Best Method for Cross Forest Mailbox Moves

  • Question

  • Hi There,

    I'm having trouble moving mailboxes from one forest to another and need a couple of things clarified.

    1. On the destination forest do I need to create the AD account pre-move or an AD account WITH mailbox?

    I've tried moving mailboxes with mixed results, for example I tried moving an account by creating a mailbox on the destination server first and got this issue;

    [PS] C:\>New-MoveRequest -Identity 'test.mailbox@resourcegroup.co.uk' -Remote -TargetDatabase 'Users from LRTT'  -Remote
    HostName 'mail.lrtt.co.uk' -RemoteCredential $Cred -TargetDeliveryDomain 'resourcegroup.co.uk'
    Target user 'Test Mailbox' already has a primary mailbox.
        + CategoryInfo          : InvalidArgument: (test.mailbox@resourcegroup.co.uk:MailboxOrMailUserIdParameter) [New-Mo
       veRequest], RecipientTaskException
        + FullyQualifiedErrorId : CBF9D817,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

    and then I removed the account and tried and got this issue;

    [PS] C:\>New-MoveRequest -Identity 'test.mailbox@resourcegroup.co.uk' -Remote -TargetDatabase 'Users from LRTT'  -Remote
    HostName 'mail.lrtt.co.uk' -RemoteCredential $Cred -TargetDeliveryDomain 'resourcegroup.co.uk'
    The operation couldn't be performed because object 'test.mailbox@resourcegroup.co.uk' couldn't be found on 'thdc2.Resou
    rceGroup.co.uk'.
        + CategoryInfo          : NotSpecified: (0:Int32) [New-MoveRequest], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : E0AD70F2,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

    Can anyone help?

    Many Thanks

    Wednesday, May 23, 2012 9:27 AM

All replies

  • Hi

    You need to have a mail user object in the destination organisation which has the same values as the source object.

    See the mandatory attributes section in this document: http://technet.microsoft.com/en-us/library/ee633491

    Cheers, Steve

    Wednesday, May 23, 2012 9:32 AM
  • Hi Steve,

    Thanks for your quick reply.  Is there a simple way to copy this information or is it a time consuming process of copying and pasting??

    Wednesday, May 23, 2012 9:34 AM
  • Wednesday, May 23, 2012 10:22 AM
  • Thanks Leif,

    When I try that I get;

    [PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>./Prepare-MoveRequest.ps1 -Identity test.mailbox@lrtt.co.uk
    -RemoteForestDomainController thdc1.resourcegroup.co.uk -RemoteForestCredential $RemoteCredentials -LocalForestDomainCon
    troller kadc1.lrtt.co.uk -LocalForestCredential $LocalCredentials
    C:\Program Files\Microsoft\Exchange Server\V14\Scripts\Prepare-MoveRequest.ps1 : Error looking up source MBX test.mailb
    ox@lrtt.co.uk in source forest.
    At line:1 char:26
    + ./Prepare-MoveRequest.ps1 <<<<  -Identity test.mailbox@lrtt.co.uk -RemoteForestDomainController thdc1.resourcegroup.c
    o.uk -RemoteForestCredential $RemoteCredentials -LocalForestDomainController kadc1.lrtt.co.uk -LocalForestCredential $L
    ocalCredentials
        + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Prepare-MoveRequest.ps1
    
    0 mailbox(s) ready to move.

    I am correct in running the command on the new domain aren't I?

    Am I also right in thinking that;

    $LocalCredentials = new domain credentials
    $RemoteCredentials = old domain credentials

    Wednesday, May 23, 2012 1:31 PM
  • I have a job aid posted on my blog to perform cross forest mailbox moves that I documented for my migration. Nothing should exist in the target forest: no mailbox, no user, not even the GALSync contact (if you were doing GALSync). Any objects that exist in the target forest cause too many issues trying to merge the attributes, causing duplicate accounts, i.e. jchong73643, or failing to stamp attributes etc.

    http://msexchangetips.blogspot.com/2012/05/exchange-2007-to-exchange-2010-cross.html


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com



    Wednesday, May 23, 2012 3:25 PM
  • Hi James,

    I'm not moving from Exchange 2007 to 2010, I'm moving from a 2010 server in one forest to a 2010 server in another.

    Does your guide still apply?

    Many Thanks

    Wednesday, May 23, 2012 3:34 PM
  • Yes, the steps are still the same. Just make sure no objects exist in the target, prepare the move request, then move the mailbox, which will merge. Then run the ADMT, which will find the account already exists and bring over the SID.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    • Proposed as answer by Troy Werelius Wednesday, May 23, 2012 4:26 PM
    Wednesday, May 23, 2012 3:41 PM
  • I've managed to successfully get 1 mailbox READY to move...  can someone tell me how I get it to move??

    [PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>./Prepare-MoveRequest.ps1 -Identity test.mailbox -RemoteFor
    stDomainController kadc1.lrtt.co.uk -RemoteForestCredential $RemoteCredentials -LocalForestDomainController thdc1.resou
    cegroup.co.uk -LocalForestCredential $LocalCredentials -LinkedMailUser
    Appending x500:/o=LRTT/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Test Mailbox to proxyAddress
    s of New Object in Local forest.
    Appending x500:/o=ResourceGroup/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Test Mailboxa53 to
    roxyAddresses of Object(CN=Test Mailbox,CN=Users,DC=lrtt,DC=co,DC=uk) in Source forest.
    Preparation for test.mailbox done.
    1 mailbox(s) ready to move.
    Help? :)
    Thursday, May 24, 2012 2:04 PM
  • My blog post shows it. Did you try, or were you getting an error?

    New-MoveRequest -Identity "CN=alexander htet,OU=FromILM,OU=GALSync,DC=corp,DC=dom" -RemoteLegacy -TargetDatabase "mdb04 tier2" -baditemlimit 100 -acceptlargedataloss -RemoteGlobalCatalog "sourceDC" -RemoteCredential $Remote -TargetDeliveryDomain "TargetDC" -SuspendWhenReadyToComplete


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, May 24, 2012 2:12 PM
  • Hi James,

    Is -TargetDatabase where the mailbox is moving TO or FROM?

    Thursday, May 24, 2012 2:17 PM
  • target is the TO.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, May 24, 2012 2:20 PM
  • Also, you don't need to specify the whole DN "cn=blah blah"; like below, you can just use the username.

    New-MoveRequest -Identity "Bjones" -RemoteLegacy -TargetDatabase "mdb04 tier2" -baditemlimit 100 -acceptlargedataloss -RemoteGlobalCatalog "sourceDC" -RemoteCredential $Remote -TargetDeliveryDomain "TargetDC" -SuspendWhenReadyToComplete


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, May 24, 2012 2:22 PM
  • I tried this but it failed :(

    [PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>New-MoveRequest -Identity test.mailbox@lrtt.co.uk -Remote -T
    argetDatabase 'Users from LRTT' -RemoteHostName 'kamx1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeliveryD
    omain 'mail.resourcegroup.co.uk'
    The call to 'https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc' failed because no service was listening on the specified endpoi
    nt. Error details: There was no endpoint listening at https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc that could accept the m
    essage. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
    --> The remote name could not be resolved: 'kamx1.lrtt.co.uk'
        + CategoryInfo          : NotSpecified: (0:Int32) [New-MoveRequest], RemotePermanentException
        + FullyQualifiedErrorId : C4DA96C7,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest


    Thursday, May 24, 2012 2:23 PM
  • What server is 'kamx1.lrtt.co.uk' and what server is  'mail.resourcegroup.co.uk'


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, May 24, 2012 2:26 PM
  • kamx1.lrtt.co.uk is the mailserver that the mailbox is moving FROM

    mail.resourcegroup.co.uk is the CAS server that the mailbox is moving TO

    I've checked KAMX1 and it does have the EWS virt dir in IIS and it's running SSL Require SSL and Ignore Client Certs.

    Thursday, May 24, 2012 2:29 PM
  • Instead of kamx1.lrtt.co.uk you need to use the DC, not the source Exchange.

    Do this

     -RemoteGlobalCatalog "sourceDC"

    Not this

    -RemoteHostName 'kamx1.lrtt.co.uk'

    Then targetdeliverydomain is just the domain name of the new domain you're moving to, resourcegroup.co.uk (not the Exchange server name).


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, May 24, 2012 2:32 PM
  • OK I'll give that a whirl!! Thanks a lot!
    Thursday, May 24, 2012 2:34 PM
  • It requests a RemoteHostName
    cmdlet New-MoveRequest at command pipeline position 1
    Supply values for the following parameters:
    RemoteHostName:

    :/
    Thursday, May 24, 2012 2:40 PM
  • Doesn't this suggest that there's an issue on kamx1?

    [PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>New-MoveRequest -Identity test.mailbox@lrtt.co.uk -Remote -T
    argetDatabase 'Users from LRTT' -RemoteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeli
    veryDomain 'resourcegroup.co.uk'
    
    cmdlet New-MoveRequest at command pipeline position 1
    Supply values for the following parameters:
    RemoteHostName: kamx1.lrtt.co.uk
    The call to 'https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc' failed because no service was listening on the specified endpoi
    nt. Error details: There was no endpoint listening at https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc that could accept the m
    essage. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
    --> The remote name could not be resolved: 'kamx1.lrtt.co.uk'
        + CategoryInfo          : NotSpecified: (0:Int32) [New-MoveRequest], RemotePermanentException
        + FullyQualifiedErrorId : C4DA96C7,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
    It looks to me that https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc isn't working..
    Thursday, May 24, 2012 2:46 PM
  • Did you truncate the -RemoteLegacy parameter? Use it exactly like below.

    New-MoveRequest -Identity test.mailbox@lrtt.co.uk -RemoteLegacy -TargetDatabase 'Users from LRTT' -RemoteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'resourcegroup.co.uk'


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com


    Thursday, May 24, 2012 2:54 PM
  • That gives me the following;

    [PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>New-MoveRequest -Identity test.mailbox@lrtt.co.uk -RemoteLeg
    acy -TargetDatabase 'Users from LRTT' -RemoteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -Targ
    etDeliveryDomain 'resourcegroup.co.uk'
    An Active Directory error 0x51 occurred when trying to check the suitability of server 'kadc1.lrtt.co.uk'. Error: 'Acti
    ve directory response: The LDAP server is unavailable.'
        + CategoryInfo          : NotSpecified: (0:Int32) [New-MoveRequest], RemoteTransientException
        + FullyQualifiedErrorId : F617BA2E,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
    The previous commands looked as if they should work if only for the EWS error.


    Thursday, May 24, 2012 3:08 PM
  • Is 'kadc1.lrtt.co.uk' a GC?


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, May 24, 2012 3:09 PM
  • Yup, the only one on that site. 
    Thursday, May 24, 2012 3:09 PM
  • From the 2010 server you're running the move request, can you ping kadc1? Also, you're not blocking any standard ports to the DC (389 etc.)?

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com


    Thursday, May 24, 2012 3:10 PM
  • From the 2010 server you're running the move request, can you ping kadc1?

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    AHAR!!!   Good point, I'd set the server's IP using the hosts file on my PC as I'm running the command from PS on my PC but I guess the server needs it too!!   D'oh!
    Thursday, May 24, 2012 3:11 PM
  • I added the required hosts records to the mail servers and I still get the same issues;

    [PS] C:\Windows\system32>New-MoveRequest -Identity test.mailbox@lrtt.co.uk -Remote -TargetDatabase 'Users from LRTT' -Re
    moteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'resourcegroup.co.uk'
    
    cmdlet New-MoveRequest at command pipeline position 1
    Supply values for the following parameters:
    RemoteHostName: kamx1.lrtt.co.uk
    The call to 'https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc' failed because no service was listening on the specified endpoi
    nt. Error details: There was no endpoint listening at https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc that could accept the m
    essage. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
    --> The remote name could not be resolved: 'kamx1.lrtt.co.uk'
        + CategoryInfo          : NotSpecified: (0:Int32) [New-MoveRequest], RemotePermanentException
        + FullyQualifiedErrorId : C4DA96C7,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

    ;/
    Thursday, May 24, 2012 3:23 PM
  • I've made progress, the inverted commas were ballsing it up.

    Now I get;

    [PS] C:\Windows\system32>New-MoveRequest -Identity test.mailbox@lrtt.co.uk -Remote -TargetDatabase 'Users from LRTT' -Re
    moteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'resourcegroup.co.uk'-Re
    moteHostName kamx1.lrtt.co.uk
    The call to 'https://kamx1.lrtt.co.uk/EWS/mrsproxy.svc' failed. Error details: Could not establish trust relationship f
    or the SSL/TLS secure channel with authority 'kamx1.lrtt.co.uk'. --> The underlying connection was closed: Could not es
    tablish trust relationship for the SSL/TLS secure channel. --> The remote certificate is invalid according to the valid
    ation procedure..
        + CategoryInfo          : NotSpecified: (0:Int32) [New-MoveRequest], RemoteTransientException
        + FullyQualifiedErrorId : 42D47808,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest


    Thursday, May 24, 2012 3:34 PM
  • I think I've found the issue in event log;

    Microsoft Exchange could not find a certificate that contains the domain name mail.lrtt.co.uk in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default KAMX1 with a FQDN parameter of mail.lrtt.co.uk. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.


    Thursday, May 24, 2012 3:50 PM
  • How come you are still using the remotehostname parameter? Is it still not working if you just do like below?

    New-MoveRequest -Identity test.mailbox@lrtt.co.uk -RemoteLegacy -TargetDatabase 'Users from LRTT' -RemoteGlobalCatalog 'kadc1.lrtt.co.uk' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'resourcegroup.co.uk'



    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, May 24, 2012 3:51 PM
  • Hi There,

    That didn't work, it moaned about LDAP.

    I've discovered that it's a certificate issue that I've got now.

    "Microsoft Exchange could not find a certificate that contains the domain name mail.lrtt.co.uk in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default KAMX1 with a FQDN parameter of mail."

    Thursday, May 24, 2012 4:05 PM
  • If it's moaning about your new Exchange not being able to communicate with your old DCs then I would expect more problems down the line, not just with mailbox moves. You need to find out why it can't communicate with the DC.

    That error about the certificate is generic; everybody and their cousin gets that error when they first build Exchange.

    You need to check the ports required for mailbox moves.

    MapiExceptionNetworkError: Unable to make connection to the server. (hr=0x80004005, ec=2423)

    http://msexchangetips.blogspot.com/2010/11/mapiexceptionnetworkerror-unable-to.html


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, May 24, 2012 4:15 PM
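
The three failures in this thread (name not resolved, LDAP server unavailable, TLS trust not established for mrsproxy.svc) can be separated with a preflight run on the target Exchange server itself, since that is the machine that makes the connections. The script below is an added example, not code from any poster or from Microsoft. It uses the host names quoted in the thread; the function names and port 3268 (the standard global catalog port) are assumptions of the example.

```powershell
# Added example: preflight for a cross-forest move. Run it on the target
# Exchange server, not on an admin workstation with its own hosts file.
$SourceGC  = 'kadc1.lrtt.co.uk'   # source-forest global catalog (from the thread)
$SourceCAS = 'kamx1.lrtt.co.uk'   # source CAS hosting /EWS/mrsproxy.svc

function Test-TcpPort {            # hypothetical helper name
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-TlsTrust {           # hypothetical helper name
    param([string]$HostName, [int]$Port = 443)
    $script:tls = @{ Subject = $null; Errors = 'NoHandshake' }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $cert, $chain, $policyErrors)
        $script:tls.Subject = $cert.Subject
        $script:tls.Errors  = $policyErrors.ToString()
        # Accept only what default validation accepts; nothing is bypassed.
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # validates name and chain
    } catch {
        # Keep the policy error if the callback ran; otherwise record why not.
        if ($script:tls.Errors -eq 'NoHandshake') { $script:tls.Errors = $_.Exception.Message }
    } finally { $client.Close() }
    New-Object PSObject -Property $script:tls
}

foreach ($name in $SourceGC, $SourceCAS) {
    try   { $ips = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }) }
    catch { $ips = @() }             # empty list = "remote name could not be resolved"
    "{0} resolves to: [{1}]" -f $name, ($ips -join ', ')
}
"LDAP 389 on ${SourceGC}:  $(Test-TcpPort $SourceGC 389)"
"GC 3268 on ${SourceGC}:   $(Test-TcpPort $SourceGC 3268)"
"HTTPS 443 on ${SourceCAS}: $(Test-TcpPort $SourceCAS 443)"
# Errors = None means the certificate chains to a trusted root and matches the name.
Test-TlsTrust $SourceCAS | Format-List
```

An `Errors` value of `RemoteCertificateNameMismatch` or `RemoteCertificateChainErrors` points at the certificate bound to the source CAS web site: the fix is a certificate whose name matches the host used in `-RemoteHostName` and whose issuer the target server trusts.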