Tag Archives: Migration

Kernel Migrator for Exchange

Exchange 2007, Exchange 2010, Exchange 2013, Exchange 2016Leave a comment

Migration of Exchange can be a complex, challenging and stressful task. It needs in-depth knowledge on Exchange and all the system connected to Exchange. Also, need to make sure the users are not affected during the migration with no data loss.

Kernel Migration helps to migrate Exchange mailboxes from one version of Exchange to another. Weather it can be a cross forest migration or migration from on premises to a hosted solution or even to your tenant in office 365. This tool supports all version of Exchange starting from Exchange Server 2000 to Exchange Server 2016, and hopefully, it support Exchange server 2019 migration soon as well. Kernel Migrator for Exchange is a clean and comfortable to use interface to make complete process more comfortable and have a controller over it.

In addition to mailbox migration Kernel Migration tool helps to perform the below:

· Pre-Migration Analysis.

· Public folder migration

· Global Address Book (GAL) Sync.

· Migrate outlook Rules

· Update outlook profile when mailbox is migrated.

· Reporting

· Migration cleanup

· Rollback Mailbox migration

· Rollback public folder migration

· Rollback GAL sync

Pre-Migration Analysis

Pre-Migration Analysis is to estimate the time it takes for migration. It helps to plan the migration and allow no or limited imaged to the end users. It allows to estimate the both the time for mailbox and the public folder data.

Public folder migration

Public folder migration can be tricky and complicated. Native scripts officering from Microsoft is manual and complex. This tool helps to migration the public folder data migration and also easily migration the public folder permission.

Global Address Book (GAL) Sync

GAL Sync is used when Exchange Cross forest migration performed. It helps to sync all the mail accounts from the source forest to the target Exchange forest as mail contacts. This tool can be used for GAL Sync as well to sync the email objects from both the forest as mail contacts. This helps to see the users from other forest users in their local address book. It also offers excellent control on the objects it can sync and exclude.

Migrate outlook Rules

Local Outlook Rules can also be uses to migrate from the source to the Target outlook. This option helps to have no or minimum action from the users end when the mailbox migrated.

Rollback

Rollback option is a great benefit which we can make use when we need it. Migration can many times leads to a rollback due to various reason. We should always be in a position to rollback to a state which was before. Kernel migrator for Exchange offers to rollback mailbox migration, public folder migration and also GAL sync objects.

Let’s see how simple is to migration mailbox from on-prem to office 365 using Kernel Migrator for Exchange.

1. Install the Kernel migration on the source forest Exchange server

2. Start the Kernel migration for Exchange -> click on Add project -> provide a Project Name.

3. Click on Add Job for Mailbox -> select the Project then provide the appropriate name and click Next

4. Select Migrate from Exchange Server then provide the Domain controller and other necessary details followed by the administrator account having full mailbox permission for each source mailboxes and click NEXT

5. In the next page slect the mailboxes which you wanted to migrate. You can drill down the OU where you have the users, or you can select the users which needs to migrate. We can also import CSV file with the list of mailbox to migrate.

6. In the next page, select migrate to Office 365 then provide the office 365 admin account credentials and click Next

7. This page is add any exception to migration content. By default, full mailbox is migrate. Select Next to continue with the next page.

8. Now select the corresponding source and target mailbox, so that content migrated to the correct target mailbox and click Next

9. Specify the Bad item limit which it can ignore before the migration fails then specify the how the mailbox content to synced between source and target mailboxes. Then click Next to continue

10. Provide the email address of the engineer who need to get the migration status update notification and click Next to continue

11. Select the time when the mailbox sync to happen. To avoid any mailbox sync in the working hours and also to save the network bandwidth.

12. Scheulde the sync when you wanted to start and also allows option to configure who should get detailed migration report. Click Next to create the migration Job.

13. The final configuration page provides detailed summary of all the configuration selected and allow us to validate. Based on the selection name, Kernel Migrator performs the migration.

Conclusion:

Kernel Migration for Exchange is clean and easy to use tool. It reduces the efforts and time for the Exchange administrator with minimum impact to the end users. It also provides detailed report to the administrator and other necessary alerts when any issues occur. It allows administrator to have great control over the migration which native migration tool does not offer. Certainly, would recommend this tool for the user’s migration from onprem to office 365.

