Microsoft Exchange 2010 Cross-Forest Migration
Microsoft Exchange to Microsoft Exchange cross-forest migration is a process of migrating Exchange user mailboxes from one Active Directory (AD) forest to another. In this four-part article series, I’ll walk through how to perform a Microsoft Exchange 2010 cross-forest migration between two Exchange 2010 installations.
Why do I need a Microsoft Exchange cross-forest migration?
A Microsoft Exchange cross-forest migration typically happens for several different reasons, including:
- Company mergers and acquisitions
- Company consolidation
- IT environment segmentation for security reasons
- Fresh Microsoft Exchange deployments that leave legacy systems behind
- Corporate name change
- Needed isolation of messaging environment
A cross-forest migration is a tedious and complex task. People often get confused and tend to miss a few steps during a cross-forest migration, which leads to additional work and can harm the environment. Many companies use third-party tools to migrate users in a large-scale environment, and those tools come with a huge price tag.
Microsoft provides some free tools, such as the Active Directory Migration Tool (ADMT) and a set of scripts, to perform a cross-forest migration. Although these free tools help administrators migrate users from one forest to another, the process is still complex. Not only does the administrator have to perform multiple complex, manual tasks, but migrating users from one forest to another is extremely time consuming. A manual implementation almost always leads to errors, and those errors can have a major impact on production users after migration.
In this first part of the article series, we’ll migrate mailboxes and groups from one forest to another.
The following is our lab environment with two forests, green.com and blue.com. Each forest has one multi-role Exchange 2010 server and one Windows Server 2008 domain controller. In this article series, we will prepare and configure the environment and then migrate users from the source forest green.com to the target forest blue.com.
Setting up an Exchange Cross-Forest Migration Lab Environment
Setting up an Exchange cross-forest migration lab environment. (Image: Krishna Kumar)
Before we start to migrate, we need to prepare the Exchange environment. The following configuration steps need to be performed in the environment defined above:
- Configure DNS resolution and a trust between the two AD forests.
- Configure GAL sync between the blue.com and green.com AD forests.
- Create and configure Send connectors between blue.com and green.com.
- Create and configure the Availability service between blue.com and green.com.
- Configure green.com as an accepted domain in blue.com.
- Install and configure the ADMT server in the target domain blue.com.
- Install and configure the Password Export Server (PES) in the source domain green.com.
Configure DNS forwarders and trust between Active Directory forests
1. Log in to the server bluedc.blue.com and open DNS Manager.
2. Right-click “Conditional Forwarders” and select “New Conditional Forwarder.”
Setting up a new conditional forwarder. (Image: Krishna Kumar)
3. Enter green.com in the DNS domain field and add the IP address, 126.96.36.199, of the green.com DNS server, which is also the green.com domain controller. Click “OK”.
Setting up a new conditional forwarder IP address. (Image: Krishna Kumar)
4. Similarly, add a conditional forwarder for the blue.com domain on the green.com DNS server.
5. Log in to greendc.green.com and open DNS Manager from Administrative Tools.
6. Right-click “Conditional Forwarders” and select “New Conditional Forwarder.”
Creating another new conditional forwarder. (Image: Krishna Kumar)
7. Enter blue.com in the DNS domain field and add the IP address of the blue.com DNS server. Click “OK”.
Setting the ‘Blue’ conditional forwarder IP address. (Image: Krishna Kumar)
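The same two conditional forwarders, created from the command line and then checked, as an added example that is not part of the original article. It uses dnscmd, which ships with the DNS Server role on the Windows Server 2008 domain controllers in this lab; the green.com address is the lab value quoted above, while `<BLUE_DC_IP>` is a placeholder because the article does not list the blue.com address.

```powershell
# Added example, not code from the original article: creates the conditional
# forwarders from steps 1-7 with dnscmd and then checks that the other
# forest's domain-controller SRV record resolves through the forwarder.
# $GreenDcIp is the lab address quoted in the article; '<BLUE_DC_IP>' is a
# placeholder, since the article does not list the blue.com address.

$GreenDcIp = '126.96.36.199'   # greendc.green.com, also the green.com DNS server
$BlueDcIp  = '<BLUE_DC_IP>'    # placeholder: address of bluedc.blue.com

# Run on bluedc.blue.com: forward every green.com query to the green DC (step 3).
dnscmd bluedc.blue.com /ZoneAdd green.com /Forwarder $GreenDcIp

# Run on greendc.green.com: forward every blue.com query to the blue DC (step 7).
dnscmd greendc.green.com /ZoneAdd blue.com /Forwarder $BlueDcIp

# On Windows Server 2012 and later the DnsServer module offers the same operation:
#   Add-DnsServerConditionalForwarderZone -Name green.com -MasterServers $GreenDcIp

function Test-ForestDnsResolution {
    # Returns $true when the DC locator SRV record of $Forest resolves.
    # Trust creation and ADMT both locate domain controllers through this record,
    # so a failure here explains most "domain cannot be contacted" errors later.
    param([string]$Forest)
    $srv = "_ldap._tcp.dc._msdcs.$Forest"
    $out = nslookup -type=SRV $srv 2>&1 | Out-String
    return ($out -match 'svr hostname')
}

# Run on bluedc.blue.com after adding the forwarder there.
Test-ForestDnsResolution -Forest 'green.com'

# Run on greendc.green.com after adding the forwarder there.
Test-ForestDnsResolution -Forest 'blue.com'
```

Forwarders created this way are stored on the individual DNS server, the same as the wizard's default; if each forest has more than one DNS server, add the forwarder on each of them, or use the wizard's option to store it in Active Directory, so that resolution does not depend on a single server being up.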
Create and configure a two-way trust between AD forests
1. Log in to the blue.com domain controller, bluedc.blue.com, and open “Active Directory Domains and Trusts” from Administrative Tools.
2. Right-click the domain and click “Properties.”
Setting properties for the ‘blue’ domain. (Image: Krishna Kumar)
3. Select the “Trusts” tab and click the “New Trust” button to create a two-way trust between the two forests.
Creating a new two-way trust between forests. (Image: Krishna Kumar)
4. Click “Next” on the welcome screen and enter green.com as the domain name.
Creating the ‘green’ domain name. (Image: Krishna Kumar)
5. Select the Trust Type as “External Trust” and click “Next.”
Selecting the trust type in the New Trust Wizard. (Image: Krishna Kumar)
6. Select the Direction of Trust as “Two Way” and click “Next.”
Selecting a two-way trust type in the New Trust Wizard. (Image: Krishna Kumar)
7. Specify the Sides of Trust by selecting “Both this domain and the specified domain” and click “Next.”
Specifying sides of trust in the New Trust Wizard. (Image: Krishna Kumar)
8. Specify the green.com administrator credentials to create a trust relationship and click “Next.”
Specifying the ‘green’ admin credentials. (Image: Krishna Kumar)
9. Select “Domain-Wide authentication” and click “Next.”
Setting the outgoing trust authentication level. (Image: Krishna Kumar)
10. Select “Domain-wide authentication” again on the second authentication-level page and click “Next.”
Selecting domain wide authentication for the domain. (Image: Krishna Kumar)
11. Click “Next” on the “Trust Selections Complete” page, then click “Next” on the “Trust Creation Complete” page.
12. Select the “Yes” radio button under “Confirm Outgoing Trust” and click “Next.”
Confirming outgoing trust in the new trust wizard. (Image: Krishna Kumar)
13. Select “Yes” under “Confirm Incoming Trust” and click “Next.”
14. Click “Finish.”
Completing the new trust wizard. (Image: Krishna Kumar)
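The same two-way external trust created and verified from the command line, as an added example that is not part of the original article. It uses netdom, which is present on a Windows Server 2008 domain controller; `<GREEN_ADMIN>` and `<BLUE_ADMIN>` are placeholders for the administrator accounts the wizard asks for in step 8, and the `*` makes netdom prompt for the password rather than putting it on the command line.

```powershell
# Added example, not code from the original article: the two-way external trust
# from steps 1-14 created with netdom and then verified in both directions.
# '<GREEN_ADMIN>' and '<BLUE_ADMIN>' are placeholders for the administrator
# accounts of each domain; '*' makes netdom prompt for the password.

# Run on bluedc.blue.com as a blue.com administrator. blue.com is the trusting
# domain, green.com the trusted one, and /twoway creates the incoming
# direction as well, which matches steps 5-7 of the wizard.
netdom trust blue.com /d:green.com /add /twoway /ud:green.com\<GREEN_ADMIN> /pd:*

# Step 12: confirm the outgoing trust from the blue.com side.
netdom trust blue.com /d:green.com /verify /ud:green.com\<GREEN_ADMIN> /pd:*

# Step 13: run on greendc.green.com as a green.com administrator to confirm
# the other direction.
netdom trust green.com /d:blue.com /verify /ud:blue.com\<BLUE_ADMIN> /pd:*

# Inventory of what this domain now trusts; the new entry should appear as an
# external (non-transitive) trust in both directions.
nltest /domain_trusts
```

Two settings that the wizard decides for you are worth checking in the output. The “Domain-wide authentication” choice in steps 9 and 10 means every user from the trusted domain is treated as a member of Authenticated Users on the trusting side; `netdom trust ... /SelectiveAUTH:yes` switches the trust to selective authentication, which grants access only to servers where the users have been given the “Allowed to Authenticate” permission, and is the least-privilege option if the trust must outlive the migration. SID filtering (`/quarantine:yes`) is enabled by default on an external trust and discards foreign SIDs in a user’s token; ADMT’s sIDHistory feature in the later parts of this series depends on how this setting is configured, so record its state before changing it.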
DNS resolution and the forest trust play a major role in a cross-forest migration. In this first part of the series, we have configured DNS forwarders and a two-way trust between green.com and blue.com.
In the next part of the article series, we will configure a GAL sync script. We’ll also set up Send connectors to send emails directly to each other. Continue following the Petri IT Knowledgebase to learn more about how to prepare your ADMT server to migrate users.