• Moving to a new forest and retaining the same SMTP domain ( with native scripts ) - Part II

     

    3. Moving the Active Directory account using ADMT

      ADMT is a great tool for Migrating and Restructuring Active Directory Domains ( user accounts, passwords, groups & group membership, computer accounts & much more.)

      However, it is very important to note that ADMT DOES NOT touch Exchange attributes.

      ADMT can be executed before Prepare-MoveRequest, after Prepare-MoveRequest, or skipped if we want to use a linked account.

      Assuming Prepare-MoveRequest was executed first, when executing ADMT we need to merge the account with an existing MEU.

      Screen grabs of the ADMT wizard ( ADMT1 to ADMT7 ) are not reproduced here; the critical options were highlighted in them.

       

      If ADMT is run before the Prepare-MoveRequest.ps1 script, we would need to execute Prepare-MoveRequest.ps1 with the -OverWriteLocalObject switch.

      Further reading Link

    4. The Actual Move of Mailboxes.

      Having prepared the environment, moving the mailbox should now be a breeze. Moving mailboxes is a large topic, so in order to keep this blog concise I shall jump straight to the command & explain only what is relevant.

    1. MRSProxy or NO MRSProxy

      MRSProxy encapsulates all communication between the organizations in HTTPS packets thus making the move seamless.

      Assuming the source forest has Exchange 2010 SP2 or above, enable MRSProxy in the source forest.

      Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyMaxConnections 50

      Details can be found Here

      In the event that the source forest does NOT have an Exchange 2010 server, we cannot use the MRSProxy. So we skip the above step & use the -RemoteLegacy switch in lieu of -Remote in the move command.

    2. Command to Move the Mailbox across the forests ( pull the mailbox from source forest to the target forest )

      First save the credentials in two variables:

      ( target forest )

      $LocalCredentials = Get-Credential

      ( source forest )

      $RemoteCredentials = Get-Credential

      Then execute the command based on whether the source forest has MRSProxy enabled or not.

      • With MRSProxy DISABLED in the source ( even if there is a E2010 server in the source )

      New-MoveRequest `
        -Identity johndoe@tailspintoys.com `
        -RemoteCredential $RemoteCredentials `
        -TargetDeliveryDomain 'tailspintoys.com' `
        -RemoteGlobalCatalog dcx01.contoso.com `
        -RemoteLegacy

      • With MRSProxy enabled in the source (on a server e2010.contoso.com )

      New-MoveRequest `
        -Identity johndoe@tailspintoys.com `
        -RemoteCredential $RemoteCredentials `
        -TargetDeliveryDomain 'tailspintoys.com' `
        -RemoteGlobalCatalog dcx01.contoso.com `
        -Remote `
        -RemoteHostName E2010.contoso.com

      Note: -RemoteHostName is the E2010 server where we have enabled the MRSProxy.

      When either of the above commands is executed, the source mailbox is converted into a Mail User ( MEU ) & the target Mail User ( MEU ) into a User Mailbox.

      Source forest:

      User Mailbox> Mail User ( MEU )

      Target forest:

      Mail User (MEU) > User Mailbox
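      The choice between the two variants and the post-move check, as an added PowerShell 2.0-compatible example that is not part of the original post; run it from the target forest's Exchange Management Shell. The host, domain and account names are the post's lab values and are assumptions for your environment.

```powershell
# Added example, not from the original post. Chooses the New-MoveRequest
# variant once (MRSProxy over HTTPS vs. legacy pull), then confirms that the
# target object changed from MailUser to UserMailbox. Names below are the
# post's lab values and are assumptions for your environment.

function Start-CrossForestMove {
    param(
        [Parameter(Mandatory=$true)] [string] $Identity,              # e.g. johndoe@tailspintoys.com
        [Parameter(Mandatory=$true)] [System.Management.Automation.PSCredential] $RemoteCredential,
        [Parameter(Mandatory=$true)] [string] $RemoteGlobalCatalog,   # e.g. dcx01.contoso.com
        [Parameter(Mandatory=$true)] [string] $TargetDeliveryDomain,  # e.g. tailspintoys.com
        [string] $MrsProxyHost                                        # omit if the source has no MRSProxy
    )

    # Parameters common to both variants, collected for splatting.
    $p = @{
        Identity             = $Identity
        RemoteCredential     = $RemoteCredential
        RemoteGlobalCatalog  = $RemoteGlobalCatalog
        TargetDeliveryDomain = $TargetDeliveryDomain
        ErrorAction          = 'Stop'
    }
    if ($MrsProxyHost) {
        # Source runs Exchange 2010 SP2+ with MRSProxy enabled on this CAS: HTTPS pull.
        $p['Remote']         = $true
        $p['RemoteHostName'] = $MrsProxyHost
    } else {
        # No MRSProxy available in the source forest: legacy pull.
        $p['RemoteLegacy'] = $true
    }
    New-MoveRequest @p
}

function Wait-CrossForestMove {
    param(
        [Parameter(Mandatory=$true)] [string] $Identity,
        [int] $TimeoutMinutes = 120,
        [int] $PollSeconds    = 60
    )
    $final    = @('Completed', 'CompletedWithWarning', 'Failed')
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $stats  = Get-MoveRequestStatistics -Identity $Identity
        $status = [string]$stats.Status
        Write-Host ("{0}: {1} ({2}% complete)" -f $Identity, $status, $stats.PercentComplete)
    } while (($final -notcontains $status) -and ((Get-Date) -lt $deadline))

    # A successful pull flips the target object from MailUser to UserMailbox.
    $recipient = Get-Recipient -Identity $Identity
    New-Object PSObject -Property @{
        Identity            = $Identity
        MoveStatus          = $status
        TargetRecipientType = [string]$recipient.RecipientTypeDetails
        IsNowMailbox        = ([string]$recipient.RecipientTypeDetails -eq 'UserMailbox')
    }
}

# Usage: source forest credentials, then pull via the MRSProxy on e2010.contoso.com.
$RemoteCredentials = Get-Credential
Start-CrossForestMove -Identity 'johndoe@tailspintoys.com' -RemoteCredential $RemoteCredentials `
    -RemoteGlobalCatalog 'dcx01.contoso.com' -TargetDeliveryDomain 'tailspintoys.com' `
    -MrsProxyHost 'e2010.contoso.com'
Wait-CrossForestMove -Identity 'johndoe@tailspintoys.com'
```

      Drop the -MrsProxyHost argument to get the -RemoteLegacy variant instead.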

      Before Move / Move Command / After Move: screenshots ( 21 Pre Mailbox Move, 22 mailbox move, 23 Post mailbox Move ), not reproduced here.

      Note: Issues to be aware of when moving across forests

      1. Outlook nickname cache is best cleared ( from the client side ).
      2. Update OAB & replicate to the CAS servers. Have the users wait till it downloads or ask them to manually download the OAB.
      3. Depending on how end-users have created their Outlook rules, they could break. You might need to re-create the Outlook rules.
      4. Shared mailboxes + their users & manager + delegate sets should be moved together. You cannot have a manager in one forest & a delegate in a different forest.
      5. This mailbox pull will result in the source mailboxes being hard deleted. Ensure you have a backup in case you need to retrieve the mailbox.
      6. "Suspend this move when it is ready to complete" option is not available when moving across forests.

      Additional Reading.

      http://technet.microsoft.com/en-us/library/dd351123.aspx

      http://blogs.technet.com/b/exchange/archive/2010/08/10/3410619.aspx

    5. Ensuring Mail flow between source & target during the co-existence phase.

      The method described below works fine if we have to migrate all the mailboxes from the source forest to the target forest rapidly & in one scheduled activity. This is because both the source & target forests are authoritative for the same SMTP domain.

      This drawback ( of having to move all the mailboxes in one scheduled outage ) would be acceptable if the number of mailboxes is small or the actual move would happen in a short span of time. However this is not a common scenario, as most migrations take several hours if not days or weeks.

      In the event that the move of mailboxes takes several hours, days or weeks, we would need to have e-mail flowing between the source forest ( mailboxes which are going to be migrated ) & the target forest ( mailboxes which have already been migrated ), so that a migrated user can send an e-mail to a user who is yet to be migrated & vice-versa.

      The additional steps to achieve this would involve:

     

    1. Add a new accepted domain e.g. @tailspintoys.local in the target forest and also add this domain as a secondary SMTP address to the target forest objects.

      Thus we have an additional secondary SMTP e-mail address of johndoe@tailspintoys.local

      Set-EmailAddressPolicy -Identity "Default Policy" -EnabledEmailAddressTemplates SMTP:@tailspintoys.com,smtp:@tailspintoys.local

      Update-EmailAddressPolicy -Identity "Default Policy"

     

    2. Modify the move command used earlier. Change the TargetDeliveryDomain to tailspintoys.local

      e.g. New-MoveRequest -Identity johndoe@tailspintoys.com -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'tailspintoys.local' -RemoteGlobalCatalog dcx01.contoso.com -RemoteLegacy

      Thus the Target address on the MEU in the source forest after the mailbox is moved will be johndoe@fabrikam.local besides the expected proxy addresses.

      Once Executed, we will now have the MEU in the source having a target address of tailspintoys.local

     

    3. Create appropriate connectors for mail flow.

    In order to have e-mail flowing between the two forests we would need to configure connectors in both the forests. This procedure could vary depending on how the existing mail flow is configured.

      Here are the PowerShell commands used in my lab:

      source_to_target mail flow

      Source send connector

      New-SendConnector `
        -Name 'source_to_target' `
        -Usage 'Internet' `
        -AddressSpaces 'SMTP:*.tailspintoys.local;1' `
        -IsScopedConnector $false `
        -DNSRoutingEnabled $false `
        -SmartHosts 'ex01.fabrikam.com' `
        -SmartHostAuthMechanism 'None' `
        -UseExternalDNSServersEnabled $false `
        -SourceTransportServers 'ex01.contoso.com'

      Target receive connector

      New-ReceiveConnector `
        -Name 'source_to_target' `
        -Usage 'Internet' `
        -Server 'EX01.fabrikam.com' `
        -Bindings '0.0.0.0:25' `
        -RemoteIPRanges '10.10.10.103'

      target_to_source_and_internet mailflow

      target send connector

      New-SendConnector `
        -Name 'target_to_source_and_internet' `
        -Usage 'Internet' `
        -AddressSpaces 'SMTP:*;1' `
        -IsScopedConnector $false `
        -DNSRoutingEnabled $false `
        -SmartHosts 'ex01.contoso.com' `
        -SmartHostAuthMechanism 'None' `
        -UseExternalDNSServersEnabled $false `
        -SourceTransportServers 'EX01.fabrikam.com'

      source receive connector

      New-ReceiveConnector `
        -Name 'target_to_source_and_internet' `
        -Usage 'Custom' `
        -Server 'Ex01.contoso.com' `
        -Bindings '0.0.0.0:25' `
        -RemoteIPRanges '10.10.10.11' `
        -AuthMechanism 'Tls, ExternalAuthoritative' `
        -PermissionGroups 'AnonymousUsers, ExchangeServers'

      Note1: Usage is Internet because this connector does not require authentication.

      Note2: RemoteIPRanges is the IP address of the server used in the send connector matching this receive connector. This will result in only the identified server being able to send e-mail over this receive connector.

      Note3: For this example I have chosen to create a separate send & receive connector in both the forests. However you could also achieve this by modifying the existing receive connectors instead of creating new receive connectors.
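      An audit that follows from Note2, as an added example that is not part of the original post: a receive connector using ExternalAuthoritative treats every peer in its RemoteIPRanges as a fully trusted sender, so the ranges must stay as narrow as the single smart-host address used above. The 256-address threshold is an assumption; run in the Exchange Management Shell of either forest.

```powershell
# Added example, not from the original post. Audits every receive connector
# in the forest: a connector whose AuthMechanism includes ExternalAuthoritative
# treats every peer in RemoteIPRanges as fully trusted, so it must be scoped to
# the single smart-host address (as Note2 does), never a broad range. The 256
# address threshold is an assumption; run in the Exchange Management Shell.

function Get-IPv4RangeSize {
    # Accepts the string form of an Exchange IPRange: "a.b.c.d", "a.b.c.d-w.x.y.z"
    # or "a.b.c.d/nn". Returns the number of addresses, or $null for IPv6.
    param([Parameter(Mandatory=$true)] [string] $Range)
    if ($Range -match ':') { return $null }
    $toInt = {
        param([string] $ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
    }
    if ($Range -match '^([^-]+)-([^-]+)$') {
        return (& $toInt $matches[2]) - (& $toInt $matches[1]) + 1
    }
    if ($Range -match '^([^/]+)/(\d+)$') {
        return [int64][math]::Pow(2, 32 - [int]$matches[2])
    }
    return 1
}

function Test-ReceiveConnectorScope {
    param([int64] $MaxAddressesPerRange = 256)
    foreach ($rc in Get-ReceiveConnector) {
        $auth  = [string]$rc.AuthMechanism
        $perms = [string]$rc.PermissionGroups
        $externallySecured = ($auth -match 'ExternalAuthoritative')

        # Collect any range wider than the threshold (IPv6 ranges are reported as-is).
        $broad = @()
        foreach ($r in $rc.RemoteIPRanges) {
            $s    = $r.ToString()
            $size = Get-IPv4RangeSize -Range $s
            if (($size -eq $null) -or ($size -gt $MaxAddressesPerRange)) { $broad += $s }
        }

        New-Object PSObject -Property @{
            Connector         = $rc.Identity.ToString()
            AuthMechanism     = $auth
            PermissionGroups  = $perms
            ExternallySecured = $externallySecured
            BroadRemoteRanges = ($broad -join ';')
            # Externally secured + broad range = every host in the range can relay as a trusted server.
            Verdict           = $(if ($externallySecured -and $broad.Count -gt 0) { 'REVIEW' } else { 'OK' })
        }
    }
}

# Usage: connectors needing attention sort to the top.
Test-ReceiveConnectorScope | Sort-Object Verdict -Descending |
    Format-Table Connector, Verdict, BroadRemoteRanges, PermissionGroups -AutoSize
```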

    6. Additional configuration needed.

    • AutoDiscovery for outlook clients ( also used by free-busy )  Reference link
    • Free-busy / Availability information.
    • Redirecting OWA across forests
    • Linked mailboxes
    • Shared / Resource mailboxes

      I hope to cover these in future blogs, time permitting.

      Additional Reading Link1 Link2 Link3

      Thank you for reading this far & I hope this blog was useful for your cross-forest migration.

      Next Blog: How Groups can be migrated across forests & what kind of issues can crop up.

  • Executing Exchange PowerShell commands from a CMD Prompt

    A Quick blog on how to execute an Exchange PowerShell script (.ps1 extension) from a command prompt.

    A .ps1 file cannot be executed directly from a command prompt; to execute it one needs a PowerShell host. Further, if the script calls any Exchange cmdlets, it must be executed in an Exchange Management Shell.

    The following command does all three in one line, i.e. it runs the Exchange script c:\script\script.ps1 from a command prompt.

     

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -psconsolefile "C:\Program Files\Microsoft\Exchange Server\V14\Bin\exshell.psc1" -file "C:\script\script.ps1"

  • Windows Hot-fixes needed for Exchange 2010 Sp1

     

    I didn't find this well documented anywhere, hence I put together this blog post on the required hotfixes for Exchange 2010 SP1 on Windows 2008 R2.

     

    As you may already know, a total of 6 hotfixes are required.

     

     

    Kb 979099

    http://www.microsoft.com/downloads/en/details.aspx?FamilyId=87f72529-d316-42e8-bf77-a46951f66dda&displaylang=en

    OR

    http://support.microsoft.com/kb/979099

     

    Kb 979744

    http://connect.microsoft.com/VisualStudio/Downloads/DownloadDetails.aspx?DownloadID=27109

     

    Kb 977020

    http://connect.microsoft.com/VisualStudio/Downloads/DownloadDetails.aspx?DownloadID=27977

     

     

    Kb 982867

    http://code.msdn.microsoft.com/KB982867/Release/ProjectReleases.aspx?ReleaseId=4520

     

     

    FilterPack64bit

    Private build\983440

    https://connect.microsoft.com/VisualStudio/Downloads/DownloadDetails.aspx?DownloadID=29092

    OR

    http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=983440

     

     

    <<Disclaimer: This is meant to be a quick rough list of links to the hotfixes to help me as well as others in the field. I presume the links to the Hotfixes might change in the future when the teams are finished testing  >>

     

  • Solving The Family Tree Challenge With Visio

    I love Microsoft products. Here is an example of why.  Working for Microsoft I get to play around with them for free. This Blog is an example of what I am talking about.

     

    A couple of years back my mother started documenting our entire extended family ( which is actually four different trees spanning at least 6 generations ). After splitting the largest tree there were at least 75+ names left on a single sheet of paper.

    The best my mother could do was glue two or more large sheets of Foolscap paper together to write this down. When I saw this I immediately thought of digitizing it and thought it will be a weekend activity.

    Circa 2005; Internet to the rescue ! And after exploring many proprietary software packages available on the internet I had to rule them all out one by one. Reasons varied from un-friendly interfaces to proprietary methods of storage. ( considering that I would be sharing this out to the extended family for possible updates or simply viewing )

     

    Finally after many hours spent exploring and ruling out options I zeroed in on Visio after seeing how somebody else had done it. ( Website no longer available. )

    I found this option scalable and somewhat convenient, but it was not to be.

    In hindsight I believe my approach needed some fine tuning. I built my own templates for the common shapes like male, female, married, child, etc.

     

     

     

    I got started assembling the bricks, and that's when I realized how damn difficult aligning and sizing the different shapes is. And I had not even started putting in details. Picture how aligning all the above shapes into the below would be.

     

     

     

     

    Each shape is in fact a simple grouping of discrete lines. With no other choice I carried on the cumbersome task of putting all the objects together. Not regularly, but whenever I had some free time on a weekend.

    All this happened sometime in 2005 and till December 2008 I was barely 25 % done with the entire tree in spite of spending a lot of time on this. I did think of exploring AutoCAD but it was not to be. ( remembering my AutoCAD days in 1998-99 )

     

    In December 2008 when I was somewhere 25% done with the tree I met a colleague who was the expert on Visio & whose job profile was to demonstrate & sell Visio to customers ( he actually sat right next to me for a very long time ). In some discussion on Visio I mentioned to him I was in progress of creating this family tree and was having a tough time. That's when he suggested why don't I type the names in an Excel file and simply import them into a Visio file.

    How ingenious ! But I didn't know how that could be done. A couple of minutes later he was showing me the organizational chart feature in Visio.

     

    Here is what he did.

    File > New > Organizational Chart.

     

    Created a Couple of Objects, then exported the file to excel.

     

    Looking at the excel file I immediately understood how Visio built the hierarchy. Just 3 columns matter and additional 2 columns for the name and title.

     

    • Unique_ID

    Each person must have a unique ID

     

    • Reports_To

    Which should have the Unique_ID of the parent

     

    • Master_Shape

    For the identifying shape from the library.

     

     

     

    In Short, we reverse Engineered the Visio file into Excel to understand the Required fields.

     

     

    What I got :

    • Ability to build a diagram from scratch with virtually no skillset in Visio.
    • No messy aligning , shapes, grouping & un-grouping. ( Trust me this can be Really Messy )
    • Just Type all the details in Excel & simply import them into Visio.

     

    So, put the data into Excel & it takes less than a minute for importing. ( compared to many many many hours doing it the old way. )

     

    I can also simply e-mail either the Visio or a Jpeg file to the extended family. Or if I need some help in filling out the details I simply e-mail the excel file to relatives & ask them to fill it up.

    ( every one has Microsoft excel )

     

    In hindsight I feel like an idiot for having spent so many hours attempting to do it using my own template :(

     

     

    Some problems I faced on the way & how I resolved them:

     

    1. Every Spelling update made resulted in the Visio needing a re-import.

    Thus I needed to make the Visio dynamically linked to the excel file. If the excel file is updated it should reflect in the Visio without re-importing it.

    Done. It was a simple option in Visio.

     

    2. I need to figure out how to maintain the order when the file is imported into Visio.

    i.e. Elder siblings should be to the left of their younger siblings.

    I put an additional field which had a number. So after importing the excel file, I displayed the number to sort out siblings, then hid the number.

     

    3. Printing Across multiple Pages. ( 2 Problems here )
      a. Margin the Printer leaves

    I knew that all printers have a limitation to printing right to the edge. But didn't know how much I could push the printer I was using. After wasting many sheets of paper I decided not to bother. Simply chop off the extra paper with a blade.

      b. Overlap Printed ( a couple of mm )

    Didn't bother fixing this. Simply cut a strip off along with the solution of point a.

     

    Going ahead I need to solve the following challenges:

     

    1. Differentiate Male & female.

    I have used two master Shapes ( manager & delegate ) mapping to a Descendant & His / Her Spouse.

    If I need to Differentiate between Male & Female, I would need four master Shapes

    (Male Manager, Female manager, Male Delegate & Female Delegate )

    Given that there are no more shapes to be used I might need to create some custom shapes. ( Non-Standard - not going to attempt it just yet  )

     

    What I lost:

    • Unique shapes male and female. ( I think I can work around that by creating a custom shape but not going to attempt it just yet )
    • A lot of time I spent on the old method.

     

     

    ==========================================

    Some Statistics:

    • 4 Family trees - 1 for each Grand Parent. ( 1 Tree split into 2 due to size, so 5 Trees )
    • 390  different persons.
    • Largest tree of 135 Individuals
    • Up to 6 generations Documented.
    • 13 A3 sheets of Paper for printing in landscape mode.
    • Many Hours to put it all together.

    Unfortunately I cannot upload the tree over here.

     

     

    Adding further value:

    1. Put this up on a website. ( Ahh…. That’s another Blog topic )
    2. Capture as much information as possible in the excel file and look for ways to put it up on the Visio.

    ( DOB, DOD, Photo, Etc )

     

     

    Credit also to a friend of mine who tickled me into moving forward.

    - Sachin Filinto

     

  • How to Migrate Distribution Groups Across a Forest

    Building on my previous couple of blogs on Cross-Forest Migration, in this blog I will describe how Groups can be successfully migrated across a forest. I will also list out some gotchas & how they can be addressed.

    Migrating groups is something I've seen customers assume is not important; however, when the groups are actually moved, customers experience pain points, some of which could have been mitigated.

     

    1. Detect & fix any corruption in the groups attributes ( if any ).

    Common corruption we see is invalid characters in critical attributes like alias & display name. (space, period, special characters, etc.)

    There are several ways to detect this corruption. The simplest & crudest way would be to run Get-Group to list all the groups; any group with invalid attributes shows up in yellow. Besides this you can also use the Office 365 readiness tool to report on invalid attributes ( highly recommended ).

    The only reliable fix to detected corruption would be to manually correct the attributes either from ADUC or from ADSI Edit or a similar tool.

    Note the difference between Detect & fix above.

    I’ve seen customers attempt to fix this corruption via a script to disastrous effect. ( what logic do you use ? )

    Tip: If any attributes were changed & you are using Exchange 2003, you should update the RUS & also replicate across the domain controllers.

    2. Execute ADMT to copy groups along with the SID.

    When executing ADMT, fix the group membership in the new forest. This could be in one pass or multiple passes depending on your requirements.

    A point of significance here is that ADMT does NOT copy all Exchange attributes from the source to target forest.

    3. Convert Groups to Universal.

    Exchange 2010 requires a local Global Catalog server in the Active Directory site where Exchange resides to query for group expansion. A Global catalog can expand domain local, global, and universal groups. However, domain local groups (and sometimes global groups) can only be expanded within the domain. Hence the GC will be unable to expand a domain local group in a subdomain.


    Thus Exchange Server 2007 & 2010 force you to create all new distribution groups as universal distribution groups even if you have a single domain in the forest.

    To convert groups to universal using PowerShell run this command:

    Get-Group | where { ($_.RecipientTypeDetails -eq "NonUniversalGroup" -or $_.RecipientType -eq "MailNonUniversalGroup") -and ($_.GroupType -notlike "*DomainLocal*") } | Set-Group -Universal

    Iterate by running this command till all groups are converted to universal.
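    The iteration the previous sentence asks for, as an added example that is not part of the original post: a global group cannot be converted to universal while it is still a member of another global group, so a pass leaves those behind until their parents have been converted. Run in the Exchange Management Shell; the pass limit is an assumption.

```powershell
# Added example, not from the original post. Repeats the conversion above until
# nothing is left to convert. A global group cannot be made universal while it is
# still a member of another global group, which is why a single pass leaves some
# groups behind and why the post says to iterate. Run in the Exchange Management
# Shell; the pass limit is an assumption.

function Convert-GroupsToUniversal {
    param([int] $MaxPasses = 10)

    # Same selection the post uses: non-universal (mail-enabled or not), never domain local.
    $selectPending = {
        Get-Group -ResultSize Unlimited | Where-Object {
            ($_.RecipientTypeDetails -eq 'NonUniversalGroup' -or $_.RecipientType -eq 'MailNonUniversalGroup') -and
            ($_.GroupType -notlike '*DomainLocal*')
        }
    }

    $passesRun = 0
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        $pending = @(& $selectPending)
        if ($pending.Count -eq 0) { break }
        $passesRun++

        $failed = 0
        foreach ($g in $pending) {
            try {
                Set-Group -Identity $g.Identity -Universal -ErrorAction Stop
            } catch {
                # Typically the group is still nested in a global group; it is retried next pass.
                $failed++
                Write-Warning ("Pass {0}: {1} not converted: {2}" -f $pass, $g.Name, $_.Exception.Message)
            }
        }
        Write-Host ("Pass {0}: {1} pending, {2} failed" -f $pass, $pending.Count, $failed)
    }

    # Report what is still non-universal so the stragglers can be handled by hand.
    $remaining = @(& $selectPending)
    New-Object PSObject -Property @{
        PassesRun = $passesRun
        Remaining = $remaining.Count
        Converted = ($remaining.Count -eq 0)
        Leftovers = ($remaining | ForEach-Object { $_.Name }) -join ';'
    }
}

Convert-GroupsToUniversal
```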

    Tip: There are other methods to accomplish this, e.g. with the dsmod command, however the method listed above is what I chose & it works like a charm.

     

    4. Mail enable the groups with source Primary, Secondary (if any) SMTP & legacyExchangeDN.

    Given that prepare-moverequest.ps1 cannot be used to prepare groups we need to use another tool for copying the SMTP addresses ( note the plural ) from the source to target forest (both Primary & secondary addresses) along with the LegacyExchangeDN stamped as a x.500 address, reasons for which have been explained in earlier posts.

    The tool in question is one which was released for migrating an Exchange 2010 sp1 hosted tenant (/hosting mode ) to another forest which is running Exchange 2010 sp2 ( Non-Hosting mode )

    The entire archive of scripts & documentation can be downloaded from http://blogs.technet.com/b/exchange/archive/2012/02/03/released-migrating-from-exchange-server-2010-in-hosting-mode-to-exchange-server-2010-sp2-whitepaper.aspx

    Once un-compressed, we need to run two scripts. One to Create an .xml file with the group details & the second to import the same .xml into the target Forest which will restore the group attributes.

     

    • CreateADMTGroupList.ps1 to Create an .xml file of the group details.

     

    • Copy this xml file to the target forest & import it using the next command.

     

    • RestoreGroupAttributes.ps1 to restore the group attributes to the groups which would have already been copied to the target forest using ADMT.

    5. Export list of groups having “exception to e-mail address policy” in source forest & Set the same “policy exception” for the groups copied into the target forest.

    Since hosting environments have the "Automatically update e-mail addresses based on e-mail address policy" option unchecked, one un-needed thing the above script does is set "Automatically update e-mail addresses based on e-mail address policy" to unchecked on every group ( thus the Recipient Policy will not be applied ).


    Command to Export ( source forest )

    Get-Mailbox | Where-Object { $_.PoliciesExcluded -eq "{26491CFC-9E50-4857-861B-0CB8DF22B5D7}" }

    Command to Import ( target forest )

    Set-Mailbox -Identity <recipient> -EmailAddressPolicyEnabled $false

     

    6. Export the list of groups hidden in the source forest & hide the same in the target forest.

    For whatever reason they may have been hidden in the source forest, the same would have to be set in the target forest.

    Command to Export ( source forest )

    Get-Mailbox | Where-Object { $_.HiddenFromAddressListsEnabled -eq $true }

    Command to Import ( target forest )

    Set-Mailbox -Identity <recipient> -HiddenFromAddressListsEnabled $true
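    Steps 5 and 6 carried out as one export/import pass over the groups, as an added example that is not part of the original post or of the hosting-mode scripts. It uses the distribution-group cmdlets, matches target groups by the primary SMTP address that step 4 already copied, and mirrors both flags in both directions so that groups the restore script wrongly excluded from the policy are re-enabled; the CSV path is an assumption.

```powershell
# Added example, not from the original post or the hosting-mode scripts. Exports
# each source group's policy-exclusion and hidden flags to CSV, then re-applies
# them in the target forest, matching by the primary SMTP address that step 4
# already copied. Both flags are mirrored in both directions, so groups that the
# restore script left excluded from the policy are switched back on. PowerShell
# 2.0-compatible; the CSV path is an assumption.

# Source forest
function Export-GroupPolicyFlags {
    param([Parameter(Mandatory=$true)] [string] $Path)
    Get-DistributionGroup -ResultSize Unlimited |
        Select-Object Name, PrimarySmtpAddress, EmailAddressPolicyEnabled, HiddenFromAddressListsEnabled |
        Export-Csv -Path $Path -NoTypeInformation
}

# Target forest
function Import-GroupPolicyFlags {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [switch] $WhatIf   # preview the Set-DistributionGroup calls without changing anything
    )
    $applied = 0
    $missing = @()
    foreach ($row in Import-Csv -Path $Path) {
        $smtp  = [string]$row.PrimarySmtpAddress
        $group = Get-DistributionGroup -Identity $smtp -ErrorAction SilentlyContinue
        if (-not $group) {
            # ADMT / RestoreGroupAttributes.ps1 did not bring this group across; report it, do not guess.
            $missing += $smtp
            Write-Warning ("{0} <{1}>: not found in target forest" -f $row.Name, $smtp)
            continue
        }
        # CSV values are strings, so compare against the text form of the booleans.
        $set = @{
            Identity                      = $group.Identity
            EmailAddressPolicyEnabled     = ($row.EmailAddressPolicyEnabled -eq 'True')
            HiddenFromAddressListsEnabled = ($row.HiddenFromAddressListsEnabled -eq 'True')
        }
        Set-DistributionGroup @set -WhatIf:$WhatIf
        $applied++
    }
    New-Object PSObject -Property @{
        Applied = $applied
        Missing = ($missing -join ';')
    }
}

# Usage: run the export in the source forest, copy the file, then import in the target forest.
# Export-GroupPolicyFlags -Path 'C:\migration\group-flags.csv'
# Import-GroupPolicyFlags -Path 'C:\migration\group-flags.csv' -WhatIf
```

    Run the import once with -WhatIf and review the warnings before applying it for real.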

      

    7. Identify which groups have another group as manager & fix managed-by issue

    In Exchange 2010, Unlike earlier versions, distribution groups & mailboxes cannot be managed by groups - only individual users. So it's possible that prior to migration, some groups were used to manage the distribution group.  Now, members of these groups cannot modify the group.

    To resolve this, a script Set-DistributionGroupOwners.ps1 can be used. This script replaces a distribution group or security group, which is specified in the “ManagedBy” attribute of a distribution group, with members of the group.

     The script ( Set-DistributionGroupOwners.ps1 ) can be downloaded from here : http://gallery.technet.microsoft.com/scriptcenter/756b02bd-fb8c-4071-b7b3-3e9022831678

    additional details can be found here : http://blogs.technet.com/b/exchange/archive/2011/05/04/how-to-manage-groups-with-groups-in-exchange-2010.aspx

     

    8. Enabling users to manage distribution groups but not create or remove them.

     

    The script ( Manage-GroupManagementRole.ps1 ) can be downloaded from here :

    additional details can be found here : http://blogs.technet.com/b/exchange/archive/2009/11/18/how-to-manage-groups-that-i-already-own-in-exchange-2010.aspx

     

    9. Upgrade distribution group version.

    Distribution groups ( AD objects ) have a version which determines which features are enabled. For example, if the version is E2003, features which are available in later versions like E2010 remain greyed out ( e.g. DL moderation ).

    In order to get all the features of Exchange 2010, we need to upgrade the version with the below commands.

    Command to Upgrade the groups:

    Get-DistributionGroup | Set-DistributionGroup -ForceUpgrade


    Command to Report the version:

    Get-DistributionGroup | ft Name,Exchangeversion

     

    10. Upgrading the E-mail Address Policy

    If the e-mail address policy is not upgraded, we will not be able to open the object in EMC.

    The below command will report which of the e-mail address policies ( aka Recipient Policies ) are legacy.

    Get-EmailAddressPolicy | where { $_.RecipientFilterType -eq "Legacy" } | Format-List Name,RecipientFilter*,ExchangeVersion

    The below command will upgrade them.

    Get-EmailAddressPolicy | where { $_.RecipientFilterType -eq "Legacy" } | Set-EmailAddressPolicy -IncludedRecipients AllRecipients

    Note 1 : If you have complex email addressing policies please test before executing the above command.

    Note 2 : Mailbox Manager policies are no longer available in 2010 & thus have to be removed.

     

    11. QBDG

    Query Based Distribution Groups are best re-created from scratch as the actual query parameters could have changed significantly.