LepideMigrator for Exchange (LME)

Exchange 2003, Exchange 2007, Exchange 2010, Exchange 20131 Comment

Exchange migration involves a lot of effort and time; it is one of the most complex migrations to perform. After doing tons of exchange migration, I realized that not every environment is the same and not every migration is the same. During an exchange migration, everyone’s mailbox will be moved from one version of Exchange to the latest version or to the other organization. With the upgrade of Exchange servers, it is important that client outlook version is also upgraded to the latest level or to the level of Exchange servers. Thus, in a way everyone has to undergo some kind of changes with learning, while adopting a new Exchange environment into the organization.

LepideMigrator for Exchange (LME) is the new latest Exchange migration tool from Lepide which helps in performing a migration from one Exchange Environment to another which is either located locally or another network or even in the Office 365 or Exchange hosted solution in the cloud environment. It supports different migration scenarios, like

· Exchange 2003 / 2007 and Exchange 2010

· Exchange 2003 / 2007 and Exchange 2013

· Exchange 2010 and Exchange 2013

· Migration from any Exchange Server to Office 365

· Public Folder Migration

· Intra-forest Exchange Migration

· Cross-forest Exchange Migration

Given below are a few interesting features of the products.

1. Innovative technique to migrate the large number of mailboxes from source Exchange server to the target which enhances the performance. It can be installed on multiple computers and increase migration volume depending on the requirement. We can also schedule the mailbox move by creating schedule jobs. It provides rich filtering options to filter unwanted email and migrate only necessary email to the target and can also provide the option to undo or rollback the mailbox migration, if necessary.

2. Exchange migration is a time-consuming process which needs a lot of effort and time. To reduce the migration efforts, we can sync the complete source mailbox to the target much ahead of time and just do an incremental sync only before the final cutover. This helps in avoiding any kind of data loss and outage to the users.

3. Report is very important for the migration and helps in tracking migration history and plan for the future migration. Notification helps administrator to notify the status of the migration status with email alerts for the job status, job completion, or job cancelation.

Migrations of the mailbox using LepideMigrator for Exchange is a very easy process and let’s understand on how easy it is to configure and to migrate a mailbox from one forest to another.

Given below is the Setup of my lab

1. Source forest Green.com

2. Target Forest blue.com

3. Creating DNS forwarding and trust between green.com and blue.com

Given below is a step-by-step instruction to perform cross forest migration.

1. Install LepideMigrator for Exchange at the source or target forest. In this scenario, the tool is installed on the source forest green.com. It is installed on the Windows 7 machine with outlook client installed

2. To perform the configuration, start the LepideMigrator for Exchange, Right click on All projects -> click on ‘Add Project’ -> provide the name to the Mailbox migration project

3. Then, create the new Job for the mailbox migration and provide the name for the same and click on ‘Next’

4. Connect to the source forest domain control by providing the IP address and administrator credentials. Then click on ‘Next’

5. Select all the necessary required users to migrate into the target domain and click on ‘Next’

6. Input the target domain controller IP address and the admin credentials. Make sure to specify ‘Different Domain’ for cross forest migration scenario and then click ‘Next’. You can also pull down ‘Migrate To’ to select the different options like same domain or office 365.

7. It also provides the filters to include or exclude the message based on date and folder. Click on ‘Next’ to continue

8. Here, we need to map the source mailbox with the target forest mailbox. It provides the option to map the source mailbox to target pre-created mailbox automatically. If not, we could provide the CSV file specifying the source and target mailbox mapping.

9. Another option could also be to create the target mailbox using the tool itself. Select all the source mailbox and click on message icon, then click on ‘Start’.

10. Once the target mailbox is created, then you could see the mapping done automatically for each of the source mailbox with the target. Click on ‘Next’ to continue.

11. Specify option to Skip the Bad item count or if you just want to do only the mailbox content synchronization, and then click on ‘Next’.

12. Specify the email address to receive various notifications for Job start, Job stop, Job completion, mailbox migration start / finish etc.

