
Tuesday, May 22, 2012

Exchange 2007 to Exchange 2010 Cross Forest Migration Job Aid

Here is a production job aid I've created to perform cross forest mailbox moves migrating from Exchange 2007 to Exchange 2010.


This job aid provides the steps required to migrate an ipcfcdom user account and mailbox to corp.dom. The instructions cover using ADMT to migrate the user account, profile and computer, using PowerShell to migrate the mailbox, and finally migrating the SharePoint and ResolveIT accounts.


This document is intended for use by Server Engineering.


Step Description

CORP.DOM = New Target Forest
IPCFCDOM= Source Forest


Verify that the computer is wired and set the DHCP class ID to corp: "ipconfig /setclassid * corp". (This may not apply to you; it ensures newly migrated systems use the DHCP servers in the new forest and not the source forest.)

1. Provision the source AD account to be Exchange-aware.

a. Log into DCEXCASP01 (Target Exchange 2010 CAS Server). Launch Exchange Management Shell: Start > All Programs > Microsoft Exchange Server 2010

b. Change directory to C:\Program Files\Microsoft\Exchange Server\V14\Scripts

c. Type: $Local = Get-Credential. You will get a Windows prompt; enter your admin credentials for the ipcfcdom domain. Then type: $Remote = Get-Credential. You will get a Windows prompt; enter your admin credentials for the corp.dom domain.

d. Delete the GALsync contact in the corp domain OU GalSync\FromILM for the user you are migrating. If you don't, the migrated object merges with the contact, producing a name like john doe1734633. You would then need to rename it to take out the random numbers, set the contact to apply the email address policy, and set corp as the external address.

.\Prepare-MoveRequest.Ps1 -Identity "CN=Alexander Htet,OU=reston,DC=ipcfcdom,DC=inphonic,DC=com" -RemoteForestDomainController "" -RemoteForestCredential $Remote -LocalForestDomainController "eqdcp01.corp.dom" -LocalForestCredential $Local -TargetMailUserOU "OU=FromILM,OU=GALSync,DC=corp,DC=dom" -UseLocalObject -OverwriteLocalObject

New-MoveRequest -Identity "CN=alexander htet,OU=FromILM,OU=GALSync,DC=corp,DC=dom" -RemoteLegacy -TargetDatabase "mdb04 tier2" -baditemlimit 100 -acceptlargedataloss -RemoteGlobalCatalog "" -RemoteCredential $Remote -TargetDeliveryDomain "corp.dom" -SuspendWhenReadyToComplete

Ignore the following warning message:

WARNING: When an item can't be read from the source database or it can't be written to the destination database, it will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting Exchange not copy such items to the destination mailbox. At move completion, these corrupted items will not be available at the destination mailbox.

e. To check the status of the mailbox move, launch Exchange Management Console

f. Expand Recipient Configuration > Move Requests. Double click the user to get the stats on progress.
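Step 1 as a single script, added here as an example and not part of the original job aid. It is meant to run from the Exchange 2010 Management Shell on the target CAS; server names, OU paths, database name and the sample user come from the job aid, while $SourceDC and $SourceGC are placeholders because the job aid leaves those values blank.

```powershell
# Added example (not from the job aid). Placeholders are marked as such.
param(
    [Parameter(Mandatory=$true)][string]$SourceUserDN,   # e.g. "CN=Alexander Htet,OU=reston,DC=ipcfcdom,DC=inphonic,DC=com"
    [string]$SourceDC         = "SOURCE-DC.ipcfcdom.inphonic.com",   # placeholder
    [string]$SourceGC         = "SOURCE-GC.ipcfcdom.inphonic.com",   # placeholder
    [string]$TargetDC         = "eqdcp01.corp.dom",
    [string]$TargetMailUserOU = "OU=FromILM,OU=GALSync,DC=corp,DC=dom",
    [string]$TargetDatabase   = "mdb04 tier2"
)

# In Prepare-MoveRequest.ps1, "Local" is always the target (Exchange 2010) forest
# and "Remote" the source forest, so the credentials are named by role here.
Write-Host "Enter ipcfcdom (source forest) admin credentials"
$SourceCred = Get-Credential
Write-Host "Enter corp.dom (target forest) admin credentials"
$TargetCred = Get-Credential

# Step 1d: remove the GALsync contact first, otherwise Prepare-MoveRequest merges
# into it and leaves a "john doe1734633" style mail user.
# (Simple CN extraction; DNs with escaped commas inside the CN are not handled.)
$cn = (($SourceUserDN -split ',')[0]) -replace '^CN=', ''
Get-MailContact -OrganizationalUnit $TargetMailUserOU -Filter "Name -eq '$cn'" -ErrorAction SilentlyContinue |
    Remove-MailContact -Confirm:$false

Set-Location "C:\Program Files\Microsoft\Exchange Server\V14\Scripts"
.\Prepare-MoveRequest.ps1 -Identity $SourceUserDN `
    -RemoteForestDomainController $SourceDC -RemoteForestCredential $SourceCred `
    -LocalForestDomainController $TargetDC -LocalForestCredential $TargetCred `
    -TargetMailUserOU $TargetMailUserOU -UseLocalObject -OverwriteLocalObject

# A BadItemLimit above 50 requires AcceptLargeDataLoss; the BadItemLimit warning is expected.
$targetDN = "CN=$cn,$TargetMailUserOU"
New-MoveRequest -Identity $targetDN -RemoteLegacy -TargetDatabase $TargetDatabase `
    -RemoteGlobalCatalog $SourceGC -RemoteCredential $SourceCred `
    -TargetDeliveryDomain "corp.dom" -BadItemLimit 100 -AcceptLargeDataLoss `
    -SuspendWhenReadyToComplete -WarningAction SilentlyContinue

# Steps 1e/1f from the shell instead of the console: poll until the request reaches
# AutoSuspended (or fails). Run Resume-MoveRequest -Identity $targetDN after the ADMT steps.
do {
    Start-Sleep -Seconds 60
    $stats = Get-MoveRequestStatistics -Identity $targetDN
    Write-Host ("{0}: {1} {2}%" -f $cn, $stats.Status, $stats.PercentComplete)
} while (@('AutoSuspended', 'Failed', 'Completed') -notcontains $stats.Status)
```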

2. Migrate the user account to corp.dom using ADMT

a. Log into the ADMT server EQDCP03.CORP.DOM with svcadmt account

b. Launch Active Directory Migration Tool on desktop

c. Action menu, user account migration Wizard

d. Welcome page, next

e. Domain selection, click next. All fields should be pre-populated

f. Source DC: fcrs05. Target domain: corp.dom, DC: eqdcp01

g. Select Users from Domain

h. Add and find the user to be migrated

i. Target OU choose destination OU

j. Password Options, Migrate Passwords

k. Password Migration Source DC: fcrs05

l. Enable Target Accounts. Migrate user SIDS to target domain

m. Enter ipcfcdom\svcadmt credentials

n. Fix users group memberships

o. Object Property Exclusion, leave blank

p. Migrate and merge conflicting objects. Move merged objects to the specified Organization unit

q. Finish

3. Migrate the user profile using ADMT

a. Action menu, security Translation Wizard

b. Welcome page, next

c. Previously migrated objects

d. Domain selection, click next. All fields should be pre-populated

e. Select computers from domain

f. Add and find computer to be migrated. Domain selected should be ipcfcdom

g. Translate Objects, User profiles.

h. Security Translation Options, Add

i. Finish.

j. Log in corp.dom ADUC. Locate the migrated account and uncheck “user must change password at next logon”

After a few seconds the Active Directory Migration Tool Agent Dialog will pop up. Select the radio button "Run pre-check and agent operation" and click Start. If you get the error below, corp\svcadmt is not a local admin on the client machine.

Unable to determine the local path for ADMIN share on the machine "desktop". rc=-2147024891

When the Agent Operation changes from Running to Successful, click Close.

4. Migrate the computer to corp.dom using ADMT

a. Action menu, computer migration Wizard

b. Welcome page, next

c. Domain selection, click next. All fields should be pre-populated

d. Select computers from domain

e. Add. Location should be ipcfcdom

f. Target OU = Automatic Updates, Non Production, Infrastructure, Infrastructure Clients...

g. Translate Objects, unselect all.

h. Minutes before computers restart = 1

i. Object Property Exclusion, skip

j. Conflict Management. Migrate and merge conflicting objects. Move merged objects to the specified target Organizational Unit

k. Finish, then Close. After a few seconds the Active Directory Migration Tool Agent Dialog will pop up.

l. Select the radio button "Run pre-check and agent operation" and click Start. After the status changes to Completed you can click Close.

5. Post User Configuration

a. When the computer has rebooted, ensure that the user logs into the corp.dom domain, as the computer will still default to ipcfcdom.

b. Delete the "Closest GC" registry key: search the registry for this key and delete it.

c. Launch Outlook. You do not need to create a new profile. You will receive warning message that Outlook must restart due to administrative changes. Ignore the message and continue with Outlook.

6. Set the migrated user's account extensionAttribute15 to "migrated" so GALsync will not create a contact for this user in the corp.dom domain. Failure to do this will create a contact for an already existing user in corp.dom, causing email issues.

a. Log in dcexcasp01.corp.dom

b. Type adsiedit.msc in the run box

c. Expand Default Naming Context and highlight the OU where the user resides.

d. Right click the user and properties. Search for extensionattribute15 and type in “migrated” without the quotes

7. Migrate the user’s SharePoint Account. You will need DB owner rights to SP DB.

a. Log into the SharePoint server DCSPAPPS01

b. Launch cmd

c. STSADM -o migrateuser -oldlogin ipcfcdom\user -newlogin corp\user -ignoresidhistory


You should receive “operation completed successfully”

Update the display name. After migrating the SharePoint account, the display name changes from John Doe to corp\jdoe. To change it back to the friendly name:

1. Log into SharePoint Server DCSPAPP01

2. Launch Powershell

3. Enter the following lines one at a time

a. [Reflection.Assembly]::Load("Microsoft.SharePoint, Version=, Culture=Neutral, PublicKeyToken=71e9bce111e9429c")

b. $site = New-Object -TypeName Microsoft.SharePoint.SPSite -ArgumentList

c. $user = $site.RootWeb.SiteUsers["corp\jdoe"]

d. $user.Name = "John Doe"

e. $user.Update()

After you migrate John Doe and you're ready to migrate a second user, you only need to type in lines c, d and e. You can copy and paste all three lines into PowerShell rather than entering them one at a time.
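Step 7 for a batch of users, combining the STSADM account migration with the display-name fix, added here as an example that is not part of the original job aid. The site URL and the user list are placeholders and constructed sample data; the job aid gives neither.

```powershell
# Added example (not from the job aid). $SiteUrl and $users are placeholders/constructed.
[Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
$SiteUrl = "http://SHAREPOINT-SITE-URL"   # placeholder

# constructed sample: source login -> target login and the friendly display name to restore
$users = @(
    @{ Old = 'ipcfcdom\jdoe';   New = 'corp\jdoe';   Name = 'John Doe' },
    @{ Old = 'ipcfcdom\bsmith'; New = 'corp\bsmith'; Name = 'Bob Smith' }
)

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    foreach ($u in $users) {
        # 7c: re-point the SharePoint account at the corp.dom login
        & stsadm -o migrateuser -oldlogin $u.Old -newlogin $u.New -ignoresidhistory
        if ($LASTEXITCODE -ne 0) { Write-Warning "migrateuser failed for $($u.Old)"; continue }

        # after migrateuser the display name reads corp\jdoe; set it back to the friendly name
        $spUser = $site.RootWeb.SiteUsers[$u.New]
        if ($spUser -eq $null) { Write-Warning "$($u.New) not found in $SiteUrl"; continue }
        $spUser.Name = $u.Name
        $spUser.Update()
    }
} finally {
    $site.Dispose()   # SPSite holds unmanaged resources; always release it
}
```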

8. Migrate the user’s ResolveIT Account. You will need ResolveIT Sysadmin rights.

a. Log into the

b. Go to Administration > System > Users > User Management

c. Click edit user. Under UserID enter bsmith and click find

d. Scroll down under the menu heading "Mandatory fields for all users"

e. Change the authentication method to Primary (LDAP/Exchange/Active Directory)

f. Scroll down and click save

Manually Migrate User Profile Using Reg Hack

1. Log into the machine with admin rights, launch regedit and navigate to

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

2. Highlight the SID that corresponds to the corp user. You can locate it by highlighting each SID entry and looking at the ProfileImagePath string value, for example C:\Users\bsmith.CORP.

3. Edit this entry so that it equals the path of the original ipcfcdom profile, i.e. change

ProfileImagePath = C:\Users\bsmith.CORP

to

ProfileImagePath = C:\Users\bsmith.ipcfcdom

Friday, May 18, 2012

Search-AdminAuditLog The attempt to search the administrator audit log failed. Please try again later

When running the command Search-AdminAuditLog you receive the following error:

The attempt to search the administrator audit log failed. Please try again later.

This is because the query is not valid. For example the below would be an invalid query and would produce the error.
Search-AdminAuditLog -StartDate 05/16/2012 -EndDate 05/16/2012 -ObjectID "jyoung"

An example of a correct query syntax to query who's made changes to a mailbox called John Doe would be like below.

[PS] C:\Users\jyoung.CORP\Desktop>Search-AdminAuditLog -Cmdlets Set-Mailbox -objectids "corp.dom/Corporate Locations/Reston/John Doe" -StartDate 05/10/2012 -EndDate 05/12/2012 -IsSuccess $true

When searching for the target mailbox John Doe you must use the complete canonical name, as in my example corp.dom\corporate...; you can't use just the username, alias, etc.
Another option is to do a complete dump, export it to a txt file and search against the txt file.

search-adminauditlog > c:\log.txt

James Chong
Security+, Project+, ITIL 
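An added example, not from the original post: a helper that resolves a mailbox from its alias to the full canonical name Search-AdminAuditLog expects (the post's "complete CN" point), and a structured alternative to the plain-text dump. The alias jdoe and the output path are constructed sample values.

```powershell
# Added example (not from the post). Sample alias and output path are constructed.
function Get-MailboxAdminChanges {
    param(
        [Parameter(Mandatory=$true)][string]$Alias,            # e.g. "jdoe"
        [datetime]$StartDate = (Get-Date).AddDays(-7),
        [datetime]$EndDate   = (Get-Date),
        [string[]]$Cmdlets   = @('Set-Mailbox', 'Set-CASMailbox', 'Add-MailboxPermission')
    )
    # Get-Mailbox's Identity is the canonical name the audit log stores in ObjectModified,
    # e.g. "corp.dom/Corporate Locations/Reston/John Doe"; an alias alone matches nothing.
    $mbx       = Get-Mailbox -Identity $Alias -ErrorAction Stop
    $canonical = $mbx.Identity.ToString()

    Search-AdminAuditLog -Cmdlets $Cmdlets -ObjectIds $canonical `
        -StartDate $StartDate -EndDate $EndDate -IsSuccess $true |
      ForEach-Object {
        # flatten the parameter list so each change reads as a single line
        $params = ($_.CmdletParameters | ForEach-Object { "-$($_.Name) $($_.Value)" }) -join ' '
        New-Object PSObject -Property @{
            RunDate = $_.RunDate
            Caller  = $_.Caller
            Cmdlet  = $_.CmdletName
            Object  = $_.ObjectModified
            Params  = $params
        }
      }
}

# Usage: who changed jdoe's mailbox in the last week, and with which parameters?
Get-MailboxAdminChanges -Alias jdoe | Sort-Object RunDate | Format-Table -AutoSize

# Structured alternative to "search-adminauditlog > c:\log.txt": a CSV can be filtered
# later with Import-Csv | Where-Object instead of searching free text.
Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 250000 |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded |
    Export-Csv -Path C:\AdminAuditLog.csv -NoTypeInformation
```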

Tuesday, May 15, 2012

Exchange Recovery Database with Backup Exec 2010 R2

Below are the steps in order to restore an Exchange 2010 DB to a recovery database using Backup Exec 2010 R2.

1. Create 2 folders on the Exchange mailbox server.

•Database –> E:\Recovery\Database

•Transaction Logs –> E:\Recovery\Logs

Make sure you're restoring a full backup and not a differential, otherwise only the logs will restore.
New-MailboxDatabase -Recovery -Name RDB -Server DCEXMAILP01 -EdbFilePath "E:\Recovery\RDB\RDB.EDB" -LogFolderPath "E:\Recovery\RDB"

Mount the DB (a blank DB file needs to pre-exist), then dismount it and delete all files except the .edb in E:\Recovery\Database. Ensure that on the DB properties the check box "This database can be overwritten by a restore" is checked; it should still be checked.

Once the restore is complete, the DB will be mounted automatically.
Get-MailboxStatistics -Database RecoverDB

Restore-Mailbox -Identity User1 -RecoveryDatabase rdb

Restore to pst

New-MailboxExportRequest -Mailbox User1 -FilePath "\\dcexmailp01\PST Dumps\User1.pst"

Get-MailboxExportRequest (to show the status of the export)

James Chong
Security+, Project+, ITIL
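The recovery database workflow above as one script, added here as an example that is not part of the original post. Server, database and folder names follow the post; the mailbox User1 is the post's sample, and the log prefix in the error text is a placeholder the reader fills in from eseutil output.

```powershell
# Added example (not from the post). Names and paths follow the post; <LogPrefix> is a placeholder.
$RdbName = "RDB"
$RdbPath = "E:\Recovery\Database"
$LogPath = "E:\Recovery\Logs"
$EdbFile = Join-Path $RdbPath "$RdbName.edb"

# 1. Create the recovery database on the mailbox server and allow a restore to overwrite it.
New-MailboxDatabase -Recovery -Name $RdbName -Server DCEXMAILP01 `
    -EdbFilePath $EdbFile -LogFolderPath $LogPath
Set-MailboxDatabase -Identity $RdbName -AllowFileRestore $true

# 2. After Backup Exec has restored the full backup into $RdbPath and $LogPath, check the
#    database header: a "Dirty Shutdown" state means the logs were never replayed and the
#    database will not mount until a soft recovery (eseutil /r) has been run.
$header = & (Join-Path $env:ExchangeInstallPath "Bin\eseutil.exe") /mh $EdbFile
$stateLine = [string]($header | Select-String 'State:' | Select-Object -First 1)
$state = ($stateLine -replace '.*State:\s*', '').Trim()
if ($state -ne 'Clean Shutdown') {
    throw "$EdbFile is in '$state' state; run eseutil /r <LogPrefix> /l $LogPath /d $RdbPath and re-check"
}
Mount-Database -Identity $RdbName

# 3. See what the RDB contains, then restore one mailbox into its live mailbox.
#    Restore-Mailbox is the 2010 RTM cmdlet the post uses; on SP1 and later use
#    New-MailboxRestoreRequest -SourceDatabase $RdbName -SourceStoreMailbox ... instead.
Get-MailboxStatistics -Database $RdbName | Select-Object DisplayName, ItemCount, TotalItemSize
Restore-Mailbox -Identity User1 -RecoveryDatabase $RdbName -Confirm:$false

# 4. Optional: export the restored mailbox to PST. FilePath must be a UNC path to a share
#    that the Exchange Trusted Subsystem group can write to.
New-MailboxExportRequest -Mailbox User1 -FilePath "\\dcexmailp01\PST Dumps\User1.pst"
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics
```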

Friday, May 04, 2012

Web.config Configuration An Extension of Name "SecurityServiceBehavior" already appears in Extension Collection

The following error on your web app can have multiple causes, but the root issue is that your web.config is being loaded twice. The error does not indicate that you have duplicate tags in the web.config, nor that there is an issue with this specific tag. How does the web.config get loaded twice? One way is something in your code: when you get to your web app, it performs some other function or logging that loads your web.config again. Another cause, in my specific case, was incorrect IIS settings on the web app, for example:

The root of the website has an application declared with home directory:

d:\inetpub\wwwroot\test\virdirectory instead of just d:\inetpub\wwwroot\test

Then there is a virtual directory off the root called virdirectory with a home directory of:

• d:\inetpub\wwwroot\virtualdirectory

This causes the web.config to be loaded twice.

James Chong
Security+, Project+, ITIL
MS Exchange Tips: May 2012