Exchange Cross forest Migration

  • Question

  • Dear All,

    I am in the process of migrating Exchange 2013. This will be a cross-forest migration. I have 2 domains, Domain A and Domain B. Following is the environment:

    Domain A:

    dc1.A.com

    dc2.a.com

    2 mbx 2013 servers

    2 CAS 2013 servers

    Domain B:

    dc1.b.com

    dc2.b.com

    2 mbx 2013 servers

    2 CAS 2013 Servers

    Now I am in the process of creating the external trust. I completed the DNS zone transfer from domain A to domain B and vice versa. As my DCs in the new domain also have IPs from the same network (e.g. dc1.a.com has 192.168.1.20 and dc1.b.com has 192.168.1.200), I am not sure how to do the zone transfer for reverse lookups.

    Also when I try to create the trust it fails with the below error:

    the security database does not have a computer account

    But when I validate the trust and try to repair it, it says the trust has been repaired and it will take some time for the trust object to be replicated to all the DCs.

    I can also see the objects of each other's domains, but when I try to log in to any machine in Domain A with an account from Domain B it gives the error "Access is denied".

    Now I have the below questions:

    1. Do we need to do the reverse lookup zone transfer as well? If yes, what should be my approach if the IPs are from the same subnet, as domain B would also have a reverse lookup zone for 192.168.1 and I won't be able to create a secondary copy.

    2. Can you help with the error "the security database does not have a computer account", or shall I wait for a day and check again tomorrow?

    Monday, December 5, 2016 2:37 PM

Answers

  • Dear All,

    I am in agreement with the above process, but I am stuck with trust creation.

    I am trying to create a two-way trust between domain A and domain B. It allows me to create the trust, but incoming trust validation fails with the below error:

    "The secure channel (SC) verification on Active Directory Domain Controller \\AD-DC02..B.com of domain B.com to domain A.com failed with error: Access is denied."

    Also want to highlight: the host names for both DCs are the same as in the old forest.

    For example: DC1.a.com and dc2.a.com

    New forest:

    Dc1.b.com and dc2.b.com

    Now on one of the DCs in the new forest I can see the below event:

    Log Name:      System
    Source:        NetBT
    Date:          12/5/2016 2:05:19 PM
    Event ID:      4321
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      AD-DC01.ADNOC.SCH.AE
    Description:
    The name "AD-DC01        :0" could not be registered on the interface with IP address 10.20.15.200. The computer with the IP address 10.20.15.20 did not allow the name to be claimed by this computer.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NetBT" />
        <EventID Qualifiers="49152">4321</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2016-12-05T10:05:19.127952000Z" />
        <EventRecordID>4810</EventRecordID>
        <Channel>System</Channel>
        <Computer>AD-DC01.ADNOC.SCH.AE</Computer>
        <Security />
      </System>
      <EventData>
        <Data>
        </Data>
        <Data>AD-DC01        :0</Data>
        <Data>10.20.15.200</Data>
        <Data>10.20.15.20</Data>
        <Binary>000000000400320000000000E11000C001010000010000C002000000000000000000000000000000</Binary>
      </EventData>
    </Event>

    Do you think I should change the names and try again?


    • Edited by vgahod Wednesday, December 7, 2016 6:25 AM
    • Marked as answer by vgahod Wednesday, December 7, 2016 10:37 AM
    Tuesday, December 6, 2016 12:59 PM
  • Yes, given the error message, please change the name and try again.

    Thanks for your effort.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by vgahod Wednesday, December 7, 2016 10:37 AM
    Wednesday, December 7, 2016 7:58 AM
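Jason's answer points at the duplicated host names behind the NetBT 4321 event quoted above. The following is an added example, not code from this thread or from Microsoft: it flags DC host labels that collapse to the same NetBIOS name across the two forests (forest layout constructed from the question) and parses the quoted 4321 record to pull out the disputed name and the two IPs, so the clash can be found before a trust is attempted.

```python
import xml.etree.ElementTree as ET
# Windows event schema namespace, as in the Event Xml quoted in the post.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed from the layout in the question: both forests reuse the same DC
# host labels, which is exactly what produces a NetBIOS name conflict.
FORESTS = {
    "a.com": ["dc1.a.com", "dc2.a.com"],
    "b.com": ["dc1.b.com", "dc2.b.com"],
}

# Trimmed copy of the NetBT 4321 record from the post (Binary element dropped).
SAMPLE_4321 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="NetBT" /><EventID Qualifiers="49152">4321</EventID></System>
  <EventData>
    <Data> </Data>
    <Data>AD-DC01        :0</Data>
    <Data>10.20.15.200</Data>
    <Data>10.20.15.20</Data>
  </EventData>
</Event>"""


def netbios_name(fqdn):
    """NetBIOS computer name: first DNS label, upper-cased, at most 15 characters."""
    return fqdn.split(".")[0].upper()[:15]


def find_name_collisions(forest_dcs):
    """Return {netbios_name: [fqdn, ...]} for names claimed in more than one forest."""
    owners = {}
    for forest, hosts in forest_dcs.items():
        for host in hosts:
            owners.setdefault(netbios_name(host), set()).add((forest, host.lower()))
    return {name: sorted(fqdn for _, fqdn in entries)
            for name, entries in owners.items()
            if len({forest for forest, _ in entries}) > 1}


def parse_netbt_4321(event_xml):
    """Extract the disputed name and both IPs from a NetBT 4321 event; None otherwise."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4321":
        return None
    fields = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    # Field order: blank, "<NAME>   :<suffix>", local interface IP, IP that refused the claim.
    name, suffix = fields[1].rsplit(":", 1)
    return {"name": name.strip(), "suffix": suffix.strip(),
            "local_ip": fields[2], "owner_ip": fields[3]}
```

Running `find_name_collisions(FORESTS)` on the layout above reports DC1 and DC2 as claimed by both forests, which is the rename Jason asks for.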

All replies

  • Hi,

    We don't need to do a reverse lookup zone transfer; we need to create two-way transitive trusts between the AD forests. Please see a list of high-level tasks below:

    1. Install Exchange 2013 in the target forest
    2. Configure DNS for a forest trust
    3. Set up a forest trust
    4. Set up GAL sync which you will need to use to sync the GALs between the forests: https://technet.microsoft.com/en-us/library/bb124734(v=exchg.150).aspx
    5. Configure cross site availability service for free/busy information transfer between forests: https://technet.microsoft.com/en-us/library/bb125182(v=exchg.150).aspx
    6. Configure cross forest mail flow using internal relay accepted domains for the source forest domains on the target forest: http://markgossa.blogspot.co.uk/2015/09/exchange-2013-cross-forest-mail-flow.html
    7. Migrate AD groups using ADMT
    8. Stage AD users using ADMT
    9. Migrate AD users using ADMT, prepare for a cross forest move request (Prepare-MoveRequest.ps1) and move the mailboxes: https://technet.microsoft.com/en-us/library/ee633491(v=exchg.150).aspx and http://blogs.technet.com/b/meamcs/archive/2011/10/25/exchange-2010-cross-forest-migration-step-by-step-guide-part-i.aspx
    10. Prepare for decommissioning the servers in the source forest
    11. Decommission servers in the source forest

    It’s recommended to read the article: Cross Forest Migration in Exchange 2013

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. And the changes made in the above blog are not officially supported by Microsoft.

    For the error message, there are several causes; please see: https://technet.microsoft.com/en-us/library/ee849847(WS.10).aspx

    Hope it helps.


    Regards,

    Jason Chao




    • Edited by Jason.Chao Tuesday, December 6, 2016 5:58 AM
    • Proposed as answer by AnveedBanned Tuesday, December 6, 2016 6:45 AM
    Tuesday, December 6, 2016 5:58 AM