I took the user account called Test1.
Figure 4:


Figure 4.1 : Welcome screen

 
Figure 4.2 : Domain Selection:

Figure 4.3 : User select Option:

Figure 4.4 : User Selection:

Figure 4.5 : Target domain OU

Figure 4.6 : Password Options:
 

Figure 4.7 : Account Transition Options:
 

Note: if you select "Migrate user SIDs to target domain" it will give you an error message if you don't have the appropriate rights:

So it is better to use the source administrator account to run this tool.
But as we are going through several scenarios, I have unchecked SID migration and clicked Next.

Figure 4.9 : User options:

Figure 4.10 : Object Property Exclusion: Here you can exclude specific object properties if required

Figure 4.11 : Conflict Management:
 

Figure 4.12 : Completion of the user account summary details:
 

Figure 4.13 : Migration Process



Tips: To check the log, either go to C:\WINDOWS\ADMT\Logs or click the View Logs button.

Note: in the above log you will see an entry called Errors; it is a clear indication that the user account I moved has an error.
Reason: Could not disable or expire source account. Access is denied. (Because I am running this tool from happy.com and the Administrator account is from happy.com.)

Now I am going to run the move-mailbox command.

Set the logon credentials for both the source and target domains with $SourceCredential = Get-Credential and $TargetCredential = Get-Credential in the shell.
Moved the mailbox by running the move-mailbox command from the shell.


Output:
Figure 15:


If you look at the above figure: ADMT moved the Test1 account plus a DL called Testusers, and in the Testusers DL you will see only one member: Test1.

When I started to move the mailbox from source to destination, it created a disabled user account for that mailbox as it was not able to find a matching SID value.

Now let me show you the Exchange Management Console, Figure 6:


Based on the above figure you can see that Test1 has been created as a Linked Mailbox.

Scenario 2:
I will create a user account called Test2 and then move the mailbox of Test2 from source to target.

Output:
The same output as in scenario 1, Figure 7:



Scenario 3:
I am going to run the ADMT tool from the source server, i.e. E2k3.smile.com, and while migrating the user account I will choose the SID migration option and enable the user account in the target domain. Then I will move the mailbox from the shell.

Output:
Figure 8:


You can see that there is only one user account for Test3, and the mailbox has been built on it.

In the Exchange Management Console: Figure 9


It has been created as a User Mailbox.

ADClean utility (when to use this tool)
One more thing I would like to add, based on my experience with Exchange 2003. There will be situations where you come across scenario 1 or scenario 2 during an Exchange 2003 or 2007 transition between forests. In this situation we can use the ADClean utility from Exchange 2003. Let me show the steps. In this example I am using the Test1 account and the disabled account Test11, which I need to merge.
Copy ADClean.exe and dsclean.dll from the Exchange 2003 bin directory to the root of the C drive on the Exchange 2007 server.

Then run adclean.exe
Welcome screen, click Next (Figure 10)


Identify Merging Accounts, Figure 11


In the above screen I have selected the OU of the accounts to merge.

Review Merging Accounts, Figure 12

Select the source account and the target account to merge them.

Begin Merging Accounts, Figure 13


Then the merge process runs, Figure 14:




Output :
Figure 15


In the above figure you can see that the Test1 user account has been merged with the disabled test account, and now I have only one user account for my mailbox.

Once you have moved the mailboxes to the target domain, you can safely uninstall Exchange 2003 from the source domain.

I hope this article has been informative and has helped you understand how the transition from single forest to cross forest works.

Related Article:

Transition from Single Forest to Cross-Forest: Brief Introduction how to go with transition process : Part-1

Transition from Single Forest to Cross-Forest: Installation of Exchange 2007 Service Pack 1 : Part-2

Transition from Single Forest to Cross-Forest: Configuring Identity Integration Feature Pack : Part-3

Reference:

How to Transition from Single Forest to Cross-Forest

Thanks to:
I would like to thank Mr. Harjinder Singh (v-9harsi), who helped me with hints for configuring the IIFP; it would not have been possible for me until he clarified certain confusion in my mind. Thanks, Harji, for spending some time with me during this lab setup.
Subin John, one of my good trainers, who helped me understand the basic concepts of ADMT and made me capable of working in an Exchange environment.
Rodney R. Fournier, who explained the configuration of IIFP very well on his website: Identity Integration Feature Pack (IIFP) - GalSync unleashed. Without his article I would not have known the basic rights I needed to grant.
Microsoft, for publishing the information regarding this environment setup.
And last but not least, v-9groups and all the viewers who have spent their time going through these articles.