13. Notification configuration needs the SMTP address and other necessary configurations. Please provide the same and continue with the ‘Next’.

14. Specify the time duration to deny or permit the migration for the specific time period. It is important to make sure that migration is not done at the production hours, which could have the user performance impact. Click on ‘Next’ to continue.

15. Then schedule the migration depending on the requirement and click on ‘Next.

16. Finally, verify the summary details and click on ‘Finish’ to complete the Job creation.

17. It’s now the time to generate the license file and upload it to http://www.lepide.com/lepide-migration-for-exchange. It generates the generate activation file, download the import it to activate the same.

18. Once the license is activated, we are ready to start the mailbox migration by right clicking on the Job and select the option ‘Start Job’.

Report Console

1. Report console helps to generate the migration statistics report. It helps to analyze the migration details and also to track the status. This report has the complete statistics of the migration performed using the server. It has details of number of jobs, with the domain details and the Exchange version specifications.

To start the report console

2. Start the LepideMigrator for Exchange

3. Click on tool -> click on Report Console

4. Login with the account and password as ‘lepadmin’

5. To understand the details of each of the migration job, click on the Job name. It gets the detailed information with number of mailboxes, total folders, migrated messages and status. Below is the reference screen shot.

6. You could also generate some quick reports in html or pdf file using the options available in the bottom left corner of the LepideMigrator for Exchange tool.

Conclusion:

This migration could take some time depending upon factors like the size of the source mailbox, bandwidth, source and target server performance, etc. Migration using a ‘LepideMigrator for Exchange’ is much simpler to configure and manage than a native migration tool. It provides option to migrate the account with SID History and also copy the password from the source to target account, which is very important for the cross forest migration scenario. It also provides option to migrate public folders and also apply the settings like mailbox rights, send as permission, public folder administration rights send on behalf, message delivery restriction, and public folder client permission.

I believe, LepideMigrator for Exchange is a compressive tool to perform migration under various scenario. This tool has all the features to perform end to end migration.

You can find the detailed information about the tool at http://www.lepide.com/exchangemigrator/ and  also download the trial version from http://www.lepide.com/exchangemigrator/download.html

Configure Exchange 2013 Internet mail flow during migration

Exchange 2013Leave a comment

As part of upgrading to Exchange 2013 from Exchange 2007/2010, we need to make sure that Exchange 2013 is the point of communication for sending and receiving email from the Internet.In addition to installing, configuring, and testing Exchange 2013 Server, migration also consists of configuring and testing mail flow between Exchange 2013 and Exchange 2007/2010. In this article we will understand on how to configure for both sending and receiving emails from internet

 

Configure Exchange 2013 Internet mail flow during migration

Hope this articles helps you

Migrate from Exchange 2010 to Exchange 2013

Exchange 20072 Comments

Microsoft has released the latest cumulative update 2 (CU2) of Exchange Server 2013. I believe it is the right time for an organization to start planning to migrate Exchange 2010 to Exchange 2013.

Below article should give you the quick idea on how to migrate from Exchange 2010 to Exchange 2013 environment in the production environment.

How to migrate Exchange 2010 to 2013 – Part 1

 

How to migrate Exchange 2010 to 2013 – Part 2

Hope you like this article 😉

Step by step Instructions for Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 – Part 3

Windows 2008, Windows 2008 R2Leave a comment

This is the last and final part with back-out procedure of step by step instruction for subordinate CA migration from windows server 2003 to windows server 2008 R2

1. Back-Out Procedure

In case of migration failure i.e. if the Certificate authority service fails to stop, auto enrollment failure or error/issue in any of the verifying migration steps. Then the back-out procedure has to be executed to restore the CA service on the source server.

a. Removing CA Role from Destination server

Log on to the destination server, and start Server Manager.

In the console tree, click Roles.

