MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Exchange 2013: Cross Forest/ORG Migration from Exchange 2010/2007

Cross forest migration steps blog was long time due from us. So here we go!

Cross forest has changed little bit and requires 3rd party cert in the source domain. 

Some related blogs which can be useful before doing cross forest migration:

Exchange 2013 Design Guide – https://msexchangeguru.com/2013/07/30/exchange-2013-planning-and-design-guide/

Exchange 2013 Migration Guide – https://msexchangeguru.com/2013/05/10/exchange2013-migration/

Cross Forest E2K3 to 2010 Mailbox Migration with Linked Mailboxes – https://msexchangeguru.com/2011/08/29/migration/

Exchange 2013 PF Migration Guide – https://msexchangeguru.com/2013/04/18/exchange2013-public-folders/

This document has following assumptions:

  1. Source and Target forest have a one or 2 way forest trust. This is optional.
  2. All CAS, HT and MBX servers are installed in both the forests.
  3. All certificated are installed.
  4. Send and Receive connectors are configured
  5. Accepted domain and email address policy is configured.
  6. Disclaimer and any other exchange compliance or security rule configured.
  7. Antivirus and antispam are installed and configured.
  8. All the required ports are open between Exchange 2010 server and DCs to Exchange 2013 server and DCs
  9. All CAS and transport configuration completed with the help of Migration Guide
  10. All DAG and Database configuration complete with the help of Migration Guide
  11. All MX, CAS and autodiscover public and AD dns records are configured.

Steps to perform the Move mailbox:

  1. Extract all the emails of the user to PST so that any corrupt should not stop any migration or any big mailbox does not take hours to migrate. This is an optional step.
  2. Extract the AD attributes of the users like DisplayName, samaccountname, mailnickname, mail, legacyexchangeDN, proxyaddresses, homemdb, Publicdelegates, PublicdelegatesBL, Altrecipients, mail, mdbusedefaults, mDBOverHardQuotaLimit, mDBOverQuotaLimit, mDBStorageQuota by using csvde cmd or any AD extraction tool.
  3. Inform the user about the following either by email or in a session or call
    1. Explain the changes and new features in exchange 2013.
    2. Explain the issues and the solution during the coexistence.
    3. Explain about the Distribution List change if you have not provisioned.
    4. Explain about PF DB access will be from URL during coexistence
  4. Prepare Exchange 2013/2010/2007 for the migration

a. Upgrade and requirement:

  • Exchange 2013: CU2 or higher
  • Exchange 2010: SP3 or Higher
  • Exchange 2007: SP3 RU10 or higher

b. MRSProxy Configuration:

For cross-forest moves that are initiated from the target environment (known as a pull move type), you have to enable the MRS Proxy endpoint on Client Access servers in the source environment. For cross-forest moves that are initiated from the source environment (known as a push move type), you have to enable the MRS Proxy endpoint on Client Access servers in the target environment.

Run the below cmdlet in exchange 2010 and 2013.

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -Identity “EWS (Default Web Site)” -MRSProxyEnabled $true -MRSProxyMaxConnections 50

c. Import Certificate: Only for lab.

              In the working forest we should be using the 3rd party certificate and this will also the browsing the url without  warning. As far as we don’t see the red in the internet browser url bar, we don’t need the cert.

              Otherwise

              We need to import the root certificate from legacy exchange and import to the Exchange migration Servers certificate root. Basically the need is to access the url without certificate warning.

              https://remotehost(owa fqdn)/EWS/mrsproxy.svc

              If URL is not trusted then you will get the warning during migration as mentioned below:

              The call to ‘https://mail.irm.com/EWS/mrsproxy.svc’ failed. Error details: Could not establish trust relationship for the SSL/TLS secure channel with authority ‘mail.irm.com’. –> The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. –> The remote certificate is invalid according to the validation procedure..

              + CategoryInfo : NotSpecified: (:) [New-MoveRequest], RemoteTransientException

              + FullyQualifiedErrorId : [Server=2013VTC1,RequestId=2545e7db-29c5-4f09-820e-e36bc9e72fee,TimeStamp=10/20/2013 6:49:20 PM] DA23F7A0,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

              + PSComputerName : 2013vtc1.vtc2013.edu


 

5. Login and Authentication

  • Login on the target domain with the user which have permissions in both the exchange org/forest
  • Open the powershell and run the following commands to save the source domain credential. Keep the Powershell open until we finish this document.

           $Rcred = Get-Credential

.

