In this part of Cross-Forest Migration Guide we will solve the second challenge but before that let’s take a look again on the current environment:
Second Challenge: Move Mailbox Error:
As explained in Part II, we will use ADMT first to migrate SID History, Password and other AD attributes then we will use Prepare-MoveRequest, the idea of these steps is to get healthy Mail Enabled User (MEU) that will be used later to move the mailbox from the source forest to the target forest, after finishing Part II now we have the healthy MEU and we can check the LDAP properties for the mandatory attributes required for the move to succeed.
The following snapshot shows the LDAP attributes:
Now this is the time to run New-MoveRequest to migrate the mailbox from the source forest to the target forest.
The following snapshot shows the result of running New-MoveRequest:
The error is: Cannot find a recipient that has mailbox GUID
The error is clearly saying that there is no MEU with the mandatory attribute msexchmailboxguid, however when we check the MEU LDAP property:
The mailbox GUID is there (of course it’s there because Prepare-MoveRequest migrated this attribute, check Part II), so what’s the problem?!
We have MEU with the required msexchmailboxguid and each time we try to migrate the mailbox we will get the same error: Cannot find a recipient that has the mailbox GUID.
The problem here that when the remote forest implies a child name relationship, Exchange 2010 will think that this is a child domain and then the strange error will be returned. In our case the source forest name is egypt.tailspin.com and the target forest name is tailspin.com so Exchange will think that the target is child domain from the source forest and it will fail.
So what’s the solution?
We have two painful options:
1. Export all mailboxes as PST files from the source forest and then import it in the target forest: this option is based on big bang approach where there is no co-existence. This option might be considered in small companies where we can disconnect the source forest, export the PSTs and import it to the target forest in reasonable downtime.
2. Co-Existence: when co-existence is required in enterprise companies with thousands of users the only option will be creating Intermediate Forest.
As you might guess this will be our option as co-existence is required, in this option we will do the migration on two steps.
First we will need to create a new Active Directory Forest with a different name in our scenario we will use nwtraders.com. This forest will contain Exchange 2010 server we can use single server with HUB/CAS/MBX installed on the same server, as this forest will be intermediate and will not serve any users you may decide that high availability is not required.
Now the migration will be done on two steps as following:
1. Move the mailbox of the user (batch of users) from the source forest egypt.tailspin.com to the intermediate forest nwtraders.com.
2. Move the mailbox of the user (batch of users) from the intermediate forest nwtraders.com to the target forest tailspin.com.
After implementing the intermediate forest it’s very important to complete the following tasks before starting the migration:
1. Apply SSL certificate on the intermediate forest that can is trusted and can be validated from the target forest. If Exchange 2010 server in the target forest can’t validate the certificate moving mailbox will fail.
2. Enable the MRS Proxy service: this service responsible of moving the mailboxes from/to Exchange 2010, as the intermediate Exchange server will be 2010 then moving mailboxes will not work without enabling the MRS Proxy service.
The following section contains the detailed steps required to prepare the intermediate forest:
This certificate must be trusted and validated from the CAS servers in the target forest. The certificate could be generated from internal Certification Authority trusted by the CAS servers in Corp forest.
The steps to request to install the certificate as follow (on Intermediate Forest Exchange Server):
a. Request certificate:
I. Open Exchange Management Shell:
II. $data = New-ExchangeCertificate -GenerateRequest –domainname mail.nwtraders.com,autodiscover.nwtraders.com,servername.nwtraders.com -FriendlyName Int-CAS
II. Set-Content -path "C:\CertRequest.req" -Value $Data
b. Import the Certificate:
I. Import-ExchangeCertificate -PrivateKeyExportable:$true -FileData ([Byte]$(Get-Content -Path C:\cert.cer -Encoding Byte -ReadCount 0)) | Enable-ExchangeCertificate -Services IIS
This step should be completed before moving the mailboxes from the Intermediate forest to the target forest.
a. On the Client Access server in the Intermediate Forest (nwtraders.com), open the following file with a text editor such as Notepad:
b. Locate the following section in the Web.config file:
<!-- Mailbox Replication Proxy Service configuration -->
c. Change the value of IsEnabled to "true".
d. Save and close the Web.config file.
In this part we addressed the second challenge and now we are ready to start the migration, in the next part we will start by configuring co-existence between the three forests.