Last Update: Sep 04, 2024 | Published: Aug 26, 2014
This is the second installment in our article series on how to perform a Microsoft Exchange 2010 cross-forest migration, using a lab environment to migrate users from one domain to another. In the previous post, we configured DNS forwarding and the two-way trust relationship.
In this article, we’ll perform the following five steps:
A Microsoft Exchange cross-forest migration doesn’t happen overnight, and we might need to keep the environment in co-existence mode for a long time. We need to create and configure GAL sync between the blue.com and green.com domains so that users can find the contacts of the other forest in their local GAL. The following steps prepare and configure GAL sync between the two forests using the free GAL sync script by Carol Wapshere, a Microsoft Forefront Identity Manager (FIM) MVP.
3. Create a new OU named Galsync under the root of the green.com domain, then create the bluecontacts OU under the Galsync OU.
Add-RoleGroupMember "Recipient Management" -Member "Galsync"
Set-User -Identity "GALSYNC" -RemotePowerShellEnabled $True
read-host -assecurestring | convertfrom-securestring | out-file C:\scripts\Bpassword.txt
read-host -assecurestring | convertfrom-securestring | out-file C:\scripts\Gpassword.txt
4. Edit the file C:\scripts\Galsync.ps1 and update the GLOBAL DEFINITIONS parameters as shown in the screenshot below:
Updating the global definitions parameter. (Image: Krishna Kumar)
5. Start the Exchange Management Shell on the Exchange 2010 server, change to the path C:\scripts and execute the script “.\Galsync.ps1” to create GAL contacts in both forests.
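The two password files above are written with ConvertFrom-SecureString without a -Key, so they are DPAPI-protected and can only be read back by the same Windows account on the same machine that created them; the scheduled task that runs Galsync.ps1 must therefore run as that account. The following is an added example (not part of the article or of Carol Wapshere's script) that reloads both files into PSCredential objects, reports a clear error when the DPAPI binding does not match, and warns if the files are readable by anyone other than SYSTEM, Administrators and the current user; the account names blue\galsync and green\galsync are assumptions.

```powershell
# Added example: reload the DPAPI-protected password files created in the article
# (C:\scripts\Bpassword.txt and C:\scripts\Gpassword.txt) as PSCredential objects.
$ScriptRoot = 'C:\scripts'
$Accounts = @{
    # domain\user names are assumed; the article only shows the password files
    'blue'  = @{ User = 'blue\galsync';  File = Join-Path $ScriptRoot 'Bpassword.txt' }
    'green' = @{ User = 'green\galsync'; File = Join-Path $ScriptRoot 'Gpassword.txt' }
}

function Get-StoredCredential {
    param([string]$UserName, [string]$PasswordFile)
    if (-not (Test-Path $PasswordFile)) { throw "Password file '$PasswordFile' not found" }
    try {
        # ConvertTo-SecureString without -Key decrypts with DPAPI: same user, same host only
        $secure = Get-Content $PasswordFile | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        throw "Cannot decrypt '$PasswordFile' as $env:USERDOMAIN\$env:USERNAME (DPAPI binding): $_"
    }
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

function Test-PasswordFileAcl {
    # Warn about any Allow ACE for a principal outside the expected set
    param([string]$PasswordFile)
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$env:USERDOMAIN\$env:USERNAME")
    $extra = (Get-Acl $PasswordFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $allowed -notcontains $_.IdentityReference.Value
    }
    foreach ($ace in $extra) {
        Write-Warning "$PasswordFile is readable by $($ace.IdentityReference) ($($ace.FileSystemRights))"
    }
}

$creds = @{}
foreach ($forest in $Accounts.Keys) {
    $a = $Accounts[$forest]
    Test-PasswordFileAcl -PasswordFile $a.File
    $creds[$forest] = Get-StoredCredential -UserName $a.User -PasswordFile $a.File
    Write-Host "Credential for $forest loaded as $($creds[$forest].UserName)"
}
```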
Send connectors are created to send emails directly to the remote forest instead of routing them through the Internet. The following step-by-step instructions show how to create and configure a send connector at blue.com and at green.com so that the two forests deliver email to each other directly.
$mycred = Get-Credential
New-SendConnector -Name "Cross-Forest" -Usage Internal -AddressSpaces green.com -SmartHosts greenexch.green.com -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $mycred -SourceTransportServers blueexch.blue.com -DNSRoutingEnabled $false
.\Enable-CrossForestConnector.ps1 -Connector "Cross-Forest" -user "ANONYMOUS LOGON"
3. Execute the following PowerShell commands in the green.com Exchange Management Shell to create a send connector that delivers blue.com emails directly to the target server, blueexch.blue.com. The first command prompts for credentials; enter the username blue\blueconnector and its password.
$mycred = Get-Credential
New-SendConnector -Name "Cross-Forest" -Usage Internal -AddressSpaces blue.com -SmartHosts blueexch.blue.com -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $mycred -SourceTransportServers greenexch.green.com -DNSRoutingEnabled $false
.\Enable-CrossForestConnector.ps1 -Connector "Cross-Forest" -user "ANONYMOUS LOGON"
Configuring the Availability service makes free/busy information accessible across the forests. Because the Exchange environment will run in co-existence, free/busy sharing between the forests is required. Below are the steps to configure free/busy sharing between the forests.
1. Log in to blueexch.blue.com and open the Exchange Management Shell. Execute the following two commands to create and configure free/busy sharing with green.com.
Add-AvailabilityAddressSpace -ForestName green.com -AccessMethod PerUserFB -UseServiceAccount $true
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "green\Exchange Servers"
2. Log in to greenexch.green.com and open the Exchange Management Shell. Execute the following two commands to create and configure free/busy sharing with blue.com.
Add-AvailabilityAddressSpace -ForestName blue.com -AccessMethod PerUserFB -UseServiceAccount $true
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "blue\Exchange Servers"
Once all of the above configuration is completed, the blue forest is ready to accept emails for green.com and deliver them to the green domain. This is normally done when the acquiring company decides that it should be the source of authority for sending and receiving Internet email on behalf of the acquired company.
1. Log in to blueexch.blue.com and open the Exchange Management Shell.
2. Execute the following command to allow the blue domain Exchange server to accept emails for green.com and relay them to the green.com domain over the internal relay connector.
New-AcceptedDomain -Name "Green" -DomainName Green.com -DomainType InternalRelay
3. Once the accepted domain is configured, we can switch the MX record for the green.com domain to point to the same server (IP address) where blue.com emails are delivered. A mail exchanger record (MX record) is a type of resource record in the Internet DNS that points to the mail server that accepts email from the Internet. To edit the MX record, you need to log in to the account where your green.com domain is registered.
As an example, here’s how to edit an MX record hosted at GoDaddy.com.
1. Log in to your account at www.godaddy.com.
2. Open the Domains tab and select My Domain Names. You’ll be directed to the Manage Domains page; click the domain green.com.
3. In the MX (Mail Exchanger) section, select the MX record you want to edit, and then click Edit Record.
4. Edit any of the following fields:
5. Click Save, and then click Save Changes. Below is the reference example screenshot.
MRS Proxy needs to be enabled on the source forest to perform a cross-forest migration. By default, this service is disabled, so we need to enable it. The simplest way is to execute the following command in the Exchange Management Shell on the CAS server.
Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true
If you are using Exchange 2010 RTM or SP1, you can enable MRS Proxy by editing the web.config file at the path “C:\Program Files\Exchange Server\V14\Client Access\exchweb\ews”.
Change the parameter IsEnabled="false" to IsEnabled="true", save the file and restart the Exchange MRS service. The “IsEnabled” parameter is located in the section that starts with “<!-- Mailbox Replication Proxy Server configuration -->”.
Below is the updated part of the web.config file.
MRS can be throttled to maintain the health of the database. MRS throttling is controlled by the configuration file MSExchangeMailboxReplication.exe.config. By default, this configuration file is located on all Client Access servers in the folder where Exchange is installed: Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe.config.
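As an added example (not code from the article), the following script performs the web.config edit described above for Exchange 2010 RTM/SP1: it changes IsEnabled="false" to "true" only for the first IsEnabled attribute after the "Mailbox Replication Proxy Server configuration" comment, keeps a timestamped backup, and restarts the MRS service. The web.config path is the one given in the article and is assumed to be correct for this lab; run it from an elevated Exchange Management Shell on the CAS server.

```powershell
# Added example: enable MRS Proxy in the Exchange 2010 RTM/SP1 web.config
$WebConfig = 'C:\Program Files\Exchange Server\V14\Client Access\exchweb\ews\web.config'  # path from the article
$Marker    = 'Mailbox Replication Proxy Server configuration'

function Enable-MrsProxyInWebConfig {
    param([string]$Path, [string]$SectionMarker)
    if (-not (Test-Path $Path)) { throw "web.config not found: $Path" }
    $lines     = @(Get-Content -Path $Path)
    $inSection = $false
    $changed   = $false
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if (-not $inSection) {
            # the XML comment that opens the MRS Proxy section
            if ($lines[$i] -match "<!--\s*$SectionMarker\s*-->") { $inSection = $true }
            continue
        }
        # the first IsEnabled attribute after the marker belongs to MRS Proxy; stop there
        if ($lines[$i] -match 'IsEnabled="(true|false)"') {
            if ($Matches[1] -eq 'false') {
                $lines[$i] = $lines[$i] -replace 'IsEnabled="false"', 'IsEnabled="true"'
                $changed = $true
            } else {
                Write-Host 'MRS Proxy is already enabled; nothing to change'
            }
            break
        }
    }
    if (-not $inSection) { throw "Marker '$SectionMarker' not found in $Path" }
    if ($changed) {
        # keep a timestamped copy so the change can be rolled back
        Copy-Item -Path $Path -Destination ("{0}.{1}.bak" -f $Path, (Get-Date -Format 'yyyyMMddHHmmss'))
        Set-Content -Path $Path -Value $lines -Encoding UTF8
    }
    return $changed
}

if (Enable-MrsProxyInWebConfig -Path $WebConfig -SectionMarker $Marker) {
    # the article's final step: restart the Mailbox Replication service to load the change
    Restart-Service -Name MSExchangeMailboxReplication
}
```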
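As an added check (not part of the article), the following script verifies the send-connector, availability, accepted-domain and MRS Proxy settings from the steps above on one side of the trust. Run it in the Exchange Management Shell on blueexch.blue.com with the values shown and swap $Local and $Remote to check the green side; note that, as the article describes, the InternalRelay accepted domain is only expected on the forest that owns the MX record and MRS Proxy only on the source forest, so those two checks may legitimately fail on the other side.

```powershell
# Added example: verify the cross-forest coexistence settings on the local server
$Local  = @{ Forest = 'blue.com';  Server = 'blueexch.blue.com' }
$Remote = @{ Forest = 'green.com'; Server = 'greenexch.green.com' }
$ConnectorName = 'Cross-Forest'

function Test-Setting {
    param([string]$Name, [bool]$Ok, [string]$Detail)
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}: {2}" -f $status, $Name, $Detail)
    return $Ok
}

$results = @()

# 1. Send connector: targets the remote smart host, authenticates with Basic over TLS,
#    and has DNS routing off so internal mail cannot fall back to an Internet route.
$sc = Get-SendConnector -Identity $ConnectorName -ErrorAction SilentlyContinue
$results += Test-Setting 'Send connector exists' ($sc -ne $null) $ConnectorName
if ($sc) {
    $results += Test-Setting 'Address space' ([bool]($sc.AddressSpaces -match $Remote.Forest)) ($sc.AddressSpaces -join ',')
    $results += Test-Setting 'Smart host' ("$($sc.SmartHosts)" -match $Remote.Server) "$($sc.SmartHosts)"
    $results += Test-Setting 'Auth mechanism' ("$($sc.SmartHostAuthMechanism)" -eq 'BasicAuthRequireTLS') "$($sc.SmartHostAuthMechanism)"
    $results += Test-Setting 'DNS routing disabled' (-not $sc.DNSRoutingEnabled) "DNSRoutingEnabled=$($sc.DNSRoutingEnabled)"
}

# 2. Availability address space for the remote forest uses the per-user service-account method
$aas = Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -eq $Remote.Forest } | Select-Object -First 1
$results += Test-Setting 'Availability address space' ($aas -ne $null -and "$($aas.AccessMethod)" -eq 'PerUserFB') "$($aas.AccessMethod)"

# 3. Accepted domain for the remote forest is InternalRelay (expected only where the MX points)
$ad = Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $Remote.Forest } | Select-Object -First 1
$results += Test-Setting 'Accepted domain InternalRelay' ($ad -ne $null -and "$($ad.DomainType)" -eq 'InternalRelay') "$($ad.DomainType)"

# 4. MRS Proxy on EWS (source forest only; it widens the EWS exposure, so turn it off after migration)
$ews = Get-WebServicesVirtualDirectory -Server $Local.Server | Select-Object -First 1
$results += Test-Setting 'MRS Proxy enabled' ([bool]$ews.MRSProxyEnabled) "MRSProxyEnabled=$($ews.MRSProxyEnabled)"

$failed = @($results | Where-Object { -not $_ }).Count
Write-Host "$failed check(s) failed"
```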
That’s it! We’ve now prepared Microsoft Exchange servers in both the forests to work in co-existence mode. In the next part of the article series, we’ll install and configure the ADMT tool, install and configure Password Export Server (PES), and finally perform necessary tweaks in an environment to perform the migration.