6. Creating new objects in the target forest 

      Go to the “C:Program FilesMicrosoftExchange ServerV15Scripts” directory in powershell to Run the following command

     For one mailbox

     .Prepare-MoveRequest.ps1 -Identity “Email id of the mailbox” -RemoteForestDomainController “sourcedomainFQDN” -RemoteForestCredential $Rcred -TargetMailUserOU “DN of the OU”

     For Bulk mailbox

  • Create a csv file with the email ids of the users as per screenshot.
  • Run the following cmd from powershell after going to v14scripts directory

          $Users = get-content “pathname.csv of csv file”.

  • Run the following cmd

Foreach ($User in $Users) {.Prepare-MoveRequest.ps1 –identity $User -RemoteForestDomainController “Source Domain Controller FQDN” -RemoteForestCredential $Rcred -TargetMailUserOU “DN of new user OU”}

OR
Creating Linked objects for the Resource Forest configuration.
For Linked user run the below command. This is useful for cloud kind of configuration where your authentication forest is different than exchange forest. We call it a resource forest configuration of exchange

Single User
Prepare-MoveRequest.ps1 -Identity “Email id of the mailbox” -RemoteForestDomainController “Source Domain Controller FQDN” -RemoteForestCredential $Rcred -LinkedMailUser -TargetMailUserOU “DN of the OU”

Or

For bulk users

  • Create a csv file with the email ids of the users as per screenshot.
  • Run the following cmd from powershell after going to v15scripts directory

          $Users = get-content “pathname.csv of csv file”.

  • Run the following cmd

Foreach ($User in $Users) {.Prepare-MoveRequest.ps1 –identity $User -RemoteForestDomainController “Source Domain Controller FQDN” -RemoteForestCredential $Rcred -LinkedMailUser -TargetMailUserOU “DN of new user OU”}

7. Move Mailbox
Run the below command to move mailbox
For Single user

Exchange 2010 –  New-MoveRequest -Identity “mbx1” -Remote -TargetDatabase “Netcom1″ -RemoteGlobalCatalog pndc.irm.com” -RemoteCredential $Rcred -TargetDeliveryDomain “vtc2013.edu” -RemoteHostName mail.IRM.COM

Exchange 2007 – New-MoveRequest -Identity “mbx1” -Remotelegacy -TargetDatabase “Netcom1″ -RemoteGlobalCatalog pndc.irm.com” -RemoteCredential $Rcred -TargetDeliveryDomain “vtc2013.edu” 

 

For Bulk user

Exchange 2010 – Get-content “pathname.csv of csv file” | New-MoveRequest -Remote -TargetDatabase “Netcom1” -RemoteGlobalCatalog “pndc.irm.com” -RemoteCredential $Rcred -TargetDeliveryDomain “vtc2013.edu” -RemoteHostName mail.IRM.COM

Exchange 2007 – Get-content “pathname.csv of csv file” | New-MoveRequest -Remotelegacy -TargetDatabase “Netcom1” -RemoteGlobalCatalog “pndc.irm.com” -RemoteCredential $Rcred -TargetDeliveryDomain “vtc2013.edu”

8. To check the move status

Run the below cmd to check the move status

Get-moverequest


Run the below cmd to check the statistics of the move

Get-MoveRequestStatistics mbx1 | fl


Run the below cmd to remove the moves

Get-moverequest | remove-moverequest

Or

Get-moverequest –status Completed | remove-moverequest.

The Migration ends here.

—————————————————————————————————————————————-

Prabhat Nigam

Microsoft MVP | Exchange Server

Team@MSExchangeGuru


91 Responses to “Exchange 2013: Cross Forest/ORG Migration from Exchange 2010/2007”

  1. Prabhat Nigam Says:

    It will be similar to this cross forest move but it is very interesting scenario. I will test in my lab as soon as I get some time.

  2. Hawryk Says:

    Cheers Prabhat,
    This is what I think it needs for this scenario:
    Trust between both forests including permission to the admin account that be used for the mailbox moves.
    a PS script to move the mailboxes
    a tool to move Distribution Groups and Contacts
    link the local AD accounts to the newly created mailboxes.

    regards

  3. Prabhat Nigam Says:

    For Distribution Groups and Contacts you need ADMT, rest all is mentioned in the blog. Please take a deep look.

  4. Nitin Says:

    Hi Prabhat,

    Need to know below as the above scenario covers migration of users from legacy exchange forest to new exchange 2013 forest.
    Is there anyway we can allow Exchange 2013 users to look at Exchange 2010 public folder in cross forest scenario ?
    There is TechNet blog which describe steps to configure Exchange 2013 for legacy public folder access. However there is no such doc for cross forest scenario.
    Please let me know your recommendation to get it done or work around.

  5. Prabhat Nigam Says:

    Try owa url with /public in place of owa of 2010 forest.