If anybody feels like adding a comment, they are most welcome.

Comments

  • Sunday, April 13. 2008 Rob wrote:
    You failed to point out that if the legacy/source AD environment is Windows 2000 you can't use cross-forest mailbox move as detailed in part 4. You get the error:

    Domain Controller 'lima.contoso.com' Operating System version is 5.0 (2195) Service Pack 4. The minimum version required is 5.2 (3790) Service Pack 1.

    Microsoft say both source and target DCs must be Windows 2003, so if you have AD 2000, you need to EXMERGE your mailboxes and use the import-mailbox cmdlet to migrate mailboxes to EX2007.
  • Monday, April 14. 2008 Ismail wrote:
    Hi Rob,

    Thanks for your info, you are correct. It will be a valuable key point for anyone planning to do it.
  • Wednesday, May 07. 2008 Usman wrote:
    How to move bulk mailboxes instead of running the Move-Mailbox command every time?

    Thanks
    1. Wednesday, May 07. 2008 Ismail Mohammed wrote:
      hi mate,

      Try this script:
      For moving a bulk of mailboxes to a specific target


      In Exchange 2003 we have 4 mailboxes called AVP, VP, CEO & President in the Executive storage group database, and an HR mailbox in the Management storage group of the Exchange 2003 server.

      Now I need to move the above 5 mailboxes to the Executive storage group database. I can move them by scripting.

      Steps:
      1) Open Notepad and type the alias names of the mailboxes which you need to move to the target database, e.g.:
                       AVP
                       VP
                       President
                       HR
      2) Then save it as "Users.txt" in a location like c:\users.txt (on the Exchange 2007 server)
      3) Then open another new Notepad and copy the code below:

      # 1. Log in to the destination Exchange 2007 server
      # 2. Set the database name in the line $TargetDatabase = "..." to the database you want to move the mailboxes to
      # 3. Put the list of all user aliases into the c:\users.txt file
      # 4. Save this file as C:\Program Files\Microsoft\Exchange Server\scripts\Move-Mailboxes.ps1
      # 5. Run the script from the Exchange Management Shell
      # 6. Once all mailboxes have moved, check c:\MoveLog.txt for any errors that occurred during the move

      $TargetDatabase = "Mailbox Database"
      $SourceFile = "c:\users.txt"
      $LogFile = "c:\MoveLog.txt"

      # start with a fresh log file and an empty error list
      remove-item $LogFile -ea SilentlyContinue
      $error.Clear()

      $UserList = Get-Content $SourceFile
      foreach($user in $UserList)
      {
           $message = "Moving User -> " + $user
           write-output $message | out-file -filePath $LogFile -append -noClobber
           move-mailbox -Identity $user -TargetDatabase $TargetDatabase -BadItemLimit 5 -Confirm:$false
           if($error.Count -ne 0)
           {
                 # record the failure and the first error, then reset $error for the next user
                 $message = "User " + $user + " failed to move ???????????"
                 write-output $message | out-file -filePath $LogFile -append -noClobber
                 $message = "Error:::: " + $error[0].ToString()
                 write-output $message | out-file -filePath $LogFile -append -noClobber
                 $error.Clear()
           }
      }


      In the above code you will see the location for the target database: Executive, that is the location I have decided on. If you want to move to some other location then you can type "Mailbox Database", and save the above code as "movemailboxes.ps1".

      This movemailboxes.ps1 can be run from any location, but it will be good if we save this file in "C:\Program Files\Microsoft\Exchange Server\Scripts".

