Cross Forest E2K3 to 2010 Mailbox Migration with linked Mailboxes
I couldn’t find a proper document on performing a cross forest mailbox migration, so here we go…
This document makes the following assumptions:
- Source and target forests have a one-way trust
- All CAS, HT and MBX servers are installed
- All certificates are installed
- Send and Receive connectors are configured
- Accepted domain and email address policy are configured
- Disclaimers and any other Exchange compliance or security rules are configured
- Antivirus and antispam are installed and configured
- All the required ports are open between the Exchange 2003 server and the Exchange 2010 server
- Post migration, users and mailboxes will be in a separate resource and Exchange forest environment.
Steps to perform the mailbox move:
1. Extract all of the user's email to a PST so that corrupt items do not stop the migration and a big mailbox does not take hours to migrate. This is an optional step.
2. Extract the users' AD attributes, such as samaccountname, mailnickname, mail, proxyaddresses, homemdb, Publicdelegates, PublicdelegatesBL, Altrecipients and mdbusedefaults, by using the csvde command or any AD extraction tool.
3. Inform the user about the following, either by email, in a session or on a call:
- Mailbox migration time, so that the user can expect some downtime
- The changes and new features in Exchange 2010
- The issues and their solutions during coexistence
4. Prepare a new move request
- Log in to the target domain as a user that has permissions in both Exchange organizations/forests.
- Open PowerShell and run the following command to save the source domain credential. Keep this PowerShell session open until we finish this document.
$Rcred = Get-Credential
- Run the following command to save the local domain credential. We can skip this if the logged-in user has enough permissions.
$Lcred = Get-Credential
- Go to the V14\Scripts directory in PowerShell and run the following command to prepare the move request:
.\Prepare-MoveRequest.ps1 -Identity "useremailid" -RemoteForestDomainController "Source Domain Controller FQDN" -RemoteForestCredential $Rcred -LocalForestDomainController "Target Domain Controller Fqdn" -LocalForestCredential $Lcred -LinkedMailUser -TargetMailUserOU "DN of new user OU"
Or
Use the following additional commands for bulk users:
- Create a csv file with the email IDs of the users as per the screenshot.
- Run the following command from PowerShell after going to the V14\Scripts directory:
$Users = Get-Content "pathname.csv of csv file"
- Run the following command:
Foreach ($User in $Users) {.\Prepare-MoveRequest.ps1 -Identity $User -RemoteForestDomainController "Source Domain Controller FQDN" -RemoteForestCredential $Rcred -LocalForestDomainController "Target Domain Controller Fqdn" -LocalForestCredential $Lcred -LinkedMailUser -TargetMailUserOU "DN of new user OU"}
5. Move the user mailbox
- Run the following command from the same PowerShell session for a single user:
New-MoveRequest -Identity "useremailid" -RemoteLegacy -TargetDatabase "E2K10 Mailbox Database Name" -RemoteGlobalCatalog "Source Domain Controller/GC FQDN" -RemoteCredential $Rcred -TargetDeliveryDomain "TargetDomainName" -BadItemLimit 30
Or
- Run the following command from the same PowerShell session for bulk users:
Get-Content "pathname.csv of csv file" | New-MoveRequest -RemoteLegacy -TargetDatabase "E2K10 Mailbox Database Name" -RemoteGlobalCatalog "Source Domain Controller/GC FQDN" -RemoteCredential $Rcred -TargetDeliveryDomain "TargetDomainName" -BadItemLimit 30
6. Additional commands for changing the mailbox icon to a linked mailbox icon. This can be ignored.
- Disable the user's mailbox from the same PowerShell session:
Disable-Mailbox -Identity User1
- Reconnect the mailbox with the following command:
Connect-Mailbox -Identity User1 -Database "Mailbox Database" -LinkedDomainController "Source Domain Controller/GC FQDN" -LinkedMasterAccount "email id of user login (source) domain" -LinkedCredential $Rcred
7. We should be done with the mailbox migration by this time. Now we need to allow enough time for domain controller replication.
8. Once the domain controllers have replicated, check user connectivity. Verify that Outlook and OWA are working. Ensure Outlook is connecting to the correct mailbox server. If required, reconfigure Outlook.
End of mailbox migration.
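The bulk form of steps 4 and 5 with input validation and per-user error handling, as an added example that is not part of the original post or of Microsoft's script. All FQDNs, paths, the OU and the database name are placeholders; it assumes the Exchange 2010 Management Shell (PowerShell 2.0) with the current directory set to V14\Scripts, and it leaves -BadItemLimit at the default of 0 that the glossary below recommends.

```powershell
# Added example. Every value in this block is a placeholder (assumption).
$SourceDC     = 'dc01.source.example'                  # source forest DC/GC FQDN
$TargetDC     = 'dc01.target.example'                  # target forest DC FQDN
$TargetOU     = 'OU=Linked Users,DC=target,DC=example' # DN of new user OU
$TargetDB     = 'E2K10 Mailbox Database Name'
$TargetDomain = 'target.example'
$ListPath     = 'C:\Migration\users.csv'               # one SMTP address per line, no header
$ReportPath   = 'C:\Migration\prepare-results.csv'

$Rcred = Get-Credential   # source forest account
$Lcred = Get-Credential   # target forest account

# Split the list into unique, well-formed addresses and rejected lines.
$lines    = @(Get-Content $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$pattern  = '^[^@\s,;"]+@[^@\s,;"]+\.[^@\s,;"]+$'
$valid    = @($lines | Where-Object { $_ -match $pattern } | Sort-Object -Unique)
$rejected = @($lines | Where-Object { $_ -notmatch $pattern })
if ($rejected.Count) { Write-Warning "Skipping $($rejected.Count) malformed line(s): $($rejected -join '; ')" }

# Prepare each user separately so one failure is recorded instead of scrolling past.
$results = @(foreach ($addr in $valid) {
    $status = 'Prepared'; $detail = ''
    $ErrorActionPreference = 'Stop'   # make errors written by the script catchable
    try {
        .\Prepare-MoveRequest.ps1 -Identity $addr `
            -RemoteForestDomainController $SourceDC -RemoteForestCredential $Rcred `
            -LocalForestDomainController $TargetDC -LocalForestCredential $Lcred `
            -LinkedMailUser -TargetMailUserOU $TargetOU | Out-Null
    } catch {
        $status = 'Failed'; $detail = $_.Exception.Message
    } finally {
        $ErrorActionPreference = 'Continue'
    }
    New-Object PSObject -Property @{ Address = $addr; Status = $status; Detail = $detail }
})
$results | Select-Object Address, Status, Detail | Export-Csv $ReportPath -NoTypeInformation

# Move only the mailboxes that were prepared. -BadItemLimit is omitted, so the
# default of 0 applies and a corrupt item fails the move instead of being skipped.
$results | Where-Object { $_.Status -eq 'Prepared' } | ForEach-Object {
    New-MoveRequest -Identity $_.Address -RemoteLegacy -TargetDatabase $TargetDB `
        -RemoteGlobalCatalog $SourceDC -RemoteCredential $Rcred `
        -TargetDeliveryDomain $TargetDomain
}
```

The report file lists every address with its preparation status, so failed users can be fixed and re-run without touching the ones already queued.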
Glossary
Prepare-MoveRequest.ps1 | This is the script that comes with Exchange 2010 for preparing the mailbox move. |
Identity | The Identity parameter uniquely identifies a mailbox in the source forest. Identity can be any of the following: Common name (CN), Alias, proxyAddress property. |
RemoteForestCredential | The RemoteForestCredential parameter specifies the administrator who has permissions to copy data from the source forest Active Directory. |
RemoteForestDomainController | The RemoteForestDomainController parameter specifies a domain controller in the source forest where the mailbox resides. |
LinkedMailUser | The LinkedMailUser switch specifies whether to create a linked MailUser in the local forest for the mailbox user in the remote forest. If the switch is provided, the script creates a target MailUser object linked to the source mailbox. If the switch is omitted, the script creates a regular target MailUser object. |
LocalForestCredential | The LocalForestCredential parameter specifies the administrator with permissions to write data to the target forest Active Directory. |
LocalForestDomainController | The LocalForestDomainController parameter specifies a domain controller in the target forest where the mail-enabled user will be created. |
MailboxDeliveryDomain | The MailboxDeliveryDomain parameter specifies an authoritative domain of the source forest so that the script can select the correct source mailbox user’s proxyAddress property as the target mail-enabled user’s targetAddress property. By default, the primary SMTP address of the source mailbox user is set as the targetAddress property of the target mail-enabled user. |
TargetMailUserOU | The TargetMailUserOU parameter specifies the organizational unit (OU) under which the target mail-enabled user will be created. |
RemoteCredential | The RemoteCredential parameter specifies an administrator who has permission to perform the mailbox move, for example, Administrator@humongousinsurance.com. This parameter requires the creation and passing of a credential object. This credential object is created by using the Get-Credential cmdlet. |
RemoteGlobalCatalog | The RemoteGlobalCatalog parameter specifies the fully qualified domain name (FQDN) of the global catalog server for the remote forest. |
RemoteLegacy | The RemoteLegacy switch specifies that this mailbox move is from a remote forest that doesn’t have Exchange 2010 installed. You don’t have to specify a value with this parameter. |
BadItemLimit | The BadItemLimit parameter specifies the number of bad items to skip if the request encounters corruption in the mailbox. Use 0 to not skip bad items. The valid input range for this parameter is from 0 through 2147483647. The default value is 0. We recommend that you keep the default value 0 and only change the BadItemLimit parameter value if the request fails. |
TargetDatabase | The TargetDatabase parameter specifies the identity of the database that you’re moving the mailbox to. If you don’t specify the TargetDatabase parameter, the command uses the automatic mailbox distribution logic to determine the database to move to. |
TargetDeliveryDomain | The TargetDeliveryDomain parameter specifies the FQDN of the external e-mail address created in the source forest for the mail-enabled user when the move request is complete. This parameter is allowed only when performing remote moves with the Remote or RemoteLegacy parameter. |
New-MoveRequest | This is the command that moves the mailbox. |
LinkedCredential | The LinkedCredential parameter specifies credentials to use to access the domain controller specified by the LinkedDomainController parameter. This parameter is optional, even if you’re enabling a linked mailbox. |
LinkedDomainController | The LinkedDomainController parameter specifies the domain controller in the forest where the user account resides, if this mailbox is a linked mailbox. The domain controller in the forest where the user account resides is used to get security information for the account specified by the LinkedMasterAccount parameter. This parameter is required only if you’re connecting a linked mailbox. |
LinkedMasterAccount | The LinkedMasterAccount parameter specifies the master account in the forest where the user account resides, if this mailbox is a linked mailbox. The master account is the account to which the mailbox links. The master account grants access to the mailbox. You can use one of the following values: GUID, Distinguished name (DN), Domain\Account, User principal name (UPN), LegacyExchangeDN, SmtpAddress, Alias. This parameter is required only if you’re connecting a linked mailbox. |
Connect-Mailbox | Cmdlet that connects a disconnected mailbox to an Active Directory user object. |
Get-Content | Fetches the contents of the file at the specified path. |
Foreach | Statement that repeats a group of embedded statements for each element in an array or an object collection. |
Prabhat Nigam
Team @MSExchangeGuru
September 13th, 2011 at 5:29 am
Hi Team,
Could you please tell me where I can see the screenshot for this document, located in step 4 of Cross Forest E2K3 to 2010 Mailbox Migration with linked Mailboxes?
I really need to know how the CSV file will look.
“Create a csv file with the email ids of the users as per screenshot”.
Thanks
October 13th, 2011 at 6:18 pm
Can’t see the screenshot either.
October 14th, 2011 at 1:43 pm
Here it is.
bu222@prabhat.com
bu223@prabhat.com
April 13th, 2012 at 6:48 am
This article is kinda stupid in a way. Why is this stupid guy running preparemoverequest.ps1 with -linkedmailuser? When the user accounts are still present in the source forest and logging into the e2k3 forest and ADMT hasn't been run, why would you run the script with the “-linkedmailuser” parameter? The explanation as you have mentioned above (copy and paste from TechNet) says “The LinkedMailUser switch specifies whether to create a linked MailUser in the local forest for the mailbox user in the remote forest. If the switch is provided, the script creates a target MailUser object linked to the source mailbox. If the switch is omitted, the script creates a regular target MailUser object”.
Simpler approach: use preparemoverequest without the -linkedmailuser parameter, and let it create a simple mail-enabled user in the e2k10 forest. Move the mailbox and, in case you need linked mailboxes (if you are not moving users with ADMT at this time), follow the same procedure mentioned above to convert it to a linked mailbox.
Makes sense? Why increase complexity? Follow the simplest process.
June 8th, 2012 at 4:12 pm
wizkiddAssKicker:
This article is guiding you to use the same authentication forest but a different mailbox forest.
Linked mailboxes are being used in cloud and resource forest scenarios.
This is not a simple cross forest migration article. I would recommend you read TechNet about linked mailboxes and their requirements.
Prabhat
June 7th, 2013 at 1:25 pm
hi,
Pls send the document for Microsoft server SBS 2003 to Microsoft Server SBS 2011 Migration details
Thanks
Swarn Singh Chawla
June 17th, 2013 at 4:31 pm
Hi Swarn,
Kindly try this and share the issues.
August 12th, 2014 at 1:11 pm
Hi,
After Prepare-MoveRequest, a weird x500 address is appended to ex2003 user like /cn=recipients/cn=myuserfd886837
How to avoid this problem?
Thanks!
August 12th, 2014 at 1:18 pm
If it is done by prepare-moverequest then it is not a problem, it is a preparation to move the mailbox. Are you facing any issue with it?
August 13th, 2014 at 10:51 am
Thanks Prabhat.
At Ex2010 the x500 ends with cn=myuser, but at Ex2003 the x500 ends with cn=myuserfd886837
Is this a normal behavior?
Should the x500 at Ex2003 end with cn=myuserfd886837 when the user name is myuser?
Thanks.
August 13th, 2014 at 10:55 am
Yes, this is normal. Check your user's legacyExchangeDN value. It might be the same.
August 13th, 2014 at 11:06 am
Thanks Prabhat.
The Ex2010 target forest is a user-empty forest (there are no users/mailboxes). The Ex2010 mailboxes will be linked mailboxes. So there is no legacyExchangeDN value.
Thanks.
August 13th, 2014 at 11:25 am
Check the current value in the source.
August 13th, 2014 at 11:32 am
Thanks Prabhat,
At the source forest the legacyExchangeDN value ends with cn=myuser. Is it necessary for user accounts to exist in the Ex2010 target forest prior to mailbox migration?
Thanks.
August 13th, 2014 at 11:37 am
Prepare move request should create it.
August 13th, 2014 at 12:52 pm
Thanks Prabhat.
There are no problems with migration process. There are no problems when at Ex2003 the x500 ends with cn=myuserfd886837
Thanks for your valuable help.
May 26th, 2015 at 9:03 am
We have followed this post but we have faced the error “source domain controller unavailable or authentication failed”. We don’t understand which part we are missing, so please reply; your feedback would be really helpful for us.
May 26th, 2015 at 9:15 am
Looks like login failure. Probably wrong password.
May 26th, 2015 at 9:25 am
We have successfully created the session. Both target and source credentials are accessible, but the Prepare-MoveRequest.ps1 command is not working.
May 26th, 2015 at 5:50 pm
Check the permissions of your login ID.
May 27th, 2015 at 8:33 am
Thanks, it's working, but we are facing another problem as follows:
C:\Users\vivek.joshi\Desktop\Scripts\Prepare-MoveRequest.Ps1 : Error while creating MEU. Error:Error creating mailuser CN=,CN=Users,DC=softobiz,DC=net in local
forest or setting its mandatory attributes. Error: Exception calling “Exists” with “1” argument(s): “A referral was returned from the server.
”
At line:14 char:1
+ C:\Users\vivek.joshi\Desktop\Scripts\Prepare-MoveRequest.Ps1 -Identity $mail -Re …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Prepare-MoveRequest.Ps1
0 mailbox(s) ready to move.
Please give some advice.
May 27th, 2015 at 12:39 pm
Now it looks like permissions in the destination.
May 28th, 2015 at 12:18 am
We have full permissions for both source and destination. We are using the administrator account. We don’t know what we are missing; we don’t find the mailbox to move.