How to: A quick checklist to help you speed up an AD/Exchange migration using the Quest migration tool
One of my friends reached out to me today asking for help on a migration project. They are using Quest to help a customer with an AD/Exchange migration and are stuck on the huge effort of system preparation. I think Quest should already provide tooling to get the permissions ready quickly, but from a project-execution standpoint a proven checklist may make you more comfortable, especially when the customer would like to know exactly what changes you make to their environment.
This is the quick checklist I personally consolidated from past projects; just try it.
**Only proven on a migration from Exchange Server 2003 to 2010**
**Domain Preparation**

Source Domain Controller (xxx.com):

- Domain Controller Host Name
- AD Site
- Domain Controller IP Address
- IP Setting: DNS Servers
- IP Setting: WINS Server
- Domain Controller Operating System
- Domain Controller Roles
- Domain Functional Level
- Forest Functional Level
- DNS Setting: list all available domain zones
- DNS Setting: Conditional Forwarders
- DNS Setting: Conditional Forwarders Target
- Zone Transfer (only transfer to the specified IP address)
- Create Secondary Zone
- Secondary Zone Resolves Successfully
- DNS FQDN Name Ping Test (on Source SPOC DCs - xxx)
- FQDN Name Ping Result
- NetBIOS Name Resolution
- NetBIOS Name Ping Result
- Windows Server Support Tools Installed
- Firewall turned off for all client PCs:
  1. Turn off "Security Center" through group policy
  2. Disable the Windows Firewall service through group policy
- Enable GC replication and indexing for the service attributes:
  - adminDisplayName
  - extensionAttribute15

Target Domain Controller (xxx.com):

- Domain Controller Host Name
- AD Site
- Domain Controller IP Address
- IP Setting: DNS Servers
- IP Setting: WINS Server
- Domain Controller Operating System
- Domain Controller Roles
- Domain Functional Level
- Forest Functional Level
- DNS Setting: list all available domain zones
- DNS Setting: Conditional Forwarders
- DNS Setting: Conditional Forwarders Target
- DNS FQDN Name Ping Test (on Target SPOC DCs - xxx)
- FQDN Name Ping Result
- NetBIOS Name Resolution
- NetBIOS Name Ping Result
- Windows Server Support Tools Installed
- Firewall turned off for all client PCs:
  1. Turn off "Security Center" through group policy
  2. Disable the Windows Firewall service through group policy
- Enable GC replication and indexing for the service attributes:
  - adminDisplayName
  - extensionAttribute15
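
To fill in the DC rows above for both the source and the target domain without hand-copying from several consoles, here is an added example (my own script, not part of the original post or of the Quest tooling) that records the listed facts for the DC it runs on and verifies the last item, that adminDisplayName and extensionAttribute15 are replicated to the Global Catalog and indexed. It assumes Windows Server 2012 or later with the ActiveDirectory, DnsServer and DnsClient modules, run elevated on the DC being recorded; the peer DC names are placeholders.

```powershell
# Added example, not part of the original post: record the "Domain Preparation"
# facts for the domain controller this runs on, and verify that the two service
# attributes are replicated to the Global Catalog and indexed.
# Assumptions: Windows Server 2012 or later with the ActiveDirectory, DnsServer and
# DnsClient modules, run elevated on the DC being recorded. The peer DC names are
# placeholders; the attribute list is the one from the checklist.
param(
    [string]$PeerDcFqdn    = 'dc01.xxx.com',   # a DC of the other domain, for the FQDN ping test
    [string]$PeerDcNetbios = 'DC01',           # its short name, for the NetBIOS ping test
    [string[]]$ServiceAttributes = @('adminDisplayName', 'extensionAttribute15')
)
Import-Module ActiveDirectory, DnsServer, DnsClient -ErrorAction Stop

$domain = Get-ADDomain
$forest = Get-ADForest
$dc     = Get-ADDomainController -Identity $env:COMPUTERNAME
$nic    = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | Select-Object -First 1

# FSMO roles held by this DC, plus the GC flag.
$roles = @($dc.OperationMasterRoles)
if ($dc.IsGlobalCatalog) { $roles += 'GlobalCatalog' }

# Conditional forwarders are DNS zones of type 'Forwarder'; their targets are in MasterServers.
$zones      = Get-DnsServerZone
$forwarders = @($zones | Where-Object { $_.ZoneType -eq 'Forwarder' })
$primaries  = @($zones | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated })

$inventory = [pscustomobject][ordered]@{
    'Domain Controller Host Name'        = $dc.HostName
    'AD Site'                            = $dc.Site
    'Domain Controller IP Address'       = $dc.IPv4Address
    'IP Setting: DNS Servers'            = ($nic.DNSServerSearchOrder -join ', ')
    'IP Setting: WINS Server'            = (@($nic.WINSPrimaryServer, $nic.WINSSecondaryServer) | Where-Object { $_ }) -join ', '
    'Domain Controller Operating System' = $dc.OperatingSystem
    'Domain Controller Roles'            = ($roles -join ', ')
    'Domain Functional Level'            = $domain.DomainMode
    'Forest Functional Level'            = $forest.ForestMode
    'DNS Setting: Domain Zones'          = ($primaries | ForEach-Object { $_.ZoneName }) -join ', '
    'DNS Setting: Conditional Forwarders'        = ($forwarders | ForEach-Object { $_.ZoneName }) -join ', '
    'DNS Setting: Conditional Forwarders Target' = ($forwarders | ForEach-Object { "$($_.ZoneName) -> $($_.MasterServers -join '/')" }) -join '; '
    # Zone transfer: anything other than NoTransfer or TransferToSecureServers with an explicit list is worth a note.
    'Zone Transfer'                      = ($primaries | ForEach-Object { "$($_.ZoneName): $($_.SecureSecondaries) $($_.SecondaryServers -join '/')" }) -join '; '
    'FQDN Name Ping Result'              = (Test-Connection -ComputerName $PeerDcFqdn -Count 1 -Quiet)
    'NetBIOS Name Ping Result'           = (Test-Connection -ComputerName $PeerDcNetbios -Count 1 -Quiet)
}

# GC replication is the isMemberOfPartialAttributeSet flag on the schema object;
# bit 0x1 of searchFlags means the attribute is indexed.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attributeStatus = foreach ($attr in $ServiceAttributes) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" `
                              -Properties isMemberOfPartialAttributeSet, searchFlags
    [pscustomobject]@{
        Attribute      = $attr
        ReplicatedToGC = [bool]$schemaObj.isMemberOfPartialAttributeSet
        Indexed        = [bool]($schemaObj.searchFlags -band 1)
    }
}

$inventory | Format-List
$attributeStatus | Format-Table -AutoSize
```

Run it once on a source DC and once on a target DC and paste the two outputs into the checklist. The schema check is the part worth keeping after the project: a schema change is forest-wide and permanent, so having the before/after state recorded is what the customer will ask for.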
|
**Trust**

- Two-way trust done
- Disable SID filtering:

  ```cmd
  Netdom trust johndemo.local /domain:rogertech.local /quarantine:No /usero:administrator /passwordo:Passw0rd
  ```
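
Disabling SID filtering is the one change in this section that lowers the trust's security posture (it makes the target domain honour SID history arriving from the source), so it is worth recording the trust state before and after the netdom command. This added example (my own, not from the original post) reads the same settings through the ActiveDirectory module; the partner domain name is the placeholder from the netdom line above. Running netdom with `/quarantine` and no value also just displays the current setting.

```powershell
# Added example, not part of the original post: record the state of the trust with the
# partner domain before and after running the netdom command above. Assumes the
# ActiveDirectory module; the domain name is the placeholder used in the post's command.
param(
    [string]$PartnerDomain = 'rogertech.local'
)
Import-Module ActiveDirectory -ErrorAction Stop

$trust = Get-ADTrust -Filter "Name -eq '$PartnerDomain'"
if (-not $trust) { throw "No trust with $PartnerDomain exists in $((Get-ADDomain).DNSRoot)" }

# SIDFilteringQuarantined is the property behind netdom's /quarantine switch. The migration
# needs it False so that SID history from the source domain is honoured across the trust;
# keep this record so the setting can be put back to True once the migration is finished.
New-Object PSObject -Property @{
    Partner                 = $trust.Name
    Direction               = $trust.Direction          # 'BiDirectional' is the two-way trust item
    TrustType               = $trust.TrustType
    ForestTransitive        = $trust.ForestTransitive
    SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
    SIDFilteringForestAware = $trust.SIDFilteringForestAware
    TwoWayTrustDone         = ($trust.Direction -eq 'BiDirectional')
} | Select-Object Partner, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware, TwoWayTrustDone
```

Run it from a DC in each domain, since each side holds its own trusted-domain object and the direction is reported relative to the local domain.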
|
**Account Preparation**

Single Administrative Account

Source Domain Account Preparation:

- Member of the built-in Administrators group on the source DC
- Full Control on the Domain partition via ADSIEdit
- Read on the Configuration partition via ADSIEdit
- Administrators group on all Exchange servers and other involved application servers
- Full Control permission on the OUs where the source synchronized objects are located
- Full Control permission on the source Exchange 2003 servers; set this registry value:
  - Key: `HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin`
  - Value name: `ShowSecurityPage`
  - Data type: `REG_DWORD`
  - Value data: `1`
- Full Control permission on the Microsoft Exchange System Objects OU
- Modify public folder replica list, Modify public folder deleted item retention, and Modify public folder quotas permissions on the ESM administrative groups
- Group Policy to add <your single administrative account> to the local Administrators group on all clients:
  1. Create a Domain Local security group named QMMAdminGroup in the target domain
  2. Add <your single administrative account> to QMMAdminGroup
  3. Modify the Default Domain Policy (or create a new one) to add QMMAdminGroup to the Administrators group on all clients

Target Domain Account Preparation:

- Member of the built-in Administrators group on the target DC
- Full Control on the Domain partition via ADSIEdit
- Read on the Configuration partition via ADSIEdit
- Full Control on the Exchange organization via ADSIEdit: `CN=<ExchangeOrganizationName>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<...>,DC=<...>`
- Full Control permission on the OUs where the target synchronized objects are located
- Full Control permission on the Microsoft Exchange System Objects OU
- Full Control permission on each mailbox database and associated public folder database:

  ```powershell
  Get-Mailbox | Add-MailboxPermission -User <your single administrative account> -AccessRights FullAccess
  Get-MailboxDatabase | Add-ADPermission -User <your single administrative account> -AccessRights GenericAll -ExtendedRights Receive-As,Send-As
  Get-PublicFolderDatabase | Add-ADPermission -User <your single administrative account> -AccessRights GenericAll -ExtendedRights Receive-As,Send-As
  ```

- Organization Management group membership for the target Exchange Server 2010
- Public Folder Management group membership for the target Exchange Server 2010
- Recipient Management group membership for the target Exchange Server 2010
- Administrators group on all Exchange servers and other involved application servers
- ApplicationImpersonation role on the target Exchange Server 2010:

  ```powershell
  New-ManagementRoleAssignment -Name QMMAppImpersonation -Role ApplicationImpersonation -User <your single administrative account>
  ```

- ms-Exch-EPI-May-Impersonate extended right:

  ```powershell
  # Client Access servers get ms-Exch-EPI-Impersonation; databases get ms-Exch-EPI-May-Impersonate.
  # "qmmadmin" below is the example name of <your single administrative account>.
  Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User ((Get-User -Identity qmmadmin) | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
  Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <your single administrative account> -ExtendedRights ms-Exch-EPI-May-Impersonate}
  Get-PublicFolderDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <your single administrative account> -ExtendedRights ms-Exch-EPI-May-Impersonate}
  ```

- Group Policy to add <your single administrative account> to the local Administrators group on all clients:
  1. Create a Domain Local security group named QMMAdminGroup in the target domain
  2. Add <your single administrative account> to QMMAdminGroup
  3. Modify the Default Domain Policy (or create a new one) to add QMMAdminGroup to the Administrators group on all clients
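
The target-side commands above all grant rights; nothing in the list tells you which of them is still outstanding on a given environment, which matters when you are re-running preparation on a customer's system and want to make only the changes that are missing. The following added example (my own, not from the original post or Quest) reads the role groups, role assignment and database/CAS extended rights for the single administrative account and reports the gaps without modifying anything. It runs in the Exchange 2010 Management Shell; $Account stands in for <your single administrative account>, using the same "qmmadmin" name the impersonation command above uses.

```powershell
# Added example, not part of the original post: verify, without changing anything,
# that the single administrative account already holds the target-side Exchange rights
# the checklist calls for, and list what is still missing. Run in the Exchange 2010
# Management Shell. $Account stands in for <your single administrative account>;
# 'qmmadmin' is the name the post's own impersonation command uses.
param(
    [string]$Account = 'qmmadmin'
)

$user     = Get-User -Identity $Account -ErrorAction Stop
$findings = @()

# Role group memberships (direct members only; nested groups are not expanded here).
foreach ($group in 'Organization Management', 'Public Folder Management', 'Recipient Management') {
    $memberDns = Get-RoleGroupMember -Identity $group | ForEach-Object { $_.DistinguishedName }
    if ($memberDns -notcontains $user.DistinguishedName) { $findings += "not a member of role group '$group'" }
}

# ApplicationImpersonation role assignment (New-ManagementRoleAssignment in the checklist).
$roleAssignment = Get-ManagementRoleAssignment -RoleAssignee $Account -Role ApplicationImpersonation -ErrorAction SilentlyContinue
if (-not $roleAssignment) { $findings += 'no ApplicationImpersonation role assignment' }

# Helper: names of the non-deny extended rights the account holds on an AD object.
function Get-GrantedExtendedRights([string]$DistinguishedName) {
    Get-ADPermission -Identity $DistinguishedName -User $Account |
        Where-Object { -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { $_.ToString() }
}

# Database-level rights: Receive-As, Send-As and ms-Exch-EPI-May-Impersonate on every
# mailbox database and public folder database.
foreach ($db in @(Get-MailboxDatabase) + @(Get-PublicFolderDatabase)) {
    $granted = Get-GrantedExtendedRights $db.DistinguishedName
    foreach ($needed in 'Receive-As', 'Send-As', 'ms-Exch-EPI-May-Impersonate') {
        if ($granted -notcontains $needed) { $findings += "$($db.Name): missing extended right $needed" }
    }
}

# ms-Exch-EPI-Impersonation on each Client Access server object.
foreach ($cas in Get-ExchangeServer | Where-Object { $_.IsClientAccessServer }) {
    $granted = Get-GrantedExtendedRights $cas.DistinguishedName
    if ($granted -notcontains 'ms-Exch-EPI-Impersonation') { $findings += "$($cas.Name): missing ms-Exch-EPI-Impersonation" }
}

if ($findings.Count -eq 0) { "All checklist rights are present for $Account" } else { $findings }
```

The per-mailbox FullAccess grant is deliberately not checked here because it scales with the mailbox count; spot-check it with `Get-MailboxPermission -Identity <mailbox> -User <account>` on a few mailboxes instead. Keep the output with the project record: it is the list of rights that have to be removed from the account when the migration is over.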
|
|
QMM Console (xxx):

- Grant the "Log on as a service" right to <your single administrative account> via local security policy
- Verify <your single administrative account> belongs to the Administrators group
|
**Exchange Server Preparation**

Source Exchange Server - 2003:

- Exchange Server Name
- Exchange Server IP Address
- IP Setting: DNS Servers
- IP Setting: WINS Server
- Existing Accepted Domains
- Email Redirection Target Domain SMTP namespaces
- Mail route SMTP namespace
- Smart Host Address
- Mailbox Access and Email Flow Verification:
  - Default Source Domain -> Default Target Domain
  - Default Source Domain -> Email Redirection Target SMTP namespace
- Offline Address Book Downloading Availability
- Create a temporary Storage Group for synced mailbox-enabled objects:
  - Exchange Server
  - Storage Group name
  - Enable "circular logging" for this storage group
  - Mailbox Store name
- Full Backup Done
- Create the "Aelita EMW Recycle Bin" Public Folder
- Create Administrator Mailboxes for Public Folder, Free/Busy and Calendar Synchronization
- Specify the displayName value for the source EX2K3 mailbox database via ADSIEdit:
  1. Locate `CN=First Storage Group,CN=InformationStore,CN=EX2K3,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Mail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<…>,DC=<…>`
  2. Copy the adminDisplayName value into the displayName field
- Firewall turned off

Target Exchange Server - 2010:

- Exchange Server Name
- Exchange Server IP Address
- IP Setting: DNS Servers
- IP Setting: WINS Server
- Accepted Domains:
  - Existing Accepted Domains (related)
  - Email Redirection Target Domain SMTP namespaces
- Email Address Policies
- Remote Domains:
  - Add the email redirection Source Domain SMTP namespace
- Send Connector:
  - Mail route SMTP namespace
  - Smart Host Address
- Create the Target Mailbox Database for migration:
  - Database Name
  - Mount Availability
  - Limit configuration matching the policy
  - Public Folder Database Association
  - Offline Address Book Association
- Default Receive Connector permission group -> Anonymous
- Mailbox Access and Email Flow Verification:
  - Default Target Domain -> Default Source Domain
  - Default Target Domain -> Email Redirection Source SMTP namespace
- Offline Address Book Downloading
- Full Backup Done
- Create the "Aelita EMW Recycle Bin" Public Folder
- Create Administrator Mailboxes for Public Folder, Free/Busy and Calendar Synchronization
- Create custom throttling policies:

  ```powershell
  New-ThrottlingPolicy QMMExAccountThrottlingPolicy
  Set-ThrottlingPolicy QMMExAccountThrottlingPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null
  Set-ThrottlingPolicyAssociation -Identity <your single administrative account> -ThrottlingPolicy QMMExAccountThrottlingPolicy
  ```

- Install the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1, and restart the server
- Disable RPC encryption on the target Exchange 2010 servers:

  ```powershell
  Set-RpcClientAccess -Server EX2010.rogertech.local -EncryptionRequired $false
  ```

- Firewall turned off
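
Several of the target-side items above loosen the server for the duration of the migration: the receive connector opened to Anonymous, the throttling limits removed for the administrative account, and RPC encryption switched off. These are exactly the changes the customer will want documented and reverted at cutover. This added example (my own script, not from the original post or Quest) snapshots the settings the checklist touches into a text file and flags the ones currently in their weakened state. It runs in the Exchange 2010 Management Shell; the account, server and policy names are the placeholders used in the commands above.

```powershell
# Added example, not part of the original post: snapshot the target Exchange 2010 settings
# this checklist changes, write them to a file for the customer's change record, and flag
# the items that weaken the server (RPC encryption off, anonymous receive connector,
# unthrottled account) so they are reverted after the migration. Run in the Exchange
# Management Shell. $Account, the server and the policy name are placeholders taken from
# the post's own commands.
param(
    [string]$Account              = 'qmmadmin',
    [string]$TargetServer         = 'EX2010.rogertech.local',
    [string]$ThrottlingPolicyName = 'QMMExAccountThrottlingPolicy',
    [string]$OutFile              = (Join-Path $env:TEMP ('ex2010-prep-{0:yyyyMMdd-HHmm}.txt' -f (Get-Date)))
)

$order    = @()
$snapshot = @{}
function Add-Section([string]$Name, $Data) { $script:order += $Name; $script:snapshot[$Name] = @($Data) }

Add-Section 'Accepted Domains'       (Get-AcceptedDomain | Select-Object Name, DomainName, DomainType, Default)
Add-Section 'Remote Domains'         (Get-RemoteDomain | Select-Object Name, DomainName)
Add-Section 'Email Address Policies' (Get-EmailAddressPolicy | Select-Object Name, Priority, EnabledEmailAddressTemplates)
Add-Section 'Send Connectors'        (Get-SendConnector | Select-Object Name, AddressSpaces, SmartHosts, DNSRoutingEnabled)
Add-Section 'Receive Connectors'     (Get-ReceiveConnector | Select-Object Identity, PermissionGroups)
Add-Section 'Mailbox Databases'      (Get-MailboxDatabase -Status | Select-Object Name, Server, Mounted, PublicFolderDatabase,
                                          OfflineAddressBook, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota)
Add-Section 'RPC Client Access'      (Get-RpcClientAccess -Server $TargetServer | Select-Object Server, EncryptionRequired)
Add-Section 'Throttling Policy'      (Get-ThrottlingPolicy -Identity $ThrottlingPolicyName -ErrorAction SilentlyContinue |
                                          Select-Object Name, RCAMaxConcurrency, RCAPercentTimeInAD, RCAPercentTimeInCAS, RCAPercentTimeInMailboxRPC)
Add-Section 'Throttling Association' (Get-ThrottlingPolicyAssociation -Identity $Account | Select-Object Name, ThrottlingPolicyId)

# Settings the checklist loosens for the migration; each one is a revert item for cutover.
$revert = @()
foreach ($rca in $snapshot['RPC Client Access']) {
    if ($rca.EncryptionRequired -eq $false) { $revert += "RPC encryption is not required on $($rca.Server)" }
}
foreach ($rc in $snapshot['Receive Connectors']) {
    if ("$($rc.PermissionGroups)" -match 'Anonymous') { $revert += "Receive connector '$($rc.Identity)' allows AnonymousUsers" }
}
foreach ($assoc in $snapshot['Throttling Association']) {
    if ($assoc.ThrottlingPolicyId) { $revert += "$Account is associated with throttling policy $($assoc.ThrottlingPolicyId)" }
}

$report = foreach ($name in $order) {
    "== $name =="
    $snapshot[$name] | Format-List | Out-String
}
$report += '== Revert after migration =='
$report += $revert
$report | Set-Content -Path $OutFile
"Snapshot written to $OutFile"
$revert
```

Run it before the preparation steps and again after them, and keep both files; the difference between the two is the change list for the customer, and the "Revert after migration" section is the cutover to-do list (Set-RpcClientAccess with -EncryptionRequired $true, the receive connector's permission groups, and the throttling policy association).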
|
**QMM Console Preparation**

- Firewall turned off
- Install the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1, and restart the server
- Double-check that <your single administrative account> is in the local Administrators group
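
The QMM console items here and the two "QMM Console" items under Account Preparation (the "Log on as a service" right and the Administrators membership) are all local-machine checks, so one added example covers both passages. It is my own script, not part of the original post or of Quest's installer, and it only reports: direct membership of the local Administrators group (compared by SID), the SeServiceLogonRight entry from the local security policy, the firewall state per profile, and whether the MAPI/CDO package is present. $Account is a DOMAIN\user placeholder for <your single administrative account>; the MAPI/CDO display-name pattern and English-language netsh output are assumptions.

```powershell
# Added example, not part of the original post: readiness check for the machine that
# hosts the QMM console (also covers the two "QMM Console" items under Account
# Preparation). Reports direct membership of the local Administrators group, the
# "Log on as a service" right, the firewall profile states, and whether the MAPI/CDO
# package is installed. $Account is a DOMAIN\user placeholder for <your single
# administrative account>; the MAPI/CDO display-name pattern is an assumption.
param(
    [string]$Account = 'JOHNDEMO\qmmadmin'
)

$accountSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value

# 1. Local Administrators membership via ADSI, so it also works on Windows Server 2008 R2.
#    Members are compared by SID; membership through QMMAdminGroup shows up as the group,
#    not the account, so a nested grant is reported as False here.
$group = [ADSI]'WinNT://./Administrators,group'
$memberSids = @($group.Invoke('Members')) | ForEach-Object {
    $sidBytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
}
$isLocalAdmin = $memberSids -contains $accountSid

# 2. "Log on as a service" (SeServiceLogonRight) exported from the local security policy.
#    secedit lists SIDs prefixed with '*'; account names appear without the prefix.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$serviceLogon = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight' }
Remove-Item $inf -ErrorAction SilentlyContinue
$hasServiceLogon = [bool]($serviceLogon -and
    ($serviceLogon -match [regex]::Escape("*$accountSid") -or $serviceLogon -match [regex]::Escape($Account)))

# 3. Firewall state per profile (netsh works on every Windows Server version Exchange 2010 supports;
#    the 'State ON/OFF' lines assume English output).
$firewall = netsh advfirewall show allprofiles state |
    ForEach-Object { if ($_ -match '^State\s+(ON|OFF)') { $matches[1] } }

# 4. MAPI Client and Collaboration Data Objects package, from the uninstall registry keys.
$mapiCdo = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*MAPI Client and Collaboration Data Objects*' } |
    Select-Object -First 1

New-Object PSObject -Property @{
    Account             = $Account
    LocalAdministrator  = $isLocalAdmin
    LogOnAsServiceRight = $hasServiceLogon
    FirewallProfiles    = ($firewall -join ', ')    # Domain, Private, Public in netsh order
    MapiCdoInstalled    = [bool]$mapiCdo
    MapiCdoVersion      = $(if ($mapiCdo) { $mapiCdo.DisplayVersion })
} | Select-Object Account, LocalAdministrator, LogOnAsServiceRight, FirewallProfiles, MapiCdoInstalled, MapiCdoVersion
```

Run it elevated on the console machine; secedit needs administrative rights to export the policy. The FirewallProfiles column gives you the evidence for the "Firewall turned off" line, and the same output, taken again at project close, shows which profiles still need to be switched back on.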
|
Originally posted at "https://blogs.technet.com/b/rogerliu".