On the Roles pane click, Remove Roles

If the Before you begin page appears click Next

On the Remove Server Roles, Uncheck ACTIVE Directory Certificate Services and click Next

Click Remove on the Confirm Removal Selection and restart the server once completes

Remove Destination server from domain

Rename the Destination server

b. Adding CA Role on Source Server

Rename the source server to the initial name

Add the source server to domain

Launch Add or Remove programs and select add/remove windows components and select Certificate Service and click, Next

Select Enterprise Subordinate CA as CA Type and select “Use custom settings to generate the key pair and CA Certificate”

On the Public and Private Key Pair click Import and select the backed up file .p12 and enter the password and click next

Click Next to proceed with the CA configuration and close

c. Restoring CA DB on source server

Launch Certificate Authority snap in

Select CA node and click on Actions, All Task and Restore CA

On the Items to Restore select Private key and CA Certificate and Certificate Database and Certificate Database Log

Browse the CA DB Location and Click Next

Enter the password set while backing up the CA

d. Restore Certificate template list

Open a command prompt window.

Type certutil -setcatemplates +<templatelist1>,<templatelist2>.. and press ENTER.

 

Hope this article was informative and helpful to you .  This is based on test with real time scenario.

Below are the links of other part of the article

Part 1 – Preparing Source CA and Target server
Part 2 – Restoring the Source from backups and Verifying the migration

Please comment if you like this article 🙂

Step by step Instructions for Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 – Part 2

Windows 2003, Windows 2008, Windows 2008 R2Leave a comment

Here is the next part of the article with the step by step Instruction for Subroutine CA Migration from Windows Server 2003 to Windows Server 2008 R2.  In this 2nd part we talk about restoring the source CA from backups on the new Windows Server 2008 R2 and Verifying the migration

1. Restore Source CA Server from backup

a. Restore CA DB

Log on to the destination server by using an account that is a CA administrator.

Start the Certification Authority snap-in.

Right-click the node with the CA name, point to All Tasks, and then click Restore CA.

On the Welcome page, click Next.

On the Items to Restore page, select Certificate database and certificate database log.

Click Browse. Navigate to the parent folder that holds the Database folder (the folder that contains the CA database files created during the CA database backup).

Click Next and then click Finish.

b. Restore CA Registry

Create a backup of the current Registry setting

Open the exported registry file from source servers in notepad and verify the registry values

Open a Command Prompt window.

Type reg import <Registry Settings Backup.reg> and press ENTER.

Type net start certsvc and press ENTER.

c. Restore Certificate template list

Open a command prompt window.

Type certutil -setcatemplates +<templatelist1>,<templatelist2>.. and press ENTER.

2. Verifying migration

a. Verify ACL’s on the AIA and CDP Containers

Logging to DC and open Active Directory Sites in Services

On the Console click on Top Node

Click View and Show Services node you will find Services folder on the Left and expand to reach Public key Services

Expand Public Key Services

Click AIA folder and in the details pane, select the name of the source CA.

On the Action menu, click Properties.

Click the Security tab, and then click Add.

Click Object Types, click Computers, and then click OK.

Type the host name of the target CA, and click OK.

In the Allow column, select Full Control, and click OK.

If Account unknown with security identifier exist then select it and remove the object.

In the left pane, select CDP and the host name of the source CA.

In the details pane, select the first CRL object.

On the Action menu, click Properties, and then click the Security tab.

In the list of permitted group or user names, select the name of the source CA, click Remove, and then click Add.

Click Object Types, select Computers, and then click OK.

Type the host name of the target CA, and click OK.

In the Allow column, select Full Control, and then click OK.

If Account unknown with security identifier exist then select it and remove the object.

b. Verify Registry

Verify that CAServerName is a registry string value located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ registry key. It should be updated to represent the DNS or the host of the new CA host.

Verify that CACertPublicationURLs and CRLPublicationURLs are both registry multi-string values located under the same key as CAServerName.

c. Verify Auto Enrollment

Log on to a domain member computer by using an account that has Autoenroll, Enroll, and Read permissions for the certificate templates that are assigned to the destination CA.

Click Start, and then click Run.

Type certmgr.msc, and then click OK to open the Certificates snap-in.

In the console tree, right-click Certificates – Current User, click All Tasks, and then click Automatically Enroll and Retrieve Certificates to start the Certificate Enrollment wizard.

On the Before You Begin page, click Next.

On the Request Certificates page, a list of one or more certificate templates should be displayed. Select the check box next to each certificate template that you want to request, and then click Enroll.

