Sachin Filinto Blog
The purpose of this blog is to document how a cross-forest migration is done with native Exchange 2010 tools. Another reason I am writing this blog is that I did not find this method documented either in the Microsoft community content or elsewhere on the internet (same SMTP domain but different AD domain/forest).
This blog is meant to be a very concise, to-the-point article on how to go about the migration using built-in tools: ADMT, which can be freely downloaded from the Microsoft website, and the Prepare-MoveRequest.ps1 script, which is included with Exchange 2010 Service Pack 1.
This method of co-existence and migration could be classified as short co-existence with one-way GAL synchronization.
To start with, we need to get some basics crystal clear.
a. proxyaddresses & targetaddress
proxyaddresses is the main attribute where e-mail address information is kept. When you open the properties of a recipient in Outlook and look at the "E-mail Addresses" tab, you are looking at this attribute. This is a multi-valued string containing all the addresses that represent the recipient.
e.g. SMTP:email@example.com, smtp:firstname.lastname@example.org, X400:c=US;a= ;p=contoso;o=Exchange;s=user101
targetaddress, in contrast, is a single-valued attribute. In contacts and mail-enabled users (MEU) this attribute will point to a mailbox outside the Exchange organization, for example, to a Hotmail account or to another company's address.
Source and further reading: Link
b. Mail Enabled User ( MEU )
Also Known As: Mail User /Mail-Enabled Active Directory user.
A mail user is similar to a mail contact, except that a mail user has Active Directory logon credentials and can access resources. A MEU thus represents a user who has an account in this forest but whose mailbox is outside the Exchange organization. Each mail user has an external e-mail address. All messages sent to the mail user are routed to this external e-mail address, and for this it uses the targetAddress attribute mentioned earlier in this blog.
In the GAL, a MEU looks no different from a mailbox.
Source and further reading: Link, Link, Link
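The two attributes described in sections a and b are easy to misread by hand because Exchange treats the "SMTP:" prefix case-sensitively (upper case marks the one primary address, lower case marks secondaries) while PowerShell compares strings case-insensitively by default. The following added example (my own code, not from the original post) parses a proxyAddresses value set the way Exchange does, flags a missing or duplicate primary address, and reports whether a MEU's targetAddress matches one of its proxies. The sample values are constructed to mirror the post's example; the Get-ADUser call in the trailing comment assumes the ActiveDirectory module is loaded and PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): interpret proxyAddresses / targetAddress
# the way Exchange does. Prefix case matters, so comparisons are case-sensitive (-c*).
function Get-ProxyAddressSummary {
    param(
        [Parameter(Mandatory)][string[]] $ProxyAddresses,
        [string] $TargetAddress
    )
    $primary = @(); $secondary = @(); $x500 = @(); $x400 = @(); $other = @(); $issues = @()
    $seen = @{}
    foreach ($entry in $ProxyAddresses) {
        $idx = $entry.IndexOf(':')
        if ($idx -lt 1) { $issues += "Malformed entry (no type prefix): '$entry'"; continue }
        $prefix = $entry.Substring(0, $idx)
        $value  = $entry.Substring($idx + 1)
        # Duplicates are detected per address type, ignoring case of the address itself.
        $key = $prefix.ToUpperInvariant() + ':' + $value.ToLowerInvariant()
        if ($seen.ContainsKey($key)) { $issues += "Duplicate address: '$entry'" } else { $seen[$key] = $true }
        switch -CaseSensitive ($prefix) {
            'SMTP' { $primary   += $value }   # upper case = the single primary SMTP address
            'smtp' { $secondary += $value }   # lower case = secondary SMTP addresses
            default {
                if     ($prefix -ieq 'X500') { $x500  += $value }   # legacyExchangeDN-style entries
                elseif ($prefix -ieq 'X400') { $x400  += $value }
                else                          { $other += $entry }
            }
        }
    }
    if ($primary.Count -eq 0) { $issues += 'No primary (upper-case SMTP:) address' }
    if ($primary.Count -gt 1) { $issues += "More than one primary SMTP address: $($primary -join ', ')" }
    # For a MEU, report whether the routing target is also one of its own SMTP proxies.
    $targetIsProxy = $null
    if ($TargetAddress) {
        $tIdx   = $TargetAddress.IndexOf(':')
        $tValue = if ($tIdx -ge 0) { $TargetAddress.Substring($tIdx + 1) } else { $TargetAddress }
        $targetIsProxy = ($primary + $secondary) -icontains $tValue
    }
    [pscustomobject]@{
        PrimarySmtp   = $primary
        SecondarySmtp = $secondary
        X500          = $x500
        X400          = $x400
        Other         = $other
        TargetAddress = $TargetAddress
        TargetIsProxy = $targetIsProxy
        Issues        = $issues
    }
}

# Constructed sample values mirroring the post's example (not real recipients).
$sampleProxies = @(
    'SMTP:email@example.com',
    'smtp:firstname.lastname@example.org',
    'X400:c=US;a= ;p=contoso;o=Exchange;s=user101',
    'X500:/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user101'
)
Get-ProxyAddressSummary -ProxyAddresses $sampleProxies -TargetAddress 'SMTP:email@example.com' | Format-List

# Against a real object (assumes the ActiveDirectory module), e.g. the MEU created later in this post:
# $u = Get-ADUser -Identity johndoe -Properties proxyAddresses, targetAddress
# Get-ProxyAddressSummary -ProxyAddresses $u.proxyAddresses -TargetAddress $u.targetAddress
```

With the sample input the summary reports one primary address, one secondary, one X400 and one X500 entry, no issues, and TargetIsProxy = True; an object with two upper-case "SMTP:" entries, which Exchange will reject, shows up in Issues before a move request is attempted.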
To move a mailbox from an Exchange 2003/07/10 Server to another Exchange 2010 forest, the target forest must contain a valid mail-enabled user (MEU) with a specified set of Active Directory attributes.
There are several ways to create this MEU in the target forest (ILM, FIM, custom scripts, Prepare-MoveRequest.ps1).
For a list of mandatory and optional attributes see this Link. In this blog I shall cover only the Prepare-MoveRequest.ps1 script.
When executed, this script does the following (among other things):
a. Creates a disabled "Mail User" in the target forest and copies the proxyaddresses attribute (besides other attributes) from the source forest object to it.
b. Stamps the targetaddress attribute of the target object.
c. Appends the LegacyExchangeDN value of the source forest object as an X500 proxy address on the target object.
d. Appends the LegacyExchangeDN value of the target forest object as an X500 proxy address on the source object.
Let's take a look at each of these points in more detail.
The following diagram shows the output when Prepare-MoveRequest.ps1 is executed.
The following diagram shows the Mail User created in the target forest.
The following diagram shows the disabled Mail User in the target forest.
The following diagram shows the LegacyExchangeDN attribute of the Mail User in the target forest.
The following diagram shows the targetaddress attribute of the Mail User in the target forest.
The following diagram shows the LegacyExchangeDN from the source forest being appended as an x500 proxy address in the target forest.
The following diagram shows the x500 proxy address on the target MEU.
The following diagram shows the LegacyExchangeDN from the target forest being appended as an x500 proxy address in the source forest.
The following diagram shows the LegacyExchangeDN from the target forest as an x500 proxy address in the source forest.
The following diagram shows the empty targetAddress in the source forest.
.\Prepare-MoveRequest.ps1 -RemoteForestDomainController dcx01.contoso.com -RemoteForestCredential $RemoteCredentials -LocalForestDomainController dc01.fabrikam.com -LocalForestCredential $LocalCredentials -TargetMailuserOU "OU=mig,DC=fabrikam,DC=com" -verbose -identity johndoe
You need to define $LocalCredentials and $RemoteCredentials before executing the above command.
For this we can use:
(Target Forest )
$LocalCredentials = Get-Credential
(Source Forest )
$RemoteCredentials = Get-Credential
Note: In the examples shown above, Contoso.com is the source forest and Fabrikam.com is the target forest. @tailspintoys.com is the SMTP domain used in both the source and target forests.
(It is advisable to use the -verbose switch so that any warnings and errors are logged.)
a. A very critical point to note: adding the LegacyExchangeDN value as an X500 proxy address in the opposing forest ensures that replying to any e-mails received prior to the migration will not result in an NDR. (When replying to e-mails from internal users, Exchange does not necessarily use the SMTP address; it uses the sender's LegacyExchangeDN, which therefore has to resolve in the new forest.)
b. This script DOES NOT copy the password or the SID (for that you need to use ADMT).
c. Prepare-MoveRequest.ps1 should be run prior to ADMT. Thus ADMT would need to be executed with the "Migrate and Merge Conflicting Objects" option selected (more details in the ADMT section).
d. If executed for all users in the organization, this can effectively be used to populate the GAL in the target forest prior to moving the mailboxes from source to target.
As seen in the screenshot below, a MEU is not distinguishable from a mailbox in the GAL of the target forest.
For further reading on the Prepare-MoveRequest.ps1 script see Link.
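Because ADMT is run after Prepare-MoveRequest.ps1 and merges onto the object the script created, it is worth confirming, per user, that all four results listed above (a to d) are actually in place before the ADMT step. The following added example is my own code, not part of the original post or of Prepare-MoveRequest.ps1. It reads the source and target objects with Get-ADUser from the ActiveDirectory module (assumed to be installed), using the same domain controller names and the $RemoteCredentials (source) and $LocalCredentials (target) variables the post defines, and returns one pass/fail value per check. It also reports the SID history count on the target, which the script does not populate (note b).

```powershell
# Added example (not from the original post): verify the state Prepare-MoveRequest.ps1
# should have produced for one user, before ADMT is run. Assumes the ActiveDirectory
# module and PowerShell 3.0 or later. Host names are the post's example values.
Import-Module ActiveDirectory

function Test-CrossForestMoveReadiness {
    param(
        [Parameter(Mandatory)][string] $Identity,                       # sAMAccountName, e.g. johndoe
        [Parameter(Mandatory)][System.Management.Automation.PSCredential] $SourceCredential,  # $RemoteCredentials in the post
        [Parameter(Mandatory)][System.Management.Automation.PSCredential] $TargetCredential,  # $LocalCredentials in the post
        [string] $SourceDC = 'dcx01.contoso.com',                       # source forest DC (post's example)
        [string] $TargetDC = 'dc01.fabrikam.com'                        # target forest DC (post's example)
    )
    $props = 'proxyAddresses', 'legacyExchangeDN', 'targetAddress', 'SIDHistory'

    # The source mailbox must exist; let Get-ADUser throw if it does not.
    $src = Get-ADUser -Identity $Identity -Server $SourceDC -Credential $SourceCredential -Properties $props -ErrorAction Stop
    # The target MEU may be missing if the script has not been run yet, so treat that as a failed check.
    try {
        $tgt = Get-ADUser -Identity $Identity -Server $TargetDC -Credential $TargetCredential -Properties $props -ErrorAction Stop
    } catch {
        $tgt = $null
    }

    $checks = [ordered]@{ Identity = $Identity; TargetMailUserExists = ($null -ne $tgt) }
    if ($tgt) {
        # a. disabled Mail User in the target forest with the source proxy addresses copied over.
        #    Primary SMTP is the single entry with an UPPER-CASE "SMTP:" prefix, hence -cmatch.
        $checks['TargetAccountDisabled'] = (-not $tgt.Enabled)
        $srcPrimary = @(@($src.proxyAddresses) -cmatch '^SMTP:')
        $tgtPrimary = @(@($tgt.proxyAddresses) -cmatch '^SMTP:')
        $checks['PrimarySmtpCopied'] = ($srcPrimary.Count -eq 1 -and $tgtPrimary.Count -eq 1 -and
                                        $srcPrimary[0] -ieq $tgtPrimary[0])
        # b. targetAddress stamped on the target object (the source mailbox has none).
        $checks['TargetAddressStamped']     = -not [string]::IsNullOrEmpty($tgt.targetAddress)
        $checks['SourceTargetAddressEmpty'] = [string]::IsNullOrEmpty($src.targetAddress)
        # c. source LegacyExchangeDN present as an X500 proxy on the target object.
        $checks['SourceLegacyDnOnTarget'] = (@($tgt.proxyAddresses) -icontains "X500:$($src.legacyExchangeDN)")
        # d. target LegacyExchangeDN present as an X500 proxy on the source object.
        $checks['TargetLegacyDnOnSource'] = (@($src.proxyAddresses) -icontains "X500:$($tgt.legacyExchangeDN)")
        # Not done by the script (note b): SID history only arrives with ADMT, so expect 0 here.
        $checks['TargetSidHistoryCount'] = @($tgt.SIDHistory | Where-Object { $_ }).Count
    }
    [pscustomobject]$checks
}

# Usage, with the credential variables defined as in the post:
# Test-CrossForestMoveReadiness -Identity johndoe -SourceCredential $RemoteCredentials -TargetCredential $LocalCredentials
```

Running it for every user that was prepared (for example by piping the identities from the source forest) gives a table that can be kept as a record of the pre-ADMT state; any row with a False in SourceLegacyDnOnTarget or TargetLegacyDnOnSource is a user whose replies to pre-migration mail would NDR after the move, which is exactly the failure note a warns about.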
…To be continued in Part II
Moving to a new forest and retaining the same SMTP domain (with native scripts) - Part II
Thanks for sharing the thoughts to deal the special case
Thanks a lot for sharing. It's really an excellent guide (the best I have found).
I have to migrate same way (Exchange 2010 to Exchange 2010), but AD user will be migrated to a child domain A and mailbox to a different child domain B. Then linked mailbox will be required.
How should I address it?
Thanks for your time replying.
Linked mailboxes are ideally used when the AD account and mailbox are sitting in separate forests. You do not need to use linked mailboxes when both are in the same forest. From what you describe, Domain A and B are in a single forest, so no need for a linked mailbox.
How can we migrate security groups and distribution groups cross-forest, and how will coexistence happen?