Here is a production job aid I've created to perform cross forest mailbox moves migrating from Exchange 2007 to Exchange 2010.
Purpose
This Job Aid provides the steps required to migrate an ipcfcdom user account and mailbox to corp.dom. The instructions cover using ADMT to migrate the user account, profile and computer, and using PowerShell to migrate the mailbox. Finally, the instructions cover migrating the SharePoint and ResolveIT accounts.
Audience
This document is intended for use by Server Engineering.
Instructions
Step Description
CORP.DOM = New Target Forest
IPCFCDOM = Source Forest
Prereq
Verify that the computer is on a wired connection and set the DHCP class ID to corp: “ipconfig /setclassid * corp” (This may not apply to you. It ensures that newly migrated systems use the DHCP servers in the new Forest and not the source Forest.)
1. Provision source AD account to be Exchange Aware.
a. Log into DCEXCASP01 (Target Exchange 2010 CAS Server). Launch Exchange Management Shell: Start > All Programs > Microsoft Exchange Server 2010
b. Change directory to C:\Program Files\Microsoft\Exchange Server\V14\Scripts
c. Type: $Local = Get-Credential
You will get a Windows prompt. Enter your admin credentials for the ipcfcdom domain.
Type: $Remote = Get-Credential
You will get a Windows prompt. Enter your admin credentials for the corp.dom domain.
d. Delete the GALsync contact in the Corp domain OU GalSync\FromILM for the user you are migrating. If you don’t, it merges with the contact, producing john doe1734633. You will then need to rename it to take out the random numbers, set the contact to apply the email address policy, and set corp as the external address.
.\Prepare-MoveRequest.Ps1 -Identity "CN=Alexander Htet,OU=reston,DC=ipcfcdom,DC=inphonic,DC=com" -RemoteForestDomainController "dcfcdc03.ipcfcdom.inphonic.com" -RemoteForestCredential $Remote -LocalForestDomainController "eqdcp01.corp.dom" -LocalForestCredential $Local -TargetMailUserOU "OU=FromILM,OU=GALSync,DC=corp,DC=dom" -UseLocalObject -OverwriteLocalObject
New-MoveRequest -Identity "CN=alexander htet,OU=FromILM,OU=GALSync,DC=corp,DC=dom" -RemoteLegacy -TargetDatabase "mdb04 tier2" -baditemlimit 100 -acceptlargedataloss -RemoteGlobalCatalog "dcfcdc03.ipcfcdom.inphonic.com" -RemoteCredential $Remote -TargetDeliveryDomain "corp.dom" -SuspendWhenReadyToComplete
Ignore Warning Message
WARNING: When an item can't be read from the source database or it can't be written to the destination database, it
will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting Exchange not copy such items to
the destination mailbox. At move completion, these corrupted items will not be available at the destination mailbox.
e. To check the status of the mailbox move, launch Exchange Management Console
f. Expand Recipient Configuration > Move Requests. Double-click the user to get the stats on progress
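The same status check can be done from the Exchange Management Shell. The script below is an added example, not part of the original job aid: it polls the move request created above and, because that request used -BadItemLimit 100 with -SuspendWhenReadyToComplete, only resumes the move when no items were skipped. The report path, the 60-second polling interval and the rule of stopping for review when bad items are found are assumptions.

```powershell
# Added example, not part of the original job aid. Run in the Exchange Management
# Shell on the target Exchange 2010 server after New-MoveRequest has been submitted.
$identity   = "CN=alexander htet,OU=FromILM,OU=GALSync,DC=corp,DC=dom"  # identity used in step 1
$reportPath = Join-Path $env:TEMP "moverequest-report.xml"              # assumed location

function Get-MoveSummary {
    param([string]$Identity)
    Get-MoveRequestStatistics -Identity $Identity |
        Select-Object DisplayName, Status, StatusDetail, PercentComplete, BadItemsEncountered
}

# Poll while the mailbox is still queued or being copied.
do {
    $s      = Get-MoveSummary -Identity $identity
    $status = [string]$s.Status
    "{0}  {1}/{2}  {3}%  bad items: {4}" -f $s.DisplayName, $status, $s.StatusDetail,
                                            $s.PercentComplete, $s.BadItemsEncountered
    $running = @('Queued', 'InProgress') -contains $status
    if ($running) { Start-Sleep -Seconds 60 }
} while ($running)

switch ($status) {
    'AutoSuspended' {
        # -SuspendWhenReadyToComplete parks the request here until it is resumed.
        if ($s.BadItemsEncountered -gt 0) {
            # Items were skipped as corrupt: keep the full report and let a person decide.
            Get-MoveRequestStatistics -Identity $identity -IncludeReport |
                Export-Clixml -Path $reportPath
            Write-Warning "$($s.BadItemsEncountered) bad item(s) skipped. Review $reportPath, then run Resume-MoveRequest manually."
        }
        else {
            Resume-MoveRequest -Identity $identity
        }
    }
    'Failed' {
        Get-MoveRequestStatistics -Identity $identity -IncludeReport |
            Export-Clixml -Path $reportPath
        Write-Warning "Move request failed. Report saved to $reportPath."
    }
    default { "Move request state: $status" }
}
```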
2. Migrate the user account to corp.dom using ADMT
a. Log into the ADMT server EQDCP03.CORP.DOM with svcadmt account
b. Launch Active Directory Migration Tool on desktop
c. Action menu, User Account Migration Wizard
d. Welcome page, next
e. Domain selection, click next. All fields should be pre-populated
f. Source: ipcfcdom.inphonic.com DC: fcrs05 Target: Corp.dom DC: Eqdcp01
g. Select Users from Domain
h. Add and find the user to be migrated
i. Target OU choose destination OU
j. Password Options, Migrate Passwords
k. Password Migration Source DC: fcrs05
l. Enable Target Accounts. Migrate user SIDs to target domain
m. Enter ipcfcdom\svcadmt credentials
n. Fix users group memberships
o. Object Property Exclusion, leave blank
p. Migrate and merge conflicting objects. Move merged objects to the specified Organizational Unit
q. Finish
3. Migrate the user profile using ADMT
a. Action menu, security Translation Wizard
b. Welcome page, next
c. Previously migrated objects
d. Domain selection, click next. All fields should be pre-populated
e. Select computers from domain
f. Add and find computer to be migrated. Domain selected should be ipcfcdom
g. Translate Objects, User profiles.
h. Security Translation Options, Add
i. Finish.
j. Log into corp.dom ADUC. Locate the migrated account and uncheck “user must change password at next logon”
After a few seconds the Active Directory Migration Tool Agent Dialog menu will pop up. Select the radio button “Run pre-check and agent operation” and click Start. If you get the error below, it means the corp\svcadmt account is not a local admin on the client machine.
Unable to determine the local path for ADMIN share on the machine "desktop". rc=-2147024891
When the Agent Operation changes from Running to Successful, click Close.
4. Migrate the computer to corp.dom using ADMT
a. Action menu, computer migration Wizard
b. Welcome page, next
c. Domain selection, click next. All fields should be pre-populated
d. Select computers from domain
e. Add. Location should be ipcfcdom
f. Target OU = Automatic Updates, Non Production, Infrastructure, Infrastructure Clients...
g. Translate Objects, unselect all.
h. Minutes before computers restart = 1
i. Object Property Exclusion, skip
j. Conflict Management. Migrate and merge conflicting objects. Move merged objects to the specified target Organizational Unit
k. Finish. Close. After a few seconds the Active Directory Migration Tool Agent Dialog menu will pop up.
l. Select the radio button “Run pre-check and agent operation” and click Start. After the status changes to completed you can click Close.
5. Post User Configuration
a. When the computer has rebooted, ensure that the user logs into the corp.dom domain, as the computer will still default to ipcfcdom.
b. Delete the “Closest GC” registry key. Search the registry for this key and delete it
c. Launch Outlook. You do not need to create a new profile. You will receive warning message that Outlook must restart due to administrative changes. Ignore the message and continue with Outlook.
6. Set the migrated user’s account extensionattribute15 to “migrated” so Galsync will not create a contact for this user in the corp.dom domain. Failure to do this will create a contact for an already existing user in corp.dom, causing email issues.
a. Log in dcexcasp01.corp.dom
b. Type adsiedit.msc in the run box
c. Expand Default naming context and highlight the OU where the user resides.
d. Right-click the user and select Properties. Search for extensionattribute15 and type in “migrated” without the quotes
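A scripted alternative to the ADSI Edit steps, as an added example that is not part of the original job aid. It checks the three account states this procedure relies on (SID history migrated in step 2, the password-change flag cleared in step 3, extensionattribute15 set in step 6) and corrects the two that can be fixed in place. It assumes the ActiveDirectory PowerShell module is installed on the machine you run it from; the account name jdoe is a placeholder.

```powershell
# Added example, not part of the original job aid.
# Assumes the ActiveDirectory module (RSAT) is available and that you are
# running with rights to modify users in corp.dom.
Import-Module ActiveDirectory

$dc  = 'eqdcp01.corp.dom'   # target forest DC named in this document
$sam = 'jdoe'               # placeholder account name

function Get-MigrationState {
    param([string]$SamAccountName, [string]$Server)
    $u = Get-ADUser -Identity $SamAccountName -Server $Server `
                    -Properties SIDHistory, extensionAttribute15, pwdLastSet
    New-Object PSObject -Property @{
        Account            = $u.SamAccountName
        Enabled            = $u.Enabled
        SidHistoryCount    = $u.SIDHistory.Count        # 0 means no SID was migrated
        MustChangePassword = ($u.pwdLastSet -eq 0)      # "change password at next logon"
        GalSyncFlag        = $u.extensionAttribute15
    }
}

$state = Get-MigrationState -SamAccountName $sam -Server $dc

if ($state.SidHistoryCount -eq 0) {
    Write-Warning "$sam has no SID history; re-check the ADMT user migration options."
}
if ($state.GalSyncFlag -ne 'migrated') {
    # Same change as typing the value into ADSI Edit
    Set-ADUser -Identity $sam -Server $dc -Replace @{ extensionAttribute15 = 'migrated' }
}
if ($state.MustChangePassword) {
    # Same change as unchecking the box in ADUC
    Set-ADUser -Identity $sam -Server $dc -ChangePasswordAtLogon $false
}

# Re-read the account to confirm the final state
Get-MigrationState -SamAccountName $sam -Server $dc | Format-List
```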
7. Migrate the user’s SharePoint Account. You will need DB owner rights to SP DB.
a. Log into the SharePoint server DCSPAPPS01
b. Launch cmd
c. STSADM -o migrateuser -oldlogin ipcfcdom\user -newlogin corp\user -ignoresidhistory
d. You should receive “operation completed successfully”
Update the display name. After migrating the SharePoint account, the display name changes from John Doe to corp\jdoe. To change it back to the friendly name:
1. Log into SharePoint Server DCSPAPP01
2. Launch PowerShell
3. Enter the following lines one at a time
a. [Reflection.Assembly]::Load("Microsoft.SharePoint, Version=12.0.0.0, Culture=Neutral, PublicKeyToken=71e9bce111e9429c")
b. $site = New-Object -TypeName Microsoft.SharePoint.SPSite -ArgumentList http://inside.simplexity.com
c. $user = $site.RootWeb.SiteUsers["corp\jdoe"]
d. $user.Name = "John Doe"
e. $user.Update()
After you migrate John Doe and are ready to migrate a second user, you only need to type in lines c, d and e. You can copy and paste all 3 lines into PowerShell rather than entering them one at a time.
8. Migrate the user’s ResolveIT Account. You will need ResolveIT Sysadmin rights.
a. Log into ResolveIT.simplexity.com
b. Go to Administration > System - Users > User Management
c. Click edit user. UserID enter bsmith and click find
d. Scroll down under the menu heading “Mandatory fields for all users”
e. Change the authentication Method to Primary (LDAP/Exchange/Active Directory)
f. Scroll down and click save
Manually Migrate User Profile Using Reg Hack
1. Log into the machine with admin rights, launch regedit and navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
2. Highlight the SID that corresponds to the Corp user. You can locate it by highlighting each SID entry and looking at the ProfileImagePath string value, for example C:\Users\bsmith.CORP.
3. Edit this entry to equal the profile path of the original ipcfcdom profile path.
Replace:
ProfileImagePath = C:\Users\bsmith.CORP
with
ProfileImagePath = C:\Users\bsmith.ipcfcdom
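The same registry change scripted with safety checks, as an added example that is not part of the original job aid. It uses the bsmith paths shown above, refuses to proceed unless exactly one ProfileList entry matches and the original profile folder exists, and exports the key before changing it. The backup file location is an assumption.

```powershell
# Added example, not part of the original job aid. Run from an elevated
# PowerShell prompt on the client machine while the user is logged off.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$corpPath    = 'C:\Users\bsmith.CORP'       # profile created for the corp.dom account
$sourcePath  = 'C:\Users\bsmith.ipcfcdom'   # original profile to point back to
$backupFile  = Join-Path $env:TEMP 'ProfileList-backup.reg'   # assumed location

# The original profile folder must exist, otherwise the user gets a broken profile.
if (-not (Test-Path -Path $sourcePath -PathType Container)) {
    throw "Source profile folder not found: $sourcePath"
}

# Find the SID subkey whose ProfileImagePath is the new corp profile.
$match = @(Get-ChildItem -Path $profileList | Where-Object {
    (Get-ItemProperty -Path $_.PSPath).ProfileImagePath -eq $corpPath
})
if ($match.Count -ne 1) {
    throw "Expected exactly one ProfileList entry for $corpPath, found $($match.Count)."
}

# Make sure no other SID already points at the source profile.
$inUse = @(Get-ChildItem -Path $profileList | Where-Object {
    (Get-ItemProperty -Path $_.PSPath).ProfileImagePath -eq $sourcePath
})
if ($inUse.Count -gt 0) {
    Write-Warning "Another SID already uses ${sourcePath}: $($inUse[0].PSChildName)"
}

# Export the whole key so the change can be rolled back by importing the .reg file.
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' $backupFile /y | Out-Null

Set-ItemProperty -Path $match[0].PSPath -Name ProfileImagePath -Value $sourcePath

# Show the result for the SID that was changed
"{0} -> {1}" -f $match[0].PSChildName,
                (Get-ItemProperty -Path $match[0].PSPath).ProfileImagePath
```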