Click Finish to complete the enrollment process.

In the console tree, double-click Personal, and then click Certificates to display a list of installed user certificates and to verify that the certificate that you requested is displayed.

Hope you liked this article and got some good understanding of migration process of CA server windows server 2003 to windows server 2008. Please continue with the last part with the backup process. You should know this part to revert back if necessary.

Below are the links for the other parts

Part 1 – Preparing source and target CA  server for migration.

Part 3 – Blackout procedure.

Step by step Instructions for Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 – Part 1

Exchange 2007, Windows 2008, Windows 2008 R21 Comment

Below are the step by step comprehensive Instructions for subroutine CA migration from Windows Server 2003 to Windows Server 2008 R2.
This article is published in three parts and in this part we will discuss more in details on about preparing of source and destination server for the migration

1. Preparing Source Server

Map network share in source server to copy backup files

Perform/Verify System state backup of Source CA

a. Verify and backup CA Template set

Open Command prompt

Type certutil.exe – catemplates > catemplates.txt

Verify the contents of catemplates.txt with the templates displayed in Certificate Authority snap-in

b. Verify and backup CA’s CSP and signature algorithm

Open Command prompt

Type certutil.exe –getreg ca\csp\* > csp.txt

Verify that the csp.txt contains CSP detaill

c. Publish CRL with extended validity period

Open Certificate Authority snap in

In the console tree right click “Revoked Certificates” and click Properties

Record the current CRL Publishing Parameters

Set the CRL Delta publishing interval to 2 days

Click on “Revoked Certificates” -> all task -> publish -> Delta CRL only

d. Backup CA DB and Private Key

Map shared network drive to take the backup

on Certificate authority snap-in right click point to All task and backup CA

On the Welcome page of the CA Backup wizard, click Next.

On the Items to Back Up page, select the Private key and CA certificate and Certificate database and certificate database log check boxes, specify the backup location, and then click Next.

On the Select a Password page, type a password to protect the CA private key, and click Next.

On the Completing the Backup Wizard page, click Finish.

After the backup completes, verify the following files in the location you specified CAName.p12 containing the CA certificate and private key Database folder containing files certbkxp.dat, edb#####.log, and CAName.edb

Open command prompt and type Net stop Certsvc to stop Certificate Service

e. Backup CA Registry

Click Start, point to Run, and type regedit to open the Registry Editor.

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, right-click Configuration, and then click Export.

Specify a location and file name, and then click Save. This creates a registry file containing CA configuration data from the source CA.

f. Remove source server

Launch Add or remove program

Click Add/Remove windows components and uncheck Certificate Services

Click next and finish

Remove source server from domain

Delete AD computer object

Rename source server to some temp name

2. Preparing Destination Server

Change destination server name to the initial source server name

Add destination server to domain

Map network share used in taking the backup on source server

a. Import the CA certificate

Start the Certificates snap-in for the local computer account.

In the console tree, double-click Certificates (Local Computer), and click Personal.

On the Action menu, click All Tasks, and then click Import to open the Certificate Import Wizard. Click Next.

Locate the <CAName>.p12 file created by the CA certificate and private key backup on the source CA, and click Open.

Type the password, and click OK.

Click Place all certificates in the following store.

Verify Personal is displayed in Certificate store. If it is not, click Browse, click Personal, and click OK.

b. Add CA and IIS roles on destination server

Log on to the destination server, and start Server Manager.

In the console tree, click Roles.

On the Action menu, click Add Roles.

If the Before you Begin page appears, click Next.

On the Select Server Roles page, select the Active Directory Certificate Services and Web Server (IIS) check box, and click Next.

On the Introduction to AD CS page, click Next.

On the Role Services page, click the Certification Authority check box, and Certification Authority Web Enrollment and click Next.

On the Specify Setup Type page, specify either Enterprise and click Next.

On the Specify CA Type page, select Subordinate CA, and click Next.

On the Set Up Private Key page, select Use existing private key and Select a certificate and use its associated private key.

In the Certificates list, click the imported CA certificate, and then click Next.

