Exchange ‘Cross Forest’ Mail Migrations

KB ID 0001356

Problem

PeteNetLive is full of Exchange Migration walkthroughs, going all the way back to Exchange 2003. But what if you are migrating to another forest? Well, for small migrations you can of course export mail from the old Exchange Server, and then import it into the new mailbox in the new domain/forest (usually via .PST files). I’ll provide links at the bottom of the page, if that’s what you would prefer to do.

Earlier this year, I got involved with a client that was migrating many domains into one, and this method seemed a better fit for them. The process/screenshots below are taken from my testing and proof of concept for this project.

As you can see, (above) I’ve got a source Exchange server, (Running Exchange 2010) in domaina.com, and I’ve got a target Exchange server, (Running Exchange 2016) in domainz.com

Note: You may guess from the server names, these are also domain controllers, (this is not recommended in a production environment!) My old Exchange server is also running Certificate Services, which will become apparent below.


Solution

The service that does all the ‘heavy lifting’ is the Microsoft Exchange Mailbox Replication Service (MRS). Our first task is to get its proxy running on the legacy Exchange server. Open the Exchange Shell and execute the following command;

[box]Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyMaxConnections 50[/box]

Ensure the service is running;

The front end of the MRS service is presented via IIS, and it’s secured with HTTPS, so it will use the certificate you have presented, (i.e. the same one used for OWA). Therefore the new (Target) Exchange Server needs to trust that certificate. If you have a publicly signed certificate from a third party vendor, then you don’t need to import anything and you can skip this step.

The World is Full of People Who are Scared of Certificates! I have no idea why? For a certificate to work, you need to TICK TWO BOXES;

  • BOX ONE: You need to trust the Certificate Authority who issued the certificate, (the issuer is printed onto the certificate, and in most cases the CA certificate can be extracted from the web certificate as well). This is the CA Certificate of the issuer, NOT the certificate you see in OWA.
  • BOX TWO: The certificate will have a name on it, either the common name, or a subject alternative name (within the certificate). It will look something like owa.your-domain.com, or *.your-domain.com for example. This name must be resolvable via DNS, and must also be the hostname you are connecting to.

Below, I’m simply importing the Root CA Certificate, from DomainA into my Exchange server on DomainZ.

Note: Start > Run > mmc.msc > File > Add/Remove Snap-in > Certificates > Local Computer.

In production, I’d set up conditional forwarding between the two domains to handle DNS, but in this case I’m being lazy and just putting the FQDN of the Exchange 2010 server in the Exchange 2016 server’s hosts file, (old school eh!)

To Setup Conditional Forwarding; Take a look at the first three steps in this article.

Providing you have done everything correctly, you should be able to ‘browse’ from Exchange 2016 to Exchange 2010 at the following URL, without receiving any certificate errors. It should look like this;

[box]https://servername.domain-name.com/EWS/mrsproxy.svc[/box]

Note: If you get any certificate/untrusted errors, fix them before proceeding.
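Browsing to the URL tells you whether the page loads, but not which of the two boxes above is unticked when it fails. The following script, an added example that is not part of the original article, opens a TLS connection from the target server to the legacy server and reports the two checks separately. It assumes `$MrsHost` is the FQDN you will later type into the migration wizard (a placeholder name is used here) and that it resolves from the machine running the script.

```powershell
# Added example: check the legacy MRS proxy certificate the way the target
# Exchange server will see it. BOX ONE = chain builds to a trusted CA,
# BOX TWO = the hostname we connect to is the CN or a SAN on the certificate.
$MrsHost = 'servername.domain-name.com'   # placeholder: use your source server's FQDN

$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None

# Callback records the .NET verdict instead of silently accepting or rejecting;
# returning $true only lets the handshake finish so we can inspect the certificate.
$callback = {
    param($sender, $cert, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($MrsHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($MrsHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    $chainErr = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    $nameErr  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch

    $result = [pscustomobject]@{
        Host         = $MrsHost
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer          # this is the CA whose certificate must be imported
        NotAfter     = $cert.NotAfter
        ChainTrusted = -not $script:policyErrors.HasFlag($chainErr)   # BOX ONE
        NameMatches  = -not $script:policyErrors.HasFlag($nameErr)    # BOX TWO
        PolicyErrors = $script:policyErrors.ToString()
    }
    $ssl.Dispose()
}
finally {
    $client.Close()
}

$result | Format-List
if (-not ($result.ChainTrusted -and $result.NameMatches)) {
    Write-Warning 'Fix the trust/name problem above before pre-staging any move requests.'
}
```

If ChainTrusted is false, import the issuer's CA certificate as shown above; if NameMatches is false, connect using a name that is actually on the certificate (and make sure that name resolves).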

Pre-Staging the Cross Forest MailBox Migration

Actually moving the mailboxes is a ‘two-step’ procedure: first you pre-stage the move, which creates a Mail User* in the new domain.

*Note: A Mail User is a little bit like a Contact, insofar as they both have external email addresses (i.e. the mail user in domainz.com has the address ‘username@domaina.com’ until the mailbox is migrated). The difference between a Mail User and a Contact is that a Mail User has a logon name and a password. Once migrated, the Mail User is converted into a User Mailbox in the new domain, and the User Mailbox back in the old domain (domaina.com) gets converted into a Mail User with an email address of username@domainz.com. This (while being cool) allows mail flow between the domains during migration. (Assuming your DNS is all set up correctly, of course).

The following procedure is carried out on the new Exchange server, open an Exchange Shell Window and execute the following command;

[box]$Rcred = Get-Credential[/box]

Then supply an administrative account in the SOURCE, (remote) domain.

Repeat the procedure, but this time use Lcred;

[box]$Lcred = Get-Credential[/box]

Then supply an administrative account in the TARGET, (local) domain.

Exchange has a script to do the staging for you; it’s in the Exchange install directory, in the ‘scripts’ folder. Mine is on the C: drive, but the path to yours may be different, (depending on how you installed Exchange). Once located, you need to change to the directory that the Prepare-MoveRequest.ps1 script is in, i.e.;

[box]cd "c:\Program Files\Microsoft\Exchange Server\V15\Scripts"[/box]

Note: V15 denotes Exchange 2013 and 2016.

Now execute the following command, (this is all one command if it gets wrapped);

[box].\Prepare-MoveRequest.ps1 -Identity "username@domaina.com" -RemoteForestDomainController dc2a.domaina.com -RemoteForestCredential $Rcred -LocalForestDomainController dc1z.domainz.com -LocalForestCredential $Lcred -TargetMailUserOU "OU=Migrated,DC=domainz,DC=com"[/box]

Note: This assumes you have already created the OU to migrate into! And, (as you can see in the example below,) I’m using the public email address of my user, not the internal one, (it doesn’t matter which).
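Running the script once per user is fine for a proof of concept, but for a real batch you want a loop and a record of which Mail Users actually got created. The script below is an added example, not from the original article: it reads a constructed CSV (one column, PrimarySmtpAddress), pre-stages each address with the same parameters used above, and then confirms the Mail User exists in the target forest. The DC names, OU and script path are the ones used in this article; change them for your forests.

```powershell
# Added example: bulk pre-stage from a CSV and verify each resulting Mail User.
# Assumes it is run in the Exchange Management Shell on the target (domainz.com) server.
$ErrorActionPreference = 'Stop'   # make the staging script's errors land in the catch block

$Rcred = Get-Credential -Message 'Admin account in the SOURCE forest (domaina.com)'
$Lcred = Get-Credential -Message 'Admin account in the TARGET forest (domainz.com)'

$scriptPath = 'C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Prepare-MoveRequest.ps1'
$csvPath    = 'C:\migration\batch1.csv'          # constructed sample input, e.g.:
                                                 # PrimarySmtpAddress
                                                 # alice@domaina.com
                                                 # bob@domaina.com
$users = Import-Csv -Path $csvPath

$report = foreach ($u in $users) {
    $addr = $u.PrimarySmtpAddress.Trim()
    try {
        & $scriptPath -Identity $addr `
            -RemoteForestDomainController 'dc2a.domaina.com' -RemoteForestCredential $Rcred `
            -LocalForestDomainController  'dc1z.domainz.com' -LocalForestCredential  $Lcred `
            -TargetMailUserOU 'OU=Migrated,DC=domainz,DC=com' | Out-Null

        # The whole point of staging is the Mail User in the target forest; query the same
        # DC the script wrote to so replication lag does not produce a false negative.
        $mu = Get-MailUser -Identity $addr -DomainController 'dc1z.domainz.com'
        [pscustomobject]@{ User = $addr; Staged = $true;  MailUser = $mu.Name; OU = $mu.OrganizationalUnit; Error = '' }
    }
    catch {
        [pscustomobject]@{ User = $addr; Staged = $false; MailUser = ''; OU = ''; Error = $_.Exception.Message }
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\migration\batch1-prestage-report.csv' -NoTypeInformation
```

Anything with Staged = false needs fixing (typically a typo in the address, a missing LegacyExchangeDN, or credentials without rights in one of the forests) before you select it in the migration wizard.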

Execute Cross Forest Mailbox Migration

Now the mailboxes are ‘pre-staged’, we can select them for migration in the new Exchange environment: Recipients > Migration > Add > Move to this forest.

Add.

Select the User(s) > Add > OK.

Next.


Enter the administrative credentials for the source domain > Next.

Enter the FQDN, of the legacy server, (use the SAME NAME that’s on the certificate) > Next.

Give the migration ‘Batch’ a name > Set the ‘target’ email domain > Select the target Exchange Database, (and Archive database if applicable) > Next.

Note: If you keep getting failed migrations that say ‘FailedOther’, then you can raise the bad item limit and large item limit.

Select a user to get the mail notification > Select ‘Automatically Complete Migration Batch’ (or it will stop at 95% and you will have to complete this manually) > New.

You can now view progress in the ECP, (a bit buggy and slow to update,) or by running ‘Get-MoveRequest | Get-MoveRequestStatistics’.

If there’s a problem, both the ECP (Exchange Control Panel) and EMS (Exchange Management Shell) should give you a clue. You can remove and rerun a migration on a failed user and nothing will break! Sometimes you need to raise the bad item limit, or make sure the source mailbox isn’t too large before proceeding, for example. (Use the search box at the top of the page, I’ve posted a lot of Mailbox Move problems).
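To make the EMS output actionable rather than just readable, the script below (an added example, not from the original article) summarises every move request, then separates failures caused by bad/large items, which are safe to retry with higher limits as the note above suggests, from everything else, whose root cause (certificate, connectivity, LegacyExchangeDN) must be fixed first. It assumes it runs in the Exchange Management Shell on the target server, and the limit values are assumptions you should choose deliberately.

```powershell
# Added example: triage move requests and retry only the ones that hit item limits.
$NewBadItemLimit   = 200   # assumed value; above 50 Exchange requires -AcceptLargeDataLoss
$NewLargeItemLimit = 50    # assumed value; oversize items are skipped, so keep it small

$stats = Get-MoveRequest | Get-MoveRequestStatistics

# One line per mailbox with the fields you actually triage on.
$stats |
    Select-Object DisplayName, Status, PercentComplete, BadItemsEncountered, LargeItemsEncountered, FailureType |
    Sort-Object Status | Format-Table -AutoSize

# Failures from exceeding the item limits can be resumed once the limits are raised.
$retry = $stats | Where-Object {
    $_.Status -like 'Failed*' -and $_.FailureType -match 'TooManyBadItems|TooManyLargeItems'
}
foreach ($s in $retry) {
    Write-Host ("Raising limits and resuming {0} ({1}: {2})" -f $s.DisplayName, $s.FailureType, $s.Message)
    Set-MoveRequest -Identity $s.MailboxIdentity `
        -BadItemLimit $NewBadItemLimit -LargeItemLimit $NewLargeItemLimit `
        -AcceptLargeDataLoss -Confirm:$false
    Resume-MoveRequest -Identity $s.MailboxIdentity -Confirm:$false
}

# Everything else that failed: print the message so you know what to fix before
# removing the request and re-running the user, rather than blindly retrying.
$stats | Where-Object {
    $_.Status -like 'Failed*' -and ($retry.MailboxIdentity -notcontains $_.MailboxIdentity)
} | ForEach-Object {
    Write-Warning ("{0}: {1} - {2}" -f $_.DisplayName, $_.FailureType, $_.Message)
}
```

Keep the report of skipped bad items (BadItemsEncountered after completion) for each user, since raising the limit means those items are intentionally left behind.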

Related Articles, References, Credits, or External Links

Exchange 2007 / 2010 – Export Mailbox’s to PST files

Exchange 2003 – Exporting Mail to .pst files with ExMerge

Exchange (2010 Post SP1 and Newer) Bulk Importing Mail From PST Files

MRS Proxy Error ‘The connection to the server could not be completed’

29 thoughts on “Exchange ‘Cross Forest’ Mail Migrations”

  1. Got a quick question. I am in the process of moving to a new domain. I have already migrated the user account and the computer account, but when I migrate the associated mailbox from the old domain it creates a new user on the new domain. Am I missing a step somewhere or doing it in the wrong order?

  2. I am migrating/merging multiple domains and exchange environments, when I move the mailbox to the destination exchange server, will the old exchange server have a Linked User or someway for the old email addresses to find the mailbox? My previous migrations have moved the mailbox and AD account at the same time (within a few minutes of each other), this will be the first time they will be done on separate days.

    • Yes it leaves a ‘mail user’ on the old Exchange organisation that points to the ‘mailbox user’ on the new Exchange organisation.

  3. Hi,

    This article is awesome. I did have an issue with your command “.PrepareMoveRequest.ps1 ” appears to be a typo. Correct command is “.Prepare-MoveRequest.ps1”.

  4. hey mate, if doing a cross forest migration from exchange 2010 to 2016 do i need to patch 2010 first? like if you were doing a co-existence same domain scenario. thanks

    • Before ANY migration, take the source to the latest version! There’s quite a new update rollup for SP3 on 2010 as well.

  5. Just curious, we are looking to do this, and have done it before, but when we did it last time it created all new mailboxes on the client side with a client old/new data message. The problem is on 750 mailboxes it creates a lot of strain.

    I thought the SID History is supposed to come over and Outlook should see it’s the same account? Or maybe we did it in the wrong order.

    Also, any chance that permissions like sharing calendars and send as rights come over too when you migrate accounts and then mailbox?

    • 1. SID History: This is a domain migration thing more than an Exchange one, SID history is not really applicable to mailboxes.
      2. Permission Migrations: No, things like Delegates and shared mailboxes will not be migrated. You can get this information piped out via PowerShell before you start, and recreate it while migration is going on, but for permissions both entities will need migrating at the same time, so this can get a little complicated.

      Pete

  6. Thank you for your excellent article!

    I have a problem though when migrating:
    Data migrated:
    Migration rate:
    Error: MissingLegacyDNException: The user object for ‎’user@domain.com‎’ does not have a valid LegacyExchangeDN property and cannot be migrated. (I changed the address)

    What does that mean? I googled around and it seems that I have to fill in a custom x500 address for the mailbox?

    • That’s exactly what it is, it’s an x500 address. You can add/remove them in bulk using PowerShell.

  7. I was very interested in the article about migrating mailboxes from domain A to domain Z.
    I have a trust of two domains, A and B. In domain A, I have Exchange Server 2010 in domain B, I have an Exchange server 2016. Users from domain B have a linked mailbox in domain A on Exchange Server 2010. There is an option to modify your script so that migrate mailboxes from Exchange Server 2010 to Exchange Server 2016 when they already have accounts created in the domain where Exchange 2016 is already in place? Thanks in advance for your help!

    • How many mailboxes are we talking about? If it’s not many, can you not simply export and import the mail manually? I’m using Quest ODME for something similar at the moment.

        • Your problem is not migrating data, that’s easy, jeez you could spit it all out into PST files and manually import it if you wanted to, or use Code2/Quest to move the data straight from one to the other. The problem is repointing 150 Outlook profiles. Take a look at ODME, it’s about £5 a mailbox and does everything you would want.

  8. What’s the typical speed to expect when migrating mailboxes. We’ve run a few tests and it takes about 90-100 minutes for a 2GB mailbox. If that’s what to expect then we’re looking at a migration of a 10 GB mailbox taking 7-8 hours. And if we plan to run 5-10 migrations at the same time it will take longer. Do you have any suggestions?

    • Nope, that’s about right! I’m assuming you are going to 2016? And you have Gigabit switches?

  9. Hi Pete,
    we bought a company and now we like to migrate all mailboxes to our EXCH.
    We like to migrate from DomainSG (EXCH2016) to DomainDS (EXCH2013).

    Is this possible ?

      • Hi Pete, the setup is done. The MRSProxies are enabled and tested.
        The preparation with PREPARE-MoveRequest.ps1 was also successful.

        But when I start the migration I get this error:
        MigrationPermanentException: Error: MapiExceptionCorruptData: Unable to write mailbox info. ‎(hr=0x8004011b, ec=-2147221221)‎ Diagnostic context: Lid: 1607 StoreEc: 0x8004011B Lid: 1494 —- Remote Context Beg —- Lid: 36024 StoreEc: 0x8004011B Lid: 59009 StoreEc: 0x8004011B Lid: 53912 StoreEc: 0x8004011B Lid: 1750 —- Remote Context End —- Lid: 9954 StoreEc: 0x8004011B

        Do you have any ideas where to look ?

        • Looks like a common problem of corrupt emails, (Note: sometimes email is fine its just spam in a foreign language!) simply add ‘ -BadItemLimit 200’ to the command.

  10. Hey Pete, our scenario is a new domain AND an Exchange upgrade! We have the new domain set up (integrated with trust, etc following your great guidelines) but users have not yet been migrated. All users currently in old domain have secondary smtp email with new domain. My question is, do I bring up a new, clean 2019 Exchange server in the new domain then migrate mailboxes per this article or should I upgrade from Exchange 2013 following MS instructions in the old domain then migrate my server into the new domain? I am afraid to put the cart before the horse. Your expert advice is greatly appreciated!

  11. Pete,

    I have followed this process and it seems to be working properly, but my end goal is to have a linked mailbox in the new Exchange with the AD account in the old domain. When I am done with this process the mailbox in the new Exchange is a “user” mailbox and the AD account is disabled. The AD account should be disabled in a linked mailbox situation, so I am confused.

    • If it were my problem to solve, I’d back them up and restore them to the destination. But you’ll need to recreate the permissions at the destination.

  12. I was unsure whether to use a backup/restore of the PST or make a copy through the Outlook client. Thank you for the suggestion!
    Regards
