Exchange 2013: Cross Forest/ORG Migration from Exchange 2010/2007
The cross-forest migration steps blog was long overdue from us. So here we go!
Cross-forest migration has changed a little bit and requires a 3rd-party cert in the source domain.
Some related blogs which can be useful before doing a cross-forest migration:
Exchange 2013 Design Guide – https://msexchangeguru.com/2013/07/30/exchange-2013-planning-and-design-guide/
Exchange 2013 Migration Guide – https://msexchangeguru.com/2013/05/10/exchange2013-migration/
Cross Forest E2K3 to 2010 Mailbox Migration with Linked Mailboxes – https://msexchangeguru.com/2011/08/29/migration/
Exchange 2013 PF Migration Guide – https://msexchangeguru.com/2013/04/18/exchange2013-public-folders/
This document has the following assumptions:
- Source and target forests have a one- or two-way forest trust. This is optional.
- All CAS, HT and MBX servers are installed in both the forests.
- All certificates are installed.
- Send and Receive connectors are configured.
- Accepted domain and email address policy are configured.
- Disclaimer and any other Exchange compliance or security rules are configured.
- Antivirus and antispam are installed and configured.
- All the required ports are open between the Exchange 2010 server and DCs and the Exchange 2013 server and DCs.
- All CAS and transport configuration is completed with the help of the Migration Guide.
- All DAG and database configuration is completed with the help of the Migration Guide.
- All MX, CAS and autodiscover public and AD DNS records are configured.
Steps to perform the Move mailbox:
1. Extract all the emails of the user to PST so that any corruption does not stop the migration and a big mailbox does not take hours to migrate. This is an optional step.
2. Extract the AD attributes of the users like DisplayName, samaccountname, mailnickname, mail, legacyexchangeDN, proxyaddresses, homemdb, Publicdelegates, PublicdelegatesBL, Altrecipients, mdbusedefaults, mDBOverHardQuotaLimit, mDBOverQuotaLimit, mDBStorageQuota by using the csvde cmd or any AD extraction tool.
3. Inform the users about the following either by email, in a session or on a call:
   - Explain the changes and new features in Exchange 2013.
   - Explain the issues and the solutions during the coexistence.
   - Explain about the Distribution List change if you have not provisioned.
   - Explain that PF DB access will be from a URL during coexistence.
4. Prepare Exchange 2013/2010/2007 for the migration
a. Upgrade and requirement:
- Exchange 2013: CU2 or higher
- Exchange 2010: SP3 or higher
- Exchange 2007: SP3 RU10 or higher
b. MRSProxy Configuration:
For cross-forest moves that are initiated from the target environment (known as a pull move type), you have to enable the MRS Proxy endpoint on Client Access servers in the source environment. For cross-forest moves that are initiated from the source environment (known as a push move type), you have to enable the MRS Proxy endpoint on Client Access servers in the target environment.
Run the below cmdlet in Exchange 2010 and 2013.
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyMaxConnections 50

In the working forest we should be using a 3rd party certificate, which also allows browsing the URL without a warning. As long as we don't see red in the browser URL bar, no further certificate work is needed.
Otherwise, we need to export the root certificate from the legacy Exchange and import it into the trusted root certificate store of the Exchange migration servers. Basically, the need is to access the following URL without a certificate warning:
https://remotehost(owa fqdn)/EWS/mrsproxy.svc
If the URL is not trusted, you will get a warning during migration as shown below:
The call to ‘https://mail.irm.com/EWS/mrsproxy.svc’ failed. Error details: Could not establish trust relationship for the SSL/TLS secure channel with authority ‘mail.irm.com’. –> The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. –> The remote certificate is invalid according to the validation procedure..
              + CategoryInfo : NotSpecified: (:) [New-MoveRequest], RemoteTransientException
              + FullyQualifiedErrorId : [Server=2013VTC1,RequestId=2545e7db-29c5-4f09-820e-e36bc9e72fee,TimeStamp=10/20/2013 6:49:20 PM] DA23F7A0,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
              + PSComputerName : 2013vtc1.vtc2013.edu
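The trust failure shown above can be caught before any move request is submitted. The following is an added example, not part of the original post: a PowerShell function (the name Test-MrsProxyCertificateTrust is hypothetical) that performs the TLS handshake with the source host from the target Exchange server and reports why Windows rejects the certificate. It assumes port 443 and the OS default TLS versions.

```powershell
# Added example (not from the original post): TLS trust pre-flight for MRSProxy.
# Run on the Exchange server that will issue New-MoveRequest. Uses port 443 and
# the OS default TLS versions (assumptions); revocation is not checked.
function Test-MrsProxyCertificateTrust {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RemoteHostName,      # the value you plan to pass to -RemoteHostName
        [int]$Port = 443
    )

    # Filled in by the validation callback while the handshake runs.
    $state = @{ PolicyErrors = $null; Subject = $null; Issuer = $null
                NotAfter = $null; ChainStatus = @() }

    # GetNewClosure() binds $state so the callback can write to it.
    $validate = {
        param($origin, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors.ToString()
        if ($certificate) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
            $state.Subject  = $cert.Subject
            $state.Issuer   = $cert.Issuer
            $state.NotAfter = $cert.NotAfter
        }
        if ($chain) {
            $state.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        }
        # Trust only what Windows validates; a failure is reported, never overridden.
        $sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None
    }.GetNewClosure()
    [System.Net.Security.RemoteCertificateValidationCallback]$callback = $validate

    $failure = $null
    $client  = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($RemoteHostName, $Port)
        $sslArgs = @($client.GetStream(), $false, $callback)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $sslArgs
        try     { $ssl.AuthenticateAsClient($RemoteHostName) }
        catch   { $failure = $_.Exception.GetBaseException().Message }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }

    # Map the Windows validation result to the fix described in the post.
    $advice = @()
    if ($state.PolicyErrors -match 'NameMismatch') {
        $advice += 'Host name is not on the certificate; use an FQDN the certificate lists.'
    }
    if ($state.ChainStatus -match 'UntrustedRoot|PartialChain') {
        $advice += 'Issuing CA is not trusted here; import the source root CA into the trusted root store of this server.'
    }
    if ($state.ChainStatus -contains 'NotTimeValid') {
        $advice += 'A certificate in the chain is expired or not yet valid.'
    }

    [pscustomobject]@{
        Endpoint     = "https://$RemoteHostName/EWS/mrsproxy.svc"
        Trusted      = (-not $failure) -and ($state.PolicyErrors -eq 'None')
        PolicyErrors = $state.PolicyErrors
        ChainStatus  = $state.ChainStatus -join ', '
        Subject      = $state.Subject
        Issuer       = $state.Issuer
        NotAfter     = $state.NotAfter
        Failure      = $failure
        Advice       = $advice -join ' '
    }
}

# Usage, with the host name from the error above:
# Test-MrsProxyCertificateTrust -RemoteHostName 'mail.irm.com' | Format-List
```

The function only completes a TLS handshake and sends no request to mrsproxy.svc, so a Trusted result confirms certificate trust but not that MRSProxy is enabled on the source.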

5. Login and Authentication
- Log in on the target domain with a user which has permissions in both the Exchange orgs/forests.
- Open PowerShell and run the following command to save the source domain credential. Keep the PowerShell window open until we finish this document.
$Rcred = Get-Credential
6. Creating new objects in the target forest
Go to the "C:\Program Files\Microsoft\Exchange Server\V15\Scripts" directory in PowerShell to run the following command.
For one mailbox
.\Prepare-MoveRequest.ps1 -Identity "Email id of the mailbox" -RemoteForestDomainController "sourcedomainFQDN" -RemoteForestCredential $Rcred -TargetMailUserOU "DN of the OU"
For bulk mailboxes
- Create a csv file with the email ids of the users as per screenshot.
- Run the following cmd from PowerShell after going to the V15\Scripts directory
$Users = Get-Content "pathname.csv of csv file"
- Run the following cmd
foreach ($User in $Users) {.\Prepare-MoveRequest.ps1 -Identity $User -RemoteForestDomainController "Source Domain Controller FQDN" -RemoteForestCredential $Rcred -TargetMailUserOU "DN of new user OU"}

Or
Creating linked objects for the Resource Forest configuration
Single user
.\Prepare-MoveRequest.ps1 -Identity "Email id of the mailbox" -RemoteForestDomainController "Source Domain Controller FQDN" -RemoteForestCredential $Rcred -LinkedMailUser -TargetMailUserOU "DN of the OU"
Or
For bulk users
- Create a csv file with the email ids of the users as per screenshot.
- Run the following cmd from PowerShell after going to the V15\Scripts directory
$Users = Get-Content "pathname.csv of csv file"
- Run the following cmd
foreach ($User in $Users) {.\Prepare-MoveRequest.ps1 -Identity $User -RemoteForestDomainController "Source Domain Controller FQDN" -RemoteForestCredential $Rcred -LinkedMailUser -TargetMailUserOU "DN of new user OU"}
Exchange 2010 – New-MoveRequest -Identity "mbx1" -Remote -TargetDatabase "Netcom1" -RemoteGlobalCatalog "pndc.irm.com" -RemoteCredential $Rcred -TargetDeliveryDomain "vtc2013.edu" -RemoteHostName mail.IRM.COM
Exchange 2007 – New-MoveRequest -Identity "mbx1" -RemoteLegacy -TargetDatabase "Netcom1" -RemoteGlobalCatalog "pndc.irm.com" -RemoteCredential $Rcred -TargetDeliveryDomain "vtc2013.edu"
For bulk users
Exchange 2010 – Get-Content "pathname.csv of csv file" | New-MoveRequest -Remote -TargetDatabase "Netcom1" -RemoteGlobalCatalog "pndc.irm.com" -RemoteCredential $Rcred -TargetDeliveryDomain "vtc2013.edu" -RemoteHostName mail.IRM.COM
Exchange 2007 – Get-Content "pathname.csv of csv file" | New-MoveRequest -RemoteLegacy -TargetDatabase "Netcom1" -RemoteGlobalCatalog "pndc.irm.com" -RemoteCredential $Rcred -TargetDeliveryDomain "vtc2013.edu"

Run the below cmd to check the move status
Get-MoveRequest

Run the below cmd to check the statistics of the move
Get-MoveRequestStatistics mbx1 | fl

Run the below cmd to remove the moves
Get-MoveRequest | Remove-MoveRequest
Or
Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest
The Migration ends here.
—————————————————————————————————————————————-
Prabhat Nigam
Microsoft MVP | Exchange Server
Team@MSExchangeGuru







November 5th, 2013 at 2:22 pm
MRSProxyEnabled was new in Exchange 2010 and with that said, the instructions in this blog post will not work when migrating from Exchange 2007. RemoteLegacy and Remote Moverequest have different syntax.
November 6th, 2013 at 1:09 am
Nice catch Adam. I have updated the blog with the 2007 cmds.
Following are the purposes of the switches.
Remote – An Exchange 2010 Client Access (CAS) server is present in the source forest. The Remote switch specifies that the move you’re initiating is outside of your organization, and that this move is being initiated from the target forest. You don’t have to specify a value with this parameter. You can’t use this parameter in conjunction with the Outbound switch.
Remote Legacy – There is no Exchange 2010 CAS server in the source forest. The RemoteLegacy switch specifies that this mailbox move is from a remote forest that doesn’t have Exchange Server 2013 installed. You don’t have to specify a value with this parameter.
November 12th, 2013 at 3:24 pm
Excellent article
November 13th, 2013 at 11:27 pm
I have two E13 environments in my lab with a 2-way forest trust, but with both environments having the MRS proxy turned on but Forest B cannot see Forest A. Have you got any thoughts on this? I get the following when I run Test-MigrationServerAvailability
AutoDiscover failed with a configuration error: The migration service failed to detect the migration endpoint using the Autodiscover service. Please enter the migration endpoint settings or go back to the first step and retry using the Autodiscover service.
November 14th, 2013 at 12:23 am
@Alex
Interesting 2013 to 2013.
Trust was not a necessity but it confirms connectivity so if you open “AD Domain and Trusts” and properties of the forest –> on the trust tab- are you able to see the remote domain? If yes then move to the next else fix this part.
Make sure you have configured exchange 2013 source forest with autodiscover SCP and all urls.
Make sure you have 3rd party certificate installed in source exchange server which is reachable to internet so that cert can be validated or you can use internal CA cert as mentioned in the blog.
Follow the steps mentioned for Exchange 2010.
If you face any issue then let me know at which command it failed.
November 20th, 2013 at 6:31 pm
The trust is working without an issue and I am able to use the SCP in each domain. I currently do not have 3rd party certificates because neither of these two machines can see the internet.
I can add a CA certificate if you think that would fix it.
November 20th, 2013 at 7:05 pm
Please do so.. also add the cert to both servers. It needs cert and validation.
December 5th, 2013 at 8:56 pm
Hi Prabhat,
I’ve added all the certificates and trying to add a migration endpoint and it still isn’t being allowed from Domain B. If I add Domain B to Domain A as a migration endpoint there is no problems but the reverse has issues.
any thoughts?
December 5th, 2013 at 9:30 pm
Hi Alex,
Please see if restart of the server helps.
December 8th, 2013 at 6:43 pm
Hi Prabhat,
Unfortunately the restart hasn’t resolved it. I think I have a problem with the certificate chain as the error in the command line says that it couldn’t establish a trust relationship yet I configured the certificates the same way in both domains.
Is it possible to have the move request work from the source domain (domain A) which has the migration endpoint configured without the need to configure the migration endpoint on domain B?
Thanks
December 8th, 2013 at 8:06 pm
Certificate has to be verified. Without cert, migration will not work. Mail me if you need me to take remote and check.
January 7th, 2014 at 9:16 am
I’m doing a 2013 to 2013 migration, where the mailboxes need to be linked until the user account is ready to be moved to the new forest (2 companies splitting). I can successfully move the mailbox to the target and it shows as a linked mailbox. However the original source user account does not update the HomeMDB attributes, so when the user next opens outlook it does not redirect them to the new mailbox in the target domain. When I have done prior 2010 – 2010 cross forest migrations I remember this being populated.
I have FIM2010 set up between the two forests for pre-population with a MS federated trust for free/busy.
Any help is appreciated.
January 7th, 2014 at 10:23 am
@ Matt
-Is the user able to log in using OWA?
-Did you type the source authentication correct?
-Check this blog if you have missed any parameter. This is for 2010 but command should have required parameters which should be same in 2013
https://msexchangeguru.com/2011/08/29/migration/
January 7th, 2014 at 2:31 pm
From OWA I can logon with the target account, but not the source account.
This is the prepare command used.
$LocalCredentials = Get-Credential
$RemoteCredentials = Get-Credential
.\Prepare-MoveRequest.ps1 -Identity JoeDoe@smtp.com -RemoteForestDomainController dc01.Source.local -RemoteForestCredential $RemoteCredentials -LocalForestDomainController dc01.target.local -LocalForestCredential $LocalCredentials -uselocalobject -linkedmailuser
I will check out the link
January 7th, 2014 at 2:39 pm
Correction – both source and target can logon with OWA from Source and Target domains (I had a password change on the target)
January 7th, 2014 at 2:41 pm
Let me repro and share the attributes which will change on both side.
January 7th, 2014 at 2:42 pm
Do we have a full-2 way trust for now to test?
January 7th, 2014 at 2:43 pm
Yes, full two-way transitive forest trust / ADMT 3.2 / PES / FIM 2010 SP1 – All working as expected
January 9th, 2014 at 9:30 am
Got it working – thanks for the help, it now uses a guid for the redirection, not the homeMDB
January 9th, 2014 at 9:36 am
Hey Matt,
It will be great if you can share the resolution for someone who gets into the same issue.
You had mentioned the outlook issue. Was it a DNS entry for the autodiscover or something else?
January 9th, 2014 at 9:42 am
It was an inherited permission on the source users’ OU – I also noticed that ADMT cannot be run until after the mailbox has moved to the target domain, otherwise it throws a strange MRSPROXY 404 error on the target pull migration server that cannot be resolved – even if you delete and recreate the target object using FIM or directly with prepare-moverequest.ps1; a PST import is needed at this point.
February 6th, 2014 at 8:48 pm
We have 3 different forests and we have trust established between all 3. We already have Exchange 2007 and 2010 in 2 of the forests and in the 3rd we have installed a new Exchange 2013. We want to keep the users in each AD Forest intact but have their mailboxes migrated from Exchange 2007 and 2010 to the 3rd forest with the Exchange 2013.
Is this possible and if so how do we accomplish it?
February 7th, 2014 at 1:23 am
@Amir
Yes this is possible and all cloud configuration are being done with this configuration. This is called Exchange resource forest configuration which will create a linked mailbox in the 2013 and it will be linked with the 2010/2007 user.
I have updated the blog with the command in the step 6 after or “Creating Linked objects for the Resource Forest configuration.” This command has little difference which has an addition of switch -Linkedmailuser.
February 17th, 2014 at 6:54 pm
Thanks for the update. We migrated one test mailbox from Exchange 2010 to Exchange 2013. Is there a way to have these environments coexist until the migration is completed?
For example the test user which we migrated resides on AD forest A and the Exchange 2013 is on AD Forest B. When we launched the Outlook for the user which migrated their mailbox to 2013 it could not find the mailbox (Both their computer and AD User accounts are on Forest A while Exchange 2013 is on Forest B).
February 17th, 2014 at 7:41 pm
Amir
Give me the error.
Do you have autodiscover configured? Do you have all 2013 configuration completed?
February 17th, 2014 at 7:43 pm
Yes coexistence works but you need separate URLs or need some extra redirection done
February 20th, 2014 at 11:52 am
Is there a reason why I am not seeing my 2010 Exchange server in ecp of 2013? Both servers are on same subnet, however 2013 is on new AD and 2010 is on old AD but both have two-way trust. I do have SP3 installed too and CU4 on 2013
February 20th, 2014 at 12:02 pm
This is by design, you can’t see the servers in the separate AD.
By the way, from where did you get CU4 for 2013, which has not been released yet?
February 20th, 2014 at 12:12 pm
Typo, it's CU3
Basically I got new AD and new 2013 wanting to move users to new ID (that's done) now I want to move from 2010 to 2013.. so if I follow the steps above that should be it?
February 20th, 2014 at 12:17 pm
This blog is covering the migration steps. So yes your mailboxes will be moved with these steps.
Please make sure you have configured exchange 2013 with the help of the Migration guide mentioned at the top of the blog.
February 20th, 2014 at 12:19 pm
Yup got that covered. Thanks Prabhat.
February 21st, 2014 at 10:47 am
Prabhat,
I got the mailbox moved, yey
So one thing I am still working on is that.. my mailbox that I moved from ForestA to ForestB it has ForestB.com tied to it but it should be user@forestA.com ?
Basically what I am doing is this
Created 2013 new AD/Exchange
Migrating users/mailboxes from 2010 exchange servers to new 2013 – user migration all good
I basically want users to login to their laptops with new ADNew\User and also when they pop-up their outlook for their mailbox to connect to new_exchange with same User@domain.com.
Call it consolidation/migration of 5 diff AD’s to 1NewAD.
I want to migrate users one by one, not all at once.
February 21st, 2014 at 11:37 am
@Ziva
6. Creating new objects in the target forest
In the above section you can see there are 2 parts.
One can allow you to use same domain as the exchange 2013
and
The other allows you to use the old AD and the new Exchange 2013 – we do this using linked mailboxes, which allow a linked user to log in using the other AD.
Let me know if this helps
April 2nd, 2014 at 12:56 pm
Does the following command actually work on 2007 since the MRSProxy isn’t available in 2007?
Run the below cmdlet in exchange 2010 or 2007.
Get- WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -Identity “EWS (Default Web Site)” -MRSProxyEnabled $true -MRSProxyMaxConnections 50
Thanks
April 7th, 2014 at 2:39 am
Thank you Mike for the pointer. I have updated the blog.
April 15th, 2014 at 10:42 am
What would cause the (same smtp or shared name) Free /Busy to work only one way ?
Example: Yesterday morning abc was able to see Free Busy cba (cross forest), last night abc and cba were able to see each other's free busy, this morning cba can see abc … it's like only one Free Busy can work at a time?
Where should I look for errors?
April 16th, 2014 at 3:53 pm
Hey Ziva,
Could you be more descriptive and clear?
April 16th, 2014 at 5:35 pm
The Get- WebServicesVirtualDirectory has a space in it, as you know most people will copy and paste 🙂
To answer your question:
Basically the free busy calendar works only in one direction but was working for a few hrs in both directions … and it seems like it's changing its direction.
Anyway:
Two forests Abc.com and Cba.com
Shared SMTP: contoso.com
Abc.com can query free busy calendar from cba.com but not the other way around.
I did availability address and also export autodiscover config cmdlets as suggested (w/o federation) ..
Can you point me into direction where I should lookup some error logs etc on cba.com forest?
Also to mention abc.com has exchange 2010 and cba.com has exchange 2013
April 16th, 2014 at 5:59 pm
thank you. Space is fixed.
If it was working both ways then you should know the latest change which might have broken this.
Any update is the 1st point to check
I would suggest you to start from the starting point.
May 13th, 2014 at 9:21 am
Prabhat,
One last piece …
So the resources (conf room etc) , how can I have both forests be able to book same conf room?
I have a conf room in ForestA but ForestB users can't book it because they can't see it.
I also created test room and migrated over to ForestB, ForestA users can see migrated room however when they book it , it does not accept or get any notification …
Can you let me know what would be best way to have resources in both forests to be able to book same room ? and see the free/busy?
Do remember this is shared namespace.
May 14th, 2014 at 4:37 pm
@Ziva
Do we have an organization relationship set for availability? Check the below mentioned link if this helps
http://technet.microsoft.com/en-us/library/bb125182.aspx
Another option to try is to configure a contact for the email address in forest A for forest B room mailbox.
October 18th, 2014 at 9:52 am
When migrating 2007 to Exchange 2013 CU6 we got this error starting the New-MoveRequest “Recipient ” isn’t a mailbox”. Seems to be a bug which might be fixed with CU7.
I could not fix or work around it. After downgrading to CU5 New-MoveRequest runs without issues.
October 27th, 2014 at 3:11 am
My business is moving out from its parent company to operate independently in business. A new IT infrastructure is created for my company. So far my company IT users are part of Parent’s company’s group IT infrastructure and their AD user accounts are hosted on a Windows 2008 ADDS forest with mailboxes hosted on Exchange 2010. The new IT infrastructure will have Windows 2012 ADDS forest with a new domain and will use Exchange 2013. Currently my company has about 70 business users. Is it possible to extract mailboxes into a PST file in Exchange 2010 (in parent domain/forest) and merge it with newly created mailboxes on Exchange 2013 (new domain/forest) to keep the migration process simpler?
October 27th, 2014 at 3:20 am
Yes you can extract the emails into pst then import into exchange 2013 mailboxes.
April 17th, 2015 at 3:29 pm
Hello
Is there a blog post that describes the pre-requisites that need putting in place before the migration can start. I am looking to run a 2007 > 2013 cross Forest migration and would be good to know how to configure the 2013 side with connectors, certificates, etc. Thanks
May 7th, 2015 at 3:40 am
Have a look at this one.
https://msexchangeguru.com/2013/05/10/exchange2013-migration
May 25th, 2015 at 10:53 am
Dear Prabhat,
Thank you for your excellent Exchange support articles. My client’s Exchange 2007 environment is currently managed by a third party provider and they use resource forest to access their mailbox and there is a DirSync to synch the GAL. The plan is to bring Exchange back in house in their own domain and managed by themselves. There will be no coexistence and no link between the two forests/Exchange once mailboxes/Distribution Groups and Contacts moved over.
Do you have an article to cover this type of forest migration which includes mailboxes, distribution groups and contact. What sort of process do you recommend for Outlook profile migration. in the past I used Profile Redirector.
Your advice very much appreciated as ever.
Hawry