On the Configure Certificate Database page, specify the locations for the CA database and log files.

On the Confirm Installation Selections page, review the messages, and then click Install.

Hope you liked this article, please continue with the next part where we will discuss in details of the below

Part 2 – Restoring the Source from backups and Verifying the migration
Part 3 – Back Out procedure

Active Directory Cross Forest Migration from Active Directory 2003 to Active Directory 2008 – Part 2

Active Directory, Exchange 2007, Exchange 20103 Comments

This is continuation of Part 1. Please continue with part two

Creating and configuring ADMTAdmin Service account

Now we need to create and configure ADMT service account to make sure ADMT service account (admtadmin) account has appropriate rights to perform the migration tasks

1. Create a Server account admtadmin in green.com and add the green\admtadmin to the local domain admin group of green.com

2. Connect Red.com active directory users and computers and add green\admtadmin as member of built in Administrators group

Figure 17. Adding “green\admtadmin’ as the member of built-in administrators group in red.com

Preparing and configuration PES (Password Export Server)

1. Login to the domain member server in green.com where the ADMT tool is installed and run the below command. This is to generate the encryption key for importing in to import it the source domain controller. This command will generate the encryption key file at C:\Pes.pes and it will prompt for the password and confirm password.

admt key /option:create /sourcedomain:red /keyfile:”c:\PES.pes” /keypassword:*

Figure 18. Exporting Encryption key from ADMT server

2. Copy the file C:\pes.pes to the root Directory (c:\) source(red.com) domain controller

3. login to source domain controller (red.com) and install the PES tool.

4. During the installation it will prompt for the location of the encryption key. Click on browse and point to the encryption file which was copied recently (C:\pes.pes) and click on Next

Figure 19. Importing Encryption key file into the Password export server

5. Enter and confirm with the same password with used to which exporting the encryption key at point 1 above and click on next

Figure 20. Confirming with password for importing encryption key

6. It will prompt to PES Service account. Specify the account green\admtadmin account with the password and click on ok to continue. Once configuration is completed, server will prompt for the reboot and confirm to reboot the server.

Figure 21. providing green\admtadmin service account to run the PES serve service

7. Password Export server will not start automatically. It has to be start manually. Only start when ever required or when ever migration is performed.

Figure 22. Password Export server service is disabled by default

8. Right click on the service and select start. you should be able to see the started status on the services console

Figure 23. Password export server service status after manually starting the service

configuring source domain controller(red.com)

Once PES service is configured then we have to configure registry to allow password export. Below is the steps to perform the same.

1. Login to the domain controller and start registry editor (regedit)

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. Access Allowpasswordexport and change the value form  0 to 1

Figure 24. Enabling password export settings from the registry

Disable SID Filtering

if we need SID history on the target domain, then we have to disable SID filtering. Run the below command on the target domain to disable SID filtering

netdom trust source.com /domain:target /quarantine:No /usero: source_admin_act   /passwordo: source_administrator_pwd

Figure 25. Disabling SID filtering

 

Migrating User from red.com and green.com

1. We will be migration user krishna.kumar from red.com to green.com. We can verify and make a note of user objectsid from the source domain with the help ldp tool or simple ldap query.

Figure 26. ObjectSid details of user krishna.kumar

2. login to the target domain member server with the green\admtadmin where ADMT tool is installed

3. Start Active directory migration tool from administrative tools

4. right click on the Active Directory Migration tool and select User Account migration wizard and click on Next

Figure 27. Starting the User Account Migration Wizard

5. Select source domain,source domain controller and Target domain and target domain controller and click on next

Figure 28. Source and Target domain details for migration

6. Select users from the domain under User Selection option and click on next

Figure 29. Manual user selection

7. Add the user krisha.kumar and click on next

Figure 30. Adding krishna.kumar for user migration

8. Create a Target OU in Target domain and point to the same to create the migrated user account

Figure 31. Select the target OU where the migrated used should be created

9. Select the option Migrate passwords

Figure 32. Selection migrate Password option and select the source domain controller

10. Select the option Target same as source and also enable to the option Migrate user SIDs to target domain and click on Next

Figure 33. option to selected on how to handle migrating accounts

11. Type account from the source domain which has administrative rights and click on next

Figure 34. Admin account for adding SID History on migrated account

12. Select some of the import option likes update user rights, Migrate associated user group, fix users group membership and click on next

Figure 35. Option to migrate associated user groups, profiles and settings

13. Entire AD properties will be migrated to the target account. Just in case if you need any kind of properties execution then figure 36 shows the option to exclude the same.