    2. Sunday, April 25. 2010 ticktockman wrote:
      Alternatively, you can save the names to a text file (one per line) and run this:

      get-content c:\namesfile.txt | get-mailbox -domaincontroller sourcedomaincontroller.sourcedomain.tld | move-mailbox -targetdatabase "targetexserver\targetexdb" -globalcatalog targetdomainglobalcatalog.targetdomain.tld -sourceforestglobalcatalog sourcedomainglobalcatalog.sourcedomain.tld -ntaccountou "ou=accountou,ou=nextuptree,dc=targetdomain,dc=tld" -sourceforestcredential $sourcecredential -targetforestcredential $targetcredential -maxthreads 10 -confirm:$false

      The -maxthreads is crucial or you'll be pulling one mailbox at a time over whatever pipe you've got. If you're doing 200 mailboxes, you'll need to multithread it or you'll be doing damage control on Monday.
  • Wednesday, October 15. 2008 Mickelodeon wrote:
    I have a question. I'm migrating the same scenario, but every time I move a mailbox to the other domain I get some errors about the update: Error was found for Exchange Test (mailusr@mydomain.com) because: Error occurred in the step: Updating attributes...
    Finally, my question is: what is the job of Identity Lifecycle in an Exchange 2007 migration?
    Thank you
    1. Friday, October 24. 2008 Ismail Mohammed wrote:
      Hi mate,

      I am stuck on something else, so you will get a late reply from me. I would like to know the current status, whether your issue is resolved or not.
      When you get this error, give me some more details and I will be glad to assist you.

      Regards
      Ismail
  • Sunday, January 18. 2009 SGeorge wrote:
    Hi,
    1) The following url from MS http://technet.microsoft.com/en-us/library/aa996926.aspx
    says the 2-way forest trust is optional.
    2) In a real world scenario, if I do *not* create the 2-way forest trust, I assume, the Exchange migration should go fine, but I will have issues in running applications which still remain in the source forest.
    3) Could you please confirm point 2.
    -Many Thanks.
    1. Monday, January 19. 2009 Ismail Mohammed wrote:
      hi mate,

      Could you please let me know what sort of issue you will face?

      regards
      Ismail
  • Tuesday, January 20. 2009 SGeorge wrote:
    Hi Ismail,
    Let me give you the full picture:

    - I have 2 forests and the migration is from E2K to E2K7.

    - The source forest does not have a W2K3 DC, and at this point, the customer does not want to make any changes to the source forest.

    - So, I am trying to convince the customer to have a W2K3 DC in the source forest, since without a W2K3 DC in the source forest I cannot use the move-mailbox command to migrate mailboxes (the Move-Mailbox cmdlet can communicate only with DCs running at least W2K3 SP1).

    - Hope the above explains the scenario.

    - Could you please let me know when forest trusts are required as opposed to external trusts? Basically I need a very good reason to have a W2K3 DC in the source forest.

    Many Thanks.
    1. Friday, May 15. 2009 Helles wrote:
      Hi,

      I had the same problem and contacted PSS to help me with this issue; however, they did not find a solution. When I switched over to Exmerge and import-mailbox, I noticed there was a problem with the email addresses. It turned out that there were contacts created in another domain in the same forest. Because the Exchange organization is forest-wide, it found that the SMTP address was already in use and gave the error in the step "updating attributes".

      Hope this helps you cracking the case.

      Regards

      Helles
  • Thursday, July 23. 2009 Gautam wrote:
    Hi,
    As per your blog "Transition from Single Forest to Cross-Forest", how will the Free/Busy data be taken care of? Request you to provide some details on it if possible, including different scenarios.
    Thanks.
  • Thursday, July 23. 2009 Gautam wrote:
    Hi,

    As per Microsoft for transition-from-single-forest-to-crossforest http://technet.microsoft.com/en-us/library/aa996926.aspx they have used Interorganisation replication for Free/Busy info, but is it mentioned anywhere in your blog?

    Regards,
    Gautam.
  • Tuesday, July 28. 2009 Bhavana Rana wrote:
    I would recommend leaving the old server up for a while once you complete the transition to 2007. If you do leave the old one running, the clients won't need any intervention; they will automatically be directed to the new 2007 server when they access Outlook for the first time after their mailbox move.

    I love www.ExchangeServerInfo.com !!!!!!