Domain Migration - Users in Trusted Domain accessing and sending mail across trust

  • Question

  • I am in the planning stages of a Domain Migration. I have a test domain set up and have been working out my process. I have the Domain Trust set up, have migrated AD Objects and Groups using ADMT 3.2 with SID history and Password Sync. That part works fine. Users can log into either domain, they can access Outlook from the Migrated AD accounts.

    For purposes of this discussion:
    Domain A = old domain (source domain)(Exchange 2007 SP3, AD 2003)

    Domain B = new domain (target domain)(Exchange 2013 SP1, AD 2008R2)

    Some questions regarding expected results:

    1. I was expecting users to be able to have the same permissions on the migrated accounts because of SID history, i.e. users should be able to log on to mailboxes hosted in Domain A from their migrated account in Domain B. This is not the case. I had to run add-mailboxpermission -identity DomainAUserAccount -user DomainB\DomainBUserAccount -accessrights fullaccess for them to access the mailbox.

    2. Users cannot send mail, so I added send-as rights to the mailbox: add-adpermission -identity DomainAUserAccount -user DomainB\DomainBUserAccount -ExtendedRight sendas. After running this command, "get-adpermission" in PowerShell shows that the user in Domain B has send-as rights. But when attempting to send email logged in as DomainBUserAccount, Exchange rejects the message. You can also see the rights in the Exchange Management Console under full rights and send rights.

    Any ideas of what to try? This is repeatable on all the accounts I have tested with. I have verified that SidHistory WAS migrated, and is accurate.

    Does SIDHistory really gain you anything in Exchange? After I work this out, I am actually going to do mailbox migrations across the trust to Exchange 2013. That's the plan anyway; we'll see how it works out.

    Monday, May 19, 2014 9:10 PM

All replies

    1. I was expecting users to be able to have the same permissions on the migrated accounts because of SID history, i.e. users should be able to log on to mailboxes hosted in Domain A from their migrated account in Domain B. This is not the case. I had to run add-mailboxpermission -identity DomainAUserAccount -user DomainB\DomainBUserAccount -accessrights fullaccess for them to access the mailbox.

    What I suspect is happening here is that you're migrating accounts to Domain B, but the security on the mailbox (in Domain A) does not get changed. It's the permissions on the mailbox object that matter in this case. When you run Add-MailboxPermission you are fixing permissions on the mailbox.

    2. Users cannot send mail, so I added send-as rights to the mailbox: add-adpermission -identity DomainAUserAccount -user DomainB\DomainBUserAccount -ExtendedRight sendas. After running this command, "get-adpermission" in PowerShell shows that the user in Domain B has send-as rights. But when attempting to send email logged in as DomainBUserAccount, Exchange rejects the message. You can also see the rights in the Exchange Management Console under full rights and send rights.

    You may need to look at the receive connector that accepts mail from Outlook. You may need to update it to allow connections from Outlook in another domain.

    Hope this helps

    Monday, May 19, 2014 11:39 PM
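The two grants discussed in the question and in the reply above (Full Access on the mailbox, Send-As as an extended right on the owning AD user object), wrapped in one function with a matching read-only check that confirms both ACEs are present for the trusted-domain account. This is an added example, not code from the thread or from Microsoft; it assumes the Exchange Management Shell on a Domain A server, that the mailbox identity resolves to a single object, and that the account names used in the usage lines are placeholders.

```powershell
# Added example (not from the thread): grant a trusted-domain account Full Access and
# Send-As on a source-domain mailbox, then verify both entries exist.
# Assumes the Exchange Management Shell is loaded on a Domain A Exchange server.
# Mailbox and account names in the usage section are constructed placeholders.

function Grant-CrossForestMailboxAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,      # Domain A mailbox, e.g. 'jsmith'
        [Parameter(Mandatory = $true)] [string] $TrustedUser   # Domain B account, e.g. 'DOMAINB\jsmith'
    )

    if ($PSCmdlet.ShouldProcess($Mailbox, "Grant FullAccess and Send-As to $TrustedUser")) {
        # Full Access lives on the mailbox object itself.
        Add-MailboxPermission -Identity $Mailbox -User $TrustedUser `
            -AccessRights FullAccess -InheritanceType All | Out-Null

        # Send-As is an extended right on the AD user object that owns the mailbox.
        Add-ADPermission -Identity $Mailbox -User $TrustedUser `
            -ExtendedRights 'Send-As' | Out-Null
    }
}

function Test-CrossForestMailboxAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,
        [Parameter(Mandatory = $true)] [string] $TrustedUser
    )

    # Explicit, non-deny Full Access entries held by the trusted account.
    $fullAccess = Get-MailboxPermission -Identity $Mailbox |
        Where-Object {
            -not $_.Deny -and
            "$($_.User)" -eq $TrustedUser -and
            ($_.AccessRights -contains 'FullAccess')
        }

    # Explicit, non-deny Send-As entries held by the trusted account.
    $sendAs = Get-ADPermission -Identity $Mailbox |
        Where-Object {
            -not $_.Deny -and
            "$($_.User)" -eq $TrustedUser -and
            (($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'Send-As')
        }

    # New-Object PSObject keeps this usable on the PowerShell 2.0 shell of Exchange 2007 SP3.
    New-Object PSObject -Property @{
        Mailbox     = $Mailbox
        TrustedUser = $TrustedUser
        FullAccess  = [bool]$fullAccess
        SendAs      = [bool]$sendAs
    }
}

# Usage (constructed placeholder names). Add -WhatIf to the grant to preview it first.
Grant-CrossForestMailboxAccess -Mailbox 'jsmith' -TrustedUser 'DOMAINB\jsmith'
Test-CrossForestMailboxAccess  -Mailbox 'jsmith' -TrustedUser 'DOMAINB\jsmith' | Format-List
```

The check function only reads the ACLs, so it can be run on every migrated mailbox before cutover; a `SendAs` of `$false` for an account that has been granted the right usually means the entry was never written rather than a propagation issue, and a `Deny` entry for the same account (filtered out above on purpose) would override the grant.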
  • I guess what was happening is that adding send-as permissions to the mailbox takes some time to take effect. I came in this morning and tested, and everything was working fine.

    Which is odd, because when I did add-mailboxpermission, the permissions took effect right away; users could get right into the mailbox using the migrated account from Domain B. But doing the add-adpermission -extendedright sendas did not. I messed around with it for about an hour before I gave up and posted here on the TechNet forum.

    So that begs the question: is there a service I could restart or a PowerShell command I could run to make this happen more quickly? I have seen similar things happen when I have to disable someone's mailbox access, like disabling MAPI in their mail profile; when you re-enable it, it takes HOURS to take effect.

    Any idea here?
    At least it's working, I feel vindicated, as at least the process and commands which I THOUGHT were valid, actually were, it just took a long time for the changes to take effect.

    And before you ask, it's not a replication issue: in my test domain I have 2 DCs and a single AD site, and everything is in one site including Exchange.

    Tuesday, May 20, 2014 11:29 AM
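The poster states that SIDHistory was migrated and is accurate; the following is an added, read-only check (not code from the thread or from ADMT) that makes that statement verifiable for a list of accounts. It looks up each user in the source and target domains over LDAP and reports whether the source objectSid appears in the target account's sIDHistory. It uses System.DirectoryServices rather than the ActiveDirectory module so it can query the Windows Server 2003 source domain without Active Directory Web Services; the LDAP paths, DC names and user list are constructed placeholders, and the caller is assumed to have read access to both domains through the trust.

```powershell
# Added example (not from the thread): confirm that each migrated account in the target
# domain carries the source account's objectSid in its sIDHistory attribute.
# Domain names, DC names and the sample user list are constructed placeholders.

Add-Type -AssemblyName System.DirectoryServices

function Get-SidString {
    # Convert the raw byte[] form of a SID attribute to its S-1-5-... string.
    param([byte[]] $SidBytes)
    (New-Object System.Security.Principal.SecurityIdentifier($SidBytes, 0)).Value
}

function Find-DomainUser {
    param(
        [Parameter(Mandatory = $true)] [string] $SearchRoot,      # e.g. 'LDAP://dcA.domainA.local/DC=domainA,DC=local'
        [Parameter(Mandatory = $true)] [string] $SamAccountName
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange(@('objectSid', 'sIDHistory'))
    $searcher.FindOne()
}

function Test-SidHistoryMigration {
    param(
        [Parameter(Mandatory = $true)] [string]   $SourceRoot,
        [Parameter(Mandatory = $true)] [string]   $TargetRoot,
        [Parameter(Mandatory = $true)] [string[]] $SamAccountNames
    )
    foreach ($sam in $SamAccountNames) {
        $src = Find-DomainUser -SearchRoot $SourceRoot -SamAccountName $sam
        $tgt = Find-DomainUser -SearchRoot $TargetRoot -SamAccountName $sam

        $sourceSid = $null
        if ($src) { $sourceSid = Get-SidString $src.Properties['objectsid'][0] }

        # sIDHistory is multi-valued; collect every SID the target account carries.
        $history = @()
        if ($tgt -and $tgt.Properties.Contains('sidhistory')) {
            $history = @($tgt.Properties['sidhistory'] | ForEach-Object { Get-SidString $_ })
        }

        New-Object PSObject -Property @{
            SamAccountName = $sam
            SourceFound    = [bool]$src
            TargetFound    = [bool]$tgt
            SourceSid      = $sourceSid
            SidHistory     = ($history -join ';')
            Matches        = [bool]($sourceSid -and ($history -contains $sourceSid))
        }
    }
}

# Usage with constructed names; only accounts whose SID history does NOT match are listed.
$users = 'jsmith', 'adoe'
Test-SidHistoryMigration `
    -SourceRoot 'LDAP://dcA.domainA.local/DC=domainA,DC=local' `
    -TargetRoot 'LDAP://dcB.domainB.local/DC=domainB,DC=local' `
    -SamAccountNames $users |
    Where-Object { -not $_.Matches } |
    Format-Table SamAccountName, SourceFound, TargetFound, SourceSid, SidHistory -AutoSize
```

An account that shows `TargetFound` true but an empty `SidHistory` was migrated without SID history (or the attribute was later cleared), which is worth knowing before relying on it for any access in the source domain; conversely, a sIDHistory value that does not correspond to any source account is something to review, since SID history is also the attribute abused to smuggle privileged SIDs into a migrated account, and SID filtering on the trust is what limits that exposure.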