Figure 36. Option to execute ad properties on the migrating objects.

14. keep the default option do not migrate source object if the conflict is detected it the target domain and click on Next

Figure 37. Conflict management option

15. Click on Finish to kick start the user migration

Figure 38. Finishing the user migration

16. Once the migration is completed, you should be able to see the details on the screen. To get some advance or log detail, click on view log

Figure 39. Migration progress status

17. log file has some very good amount of information on what exactly happened during the migration. Details like Account been replicated, created, SID history added, password copied and other group membership details etc.

Figure 40. Migration log details

18. On the target domain we can see the Krishna.Kumar is create with all the group membership and also see that associated groups is also been migrated to the destination. You can also verify the entire user properties.

Figure 41. krishna.kumar user property after migration with group membership details

19. We can also verify the object Sid and Sid history been crated on the new object in the target domain. Sid history is the same source objectsid.

Figure 42. Objectsid and SidHistory details of krishna.kumar after migration

20. To check if the password is been copied, login to one of the client computer with the same password as the source domain. Below figure 43. shows the details of the login account with the domain name.

Figure 43. login details on krishna.kumar on the green.com workstation

Active Directory Cross Forest Migration from Active Directory 2003 to Active Directory 2008 – Part 1

Active Directory, Exchange 2007, Exchange 2010Leave a comment

When we say cross forest ad migration then the first thing which comes to the mind is Active Directory Migration Tool. It’s a free and very easy and powerful tool from Microsoft. Doesn’t look very fancy but does its task. There are various tools available in the market to perform cross forest migration but at we will talk about ADMT and its features and how we can use it. Before you work on ADMT in the production, you need to perform through understanding of the ADMT, test it in the lab and then it to the production.

Note: Not performing through testing can be distractive for the users. Users may lose password, lose share access and you will be in trouble.

ADMT features

1. It provide various wizards to migrate User accounts, computers accounts, service accounts, Group

2. Migrate Sid History which helps user to maintain the access to network share, application and other services even after the user been migrated to different forest

3. Migrate password form source forest to target forest.

                                                      

Red.com Green.com

Current Lab Setup

Red.com DomainGreen.com Domain
Domain controller (windows 2003) Domain controller(windows 2008)
following Software installed in Source domain controller
PES 3.1(Password Export Server)   		Domain member Server(windows 2003)
following Software installed
ADMT 3.0(Active directory migration tool)
.net Framework version 2.0
SQL 2005 with latest service pack

Installation of ADMT tool on the Domain member Server

Please follow the below process order to install prerequisites and ADMT. If you have domain member server is windows 2008 or Windows 2008 R2 then you can install the latest version of the ADMT 3.1 or 3.2 respectively. In my lab I have the domain member server as widows 2003 so I am forced to install ADMT 3.0

  1. Install Microsoft .NET Framework Version 2.0 Redistributable Package (x86)
  2. Install SQL 2005
  3. Install Latest SQL service pack
  4. Install ADMT tool and accept the default database selection (If SQL 2005 is not installed prior to installing ADMT tool then it will automatically install Microsoft SQL Server Desktop Edition)

DNS Configuration between forests

DNS Configuration is a one of the primary requirement to communicate between two forests

DNS can be configured in two ways, either by creating secondary zone or forwarders. Configuring forwarders is much easier then creating secondary zone. Secondary zone has a read-only copy of the particular domain but forwarders are just forward the request to the target domain. Response to the DNS request is much faster in secondary zone than forwarders

Let me show you show to create secondary zone.