    Users will have to login with 2010 authentication

  6. Kim Kristensen Says:

    Since the MRSproxy command isn’t available in Exchange 2007, what needs to be done on the Exchange 2007 server prior to migrating mailboxes?
    Get- WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -Identity “EWS (Default Web Site)” -MRSProxyEnabled $true -MRSProxyMaxConnections 50

  7. hawry Says:

    Hi Prabhat,

    A question regarding schema upgrade, currently our forest/domain has no Exchange installed but planning to deploy Exchange 2013. But our environment has been applied with schema for exchange 2003. My question is do we need to clear or remove this version of schema before preparing exchange 2013 schema upgrade.

    thank you
    HK

  8. Mike Says:

    Schema updates are not removable. The Exchange 2013 schema update will add what it wants regardless of what was added by Exchange 2003. Think of it more like “in addition to”.

  9. Prabhat Nigam Says:

    Mike
    It is not completely true. Exchange 2013 verifies many 2003 configuration.

  10. Prabhat Nigam Says:

    Hawry,
    You should have removed 2003 completely else 2013 schema update will not run.
    Make sure we have moved all roles from 2003 to 2010 or 2007 – https://msexchangeguru.com/2014/05/31/e2003removale2010mixedmode/

  11. Mike Says:

    Can you please explain how to remove the Exchange 2003 schema updates? This will be a learning experience for me.

    Thanks

  12. Prabhat Nigam Says:

    All I am talking about removing Exchange 2003 configurations.

  13. Mike Says:

    Oh I was just referring to the fact he said “our forest/domain has no Exchange installed”.

  14. ExchangeROCKS Says:

    Hi Mark/Prabhat,

    There is no Exchange deployment in our forest/domain environment. However, the schema and domain has been preped in the past with Exchange 2003.
    I understand the Exchange upgrade process but in this case there is going to be no upgrade. instead we will be deploying Exchange 2013 fresh to our environment.

    Someone mentioned that we will need to remove the 2003 schema/attribute from AD prior to running the AD/Schema prep for Exchange 2013.

    thank you,

  15. Prabhat Says:

    If you have removed exchange 2003 gracefully then you should be good.

  16. Alexander Says:

    Hi Prabhat,
    excellent Article, thanks for sharing. I Need to move about 250 Users to complete new AD 2012R2 and Exchange 2013 from Exchange 2010. So my question is, what do i better run first, ADMT migrating User Accounts or should i use the prepare-moverequest-ps1 script? If i youse the script is it still necessary to run the ADMT Tool. My Goal is to decomission the ald AD and Exchange Server. Thank you very much.

  17. Prabhat Nigam Says:

    Hi Alex,

    I would prefer to know the reason why would you like to go for new forest, unless there is a merger and domain change is required.

    Cross forest migration adds more work than it looks. Yes, ADMT is required to sync password. Migration users with password then their computers then mailboxes then DLs then application servers.

  18. Alexander Says:

    Hi Prabhat,
    thanks for your reply. The main reason is to go away from a .local Domain to a .com top Level Domain. Next, we need to merge some Branch Offices ADs to one AD and in addition, there were made too many misconfigurations in the old AD as it is a grown structure over the past 15 years, so we need to start from scratch. What would you recommend?

  19. Prabhat Nigam Says:

    Hi Alex,

    I would recommend same AD. Why do you wish to change from .local to .com?

    .local is much safer.

    In my view use old AD, migrate branches to the same AD.
    If the AD is old and you are suspecting some issues then it would be better to do an AD Health check and remediation.

    At the end of the day you have just 250 users, how many AD issues you may have, unless best practices were not followed.

    But if you are still willing to go for cross forest them be prepared for more complexity than you are expecting right now.

  20. MigrationGuy Says:

    How do you migrate public folders from 2013 to 2013 when merging companies?

  21. Prabhat Nigam Says:

    What is the issue you are facing? I can think of just migrating the mailboxes at this moment.

  22. boe Says:

    Hello,

    I couldn’t figure out the powershell.

    I didn’t see anything about setting up a trust between the domains

    I ran the $Rcred = Get-Credential on the new exchange server and given it domain admin credentials

    My email domain on both is emaildomain.com

    My old internal domain is oldinternal.lan

    My new internal domain is newinternal.lan

    My exchange db on the old domain is olddb

    My exchange db on the new domain is newdb

    My domain controller on the old domain is olddc.oldinternal.lan

    My domain controller on the new domain is newdc.newinternal.lan

    My old email external address is oldmail.externaladddress.com

    My new email external address is newmail.externaladdress.com (which the old server can resolve to the new internal address as both are on the same internal subnet)

    The users are set up on both domains.

