Best Method for Cross Forest Mailbox Moves
Hi There,
I'm having trouble moving mailboxes from one forest to another and need a couple of things clarified.
On the destination forest do I need to create the AD account pre-move or an AD account WITH mailbox?
I've tried moving mailboxes with mixed results, for example I tried moving an account by creating a mailbox on the destination server first and got this issue;
[PS] C:\>New-MoveRequest -Identity 'test.mailbox@resourcegroup.co.uk' -Remote -TargetDatabase 'Users from LRTT' -Remote
HostName 'mail.lrtt.co.uk' -RemoteCredential $Cred -TargetDeliveryDomain 'resourcegroup.co.uk'
Target user 'Test Mailbox' already has a primary mailbox.
+ CategoryInfo : InvalidArgument: (test.mailbox@resourcegroup.co.uk:MailboxOrMailUserIdParameter) [New-Mo
veRequest], RecipientTaskException
+ FullyQualifiedErrorId : CBF9D817,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
and then I removed the account and tried and got this issue;
[PS] C:\>New-MoveRequest -Identity 'test.mailbox@resourcegroup.co.uk' -Remote -TargetDatabase 'Users from LRTT' -Remote
HostName 'mail.lrtt.co.uk' -RemoteCredential $Cred -TargetDeliveryDomain 'resourcegroup.co.uk'
The operation couldn't be performed because object 'test.mailbox@resourcegroup.co.uk' couldn't be found on 'thdc2.Resou
rceGroup.co.uk'.
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : E0AD70F2,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
Can anyone help?
Many Thanks
May 23rd, 2012 5:36am
Hi
You need to have a mail user object in the destination organisation which has the same values as the source object.
See the mandatory attributes section in this document:
http://technet.microsoft.com/en-us/library/ee633491
Cheers, Steve
May 23rd, 2012 5:40am
Hi Steve,
Thanks for your quick reply. Is there a simple way to copy this information or is it a time consuming process of copying and pasting??
May 23rd, 2012 5:42am
Hi,
This should help:
http://technet.microsoft.com/en-us/library/ee861103
Leif
May 23rd, 2012 6:30am
Thanks Leif,
When I try that I get;
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>./Prepare-MoveRequest.ps1 -Identity test.mailbox@lrtt.co.uk
-RemoteForestDomainController thdc1.resourcegroup.co.uk -RemoteForestCredential $RemoteCredentials -LocalForestDomainCon
troller kadc1.lrtt.co.uk -LocalForestCredential $LocalCredentials
C:\Program Files\Microsoft\Exchange Server\V14\Scripts\Prepare-MoveRequest.ps1 : Error looking up source MBX test.mailb
ox@lrtt.co.uk in source forest.
At line:1 char:26
+ ./Prepare-MoveRequest.ps1 <<<< -Identity test.mailbox@lrtt.co.uk -RemoteForestDomainController thdc1.resourcegroup.c
o.uk -RemoteForestCredential $RemoteCredentials -LocalForestDomainController kadc1.lrtt.co.uk -LocalForestCredential $L
ocalCredentials
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Prepare-MoveRequest.ps1
0 mailbox(s) ready to move.
I am correct in running the command on the new domain aren't I?
Am I also right in thinking that;
$LocalCredentials = new domain credentials
$RemoteCredentials = old domain credentials
May 23rd, 2012 9:39am
I have a job aid posted on my blog to perform cross forest mailbox moves that I documented for my migration. Nothing should exist in the target forest: no mailbox, no user, not even the GALSync contact (if you were doing GALSync). Any objects that exist in the target forest cause too many issues trying to merge the attributes, causing duplicate accounts, i.e. jchong73643, or failing to stamp attributes etc.
http://msexchangetips.blogspot.com/2012/05/exchange-2007-to-exchange-2010-cross.html
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 23rd, 2012 11:33am
Hi James,
I'm not moving from Exchange 2007 to 2010, I'm moving from a 2010 server in one forest to a 2010 server in another.
Does your guide still apply?
Many Thanks
May 23rd, 2012 11:42am
Yes, the steps are still the same. Just make sure no objects exist in the target, prepare the move request, then move the mailbox, which will merge. Then run the ADMT, which will find the account already exists and bring over the SID.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 23rd, 2012 11:49am
I've managed to successfully get 1 mailbox READY to move... can someone tell me how I get it to move??
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>./Prepare-MoveRequest.ps1 -Identity test.mailbox -RemoteForestDomainController kadc1.lrtt.co.uk -RemoteForestCredential $RemoteCredentials -LocalForestDomainController thdc1.resourcegroup.co.uk -LocalForestCredential $LocalCredentials -LinkedMailUser
Appending x500:/o=LRTT/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Test Mailbox to proxyAddresses of New Object in Local forest.
Appending x500:/o=ResourceGroup/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Test Mailboxa53 to proxyAddresses of Object(CN=Test Mailbox,CN=Users,DC=lrtt,DC=co,DC=uk) in Source forest.
Preparation for test.mailbox done.
1 mailbox(s) ready to move.
Help? :)
May 24th, 2012 10:12am
My blog post shows it; did you try it, or were you getting an error?
New-MoveRequest -Identity "CN=alexander htet,OU=FromILM,OU=GALSync,DC=corp,DC=dom" -RemoteLegacy -TargetDatabase "mdb04 tier2" -baditemlimit 100 -acceptlargedataloss -RemoteGlobalCatalog "sourceDC" -RemoteCredential $Remote -TargetDeliveryDomain "TargetDC" -SuspendWhenReadyToComplete
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 24th, 2012 10:20am
Hi James,
Is -TargetDatabase where the mailbox is moving TO or FROM?
May 24th, 2012 10:25am
Target is the TO.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 24th, 2012 10:28am
Also you don't need to specify the whole DN "cn=blah blah"; like below, you can just use the username
New-MoveRequest -Identity "Bjones" -RemoteLegacy -TargetDatabase "mdb04 tier2" -baditemlimit 100 -acceptlargedataloss -RemoteGlobalCatalog "sourceDC" -RemoteCredential $Remote -TargetDeliveryDomain "TargetDC" -SuspendWhenReadyToComplete
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 24th, 2012 10:30am
I tried this but it failed :(
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>New-MoveRequest -Identity test.mailbox@lrtt.co.uk -Remote -T
argetDatabase 'Users from LRTT' -RemoteHostName 'kamx1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeliveryD
omain 'mail.resourcegroup.co.uk'
The call to 'https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc' failed because no service was listening on the specified endpoi
nt. Error details: There was no endpoint listening at https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc that could accept the m
essage. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
--> The remote name could not be resolved: 'kamx1.lrtt.co.uk'
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemotePermanentException
+ FullyQualifiedErrorId : C4DA96C7,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
May 24th, 2012 10:30am
What server is 'kamx1.lrtt.co.uk' and what server is 'mail.resourcegroup.co.uk'
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 24th, 2012 10:34am
kamx1.lrtt.co.uk is the mailserver that the mailbox is moving FROM
mail.resourcegroup.co.uk is the CAS server that the mailbox is moving TO
I've checked KAMX1 and it does have the EWS virt dir in IIS and it's running SSL, Require SSL and Ignore Client Certs.
May 24th, 2012 10:36am
Instead of kamx1.lrtt.co.uk you need to use the DC, not the source Exchange.
Do this
-RemoteGlobalCatalog "sourceDC"
Not this
-RemoteHostName 'kamx1.lrtt.co.uk'
Then targetdeliverydomain is just the domain name of the new domain you're moving to, resourcegroup.co.uk (not the exchange server name).
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 24th, 2012 10:40am
OK I'll give that a whirl!! Thanks a lot!
May 24th, 2012 10:41am
It requests a RemoteHostName
cmdlet New-MoveRequest at command pipeline position 1
Supply values for the following parameters:
RemoteHostName:
:/
May 24th, 2012 10:48am
Doesn't this suggest that there's an issue on kamx1?
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>New-MoveRequest -Identity test.mailbox@lrtt.co.uk -Remote -T
argetDatabase 'Users from LRTT' -RemoteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeli
veryDomain 'resourcegroup.co.uk'
cmdlet New-MoveRequest at command pipeline position 1
Supply values for the following parameters:
RemoteHostName: kamx1.lrtt.co.uk
The call to 'https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc' failed because no service was listening on the specified endpoi
nt. Error details: There was no endpoint listening at https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc that could accept the m
essage. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
--> The remote name could not be resolved: 'kamx1.lrtt.co.uk'
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemotePermanentException
+ FullyQualifiedErrorId : C4DA96C7,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
It looks to me that https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc isn't working..
May 24th, 2012 10:53am
Did you truncate the -RemoteLegacy parameter? Use exactly like below.
New-MoveRequest -Identity test.mailbox@lrtt.co.uk -RemoteLegacy -TargetDatabase 'Users from LRTT' -RemoteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'resourcegroup.co.uk'
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 24th, 2012 11:02am
That gives me the following;
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>New-MoveRequest -Identity test.mailbox@lrtt.co.uk -RemoteLeg
acy -TargetDatabase 'Users from LRTT' -RemoteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -Targ
etDeliveryDomain 'resourcegroup.co.uk'
An Active Directory error 0x51 occurred when trying to check the suitability of server 'kadc1.lrtt.co.uk'. Error: 'Acti
ve directory response: The LDAP server is unavailable.'
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemoteTransientException
+ FullyQualifiedErrorId : F617BA2E,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
The previous commands looked as if they should work if only for the EWS error.
May 24th, 2012 11:15am
Is 'kadc1.lrtt.co.uk' a GC?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 24th, 2012 11:17am
Yup, the only one on that site.
May 24th, 2012 11:17am
From the 2010 server you're running the move request, can you ping kadc1? Also you're not blocking any standard ports to the DC 389 etc?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 24th, 2012 11:17am
From the 2010 server you're running the move request, can you ping kadc1?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
AHAR!!! Good point, I'd set the server's IP using the hosts file on my PC as I'm running the command from PS on my PC but I guess the server needs it too!! D'oh!
May 24th, 2012 11:19am
I added the required hosts records to the mail servers and I still get the same issues;
[PS] C:\Windows\system32>New-MoveRequest -Identity test.mailbox@lrtt.co.uk -Remote -TargetDatabase 'Users from LRTT' -Re
moteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'resourcegroup.co.uk'
cmdlet New-MoveRequest at command pipeline position 1
Supply values for the following parameters:
RemoteHostName: kamx1.lrtt.co.uk
The call to 'https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc' failed because no service was listening on the specified endpoi
nt. Error details: There was no endpoint listening at https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc that could accept the m
essage. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
--> The remote name could not be resolved: 'kamx1.lrtt.co.uk'
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemotePermanentException
+ FullyQualifiedErrorId : C4DA96C7,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
;/
May 24th, 2012 11:31am
I've made progress, the inverted commas were ballsing it up.
Now I get;
[PS] C:\Windows\system32>New-MoveRequest -Identity test.mailbox@lrtt.co.uk -Remote -TargetDatabase 'Users from LRTT' -Re
moteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'resourcegroup.co.uk'-Re
moteHostName kamx1.lrtt.co.uk
The call to 'https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc' failed. Error details: Could not establish trust relationship f
or the SSL/TLS secure channel with authority 'kamx1.lrtt.co.uk'. --> The underlying connection was closed: Could not es
tablish trust relationship for the SSL/TLS secure channel. --> The remote certificate is invalid according to the valid
ation procedure..
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemoteTransientException
+ FullyQualifiedErrorId : 42D47808,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
May 24th, 2012 11:42am
I think I've found the issue in event log;
Microsoft Exchange could not find a certificate that contains the domain name mail.lrtt.co.uk in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default KAMX1 with a FQDN parameter of mail.lrtt.co.uk. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
May 24th, 2012 11:58am
How come you are still using the remotehostname parameter? Is it still not working if you just do like below?
New-MoveRequest -Identity test.mailbox@lrtt.co.uk -RemoteLegacy -TargetDatabase 'Users from LRTT' -RemoteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'resourcegroup.co.uk'
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 24th, 2012 11:59am
Hi There,
That didn't work, it moaned about LDAP.
I've discovered that it's a certificate issue that I've got now.
"Microsoft Exchange could not find a certificate that contains the domain name mail.lrtt.co.uk in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default KAMX1 with a FQDN parameter of
mail."
May 24th, 2012 12:13pm
If it's moaning about your new exchange not being able to communicate with your old DCs then I would expect more problems down the line, not just with mailbox moves. You need to find out why it can't communicate with the DC.
That error about the certificate is generic; everybody and their cousin gets that error when they first build exchange.
You need to check the ports required for mailbox moves.
MapiExceptionNetworkError: Unable to make connection to the server. (hr=0x80004005, ec=2423)
http://msexchangetips.blogspot.com/2010/11/mapiexceptionnetworkerror-unable-to.html
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 24th, 2012 12:23pm
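The failures in this thread were, in order, a name that would not resolve from the Exchange server, an unreachable LDAP port on the source GC, and a certificate on the MRSProxy host that failed validation. The sketch below is an added example, not code from any poster in the thread; it checks each of those from the server that runs New-MoveRequest. The host names are the ones quoted above, while the function names and the global catalog port 3268 are assumptions of this example.

```powershell
# Added example: run ON the Exchange server that issues New-MoveRequest.
# Host names are those quoted in the thread; function names are hypothetical.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-TlsPolicyErrors {
    param([string]$HostName, [int]$Port = 443)
    $script:tlsErrors = $null
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback records what validation found and lets the handshake
        # finish so the result can be read. Diagnostic only; no data is sent.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($s, $cert, $chain, $errors)
            $script:tlsErrors = $errors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Host = $HostName; Subject = $leaf.Subject
            NotAfter = $leaf.NotAfter; PolicyErrors = $script:tlsErrors
        }
    } finally { $client.Close() }
}

$sourceCas = 'kamx1.lrtt.co.uk'   # value passed to -RemoteHostName
$sourceGc  = 'kadc1.lrtt.co.uk'   # value passed to -RemoteGlobalCatalog

foreach ($name in $sourceCas, $sourceGc) {
    try   { "DNS  $name -> " + ([System.Net.Dns]::GetHostAddresses($name) -join ', ') }
    catch { "DNS  $name -> NOT RESOLVED on this server" }
}
foreach ($port in 389, 3268) {
    "LDAP {0}:{1} reachable = {2}" -f $sourceGc, $port, (Test-TcpPort $sourceGc $port)
}
if (Test-TcpPort $sourceCas 443) { Get-TlsPolicyErrors $sourceCas | Format-List }
else { "HTTPS ${sourceCas}:443 not reachable" }
```

A `PolicyErrors` value other than `None` (for example `RemoteCertificateNameMismatch` or `RemoteCertificateChainErrors`) corresponds to the "Could not establish trust relationship for the SSL/TLS secure channel" error; it is resolved by a certificate whose name matches the host and whose issuer the target server trusts.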