Exchange 2013: Cross Forest/ORG Migration from Exchange 2010/2007
A blog on cross-forest migration steps was long overdue from us. So here we go!
Cross-forest migration has changed a little bit and requires a 3rd-party cert in the source domain.
Some related blogs which can be useful before doing a cross-forest migration:
Exchange 2013 Design Guide – https://msexchangeguru.com/2013/07/30/exchange-2013-planning-and-design-guide/
Exchange 2013 Migration Guide – https://msexchangeguru.com/2013/05/10/exchange2013-migration/
Cross Forest E2K3 to 2010 Mailbox Migration with Linked Mailboxes – https://msexchangeguru.com/2011/08/29/migration/
Exchange 2013 PF Migration Guide – https://msexchangeguru.com/2013/04/18/exchange2013-public-folders/
This document makes the following assumptions:
- Source and target forests have a one-way or two-way forest trust. This is optional.
- All CAS, HT and MBX servers are installed in both the forests.
- All certificates are installed.
- Send and Receive connectors are configured.
- Accepted domains and email address policies are configured.
- Disclaimers and any other Exchange compliance or security rules are configured.
- Antivirus and antispam are installed and configured.
- All the required ports are open between the Exchange 2010 servers and DCs and the Exchange 2013 servers and DCs.
- All CAS and transport configuration is completed with the help of the Migration Guide.
- All DAG and database configuration is completed with the help of the Migration Guide.
- All MX, CAS and autodiscover public and AD DNS records are configured.
Steps to perform the Move mailbox:
1. Extract all the emails of the user to PST so that a corrupt item does not stop the migration and a big mailbox does not take hours to migrate. This is an optional step.
2. Extract the AD attributes of the users, like DisplayName, samaccountname, mailnickname, mail, legacyexchangeDN, proxyaddresses, homemdb, Publicdelegates, PublicdelegatesBL, Altrecipients, mail, mdbusedefaults, mDBOverHardQuotaLimit, mDBOverQuotaLimit, mDBStorageQuota, by using the csvde command or any AD extraction tool.
3. Inform the users about the following, either by email, in a session or on a call:
- Explain the changes and new features in Exchange 2013.
- Explain the issues and the solutions during the coexistence.
- Explain the Distribution List change if you have not provisioned.
- Explain that PF DB access will be from a URL during coexistence.
4. Prepare Exchange 2013/2010/2007 for the migration
a. Upgrade and requirement:
- Exchange 2013: CU2 or higher
- Exchange 2010: SP3 or higher
- Exchange 2007: SP3 RU10 or higher
b. MRSProxy Configuration:
For cross-forest moves that are initiated from the target environment (known as a pull move type), you have to enable the MRS Proxy endpoint on Client Access servers in the source environment. For cross-forest moves that are initiated from the source environment (known as a push move type), you have to enable the MRS Proxy endpoint on Client Access servers in the target environment.
Run the below cmdlet in Exchange 2010 and 2013.
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyMaxConnections 50
In the working forest we should be using a 3rd-party certificate, which also allows browsing the URL without a warning. As long as we don't see red in the browser's URL bar, we don't need the cert.
Otherwise, we need to take the root certificate from the legacy Exchange and import it into the certificate root store of the Exchange migration servers. Basically, the need is to access the following URL without a certificate warning:
https://remotehost(owa fqdn)/EWS/mrsproxy.svc
If the URL is not trusted, you will get the warning shown below during migration:
The call to ‘https://mail.irm.com/EWS/mrsproxy.svc’ failed. Error details: Could not establish trust relationship for the SSL/TLS secure channel with authority ‘mail.irm.com’. –> The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. –> The remote certificate is invalid according to the validation procedure..
+ CategoryInfo : NotSpecified: (:) [New-MoveRequest], RemoteTransientException
+ FullyQualifiedErrorId : [Server=2013VTC1,RequestId=2545e7db-29c5-4f09-820e-e36bc9e72fee,TimeStamp=10/20/2013 6:49:20 PM] DA23F7A0,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
+ PSComputerName : 2013vtc1.vtc2013.edu
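A pre-flight check for the trust failure shown above, as an added example that is not part of the original post: it opens a TLS connection to the remote CAS with normal certificate validation and reports why validation fails (name mismatch, untrusted root, expiry) instead of bypassing it. The function name Test-MrsProxyCertificate and the host name in the usage comment are placeholders.

```powershell
# Added example, not from the original post. Test-MrsProxyCertificate and the
# host name in the usage line are placeholders; use the remote forest's EWS FQDN.
function Test-MrsProxyCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$RemoteHost,
        [int]$Port = 443
    )
    # Populated by the validation callback while the TLS handshake runs.
    $seen = @{ PolicyErrors = $null; ChainStatus = @(); Subject = $null
               Issuer = $null; NotAfter = $null; Failure = $null }

    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.PolicyErrors = $sslPolicyErrors
        if ($chain) {
            $seen.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
        }
        if ($certificate) {
            $seen.Subject  = $certificate.Subject
            $seen.Issuer   = $certificate.Issuer
            $seen.NotAfter = $certificate.GetExpirationDateString()
        }
        # Return the real verdict, so the handshake fails when validation fails.
        $sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($RemoteHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try     { $ssl.AuthenticateAsClient($RemoteHost) }
        catch   { $seen.Failure = $_.Exception.Message }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }

    $clean = $seen.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None
    [pscustomobject]@{
        Url          = "https://$RemoteHost/EWS/mrsproxy.svc"
        Trusted      = ($clean -and -not $seen.Failure)
        PolicyErrors = $seen.PolicyErrors              # e.g. RemoteCertificateNameMismatch
        ChainStatus  = ($seen.ChainStatus -join ', ')  # e.g. UntrustedRoot
        Subject      = $seen.Subject
        Issuer       = $seen.Issuer
        NotAfter     = $seen.NotAfter
        Failure      = $seen.Failure
    }
}

# Run on the Exchange server that will issue New-MoveRequest:
# Test-MrsProxyCertificate -RemoteHost 'mail.source.example'
```

The check uses the certificate stores visible to the account running it, so a root certificate that exists only in that user's store can pass here and still fail for the service.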
5. Login and Authentication
- Log in to the target domain with a user that has permissions in both Exchange orgs/forests.
- Open PowerShell and run the following command to save the source domain credential. Keep the PowerShell window open until we finish this document.
$Rcred = Get-Credential
6. Creating new objects in the target forest
Go to the "C:\Program Files\Microsoft\Exchange Server\V15\Scripts" directory in PowerShell to run the following command.
For one mailbox
.\Prepare-MoveRequest.ps1 -Identity "Email id of the mailbox" -RemoteForestDomainController "sourcedomainFQDN" -RemoteForestCredential $Rcred -TargetMailUserOU "DN of the OU"
For Bulk mailbox
- Create a csv file with the email ids of the users as per screenshot.
- Run the following cmd from PowerShell after going to the v14\scripts directory
$Users = Get-Content "pathname.csv of csv file"
- Run the following cmd
Foreach ($User in $Users) {.\Prepare-MoveRequest.ps1 -Identity $User -RemoteForestDomainController "Source Domain Controller FQDN" -RemoteForestCredential $Rcred -TargetMailUserOU "DN of new user OU"}
Single User
.\Prepare-MoveRequest.ps1 -Identity "Email id of the mailbox" -RemoteForestDomainController "Source Domain Controller FQDN" -RemoteForestCredential $Rcred -LinkedMailUser -TargetMailUserOU "DN of the OU"
Or
For bulk users
- Create a csv file with the email ids of the users as per screenshot.
- Run the following cmd from PowerShell after going to the v15\scripts directory
$Users = Get-Content "pathname.csv of csv file"
- Run the following cmd
Foreach ($User in $Users) {.\Prepare-MoveRequest.ps1 -Identity $User -RemoteForestDomainController "Source Domain Controller FQDN" -RemoteForestCredential $Rcred -LinkedMailUser -TargetMailUserOU "DN of new user OU"}
Exchange 2010 – New-MoveRequest -Identity "mbx1" -Remote -TargetDatabase "Netcom1" -RemoteGlobalCatalog "pndc.irm.com" -RemoteCredential $Rcred -TargetDeliveryDomain "vtc2013.edu" -RemoteHostName mail.IRM.COM
Exchange 2007 – New-MoveRequest -Identity "mbx1" -RemoteLegacy -TargetDatabase "Netcom1" -RemoteGlobalCatalog "pndc.irm.com" -RemoteCredential $Rcred -TargetDeliveryDomain "vtc2013.edu"
For Bulk user
Exchange 2010 – Get-Content "pathname.csv of csv file" | New-MoveRequest -Remote -TargetDatabase "Netcom1" -RemoteGlobalCatalog "pndc.irm.com" -RemoteCredential $Rcred -TargetDeliveryDomain "vtc2013.edu" -RemoteHostName mail.IRM.COM
Exchange 2007 – Get-Content "pathname.csv of csv file" | New-MoveRequest -RemoteLegacy -TargetDatabase "Netcom1" -RemoteGlobalCatalog "pndc.irm.com" -RemoteCredential $Rcred -TargetDeliveryDomain "vtc2013.edu"
Run the below cmd to check the move status
Get-MoveRequest
Run the below cmd to check the statistics of the move
Get-MoveRequestStatistics mbx1 | fl
Run the below cmd to remove the moves
Get-MoveRequest | Remove-MoveRequest
Or
Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest
The Migration ends here.
—————————————————————————————————————————————-
Prabhat Nigam
Microsoft MVP | Exchange Server
Team@MSExchangeGuru
May 26th, 2015 at 5:56 pm
It will be similar to this cross forest move but it is a very interesting scenario. I will test in my lab as soon as I get some time.
May 31st, 2015 at 2:44 pm
Cheers Prabhat,
This is what I think it needs for this scenario:
Trust between both forests including permission to the admin account that be used for the mailbox moves.
a PS script to move the mailboxes
a tool to move Distribution Groups and Contacts
link the local AD accounts to the newly created mailboxes.
regards
May 31st, 2015 at 8:26 pm
For Distribution Groups and Contacts you need ADMT, rest all is mentioned in the blog. Please take a deep look.
June 2nd, 2015 at 4:01 am
Hi Prabhat,
Need to know below as the above scenario covers migration of users from legacy exchange forest to new exchange 2013 forest.
Is there anyway we can allow Exchange 2013 users to look at Exchange 2010 public folder in cross forest scenario ?
There is TechNet blog which describe steps to configure Exchange 2013 for legacy public folder access. However there is no such doc for cross forest scenario.
Please let me know your recommendation to get it done or work around.
June 2nd, 2015 at 9:03 am
Try owa url with /public in place of owa of 2010 forest.
Users will have to login with 2010 authentication
June 17th, 2015 at 8:16 am
Since the MRSproxy command isn’t available in Exchange 2007, what needs to be done on the Exchange 2007 server prior to migrating mailboxes?
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyMaxConnections 50
June 18th, 2015 at 6:22 pm
Hi Prabhat,
A question regarding schema upgrade, currently our forest/domain has no Exchange installed but planning to deploy Exchange 2013. But our environment has been applied with schema for exchange 2003. My question is do we need to clear or remove this version of schema before preparing exchange 2013 schema upgrade.
thank you
HK
June 18th, 2015 at 7:45 pm
Schema updates are not removable. The Exchange 2013 schema update will add what it wants regardless of what was added by Exchange 2003. Think of it more like “in addition to”.
June 18th, 2015 at 8:17 pm
Mike
It is not completely true. Exchange 2013 verifies many 2003 configurations.
June 18th, 2015 at 8:24 pm
Hawry,
You should have removed 2003 completely else 2013 schema update will not run.
Make sure we have moved all roles from 2003 to 2010 or 2007 – https://msexchangeguru.com/2014/05/31/e2003removale2010mixedmode/
June 19th, 2015 at 8:39 am
Can you please explain how to remove the Exchange 2003 schema updates? This will be a learning experience for me.
Thanks
June 20th, 2015 at 2:24 am
All I am talking about is removing Exchange 2003 configurations.
June 20th, 2015 at 10:15 am
Oh I was just referring to the fact he said “our forest/domain has no Exchange installed”.
July 27th, 2015 at 11:40 am
Hi Mark/Prabhat,
There is no Exchange deployment in our forest/domain environment. However, the schema and domain have been prepped in the past with Exchange 2003.
I understand the Exchange upgrade process but in this case there is going to be no upgrade. instead we will be deploying Exchange 2013 fresh to our environment.
Someone mentioned that we will need to remove the 2003 schema/attribute from AD prior to running the AD/Schema prep for Exchange 2013.
thank you,
July 27th, 2015 at 12:48 pm
If you have removed exchange 2003 gracefully then you should be good.
July 27th, 2015 at 4:08 pm
Hi Prabhat,
Excellent article, thanks for sharing. I need to move about 250 users to a completely new AD 2012R2 and Exchange 2013 from Exchange 2010. So my question is, what do I better run first, ADMT migrating user accounts or should I use the prepare-moverequest-ps1 script? If I use the script, is it still necessary to run the ADMT tool? My goal is to decommission the old AD and Exchange Server. Thank you very much.
July 27th, 2015 at 4:43 pm
Hi Alex,
I would prefer to know the reason why would you like to go for new forest, unless there is a merger and domain change is required.
Cross forest migration adds more work than it looks. Yes, ADMT is required to sync passwords. Migrate users with passwords, then their computers, then mailboxes, then DLs, then application servers.
July 28th, 2015 at 2:21 am
Hi Prabhat,
thanks for your reply. The main reason is to go away from a .local Domain to a .com top Level Domain. Next, we need to merge some Branch Offices ADs to one AD and in addition, there were made too many misconfigurations in the old AD as it is a grown structure over the past 15 years, so we need to start from scratch. What would you recommend?
July 28th, 2015 at 4:18 am
Hi Alex,
I would recommend same AD. Why do you wish to change from .local to .com?
.local is much safer.
In my view use old AD, migrate branches to the same AD.
If the AD is old and you are suspecting some issues then it would be better to do an AD Health check and remediation.
At the end of the day you have just 250 users, how many AD issues you may have, unless best practices were not followed.
But if you are still willing to go for cross forest then be prepared for more complexity than you are expecting right now.
July 30th, 2015 at 11:04 pm
How do you migrate public folders from 2013 to 2013 when merging companies?
August 5th, 2015 at 5:58 am
What is the issue you are facing? I can think of just migrating the mailboxes at this moment.
September 29th, 2015 at 10:39 am
Hello,
I couldn’t figure out the powershell.
I didn’t see anything about setting up a trust between the domains
I ran the $Rcred = Get-Credential on the new exchange server and given it domain admin credentials
My email domain on both is emaildomain.com
My old internal domain is oldinternal.lan
My new internal domain is newinternal.lan
My exchange db on the old domain is olddb
My exchange db on the new domain is newdb
My domain controller on the old domain is olddc.oldinternal.lan
My domain controller on the new domain is newdc.newinternal.lan
My old email external address is oldmail.externaladddress.com
My new email external address is newmail.externaladdress.com (which the old server can resolve to the new internal address as both are on the same internal subnet)
The users are set up on both domains.
I’m trying the command from the powershell on the old Exchange 2010 server –
New-MoveRequest -Identity “jsmith” -Remote -TargetDatabase “newdb″ -RemoteGlobalCatalog “newdc.newinternal.lan” -RemoteCredential $Rcred -TargetDeliveryDomain “newinternal.lan” -RemoteHostName newmail.externaladdress.com
What I get is a double >> and nothing happens press enter and you’ll still get the >> cursor on the next line
September 29th, 2015 at 1:43 pm
Run on Exchange management shell on Exchange 2013
September 29th, 2015 at 8:12 pm
Thanks – I tried on the Exchange 2013 server just now – the result is still >>. Given the variables I’ve supplied could you please give me the exact command to type?
September 30th, 2015 at 2:56 am
you are missing inverted commas somewhere or you have supplied an extra space.
Send me the screenshot at prabhat@MSExchangeGuru.com
October 7th, 2015 at 10:07 pm
Hi
I’m moving exchange 2013 to a new exchange 2013 in another forest.
I have to move groups,users and computers first before I do the exchange 2013 migration?
And would this guide be the same for the above scenario?
Thanks
John
October 8th, 2015 at 12:26 am
No John. You have to run Admt to migrate users groups and computers.
October 8th, 2015 at 10:40 pm
Thanks for the reply. Cool. I know but the sequence is run ADMT 3.2 first.
Per https://technet.microsoft.com/en-us/library/ee861103
October 9th, 2015 at 1:27 am
Yes, ADMT first. ADMT user migration, then computers migration then mailbox migration then group and servers migration.
October 13th, 2015 at 5:36 pm
You can ignore this command on Exchange 2007. Rest of the other migration commands are mentioned in the blog. This should have worked.
May 19th, 2016 at 1:00 pm
How will Outlook behave post migration? would one need to reconfigure or will it re-connect to the new exchange environment after restart? (considering auto-discover is setup correctly)
May 27th, 2016 at 10:36 am
For anyone getting the >> when running the new move request command, the issue is due to copying and pasting the command from the website. Some of the quotes get changed to a “?” symbol. Just replace all the quotes before you run the command.
May 27th, 2016 at 2:57 pm
User just need to restart outlook after the popup.
May 31st, 2016 at 12:47 pm
Receiving the error below doing a move request. Any idea? I've enabled mrsproxy and there are no cert errors from the target domain.
MRSProxyEnabled : True
MRSProxyMaxConnections : 50
The call to ‘https://s7nysrvex01.s7dev.local/EWS/mrsproxy.svc’ failed. Error details: The requested service,
‘https://s7nysrvex01.s7dev.local/EWS/mrsproxy.svc’ could not be activated. See the server’s diagnostic trace logs for
more information..
+ CategoryInfo : NotSpecified: (:) [New-MoveRequest], RemoteTransientException
+ FullyQualifiedErrorId : [Server=HORIZON-EXCH,RequestId=d9bd3ea5-b856-4553-8184-3f301dd37b82,TimeStamp=5/31/2016
4:15:20 PM] [FailureCategory=Cmdlet-RemoteTransientException] 80274777,Microsoft.Exchange.Management.RecipientTask
s.NewMoveRequest
+ PSComputerName : horizon-exch.horizon.local
June 1st, 2016 at 2:35 am
What are you doing? A cross forest move or something else.
June 6th, 2016 at 4:30 am
Update AD replication
and
get-mailboxdatabase |clean-mailboxdatabase
June 22nd, 2016 at 5:33 pm
[…] mailbox between 2 different Exchange organizations. I invite you to read the article https://msexchangeguru.com/2013/11/03/e2013crossforestmigration. With Exchange 2003, Microsoft provided a tool for migrating public folders between 2 […]
January 21st, 2017 at 3:03 am
Hi,
In Exchange 2007 and 2013 Cross forest migration, Coexistence possible? Exchange 2013 can redirect the OWA/Auto discovery to 2007 if the user mailbox not migrated yet.
Thanks,
Binosh
January 21st, 2017 at 3:43 am
Coexistence is possible but generally you have to use 2 URLs, one for 2007 and the other for 2013. For on-prem to Office 365 we are using the targetowaurl value, which I have not tested in 2013 to 2007 redirection, so you can try your luck with targetowaurl. Technically I think it should work but I can't confirm. Test and update here. The blog below will help you in configuring this value.
https://msexchangeguru.com/2015/03/29/cu8activesyncmigrationchange/
May 5th, 2017 at 3:20 am
Hi,
It is possible to configure cross domain relationship between Exchange server 2007 (CCR) and Exchange server 2016 to have free busy. If the answer is “Yes” what is prerequisite for each domain level AD i.e Active Directory domain and forest level. whether we have to windows 2003 or 2008 or Full 2012.
Thanks
Tirou
May 9th, 2017 at 11:22 pm
You need to configure Calendar federation.