    I’m trying the command from the powershell on the old Exchange 2010 server –

    New-MoveRequest -Identity “jsmith” -Remote -TargetDatabase “newdb″ -RemoteGlobalCatalog “newdc.newinternal.lan” -RemoteCredential $Rcred -TargetDeliveryDomain “newinternal.lan” -RemoteHostName newmail.externaladdress.com

    What I get is a double >> and nothing happens press enter and you’ll still get the >> cursor on the next line

  23. Prabhat Nigam Says:

    Run on Exchange management shell on Exchange 2013

  24. boe Says:

    Thanks – I tried on the Exchange 2013 server just now – the result is still >>. Given the variables I’ve supplied could you please give me the exact command to type?

  25. Prabhat Nigam Says:

    you are missing inverted commas somewhere or you have supplied an extra space.
    Send me the screenshot at prabhat@MSExchangeGuru.com

  26. john Says:

    Hi

    I’m moving exchange 2013 to a new exchange 2013 in another forest.
    I have to move groups,users and computers first before I do the exchange 2013 migration?

    And would this guide be the same for the above scenario?

    Thanks
    John

  27. Prabhat Nigam Says:

    No John. You have to run Admt to migrate users groups and computers.

  28. john Says:

    Thanks for the reply. Cool. I know but the sequence is run ADMT 3.2 first.
    Per https://technet.microsoft.com/en-us/library/ee861103

  29. Prabhat Nigam Says:

    Yes, ADMT first. ADMT user migration, then computers migration then mailbox migration then group and servers migration.

  30. Prabhat Nigam Says:

    You can ignore this command on Exchange 2007. Rest of the other migration commands are mentioned in the blog. This should have worked.

  31. Michael Says:

    How will Outlook behave post migration? would one need to reconfigure or will it re-connect to the new exchange environment after restart? (considering auto-discover is setup correctly)

  32. Simon Says:

    For anyone getting the >> when running the new move request command, the issue is due to copying and pasting the command from the website. Some of the quotes get changed to a “?” symbol. Just replace all the quotes before you run the command.

  33. Prabhat Nigam Says:

    User just need to restart outlook after the popup.

  34. Michael Says:

    receiving the error below doing move request. any idea? I’ve enable mrsproxy and no cert errors from the target domain.

    MRSProxyEnabled : True
    MRSProxyMaxConnections : 50

    The call to ‘https://s7nysrvex01.s7dev.local/EWS/mrsproxy.svc’ failed. Error details: The requested service,
    ‘https://s7nysrvex01.s7dev.local/EWS/mrsproxy.svc’ could not be activated. See the server’s diagnostic trace logs for
    more information..
    + CategoryInfo : NotSpecified: (:) [New-MoveRequest], RemoteTransientException
    + FullyQualifiedErrorId : [Server=HORIZON-EXCH,RequestId=d9bd3ea5-b856-4553-8184-3f301dd37b82,TimeStamp=5/31/2016
    4:15:20 PM] [FailureCategory=Cmdlet-RemoteTransientException] 80274777,Microsoft.Exchange.Management.RecipientTask
    s.NewMoveRequest
    + PSComputerName : horizon-exch.horizon.local

  35. Prabhat Nigam Says:

    What are you doing? A cross forest move or something else.

  36. Prabhat Nigam Says:

    Update AD replication
    and
    get-mailboxdatabase |clean-mailboxdatabase

  37. Migrer vos ressources Exchange vers une nouvelle organisation sans impacter vos utilisateurs – La communauté METSYS Says:

    […] boîte aux lettres entre 2 organisations Exchange différentes. Je vous invite à lire l’article https://msexchangeguru.com/2013/11/03/e2013crossforestmigration. Microsoft fournissait avec Exchange 2003  un outil pour migrer les dossiers publics entre 2 […]

  38. Binosh Says:

    Hi,

    In Exchange 2007 and 2013 Cross forest migration, Coexistence possible? Exchange 2013 can redirect the OWA/Auto discovery to 2007 if the user mailbox not migrated yet.

    Thanks,
    Binosh

  39. Prabhat Nigam Says:

    Coexistence possible but generally you have use 2 urls one for 2007 and other for 2013. For on-Prem to office 365 we are using targetowaurl value which I hv not tested in 2013 to 2007 redirection so You can try your luck with targetowaurl. Technically I think it should work but I can’t confirm. Test and update here. Below blog will help you in configuring this value.
    https://msexchangeguru.com/2015/03/29/cu8activesyncmigrationchange/

  40. Tirou Says:

    Hi,
    It is possible to configure cross domain relationship between Exchange server 2007 (CCR) and Exchange server 2016 to have free busy. If the answer is “Yes” what is prerequisite for each domain level AD i.e Active Directory domain and forest level. whether we have to windows 2003 or 2008 or Full 2012.
    Thanks
    Tirou

  41. Prabhat Nigam Says:

    You need to configure Calendar federation.

Leave a Reply

Categories

Archives

MSExchangeGuru.com