A friend of mine reached out today asking for help on a migration project. They are using Quest for a customer's AD/Exchange migration and are stuck on the large effort of preparing the systems. I think Quest should already provide tooling to get the permissions ready quickly, but from a project-execution standpoint a proven checklist makes you more comfortable, especially when the customer wants to know exactly what changes you make to their environment.

This is the quick checklist I personally consolidated over past projects; give it a try.

**Only proven on a migration from Exchange Server 2003 to 2010**

Domain Preparation

Source Domain Controller (xxx.com)

- Domain Controller Host Name
- AD Site
- Domain Controller IP Address
- IP Setting: DNS Servers
- IP Setting: WINS Server
- Domain Controller Operating System
- Domain Controller Roles
- Domain Functional Level
- Forest Functional Level
- DNS Setting: List all available domain zones
- DNS Setting: Conditional Forwarders
- DNS Setting: Conditional Forwarders Target
- Zone Transfer (only transfer to the specified IP addresses)
- Create Secondary Zone
- Secondary Zone Resolves Successfully
- DNS FQDN Name Ping Test (on Source SPOC DCs - xxx)
- FQDN Name Ping Result
- NetBIOS Name Resolution
- NetBIOS Name Ping Result
- Windows Server Support Tools Installed
- Firewall turned off for all client PCs
  1. Turn off "Security Center" through Group Policy
  2. Disable the Windows Firewall service through Group Policy
- Enable GC replication and indexing for the service attributes:
  - adminDisplayName
  - extensionAttribute15
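The Domain Controller rows above (and the identical rows for the target DC) are facts to record rather than changes to make. As an added example that is not part of the original checklist, the following PowerShell function fills those rows for one DC and runs the FQDN and NetBIOS resolution tests toward a DC on the other side of the migration. It assumes it is run from a Windows admin workstation (PowerShell 3 or later) with LDAP and WMI/RPC access to the DC and that the DC hosts the DNS Server role; it deliberately uses System.DirectoryServices and the legacy MicrosoftDNS WMI provider instead of the ActiveDirectory and DnsServer modules so that it also works against Windows Server 2003 and 2008 DCs. The host names in the usage line are constructed placeholders.

```powershell
# Added example, not from the original checklist. Records the Domain Controller rows of the
# checklist for one DC and runs the name resolution tests toward the peer domain.
# Assumptions: admin workstation with PowerShell 3+, LDAP and WMI access to the DC,
# DNS Server role installed on the DC (needed for the root\MicrosoftDNS namespace).

function Get-DcChecklist {
    param(
        [Parameter(Mandatory)][string]$DcFqdn,       # DC to document, e.g. dc01.source.example (constructed)
        [Parameter(Mandatory)][string]$PeerFqdn,     # a DC on the other side of the migration
        [Parameter(Mandatory)][string]$PeerNetbios   # its NetBIOS name, for the NetBIOS ping row
    )

    # Directory facts over plain LDAP: name, site, IP, FSMO roles, functional levels.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $DcFqdn)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)

    # IP settings and OS over WMI; Win32_NetworkAdapterConfiguration exists on Server 2003 and later.
    $nic = Get-WmiObject -ComputerName $DcFqdn -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
           Select-Object -First 1
    $os  = Get-WmiObject -ComputerName $DcFqdn -Class Win32_OperatingSystem

    # DNS zones from the legacy MicrosoftDNS WMI provider (works on 2003/2008 DNS as well).
    # ZoneType 4 is a conditional forwarder; its MasterServers are the "Conditional Forwarders Target" row.
    # SecureSecondaries: 0 = transfer to any server, 1 = NS records only, 2 = listed IPs only, 3 = no transfers.
    $zoneTypes = @{ 1 = 'Primary'; 2 = 'Secondary'; 3 = 'Stub'; 4 = 'Forwarder' }
    $zones = Get-WmiObject -ComputerName $DcFqdn -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        ForEach-Object {
            $t = [int]$_.ZoneType
            $typeName = if ($zoneTypes.ContainsKey($t)) { $zoneTypes[$t] } else { "Other($t)" }
            [pscustomobject]@{
                Zone                    = $_.Name
                Type                    = $typeName
                ForwarderTargets        = ($_.MasterServers -join ',')
                TransferOnlyToListedIPs = ([int]$_.SecureSecondaries -eq 2)
                TransferTargets         = ($_.SecondaryServers -join ',')
            }
        }

    # Name resolution rows: does the peer FQDN resolve, and do the FQDN and NetBIOS pings succeed?
    $peerResolves = $true
    try { [void][System.Net.Dns]::GetHostAddresses($PeerFqdn) } catch { $peerResolves = $false }

    [pscustomobject]@{
        DomainController      = $dc.Name
        ADSite                = $dc.SiteName
        IPAddress             = $dc.IPAddress
        DnsServers            = ($nic.DNSServerSearchOrder -join ',')
        WinsServers           = ((@($nic.WINSPrimaryServer, $nic.WINSSecondaryServer) | Where-Object { $_ }) -join ',')
        OperatingSystem       = $os.Caption
        FsmoRoles             = ($dc.Roles -join ',')
        DomainFunctionalLevel = $dc.Domain.DomainMode
        ForestFunctionalLevel = $dc.Forest.ForestMode
        DnsZones              = $zones
        PeerFqdnResolves      = $peerResolves
        PeerFqdnPing          = (Test-Connection -ComputerName $PeerFqdn -Count 2 -Quiet)
        PeerNetbiosPing       = (Test-Connection -ComputerName $PeerNetbios -Count 2 -Quiet)
    }
}

# Usage (constructed names): one call per side of the migration, kept with the project record.
# Get-DcChecklist -DcFqdn 'dc01.source.example' -PeerFqdn 'dc01.target.example' -PeerNetbios 'TARGET' |
#     Export-Clixml .\SourceDC-checklist.xml
```

Running it once per side and exporting the objects gives the customer the "before" state of both DCs in a form that can be diffed against a run taken after the migration.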

Target Domain Controller (xxx.com)

- Domain Controller Host Name
- AD Site
- Domain Controller IP Address
- IP Setting: DNS Servers
- IP Setting: WINS Server
- Domain Controller Operating System
- Domain Controller Roles
- Domain Functional Level
- Forest Functional Level
- DNS Setting: List all available domain zones
- DNS Setting: Conditional Forwarders
- DNS Setting: Conditional Forwarders Target
- DNS FQDN Name Ping Test (on Target SPOC DCs - xxx)
- FQDN Name Ping Result
- NetBIOS Name Resolution
- NetBIOS Name Ping Result
- Windows Server Support Tools Installed
- Firewall turned off for all client PCs
  1. Turn off "Security Center" through Group Policy
  2. Disable the Windows Firewall service through Group Policy
- Enable GC replication and indexing for the service attributes:
  - adminDisplayName
  - extensionAttribute15
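Putting adminDisplayName and extensionAttribute15 into the global catalog partial attribute set and indexing them, as the last row on each side asks, is a schema edit. As an added example rather than the post's own procedure, this PowerShell function makes that change for a list of attributes and returns the before/after state for the change record. It assumes the caller is a member of Schema Admins, the schema master is reachable over LDAP, and the change has been agreed with the customer; it uses System.DirectoryServices directly so it works against Windows Server 2003 forests too.

```powershell
# Added example, not from the original checklist. Adds attributes to the GC partial
# attribute set (isMemberOfPartialAttributeSet) and marks them indexed (searchFlags bit 0, value 1).
# Assumptions: run as a Schema Admin; LDAP access to the schema master; change agreed
# with the customer, since it replicates forest-wide and triggers an index build on every DC.

function Enable-GcAttribute {
    param([Parameter(Mandatory)][string[]]$LdapDisplayName)   # e.g. adminDisplayName, extensionAttribute15

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = $rootDse.schemaNamingContext.Value

    # Schema writes must go to the schema master. fSMORoleOwner on the schema container is the
    # DN of that DC's NTDS Settings object; its parent (the server object) carries dNSHostName.
    $ntdsDn     = ([ADSI]"LDAP://$schemaNC").fSMORoleOwner.Value
    $serverDn   = $ntdsDn -replace '^CN=NTDS Settings,', ''
    $masterHost = ([ADSI]"LDAP://$serverDn").dNSHostName.Value

    foreach ($name in $LdapDisplayName) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            [ADSI]"LDAP://$masterHost/$schemaNC",
            "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))")
        $result = $searcher.FindOne()
        if (-not $result) { throw "attribute '$name' not found in the schema" }

        $attr       = $result.GetDirectoryEntry()
        $flags      = [int]$attr.searchFlags.Value             # $null -> 0 when the attribute is unset
        $wasInGc    = [bool]$attr.isMemberOfPartialAttributeSet.Value
        $wasIndexed = (($flags -band 1) -ne 0)

        if (-not $wasInGc)    { $attr.Put('isMemberOfPartialAttributeSet', $true) }
        if (-not $wasIndexed) { $attr.Put('searchFlags', ($flags -bor 1)) }
        if (-not ($wasInGc -and $wasIndexed)) { $attr.SetInfo() }

        # Before/after per attribute, so the customer can see exactly what changed.
        [pscustomobject]@{
            Attribute    = $name
            SchemaMaster = $masterHost
            WasInGC      = $wasInGc
            WasIndexed   = $wasIndexed
            NowInGC      = $true
            NowIndexed   = $true
        }
    }
}

# Enable-GcAttribute -LdapDisplayName adminDisplayName, extensionAttribute15
```

The function is idempotent: attributes that are already in the partial attribute set and indexed are reported but not written, so it can be re-run on the target forest without producing a second schema change.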

Trust

- Two-way Trust Done
- Disable SID filtering

  ```cmd
  Netdom trust johndemo.local /domain:rogertech.local /quarantine:No /usero:administrator /passwordo:Passw0rd
  ```
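As an added check that is not part of the original post, this PowerShell function reads the trust direction and the SID filtering (quarantine) state through System.DirectoryServices, so the two Trust rows can be recorded before the netdom change and confirmed after it. It assumes it runs as a Domain Admin of the domain passed as -LocalDomain; the domain names in the usage line are the post's own sample names.

```powershell
# Added example, not from the original checklist. Records the trust rows for one trust
# relationship: direction, type and whether SID filtering is still enabled.
# Assumption: the caller is a Domain Admin in $LocalDomain (GetSidFilteringStatus needs it).

function Get-TrustChecklist {
    param(
        [Parameter(Mandatory)][string]$LocalDomain,    # trusting side you are logged on to, e.g. 'johndemo.local'
        [Parameter(Mandatory)][string]$RemoteDomain    # other side of the trust, e.g. 'rogertech.local'
    )
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $LocalDomain)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $trust  = $domain.GetTrustRelationship($RemoteDomain)   # throws if no trust with that domain exists

    [pscustomobject]@{
        SourceName          = $trust.SourceName
        TargetName          = $trust.TargetName
        Direction           = $trust.TrustDirection          # Bidirectional for the "Two-way Trust Done" row
        Type                = $trust.TrustType               # External for a domain trust, Forest for a forest trust
        SidFilteringEnabled = $domain.GetSidFilteringStatus($RemoteDomain)   # $false after /quarantine:No
    }
}

# Run before and after the netdom command, and again after the migration when quarantine is
# set back to Yes; only the SidFilteringEnabled value should differ between the runs.
# Get-TrustChecklist -LocalDomain 'johndemo.local' -RemoteDomain 'rogertech.local'
```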

Account Preparation

Single Administrative Account

Source Domain Account Preparation

- Built-in Administrators group on the source DC
- Full Control on the Domain partition via ADSIEdit
- Read on the Configuration partition via ADSIEdit
- Administrators group on all Exchange servers and other involved application servers
- Full Control permission on the OUs where the source synchronized objects are located
- Full Control permission on the source Exchange 2003 servers (this registry value shows the Security tab in Exchange System Manager):

  ```text
  HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin
  Value name: ShowSecurityPage
  Data Type: REG_DWORD
  Value data: 1
  ```
- Full Control permission on the Microsoft Exchange System Objects OU
- Modify public folder replica list, Modify public folder deleted item retention, and Modify public folder quotas permissions on the ESM administrative groups
- Group Policy to add <your single administrative account> to the local Administrators group on all clients
  1. Create one Domain Local security group named QMMAdminGroup in the target domain
  2. Add <your single administrative account> to QMMAdminGroup
  3. Modify the Default Domain Policy (or create a new one) to add QMMAdminGroup to the Administrators group on all clients

Target Domain Account Preparation

- Built-in Administrators group on the target DC
- Full Control on the Domain partition via ADSIEdit
- Read on the Configuration partition via ADSIEdit
- Full Control on the Exchange organization via ADSIEdit:

  ```text
  CN=<ExchangeOrganizationName>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<...>,DC=<...>
  ```
- Full Control permission on the OUs where the target synchronized objects are located
- Full Control permission on the Microsoft Exchange System Objects OU
- Full Control permission on each mailbox database and associated public folder database:

  ```powershell
  Get-Mailbox | Add-MailboxPermission -User <your single administrative account> -AccessRights FullAccess
  Get-MailboxDatabase | Add-ADPermission -User <your single administrative account> -AccessRights GenericAll -ExtendedRights Receive-As,Send-As
  Get-PublicFolderDatabase | Add-ADPermission -User <your single administrative account> -AccessRights GenericAll -ExtendedRights Receive-As,Send-As
  ```
- Organization Management group membership for target Exchange Server 2010
- Public Folder Management group membership for target Exchange Server 2010
- Recipient Management group membership for target Exchange Server 2010
- Administrators group on all Exchange servers and other involved application servers
- ApplicationImpersonation role on target Exchange Server 2010:

  ```powershell
  New-ManagementRoleAssignment -Name QMMAppImpersonation -Role ApplicationImpersonation -User <your single administrative account>
  ```
- ms-Exch-EPI-May-Impersonate extended right:

  ```powershell
  Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User ((Get-User -Identity qmmadmin) | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
  Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <your single administrative account> -ExtendedRights ms-Exch-EPI-May-Impersonate}
  Get-PublicFolderDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <your single administrative account> -ExtendedRights ms-Exch-EPI-May-Impersonate}
  ```
- Group Policy to add <your single administrative account> to the local Administrators group on all clients
  1. Create one Domain Local security group named QMMAdminGroup in the target domain
  2. Add <your single administrative account> to QMMAdminGroup
  3. Modify the Default Domain Policy (or create a new one) to add QMMAdminGroup to the Administrators group on all clients
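Once the target-side grants above are in place, the customer will want a record of exactly what the single administrative account holds. As an added example (not part of the original checklist), this Exchange Management Shell function collects every grant the target steps make: mailbox FullAccess, the explicit database ACEs, the Client Access server impersonation ACE, the RBAC role assignment, role group membership and the throttling policy association. It assumes Exchange 2010; the account name in the usage line is a constructed placeholder.

```powershell
# Added example, not from the original checklist. Collects every grant the target-side
# account preparation gives the migration account, for the customer's change record and
# for removing the grants after the migration. Assumption: Exchange 2010 Management Shell.

function Get-MigrationAccountGrants {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'TARGET\qmmadmin' (constructed)
    $sam = ($Account -split '\\')[-1]

    # Per-mailbox FullAccess (from Get-Mailbox | Add-MailboxPermission ... -AccessRights FullAccess)
    $mailboxAccess = Get-Mailbox -ResultSize Unlimited |
        Get-MailboxPermission -User $Account |
        Where-Object { -not $_.IsInherited -and -not $_.Deny } |
        Select-Object Identity, AccessRights

    # Explicit AD ACEs on mailbox and public folder databases:
    # GenericAll, Receive-As, Send-As and ms-Exch-EPI-May-Impersonate
    $databaseAces = @(Get-MailboxDatabase) + @(Get-PublicFolderDatabase) |
        ForEach-Object { Get-ADPermission -Identity $_.DistinguishedName -User $Account } |
        Where-Object { -not $_.IsInherited } |
        Select-Object Identity, AccessRights, ExtendedRights

    # ms-Exch-EPI-Impersonation on each Client Access server
    $casAces = Get-ExchangeServer | Where-Object { $_.IsClientAccessServer } |
        ForEach-Object { Get-ADPermission -Identity $_.DistinguishedName -User $Account } |
        Where-Object { ($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'ms-Exch-EPI-Impersonation' } |
        Select-Object Identity, ExtendedRights

    # RBAC: the ApplicationImpersonation assignment (QMMAppImpersonation in the checklist)
    $roleAssignments = Get-ManagementRoleAssignment -RoleAssignee $Account |
        Select-Object Name, Role, RoleAssigneeName

    # Role group memberships the checklist asks for
    $roleGroups = 'Organization Management', 'Public Folder Management', 'Recipient Management' |
        Where-Object { Get-RoleGroupMember -Identity $_ | Where-Object { $_.SamAccountName -eq $sam } }

    $throttling = Get-ThrottlingPolicyAssociation -Identity $Account

    [pscustomobject]@{
        Account           = $Account
        MailboxFullAccess = @($mailboxAccess)
        DatabaseAces      = @($databaseAces)
        CasImpersonation  = @($casAces)
        RoleAssignments   = @($roleAssignments)
        RoleGroups        = @($roleGroups)
        ThrottlingPolicy  = $throttling.ThrottlingPolicyId
    }
}

# Get-MigrationAccountGrants -Account 'TARGET\qmmadmin' | Export-Clixml .\qmmadmin-grants.xml
```

Only explicit, non-inherited ACEs are listed, so the output is the set of things the preparation added rather than everything the account can reach through inheritance.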

QMM Console (xxx)

- Grant the "Log on as a service" right to <your single administrative account> via Local Security Policy
- Verify <your single administrative account> is a member of the local Administrators group

Exchange Server Preparation

Source Exchange Server - 2003

- Exchange Server Name
- Exchange Server IP Address
- IP Setting: DNS Servers
- IP Setting: WINS Server
- Existing Accepted Domains
- Email Redirection Target Domain SMTP namespaces
- Mail route SMTP namespace
- Smart Host Address
- Mailbox Access and Email Flow Verification
  - Default Source Domain -> Default Target Domain
  - Default Source Domain -> Email Redirection Target SMTP namespace
- Offline Address Book Download Availability
- Create a temporary Storage Group for synced mailbox-enabled objects
  - Exchange Server
  - Storage Group name
  - Enable "circular logging" for this storage group
  - Mailbox Store name
- Full Backup Done
- Create the "Aelita EMW Recycle Bin" Public Folder
- Create Administrator Mailboxes for Public Folder, Free/Busy and Calendar Synchronization
- Specify the displayName value for the source EX2K3 mailbox database via ADSIEdit
  1. Locate:

     ```text
     CN=First Storage Group,CN=InformationStore,CN=EX2K3,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Mail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<…>,DC=<…>
     ```
  2. Copy the adminDisplayName value into the displayName field.
- Firewall turned off

Target Exchange Server - 2010

- Exchange Server Name
- Exchange Server IP Address
- IP Setting: DNS Servers
- IP Setting: WINS Server
- Accepted Domains
  - Existing Accepted Domains (related)
  - Email Redirection Target Domain SMTP namespaces
- Email Address Policies
- Remote Domains
  - Add the email redirection Source Domain SMTP namespace
- Send Connector
  - Mail route SMTP namespace
  - Smart Host Address
- Create the Target Mailbox Database for migration
  - Database Name
  - Mount Availability
  - Limit configuration matching the policy
  - Public Folder Database Association
  - Offline Address Book Association
- Default Receive Connector permission group -> Anonymous
- Mailbox Access and Email Flow Verification
  - Default Target Domain -> Default Source Domain
  - Default Target Domain -> Email Redirection Source SMTP namespace
- Offline Address Book Downloading
- Full Backup Done
- Create the "Aelita EMW Recycle Bin" Public Folder
- Create Administrator Mailboxes for Public Folder, Free/Busy and Calendar Synchronization
- Create Custom Throttling Policies:

  ```powershell
  New-ThrottlingPolicy QMMExAccountThrottlingPolicy
  Set-ThrottlingPolicy QMMExAccountThrottlingPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null
  Set-ThrottlingPolicyAssociation -Identity <your single administrative account> -ThrottlingPolicy QMMExAccountThrottlingPolicy
  ```
- Install the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1, and restart the server
- Disable RPC encryption on the target Exchange 2010 servers:

  ```powershell
  Set-RpcClientAccess -Server EX2010.rogertech.local -EncryptionRequired $false
  ```
- Firewall turned off
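Most of the Target Exchange Server rows are configuration to be recorded before the migration tooling touches the organization. As an added example that is not part of the original checklist, this Exchange Management Shell function gathers them into one object: accepted domains, email address policies, remote domains, send connector address spaces and smart hosts, receive connector permission groups, the RPC encryption state, and the state of the migration mailbox database (mounted, quota limits, public folder database and OAB associations, circular logging). It assumes Exchange 2010; the database name in the usage line is a constructed placeholder.

```powershell
# Added example, not from the original checklist. Collects the "Target Exchange Server - 2010"
# configuration rows in one object for the customer's change record.
# Assumption: Exchange 2010 Management Shell; the database name is a constructed placeholder.

function Get-TargetExchangeChecklist {
    param([Parameter(Mandatory)][string]$MigrationDatabase)   # e.g. 'QMM-Migration-DB01' (constructed)

    # -Status populates Mounted, which answers the "Mount Availability" row.
    $db = Get-MailboxDatabase -Identity $MigrationDatabase -Status
    $dbFacts = [pscustomobject]@{
        Name                     = $db.Name
        Mounted                  = $db.Mounted
        IssueWarningQuota        = $db.IssueWarningQuota         # compare these three with the policy
        ProhibitSendQuota        = $db.ProhibitSendQuota
        ProhibitSendReceiveQuota = $db.ProhibitSendReceiveQuota
        PublicFolderDatabase     = $db.PublicFolderDatabase
        OfflineAddressBook       = $db.OfflineAddressBook
        CircularLoggingEnabled   = $db.CircularLoggingEnabled
    }

    [pscustomobject]@{
        AcceptedDomains      = @(Get-AcceptedDomain | Select-Object Name, DomainName, DomainType, Default)
        EmailAddressPolicies = @(Get-EmailAddressPolicy | Select-Object Name, Priority, EnabledEmailAddressTemplates, RecipientFilter)
        RemoteDomains        = @(Get-RemoteDomain | Select-Object Name, DomainName)
        SendConnectors       = @(Get-SendConnector | Select-Object Name, AddressSpaces, SmartHosts, DNSRoutingEnabled)
        # PermissionGroups shows whether AnonymousUsers has been added to the default receive connector.
        ReceiveConnectors    = @(Get-ReceiveConnector | Select-Object Identity, PermissionGroups, Bindings)
        RpcEncryption        = @(Get-RpcClientAccess | Select-Object Server, EncryptionRequired)
        MigrationDatabase    = $dbFacts
    }
}

# Get-TargetExchangeChecklist -MigrationDatabase 'QMM-Migration-DB01' | Export-Clixml .\TargetExchange-checklist.xml
```

Taking one export before the preparation steps and one after makes the delta (new accepted domain, new remote domain, anonymous permission group, encryption turned off) explicit for the customer.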

QMM Console Preparation

- Firewall turned off
- Install the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1, and restart the server
- Double-check that <your single administrative account> is in the local Administrators group
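Several rows of this checklist deliberately loosen controls for the migration tooling: SID filtering on the trust, RPC encryption on the Client Access role, a throttling policy with no RCA limits, and the ApplicationImpersonation assignment. As an added example that is not part of the original post, the following Exchange Management Shell function reverts those four once the migration is signed off and returns what it found beforehand, so the hand-over record shows both the change and its removal. It assumes Exchange 2010, netdom.exe on the path, and that the supplied account is a Domain Admin in the trusting domain; every parameter value in the usage line is a constructed placeholder or one of the post's own sample names.

```powershell
# Added example, not from the original checklist. Reverts the controls the checklist loosens:
# RPC encryption, the custom throttling policy, the impersonation assignment and SID filtering.
# Assumptions: Exchange 2010 Management Shell, netdom.exe on the path, a Domain Admin account
# for the trusting domain; all parameter values are constructed placeholders.

function Undo-MigrationLoosening {
    param(
        [Parameter(Mandatory)][string]$Account,             # e.g. 'TARGET\qmmadmin'
        [Parameter(Mandatory)][string]$ThrottlingPolicy,    # e.g. 'QMMExAccountThrottlingPolicy'
        [Parameter(Mandatory)][string]$RoleAssignment,      # e.g. 'QMMAppImpersonation'
        [Parameter(Mandatory)][string]$TrustingDomain,      # e.g. 'johndemo.local'
        [Parameter(Mandatory)][string]$TrustedDomain,       # e.g. 'rogertech.local'
        [Parameter(Mandatory)][string]$TrustingDomainAdmin  # account netdom uses (/usero)
    )

    # Snapshot first, so the revert itself is documented.
    $before = [pscustomobject]@{
        RpcEncryption = @(Get-RpcClientAccess | Select-Object Server, EncryptionRequired)
        Throttling    = (Get-ThrottlingPolicyAssociation -Identity $Account).ThrottlingPolicyId
        Impersonation = @(Get-ManagementRoleAssignment -RoleAssignee $Account -Role ApplicationImpersonation | Select-Object Name)
    }

    # 1. RPC encryption back on wherever it was switched off.
    Get-RpcClientAccess | Where-Object { -not $_.EncryptionRequired } |
        ForEach-Object { Set-RpcClientAccess -Server $_.Server -EncryptionRequired $true }

    # 2. Account back to the default throttling policy, then remove the custom policy.
    Set-ThrottlingPolicyAssociation -Identity $Account -ThrottlingPolicy $null
    Remove-ThrottlingPolicy -Identity $ThrottlingPolicy -Confirm:$false

    # 3. Drop the impersonation assignment if it still exists.
    Get-ManagementRoleAssignment -Identity $RoleAssignment -ErrorAction SilentlyContinue |
        Remove-ManagementRoleAssignment -Confirm:$false

    # 4. SID filtering back on: /quarantine:Yes is the inverse of the checklist's /quarantine:No.
    #    /passwordo:* makes netdom prompt for the password instead of taking it on the command line.
    netdom trust $TrustingDomain "/domain:$TrustedDomain" /quarantine:Yes "/usero:$TrustingDomainAdmin" /passwordo:*

    $before
}

# Undo-MigrationLoosening -Account 'TARGET\qmmadmin' -ThrottlingPolicy 'QMMExAccountThrottlingPolicy' `
#     -RoleAssignment 'QMMAppImpersonation' -TrustingDomain 'johndemo.local' -TrustedDomain 'rogertech.local' `
#     -TrustingDomainAdmin 'administrator' | Export-Clixml .\loosening-before-revert.xml
```

The mailbox, database and OU permissions granted earlier are not touched here; remove them from the recorded grant list once the migration account is retired.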


Originally posted at "Http://blogs.technet.com/b/rogerliu".