
In the first two installments of this series on Microsoft Exchange 2010 cross-forest migration, we prepared both Exchange organizations to work in coexistence mode. In this article, we continue the migration by installing the Active Directory Migration Tool (ADMT) and the Password Export Server (PES), and by preparing the configuration needed to perform the cross-forest migration of users.
Here’s a quick preview of the steps we’ll complete in this installment; I’ll go into each of them in much greater detail as we progress through the operation:
The ADMT service account plays a major role during the migration. It needs permissions in both the source and the target forest, because ADMT runs under it to migrate users, groups, and computers from the source to the target.
SQL Server is a prerequisite for ADMT and must be installed before ADMT itself. Microsoft has specific SQL Server recommendations for running ADMT 3.2 in command-line mode.
If you need to install ADMT 3.2 on a domain controller in order to run command-line or scripted user migrations with SID history, install SQL Server 2008 SP1 (not the Express edition) on a Windows Server 2008 R2 member server in the target domain and select that remote instance when installing ADMT 3.2 on the DC. Alternatively, install SQL Server 2005 Express SP3 on the DC itself.
Installing SQL Server 2005 Express Edition. (Image Credit: Krishna Kumar)
The Active Directory Migration Tool Installation Wizard. (Image Credit: Krishna Kumar)
The PES server migrates passwords from the source domain to the target domain; it integrates with ADMT to perform this operation. The ADMT encryption key has to be generated in the target domain (blue.com) and then imported on the PES server in the source forest (green.com).
To generate the ADMT encryption key, log in to the ADMT server (bluedc.blue.com), open a command prompt with “Run as administrator”, and execute the command below. Because /keypassword is given as *, ADMT prompts for the key password and asks you to confirm it, so the password never appears on the command line or in the console history. The key file is written as “C:\Pes.pes” (ADMT appends the .pes extension to the name given in /keyfile).
admt key /option:create /sourcedomain:green /keyfile:PES /keypassword:*
Apart from installing the PES server, a registry value must be set on the source domain controller that runs PES before passwords can be copied from the source account to the target account: the DWORD AllowPasswordExport under HKLM\SYSTEM\CurrentControlSet\Control\Lsa has to be set to 1. It is 0 by default, which blocks password export even with PES installed; set it to 1 only for the migration window and put it back to 0 when the migration is finished.
The Windows Registry Editor. (Image Credit: Krishna Kumar)
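As an added example (not code from the article), the following PowerShell ties the key generation and the registry preparation above into two checkable steps, one per host. The lab names bluedc.blue.com and green.com are the article’s; the source DC name greendc.green.com, the key path C:\PES, and the PES service display name pattern are assumptions.

```powershell
# Added example, not from the article. Run New-AdmtKey on the ADMT server in the
# target domain (bluedc.blue.com) and Enable-PasswordExport on the source DC that
# runs PES (assumed here to be greendc.green.com).

function New-AdmtKey {
    param(
        [string]$SourceDomain = 'green',     # NetBIOS name of the source domain, as in the article
        [string]$KeyBase     = 'C:\PES'      # assumed path; ADMT appends ".pes" to it
    )
    # /keypassword:* makes ADMT prompt for (and confirm) the key password instead of
    # taking it from the command line.
    & admt key /option:create "/sourcedomain:$SourceDomain" "/keyfile:$KeyBase" /keypassword:*
    if ($LASTEXITCODE -ne 0) { throw "admt key failed with exit code $LASTEXITCODE" }

    $keyFile = "$KeyBase.pes"
    if (-not (Test-Path $keyFile)) { throw "ADMT did not create $keyFile" }
    # The key is password protected, but still treat the file as a secret: copy it over
    # an authenticated admin share and delete the copies once PES has imported it.
    Copy-Item $keyFile '\\greendc.green.com\C$\PES.pes'   # assumed source DC name
    return $keyFile
}

function Enable-PasswordExport {
    param([ValidateSet(0, 1)][int]$Value = 1)
    # PES leaves AllowPasswordExport at 0 (export blocked). 1 enables export; set it
    # back to 0 with -Value 0 as soon as the password migration is done.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name AllowPasswordExport -Value $Value -Type DWord

    $current = (Get-ItemProperty -Path $lsa -Name AllowPasswordExport).AllowPasswordExport
    if ($current -ne $Value) { throw "AllowPasswordExport is $current, expected $Value" }

    # Restart PES so it picks up the new setting. The display-name pattern is an
    # assumption; adjust it to what Get-Service shows on your PES server.
    $pes = Get-Service -DisplayName 'Password Export*' -ErrorAction SilentlyContinue
    if ($pes) { Restart-Service -InputObject $pes }
    else { Write-Warning 'PES service not found; install PES (with the key file) before migrating passwords.' }
    return $current
}

# On bluedc.blue.com:
# New-AdmtKey
# On greendc.green.com (source DC running PES), for the migration window only:
# Enable-PasswordExport -Value 1
# After the migration:
# Enable-PasswordExport -Value 0
```

The value check after Set-ItemProperty is what catches the usual failure, a typo in the key path or running the command on the wrong DC; PES silently refuses exports while the value is 0, and the symptom in ADMT is only a password-migration warning per user.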
It is best practice to preserve the user’s access to resources in the source forest after the account has been migrated to the target forest. This is done by copying the SID of the source account into the sIDHistory attribute of the target account, which ADMT does during the migration. SID history preserves access to roaming user profiles, certification authority enrollment, software installation points, and other resources whose ACLs still reference the old SID. SID filtering (quarantine) is enabled by default when the two-way trust between the forests is created, and it strips exactly these foreign SIDs from the user’s token, so it has to be disabled on the trust for the duration of the migration using the following steps. Keep in mind that this removes a security boundary: while filtering is off, an administrator of the trusted domain can place any SID, including privileged SIDs of the trusting domain, into sIDHistory and be granted that access, so re-enable filtering (/quarantine:Yes) as soon as the migration is complete. The /quarantine switch applies to external trusts; on a forest trust, SID history is allowed with /enablesidhistory:Yes instead.
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd
The following is the command executed on bluedc.blue.com. Here green.com is the trusting (resource) domain and blue is the trusted (account) domain, which is the direction in which the migrated users’ green.com SIDs must be accepted. Password1 is the lab password for the green.com administrator; outside a lab, use /passwordo:* so that netdom prompts for it instead of leaving it in the command history.
Netdom trust green.com /domain:blue /quarantine:No /usero:administrator /passwordo:Password1
The Administrator Command Prompt. (Image Credit: Krishna Kumar)
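The following PowerShell is an added example, not part of the article, wrapping the netdom steps above so that the state of the trust is checked before and after the change and filtering is switched back on once the migration is over. It assumes netdom.exe and the ActiveDirectory module are available on bluedc.blue.com, that the administrator account passed in /usero belongs to green.com (the trusting domain, as in the article), that netdom’s status text contains the phrases “SID filtering is enabled” / “SID filtering is not enabled”, and that jdoe is a hypothetical migrated user.

```powershell
# Added example, not from the article. Domain names follow the article's lab:
# green.com is the source (trusting/resource) domain, blue the target (trusted) domain.

function Get-SidFilteringState {
    param([string]$TrustingDomain, [string]$TrustedDomain, [string]$User = 'administrator')
    # With /quarantine and no yes/no value, netdom reports the current setting instead of changing it.
    # The phrases matched below are an assumption about netdom's output text.
    $text = (& netdom trust $TrustingDomain "/domain:$TrustedDomain" /quarantine "/usero:$User" /passwordo:* 2>&1) -join ' '
    if ($text -match 'SID filtering is not enabled') { return 'Disabled' }
    if ($text -match 'SID filtering is enabled')     { return 'Enabled' }
    throw "Unexpected netdom output: $text"
}

function Set-SidFiltering {
    param(
        [string]$TrustingDomain, [string]$TrustedDomain,
        [ValidateSet('Yes', 'No')][string]$Quarantine,
        [string]$User = 'administrator'
    )
    # /passwordo:* makes netdom prompt, keeping the password out of the command line and history.
    & netdom trust $TrustingDomain "/domain:$TrustedDomain" "/quarantine:$Quarantine" "/usero:$User" /passwordo:*
    if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }
    return (Get-SidFilteringState -TrustingDomain $TrustingDomain -TrustedDomain $TrustedDomain -User $User)
}

function Get-SidHistory {
    param([string]$SamAccountName, [string]$Server = 'bluedc.blue.com')
    # After migration the green.com SIDs should be listed here; these are exactly the
    # SIDs that SID filtering would strip from the user's token in green.com.
    Import-Module ActiveDirectory
    $user = Get-ADUser -Server $Server -Identity $SamAccountName -Properties sIDHistory
    return @($user.sIDHistory | ForEach-Object { $_.Value })
}

# Open the migration window: green.com (resource) must accept green SIDs carried by blue accounts.
Set-SidFiltering -TrustingDomain green.com -TrustedDomain blue -Quarantine No      # expect 'Disabled'

# ... run the ADMT user migration (next part of the series) ...
Get-SidHistory -SamAccountName 'jdoe'   # hypothetical user; expect S-1-5-21-<green.com domain>-<RID>

# Close the window: while filtering is off, any SID injected via sIDHistory in blue is honoured by green.com.
Set-SidFiltering -TrustingDomain green.com -TrustedDomain blue -Quarantine Yes     # expect 'Enabled'
```

Get-SidHistory is also the quickest way to audit the window after the fact: any sIDHistory value that does not belong to the green.com domain SID prefix was not put there by the migration and should be investigated before filtering is left off any longer.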
The following step is only needed in the lab environment. Here the Exchange certificates are issued by a local CA that the other forest does not trust, so the cross-forest Client Access (CAS) servers cannot establish a TLS connection to each other and the move-mailbox requests fail. The following image shows the error.
Move mailbox request error. (Image Credit: Krishna Kumar)
Hence, export the root CA certificate and the Exchange certificate from greenexch.green.com (CAS) and import them into the ‘Trusted Root Certification Authorities’ store on the blueexch.blue.com (CAS) server with the following steps. Strictly, only the CA certificate belongs in Trusted Root; placing the server’s own certificate there as well is a lab shortcut that makes that certificate a trust anchor in its own right.
Exporting certificate in the console. (Image Credit: Krishna Kumar)
The Certificate Export Wizard (Image Credit: Krishna Kumar)
Choosing the file format in the Certificate Export Wizard. (Image Credit: Krishna Kumar)
Choosing and confirming password in the Certificate Export Wizard. (Image Credit: Krishna Kumar)
Importing a certificate. (Image Credit: Krishna Kumar)
Importing a certificate with the Certificate Import Wizard. (Image Credit: Krishna Kumar)
Most of the steps for copying the certificate between the green.com and blue.com CAS servers will not be required in a production environment, where the CAS servers hold certificates from a publicly trusted root Certificate Authority that both forests already trust.
With this, both Exchange forests, blue.com and green.com, are prepared and ready for the migration of users. In the next and final part of the series, we will use our custom script to migrate the users from green.com to blue.com.
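As an added example (not code from the article or from Exchange), the following PowerShell performs the check that the wizard screenshots above do not give you: it connects to the other forest’s CAS server, reports whether the presented certificate chains to a trusted root, and imports a CA certificate into the machine’s Trusted Root store while refusing a leaf (server) certificate. greenexch.green.com is the article’s name; the certificate path C:\certs\green-root.cer is an assumption. It uses only .NET classes available on Windows Server 2008 R2, so it runs on the blueexch.blue.com CAS server without newer cmdlets.

```powershell
# Added example, not from the article. Run on blueexch.blue.com.

function Test-RemoteTls {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents during the handshake; the chain is evaluated below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the lab CA publishes no reachable CRL
        $valid = $chain.Build($cert)                    # uses the LocalMachine/CurrentUser Root stores

        return New-Object PSObject -Property @{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            ChainValid = $valid                         # $false before the root is imported, $true after
            Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    finally { $client.Close() }
}

function Import-TrustedRoot {
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)

    # Only a CA certificate belongs in Root. A server certificate imported here would become
    # a trust anchor itself, so refuse anything without the CA basic constraint.
    $isCa = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority }
    if (-not $isCa) { throw "$CerPath is not a CA certificate; fix the server's chain instead of trusting the leaf." }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

# Before: expect ChainValid = False with Status containing UntrustedRoot.
Test-RemoteTls -HostName greenexch.green.com
# Import the green.com root CA certificate exported in the steps above (assumed path).
Import-TrustedRoot -CerPath 'C:\certs\green-root.cer'
# After: expect ChainValid = True and an empty Status.
Test-RemoteTls -HostName greenexch.green.com
```

Repeat the same pair of checks in the other direction from greenexch.green.com against blueexch.blue.com; move-mailbox requests need the TLS connection to succeed from both sides.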