  1. Login to Green.com Domain controller
  2. Access DNS Manager
  3. Right click on the forward lookup zone and select New zone and click on Next

Figure 1. Creating new Zone

   4. Select Secondary zone and click on Next

Figure 2. Creating new Secondary Zone

   5. Provide the target domain name and click on Next

Figure 3. Providing DNS Zone name

6. Provide red.com DNS server IP address and click on Next and click on finish to complete the configuration

Figure 4. Configuring with Master DNS server of red.com

7. Need to follow the above same process (1 to 6) on the red.com DNS server to create the secondary zone for green.com domain

Cross forest trust configuration

1. Connect to the Target domain controller (green.com) and access Active directory domain and trusts from the Administrative tools

2. Right click on Active directory Domain and trusts and click on properties.

Figure 5. Starting with Trust configuration

3. Select the Trust Tab and click on new Trust and select next on welcome screen

Figure 6. Trusts tab to start the new trust configuration between forests

4. Provide the trust name with the source domain red.com and click on next

Figure 7. Domain name which you wanted to trust

5. Select external trust, as you cannot create cross forest trust between AD 2003 and AD 2008 and click on next

Figure 8. Configuring External trust

6. Select “two way” trust and click on next

Figure 9. Selecting Two-way trust option

7. Select the option “both this domain and the specified domain”

Figure 10. Option to select trust on both from red.com and green.com

8. Input the source (red.com) account which has administrative privileges and click on next

Figure 11. Passing account having administrative privileges on red.com

9. Select “Domain-Wide authentication” for red.com and click on next

Figure 12. Selecting Domain-wide authentication on outgoing trust for local domain

10. Domain wide authentication for the local domain and click on next

Figure 13. Selecting Domain-wide authentication on outgoing trust for specified remote domain

11. Select “yes, confirm the outgoing trust”

Figure 14. Confirmation to create outgoing trust

12. Select “Yes, confirm the incoming trust” and next and click on finish the configuration.

Figure 15. Confirmation to create incoming trust

13. Successfully created outgoing and incoming external trust between both the forest

Figure 16. Successful status of external trust creation.

 

 

I hope you like this part of the article will soon come up the other parts of the articles.

Microsoft Exchange 2003 to Exchange 2010 Cross Forest migration in Brief

Exchange 20074 Comments

I wanted to write this article from a very long time and unfortunately I could not make it up. Today I decided to write this in just few lines and come back with in-depth details. Migration from One platform to other is not easy and it needs lots of planning , efforts and times. Things can go wrong at every step but just don’t give up, don’t give up, don’t give up…

  • Prepare new AD forest and Install exchange 2010 in the new forest. Exchange 2010 can also be a different organization due to merger and acquisition. 
  • Migration cannot happen over night and its important that we make necessary configuration that users from both the forest are able to send and receive emails and they are able to see Global Address book of each other and more importantly free busy information is synchronized.  

  • Configure mail flow between exchange 2003 and exchange 2010 using SMTP connectors for exchange 2003 and Send and receive connectors for exchange 2010

  • Configure FIM 2010 or ILM 2007 for GAL synchronization between exchange 2003 and exchange 2010

  • Configure Inter org replication tool to share free busy information between exchange 2003 to Exchange 2010

  • GAL sync will create Mail Enabled contacts(MEU) in the target forest,  for each mailboxes in the source forest. With Custom code, FIM/ILM can also create mail enabled users(MEU) in the target forest instead of mail enabled user

  • If only Mail enabled users are created using FIM/ILM then you can use Prepare- MoveRequest.ps1

  • Prepare-MoveRequest.ps1 will convert the mail enabled contacts to mail enabled users and it will also disable the user and it will copy the follow attributes to the destination mail enabled user – legacyExchangeDN, mail, mailnickname, msExchmailboxGuid, proxyAddresses, X500, targetAddress, userAccountControl, userprincipalName

  • Prepare a server for installation of ADMT(Active directory migration tool).  This tool will help to get the SID History and export the password of source account to destination

  • SID History is to maintain the access of users resources on the target domain and Password export server will help in exporting the password form source account to the destination account

  • I think you are all set now to move the mailbox from the exchange 2003 to exchange 2010 using the Powershell cmdlet

I think this the quick summary process of migration from exchange 2003 to exchange 2010. I am very eager to write this complete article in details. I will come back soon on this soon 🙂